Bug 1346067 - maria-galera creates SSL/TLS certificates needs to be unique per instance or install but this value is created at install-time and not during the first run.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: mariadb-galera
Version: 9.0 (Mitaka)
Hardware: All
OS: All
high
medium
Target Milestone: ga
: 9.0 (Mitaka)
Assignee: Michael Bayer
QA Contact: Udi Shkalim
URL:
Whiteboard:
Depends On:
Blocks: 1346019 1349195
Reported: 2016-06-13 20:15 UTC by Kurt Seifried
Modified: 2023-02-22 23:02 UTC (History)

Fixed In Version: mariadb-galera-5.5.42-2.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the RPM for `mariadb-galera` included a step to generate TLS certificates for use in Galera SSL communication. However, when the installed RPMs were used with containers that were then replicated, the TLS certificates themselves would be replicated as well. Consequently, copies of a container would contain a TLS certificate identical to the original, creating a security condition if these certificates were actually used. With this update, the RPM package no longer generates the certificates. As a result, installing the package no longer leaves a generated certificate that could end up in a container. Certificates can be generated manually if SSL configuration of Galera is needed. Note that Red Hat OpenStack director currently does not configure Galera for SSL.
Clone Of:
: 1349195 (view as bug list)
Environment:
Last Closed: 2016-08-11 12:25:17 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:1597 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 9 Release Candidate Advisory 2016-08-11 16:06:52 UTC

Description Kurt Seifried 2016-06-13 20:15:41 UTC
Version-Release number of selected component (if applicable):

mariadb-galera-5.5.42-1.el7ost

How reproducible:

Always.
from postinstall:

if [ ! -f /etc/pki/galera/galera.key ]; then
    umask 077 && /usr/bin/openssl genrsa -out /etc/pki/galera/galera.key 2048 2>/dev/null
    chown mysql:mysql /etc/pki/galera/galera.key
fi

if [ ! -f /etc/pki/galera/galera.crt ]; then
    umask 022 && /usr/bin/openssl req -key /etc/pki/galera/galera.key -out /etc/pki/galera/galera.crt \
        -subj "/CN=$(hostname)/" -new -x509 -days 730 -extensions usr_cert 2>/dev/null
    chown mysql:mysql /etc/pki/galera/galera.crt
fi



Steps to Reproduce:
1. Install to a container or image.
2. Run new instance of container or image.
3.

Actual results:

All container and image instances share the same key/certificate.

Expected results:

Each instance should receive a unique key/certificate.

Additional info:

This bug is being filed because Product Security considers "first run problems" to be bugs with the source package and with the container or image only in the aggregate. This view is in collaboration with upstream Fedora. See: https://fedorahosted.org/fpc/ticket/506

The recommended resolution for services is to follow the "First-time Service Setup" pattern (see: https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup ). Other packages may should use a runtime check and generation or similar procedure.

Comment 1 Michael Bayer 2016-06-13 20:24:41 UTC
IMO, it's not even appropriate that TLS certs are generated for a mariadb-galera install.   As for the solution that the certs are generated as part of systemd start, while the mariadb packages do follow this for the mysql_init step, for Galera SSL this is problematic since all nodes in a Galera cluster must share the same keys.

That is, it's not possible for a node to receive a randomly generated key per-node if the goal is that the cluster can be started. But as it turns out, mariadb-galera already produces a Galera install that can't run without manual configuration in any case (e.g. wsrep_provider defaults to None, wsrep_cluster_address is not set). So why do we need wsrep_provider_options to point to a valid file to start with if manual steps are needed to set up the cluster in any case?

Comment 11 Kurt Seifried 2016-06-25 03:12:23 UTC
Just a note, the first run issue can also be handled through orchestration (e.g. OpenStack, CloudForms, OpenShift Enterprise and so on). But the certificate creation MUST be removed from the rpm install scripts.

Comment 14 Udi Shkalim 2016-07-21 10:21:17 UTC
Verified on: 
galera-25.3.5-7.el7ost.x86_64
mariadb-galera-common-5.5.42-2.el7ost.x86_64
mariadb-galera-server-5.5.42-2.el7ost.x86_64


[root@overcloud-controller-0 ~]# ls -ltrh /etc/pki/galera/
total 0

Comment 16 errata-xmlrpc 2016-08-11 12:25:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1597.html
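
An added example, not part of the bug report or the package: a shell audit for the condition reported here, run over unpacked image or instance root filesystems. It flags key material already present in an image and groups instances whose `galera.key` is byte-identical. The function names are hypothetical, and it assumes each root is a local directory whose path contains no whitespace.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.
# Assumption: each ROOT is a directory holding one unpacked root filesystem,
# and ROOT paths contain no whitespace.
GALERA_PKI=etc/pki/galera   # directory used by the postinstall script

# baked_files ROOT: list key/cert files already present under ROOT. Any output
# for a freshly built image means every instance started from it shares them.
baked_files() {
    for f in galera.key galera.crt; do
        [ -f "$1/$GALERA_PKI/$f" ] && printf '%s\n' "$GALERA_PKI/$f"
    done
    return 0
}

# shared_keys ROOT...: print "<sha256> <root> <root>..." for each private key
# found under two or more roots. Only digests are printed, never key bytes.
shared_keys() {
    for root in "$@"; do
        key="$root/$GALERA_PKI/galera.key"
        [ -f "$key" ] || continue
        printf '%s %s\n' "$(sha256sum < "$key" | cut -d' ' -f1)" "$root"
    done | sort | awk '
        $1 != prev { if (n > 1) print line; line = $0; n = 1; prev = $1; next }
                   { line = line " " $2; n++ }
        END        { if (n > 1) print line }'
}

# make_sample: build constructed roots with dummy file contents (not real
# keys): an image and its clone share a key, "unique" has its own, and
# "clean" has an empty directory as in the verified fix.
make_sample() {
    d=$(mktemp -d) || return 1
    for r in image clone-a; do
        mkdir -p "$d/$r/$GALERA_PKI"
        echo "dummy-key-1" > "$d/$r/$GALERA_PKI/galera.key"
    done
    mkdir -p "$d/unique/$GALERA_PKI" "$d/clean/$GALERA_PKI"
    echo "dummy-key-2" > "$d/unique/$GALERA_PKI/galera.key"
    printf '%s\n' "$d"
}
```

Empty output from `shared_keys` means no two of the given roots hold the same key; empty output from `baked_files` on an image root matches the empty `/etc/pki/galera/` listing shown in the verification comment.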

