Bug 1497981 - mariadb-galera does not encrypt SST traffic when using Internal TLS
Summary: mariadb-galera does not encrypt SST traffic when using Internal TLS
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: mariadb-galera
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 12.0 (Pike)
Assignee: Damien Ciabrini
QA Contact: Udi Shkalim
Depends On:
Blocks: 1486759 1506020
Reported: 2017-10-03 09:31 UTC by Damien Ciabrini
Modified: 2022-08-09 13:51 UTC
7 users

Fixed In Version: mariadb-galera-5.5.42-7.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-12-13 22:11:53 UTC
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | OSP-8636 | 0 | None | None | None | 2022-08-09 13:51:02 UTC
Red Hat Product Errata | RHEA-2017:3462 | 0 | normal | SHIPPED_LIVE | Red Hat OpenStack Platform 12.0 Enhancement Advisory | 2018-02-16 01:43:25 UTC

Description Damien Ciabrini 2017-10-03 09:31:49 UTC
Description of problem:
With the Internal TLS work upstream, it is now possible to configure Galera so that both regular MySQL traffic and WSREP replication traffic use encryption.

However the SST traffic - used during bootstrap and for rejoining cluster - is still happening unencrypted.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
Deploying an OSP overcloud would show it, but the steps boil down to:
1. on a three node galera cluster, delete /var/lib/grastate.dat to force SST
2. bootstrap the galera cluster
3. verify that wsrep_sst_rsync is run on two of the nodes (unencrypted SST)

Actual results:
The traffic goes via rsync, thus unencrypted.

Expected results:
When Internal TLS is enabled, all internal endpoints of the controller service should encrypt their communication.

Additional info:
An alternative SST implementation [1] allows encryption of traffic via a socat tunnel. The associated change in tripleo is being tracked upstream [2].

[1] https://github.com/dciabrin/wsrep_sst_rsync_tunnel
[2] https://bugs.launchpad.net/tripleo/+bug/1719885
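
The following configuration check is an added example, not code from this report or from the wsrep_sst_rsync_tunnel project: it parses a my.cnf and flags the condition described above, where TLS is configured for the MySQL and WSREP endpoints but wsrep_sst_method still uses plain rsync. The sample configuration and its certificate paths are constructed, and the method name "rsync_tunnel" is an assumption derived from the referenced script name (Galera SST scripts are named wsrep_sst_<method>).

```python
"""Audit a Galera my.cnf for the gap this bug describes: Internal TLS is
configured for client and WSREP replication traffic, but the SST method
still copies the full data set unencrypted."""
import configparser

# Constructed sample (not from an OSP deployment); paths are placeholders.
SAMPLE_CNF = """\
[mysqld]
ssl-ca=/etc/pki/tls/certs/ca.crt
ssl-cert=/etc/pki/tls/certs/galera.crt
ssl-key=/etc/pki/tls/private/galera.key
wsrep_provider_options="socket.ssl_key=/etc/pki/tls/private/galera.key;socket.ssl_cert=/etc/pki/tls/certs/galera.crt;socket.ssl_ca=/etc/pki/tls/certs/ca.crt"
wsrep_sst_method=rsync
"""

# "rsync" streams the datadir in the clear; "rsync_tunnel" is the method
# name implied by the wsrep_sst_rsync_tunnel script (assumption).
CLEARTEXT_SST = {"rsync"}
TUNNELED_SST = {"rsync_tunnel"}


def _load(cnf_text):
    """Parse my.cnf text; MariaDB accepts dashed or underscored keys."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False,
                                       interpolation=None)
    parser.read_string(cnf_text)
    opts = {}
    for section in ("mysqld", "galera"):
        if parser.has_section(section):
            for key, value in parser.items(section):
                opts[key.lower().replace("-", "_")] = (value or "").strip("\"'")
    return opts


def audit(cnf_text):
    """Return TLS status per endpoint and a finding if SST is cleartext."""
    opts = _load(cnf_text)
    mysql_tls = all(k in opts for k in ("ssl_ca", "ssl_cert", "ssl_key"))
    provider = opts.get("wsrep_provider_options", "")
    wsrep_tls = any(item.strip().startswith("socket.ssl_")
                    for item in provider.split(";"))
    method = opts.get("wsrep_sst_method", "rsync")  # MariaDB's default
    # Other methods (e.g. xtrabackup variants) are not assessed here: None.
    sst_encrypted = (True if method in TUNNELED_SST
                     else False if method in CLEARTEXT_SST else None)
    finding = None
    if (mysql_tls or wsrep_tls) and sst_encrypted is False:
        finding = ("TLS is configured for client/WSREP traffic but "
                   f"wsrep_sst_method={method} transfers SST data in the clear")
    return {"mysql_tls": mysql_tls, "wsrep_tls": wsrep_tls,
            "sst_method": method, "sst_encrypted": sst_encrypted,
            "finding": finding}
```

Running `audit(SAMPLE_CNF)` reports the mismatch; with `wsrep_sst_method=rsync_tunnel` the finding clears, and a configuration with no TLS at all is not flagged because nothing claims the internal endpoints are encrypted.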

Comment 4 Udi Shkalim 2017-12-05 12:15:52 UTC
Verified on: mariadb-galera-server-5.5.42-7.el7ost.x86_64

TLS setup is deployed and passed sanity

Comment 7 errata-xmlrpc 2017-12-13 22:11:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
