Description of problem:
With the Internal TLS work upstream, it is now possible to configure Galera so that both regular MySQL traffic and WSREP replication traffic use encryption. However the SST traffic (used during bootstrap and for rejoining the cluster) is still happening unencrypted.

Version-Release number of selected component (if applicable): 5.5.42

How reproducible: Always

Steps to Reproduce:
Deploying an OSP overcloud would show it, but the steps boil down to:
1. on a three node galera cluster, delete /var/lib/grastate.dat to force SST
2. bootstrap the galera cluster
3. verify that wsrep_sst_rsync is run on two of the nodes (unencrypted SST)

Actual results: The traffic goes via rsync, thus unencrypted

Expected results: When Internal TLS is enabled, all internal endpoints of the controller services should encrypt their communication

Additional info: An alternative SST implementation [1] allows encryption of traffic via a socat tunnel. The associated change in tripleo is being tracked upstream [2]

[1] https://github.com/dciabrin/wsrep_sst_rsync_tunnel
[2] https://bugs.launchpad.net/tripleo/+bug/1719885
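The gap the report describes (client and WSREP traffic encrypted, SST still plain rsync) is easy to audit from the node's my.cnf and from a process listing taken while the cluster bootstraps. The script below is an added example, not part of the bug report, of mariadb-galera or of the wsrep_sst_rsync_tunnel project; the my.cnf fragment and process lines are constructed samples, and the assumption that the tunnelled SST is selected with `wsrep_sst_method=rsync_tunnel` is taken from the linked script's name.

```python
"""Audit a Galera node for TLS-everywhere-except-SST (added example)."""
import configparser
import re

# Constructed my.cnf fragment: TLS on the client port (ssl-*) and on WSREP
# (socket.ssl_* in wsrep_provider_options), but SST left on stock rsync.
SAMPLE_CNF = """\
[mysqld]
bind-address=172.16.2.11
ssl-ca=/etc/pki/tls/certs/ca.crt
ssl-cert=/etc/pki/tls/certs/galera.crt
ssl-key=/etc/pki/tls/private/galera.key
wsrep_sst_method=rsync
wsrep_provider_options=gcache.size=1G;socket.ssl_key=/etc/pki/tls/private/galera.key;socket.ssl_cert=/etc/pki/tls/certs/galera.crt;socket.ssl_ca=/etc/pki/tls/certs/ca.crt
"""

# Constructed `ps` style lines (host, user, pid, command) captured during a
# bootstrap: one joiner on plain rsync, one on the socat-tunnelled variant.
SAMPLE_PS = [
    "controller-0 mysql 2310 /usr/sbin/mysqld --wsrep-new-cluster",
    "controller-1 mysql 2402 /bin/bash /usr/bin/wsrep_sst_rsync --role joiner --address 172.16.2.12",
    "controller-2 mysql 2417 /bin/bash /usr/bin/wsrep_sst_rsync_tunnel --role joiner --address 172.16.2.13",
]

# Assumption: the tunnelled script is selected by this method name.
ENCRYPTED_SST_METHODS = {"rsync_tunnel"}


def parse_mycnf(text):
    """my.cnf is INI-like; allow bare flags such as skip-name-resolve."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return cp


def provider_options(value):
    """Split 'k=v;k=v' wsrep_provider_options into a dict."""
    return dict(kv.split("=", 1) for kv in value.split(";") if "=" in kv)


def audit_sst(cnf_text):
    """Return which of the three channels are encrypted, plus findings."""
    cp = parse_mycnf(cnf_text)
    mysqld = cp["mysqld"] if cp.has_section("mysqld") else {}
    client_tls = all(k in mysqld for k in ("ssl-ca", "ssl-cert", "ssl-key"))
    opts = provider_options(mysqld.get("wsrep_provider_options", "") or "")
    wsrep_tls = all(k in opts for k in ("socket.ssl_key", "socket.ssl_cert", "socket.ssl_ca"))
    sst_method = mysqld.get("wsrep_sst_method", "rsync") or "rsync"  # rsync is the default
    sst_encrypted = sst_method in ENCRYPTED_SST_METHODS
    findings = []
    if (client_tls or wsrep_tls) and not sst_encrypted:
        findings.append(
            f"wsrep_sst_method={sst_method}: state transfers cross the network "
            "in clear text although client/WSREP traffic is encrypted"
        )
    return {
        "client_tls": client_tls,
        "wsrep_tls": wsrep_tls,
        "sst_method": sst_method,
        "sst_encrypted": sst_encrypted,
        "findings": findings,
    }


SST_RE = re.compile(r"wsrep_sst_(\w+)")


def sst_processes(ps_lines):
    """(host, sst method) for every running wsrep_sst_* script."""
    found = []
    for line in ps_lines:
        m = SST_RE.search(line)
        if m:
            found.append((line.split()[0], m.group(1)))
    return found


def plain_rsync_sst(ps_lines):
    """Hosts currently doing an unencrypted rsync SST (the symptom in step 3)."""
    return [(h, m) for h, m in sst_processes(ps_lines) if m == "rsync"]


if __name__ == "__main__":
    report = audit_sst(SAMPLE_CNF)
    for f in report["findings"]:
        print("FINDING:", f)
    print("plain rsync SST on:", plain_rsync_sst(SAMPLE_PS))
```

Run against a real node, the my.cnf text comes from the files under /etc/my.cnf.d and the process lines from `ps -eo cmd` prefixed with the hostname; the check only reads configuration and process names, so it is safe to run on a live controller.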
Verified on: mariadb-galera-server-5.5.42-7.el7ost.x86_64
TLS setup is deployed and passed sanity.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462