Blame SOURCES/README.wsrep_sst_rsync_tunnel

a41a5b
socat tunnel for encrypted rsync SST
a41a5b
====================================
a41a5b
a41a5b
`wsrep_sst_rsync_tunnel` is an extension of the rsync-based [SST](http://galeracluster.com/documentation-webpages/glossary.html#term-state-snapshot-transfer)
a41a5b
implementation that ships with mariadb. Its purpose is to encrypt
a41a5b
communication between the donor and the joiner during an SST.
a41a5b
a41a5b
Encryption is implemented by means of a socat tunnel, using OPENSSL
a41a5b
addresses. It can be configured via the regular openssl flags exposed
a41a5b
by socat.
a41a5b
a41a5b
a41a5b
## How to configure the script
a41a5b
a41a5b
This SST script can configured by setting a few keys in your favorite
a41a5b
mariadb option file in addition to the usual galera settings.
a41a5b
a41a5b
    [mysqld]
a41a5b
    ...
a41a5b
    bind_address=<node-name>
a41a5b
    wsrep_sst_method=rsync_tunnel
a41a5b
    ...
a41a5b
    
a41a5b
    [sst]
a41a5b
    tca=/path/to/your/ca-file.crt
a41a5b
    tcert=/path/to/node/certificate.crt
a41a5b
    tkey=/path/to/node/key.key
a41a5b
    sockopt=<openssl-address-options-as-per-socat-manual>
a41a5b
a41a5b
When a joiner node requests an SST, `wsrep_sst_rsync_tunnel` uses
a41a5b
socat to listen to incoming SSL connections on port 4444 in lieu of
a41a5b
the original rsync daemon. Received data will be forwarded to the
a41a5b
rscynd daemon started locally to replicate the database.
a41a5b
a41a5b
When a donor node serves the SST, `wsrep_sst_rsync_tunnel` makes
a41a5b
a series of rsync calls that target a locally started socat daemon.
a41a5b
The daemon tunnels all rsync traffic into an encrypted SSL connection
a41a5b
that targets the joiner's end of the socat tunnel.
a41a5b
a41a5b
Encryption parameters are specified under the `[sst]` group in the
a41a5b
mariadb option file, where `tkey` and `tcert` are respectively the key
a41a5b
and the certificate that are used by both sides of the socat tunnel.
a41a5b
Each node typically has a different key and cert. Both key and
a41a5b
certificate can be combined into a single PEM file and referenced by
a41a5b
`tcert`. Option `tca` holds a list of the trusted signing
a41a5b
certificates.
a41a5b
a41a5b
In case you need to tweak the creation of the SSL connection, you can
a41a5b
pass valid socat options (as per socat manual) via the `sockopt` key.
a41a5b
For debugging purpose, the exact socat command that is being executed
a41a5b
shows up in the mariadb log file.
a41a5b
a41a5b
Note that socat verifies that the certificate's commonName matches
a41a5b
that of the host that is being targeted. The target name comes from
a41a5b
the value configured in `bind_address`, so it's important that it
a41a5b
matches the certificate's commonName. An IP address can be used for
a41a5b
`bind_address`, but you may get into trouble in case different
a41a5b
hostnames resolve to the same IP (e.g. multiple networks per host).
a41a5b
a41a5b
a41a5b
## Examples of use
a41a5b
a41a5b
Suppose you're running a 3-node galera cluster
a41a5b
`node1.my.cluster`, `node2.my.cluster`, `node3.my.cluster`.
a41a5b
a41a5b
### Scenario: using self-signed certificates
a41a5b
a41a5b
On each node, create a key and a certificate, and bundle them into a
a41a5b
single PEM file. For instance on `node1.my.cluster`:
a41a5b
a41a5b
    openssl genrsa -out /tls/mysql-$(hostname -f).key 2048
a41a5b
    openssl req -new -key /tls/mysql-$(hostname -f).key -x509 -days 365000 -subj "/CN=$(hostname -f)" -out /tls/mysql-$(hostname -f).crt -batch
a41a5b
    cat /tls/mysql-$(hostname -f).key /tls/mysql-$(hostname -f).crt > /tls/mysql.pem
a41a5b
a41a5b
Then, on each node, create a cafile that will contain all the certs to
a41a5b
trust:
a41a5b
a41a5b
    for n in node1.my.cluster node2.my.cluster node3.my.cluster; do
a41a5b
       ssh $n 'cat /tls/mysql-$(hostname -f).crt' >> /tls/all-mysql.crt
a41a5b
    done
a41a5b
a41a5b
Once you have those two files on each host, you can configure the SST
a41a5b
appropriately. For instance from `/etc/my.cnf.d/galera.cnf`:
a41a5b
a41a5b
    [mysqld]
a41a5b
    ...
a41a5b
    
a41a5b
    [sst]
a41a5b
    tca=/tls/all-mysql.crt
a41a5b
    tcert=/tls/mysql.pem
a41a5b
a41a5b
### Scenario: using self-signed certificates, without verification
a41a5b
a41a5b
By default, when socat tries to establish a SSL connection to a peer,
a41a5b
it also verifies that it can trust the peer's certificate. If for some
a41a5b
reason you need to disable that feature, you can amend the previous
a41a5b
configuration with a sockopt option:
a41a5b
a41a5b
    [mysqld]
a41a5b
    ...
a41a5b
    
a41a5b
    [sst]
a41a5b
    tca=/tls/all-mysql.crt
a41a5b
    tcert=/tls/mysql.pem
a41a5b
    sockopt="verify=0"
a41a5b
a41a5b
The associated sockopt value is passed to socat when
a41a5b
the donor or the joiner configures his part of the tunnel.
a41a5b
a41a5b
Note: please do not do so in production, this is inherently insecure
a41a5b
as you will not verify the identity of the peer you're connecting to!
a41a5b
a41a5b
### Scenario: using certificates from a CA
a41a5b
a41a5b
Suppose you have a FreeIPA service which generated a key file and a
a41a5b
certificate file for the three galera nodes, respectively located at
a41a5b
/tls/mysql.key and /tls/mysql.crt.
a41a5b
a41a5b
Assuming that the certificate for the FreeIPA server is available at
a41a5b
/etc/ipa/ca.crt, you can configure you galera servers as follows:
a41a5b
a41a5b
    [sst]
a41a5b
    tca=/etc/ipa/ca.crt
a41a5b
    tcert=/tls/mysql.crt
a41a5b
    tkey=/tls/mysql.key
a41a5b
a41a5b
## License
a41a5b
a41a5b
Copyright © 2017 [Damien Ciabrini](https://github.com/dciabrin).
a41a5b
This work is derived from the original `wsrep_rsync_sst`, copyright
a41a5b
© 2010-2014 [Codership Oy](https://github.com/codership).
a41a5b
Released under the GNU GPLv2.