Using Secure Connections with a Galera Cluster


When a galera node joins an existing galera cluster, it must be synchronized. This can happen in one of two ways:

  • A state snapshot transfer (SST)
  • An incremental state transfer (IST)

An SST is a full data copy from the donor node to the joiner node. This will take place the first time the node joins the cluster and, in general, whenever IST is not possible. Note that this SST takes place after the node has joined. There is no authentication used when joining a galera cluster, so using secure connections provides a means to limit which nodes can join the cluster to those that have the proper SSL key and certificate. Additionally, using secure connections with galera causes all replication and IST traffic to be encrypted.

NOTE

SST operations are not encrypted.

By default, installing the mariadb-galera-server package will generate a self-signed certificate unique to the server. The key and certificate can be found in the /etc/pki/galera/ directory:

  • /etc/pki/galera/galera.crt
  • /etc/pki/galera/galera.key

This self-signed certificate created at install will expire after 2 years (730 days). It is highly recommended that the user create their own certificate with an appropriate expiration date. Failure to do this will result in the galera cluster failing 2 years after installation.

Use openssl to create a 2048-bit key and a self-signed certificate that will expire after 10 years (3650 days):

umask 077 && openssl genrsa -out /etc/pki/galera/galera.key 2048 2>/dev/null
CN="$(hostname) mariadb-galera cluster"
umask 022 && openssl req -key /etc/pki/galera/galera.key -out /etc/pki/galera/galera.crt -subj "/CN=$CN/" -new -x509 -days 3650 -extensions usr_cert 2>/dev/null

NOTE

It is not necessarily recommended to use a validity period of 10 years. This depends on the security policies within your organization.

Make sure the key and certificate are owned by the mysql user and group:

chown mysql:mysql /etc/pki/galera/galera.key
chown mysql:mysql /etc/pki/galera/galera.crt

It is recommended that the key and certificate be placed in the /etc/pki/ directory so that the files will inherit the correct SELinux security context.

By default, the galera configuration file (/etc/my.cnf.d/galera.cnf) has secure connections enabled and is using the certificate and key generated at install time. This is set via the wsrep_provider_options parameter:

wsrep_provider_options="socket.ssl=true; socket.ssl_cert=/etc/pki/galera/galera.crt; socket.ssl_key=/etc/pki/galera/galera.key"

This means that individual galera nodes will not be able to form a cluster unless secure connections are disabled on each node or the key and certificate files are identical on all cluster nodes. This is intentional and prevents nodes from being able to freely join a galera cluster.

If the user changes the certificate, key, or enables/disables SSL, this change must be done on each node and each node must have mariadb restarted. Note that if pacemaker is managing mariadb the restart will need to be done via pacemaker.
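The checks below are an added example written for this article; they are not part of the mariadb-galera-server package or the article's own procedure. The script assumes the openssl command-line tool is installed on the node, defaults to the /etc/pki/galera/ paths used above, and takes the expected owner and an expiry warning window (90 days is an assumed value, not one from the article) as parameters. Running it on every node before a restart catches the failure modes the article describes: a certificate that has reached the end of its validity period, a certificate and key that do not belong together, a key readable by other users, or key and certificate files that differ between nodes (compare the printed fingerprints across the cluster).

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks for the
# Galera SSL key and certificate before mariadb is restarted on a node.
# Assumes the openssl CLI is available. All paths and thresholds are
# parameters so the functions can also be run against a test directory.

GALERA_CERT="${GALERA_CERT:-/etc/pki/galera/galera.crt}"
GALERA_KEY="${GALERA_KEY:-/etc/pki/galera/galera.key}"
EXPECTED_OWNER="${EXPECTED_OWNER:-mysql}"
WARN_DAYS="${WARN_DAYS:-90}"   # assumption: warn when fewer than 90 days remain

# galera_cert_matches_key CERT KEY
# Returns 0 when the public key inside the certificate equals the public key
# derived from the private key, i.e. the two files belong together.
galera_cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# galera_cert_expires_within CERT DAYS
# Returns 0 if the certificate expires within DAYS days or is already invalid.
# openssl's -checkend exits 0 only when the cert is still valid after that time.
galera_cert_expires_within() {
    secs=$(( $2 * 86400 ))
    ! openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1
}

# galera_file_owner FILE -> prints the owning user (ls -l is portable; stat is not)
galera_file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# galera_key_is_private KEY
# Returns 0 if no group/other permission bits are set (what umask 077 produces).
galera_key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# galera_ssl_fingerprint FILE -> prints the SHA-256 of the file so the key and
# certificate can be compared across nodes; they must be identical cluster-wide.
galera_ssl_fingerprint() {
    openssl dgst -sha256 -r "$1" 2>/dev/null | cut -d' ' -f1
}

# galera_ssl_check CERT KEY OWNER WARN_DAYS
# Runs every check, prints each finding and returns the number of failures.
galera_ssl_check() {
    cert=$1; key=$2; owner=$3; days=$4; failures=0
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: $f is missing or unreadable"; failures=$((failures + 1)); continue
        fi
        o=$(galera_file_owner "$f")
        if [ "$o" != "$owner" ]; then
            echo "FAIL: $f is owned by $o, expected $owner"; failures=$((failures + 1))
        fi
    done
    if ! galera_key_is_private "$key"; then
        echo "FAIL: $key is readable by group or other users"; failures=$((failures + 1))
    fi
    if ! galera_cert_matches_key "$cert" "$key"; then
        echo "FAIL: certificate and key do not match"; failures=$((failures + 1))
    fi
    if galera_cert_expires_within "$cert" "$days"; then
        echo "FAIL: certificate expires within $days days (or is already expired)"; failures=$((failures + 1))
    fi
    echo "fingerprint cert=$(galera_ssl_fingerprint "$cert") key=$(galera_ssl_fingerprint "$key")"
    return "$failures"
}

# Usage: run the full check against this node's files.
if galera_ssl_check "$GALERA_CERT" "$GALERA_KEY" "$EXPECTED_OWNER" "$WARN_DAYS"; then
    echo "galera SSL key and certificate look consistent on this node"
else
    echo "one or more galera SSL checks failed, see above"
fi
```

The fingerprint line is the part to compare between nodes: if the two hashes are not the same on every node, the cluster will not form, exactly as the article states. Because the ownership check reads the expected user from a parameter, the same functions can be exercised against a scratch directory owned by the current user.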
