authorJulius Goryavsky <julius.goryavsky@mariadb.com>2021-05-24 17:59:15 +0200
committerJulius Goryavsky <julius.goryavsky@mariadb.com>2021-05-24 18:07:54 +0200
commitd7112a69e300cc5216e5f0c8641e6c515187499c (patch)
tree6bd7139bd88e8a68f3a0c9262df25548ec0020b8
parent58edfc1aca00c63abb92c47a9b54075b4068b274 (diff)
MDEV-21192: SST failing when enabling IPV6bb-10.6-MDEV-21192-galera
The following features have been added: 1) Automatic addition of the pf = ip6 option for socat when it can be recognized by the format of the connection address; 2) Automatically add or remove extra commas at the beginning and at the end of sockopt, for example, sockopt='pf=ip6' and sockopt=',pf=ip6' work equally well; Also, due to interference in the code of the get_transfer() function, I also refactored it and now: 3) encrypt = 4 is supported not only for xtrabackup-v2, but also for mariabackup - this can help with migration from Percona; 4) Improved setting of 'commonname' option for encrypt=3 and encrypt=4 modes;
-rw-r--r--mysql-test/suite/galera_3nodes/t/galera_ipv6_mariabackup.cnf1
-rw-r--r--mysql-test/suite/galera_3nodes/t/galera_ipv6_mariabackup_section.cnf1
-rw-r--r--mysql-test/suite/galera_3nodes/t/galera_ipv6_mysqldump.cnf3
-rw-r--r--mysql-test/suite/galera_3nodes/t/galera_ipv6_rsync.cnf3
-rw-r--r--mysql-test/suite/galera_3nodes/t/galera_ipv6_rsync_section.cnf3
-rw-r--r--scripts/wsrep_sst_common.sh22
-rw-r--r--scripts/wsrep_sst_mariabackup.sh107
-rw-r--r--scripts/wsrep_sst_rsync.sh22
8 files changed, 104 insertions, 58 deletions
diff --git a/mysql-test/suite/galera_3nodes/t/galera_ipv6_mariabackup.cnf b/mysql-test/suite/galera_3nodes/t/galera_ipv6_mariabackup.cnf
index 8432b1c368c..3b0f0173b35 100644
--- a/mysql-test/suite/galera_3nodes/t/galera_ipv6_mariabackup.cnf
+++ b/mysql-test/suite/galera_3nodes/t/galera_ipv6_mariabackup.cnf
@@ -34,4 +34,3 @@ bind-address=::
[SST]
transferfmt=@ENV.MTR_GALERA_TFMT
streamfmt=xbstream
-sockopt=",pf=ip6"
diff --git a/mysql-test/suite/galera_3nodes/t/galera_ipv6_mariabackup_section.cnf b/mysql-test/suite/galera_3nodes/t/galera_ipv6_mariabackup_section.cnf
index aa3da690416..a3ab9a85707 100644
--- a/mysql-test/suite/galera_3nodes/t/galera_ipv6_mariabackup_section.cnf
+++ b/mysql-test/suite/galera_3nodes/t/galera_ipv6_mariabackup_section.cnf
@@ -38,4 +38,5 @@ bind-address=::
[SST]
transferfmt=@ENV.MTR_GALERA_TFMT
streamfmt=xbstream
+# Not needed, but left here for debugging:
sockopt=",pf=ip6"
diff --git a/mysql-test/suite/galera_3nodes/t/galera_ipv6_mysqldump.cnf b/mysql-test/suite/galera_3nodes/t/galera_ipv6_mysqldump.cnf
index 5e77a45210b..c163f798335 100644
--- a/mysql-test/suite/galera_3nodes/t/galera_ipv6_mysqldump.cnf
+++ b/mysql-test/suite/galera_3nodes/t/galera_ipv6_mysqldump.cnf
@@ -24,6 +24,3 @@ wsrep_provider_options='base_host=[::1];base_port=@mysqld.3.#galera_port;gmcast.
wsrep_sst_receive_address='[::1]:@mysqld.3.#sst_port'
wsrep_node_incoming_address='[::1]:@mysqld.3.port'
bind-address=::
-
-[SST]
-sockopt=",pf=ip6"
diff --git a/mysql-test/suite/galera_3nodes/t/galera_ipv6_rsync.cnf b/mysql-test/suite/galera_3nodes/t/galera_ipv6_rsync.cnf
index 5e77a45210b..c163f798335 100644
--- a/mysql-test/suite/galera_3nodes/t/galera_ipv6_rsync.cnf
+++ b/mysql-test/suite/galera_3nodes/t/galera_ipv6_rsync.cnf
@@ -24,6 +24,3 @@ wsrep_provider_options='base_host=[::1];base_port=@mysqld.3.#galera_port;gmcast.
wsrep_sst_receive_address='[::1]:@mysqld.3.#sst_port'
wsrep_node_incoming_address='[::1]:@mysqld.3.port'
bind-address=::
-
-[SST]
-sockopt=",pf=ip6"
diff --git a/mysql-test/suite/galera_3nodes/t/galera_ipv6_rsync_section.cnf b/mysql-test/suite/galera_3nodes/t/galera_ipv6_rsync_section.cnf
index 809b83bb782..ee92efeff1d 100644
--- a/mysql-test/suite/galera_3nodes/t/galera_ipv6_rsync_section.cnf
+++ b/mysql-test/suite/galera_3nodes/t/galera_ipv6_rsync_section.cnf
@@ -29,6 +29,3 @@ wsrep_provider_options='base_host=[::1];base_port=@mysqld.3.#galera_port;gmcast.
wsrep_sst_receive_address='[::1]:@mysqld.3.#sst_port'
wsrep_node_incoming_address='[::1]:@mysqld.3.port'
bind-address=::
-
-[SST]
-sockopt=",pf=ip6"
diff --git a/scripts/wsrep_sst_common.sh b/scripts/wsrep_sst_common.sh
index ceab62b4c56..261912b86ad 100644
--- a/scripts/wsrep_sst_common.sh
+++ b/scripts/wsrep_sst_common.sh
@@ -1021,3 +1021,25 @@ check_for_version()
[ $z1 -lt $z2 ] && return 1
return 0
}
+
+trim_string()
+{
+ if [ -n "$BASH_VERSION" ]; then
+ local pattern="[![:space:]${2:-}]"
+ local x="${1#*$pattern}"
+ local z=${#1}
+ x=${#x}
+ if [ $x -ne $z ]; then
+ local y="${1%$pattern*}"
+ y=${#y}
+ x=$(( $z-$x-1 ))
+ y=$(( $y-$x+1 ))
+ printf '%s' "${1:$x:$y}"
+ else
+ printf ''
+ fi
+ else
+ local pattern="[[:space:]${2:-}]"
+ echo "$1" | sed -E "s/^$pattern+|$pattern+\$//g"
+ fi
+}
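Review bot: In the non-bash branch `echo "$1" | sed -E "s/^$pattern+|$pattern+\$//g"` interpolates the second argument straight into a sed bracket expression, and `echo` under a POSIX sh may also interpret backslashes in the value; `printf '%s\n' "$1" | sed -E "s/^$pattern+|$pattern+\$//g"` removes the second problem, and the first deserves a comment on the function such as `# $2 is a plain list of extra characters to strip; ']', '\' or '-' would break the bracket expression in both branches`, since the bash branch has the same constraint through its glob `[...]` pattern. The only caller in this commit passes ',' so the function is safe as used today. The two branches also differ in framing — the bash branch prints no trailing newline while sed appends one — which is invisible under `$(...)` but would matter if the function were ever applied to a raw stream.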
diff --git a/scripts/wsrep_sst_mariabackup.sh b/scripts/wsrep_sst_mariabackup.sh
index 530d3e49256..9a81ffcacdc 100644
--- a/scripts/wsrep_sst_mariabackup.sh
+++ b/scripts/wsrep_sst_mariabackup.sh
@@ -214,8 +214,6 @@ get_keys()
get_transfer()
{
- TSST_PORT="$SST_PORT"
-
if [ $tfmt = 'nc' ]; then
wsrep_log_info "Using netcat as streamer"
wsrep_check_programs nc
@@ -237,7 +235,7 @@ get_transfer()
wsrep_log_info "Using traditional netcat as streamer"
tcmd="$tcmd -l -p"
fi
- tcmd="$tcmd $TSST_PORT"
+ tcmd="$tcmd $SST_PORT"
else
# Check to see if netcat supports the '-N' flag.
# -N Shutdown the network socket after EOF on stdin
@@ -259,7 +257,7 @@ get_transfer()
wsrep_log_info "Using traditional netcat as streamer"
tcmd="$tcmd -q0"
fi
- tcmd="$tcmd $WSREP_SST_OPT_HOST_UNESCAPED $TSST_PORT"
+ tcmd="$tcmd $WSREP_SST_OPT_HOST_UNESCAPED $SST_PORT"
fi
else
tfmt='socat'
@@ -267,8 +265,38 @@ get_transfer()
wsrep_log_info "Using socat as streamer"
wsrep_check_programs socat
- if [ $encrypt -eq 2 -o $encrypt -eq 3 ] && ! socat -V | grep -q -F 'WITH_OPENSSL 1'; then
- wsrep_log_error "Encryption requested, but socat is not OpenSSL enabled (encrypt=$encrypt)"
+ if [ -n "$sockopt" ]; then
+ sockopt=$(trim_string "$sockopt" ',')
+ if [ -n "$sockopt" ]; then
+ sockopt=",$sockopt"
+ fi
+ fi
+
+ # Add an option for ipv6 if needed:
+ if [ $WSREP_SST_OPT_HOST_IPv6 -eq 1 ]; then
+ # If sockopt contains 'pf=ip6' somewhere in the middle,
+ # this will not interfere with socat, but exclude the trivial
+ # cases when sockopt contains 'pf=ip6' as prefix or suffix:
+ if [ "$sockopt" = "${sockopt#,pf=ip6}" -a \
+ "$sockopt" = "${sockopt%,pf=ip6}" ]
+ then
+ sockopt=",pf=ip6$sockopt"
+ fi
+ fi
+
+ if [ $encrypt -lt 2 ]; then
+ if [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]; then
+ tcmd="socat -u TCP-LISTEN:$SST_PORT,reuseaddr$sockopt stdio"
+ else
+ tcmd="socat -u stdio TCP:$REMOTEIP:$SST_PORT$sockopt"
+ fi
+ return
+ fi
+
+ if ! socat -V | grep -q -F 'WITH_OPENSSL 1'; then
+ wsrep_log_error "******** FATAL ERROR ************************************************ "
+ wsrep_log_error "* Encryption requested, but socat is not OpenSSL enabled (encrypt=$encrypt) *"
+ wsrep_log_error "********************************************************************* "
exit 2
fi
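Review bot: `if [ $WSREP_SST_OPT_HOST_IPv6 -eq 1 ]; then` and the `$encrypt` comparisons below it expand unquoted, so if either variable is ever empty the test degenerates to `[ -eq 1 ]`, which is a test error rather than a clean false, and the IPv6 branch is skipped with only a stray diagnostic on stderr. `if [ "${WSREP_SST_OPT_HOST_IPv6:-0}" -eq 1 ]; then` gives a defined result; the variable is presumably set in wsrep_sst_common.sh, which is outside this hunk. The prefix/suffix check for pf=ip6 with `-a` matches the `-o` idiom the file already uses, so it is consistent, though two `[ ]` tests joined by `&&` is the portable spelling.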
@@ -281,11 +309,19 @@ get_transfer()
exit 2
fi
- if ! check_for_version "$SOCAT_VERSION" "1.7.3"; then
+ local action='Decrypting'
+ if [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]; then
+ tcmd="socat -u openssl-listen:$SST_PORT,reuseaddr"
+ else
+ tcmd="socat -u stdio openssl-connect:$REMOTEIP:$SST_PORT"
+ action='Encrypting'
+ fi
+
+ if ! check_for_version "$SOCAT_VERSION" '1.7.3'; then
# socat versions < 1.7.3 will have 512-bit dhparams (too small)
# so create 2048-bit dhparams and send that as a parameter:
check_for_dhparams
- sockopt=",dhparam='$ssl_dhparams'$sockopt"
+ tcmd="$tcmd,dhparam='$ssl_dhparams'"
fi
if [ $encrypt -eq 2 ]; then
@@ -294,15 +330,10 @@ get_transfer()
wsrep_log_error "Both PEM and CRT files required"
exit 22
fi
+ tcmd="$tcmd,cert='$tpem',cafile='$tcert'$sockopt"
stagemsg="$stagemsg-OpenSSL-Encrypted-2"
- if [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]; then
- wsrep_log_info "Decrypting with cert=${tpem}, cafile=${tcert}"
- tcmd="socat -u openssl-listen:$TSST_PORT,reuseaddr,cert='$tpem',cafile='$tcert'$sockopt stdio"
- else
- wsrep_log_info "Encrypting with cert=${tpem}, cafile=${tcert}"
- tcmd="socat -u stdio openssl-connect:$REMOTEIP:$TSST_PORT,cert='$tpem',cafile='$tcert'$sockopt"
- fi
- elif [ $encrypt -eq 3 ]; then
+ wsrep_log_info "$action with cert=$tpem, cafile=$tcert"
+ elif [ $encrypt -eq 3 -o $encrypt -eq 4 ]; then
wsrep_log_info "Using openssl based encryption with socat: with key and crt"
if [ -z "$tpem" -o -z "$tkey" ]; then
wsrep_log_error "Both certificate and key files required"
@@ -310,36 +341,34 @@ get_transfer()
fi
stagemsg="$stagemsg-OpenSSL-Encrypted-3"
if [ -z "$tcert" ]; then
- # no verification
- if [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]; then
- wsrep_log_info "Decrypting with cert=${tpem}, key=${tkey}, verify=0"
- tcmd="socat -u openssl-listen:$TSST_PORT,reuseaddr,cert='$tpem',key='$tkey',verify=0$sockopt stdio"
- else
- wsrep_log_info "Encrypting with cert=${tpem}, key=${tkey}, verify=0"
- tcmd="socat -u stdio openssl-connect:$REMOTEIP:$TSST_PORT,cert='$tpem',key='$tkey',verify=0$sockopt"
+ if [ $encrypt -eq 4 ]; then
+ wsrep_log_error "Peer certificate required if encrypt=4"
+ exit 22
fi
+ # no verification
+ tcmd="$tcmd,cert='$tpem',key='$tkey',verify=0$sockopt"
+ wsrep_log_info "$action with cert=$tpem, key=$tkey, verify=0"
else
# CA verification
- if [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]; then
- wsrep_log_info "Decrypting with cert=${tpem}, key=${tkey}, cafile=${tcert}"
- tcmd="socat -u openssl-listen:$TSST_PORT,reuseaddr,cert='$tpem',key='$tkey',cafile='$tcert'$sockopt stdio"
+ if [ -n "$WSREP_SST_OPT_REMOTE_USER" ]; then
+ CN_option=",commonname='$WSREP_SST_OPT_REMOTE_USER'"
+ elif [ $encrypt -eq 4 ]; then
+ CN_option=",commonname=''"
+ elif is_local_ip "$WSREP_SST_OPT_HOST_UNESCAPED"; then
+ CN_option=',commonname=localhost'
else
- CN_option=""
- if [ -n "$WSREP_SST_OPT_REMOTE_USER" ]; then
- CN_option=",commonname='$WSREP_SST_OPT_REMOTE_USER'"
- elif is_local_ip "$WSREP_SST_OPT_HOST_UNESCAPED"; then
- CN_option=',commonname=localhost'
- fi
- wsrep_log_info "Encrypting with cert=${tpem}, key=${tkey}, cafile=${tcert}"
- tcmd="socat -u stdio openssl-connect:$REMOTEIP:$TSST_PORT,cert='$tpem',key='$tkey',cafile='$tcert'$CN_option$sockopt"
+ CN_option=",commonname='$WSREP_SST_OPT_HOST_UNSECAPED'"
fi
+ tcmd="$tcmd,cert='$tpem',key='$tkey',cafile='$tcert'$CN_option$sockopt"
+ wsrep_log_info "$action with cert=$tpem, key=$tkey, cafile=$tcert"
fi
else
- if [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]; then
- tcmd="socat -u TCP-LISTEN:$TSST_PORT,reuseaddr$sockopt stdio"
- else
- tcmd="socat -u stdio TCP:$REMOTEIP:$TSST_PORT$sockopt"
- fi
+ wsrep_log_info "Unknown encryption mode: encrypt=$encrypt"
+ exit 22
+ fi
+
+ if [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]; then
+ tcmd="$tcmd stdio"
fi
fi
}
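Review bot: `CN_option=",commonname='$WSREP_SST_OPT_HOST_UNSECAPED'"` in the new else branch misspells the variable (`UNSECAPED` for `UNESCAPED`), so the option is emitted as `commonname=''` — the value the encrypt=4 branch appears to use deliberately for "no expected name" — instead of the peer address, which silently weakens the CA-verification path this branch is meant to tighten; the fix is `CN_option=",commonname='$WSREP_SST_OPT_HOST_UNESCAPED'"`. Unlike the old code, CN_option is now also appended to the joiner's openssl-listen command, where WSREP_SST_OPT_HOST is presumably the joiner's own receive address rather than the donor's name, so it is worth confirming that the listen side should carry a commonname derived from it at all. The unknown-mode fallback logs with `wsrep_log_info` but then exits 22; `wsrep_log_error "Unknown encryption mode: encrypt=$encrypt"` would match the other fatal paths in this function. Note also that encrypt=4 inherits the `-OpenSSL-Encrypted-3` stage suffix from the context line above, which may confuse log readers.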
diff --git a/scripts/wsrep_sst_rsync.sh b/scripts/wsrep_sst_rsync.sh
index f954046382c..0cc13ee4191 100644
--- a/scripts/wsrep_sst_rsync.sh
+++ b/scripts/wsrep_sst_rsync.sh
@@ -261,16 +261,20 @@ then
;;
'VERIFY_CA')
VERIFY_OPT='verifyChain = yes'
- # check if the address is an ip-address (v4 or v6):
- if echo "$WSREP_SST_OPT_HOST_UNESCAPED" | \
- grep -q -E '^([0-9]+(\.[0-9]+){3,3}|[0-9a-fA-F]?(\:[0-9a-fA-F]*)+)$'
- then
- CHECK_OPT="checkIP = $WSREP_SST_OPT_HOST_UNESCAPED"
+ if [ -n "$WSREP_SST_OPT_REMOTE_USER" ]; then
+ CHECK_OPT="checkHost = $WSREP_SST_OPT_REMOTE_USER"
else
- CHECK_OPT="checkHost = $WSREP_SST_OPT_HOST"
- fi
- if is_local_ip "$WSREP_SST_OPT_HOST_UNESCAPED"; then
- CHECK_OPT_LOCAL="checkHost = localhost"
+ # check if the address is an ip-address (v4 or v6):
+ if echo "$WSREP_SST_OPT_HOST_UNESCAPED" | \
+ grep -q -E '^([0-9]+(\.[0-9]+){3,3}|[0-9a-fA-F]*(\:[0-9a-fA-F]*)+)$'
+ then
+ CHECK_OPT="checkIP = $WSREP_SST_OPT_HOST_UNESCAPED"
+ else
+ CHECK_OPT="checkHost = $WSREP_SST_OPT_HOST"
+ fi
+ if is_local_ip "$WSREP_SST_OPT_HOST_UNESCAPED"; then
+ CHECK_OPT_LOCAL="checkHost = localhost"
+ fi
fi
;;
*)
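Review bot: `CHECK_OPT="checkHost = $WSREP_SST_OPT_REMOTE_USER"` writes the user part of the address verbatim into the stunnel configuration (as the commonname option does in wsrep_sst_mariabackup.sh); a sanity check that the value is a single host-name-like token, e.g. `case "$WSREP_SST_OPT_REMOTE_USER" in *[!A-Za-z0-9._-]*) wsrep_log_error "Invalid remote user in SST address"; exit 22;; esac`, would keep a malformed value from producing a broken or misleading stunnel line. The IPv6 regex relaxed to `[0-9a-fA-F]*(\:[0-9a-fA-F]*)+` now accepts multi-digit groups such as 2001:db8::1, which the old `?` rejected, but it also accepts a bare ':' and yields `checkIP = :` — harmless if stunnel rejects it, yet worth a comment. In the new remote-user branch CHECK_OPT_LOCAL is no longer set even for a local address; if it is not initialised before this `case` (outside the hunk) it keeps whatever it previously held. The enclosing case statement starts before this hunk.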