
Is it possible to secure Galera Cluster SST via rsync with SSL/SSH? This page suggests it is not, specifically the following quote:

Unlike rsync, xtrabackup includes support for SSL encryption built in.

I have followed all the steps to secure the database and replication.

[mysqld]
ssl-ca = /path/to/ca-cert.pem
ssl-key = /path/to/server-key.pem
ssl-cert = /path/to/server-cert.pem
wsrep_provider_options="socket.ssl_key=/path/to/server-key.pem;socket.ssl_cert=/path/to/server-cert.pem;socket.ssl_ca=/path/to/cacert.pem;socket.checksum=2;socket.ssl_cipher=AES128-SHA"

[mysql]
ssl-ca = /path/to/ca-cert.pem
ssl-key = /path/to/client-key.pem
ssl-cert = /path/to/client-cert.pem

Will those settings secure my SST, outside of rsync? Or is there no way to secure rsync SST?

I am familiar with how to secure rsync transfers via SSH with rsync -e ssh. What I can't find the answer to, however, is how to specify that option to Galera. This is the only option I can find:

wsrep_sst_method=rsync

This is important because - in a worst-case scenario - I might need to perform SST over the WAN.

I am using MariaDB 10.1.11 with Galera 25.3.12.

Andrew Ensley
  • Possible duplicate of http://serverfault.com/questions/12102/how-to-perform-a-secure-rsync-between-servers-across-an-unsecured-network/14196 – austinian Feb 08 '16 at 20:59
  • @austinian This is not a duplicate of that question because that question is about how to secure `rsync` transfers. I already know how to secure `rsync` transfers via ssh. What I'm asking about here is how to use that same security with Galera's implementation of SST via `rsync`. There's very little explaining this that I could find. The only configuration option I found was `wsrep_sst_method=rsync`. Not much to go on there. – Andrew Ensley Feb 08 '16 at 21:36
  • Is transferring over a VPN possible? – austinian Feb 08 '16 at 21:40
  • Technically possible, of course, but no VPN is currently set up. Would prefer SSL/SSH support in Galera SST. Also, it's just good to know and is something that should be clearly stated in the documentation anyway. – Andrew Ensley Feb 08 '16 at 21:44

1 Answer

Edit: Perhaps you could just look at the way rsync currently works and make your own version out of that. The current method resides in file /usr/bin/wsrep_sst_rsync and has multiple plain rsync lines that you could probably fine-tune to work for your needs.
I happened to have this very same problem and stumbled across this Secure rsync script (GitHub) which looked promising.

While I eventually decided to use xtrabackup because it seemed to suit our needs better, I hope this could help you a little. Looks like it's been a while since it has been updated so it may not work at all. However, even if you can't use it as it is, perhaps it'll answer the other question of yours, "how to specify [-e] option to Galera".

In short, based on the information available at the page, it seems that if you configure wsrep_sst_method=[something], Galera looks to run a file /usr/bin/wsrep_sst_[something]. So if you wrote a new script (or modified the secure_rsync one, given that it works at all), you might be able to solve your headache - and mine from a few hours back, too!

Sorry for giving such a vague non-answer. I'd have given just a comment instead but am lacking the respect to do so.

sankari
  • `/usr/bin/wsrep_sst_rsync` was exactly what I was looking for! For some reason, I just could not find the info anywhere about *how* galera issues the SST commands. Will try editing that script and accept your answer if it works. – Andrew Ensley Feb 09 '16 at 14:56
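Since the answer's point is that Galera simply executes /usr/bin/wsrep_sst_<name> for whatever wsrep_sst_method is set to, the file at that path deserves the same scrutiny as the rsync/SSH transport itself: a custom or edited SST script is run from the mysqld process on donor and joiner, so a writable or wrongly owned script is a problem before any bytes cross the WAN. The POSIX shell below is an added example, not code from the thread or from Galera: it reads the configured method from a my.cnf, resolves the script path the way the answer describes, and checks ownership and write permissions; the script-directory and expected-owner parameters are assumptions added so the check can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): audit the SST script Galera will run.
# Galera resolves wsrep_sst_method=<name> to /usr/bin/wsrep_sst_<name> and
# runs it from the mysqld process, so a custom "secure_rsync"-style method is
# only as trustworthy as that file's ownership and permissions.
# Assumption: POSIX sh, sed and find only (no GNU-specific options).

# Print the effective wsrep_sst_method from a my.cnf-style file. The last
# occurrence wins (as MySQL option parsing does); commented-out lines are
# skipped and surrounding quotes are stripped.
sst_method_from_cnf() {
  sed -n 's/^[[:space:]]*wsrep_sst_method[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" |
    tail -n 1 | tr -d "\"'"
}

# Map a method name to the script path Galera will execute.
# $1 = method name, $2 = script directory (default /usr/bin; overridable so
# the check can be run against a scratch directory - an assumption here).
sst_script_path() {
  printf '%s/wsrep_sst_%s\n' "${2:-/usr/bin}" "$1"
}

# Return 0 only if the script exists, is an executable regular file, is owned
# by the expected user ($3, default root) and is not group- or world-writable.
sst_script_check() {
  script=$(sst_script_path "$1" "$2")
  owner=${3:-root}
  [ -f "$script" ] || { echo "missing: $script"; return 1; }
  [ -x "$script" ] || { echo "not executable: $script"; return 1; }
  [ -n "$(find "$script" -user "$owner")" ] ||
    { echo "not owned by $owner: $script"; return 1; }
  [ -z "$(find "$script" \( -perm -g+w -o -perm -o+w \))" ] ||
    { echo "group/world writable: $script"; return 1; }
  echo "ok: $script"
}

# Stand-alone use: ./sst_audit.sh --audit [/path/to/my.cnf]
if [ "${1:-}" = "--audit" ]; then
  method=$(sst_method_from_cnf "${2:-/etc/my.cnf}")
  [ -n "$method" ] || { echo "no wsrep_sst_method configured"; exit 1; }
  sst_script_check "$method"
fi
```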