3

Is it possible to secure Galera Cluster SST via rsync with SSL/SSH? This page suggests it is not, specifically the following quote:

Unlike rsync, xtrabackup includes support for SSL encryption built in.

I have followed all the steps to secure the database and replication.

[mysqld]
ssl-ca = /path/to/ca-cert.pem
ssl-key = /path/to/server-key.pem
ssl-cert = /path/to/server-cert.pem
wsrep_provider_options="socket.ssl_key=/path/to/server-key.pem;socket.ssl_cert=/path/to/server-cert.pem;socket.ssl_ca=/path/to/cacert.pem;socket.checksum=2;socket.ssl_cipher=AES128-SHA"

[mysql]
ssl-ca = /path/to/ca-cert.pem
ssl-key = /path/to/client-key.pem
ssl-cert = /path/to/client-cert.pem

Will those settings secure my SST, outside of rsync? Or is there no way to secure rsync SST?

I am familiar with how to secure rsync transfers via SSH with rsync -e ssh. What I can't find the answer to, however, is how to specify that option to Galera. This is the only option I can find:

wsrep_sst_method=rsync

This is important because - in a worst-case scenario - I might need to perform SST over the WAN.

I am using MariaDB 10.1.11 with Galera 25.3.12.

Andrew Ensley
  • 972

1 Answers1

2

Edit: Perhaps you could just look at the way rsync currently works and make your own version out of that. The current method resides in file /usr/bin/wsrep_sst_rsync and has multiple plain rsync lines that you could probably fine-tune to work for your needs.

I happened to have this very same problem and stumbled across this Secure rsync script (GitHub) which looked promising.

While I eventually decided to use xtrabackup because it seemed to suit our needs better, I hope this could help you a little. Looks like it's been a while since it has been updated so it may not work at all. However, even if you can't use it as it is, perhaps it'll answer the other question of yours, "how to specify [-e] option to Galera".

In short, based on the information available at the page, it seems that if you configure wsrep_sst_method=[something], Galera looks to run a file /usr/bin/wsrep_sst_[something]. So if you wrote a new script (or modified the secure_rsync one, given that it works at all), you might be able to solve your headache - and mine from a few hours back, too!

Sorry for giving such a vague non-answer. I'd have given just a comment instead but am lacking the respect to do so.

sankari
  • 186