SST does not work in default Config
Description
Environment
Ubuntu 18.04
packages from repo
Activity
patrick.birch February 7, 2022 at 2:20 PM
Documentation has already been updated.
Kathy Williamson May 22, 2020 at 1:44 PM
Documentation Modifications to be completed - https://www.percona.com/doc/percona-xtradb-cluster/8.0/configure.html
Replace Step 5 with the following:
A large red message stating something to the effect of:
COMPLETE THIS STEP PRIOR TO STARTING CLUSTERS - ALL NODES MUST HAVE THE SAME SSL FILES PRIOR TO INITIAL START AS AN 8.0 CLUSTER
Use blog: https://www.percona.com/blog/2020/05/18/percona-xtradb-cluster-8-0-behavior-change-for-pxc-encrypt-cluster-traffic/ to document each of the 4 possibilities (Case 1-4) - be sure to change any actual values to be consistent with the example used in the base document.
@Borys Belinsky - please provide me a sample web page of these changes when completed prior to submitting for application. Thanks
Kathy Williamson May 21, 2020 at 12:08 PM
@Hubertus Krogmann [X] - I will be making changes to this documentation and will let you know to make sure it is what you feel is needed
Lalit Choudhary May 21, 2020 at 7:02 AM
@Hubertus Krogmann
Yes, we already addressed this in the documentation.
https://jira.percona.com/browse/PXC-3124
Ref Doc for changes:
https://www.percona.com/doc/percona-xtradb-cluster/8.0/configure.html
We additionally published the same information in a blog post.
Hubertus Krogmann May 20, 2020 at 8:55 AM
Hello
Then the documentation should point out this problem, as without these steps you don't get a running PXC.
Not all users will search through the blog for helpful articles.
From my point of view it would be better if PXC generated those SSL files directly in a directory != datadir
and searched there by default, but I'm not sure how hard this would be to code, as the SSL file generation is probably
something MySQL does outside of PXC.
Hello
I'm not sure if I missed something, but:
Ubuntu 18.04 with the pxc-80 repo.
I installed the 1st node with the default config (besides some changes for memory and a valid gcomm://ip1,ip2,ip3 setting).
Bootstrapping it ends up running with:
pxc_encrypt_cluster_traffic = ON
ssl_ca   = ca.pem
ssl_cert = server-cert.pem
ssl_key  = server-key.pem
as mentioned in
https://www.percona.com/doc/percona-xtradb-cluster/8.0/security/encrypt-traffic.html
Unlike those, wsrep_provider_options does not show the mentioned
socket.ssl_key=server-key.pem;socket.ssl_cert=server-cert.pem;socket.ssl_ca=ca.pem
The real problem is more of a chicken-and-egg situation on the 2nd node I try to start.
I generated the same config (with adjusted wsrep_node_address ... of course),
erased the /var/lib/mysql/ contents on node 2 and started it:
Results in
error:04067084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus')
This error is often caused by SSL issues. For more information, please see:
https://per.co.na/pxc/encrypt_cluster_traffic
Of course, there are no SSL CA, cert or key files on the 2nd node.
Transferring those files manually into datadir (the default location) and starting
results in "/var/lib/mysql is not empty" errors.
Adding to [mysqld] and [sst]:
encrypt=4 # (only in [sst])
ssl-key=/etc/mysql/certs/server-key.pem
ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
and copying the generated files from node1 to these locations
results in a started 2nd node.
Either the SSL files need to be generated outside datadir
and the default location adjusted, or the SST has to ignore those files in the datadir,
or we need a step between setting up the 1st node in the default config and moving the SSL files out of datadir and reconfiguring all nodes ...
Or did I miss something?
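An added check, not part of the issue or of Percona's code, for the layout the reporter ended up with: the three SSL files configured in both [mysqld] and [sst], pointing outside datadir, with encrypt=4 only in [sst]. The my.cnf text is a constructed sample, and parsing it with configparser is a simplification of MySQL's option-file syntax.

```python
"""Verify that a PXC 8.0 my.cnf keeps its SST/SSL files outside datadir."""
import configparser
import os

# Constructed sample my.cnf mirroring the [mysqld]/[sst] settings from the report.
SAMPLE_CNF = """
[mysqld]
datadir=/var/lib/mysql
wsrep_cluster_address=gcomm://ip1,ip2,ip3
ssl-key=/etc/mysql/certs/server-key.pem
ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/server-cert.pem

[sst]
encrypt=4
ssl-key=/etc/mysql/certs/server-key.pem
ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
"""

SSL_KEYS = ("ssl_ca", "ssl_cert", "ssl_key")


def load_cnf(text):
    """Parse my.cnf text; MySQL treats '-' and '_' in option names alike."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, inline_comment_prefixes=("#",))
    cp.optionxform = lambda opt: opt.strip().replace("-", "_").lower()
    cp.read_string(text)
    return cp


def check_ssl_layout(text):
    """Return a list of problems; an empty list means the workaround layout is in place."""
    cp = load_cnf(text)
    problems = []
    datadir = cp.get("mysqld", "datadir", fallback="/var/lib/mysql").rstrip("/")
    for section in ("mysqld", "sst"):
        if not cp.has_section(section):
            problems.append(f"missing [{section}] section")
            continue
        for key in SSL_KEYS:
            path = cp.get(section, key, fallback=None)
            if not path:
                problems.append(f"[{section}] lacks {key}")
            elif os.path.commonpath([datadir, os.path.abspath(path)]) == datadir:
                # Per the report, a joiner with these files in datadir fails with
                # "/var/lib/mysql is not empty"; they must live elsewhere.
                problems.append(f"[{section}] {key}={path} is inside datadir {datadir}")
    if cp.has_section("sst") and cp.get("sst", "encrypt", fallback=None) != "4":
        problems.append("[sst] encrypt is not 4")
    if cp.has_section("mysqld") and cp.has_option("mysqld", "encrypt"):
        problems.append("encrypt belongs only in [sst]")
    return problems
```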