843388
socat tunnel for encrypted rsync SST
843388
====================================
843388
843388
`wsrep_sst_rsync_tunnel` is an extension of the rsync-based [SST](http://galeracluster.com/documentation-webpages/glossary.html#term-state-snapshot-transfer)
843388
implementation that ships with mariadb. Its purpose is to encrypt
843388
communication between the donor and the joiner during an SST.
843388
843388
Encryption is implemented by means of a socat tunnel, using OPENSSL
843388
addresses. It can be configured via the regular openssl flags exposed
843388
by socat.
843388
843388
843388
## How to configure the script
843388
843388
This SST script can configured by setting a few keys in your favorite
843388
mariadb option file in addition to the usual galera settings.
843388
843388
    [mysqld]
843388
    ...
843388
    bind_address=<node-name>
843388
    wsrep_sst_method=rsync_tunnel
843388
    ...
843388
    
843388
    [sst]
843388
    tca=/path/to/your/ca-file.crt
843388
    tcert=/path/to/node/certificate.crt
843388
    tkey=/path/to/node/key.key
843388
    sockopt=<openssl-address-options-as-per-socat-manual>
843388
843388
When a joiner node requests an SST, `wsrep_sst_rsync_tunnel` uses
843388
socat to listen to incoming SSL connections on port 4444 in lieu of
843388
the original rsync daemon. Received data will be forwarded to the
843388
rscynd daemon started locally to replicate the database.
843388
843388
When a donor node serves the SST, `wsrep_sst_rsync_tunnel` makes
843388
a series of rsync calls that target a locally started socat daemon.
843388
The daemon tunnels all rsync traffic into an encrypted SSL connection
843388
that targets the joiner's end of the socat tunnel.
843388
843388
Encryption parameters are specified under the `[sst]` group in the
843388
mariadb option file, where `tkey` and `tcert` are respectively the key
843388
and the certificate that are used by both sides of the socat tunnel.
843388
Each node typically has a different key and cert. Both key and
843388
certificate can be combined into a single PEM file and referenced by
843388
`tcert`. Option `tca` holds a list of the trusted signing
843388
certificates.
843388
843388
In case you need to tweak the creation of the SSL connection, you can
843388
pass valid socat options (as per socat manual) via the `sockopt` key.
843388
For debugging purpose, the exact socat command that is being executed
843388
shows up in the mariadb log file.
843388
843388
Note that socat verifies that the certificate's commonName matches
843388
that of the host that is being targeted. The target name comes from
843388
the value configured in `bind_address`, so it's important that it
843388
matches the certificate's commonName. An IP address can be used for
843388
`bind_address`, but you may get into trouble in case different
843388
hostnames resolve to the same IP (e.g. multiple networks per host).
843388
843388
843388
## Examples of use
843388
843388
Suppose you're running a 3-node galera cluster
843388
`node1.my.cluster`, `node2.my.cluster`, `node3.my.cluster`.
843388
843388
### Scenario: using self-signed certificates
843388
843388
On each node, create a key and a certificate, and bundle them into a
843388
single PEM file. For instance on `node1.my.cluster`:
843388
843388
    openssl genrsa -out /tls/mysql-$(hostname -f).key 2048
843388
    openssl req -new -key /tls/mysql-$(hostname -f).key -x509 -days 365000 -subj "/CN=$(hostname -f)" -out /tls/mysql-$(hostname -f).crt -batch
843388
    cat /tls/mysql-$(hostname -f).key /tls/mysql-$(hostname -f).crt > /tls/mysql.pem
843388
843388
Then, on each node, create a cafile that will contain all the certs to
843388
trust:
843388
843388
    for n in node1.my.cluster node2.my.cluster node3.my.cluster; do
843388
       ssh $n 'cat /tls/mysql-$(hostname -f).crt' >> /tls/all-mysql.crt
843388
    done
843388
843388
Once you have those two files on each host, you can configure the SST
843388
appropriately. For instance from `/etc/my.cnf.d/galera.cnf`:
843388
843388
    [mysqld]
843388
    ...
843388
    
843388
    [sst]
843388
    tca=/tls/all-mysql.crt
843388
    tcert=/tls/mysql.pem
843388
843388
### Scenario: using self-signed certificates, without verification
843388
843388
By default, when socat tries to establish a SSL connection to a peer,
843388
it also verifies that it can trust the peer's certificate. If for some
843388
reason you need to disable that feature, you can amend the previous
843388
configuration with a sockopt option:
843388
843388
    [mysqld]
843388
    ...
843388
    
843388
    [sst]
843388
    tca=/tls/all-mysql.crt
843388
    tcert=/tls/mysql.pem
843388
    sockopt="verify=0"
843388
843388
The associated sockopt value is passed to socat when
843388
the donor or the joiner configures his part of the tunnel.
843388
843388
Note: please do not do so in production, this is inherently insecure
843388
as you will not verify the identity of the peer you're connecting to!
843388
843388
### Scenario: using certificates from a CA
843388
843388
Suppose you have a FreeIPA service which generated a key file and a
843388
certificate file for the three galera nodes, respectively located at
843388
/tls/mysql.key and /tls/mysql.crt.
843388
843388
Assuming that the certificate for the FreeIPA server is available at
843388
/etc/ipa/ca.crt, you can configure you galera servers as follows:
843388
843388
    [sst]
843388
    tca=/etc/ipa/ca.crt
843388
    tcert=/tls/mysql.crt
843388
    tkey=/tls/mysql.key
843388
843388
## License
843388
843388
Copyright © 2017 [Damien Ciabrini](https://github.com/dciabrin).
843388
This work is derived from the original `wsrep_rsync_sst`, copyright
843388
© 2010-2014 [Codership Oy](https://github.com/codership).
843388
Released under the GNU GPLv2.