diff --git a/SOURCES/README.wsrep_sst_rsync_tunnel b/SOURCES/README.wsrep_sst_rsync_tunnel new file mode 100644 index 0000000..0222b34 --- /dev/null +++ b/SOURCES/README.wsrep_sst_rsync_tunnel @@ -0,0 +1,132 @@ +socat tunnel for encrypted rsync SST +==================================== + +`wsrep_sst_rsync_tunnel` is an extension of the rsync-based [SST](http://galeracluster.com/documentation-webpages/glossary.html#term-state-snapshot-transfer) +implementation that ships with mariadb. Its purpose is to encrypt +communication between the donor and the joiner during an SST. + +Encryption is implemented by means of a socat tunnel, using OPENSSL +addresses. It can be configured via the regular openssl flags exposed +by socat. + + +## How to configure the script + +This SST script can configured by setting a few keys in your favorite +mariadb option file in addition to the usual galera settings. + + [mysqld] + ... + bind_address= + wsrep_sst_method=rsync_tunnel + ... + + [sst] + tca=/path/to/your/ca-file.crt + tcert=/path/to/node/certificate.crt + tkey=/path/to/node/key.key + sockopt= + +When a joiner node requests an SST, `wsrep_sst_rsync_tunnel` uses +socat to listen to incoming SSL connections on port 4444 in lieu of +the original rsync daemon. Received data will be forwarded to the +rscynd daemon started locally to replicate the database. + +When a donor node serves the SST, `wsrep_sst_rsync_tunnel` makes +a series of rsync calls that target a locally started socat daemon. +The daemon tunnels all rsync traffic into an encrypted SSL connection +that targets the joiner's end of the socat tunnel. + +Encryption parameters are specified under the `[sst]` group in the +mariadb option file, where `tkey` and `tcert` are respectively the key +and the certificate that are used by both sides of the socat tunnel. +Each node typically has a different key and cert. Both key and +certificate can be combined into a single PEM file and referenced by +`tcert`. Option `tca` holds a list of the trusted signing +certificates. + +In case you need to tweak the creation of the SSL connection, you can +pass valid socat options (as per socat manual) via the `sockopt` key. +For debugging purpose, the exact socat command that is being executed +shows up in the mariadb log file. + +Note that socat verifies that the certificate's commonName matches +that of the host that is being targeted. The target name comes from +the value configured in `bind_address`, so it's important that it +matches the certificate's commonName. An IP address can be used for +`bind_address`, but you may get into trouble in case different +hostnames resolve to the same IP (e.g. multiple networks per host). + + +## Examples of use + +Suppose you're running a 3-node galera cluster +`node1.my.cluster`, `node2.my.cluster`, `node3.my.cluster`. + +### Scenario: using self-signed certificates + +On each node, create a key and a certificate, and bundle them into a +single PEM file. For instance on `node1.my.cluster`: + + openssl genrsa -out /tls/mysql-$(hostname -f).key 2048 + openssl req -new -key /tls/mysql-$(hostname -f).key -x509 -days 365000 -subj "/CN=$(hostname -f)" -out /tls/mysql-$(hostname -f).crt -batch + cat /tls/mysql-$(hostname -f).key /tls/mysql-$(hostname -f).crt > /tls/mysql.pem + +Then, on each node, create a cafile that will contain all the certs to +trust: + + for n in node1.my.cluster node2.my.cluster node3.my.cluster; do + ssh $n 'cat /tls/mysql-$(hostname -f).crt' >> /tls/all-mysql.crt + done + +Once you have those two files on each host, you can configure the SST +appropriately. For instance from `/etc/my.cnf.d/galera.cnf`: + + [mysqld] + ... + + [sst] + tca=/tls/all-mysql.crt + tcert=/tls/mysql.pem + +### Scenario: using self-signed certificates, without verification + +By default, when socat tries to establish a SSL connection to a peer, +it also verifies that it can trust the peer's certificate. If for some +reason you need to disable that feature, you can amend the previous +configuration with a sockopt option: + + [mysqld] + ... + + [sst] + tca=/tls/all-mysql.crt + tcert=/tls/mysql.pem + sockopt="verify=0" + +The associated sockopt value is passed to socat when +the donor or the joiner configures his part of the tunnel. + +Note: please do not do so in production, this is inherently insecure +as you will not verify the identity of the peer you're connecting to! + +### Scenario: using certificates from a CA + +Suppose you have a FreeIPA service which generated a key file and a +certificate file for the three galera nodes, respectively located at +/tls/mysql.key and /tls/mysql.crt. + +Assuming that the certificate for the FreeIPA server is available at +/etc/ipa/ca.crt, you can configure you galera servers as follows: + + [sst] + tca=/etc/ipa/ca.crt + tcert=/tls/mysql.crt + tkey=/tls/mysql.key + +## License + +Copyright © 2017 [Damien Ciabrini](https://github.com/dciabrin). +This work is derived from the original `wsrep_rsync_sst`, copyright +© 2010-2014 [Codership Oy](https://github.com/codership). +Released under the GNU GPLv2. diff --git a/SOURCES/wsrep_sst_rsync_tunnel b/SOURCES/wsrep_sst_rsync_tunnel new file mode 100644 index 0000000..f537249 --- /dev/null +++ b/SOURCES/wsrep_sst_rsync_tunnel @@ -0,0 +1,492 @@ +#!/bin/bash -ue + +# Copyright (C) 2010-2014 Codership Oy +# Copyright (C) 2017-2020 Damien Ciabrini +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston +# MA 02110-1301 USA. + +# This is a reference script for rsync-based state snapshot tansfer +# over an encrypted communication channel, managed by socat + +RSYNC_PID= # rsync pid file +RSYNC_CONF= # rsync configuration file +RSYNC_REAL_PID= # rsync process id + +SOCAT_PID= # socat pid file +SOCAT_REAL_PID= # socat process id + +SOCAT_OPTS= # openssl connection args + +MODULE="rsync_tunnel_sst" + +OS=$(uname) +[ "$OS" == "Darwin" ] && export -n LD_LIBRARY_PATH + +# Setting the path for lsof on CentOS +export PATH="/usr/sbin:/sbin:$PATH" + +. $(dirname $0)/wsrep_sst_common + +wsrep_check_programs rsync socat + +cleanup_pid() +{ + local real_pid=$1 + [ "0" != "$real_pid" ] && \ + kill $real_pid && \ + sleep 0.5 && \ + kill -9 $real_pid >/dev/null 2>&1 || \ + : +} + +cleanup_tunnel() +{ + if [ -n "$SOCAT_REAL_PID" ] && ps -p "$SOCAT_REAL_PID" >/dev/null 2>&1; then + wsrep_log_info "cleanup socat PID: $SOCAT_REAL_PID" + cleanup_pid $SOCAT_REAL_PID + fi + rm -rf "$SOCAT_PID" +} + +cleanup_joiner() +{ + wsrep_log_info "Joiner cleanup. rsync PID: $RSYNC_REAL_PID" + [ -n "$RSYNC_REAL_PID" ] && cleanup_pid $RSYNC_REAL_PID + rm -rf "$RSYNC_CONF" + rm -rf "$MAGIC_FILE" + rm -rf "$RSYNC_PID" + + cleanup_tunnel + + wsrep_log_info "Joiner cleanup done." + if [ "${WSREP_SST_OPT_ROLE}" = "joiner" ];then + wsrep_cleanup_progress_file + fi +} + +# Check whether process is still running. +check_pid() +{ + local pid_file=$1 + [ -r "$pid_file" ] && ps -p $(cat $pid_file) >/dev/null 2>&1 +} + +check_pid_and_port() +{ + local pid_file=$1 + local service_pid=$2 + local service_port=$3 + local service_host=$4 + local service_name=$5 + + if ! which lsof > /dev/null; then + wsrep_log_error "lsof tool not found in PATH! Make sure you have it installed." + exit 2 # ENOENT + fi + + local port_info=$(lsof -i "@"$service_host:$service_port -Pn 2>/dev/null | \ + grep "(LISTEN)") + local is_service=$(echo $port_info | \ + grep -w '^'"$service_name"'[[:space:]]\+'"$service_pid" 2>/dev/null) + + if [ -n "$port_info" -a -z "$is_service" ]; then + wsrep_log_error "$service_name daemon port '$service_port' has been taken" + exit 16 # EBUSY + fi + + if ! check_pid $pid_file; then + wsrep_log_error "$service_name process terminated unexpectedly" + exit 10 # ECHILD + fi + + [ -n "$port_info" ] && [ -n "$is_service" ] && \ + [ $(cat $pid_file) -eq $service_pid ] +} + +config_from_cnf() +{ + local group=$1 + local key=$2 + echo $($MY_PRINT_DEFAULTS $group | grep -- "--$key=" | cut -d= -f2- | tail -1) +} + +setup_tunnel_args() +{ + tca=$(config_from_cnf sst tca) + tkey=$(config_from_cnf sst tkey) + tcert=$(config_from_cnf sst tcert) + sockopt=$(config_from_cnf sst sockopt) + + if [ -z "$tcert" ]; then + wsrep_log_error "Encryption certificate not found in my.cnf" + exit 3 + else + SOCAT_OPTS="cert=$tcert" + fi + [ -n "$tkey" ] && SOCAT_OPTS="$SOCAT_OPTS,key=$tkey" + [ -n "$tca" ] && SOCAT_OPTS="$SOCAT_OPTS,cafile=$tca" + wsrep_log_info "Encryption setting to be used for socat tunnel: $SOCAT_OPTS" + + [ -n "$sockopt" ] && SOCAT_OPTS="$SOCAT_OPTS,$sockopt" +} + +MAGIC_FILE="$WSREP_SST_OPT_DATA/rsync_tunnel_sst_complete" +rm -rf "$MAGIC_FILE" + +BINLOG_TAR_FILE="$WSREP_SST_OPT_DATA/wsrep_sst_binlog.tar" +BINLOG_N_FILES=1 +rm -f "$BINLOG_TAR_FILE" || : + +if ! [ -z $WSREP_SST_OPT_BINLOG ] +then + BINLOG_DIRNAME=$(dirname $WSREP_SST_OPT_BINLOG) + BINLOG_FILENAME=$(basename $WSREP_SST_OPT_BINLOG) +fi + +WSREP_LOG_DIR=${WSREP_LOG_DIR:-""} +# if WSREP_LOG_DIR env. variable is not set, try to get it from my.cnf +if [ -z "$WSREP_LOG_DIR" ]; then + WSREP_LOG_DIR=$($MY_PRINT_DEFAULTS --mysqld \ + | grep -- '--innodb[-_]log[-_]group[-_]home[-_]dir=' \ + | cut -b 29- ) +fi + +if [ -n "$WSREP_LOG_DIR" ]; then + # handle both relative and absolute paths + WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; mkdir -p "$WSREP_LOG_DIR"; cd $WSREP_LOG_DIR; pwd -P) +else + # default to datadir + WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; pwd -P) +fi + +# Old filter - include everything except selected +# FILTER=(--exclude '*.err' --exclude '*.pid' --exclude '*.sock' \ +# --exclude '*.conf' --exclude core --exclude 'galera.*' \ +# --exclude grastate.txt --exclude '*.pem' \ +# --exclude '*.[0-9][0-9][0-9][0-9][0-9][0-9]' --exclude '*.index') + +# New filter - exclude everything except dirs (schemas) and innodb files +FILTER=(-f '- /lost+found' -f '- /.fseventsd' -f '- /.Trashes' + -f '+ /wsrep_sst_binlog.tar' -f '+ /ib_lru_dump' -f '+ /ibdata*' -f '+ /*/' -f '- /*') + +SOCAT_PID="$WSREP_SST_OPT_DATA/$MODULE-socat.pid" + +if check_pid $SOCAT_PID +then + wsrep_log_error "socat tunnel already running." + exit 114 # EALREADY +fi +rm -rf "$SOCAT_PID" + +setup_tunnel_args + +if [ "$WSREP_SST_OPT_ROLE" = "donor" ] +then + + SOCAT_JOINER_ADDR=$(echo $WSREP_SST_OPT_ADDR | awk -F'/' '{print $1}') + # map to name in case we received an IP + SOCAT_JOINER_HOST=$(getent hosts $SOCAT_JOINER_ADDR | awk '{ print $2 }') + if [ -z "$SOCAT_JOINER_HOST" ]; then + SOCAT_JOINER_HOST=$SOCAT_JOINER_ADDR + fi + SOCAT_PORT=$(echo $SOCAT_JOINER_ADDR | awk -F ':' '{ print $2 }') + if [ -z "$SOCAT_PORT" ] + then + SOCAT_PORT=4444 + fi + TARGET_ADDR=localhost:$SOCAT_PORT/$MODULE + + trap cleanup_tunnel EXIT + + # Socat forwards rsync connections to the joiner + SOCAT_SRC=tcp-listen:$SOCAT_PORT,bind=localhost,reuseaddr,fork + SOCAT_DST=openssl:$SOCAT_JOINER_HOST,$SOCAT_OPTS + wsrep_log_info "Setting up tunnel for donor: socat $SOCAT_SRC $SOCAT_DST" + socat $SOCAT_SRC $SOCAT_DST & + SOCAT_REAL_PID=$! + # This is ok because a local galera node doesn't run SST concurrently + echo $SOCAT_REAL_PID >"$SOCAT_PID" + until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT localhost "socat" + do + sleep 0.2 + done + + if [ $WSREP_SST_OPT_BYPASS -eq 0 ] + then + + FLUSHED="$WSREP_SST_OPT_DATA/tables_flushed" + ERROR="$WSREP_SST_OPT_DATA/sst_error" + + rm -rf "$FLUSHED" + rm -rf "$ERROR" + + # Use deltaxfer only for WAN + inv=$(basename $0) + [ "$inv" = "wsrep_sst_rsync_wan" ] && WHOLE_FILE_OPT="" \ + || WHOLE_FILE_OPT="--whole-file" + + echo "flush tables" + + # Wait for : + # (a) Tables to be flushed, AND + # (b) Cluster state ID & wsrep_gtid_domain_id to be written to the file, OR + # (c) ERROR file, in case flush tables operation failed. + + while [ ! -r "$FLUSHED" ] && ! grep -q ':' "$FLUSHED" >/dev/null 2>&1 + do + # Check whether ERROR file exists. + if [ -f "$ERROR" ] + then + # Flush tables operation failed. + rm -rf "$ERROR" + exit 255 + fi + + sleep 0.2 + done + + STATE="$(cat $FLUSHED)" + rm -rf "$FLUSHED" + + sync + + if ! [ -z $WSREP_SST_OPT_BINLOG ] + then + # Prepare binlog files + pushd $BINLOG_DIRNAME &> /dev/null + binlog_files_full=$(tail -n $BINLOG_N_FILES ${BINLOG_FILENAME}.index) + binlog_files="" + for ii in $binlog_files_full + do + binlog_files="$binlog_files $(basename $ii)" + done + if ! [ -z "$binlog_files" ] + then + wsrep_log_info "Preparing binlog files for transfer:" + tar -cvf $BINLOG_TAR_FILE $binlog_files >&2 + fi + popd &> /dev/null + fi + + # first, the normal directories, so that we can detect incompatible protocol + RC=0 + rsync --owner --group --perms --links --specials \ + --ignore-times --inplace --dirs --delete --quiet \ + $WHOLE_FILE_OPT "${FILTER[@]}" "$WSREP_SST_OPT_DATA/" \ + rsync://$TARGET_ADDR >&2 || RC=$? + + if [ "$RC" -ne 0 ]; then + wsrep_log_error "rsync returned code $RC:" + + case $RC in + 12) RC=71 # EPROTO + wsrep_log_error \ + "rsync server on the other end has incompatible protocol. " \ + "Make sure you have the same version of rsync on all nodes." + ;; + 22) RC=12 # ENOMEM + ;; + *) RC=255 # unknown error + ;; + esac + exit $RC + fi + + # second, we transfer InnoDB log files + rsync --owner --group --perms --links --specials \ + --ignore-times --inplace --dirs --delete --quiet \ + $WHOLE_FILE_OPT -f '+ /ib_logfile[0-9]*' -f '- **' "$WSREP_LOG_DIR/" \ + rsync://$TARGET_ADDR-log_dir >&2 || RC=$? + + if [ $RC -ne 0 ]; then + wsrep_log_error "rsync innodb_log_group_home_dir returned code $RC:" + exit 255 # unknown error + fi + + # then, we parallelize the transfer of database directories, use . so that pathconcatenation works + pushd "$WSREP_SST_OPT_DATA" >/dev/null + + count=1 + [ "$OS" == "Linux" ] && count=$(grep -c processor /proc/cpuinfo) + [ "$OS" == "Darwin" -o "$OS" == "FreeBSD" ] && count=$(sysctl -n hw.ncpu) + + find . -maxdepth 1 -mindepth 1 -type d -not -name "lost+found" -print0 | \ + xargs -I{} -0 -P $count \ + rsync --owner --group --perms --links --specials \ + --ignore-times --inplace --recursive --delete --quiet \ + $WHOLE_FILE_OPT --exclude '*/ib_logfile*' "$WSREP_SST_OPT_DATA"/{}/ \ + rsync://$TARGET_ADDR/{} >&2 || RC=$? + + popd >/dev/null + + if [ $RC -ne 0 ]; then + wsrep_log_error "find/rsync returned code $RC:" + exit 255 # unknown error + fi + + else # BYPASS + wsrep_log_info "Bypassing state dump." + + # Store donor's wsrep GTID (state ID) and wsrep_gtid_domain_id + # (separated by a space). + STATE="$WSREP_SST_OPT_GTID $WSREP_SST_OPT_GTID_DOMAIN_ID" + fi + + echo "continue" # now server can resume updating data + + echo "$STATE" > "$MAGIC_FILE" + rsync --archive --quiet --checksum "$MAGIC_FILE" rsync://$TARGET_ADDR + + # to avoid cleanup race, stop tunnel before declaring the SST finished. + # This ensures galera won't start a new SST locally before we exit. + cleanup_tunnel + + echo "done $STATE" + +elif [ "$WSREP_SST_OPT_ROLE" = "joiner" ] +then + wsrep_check_programs lsof socat + + touch $SST_PROGRESS_FILE + MYSQLD_PID=$WSREP_SST_OPT_PARENT + + RSYNC_PID="$WSREP_SST_OPT_DATA/$MODULE.pid" + + if check_pid $RSYNC_PID + then + wsrep_log_error "rsync daemon already running." + exit 114 # EALREADY + fi + rm -rf "$RSYNC_PID" + + ADDR=$WSREP_SST_OPT_ADDR + RSYNC_PORT=$(echo $ADDR | awk -F ':' '{ print $2 }') + if [ -z "$RSYNC_PORT" ] + then + RSYNC_PORT=4444 + ADDR="$(echo $ADDR | awk -F ':' '{ print $1 }'):$RSYNC_PORT" + fi + + SOCAT_ADDR=$(echo $ADDR | awk -F ':' '{ print $1 }') + # map to name in case we received an IP + SOCAT_HOST=$(getent hosts $SOCAT_ADDR | awk '{ print $2 }') + if [ -z "$SOCAT_HOST" ]; then + SOCAT_HOST=$SOCAT_ADDR + fi + SOCAT_PORT=$RSYNC_PORT + + trap "exit 32" HUP PIPE + trap "exit 3" INT TERM ABRT + trap cleanup_joiner EXIT + + RSYNC_CONF="$WSREP_SST_OPT_DATA/$MODULE.conf" + + if [ -n "${MYSQL_TMP_DIR:-}" ] ; then + SILENT="log file = $MYSQL_TMP_DIR/rsynd.log" + else + SILENT="" + fi + +cat << EOF > "$RSYNC_CONF" +pid file = $RSYNC_PID +use chroot = no +read only = no +timeout = 300 +$SILENT +[$MODULE] + path = $WSREP_SST_OPT_DATA +[$MODULE-log_dir] + path = $WSREP_LOG_DIR +EOF + +# rm -rf "$DATA"/ib_logfile* # we don't want old logs around + + # Socat receives rsync connections from the donor + SOCAT_SRC=openssl-listen:$SOCAT_PORT,bind=$SOCAT_HOST,reuseaddr,fork,$SOCAT_OPTS + SOCAT_DST=tcp:localhost:$RSYNC_PORT + wsrep_log_info "Setting up tunnel for joiner: socat $SOCAT_SRC $SOCAT_DST" + socat $SOCAT_SRC $SOCAT_DST & + SOCAT_REAL_PID=$! + # This is ok because a local galera node doesn't run SST concurrently + echo $SOCAT_REAL_PID >"$SOCAT_PID" + until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT $SOCAT_HOST "socat" + do + sleep 0.2 + done + + wsrep_log_info "rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config \"$RSYNC_CONF\"" + rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config "$RSYNC_CONF" & + RSYNC_REAL_PID=$! + + until check_pid_and_port $RSYNC_PID $RSYNC_REAL_PID $RSYNC_PORT localhost "rsync" + do + sleep 0.2 + done + + echo "ready $ADDR/$MODULE" + + # wait for SST to complete by monitoring magic file + while [ ! -r "$MAGIC_FILE" ] && check_pid "$RSYNC_PID" && \ + check_pid "$SOCAT_PID" && ps -p $MYSQLD_PID >/dev/null + do + sleep 1 + done + + # to avoid cleanup race, we can tear down the socat tunnel now + # before signaling the end of the SST to galera. + cleanup_tunnel + + if ! ps -p $MYSQLD_PID >/dev/null + then + wsrep_log_error \ + "Parent mysqld process (PID:$MYSQLD_PID) terminated unexpectedly." + exit 32 + fi + + if ! [ -z $WSREP_SST_OPT_BINLOG ] + then + + pushd $BINLOG_DIRNAME &> /dev/null + if [ -f $BINLOG_TAR_FILE ] + then + # Clean up old binlog files first + rm -f ${BINLOG_FILENAME}.* + wsrep_log_info "Extracting binlog files:" + tar -xvf $BINLOG_TAR_FILE >&2 + for ii in $(ls -1 ${BINLOG_FILENAME}.*) + do + echo ${BINLOG_DIRNAME}/${ii} >> ${BINLOG_FILENAME}.index + done + fi + popd &> /dev/null + fi + if [ -r "$MAGIC_FILE" ] + then + # UUID:seqno & wsrep_gtid_domain_id is received here. + cat "$MAGIC_FILE" # Output : UUID:seqno wsrep_gtid_domain_id + else + # this message should cause joiner to abort + echo "rsync process ended without creating '$MAGIC_FILE'" + fi + wsrep_cleanup_progress_file +# cleanup_joiner +else + wsrep_log_error "Unrecognized role: '$WSREP_SST_OPT_ROLE'" + exit 22 # EINVAL +fi + +rm -f $BINLOG_TAR_FILE || : + +exit 0 diff --git a/SPECS/mariadb.spec b/SPECS/mariadb.spec index fc1f956..bea684a 100644 --- a/SPECS/mariadb.spec +++ b/SPECS/mariadb.spec @@ -154,7 +154,7 @@ Name: mariadb Version: 10.5.12 -Release: 2%{?with_debug:.debug}%{?dist} +Release: 3%{?with_debug:.debug}%{?dist} Epoch: 3 Summary: A very fast and robust SQL database server @@ -170,6 +170,7 @@ Source0: https://fedoraproject.org/mariadb-%{version}-downstream_modifi Source2: mysql_config_multilib.sh Source3: my.cnf.in Source6: README.mariadb-docs +Source8: README.wsrep_sst_rsync_tunnel Source10: mariadb.tmpfiles.d.in Source11: mysql.service.in Source12: mariadb-prepare-db-dir.sh @@ -204,6 +205,10 @@ Source71: LICENSE.clustercheck # https://jira.mariadb.org/browse/MDEV-12646 Source72: mariadb-server-galera.te +# Script to support encrypted rsync transfers when SST is required between nodes. +# https://github.com/dciabrin/wsrep_sst_rsync_tunnel/blob/master/wsrep_sst_rsync_tunnel +Source73: wsrep_sst_rsync_tunnel + # Patch4: Red Hat distributions specific logrotate fix # it would be big unexpected change, if we start shipping it now. Better wait for MariaDB 10.2 Patch4: %{pkgnamepatch}-logrotate.patch @@ -766,7 +771,7 @@ cat %{SOURCE53} | tee -a mysql-test/unstable-tests %endif cp %{SOURCE2} %{SOURCE3} %{SOURCE10} %{SOURCE11} %{SOURCE12} \ - %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE18} %{SOURCE70} scripts + %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE18} %{SOURCE70} %{SOURCE73} scripts %if %{with galera} # prepare selinux policy @@ -1042,6 +1047,7 @@ ln -s %{_libexecdir}/mariadbd %{buildroot}%{_sbindir}/mariadbd # copy additional docs into build tree so %%doc will find them install -p -m 0644 %{SOURCE6} %{basename:%{SOURCE6}} +install -p -m 0644 %{SOURCE8} %{basename:%{SOURCE8}} install -p -m 0644 %{SOURCE16} %{basename:%{SOURCE16}} install -p -m 0644 %{SOURCE71} %{basename:%{SOURCE71}} @@ -1063,6 +1069,9 @@ rm -r %{buildroot}%{_datadir}/%{pkg_name}/policy/apparmor # Buildroot does not have symlink /lib64 --> /usr/lib64 mv %{buildroot}/%{_lib}/security %{buildroot}%{_libdir} +# Add wsrep_sst_rsync_tunnel script +install -p -m 0755 scripts/wsrep_sst_rsync_tunnel %{buildroot}%{_bindir}/wsrep_sst_rsync_tunnel + # Disable plugins %if %{with gssapi} sed -i 's/^plugin-load-add/#plugin-load-add/' %{buildroot}%{_sysconfdir}/my.cnf.d/auth_gssapi.cnf @@ -1380,6 +1389,7 @@ fi %endif %files server +%doc README.wsrep_sst_rsync_tunnel %{_bindir}/aria_{chk,dump_log,ftdump,pack,read_log} %{_bindir}/mariadb-service-convert @@ -1638,6 +1648,9 @@ fi %endif %changelog +* Mon Oct 11 2021 Michal Schorm - 3:10.5.12-3 +- Add wsrep_sst_rsync_tunnel script + * Tue Aug 17 2021 Honza Horak - 3:10.5.12-2 - Fix OpenSSL 3.x compatibility Resolves: #1962047