Skip to content
Permalink
Browse files
MDEV-26562: galera-sst-mariabackup is failing due to missing xtraback… 
…up_checkpoints

This commit contains workaround for a bug known as 'Red Hat issue 1870279'
(connection reset by peer issue in socat versions 1.7.3.3 to 1.7.4.0) which
further causes crashes during SST using mariabackup (when openssl is used).

Also fixed broken logic of automatic generation of the Diffie-Hellman parameters
for socat version less than 1.7.3 (which defaults to 512-bit values instead of
2048-bit ones).
  • Loading branch information
@sysprg
sysprg committed Jun 21, 2022
1 parent d453942 commit 3e09c61
Show file tree
Hide file tree
Showing 2 changed files with 70 additions and 39 deletions.
61 scripts/wsrep_sst_common.sh
View file
@@ -1187,28 +1187,27 @@ check_port()
check_for_dhparams()
{
ssl_dhparams="$DATA/dhparams.pem"
if [ ! -r "$ssl_dhparams" ]; then
get_openssl
if [ -n "$OPENSSL_BINARY" ]; then
wsrep_log_info \
"Could not find dhparams file, creating $ssl_dhparams"
local bug=0
local errmsg
errmsg=$("$OPENSSL_BINARY" \
dhparam -out "$ssl_dhparams" 2048 2>&1) || bug=1
if [ $bug -ne 0 ]; then
wsrep_log_info "run: \"$OPENSSL_BINARY\" dhparam -out \"$ssl_dhparams\" 2048"
wsrep_log_info "output: $errmsg"
wsrep_log_error "******** ERROR *****************************************"
wsrep_log_error "* Could not create the dhparams.pem file with OpenSSL. *"
wsrep_log_error "********************************************************"
ssl_dhparams=""
fi
else
# Rollback: if openssl is not installed, then use
# the default parameters:
get_openssl
if [ -n "$OPENSSL_BINARY" ]; then
wsrep_log_info \
"Could not find dhparams file, creating $ssl_dhparams"
local bug=0
local errmsg
errmsg=$("$OPENSSL_BINARY" \
dhparam -out "$ssl_dhparams" -dsaparam 2048 2>&1) || bug=1
if [ $bug -ne 0 ]; then
wsrep_log_info "run: \"$OPENSSL_BINARY\" dhparam"\
"-out \"$ssl_dhparams\" -dsaparam 2048"
wsrep_log_info "output: $errmsg"
wsrep_log_error "******** ERROR *****************************************"
wsrep_log_error "* Could not create the dhparams.pem file with OpenSSL. *"
wsrep_log_error "********************************************************"
ssl_dhparams=""
fi
else
# Rollback: if openssl is not installed, then use
# the default parameters:
ssl_dhparams=""
fi
}

@@ -1310,29 +1309,39 @@ verify_cert_matches_key()
#
check_for_version()
{
y1="${1#*.}"
local y1="${1#*.}"
[ "$y1" = "$1" ] && y1=""
z1=${y1#*.}
local z1="${y1#*.}"
[ "$z1" = "$y1" ] && z1=""
x1="${1%%.*}"
local w1="${z1#*.}"
[ "$w1" = "$z1" ] && w1=""
local x1="${1%%.*}"
y1="${y1%%.*}"
z1="${z1%%.*}"
w1="${w1%%.*}"
[ -z "$y1" ] && y1=0
[ -z "$z1" ] && z1=0
y2="${2#*.}"
[ -z "$w1" ] && w1=0
local y2="${2#*.}"
[ "$y2" = "$2" ] && y2=""
z2="${y2#*.}"
local z2="${y2#*.}"
[ "$z2" = "$y2" ] && z2=""
x2="${2%%.*}"
local w2="${z2#*.}"
[ "$w2" = "$z2" ] && w2=""
local x2="${2%%.*}"
y2="${y2%%.*}"
z2="${z2%%.*}"
w2="${w2%%.*}"
[ -z "$y2" ] && y2=0
[ -z "$z2" ] && z2=0
[ -z "$w2" ] && w2=0
[ $x1 -lt $x2 ] && return 1
[ $x1 -gt $x2 ] && return 0
[ $y1 -lt $y2 ] && return 1
[ $y1 -gt $y2 ] && return 0
[ $z1 -lt $z2 ] && return 1
[ $z1 -gt $z2 ] && return 0
[ $w1 -lt $w2 ] && return 1
return 0
}

48 scripts/wsrep_sst_mariabackup.sh
View file
@@ -218,6 +218,21 @@ get_keys()
stagemsg="$stagemsg-XB-Encrypted"
}

get_socat_ver()
{
[ -n "${SOCAT_VERSION+x}" ] && return
# Determine the socat version
SOCAT_VERSION=$(socat -V 2>&1 | \
grep -m1 -owE '[0-9]+(\.[0-9]+)+' | \
head -n1 || :)
if [ -z "$SOCAT_VERSION" ]; then
wsrep_log_error "******** FATAL ERROR ******************"
wsrep_log_error "* Cannot determine the socat version. *"
wsrep_log_error "***************************************"
exit 2
fi
}

get_transfer()
{
if [ "$tfmt" = 'nc' ]; then
@@ -283,7 +298,7 @@ get_transfer()
# If sockopt contains 'pf=ip6' somewhere in the middle,
# this will not interfere with socat, but exclude the trivial
# cases when sockopt contains 'pf=ip6' as prefix or suffix:
if [ "$sockopt" = "${sockopt#,pf=ip6}" -a \
if [ "$sockopt" = "${sockopt#,pf=ip6,}" -a \
"$sockopt" = "${sockopt%,pf=ip6}" ]
then
sockopt=",pf=ip6$sockopt"
@@ -310,22 +325,25 @@ get_transfer()
if [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]; then
tcmd="socat -u openssl-listen:$SST_PORT,reuseaddr"
else
tcmd="socat -u stdio openssl-connect:$REMOTEIP:$SST_PORT"
local addr="$REMOTEIP:$SST_PORT"
tcmd="socat -u stdio openssl-connect:$addr"
action='Encrypting'
get_socat_ver
if ! check_for_version "$SOCAT_VERSION" '1.7.4.1'; then
if check_for_version "$SOCAT_VERSION" '1.7.3.3'; then
# Workaround for a bug known as 'Red Hat issue 1870279'
# (connection reset by peer) in socat versions 1.7.3.3
# to 1.7.4.0:
tcmd="socat stdio openssl-connect:$addr,linger=10"
wsrep_log_info \
"Use workaround for socat $SOCAT_VERSION bug"
fi
fi
fi

if [ "${sockopt#*,dhparam=}" != "$sockopt" ]; then
if [ "${sockopt#*,dhparam=}" = "$sockopt" ]; then
if [ -z "$ssl_dhparams" ]; then
# Determine the socat version
SOCAT_VERSION=$(socat -V 2>&1 | \
grep -m1 -owE '[0-9]+(\.[0-9]+)+' | \
head -n1 || :)
if [ -z "$SOCAT_VERSION" ]; then
wsrep_log_error "******** FATAL ERROR ******************"
wsrep_log_error "* Cannot determine the socat version. *"
wsrep_log_error "***************************************"
exit 2
fi
get_socat_ver
if ! check_for_version "$SOCAT_VERSION" '1.7.3'; then
# socat versions < 1.7.3 will have 512-bit dhparams (too small)
# so create 2048-bit dhparams and send that as a parameter:
@@ -556,6 +574,10 @@ read_cnf()
"CERT='$tpem', KEY='$tkey', MODE='$tmode'," \
"encrypt='$encrypt'"

if [ $encrypt -ge 2 ]; then
ssl_dhparams=$(parse_cnf "$encgroups" 'ssl-dhparams')
fi

sockopt=$(parse_cnf sst sockopt "")
progress=$(parse_cnf sst progress "")
ttime=$(parse_cnf sst time 0)

0 comments on commit 3e09c61

Please sign in to comment.