[MIR] mysql-router (mysql-8.0)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
mysql-8.0 (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
[Availability]
All mysql-server-8 binary packages are already in main, except mysql-router, mysql-testsuite and mysql-source-8. Of those, mysql-router should be in main, judging by its importance to mysql setups:
upstream:
- https:/
rmadison:
mysql-router | 8.0.17-0ubuntu2 | eoan/universe
amd64, arm64, armhf, i386, ppc64el, s390x
mysql-router | 8.0.17-0ubuntu3 | focal/universe
amd64, arm64, armhf, i386, ppc64el, s390x
There are juju charms already relying on it:
https:/
being actively developed.
[Rationale]
Before mysql-server-8, mysql-router wasn't part of the upstream mysql-server source. It got included from commit:
commit 07f77542cb3
Author: Andrzej Religa <email address hidden>
Date: Fri Aug 10 13:45:46 2018
wl#10799 integrate MySQL Router into MySQL Server repository
describe: mysql-8.
Before that the last available mysql-router was:
(mysql-
distributed apart from the main mysql-server code.
[Security]
Couldn't find any CVE specific to mysql-router in:
- cve.mitre.org (only mysql-server CVEs)
- www.openwall.com (only mysql-server CVEs)
- binaries
usr/bin/
usr/bin/
usr/bin/
- no suid/sgid bits
- no services
- mysql-router default ports:
6446/tcp 6447/tcp 3306/tcp 6448/tcp 6449/tcp 33060/tcp
https:/
mysql-
[Quality assurance]
- source as mysql-server-8, binary is still in universe
- possible to config based on documentation
- do not ask debconf questions by default
- no long-term outstanding bugs (mysql behind)
- important bugs / upstream supportability:
- ubuntu pushing new debian mysql-server pkgs (tks to @rbasak).
- mysql-server-8 is already in main
- contains tests: <source>
- uses debian/watch
- does not rely on obsolete packages
- no exotic hardware
bugs since it was G/A (2018-04-19)
https:/
All MySQL Router BUGS in upstream community:
(ordered by version, only 8.0.xx matter, as they were GA)
[UI standards]
N/A
[Dependencies]
pool/
pool/
pool/
pool/
pool/
pool/
pool/
pool/
- recommends:
pool/
pool/
All dependencies are in main.
[Standards compliance]
- Meets FHC (https:/
- Same Debian policy standards as mysql-server.
[Maintenance]
- well maintained in Debian/Ubuntu
(will be maintained with mysql-server-8)
- ubuntu-server will subscribe for package maintenance
[Background information]
MySQL Router is lightweight middleware that provides transparent routing between your application and any backend MySQL Servers. It can be used for a wide variety of use cases, such as providing high availability and scalability by effectively routing database traffic to appropriate backend MySQL Servers. The pluggable architecture also enables developers to extend MySQL Router for custom use cases.
Failover
Typically, a highly available MySQL setup consists of a single master and multiple slaves and it is up to the application to handle failover, in case the MySQL master becomes unavailable. Using MySQL Router, application connections will be transparently routed based on load balancing policy, without implementing custom application code.
Load Balancing
MySQL Router provides additional scalability and performance by distributing database connections across a pool of servers. For example, if you have a replicated set of MySQL Servers, MySQL Router can distribute application connections to them in a round-robin fashion.
description: | updated |
Changed in mysql-8.0 (Ubuntu): | |
milestone: | none → ubuntu-20.04 |
Changed in mysql-8.0 (Ubuntu): | |
assignee: | nobody → Christian Ehrhardt (paelzer) |
Changed in mysql-8.0 (Ubuntu): | |
assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
assignee: | nobody → Ubuntu Security Team (ubuntu-security) |
Changed in mysql-8.0 (Ubuntu): | |
status: | New → Confirmed |
[Summary]
- MIR Team ack
- needs no subscriber as it is part of mysql-8 which has the server Team subscribed already
@Security
- Security check of the subdir router/* requested
@Server
- While security is working on the review the server Team should try to enable the tests in router/test/* in either build or autopkgtest
- should we add a service file or something or is this intentionally up to the users and/or the mentioned charms thereof?
- d/copyright could get an update lintian yells about it all over the place
[Background]
This is the request to review a new binary of a package otherwise already in main.
But since the functionality wasn't in the source long ago when it was accepted and since functionally it is rather (security) critical a re-review was requested.
Going forward it is important to understand that we are not (re-)reviewing all of mysql but the subdir router/* and its associated snippets in the build system and debian directory.
[Duplication]
There is no other package that provides the function of mysql-router.
There are other DB-proxies like postgresql-12-pgpool2 mariadb maxscale, ... there is none for mysql yet and none in main.
[Embedded sources and static linking]
- no embedded libs
- no golang
[Security]
- no history of CVEs
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
Ok, but worth to look at:
- while it does not run a daemon as root (we only provide the binary, no service)
That still means for deployment people will have to use it in such a way or similar
=> https://dev.mysql.com/doc/mysql-router/8.0/en/mysql-router-general-using-deploying.html
- while only redirecting instead of handling the requests it does parse data formats
- it opens a port or sockets depending on setup
- technically a proxy is itself a "man in the middle" so attacks like that get more attack surface to work with
While being under the same strict coverage like mysql8 itself being part of the same source feels good I think this is worth a check by the security Team.
[Common blockers]
- builds fine atm
- already has a bug subscriber
- translations are not present (for this component) but it isn't user facing
- not a python package, so no further checks on that needed
Not perfect, but acceptable for now:
- router has an own test section in the code at router/tests
But I see none of them run at build or autopkgtest time:
=> https://launchpadlibrarian.net/452198941/buildlog_ubuntu-focal-amd64.mysql-8.0_8.0.18-0ubuntu3_BUILDING.txt.gz
=> https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-focal/focal/amd64/m/mysql-8.0/20191119_213042_010c3@/log.gz
Adding that would be great for QA
Adding that would be great for QA
[Packaging red flags]
- Ubuntu carries delta in general but nothing massive and nothing on router
- it has a bunch of "internal" libs in /usr/lib/mysql-router/ not meant for external usage.
While tracking symbols is nice in this case it isn't strictly required
Also once bug 1845661 is fixed ...