SST encryption not working with xtrabackup-v2
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Percona XtraDB Cluster moved to https://jira.percona.com/projects/PXC | Fix Released | Undecided | Unassigned | |
Bug Description
On a fresh install of Percona Galera (CentOS 7, Percona-
I'm using the most basic my.cnf as per the Galera main documentation (5.6.24-25.11) to narrow down possible causes.
I'm also using the test files from Launchpad as linked in the docs for testing purposes. Permissions for these files are 0600 and owned by user mysql
The log says that there is a problem with the socat connection as “library:
I've eliminated the usual suspects by:
- Disabling selinux
- Opening ports 3306/tcp, 4444/tcp, 4567/tcp, 4568/tcp in firewalld
- Ensuring that socat is built with OpenSSL:
    socat -V | grep OPENSSL
    #define WITH_OPENSSL 1
- Even giving a 777 to the .pem and .crt files
These are the my.conf file and log
#######
[mysqld]
datadir=
user=mysql
log_error = /var/log/
# Path to Galera library
wsrep_provider=
# Cluster connection URL contains the IPs of node#1, node#2 and node#3
wsrep_cluster_
# In order for Galera to work correctly binlog format should be ROW
binlog_format=ROW
# MyISAM storage engine has only experimental support
default_
# This changes how InnoDB autoincrement locks are managed and is a requirement for Galera
innodb_
# Node #1 address
wsrep_node_
# SST method
wsrep_sst_
# Cluster name
wsrep_cluster_
[xtrabackup]
target_dir = /data/backups/
[sst]
encrypt=2
tca=/etc/
tcert=/
!includedir /etc/my.cnf.d
#######
2015-07-06 10:51:20 10739 [Note] WSREP: Prepared SST request: xtrabackup-
2015-07-06 10:51:20 10739 [Note] WSREP: wsrep_notify_cmd is not defined, skipping notification.
2015-07-06 10:51:20 10739 [Note] WSREP: REPL Protocols: 7 (3, 2)
2015-07-06 10:51:20 10739 [Note] WSREP: Service thread queue flushed.
2015-07-06 10:51:20 10739 [Note] WSREP: Assign initial position for certification: 15, protocol version: 3
2015-07-06 10:51:20 10739 [Note] WSREP: Service thread queue flushed.
2015-07-06 10:51:20 10739 [Warning] WSREP: Failed to prepare for incremental state transfer: Local state UUID (00000000-
at galera/
WSREP_SST: [INFO] Evaluating timeout -k 110 100 socat -u openssl-
2015/07/06 10:51:20 socat[10991] E SSL_CTX_
WSREP_SST: [ERROR] Error while getting data from donor node: exit codes: 1 0 (20150706 10:51:20.535)
WSREP_SST: [ERROR] Cleanup after exit with status:32 (20150706 10:51:20.536)
Thank you for the report.
Error message says: "WSREP_SST: [INFO] Evaluating timeout -k 110 100 socat -u openssl-listen:4444,reuseaddr,cert=/etc/ssh/mysql/node1.pem,cafile=/etc/ssh/mysql/node1.crt stdio | xbstream -x; RC=( ${PIPESTATUS[@]} ) (20150706 10:51:$ load_verify_locations(): error:0200100D:system library:fopen:Permission denied"

What are the permissions of the /etc/ssh/mysql/node1.pem and /etc/ssh/mysql/node1.crt files? Which user do you run mysqld as?
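
One way to answer the permissions question above for the account mysqld runs as (an added example, not part of the original report or of Percona's tooling): fopen() needs search (x) permission on every directory in the path as well as read permission on the file itself, so the sketch below checks each path component. It looks at classic mode bits only (no ACLs, SELinux or capabilities); the function names and the command-line form (user name, then file paths) are assumptions of this example.

```python
import os
import stat

def allowed(st, uid, gids, want):
    """Classic Unix mode-bit check: owner bits, else group bits, else other."""
    if uid == 0:
        return True  # root bypasses read/search checks
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want

def blockers(path, uid, gids):
    """Return [(component, missing)] for every part of `path` that would make
    fopen() fail with EACCES for uid/gids: each directory needs search (x),
    the final file needs read (r)."""
    path = os.path.realpath(path)
    parts, cur = [], path
    while True:  # collect the file and all of its ancestors up to "/"
        parts.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    found = []
    for comp in reversed(parts):  # report from "/" down to the file
        st = os.stat(comp)
        if comp == path and not stat.S_ISDIR(st.st_mode):
            want, label = 4, "read"
        else:
            want, label = 1, "search"
        if not allowed(st, uid, gids, want):
            found.append((comp, label))
    return found

if __name__ == "__main__":
    import pwd
    import sys
    user, files = sys.argv[1], sys.argv[2:]  # e.g. mysql <cert> <cafile>
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for f in files:
        for comp, label in blockers(f, pw.pw_uid, gids):
            print(f"{f}: {user} lacks {label} permission on {comp}")
```

Run it as root so every component can be stat()ed, passing the user from my.cnf and the paths given in the `[sst]` section; no output means the mode bits alone do not explain the error.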