Second mariadb-server to be up fails to enter GaleraDB (TLS)

Bug #1955649 reported by Lucas
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| StarlingX | Fix Released | Medium | Lucas | |

Bug Description

Brief Description
-----------------

mariadb apply fails in AIO-DX or STD environment due to ssl-verify-server-cert being enabled, so there is a CN mismatch and ssl_verify fails.

Severity
--------

Major

Steps to Reproduce
------------------

Enable https
apply overrides for tls
apply stx-openstack

Expected Behavior
-----------------

openstack applied without issues.

Actual Behavior
---------------

openstack apply failed due to mariadb timeout

Reproducibility
---------------

Reproducible

System Configuration
-------------------

AIO-DX

Branch/Pull Time/Commit
----------------------

Starlingx/Master

Timestamp/Logs
--------------

```
2021-12-15 14:15:27,370 - OpenStack-Helm Mariadb - INFO - b"2021-12-15 14:15:27 139773687600896 [ERROR] WSREP: Process completed with error: wsrep_sst_mariabackup --role 'donor' --address 'mariadb-server-0.mariadb-discovery.openstack.svc.cluster.local:4444/xtrabackup_sst//1' --socket '/var/run/mysqld/mysqld.sock' --datadir '/var/lib/mysql/' --gtid '1844023c-5db0-11ec-a417-9287d3b267aa:0' --gtid-domain-id '0' --mysqld-args --user=mysql --wsrep-new-cluster: 22 (Invalid argument)"
```

Alarms
------

Workaround
----------

Override mariadb-etc configmap removing ssl-verify server

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-armada-app (master)
Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-armada-app (master)

Reviewed: https://review.opendev.org/c/starlingx/openstack-armada-app/+/822831
Committed: https://opendev.org/starlingx/openstack-armada-app/commit/fbf8dd7772c43978d1b5a79c1358d64adf857c9e
Submitter: "Zuul (22348)"
Branch: master

commit fbf8dd7772c43978d1b5a79c1358d64adf857c9e
Author: Lucas Cavalcante <email address hidden>
Date: Thu Dec 23 10:26:38 2021 -0300

    Add GaleraDB Secure Replica Traffic

    This sets `wsrep_provider_options` for GaleraDB when TLS is enabled

    NOTE: The recommended SST (state snapshot transfer) for mariadb>=10.2
    is `mariabackup`. mariabackup ONLY works connecting to localhost
    see: https://github.com/MariaDB/server/blob/fe7e44d8ad5d7fe9c91f476353a3e1749f18afc6/scripts/wsrep_sst_mariabackup.sh#L711
    Therefore, you MUST create a certificate with SAN `localhost` or cert
    verification will fail.

    Test Plan:

    Pass:
          * Apply Openstack
          * Run `SHOW GLOBAL STATUS LIKE 'wsrep_%';` at mariadb
          * assert wsrep_cluster_size is 2
          * assert wsrep_cluster_status is Primary

    Closes-Bug: 1955649
    Change-Id: I8081ffb4fb1a08f1a05323b3286e9bad23a379af
    Signed-off-by: Lucas Cavalcante <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
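
The SAN requirement in the commit message's NOTE can be checked before deployment. The following is an added example, not part of the bug report or of the openstack-armada-app change: it runs `openssl x509 -checkhost` against a constructed self-signed certificate. The function names and the test certificate are assumptions, the node name is the one from the log above, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
# Added example. NODE is the SST address from the log in this report;
# the certificates generated here are constructed, self-signed test data.
NODE="mariadb-server-0.mariadb-discovery.openstack.svc.cluster.local"

# make_test_cert DIR SAN_LIST: write DIR/tls.crt and DIR/tls.key (hypothetical helper).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mariadb-server" -addext "subjectAltName=$2" \
        -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
}

# san_covers CERT NAME: succeed only if CERT is valid for NAME.
# The verdict is read from the output text rather than the exit status.
san_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

# check_names CERT NAME...: report each name; exit status = names not covered.
check_names() {
    _cert=$1; _missing=0; shift
    for _name in "$@"; do
        if san_covers "$_cert" "$_name"; then
            echo "ok       $_name"
        else
            echo "MISSING  $_name"
            _missing=$((_missing + 1))
        fi
    done
    return "$_missing"
}

# A wildcard for the discovery service covers the peer name but not the
# localhost connection mariabackup makes, so verification would fail there.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" "DNS:*.mariadb-discovery.openstack.svc.cluster.local"
check_names "$demo_dir/tls.crt" "$NODE" localhost ||
    echo "$? required name(s) missing from the certificate SAN"
```

Against a real deployment, pass the server certificate mounted into the mariadb pod to `check_names` together with `localhost` and each node's discovery name.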
Ghada Khalil (gkhalil)
description: updated
description: updated
Changed in starlingx:
importance: Undecided → Medium
Ghada Khalil (gkhalil) wrote :

screening: marking as medium/stx.7.0 given there is a workaround

Changed in starlingx:
assignee: nobody → Lucas (lcavalca)
tags: added: stx.7.0 stx.distro.openstack