Securing MariaDB Galera Cluster using SSL

In MariaDB Galera cluster, the data (writeset) is replicated across all the nodes over network. This data traffic can be secured by enabling SSL connection between the nodes. In order to achieve this, one needs to have SSL certificate/key pair (Here’s how to generate one). The certificate and key can then be copied to all the nodes. Once done, instruct the nodes to establish SSL connection on startup by simply pointing to the certificate/key files using wsrep_provider_options system variable.

wsrep_provider_options='socket.ssl_cert=/tmp/cert.pem;socket.ssl_key=/tmp/key.pem'

Following is the list of SSL options that Galera supports (details : Galera parameters:

  • socket.ssl : Enable/disable SSL, explicitly
  • socket.ssl_ca : SSL CA file
  • socket.ssl_cert : SSL certificate file
  • socket.ssl_cipher : SSL cipher list
  • socket.ssl_compression : Enable/disable SSL compression
  • socket.ssl_key : SSL key file
  • socket.ssl_password_file : SSL password file, in case the key is encrypted

At the time of writing, there is no way to check if galera connection is encrypted using SQL (issue#165). The only way is to look into the node’s error log for the following :

150516 14:22:03 [Note] WSREP: SSL handshake successful, remote endpoint ssl://127.0.0.1:46661 local endpoint ssl://127.0.0.1:4000 cipher: AES128-SHA compression: 
150516 14:22:03 [Note] WSREP: (6f49f928, 'ssl://0.0.0.0:4000') turning message relay requesting on, nonlive peers: 
150516 14:22:03 [Note] WSREP: declaring 73263ae6 at ssl://127.0.0.1:4010 stable

Lastly, it is important to note that SST (snapshot state transfer) traffic is not affected, whatsoever, by the use of galera SSL options.

Generating self-signed SSL certificate/key pair

Here, I present a simple command to generate a self signed SSL certificate/key pair that can be used to secure the communication channel between communicating parties.

$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days `echo "365 * 2" | bc` -nodes
Generating a 2048 bit RSA private key
.....................................+++
.....................................+++
unable to write 'random state'
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

$ ls
cert.pem  key.pem

$ $ date
Mon May 11 15:18:24 EDT 2015

$ openssl x509 -noout -startdate -enddate -in cert.pem
notBefore=May 11 19:12:03 2015 GMT
notAfter=May 10 19:12:03 2017 GMT

Note: -nodes switch skips encryption of the key.

MariaDB 10.1 : A new version of GRA_X_X.log file

When a MariaDB Galera cluster node fails to apply a binary log (or writeset, as we call it), the node dumps it into a file (GRA_X_X.log) under the data directory for further investigation. This process has been explained fairly well in this Percona blog). Since the dumped log file is header-less, one has to first prepend a binary log header to it in order to open it using mysqlbinlog tool.

Starting MariaDB 10.1.4, the node will automatically prepend the binlog header to the writeset before dumping it into the GRA_ log file. In order to differentiate it from the older log files, the file has been renamed to GRA_X_X_v2.log.

$ ./bin/mysqlbinlog data2/GRA_1_1_v2.log

/*!50530 SET @@SESSION.PSEUDO_SLAVE_MODE=1*/;
/*!40019 SET @@session.max_insert_delayed_threads=0*/;
/*!50003 SET @OLD_COMPLETION_TYPE=@@COMPLETION_TYPE,COMPLETION_TYPE=0*/;
DELIMITER /*!*/;
# at 4
#150414 17:50:20 server id 0  end_log_pos 248  Start: binlog v 4, server v 10.1.4-MariaDB-wsrep-debug created 150414 17:50:20 at startup
ROLLBACK/*!*/;
BINLOG '
nIstVQ8AAAAA9AAAAPgAAAAAAAQAMTAuMS40LU1hcmlhREItd3NyZXAtZGVidWcAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAACciy1VEzgNAAgAEgAEBAQEEgAA3AAEGggAAAAICAgCAAAACgoKAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAEEwQAZxODxw==
'/*!*/;
# at 248
#150414 17:50:20 server id 0  end_log_pos 76   Query   thread_id=4 exec_time=0 error_code=0
use `test`/*!*/;
SET TIMESTAMP=1429048220/*!*/;
SET @@session.pseudo_thread_id=4/*!*/;
SET @@session.foreign_key_checks=1, @@session.sql_auto_is_null=0, @@session.unique_checks=1, @@session.autocommit=1/*!*/;
SET @@session.sql_mode=0/*!*/;
SET @@session.auto_increment_increment=1, @@session.auto_increment_offset=1/*!*/;
/*!\C utf8 *//*!*/;
SET @@session.character_set_client=33,@@session.collation_connection=33,@@session.collation_server=8/*!*/;
SET @@session.lc_time_names=0/*!*/;
SET @@session.collation_database=DEFAULT/*!*/;
drop table t1
/*!*/;
DELIMITER ;
# End of log file
ROLLBACK /* added by mysqlbinlog */;
/*!50003 SET COMPLETION_TYPE=@OLD_COMPLETION_TYPE*/;
/*!50530 SET @@SESSION.PSEUDO_SLAVE_MODE=0*/;

Password validation plugins in MariaDB

Let me start off with a phrase : “A chain is only as strong as its weakest link”. So, how to ensure that all the links (=passwords) are strong enough to keep the system secure? One of the key attributes to consider here is password strength. MariaDB 10.1.2 added support for password validation by introducing a password validation plugin API and two password validation plugins. These plugins can be used to ensure that the password used for the user accounts adhere to some required security standards.

  1. simple_password_check
  2. 
    MariaDB [test]> INSTALL SONAME 'simple_password_check';
    Query OK, 0 rows affected (0.04 sec)
    
    
    MariaDB [test]> SELECT VARIABLE_NAME, DEFAULT_VALUE, VARIABLE_COMMENT FROM INFORMATION_SCHEMA.SYSTEM_VARIABLES WHERE VARIABLE_NAME LIKE 'SIMPLE_PASSWORD%'\G
    *************************** 1. row ***************************
       VARIABLE_NAME: SIMPLE_PASSWORD_CHECK_DIGITS
       DEFAULT_VALUE: 1
    VARIABLE_COMMENT: Minimal required number of digits
    *************************** 2. row ***************************
       VARIABLE_NAME: SIMPLE_PASSWORD_CHECK_LETTERS_SAME_CASE
       DEFAULT_VALUE: 1
    VARIABLE_COMMENT: Minimal required number of letters of the same letter case.This limit is applied separately to upper-case and lower-case letters
    *************************** 3. row ***************************
       VARIABLE_NAME: SIMPLE_PASSWORD_CHECK_OTHER_CHARACTERS
       DEFAULT_VALUE: 1
    VARIABLE_COMMENT: Minimal required number of other (not letters or digits) characters
    *************************** 4. row ***************************
       VARIABLE_NAME: SIMPLE_PASSWORD_CHECK_MINIMAL_LENGTH
       DEFAULT_VALUE: 8
    VARIABLE_COMMENT: Minimal required password length
    4 rows in set (0.00 sec)
    
    MariaDB [test]> SET PASSWORD = PASSWORD('abc');
    ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
    
    
  3. cracklib_password_check (requires libcrack2)
  4. 
    MariaDB [test]> INSTALL SONAME 'cracklib_password_check';
    Query OK, 0 rows affected (0.05 sec)
    
    MariaDB [test]> SELECT VARIABLE_NAME, DEFAULT_VALUE, VARIABLE_COMMENT FROM INFORMATION_SCHEMA.SYSTEM_VARIABLES WHERE VARIABLE_NAME LIKE 'CRACKLIB_PASSWORD%'\G
    *************************** 1. row ***************************
       VARIABLE_NAME: CRACKLIB_PASSWORD_CHECK_DICTIONARY
       DEFAULT_VALUE: /var/cache/cracklib/cracklib_dict
    VARIABLE_COMMENT: Path to a cracklib dictionary
    1 row in set (0.00 sec)
    
    MariaDB [test]> SET PASSWORD = PASSWORD('qwerty');
    ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
    
    

    So, what passwords are now forbidden? Lets check :

    $ echo "nirbhay" | cracklib-check 
    nirbhay: it is based on your username
    $ echo "password" | cracklib-check 
    password: it is based on a dictionary word
    $ echo "qwerty" | cracklib-check 
    qwerty: it is based on a dictionary word
    $ echo "123" | cracklib-check 
    123: it is WAY too short
    $ echo "123456" | cracklib-check 
    123456: it is too simplistic/systematic
    $ echo "12345654321" | cracklib-check 
    12345654321: it is too simplistic/systematic
    

Password validation plugins only validate plain-text password (for obvious reasons!). So commands that contain password hashes are not validated. In order to reject such commands strict_password_validation system variable can be used. Lastly, it important to note that multiple password validation plugins can be loaded at the same time and the password must pass on all the plugins.

Understanding split brain in a Galera cluster

Split brain is a condition when a cluster gets partitioned and each part is operating independently. This is an unwanted situation that one would always want to avoid. So, how is it handled in a MariaDB Galera cluster? In order to understand this, lets first start by looking into the logs of a node from a split-brain(ed) cluster.

50217 15:49:02 [Note] WSREP: (dc9e817d-b6e5-11e4-a36f-8fe330cf395b, 'tcp://0.0.0.0:4010') turning message relay requesting on, nonlive peers: tcp://192.168.0.8:4030 tcp://192.168.0.8:4040
150217 15:49:03 [Note] WSREP: (dc9e817d-b6e5-11e4-a36f-8fe330cf395b, 'tcp://0.0.0.0:4010') reconnecting to 370a81b6-b6e6-11e4-b985-beb180620fd9 (tcp://192.168.0.8:4030), attempt 0
150217 15:49:03 [Note] WSREP: (dc9e817d-b6e5-11e4-a36f-8fe330cf395b, 'tcp://0.0.0.0:4010') reconnecting to 4ba33092-b6e6-11e4-93a4-ba232dff3484 (tcp://192.168.0.8:4040), attempt 0
150217 15:49:04 [Note] WSREP: evs::proto(dc9e817d-b6e5-11e4-a36f-8fe330cf395b, GATHER, view_id(REG,370a81b6-b6e6-11e4-b985-beb180620fd9,4)) suspecting node: 370a81b6-b6e6-11e4-b985-beb180620fd9
150217 15:49:04 [Note] WSREP: evs::proto(dc9e817d-b6e5-11e4-a36f-8fe330cf395b, GATHER, view_id(REG,370a81b6-b6e6-11e4-b985-beb180620fd9,4)) suspecting node: 4ba33092-b6e6-11e4-93a4-ba232dff3484
...
...
150217 15:49:14 [Note] WSREP: evs::proto(dc9e817d-b6e5-11e4-a36f-8fe330cf395b, GATHER, view_id(REG,370a81b6-b6e6-11e4-b985-beb180620fd9,4)) detected inactive node: 370a81b6-b6e6-11e4-b985-beb180620fd9
150217 15:49:14 [Note] WSREP: evs::proto(dc9e817d-b6e5-11e4-a36f-8fe330cf395b, GATHER, view_id(REG,370a81b6-b6e6-11e4-b985-beb180620fd9,4)) detected inactive node: 4ba33092-b6e6-11e4-93a4-ba232dff3484
150217 15:49:15 [Note] WSREP: view(view_id(NON_PRIM,370a81b6-b6e6-11e4-b985-beb180620fd9,4) memb {
        d40d3354-b6e5-11e4-aed5-8e8f043f2e91,0
        dc9e817d-b6e5-11e4-a36f-8fe330cf395b,0
} joined {
} left {
} partitioned {
        370a81b6-b6e6-11e4-b985-beb180620fd9,0
        4ba33092-b6e6-11e4-93a4-ba232dff3484,0
})
150217 15:49:15 [Note] WSREP: New COMPONENT: primary = no, bootstrap = no, my_idx = 1, memb_num = 2
150217 15:49:15 [Note] WSREP: Flow-control interval: [23, 23]
150217 15:49:15 [Note] WSREP: Received NON-PRIMARY.
150217 15:49:15 [Note] WSREP: Shifting SYNCED -> OPEN (TO: 0)
150217 15:49:15 [Note] WSREP: New cluster view: global state: d40f1ba3-b6e5-11e4-91f1-1b1c88707f31:0, view# -1: non-Primary, number of nodes: 2, my index: 1, protocol version 3
150217 15:49:15 [Note] WSREP: Setting wsrep_ready to 0

In the event of a network partition, some nodes of the cluster may no longer be reachable from the other nodes. They try to reconnect to these suspecting nodes and later move them to partitioned list by marking them as inactive when no response is received. A voting for quorum is then taken on each node to see if they belong to the majority partition (Primary Component) using the following formula :

where,

  • : members of the last seen primary component,
  • : members that are known to have left gracefully,
  • : current components members, and
  • : member’s weight

In a Galera cluster, nodes outside the primary component are not allowed to process queries. It is mainly done preserve data consistency.

MariaDB [test]> select 1;
ERROR 1047 (08S01): WSREP has not yet prepared node for application use

Now, as shown in the logs above, when the cluster gets split into two partitions of equal size, (i.e. both the partitions get equal weight, split-brain), the quorum algorithm fails find the the primary component. As a result, the cluster has no primary component and can no longer process any queries. In this case, one has to find the node which has most recent updates and bootstrap the cluster using that node.

Reference: http://galeracluster.com/documentation-webpages/weightedquorum.html

New Information schema tables for Galera membership and status

MariaDB Galera server logs all the cluster related information like node status, cluster status, membership, etc. in the error log. MariaDB 10.1.2 introduces a new INFORMATION SCHEMA plugin WSREP_INFO that enables querying these information via INFORMATION SCHEMA tables. The WSREP_INFO plugin adds two new tables to the Information Schema, WSREP_MEMBERSHIP and WSREP_STATUS. The plugin is not enabled by default, so in order to use it, it needs to be installed first :

MariaDB [test]> INSTALL SONAME 'wsrep_status';
Query OK, 0 rows affected (0.04 sec)

MariaDB [test]> SHOW PLUGINS;
+-----------------------------+----------+--------------------+-----------------+---------+
| Name                        | Status   | Type               | Library         | License |
+-----------------------------+----------+--------------------+-----------------+---------+
...
| WSREP_MEMBERSHIP            | ACTIVE   | INFORMATION SCHEMA | wsrep_status.so | GPL     |
| WSREP_STATUS                | ACTIVE   | INFORMATION SCHEMA | wsrep_status.so | GPL     |
+-----------------------------+----------+--------------------+-----------------+---------+
52 rows in set (0.01 sec)

MariaDB [test]> SHOW CREATE TABLE INFORMATION_SCHEMA.WSREP_MEMBERSHIP\G
*************************** 1. row ***************************
       Table: WSREP_MEMBERSHIP
Create Table: CREATE TEMPORARY TABLE `WSREP_MEMBERSHIP` (
  `INDEX` int(11) NOT NULL DEFAULT '0',
  `UUID` varchar(36) NOT NULL DEFAULT '',
  `NAME` varchar(32) NOT NULL DEFAULT '',
  `ADDRESS` varchar(256) NOT NULL DEFAULT ''
) ENGINE=MEMORY DEFAULT CHARSET=utf8
1 row in set (0.00 sec)

MariaDB [test]> SHOW CREATE TABLE INFORMATION_SCHEMA.WSREP_STATUS\G
*************************** 1. row ***************************
       Table: WSREP_STATUS
Create Table: CREATE TEMPORARY TABLE `WSREP_STATUS` (
  `NODE_INDEX` int(11) NOT NULL DEFAULT '0',
  `NODE_STATUS` varchar(16) NOT NULL DEFAULT '',
  `CLUSTER_STATUS` varchar(16) NOT NULL DEFAULT '',
  `CLUSTER_SIZE` int(11) NOT NULL DEFAULT '0',
  `CLUSTER_STATE_UUID` varchar(36) NOT NULL DEFAULT '',
  `CLUSTER_STATE_SEQNO` bigint(21) NOT NULL DEFAULT '0',
  `CLUSTER_CONF_ID` bigint(21) NOT NULL DEFAULT '0',
  `GAP` varchar(10) NOT NULL DEFAULT '',
  `PROTOCOL_VERSION` int(11) NOT NULL DEFAULT '0'
) ENGINE=MEMORY DEFAULT CHARSET=utf8
1 row in set (0.00 sec)

MariaDB [test]> SELECT @@wsrep_provider;
+----------------------------------+
| @@wsrep_provider                 |
+----------------------------------+
| /usr/lib/galera/libgalera_smm.so |
+----------------------------------+
1 row in set (0.00 sec)

Now that WSREP_INFO plugin is installed, lets look into the contents of these tables on a 3-node cluster.

MariaDB [test]> SELECT * FROM INFORMATION_SCHEMA.WSREP_MEMBERSHIP;
+-------+--------------------------------------+----------+-----------------+
| INDEX | UUID                                 | NAME     | ADDRESS         |
+-------+--------------------------------------+----------+-----------------+
|     0 | 19058073-8940-11e4-8570-16af7bf8fced | my_node1 | 10.0.2.15:16001 |
|     1 | 19f2b0e0-8942-11e4-9cb8-b39e8ee0b5dd | my_node3 | 10.0.2.15:16003 |
|     2 | d85e62db-8941-11e4-b1ef-4bc9980e476d | my_node2 | 10.0.2.15:16002 |
+-------+--------------------------------------+----------+-----------------+
3 rows in set (0.00 sec)

MariaDB [test]> SELECT * FROM INFORMATION_SCHEMA.WSREP_STATUS\G
*************************** 1. row ***************************
         NODE_INDEX: 0
        NODE_STATUS: Synced
     CLUSTER_STATUS: Primary
       CLUSTER_SIZE: 3
 CLUSTER_STATE_UUID: 190604d7-8940-11e4-a084-ebee5211c190
CLUSTER_STATE_SEQNO: 2
    CLUSTER_CONF_ID: 3
                GAP: NO
   PROTOCOL_VERSION: 3
1 row in set (0.00 sec)

As seen above, WSREP_MEMBERSHIP table shows information about current members in the cluster which includes node’s name and incoming address. WSREP_STATUS table, on the other hand, shows status information about the node and cluster as a whole.

SHOW command can also be used to query these tables. Its quick and reduces the number of columns for WSREP_STATUS to fit to the screen.

MariaDB [test]> SHOW WSREP_MEMBERSHIP;
+-------+--------------------------------------+----------+-----------------+
| Index | Uuid                                 | Name     | Address         |
+-------+--------------------------------------+----------+-----------------+
|     0 | 19058073-8940-11e4-8570-16af7bf8fced | my_node1 | 10.0.2.15:16001 |
|     1 | 19f2b0e0-8942-11e4-9cb8-b39e8ee0b5dd | my_node3 | 10.0.2.15:16003 |
|     2 | d85e62db-8941-11e4-b1ef-4bc9980e476d | my_node2 | 10.0.2.15:16002 |
+-------+--------------------------------------+----------+-----------------+
3 rows in set (0.00 sec)

MariaDB [test]> SHOW WSREP_STATUS;
+------------+-------------+----------------+--------------+
| Node_Index | Node_Status | Cluster_Status | Cluster_Size |
+------------+-------------+----------------+--------------+
|          0 | Synced      | Primary        |            3 |
+------------+-------------+----------------+--------------+
1 row in set (0.00 sec)

The curious case of lost data

There is no doubt that Galera makes a fine clustering solution. The ease at which one can setup a cluster is incredible. Recently, a query from a user on #mariadb@freenode, however, revealed a caveat which I feel is quite important and worth sharing.

Sep 10 14:16:09 <____> nirbhay: executive summary, my cluster was out of sync, and when i brought it back into sync the DB is now 3 weeks old. it updated the new node with the old node’s contents.
Sep 10 14:16:23 <____> nirbhay: galera + maria 5.5

Let me first try to explain the problem. The user has a MariaDB Galera cluster – up and running – but with stale data (3 weeks old to be precise) and another MariaDB Galera node running outside the cluster storing latest updates. Now, the user takes this node and adds to the cluster, thinking that out-of-sync cluster nodes would receive latest changes from this joining node. Unfortunately, it turned out that opposite happened – and this joiner node instead became stale (losing 3 weeks worth of updates!) when into synced with the cluster.

Actually, this is expected. When a node joins an existing Galera cluster, it receives data from one of the nodes (donor) of the cluster in order to get in sync with the cluster. During this process (aka snapshot state transfer) the node itself loses it own data (if any). This is precisely the reason why the joiner node (with latest updates) lost the recent changes in the above mentioned scenario.

So, how to handle such situations? In cases like this, one should discard the existing stale cluster and bootstrap a new cluster using the node having latest updates.

Snapshot State Transfer (SST) methods in MariaDB Galera Cluster

In a Galera cluster, when a node (joiner) joins the cluster, it receives a copy of entire data from one of the nodes (donor) in the cluster. This process is called Snapshot state transfer (SST). MariaDB Galera Cluster provides various methods for snapshot state transfer which can be configured using wsrep_sst_method option. MariaDB Galera cluster distribution currently includes the following SST methods :

  • rsync
  • It is the default method which uses rsync to transfer data files across the cluster. The donor node itself becomes READ-ONLY during the transfer by executing FLUSH TABLES WITH READ LOCK. It is important to note that even though the data transfer is fast, this method requires no authentication (wsrep_sst_auth).

    rsync sst

  • mysqldump
  • This method uses mysqldump tool to get a dump of all the databases on donor node which is then played/executed on the joiner node. This method requires wsrep_sst_auth to be set with credentials to connect to the donor as well as joiner node.

    mysqldump sst

  • xtrabackup/xtrabackup-v2
  • This method uses Percona XtraBackup tool to take a backup (snapshot) of donor’s data directory which is then restored on the joiner node. This method requires wsrep_sst_auth to be set with credentials to connect to the donor node.

    xtrabackup-v2 sst

Configuring SELinux for Galera cluster

Setting up a MariaDB Galera cluster can easily become tedious if its being setup on a Linux system with SELinux enabled.

140805 16:16:20 [Note] WSREP: gcomm: connecting to group 'my_wsrep_cluster', peer ''
140805 16:16:20 [ERROR] WSREP: Permission denied
140805 16:16:20 [ERROR] WSREP: failed to open gcomm backend connection: 13: error while trying to listen 'tcp://0.0.0.0:4567?socket.non_blocking=1', asio error 'Permission denied': 13 (Permission denied)
         at gcomm/src/asio_tcp.cpp:listen():814
140805 16:16:20 [ERROR] WSREP: gcs/src/gcs_core.c:gcs_core_open():202: Failed to open backend connection: -13 (Permission denied)
140805 16:16:20 [ERROR] WSREP: gcs/src/gcs.c:gcs_open():1291: Failed to open channel 'my_wsrep_cluster' at 'gcomm://': -13 (Permission denied)
140805 16:16:20 [ERROR] WSREP: gcs connect failed: Permission denied
140805 16:16:20 [ERROR] WSREP: wsrep::connect() failed: 7
140805 16:16:20 [ERROR] Aborting

In a test environment one can disable/enable SELinux for mysqld using the following commands (Thanks to Daniel Black for the tip!) :

$ sudo semanage permissive -a mysqld_t
$ sudo semanage permissive -d mysqld_t

Disabling SELinux for mysql works, but its certainly not the best solution. So, I tried to configure SELinux for a 2-node MariaDB Galera cluster on CentOS by using some tools provided to manage SELinux policies. The basic idea is to let the MariaDB Galera nodes run under permissive mode in order to get all possible operations (which SELinux would have otherwise denied) logged into the audit log and then create a policy module using allow2audit tool after carefully analyzing the “denials”. The resulting module can then be installed before enabling (enforcing) SELinux for mysqld again.

Prepare the hosts
* Install MariaDB Galera server packages ($ sudo yum install MariaDB-Galera-server)
* Setup MariaDB configuration options ($sudo vi /etc/my.cnf.d/server.cnf)
* Install SELinux policy management tools ($ sudo yum install policycoreutils-python)
* Firewall settings (see resources below)

Generate the policy module
* Disable SELinux for mysqld on both the hosts. With SELinux in permissive mode, it logs all the denial operations as warnings instead of enforcing them.

$ sudo semanage permissive -a mysqld_t
  • Once mysqld on both the hosts are in permissive mode, our goal is to trigger all sorts of events that can happen on a node in a MariaDB Galera cluster (the more extensive, the better!) like, starting the node as donor/joiner with different snapshot state transfer (SST) methods and incremental state transfer (IST). The idea is to let all possible denials get logged into the audit log, which we later use to generate the policy module.
  • Carefully analyze (sealert Messages) all the “denials” logged in the audit log (/var/log/audit/audit.log). If the denials are expected, create a local policy module using allow2audit.
  $ sudo grep mysql audit.log | audit2allow -M mariadb-galera
  • Install the policy module.
  $ sudo semodule -i mariadb-galera.pp
  • Put mysqld back to enforcing mode.
$ sudo semanage permissive -d mysqld_t

Resources