User:StefanLangenmaier/Poor man's Cluster/Galera Cluster

MariaDB Galera Cluster
The cluster will run geographically distributed, and each node is "directly connected" to the internet (only the necessary ports, not the whole container). The nodes are not placed together behind a VPN because this would make the VPN a single point of failure and add another layer of complexity.

The downside is that encryption now has to be handled directly by the cluster. Two connections need to be looked at:


 * The connection between the nodes, running on port 4567
 * The connection in case of an SST (state snapshot transfer), running on port 4444

For the normal connection Galera already comes equipped with a configuration for SSL certificates. How the certificates are created and configured can be seen in the Galera documentation or in the example my.cnf file.

For the connection in case of an SST, you have the choice of multiple methods. I didn't like the mysqldump solution, as this would need a permanent connection open on the MySQL port to the outside world. The xtrabackup solution didn't install on ARM, so the only choice left was the default rsync SST. I would have preferred this solution anyway, as it seems to be the default, but unfortunately there is no configuration available to do it in a secure way. Therefore I modified the default script and added support for stunnel. The script is not perfect but should be a start. You should find it attached as well.
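
The two encrypted channels described above, written out as configuration. This is an added example, not the author's attached my.cnf or modified SST script; the certificate paths, the loopback ports 4445 and 4446, and the host name joiner.example.net are assumptions.

```ini
; ---- File 1: my.cnf on every node ------------------------------------
; TLS for the Galera replication traffic on port 4567.
; Setting the socket.ssl_* provider options turns encryption on; every
; node uses a certificate signed by the same CA.
[mysqld]
wsrep_sst_method=rsync
wsrep_provider_options="socket.ssl_key=/etc/mysql/ssl/node-key.pem;socket.ssl_cert=/etc/mysql/ssl/node-cert.pem;socket.ssl_ca=/etc/mysql/ssl/ca.pem"

; ---- File 2: stunnel configuration on the joiner ---------------------
; stunnel is the only listener on the public SST port 4444. The rsync
; daemon started by the SST script is assumed to bind to 127.0.0.1:4445,
; so it is never reachable from the internet directly.
[sst-joiner]
accept = 4444
connect = 127.0.0.1:4445
cert = /etc/mysql/ssl/node-cert.pem
key = /etc/mysql/ssl/node-key.pem
CAfile = /etc/mysql/ssl/ca.pem
; verify = 2 requires a client certificate that chains to CAfile.
; Without it, any host on the internet could reach the rsync daemon
; for as long as the SST is running.
verify = 2

; ---- File 3: stunnel configuration on the donor ----------------------
; rsync on the donor sends to 127.0.0.1:4446 (assumed local port);
; stunnel wraps the stream in TLS and forwards it to the joiner.
[sst-donor]
client = yes
accept = 127.0.0.1:4446
connect = joiner.example.net:4444
cert = /etc/mysql/ssl/node-cert.pem
key = /etc/mysql/ssl/node-key.pem
CAfile = /etc/mysql/ssl/ca.pem
; Reject a joiner whose certificate does not chain to CAfile.
verify = 2
```

With this layout only ports 4567 and 4444 need to be opened per node, and both accept nothing but TLS from peers holding a certificate issued by the cluster's CA.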


 * MariaDB_Galera_Cluster
 * http://galeracluster.com/documentation-webpages/sslconfig.html