User:StefanLangenmaier/Poor man's Cluster/Galera Cluster

MariaDB Galera Cluster
The cluster will run geographically distributed and each node is "directly connected" (the ports necessary, but not the whole container) to the internet. The nodes are not together behind a VPN because this would make the VPN a single point of failure and it's an additional layer of complexity.

The downside is that the encryption has to be done now directly by the cluster. Here we have to look into two things:


 * The connection between the nodes, running on port 4567 and 4568 for the IST
 * The connection in case of a SST, running on port 4444

For the normal connection Galera already comes equipped with a configuration for SSL certificates. How the certificates are created and configured can be seen in the Galera documentation or in the example my.cnf file on the github repository.


 * 1) SNIP ###

wsrep_on=ON binlog_format=ROW default-storage-engine=innodb innodb_autoinc_lock_mode=2 query_cache_size=0 query_cache_type=0 bind-address=0.0.0.0
 * 1) These settings are required for Galera clustering
 * 2) mysql settings

log-bin=mysqld-bin wsrep_provider=/usr/lib/galera/libgalera_smm.so wsrep_cluster_name="owncloud_wsrep_cluster"
 * 1) Uncomment this section to activate Galera clustering
 * 1) You should change this name to something meaningful
 * 1) List all nodes of the cluster including this one

wsrep_cluster_address="gcomm://" wsrep_sst_method=rsync_ssl
 * 1) wsrep_cluster_address="gcomm://domain1.com,domain2.com"

ssl-ca = /etc/ssl/galera/ca-cert.pem ssl-key = /etc/ssl/galera/server-key.pem ssl-cert = /etc/ssl/galera/server-cert.pem

wsrep_node_address="domain1.com" wsrep_provider_options="socket.ssl_key=/etc/ssl/galera/server-key.pem;socket.ssl_cert=/etc/ssl/galera/server-cert.pem;socket.ssl_ca=/etc/ssl/galera/ca-cert.pem" wsrep_notify_cmd=/bin/true
 * 1) name of the current hosts
 * 2) important if behind a nat or ip address can change dynamically


 * 1) SNIP ###

SST
For the connection in case of a SST, you have the choice of multiple methods. I didn't like the mysqldump solution as this whould need a permanent connection open on the mysql port to the outside world. The xtrabackup solution didn't install on arm so the only choice left was the default rsync sst. I would have preferred this solution anyway as it seems to be the default but unfortunately there is no configuration available to do it in a secure way. Therefore I modified the default script and added support for stunnel. The script is on github in my lxc-gentoo-build-tools repository.

IST
If Galera is behind a NATed network there is a problem with the IST. A workaround can be found here: https://github.com/codership/galera/issues/105

Other
expire_logs_days=14