User:StefanLangenmaier/Poor man's Cluster/Galera Cluster

From Gentoo Wiki

MariaDB Galera Cluster

The cluster will run geographically distributed and each node is "directly connected" to the internet (only the ports that are needed are exposed, not the whole container). The nodes are not placed together behind a VPN, because the VPN would become a single point of failure and an additional layer of complexity.

The downside is that encryption now has to be handled by the cluster itself. Two connections need attention:

  • The connection between the nodes, running on ports 4567 and 4568 (the latter is used for IST)
  • The connection used for an SST, running on port 4444

For the normal node-to-node connection Galera already supports SSL certificates in its configuration. How the certificates are created and configured is described in the Galera documentation and shown in the example my.cnf file in the GitHub repository.

### SNIP ###

# These settings are required for Galera clustering
#mysql settings
wsrep_on=ON
binlog_format=ROW
default-storage-engine=innodb
innodb_autoinc_lock_mode=2
query_cache_size=0
query_cache_type=0
bind-address=0.0.0.0

log-bin=mysqld-bin
# Uncomment this section to activate Galera clustering
wsrep_provider=/usr/lib/galera/libgalera_smm.so
# You should change this name to something meaningful
wsrep_cluster_name="owncloud_wsrep_cluster"
# List all nodes of the cluster including this one

wsrep_cluster_address="gcomm://"
#wsrep_cluster_address="gcomm://domain1.com,domain2.com"
wsrep_sst_method=rsync_ssl

ssl-ca = /etc/ssl/galera/ca-cert.pem
ssl-key = /etc/ssl/galera/server-key.pem
ssl-cert = /etc/ssl/galera/server-cert.pem

# name of the current host
# important if the node is behind a NAT or its IP address can change dynamically
wsrep_node_address="domain1.com"
wsrep_provider_options="socket.ssl_key=/etc/ssl/galera/server-key.pem;socket.ssl_cert=/etc/ssl/galera/server-cert.pem;socket.ssl_ca=/etc/ssl/galera/ca-cert.pem"
wsrep_notify_cmd=/bin/true

### SNIP ###
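As an added check (this is example code written for this page, not part of the wiki page's configuration or of the author's repository), a small Python audit of a [mysqld] fragment like the one above. It parses the options, splits wsrep_provider_options into its socket.ssl_* parts, and flags the points this page is concerned with: missing TLS on the 4567/4568 replication channel, TLS material that differs between the server's ssl-* options and the provider's socket.ssl_* options, an SST method that sends the data copy in the clear, an empty bootstrap gcomm:// address, and bind-address=0.0.0.0. The sample configuration is constructed from the fragment above with one deliberate change (socket.ssl_ca points at a different CA file) so that a finding is produced; the method name rsync_ssl is the author's own stunnel-wrapped script and is treated as encrypted by the checker.

```python
import re
from typing import Dict, List

# Constructed sample based on the page's fragment; socket.ssl_ca was changed
# on purpose so the audit has something to report.
SAMPLE_MY_CNF = """\
[mysqld]
wsrep_on=ON
binlog_format=ROW
default-storage-engine=innodb
innodb_autoinc_lock_mode=2
bind-address=0.0.0.0
log-bin=mysqld-bin
wsrep_provider=/usr/lib/galera/libgalera_smm.so
wsrep_cluster_name="owncloud_wsrep_cluster"
wsrep_cluster_address="gcomm://"
wsrep_sst_method=rsync_ssl
ssl-ca = /etc/ssl/galera/ca-cert.pem
ssl-key = /etc/ssl/galera/server-key.pem
ssl-cert = /etc/ssl/galera/server-cert.pem
wsrep_node_address="domain1.com"
wsrep_provider_options="socket.ssl_key=/etc/ssl/galera/server-key.pem;socket.ssl_cert=/etc/ssl/galera/server-cert.pem;socket.ssl_ca=/etc/ssl/galera/old-ca.pem"
"""

# SST methods that copy the whole data directory without any encryption.
PLAINTEXT_SST = {"rsync", "mysqldump"}


def parse_mysqld_section(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [mysqld] section.

    Dashes in option names are normalised to underscores because MariaDB
    accepts both spellings; surrounding quotes are removed from values.
    """
    opts: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip().replace("-", "_")] = value.strip().strip('"')
    return opts


def parse_provider_options(value: str) -> Dict[str, str]:
    """wsrep_provider_options is a ';'-separated list of key=value pairs."""
    out: Dict[str, str] = {}
    for item in value.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            out[k.strip()] = v.strip()
    return out


def audit(text: str) -> List[str]:
    """Return a list of human-readable findings for the given my.cnf text."""
    opts = parse_mysqld_section(text)
    prov = parse_provider_options(opts.get("wsrep_provider_options", ""))
    findings: List[str] = []

    # 1. Group communication on 4567/4568 is only encrypted if socket.ssl_* is set.
    for key in ("socket.ssl_key", "socket.ssl_cert", "socket.ssl_ca"):
        if key not in prov:
            findings.append(f"{key} missing: replication traffic on 4567/4568 is plaintext")

    # 2. The server's ssl-* options and the provider's socket.ssl_* options are
    #    normally meant to use the same files; a difference is usually a mistake.
    for mysqld_key, prov_key in (("ssl_key", "socket.ssl_key"),
                                 ("ssl_cert", "socket.ssl_cert"),
                                 ("ssl_ca", "socket.ssl_ca")):
        a, b = opts.get(mysqld_key), prov.get(prov_key)
        if a and b and a != b:
            findings.append(f"{mysqld_key}={a} differs from {prov_key}={b}")

    # 3. Plain rsync / mysqldump SST sends the full data set unencrypted on 4444.
    sst = opts.get("wsrep_sst_method", "rsync")
    if sst in PLAINTEXT_SST:
        findings.append(f"wsrep_sst_method={sst}: SST on port 4444 is not encrypted")

    # 4. An empty gcomm:// is the bootstrap value; a restarted node with it
    #    starts a new cluster instead of joining the existing one.
    if re.fullmatch(r"gcomm://\s*", opts.get("wsrep_cluster_address", "")):
        findings.append("wsrep_cluster_address=gcomm://: bootstrap-only value, list the peers")

    # 5. Listening on all interfaces needs a firewall limiting 3306/4444/4567/4568 to peers.
    if opts.get("bind_address") == "0.0.0.0":
        findings.append("bind-address=0.0.0.0: restrict 3306, 4444, 4567 and 4568 to known peers")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MY_CNF):
        print("-", finding)
```

Run it against a real my.cnf by reading the file into `audit()`; an empty list means none of the five checks fired. The checker deliberately does not try to open the certificate files, so it can be run on a copy of the configuration anywhere.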

SST

For the connection in case of an SST, you have the choice of multiple methods. I didn't like the mysqldump solution as this would need a permanent connection open on the mysql port to the outside world. The xtrabackup solution didn't install on ARM so the only choice left was the default rsync SST. I would have preferred this solution anyway as it seems to be the default but unfortunately there is no configuration available to do it in a secure way. Therefore I modified the default script and added support for stunnel. The script is on GitHub in my lxc-gentoo-build-tools repository.

IST

If Galera runs behind a NATed network there is a problem with IST. A workaround can be found here: https://github.com/codership/galera/issues/105

Remote access

GRANT ALL PRIVILEGES ON *.* TO 'user'@'192.168.122.%' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

Other

expire_logs_days=14

References