Skip to content

M
MariaDB
Commit a3da3c8a authored by Julius Goryavsky's avatar Julius Goryavsky
Browse files
Options

MDEV-26377: Stricter validation of ssl-mode values 

This commit adds validation of the values of the ssl-mode parameter
in SSL scripts, since now only a basic check for the presence of the
"VERIFY_" prefix is performed there to detect "VERIFY_IDENTITY" and
"VERIFY_CA", but all other values are not checked at all.

In addition, this commit removes leading and trailing spaces from
parameter values that SST scripts read from configuration files or
from the command line so that they do not interfere with parameter
checks and substitutions. Parameter substitution has been made more
robust against characters in strings that the shell might erroneously
interpret as regexp.
parent 8b7abe21
Hide whitespace changes
Inline Side-by-side
Showing with 87 additions and 86 deletions
scripts/wsrep_sst_common.sh
View file @ a3da3c8a
...@@ -99,7 +99,6 @@ WSREP_SST_OPT_ADDR="" ...@@ -99,7 +99,6 @@ WSREP_SST_OPT_ADDR=""
WSREP_SST_OPT_ADDR_PORT="" WSREP_SST_OPT_ADDR_PORT=""
WSREP_SST_OPT_HOST="" WSREP_SST_OPT_HOST=""
WSREP_SST_OPT_HOST_UNESCAPED="" WSREP_SST_OPT_HOST_UNESCAPED=""
WSREP_SST_OPT_HOST_ESCAPED=""
INNODB_DATA_HOME_DIR=$(trim_dir "${INNODB_DATA_HOME_DIR:-}") INNODB_DATA_HOME_DIR=$(trim_dir "${INNODB_DATA_HOME_DIR:-}")
INNODB_LOG_GROUP_HOME=$(trim_dir "${INNODB_LOG_GROUP_HOME:-}") INNODB_LOG_GROUP_HOME=$(trim_dir "${INNODB_LOG_GROUP_HOME:-}")
INNODB_UNDO_DIR=$(trim_dir "${INNODB_UNDO_DIR:-}") INNODB_UNDO_DIR=$(trim_dir "${INNODB_UNDO_DIR:-}")
...@@ -122,20 +121,22 @@ case "$1" in ...@@ -122,20 +121,22 @@ case "$1" in
# without square brackets: # without square brackets:
readonly WSREP_SST_OPT_HOST_UNESCAPED="${addr_no_bracket%%\]*}" readonly WSREP_SST_OPT_HOST_UNESCAPED="${addr_no_bracket%%\]*}"
# Square brackets are needed in most cases: # Square brackets are needed in most cases:
readonly WSREP_SST_OPT_HOST="[${WSREP_SST_OPT_HOST_UNESCAPED}]" readonly WSREP_SST_OPT_HOST="[$WSREP_SST_OPT_HOST_UNESCAPED]"
readonly WSREP_SST_OPT_HOST_ESCAPED="\\[${WSREP_SST_OPT_HOST_UNESCAPED}\\]"
# Mark this address as IPv6: # Mark this address as IPv6:
readonly WSREP_SST_OPT_HOST_IPv6=1 readonly WSREP_SST_OPT_HOST_IPv6=1
# Let's remove the leading part that contains the host address:
remain="${WSREP_SST_OPT_ADDR#*\]}"
;; ;;
*) *)
readonly WSREP_SST_OPT_HOST="${WSREP_SST_OPT_ADDR%%[:/]*}" readonly WSREP_SST_OPT_HOST="${WSREP_SST_OPT_ADDR%%[:/]*}"
readonly WSREP_SST_OPT_HOST_UNESCAPED="$WSREP_SST_OPT_HOST" readonly WSREP_SST_OPT_HOST_UNESCAPED="$WSREP_SST_OPT_HOST"
readonly WSREP_SST_OPT_HOST_ESCAPED="$WSREP_SST_OPT_HOST"
readonly WSREP_SST_OPT_HOST_IPv6=0 readonly WSREP_SST_OPT_HOST_IPv6=0
# Let's remove the leading part that contains the host address:
remain="${WSREP_SST_OPT_ADDR#*[:/]}"
;; ;;
esac esac
# Let's remove the leading part that contains the host address: # If there is nothing but the address, then the remainder is empty:
remain="${WSREP_SST_OPT_ADDR#$WSREP_SST_OPT_HOST_ESCAPED}" [ "$remain" = "$WSREP_SST_OPT_ADDR" ] && remain=""
# Let's remove the ":" character that separates the port number # Let's remove the ":" character that separates the port number
# from the hostname: # from the hostname:
remain="${remain#:}" remain="${remain#:}"
...@@ -143,39 +144,32 @@ case "$1" in ...@@ -143,39 +144,32 @@ case "$1" in
# up to "/" (if present): # up to "/" (if present):
WSREP_SST_OPT_ADDR_PORT="${remain%%/*}" WSREP_SST_OPT_ADDR_PORT="${remain%%/*}"
# If the "/" character is present, then the path is not empty: # If the "/" character is present, then the path is not empty:
if [ "${remain#*/}" != "$remain" ]; then if [ "$WSREP_SST_OPT_ADDR_PORT" != "$remain" ]; then
# This operation removes everything up to the "/" character, # This operation removes everything up to the "/" character,
# effectively removing the port number from the string: # effectively removing the port number from the string:
readonly WSREP_SST_OPT_PATH="${remain#*/}" readonly WSREP_SST_OPT_PATH="${remain#*/}"
else else
readonly WSREP_SST_OPT_PATH="" readonly WSREP_SST_OPT_PATH=""
fi fi
# The rest of the string is the same as the path (for now):
remain="$WSREP_SST_OPT_PATH"
# If there is one more "/" in the string, then everything before
# it will be the module name, otherwise the module name is empty:
if [ "${remain%%/*}" != "$remain" ]; then
# This operation removes the tail after the very first
# occurrence of the "/" character (inclusively):
readonly WSREP_SST_OPT_MODULE="${remain%%/*}"
else
readonly WSREP_SST_OPT_MODULE=""
fi
# Remove the module name part from the string, which ends with "/": # Remove the module name part from the string, which ends with "/":
remain="${WSREP_SST_OPT_PATH#*/}" remain="${WSREP_SST_OPT_PATH#*/}"
# If the rest of the string does not match the original, then there # This operation removes the tail after the very first occurrence
# was something else besides the module name: # of the "/" character, inclusively:
readonly WSREP_SST_OPT_MODULE="${WSREP_SST_OPT_PATH%%/*}"
# If there is one more "/" in the string, then everything before
# it will be the LSN, otherwise the LSN is empty:
if [ "$remain" != "$WSREP_SST_OPT_PATH" ]; then if [ "$remain" != "$WSREP_SST_OPT_PATH" ]; then
# Extract the part that matches the LSN by removing all # Extract the part that matches the LSN by removing all
# characters starting from the very first "/": # characters starting from the very first "/":
readonly WSREP_SST_OPT_LSN="${remain%%/*}" readonly WSREP_SST_OPT_LSN="${remain%%/*}"
# Exctract everything after the first occurrence of # Exctract everything after the first occurrence of
# the "/" character in the string: # the "/" character in the string:
source="$remain"
remain="${remain#*/}" remain="${remain#*/}"
# If the remainder does not match the original string, # If the remainder does not match the original string,
# then there is something else (the version number in # then there is something else (the version number in
# our case): # our case):
if [ "$remain" != "$WSREP_SST_OPT_LSN" ]; then if [ "$remain" != "$source" ]; then
# Let's extract the version number by removing the tail # Let's extract the version number by removing the tail
# after the very first occurence of the "/" character # after the very first occurence of the "/" character
# (inclusively): # (inclusively):
...@@ -238,14 +232,12 @@ case "$1" in ...@@ -238,14 +232,12 @@ case "$1" in
readonly WSREP_SST_OPT_HOST_UNESCAPED="${addr_no_bracket%%\]*}" readonly WSREP_SST_OPT_HOST_UNESCAPED="${addr_no_bracket%%\]*}"
# Square brackets are needed in most cases: # Square brackets are needed in most cases:
readonly WSREP_SST_OPT_HOST="[${WSREP_SST_OPT_HOST_UNESCAPED}]" readonly WSREP_SST_OPT_HOST="[${WSREP_SST_OPT_HOST_UNESCAPED}]"
readonly WSREP_SST_OPT_HOST_ESCAPED="\\[${WSREP_SST_OPT_HOST_UNESCAPED}\\]"
# Mark this address as IPv6: # Mark this address as IPv6:
readonly WSREP_SST_OPT_HOST_IPv6=1 readonly WSREP_SST_OPT_HOST_IPv6=1
;; ;;
*) *)
readonly WSREP_SST_OPT_HOST="$2" readonly WSREP_SST_OPT_HOST="$2"
readonly WSREP_SST_OPT_HOST_UNESCAPED="$2" readonly WSREP_SST_OPT_HOST_UNESCAPED="$2"
readonly WSREP_SST_OPT_HOST_ESCAPED="$2"
readonly WSREP_SST_OPT_HOST_IPv6=0 readonly WSREP_SST_OPT_HOST_IPv6=0
;; ;;
esac esac
...@@ -475,25 +467,25 @@ case "$1" in ...@@ -475,25 +467,25 @@ case "$1" in
;; ;;
'--innodb-force-recovery') '--innodb-force-recovery')
if [ -n "$value" -a "$value" != "0" ]; then if [ -n "$value" -a "$value" != "0" ]; then
INNODB_FORCE_RECOVERY="$value" INNODB_FORCE_RECOVERY=$(trim_string "$value")
fi fi
skip_mysqld_arg=1 skip_mysqld_arg=1
;; ;;
'--log-bin') '--log-bin')
if [ -z "$WSREP_SST_OPT_BINLOG" ]; then if [ -z "$WSREP_SST_OPT_BINLOG" ]; then
MYSQLD_OPT_LOG_BIN="$value" MYSQLD_OPT_LOG_BIN=$(trim_string "$value")
fi fi
skip_mysqld_arg=1 skip_mysqld_arg=1
;; ;;
'--log-bin-index') '--log-bin-index')
if [ -z "$WSREP_SST_OPT_BINLOG_INDEX" ]; then if [ -z "$WSREP_SST_OPT_BINLOG_INDEX" ]; then
MYSQLD_OPT_LOG_BIN_INDEX="$value" MYSQLD_OPT_LOG_BIN_INDEX=$(trim_string "$value")
fi fi
skip_mysqld_arg=1 skip_mysqld_arg=1
;; ;;
'--log-basename') '--log-basename')
if [ -z "$WSREP_SST_OPT_LOG_BASENAME" ]; then if [ -z "$WSREP_SST_OPT_LOG_BASENAME" ]; then
MYSQLD_OPT_LOG_BASENAME="$value" MYSQLD_OPT_LOG_BASENAME=$(trim_string "$value")
fi fi
skip_mysqld_arg=1 skip_mysqld_arg=1
;; ;;
...@@ -678,27 +670,18 @@ if [ -n "$WSREP_SST_OPT_ADDR_PORT" ]; then ...@@ -678,27 +670,18 @@ if [ -n "$WSREP_SST_OPT_ADDR_PORT" ]; then
# the corresponding variable: # the corresponding variable:
readonly WSREP_SST_OPT_PORT="$WSREP_SST_OPT_ADDR_PORT" readonly WSREP_SST_OPT_PORT="$WSREP_SST_OPT_ADDR_PORT"
fi fi
elif [ -n "$WSREP_SST_OPT_ADDR" ]; then else
# If the port is missing, take the default port: # If the port is missing, take the default port:
if [ -z "$WSREP_SST_OPT_PORT" ]; then if [ -z "$WSREP_SST_OPT_PORT" ]; then
readonly WSREP_SST_OPT_PORT=4444 readonly WSREP_SST_OPT_PORT=4444
fi fi
WSREP_SST_OPT_ADDR_PORT="$WSREP_SST_OPT_PORT" WSREP_SST_OPT_ADDR_PORT="$WSREP_SST_OPT_PORT"
# Let's remove the leading part that contains the host address:
remain="${WSREP_SST_OPT_ADDR#$WSREP_SST_OPT_HOST_ESCAPED}"
# Let's remove the ":" character that separates the port number
# from the hostname:
remain="${remain#:}"
# Let's remove all characters upto first "/" character that
# separates the hostname with port number from the path:
remain="${remain#/}"
# Let's construct a new value for the address with the port:
WSREP_SST_OPT_ADDR="$WSREP_SST_OPT_HOST:$WSREP_SST_OPT_PORT"
if [ -n "$remain" ]; then
WSREP_SST_OPT_ADDR="$WSREP_SST_OPT_ADDR/$remain"
fi
fi fi
# Let's construct a new value for the address with the port:
sst_path="${WSREP_SST_OPT_PATH:+/}$WSREP_SST_OPT_PATH"
WSREP_SST_OPT_ADDR="$WSREP_SST_OPT_HOST:$WSREP_SST_OPT_PORT$sst_path"
readonly WSREP_SST_OPT_ADDR readonly WSREP_SST_OPT_ADDR
readonly WSREP_SST_OPT_ADDR_PORT readonly WSREP_SST_OPT_ADDR_PORT
...@@ -809,8 +792,11 @@ parse_cnf() ...@@ -809,8 +792,11 @@ parse_cnf()
local group="${groups%%\|*}" local group="${groups%%\|*}"
# Remove the remainder (the group name) from the rest # Remove the remainder (the group name) from the rest
# of the groups list (as if it were a prefix): # of the groups list (as if it were a prefix):
groups="${groups#$group}" if [ "$group" != "$groups" ]; then
groups="${groups#\|}" groups="${groups#*\|}"
else
groups=""
fi
# If the group name is the same as the "mysqld" without "--" prefix, # If the group name is the same as the "mysqld" without "--" prefix,
# then try to use it together with the group suffix: # then try to use it together with the group suffix:
if [ "$group" = 'mysqld' -a -n "$WSREP_SST_OPT_SUFFIX_VALUE" ]; then if [ "$group" = 'mysqld' -a -n "$WSREP_SST_OPT_SUFFIX_VALUE" ]; then
...@@ -835,9 +821,11 @@ parse_cnf() ...@@ -835,9 +821,11 @@ parse_cnf()
done done
# Use default if we haven't found a value: # Use default if we haven't found a value:
if [ -z "$reval" ]; then [ -z "$reval" ] && reval="${3:-}"
[ -n "${3:-}" ] && reval="$3"
fi # Truncate spaces:
[ -n "$reval" ] && reval=$(trim_string "$reval")
if [ -n "$BASH_VERSION" ]; then if [ -n "$BASH_VERSION" ]; then
printf '%s' "$reval" printf '%s' "$reval"
else else
...@@ -868,8 +856,11 @@ in_config() ...@@ -868,8 +856,11 @@ in_config()
local group="${groups%%\|*}" local group="${groups%%\|*}"
# Remove the remainder (the group name) from the rest # Remove the remainder (the group name) from the rest
# of the groups list (as if it were a prefix): # of the groups list (as if it were a prefix):
groups="${groups#$group}" if [ "$group" != "$groups" ]; then
groups="${groups#\|}" groups="${groups#*\|}"
else
groups=""
fi
# If the group name is the same as the "mysqld" without "--" prefix, # If the group name is the same as the "mysqld" without "--" prefix,
# then try to use it together with the group suffix: # then try to use it together with the group suffix:
if [ "$group" = 'mysqld' -a -n "$WSREP_SST_OPT_SUFFIX_VALUE" ]; then if [ "$group" = 'mysqld' -a -n "$WSREP_SST_OPT_SUFFIX_VALUE" ]; then
...@@ -1455,13 +1446,9 @@ check_server_ssl_config() ...@@ -1455,13 +1446,9 @@ check_server_ssl_config()
fi fi
fi fi
if [ -n "$tcert" ]; then if [ -n "$tcert" ]; then
tcert=$(trim_string "$tcert")
if [ "${tcert%/}" != "$tcert" -o -d "$tcert" ]; then if [ "${tcert%/}" != "$tcert" -o -d "$tcert" ]; then
tcap="$tcert" tcap="$tcert"
tcert="" tcert=""
fi fi
fi fi
if [ -n "$tcap" ]; then
tcap=$(trim_string "$tcap")
fi
} }
scripts/wsrep_sst_mariabackup.sh
View file @ a3da3c8a
...@@ -40,7 +40,7 @@ tcert="" ...@@ -40,7 +40,7 @@ tcert=""
tcap="" tcap=""
tpem="" tpem=""
tkey="" tkey=""
tmode='DISABLED' tmode=""
sockopt="" sockopt=""
progress="" progress=""
ttime=0 ttime=0
...@@ -474,6 +474,15 @@ read_cnf() ...@@ -474,6 +474,15 @@ read_cnf()
tmode=$(parse_cnf "$encgroups" 'ssl-mode' 'DISABLED' | \ tmode=$(parse_cnf "$encgroups" 'ssl-mode' 'DISABLED' | \
tr [:lower:] [:upper:]) tr [:lower:] [:upper:])
case "$tmode" in
'VERIFY_IDENTITY'|'VERIFY_CA'|'REQUIRED'|'DISABLED')
;;
*)
wsrep_log_error "Unrecognized ssl-mode option: '$tmode'"
exit 22 # EINVAL
;;
esac
if [ $encrypt -eq 0 -o $encrypt -ge 2 ]; then if [ $encrypt -eq 0 -o $encrypt -ge 2 ]; then
if [ "$tmode" != 'DISABLED' -o $encrypt -ge 2 ]; then if [ "$tmode" != 'DISABLED' -o $encrypt -ge 2 ]; then
check_server_ssl_config check_server_ssl_config
...@@ -667,16 +676,13 @@ setup_ports() ...@@ -667,16 +676,13 @@ setup_ports()
# #
wait_for_listen() wait_for_listen()
{ {
local PORT="$1"
local ADDR="$2"
local MODULE="$3"
for i in {1..150}; do for i in {1..150}; do
if check_port "" "$PORT" 'socat|nc'; then if check_port "" "$SST_PORT" 'socat|nc'; then
break break
fi fi
sleep 0.2 sleep 0.2
done done
echo "ready $ADDR/$MODULE//$sst_ver" echo "ready $ADDR:$SST_PORT/$MODULE/$lsn/$sst_ver"
} }
check_extra() check_extra()
...@@ -733,7 +739,7 @@ recv_joiner() ...@@ -733,7 +739,7 @@ recv_joiner()
set +e set +e
if [ $wait -ne 0 ]; then if [ $wait -ne 0 ]; then
wait_for_listen "$SST_PORT" "$ADDR" "$MODULE" & wait_for_listen &
fi fi
timeit "$msg" "$ltcmd | $strmcmd; RC=( "\${PIPESTATUS[@]}" )" timeit "$msg" "$ltcmd | $strmcmd; RC=( "\${PIPESTATUS[@]}" )"
...@@ -1179,7 +1185,7 @@ then ...@@ -1179,7 +1185,7 @@ then
stagemsg='Joiner-Recv' stagemsg='Joiner-Recv'
MODULE='xtrabackup_sst' MODULE="${WSREP_SST_OPT_MODULE:-xtrabackup_sst}"
[ -f "$DATA/$IST_FILE" ] && rm -f "$DATA/$IST_FILE" [ -f "$DATA/$IST_FILE" ] && rm -f "$DATA/$IST_FILE"
...@@ -1187,7 +1193,7 @@ then ...@@ -1187,7 +1193,7 @@ then
[ -f "$DATA/xtrabackup_binary" ] && rm -f "$DATA/xtrabackup_binary" [ -f "$DATA/xtrabackup_binary" ] && rm -f "$DATA/xtrabackup_binary"
[ -f "$DATA/xtrabackup_galera_info" ] && rm -f "$DATA/xtrabackup_galera_info" [ -f "$DATA/xtrabackup_galera_info" ] && rm -f "$DATA/xtrabackup_galera_info"
ADDR="$WSREP_SST_OPT_ADDR" ADDR="$WSREP_SST_OPT_HOST"
if [ "${tmode#VERIFY}" != "$tmode" ]; then if [ "${tmode#VERIFY}" != "$tmode" ]; then
# backward-incompatible behavior: # backward-incompatible behavior:
...@@ -1201,7 +1207,7 @@ then ...@@ -1201,7 +1207,7 @@ then
exit 42 exit 42
fi fi
CN=$("$OPENSSL_BINARY" x509 -noout -subject -in "$tpem" | \ CN=$("$OPENSSL_BINARY" x509 -noout -subject -in "$tpem" | \
tr ',' '\n' | grep -F 'CN =' | cut -d= -f2 | sed s/^\ // | \ tr ',' '\n' | grep -F 'CN =' | cut -d '=' -f2 | sed s/^\ // | \
sed s/\ %//) sed s/\ %//)
fi fi
MY_SECRET="$(wsrep_gen_secret)" MY_SECRET="$(wsrep_gen_secret)"
......
scripts/wsrep_sst_rsync.sh
View file @ a3da3c8a
...@@ -238,6 +238,15 @@ if [ -z "$SSLMODE" ]; then ...@@ -238,6 +238,15 @@ if [ -z "$SSLMODE" ]; then
elif [ -n "$SSTKEY" -a -n "$SSTCERT" ]; then elif [ -n "$SSTKEY" -a -n "$SSTCERT" ]; then
SSLMODE='REQUIRED' SSLMODE='REQUIRED'
fi fi
else
case "$SSLMODE" in
'VERIFY_IDENTITY'|'VERIFY_CA'|'REQUIRED'|'DISABLED')
;;
*)
wsrep_log_error "Unrecognized ssl-mode option: '$SSLMODE'"
exit 22 # EINVAL
;;
esac
fi fi
if [ -n "$SSTKEY" -a -n "$SSTCERT" ]; then if [ -n "$SSTKEY" -a -n "$SSTCERT" ]; then
...@@ -262,18 +271,11 @@ VERIFY_OPT="" ...@@ -262,18 +271,11 @@ VERIFY_OPT=""
CHECK_OPT="" CHECK_OPT=""
CHECK_OPT_LOCAL="" CHECK_OPT_LOCAL=""
if [ "${SSLMODE#VERIFY}" != "$SSLMODE" ]; then if [ "${SSLMODE#VERIFY}" != "$SSLMODE" ]; then
case "$SSLMODE" in if [ "$SSLMODE" = 'VERIFY_IDENTITY' ]; then
'VERIFY_IDENTITY')
VERIFY_OPT='verifyPeer = yes' VERIFY_OPT='verifyPeer = yes'
;; else
'VERIFY_CA')
VERIFY_OPT='verifyChain = yes' VERIFY_OPT='verifyChain = yes'
;; fi
*)
wsrep_log_error "Unrecognized ssl-mode option: '$SSLMODE'"
exit 22 # EINVAL
;;
esac
if [ -z "$SSTCA$SSTCAP" ]; then if [ -z "$SSTCA$SSTCAP" ]; then
wsrep_log_error "Can't have ssl-mode='$SSLMODE' without CA file or path" wsrep_log_error "Can't have ssl-mode='$SSLMODE' without CA file or path"
exit 22 # EINVAL exit 22 # EINVAL
...@@ -338,7 +340,8 @@ while check_pid "$STUNNEL_PID" 1 "$STUNNEL_CONF"; do ...@@ -338,7 +340,8 @@ while check_pid "$STUNNEL_PID" 1 "$STUNNEL_CONF"; do
sleep 1 sleep 1
done done
MODULE='rsync_sst' MODULE="${WSREP_SST_OPT_MODULE:-rsync_sst}"
RSYNC_PID="$WSREP_SST_OPT_DATA/$MODULE.pid" RSYNC_PID="$WSREP_SST_OPT_DATA/$MODULE.pid"
RSYNC_CONF="$WSREP_SST_OPT_DATA/$MODULE.conf" RSYNC_CONF="$WSREP_SST_OPT_DATA/$MODULE.conf"
...@@ -650,7 +653,7 @@ elif [ "$WSREP_SST_OPT_ROLE" = 'joiner' ] ...@@ -650,7 +653,7 @@ elif [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]
then then
check_sockets_utils check_sockets_utils
ADDR="$WSREP_SST_OPT_ADDR" ADDR="$WSREP_SST_OPT_HOST"
RSYNC_PORT="$WSREP_SST_OPT_PORT" RSYNC_PORT="$WSREP_SST_OPT_PORT"
RSYNC_ADDR="$WSREP_SST_OPT_HOST" RSYNC_ADDR="$WSREP_SST_OPT_HOST"
RSYNC_ADDR_UNESCAPED="$WSREP_SST_OPT_HOST_UNESCAPED" RSYNC_ADDR_UNESCAPED="$WSREP_SST_OPT_HOST_UNESCAPED"
...@@ -751,7 +754,7 @@ EOF ...@@ -751,7 +754,7 @@ EOF
fi fi
if [ "${SSLMODE#VERIFY}" != "$SSLMODE" ]; then if [ "${SSLMODE#VERIFY}" != "$SSLMODE" ]; then
# backward-incompatible behavior # backward-incompatible behavior:
CN="" CN=""
if [ -n "$SSTCERT" ]; then if [ -n "$SSTCERT" ]; then
# find out my Common Name # find out my Common Name
...@@ -770,7 +773,6 @@ EOF ...@@ -770,7 +773,6 @@ EOF
ADDR="$CN:$MY_SECRET@$WSREP_SST_OPT_HOST" ADDR="$CN:$MY_SECRET@$WSREP_SST_OPT_HOST"
else else
MY_SECRET="" # for check down in recv_joiner() MY_SECRET="" # for check down in recv_joiner()
ADDR="$WSREP_SST_OPT_HOST"
fi fi
until check_pid_and_port "$TRANSFER_PID" $TRANSFER_REAL_PID \ until check_pid_and_port "$TRANSFER_PID" $TRANSFER_REAL_PID \
......
scripts/wsrep_sst_xtrabackup-v2.sh
View file @ a3da3c8a
...@@ -41,7 +41,7 @@ tcert="" ...@@ -41,7 +41,7 @@ tcert=""
tcap="" tcap=""
tpem="" tpem=""
tkey="" tkey=""
tmode='DISABLED' tmode=""
sockopt="" sockopt=""
progress="" progress=""
ttime=0 ttime=0
...@@ -479,6 +479,15 @@ read_cnf() ...@@ -479,6 +479,15 @@ read_cnf()
tmode=$(parse_cnf "$encgroups" 'ssl-mode' 'DISABLED' | \ tmode=$(parse_cnf "$encgroups" 'ssl-mode' 'DISABLED' | \
tr [:lower:] [:upper:]) tr [:lower:] [:upper:])
case "$tmode" in
'VERIFY_IDENTITY'|'VERIFY_CA'|'REQUIRED'|'DISABLED')
;;
*)
wsrep_log_error "Unrecognized ssl-mode option: '$tmode'"
exit 22 # EINVAL
;;
esac
if [ $encrypt -eq 0 -o $encrypt -ge 2 ]; then if [ $encrypt -eq 0 -o $encrypt -ge 2 ]; then
if [ "$tmode" != 'DISABLED' -o $encrypt -ge 2 ]; then if [ "$tmode" != 'DISABLED' -o $encrypt -ge 2 ]; then
check_server_ssl_config check_server_ssl_config
...@@ -679,16 +688,13 @@ setup_ports() ...@@ -679,16 +688,13 @@ setup_ports()
# #
wait_for_listen() wait_for_listen()
{ {
local PORT="$1"
local ADDR="$2"
local MODULE="$3"
for i in {1..150}; do for i in {1..150}; do
if check_port "" "$PORT" 'socat|nc'; then if check_port "" "$SST_PORT" 'socat|nc'; then
break break
fi fi
sleep 0.2 sleep 0.2
done done
echo "ready $ADDR/$MODULE//$sst_ver" echo "ready $ADDR:$SST_PORT/$MODULE/$lsn/$sst_ver"
} }
check_extra() check_extra()
...@@ -745,7 +751,7 @@ recv_joiner() ...@@ -745,7 +751,7 @@ recv_joiner()
set +e set +e
if [ $wait -ne 0 ]; then if [ $wait -ne 0 ]; then
wait_for_listen "$SST_PORT" "$ADDR" "$MODULE" & wait_for_listen &
fi fi
timeit "$msg" "$ltcmd | $strmcmd; RC=( "\${PIPESTATUS[@]}" )" timeit "$msg" "$ltcmd | $strmcmd; RC=( "\${PIPESTATUS[@]}" )"
...@@ -1206,7 +1212,7 @@ then ...@@ -1206,7 +1212,7 @@ then
stagemsg='Joiner-Recv' stagemsg='Joiner-Recv'
MODULE='xtrabackup_sst' MODULE="${WSREP_SST_OPT_MODULE:-xtrabackup_sst}"
[ -f "$DATA/$IST_FILE" ] && rm -f "$DATA/$IST_FILE" [ -f "$DATA/$IST_FILE" ] && rm -f "$DATA/$IST_FILE"
...@@ -1214,7 +1220,7 @@ then ...@@ -1214,7 +1220,7 @@ then
[ -f "$DATA/xtrabackup_binary" ] && rm -f "$DATA/xtrabackup_binary" [ -f "$DATA/xtrabackup_binary" ] && rm -f "$DATA/xtrabackup_binary"
[ -f "$DATA/xtrabackup_galera_info" ] && rm -f "$DATA/xtrabackup_galera_info" [ -f "$DATA/xtrabackup_galera_info" ] && rm -f "$DATA/xtrabackup_galera_info"
ADDR="$WSREP_SST_OPT_ADDR" ADDR="$WSREP_SST_OPT_HOST"
if [ "${tmode#VERIFY}" != "$tmode" ]; then if [ "${tmode#VERIFY}" != "$tmode" ]; then
# backward-incompatible behavior: # backward-incompatible behavior:
...@@ -1228,7 +1234,7 @@ then ...@@ -1228,7 +1234,7 @@ then
exit 42 exit 42
fi fi
CN=$("$OPENSSL_BINARY" x509 -noout -subject -in "$tpem" | \ CN=$("$OPENSSL_BINARY" x509 -noout -subject -in "$tpem" | \
tr ',' '\n' | grep -F 'CN =' | cut -d= -f2 | sed s/^\ // | \ tr ',' '\n' | grep -F 'CN =' | cut -d '=' -f2 | sed s/^\ // | \
sed s/\ %//) sed s/\ %//)
fi fi
MY_SECRET="$(wsrep_gen_secret)" MY_SECRET="$(wsrep_gen_secret)"
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7