Galera Cluster: Difference between revisions

From Lolly's Wiki
No edit summary
Line 6: Line 6:
Make a CA certificate with a very long lifetime as you dont want to make normal certificate updates at this point.
Make a CA certificate with a very long lifetime as you dont want to make normal certificate updates at this point.
<source lang=bash>
<source lang=bash>
# openssl genrsa 2048                              -out ca-key.pem
$ subject='/C=DE/ST=Hamburg/L=Hamburg/O=Organisation/OU=Databases/CN=Galera Cluster'
# openssl req -new -x509 -nodes -days 365000       -key ca-key.pem -out ca-cert.pem
$ openssl req -new -x509 -nodes -days 365000 -newkey rsa:4096 -sha256 -keyout ca-key.pem -out ca-cert.pem -batch -subj "${subject}"
</source>
</source>


Create a certificate for each server:
Create a certificate for each server:
<source lang=bash>
<source lang=bash>
# openssl req -newkey rsa:2048 -nodes -days 365000 -keyout maria-1-key.pem -out maria-1-req.pem
$ for node in {1..4}
# openssl x509 -req -days 365000 -set_serial 01        -in maria-1-req.pem -out maria-1-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
do
 
  emailAddress="dbadmin@server.de"
# openssl req -newkey rsa:2048 -nodes -days 365000 -keyout maria-2-key.pem -out maria-2-req.pem
  servername="maria-${node}.server.de"
# openssl x509 -req -days 365000 -set_serial 02        -in maria-2-req.pem -out maria-2-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
  subject="/C=DE/ST=Hamburg/L=Hamburg/O=Organisation/OU=Databases/CN=${servername}/emailAddress=${emailAddress}"
 
  openssl req -newkey rsa:4096 -nodes -keyout ${servername}-key.pem   -out ${servername}-req.pem -batch -subj "${subject}"
# openssl req -newkey rsa:2048 -nodes -days 365000 -keyout maria-3-key.pem -out maria-3-req.pem
  openssl x509 -req -days 365000 -set_serial $(printf "%02d" "${node}") -in ${servername}-req.pem -out ${servername}-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
# openssl x509 -req -days 365000 -set_serial 03        -in maria-3-req.pem -out maria-3-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
done
 
# openssl req -newkey rsa:2048 -nodes -days 365000 -keyout maria-4-key.pem -out maria-4-req.pem
# openssl x509 -req -days 365000 -set_serial 04        -in maria-4-req.pem -out maria-4-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
</source>
</source>
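Review bot: The new CA command still passes `-nodes`, so `ca-key.pem` is written unencrypted even though the CA certificate it signs for is valid for 365000 days; consider dropping `-nodes` on the CA line, or moving the CA key offline after the node certificates are signed, and restricting permissions on all `*-key.pem` files. In the new loop, the `${servername}-...` file arguments are unquoted, and the `openssl x509 -req` signing line does not pass `-sha256` the way the CA line does, so the node certificates depend on the OpenSSL default digest; quoting the expansions and adding `-sha256` there would make the loop consistent with the CA command.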



Revision as of 13:44, 12 November 2021


Set up the Cluster

Set up certificates for the cluster communication

Create a CA certificate with a very long lifetime, as you don't want to deal with regular certificate renewals at this point.

<source lang=bash>
$ subject='/C=DE/ST=Hamburg/L=Hamburg/O=Organisation/OU=Databases/CN=Galera Cluster'
$ openssl req -new -x509 -nodes -days 365000 -newkey rsa:4096 -sha256 -keyout ca-key.pem -out ca-cert.pem -batch -subj "${subject}"
</source>

Create a certificate for each server:

<source lang=bash>
$ for node in {1..4}
do
  emailAddress="dbadmin@server.de"
  servername="maria-${node}.server.de"
  subject="/C=DE/ST=Hamburg/L=Hamburg/O=Organisation/OU=Databases/CN=${servername}/emailAddress=${emailAddress}"
  # Generate the node's private key and certificate signing request
  openssl req -newkey rsa:4096 -nodes -keyout "${servername}-key.pem" -out "${servername}-req.pem" -batch -subj "${subject}"
  # Sign the request with the CA; the serial number is the zero-padded node number
  openssl x509 -req -days 365000 -set_serial "$(printf "%02d" "${node}")" -in "${servername}-req.pem" -out "${servername}-cert.pem" -CA ca-cert.pem -CAkey ca-key.pem
done
</source>
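A check that can be run on the files the loop produces before they are copied to the servers (added example, not part of the original wiki page): `check_node_cert` confirms that a node certificate verifies against `ca-cert.pem` and that the key file really is its private key. The function names and the throwaway demo PKI (2048-bit keys and 30 days of validity, chosen only to keep the demo fast) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page: verify node certificates before use.

# check_node_cert CA_CERT NODE_CERT NODE_KEY
# Returns 0 only if NODE_CERT chains to CA_CERT and NODE_KEY is its private key.
check_node_cert() {
  local ca="$1" cert="$2" key="$3" cert_pub key_pub
  if ! openssl verify -CAfile "${ca}" "${cert}" >/dev/null 2>&1; then
    echo "FAIL ${cert}: does not verify against ${ca}" >&2
    return 1
  fi
  # Compare the public key in the certificate with the one derived from the key.
  cert_pub="$(openssl x509 -in "${cert}" -noout -pubkey)"
  key_pub="$(openssl pkey -in "${key}" -pubout 2>/dev/null)"
  if [ -z "${key_pub}" ] || [ "${cert_pub}" != "${key_pub}" ]; then
    echo "FAIL ${cert}: public key does not match ${key}" >&2
    return 1
  fi
  echo "OK   ${cert}"
}

# make_demo_pki DIR (hypothetical helper): constructed throwaway CA plus two
# node certificates, same commands as the page but 2048-bit and 30 days.
make_demo_pki() {
  local dir="$1" node name
  openssl req -new -x509 -nodes -days 30 -newkey rsa:2048 -sha256 \
    -keyout "${dir}/ca-key.pem" -out "${dir}/ca-cert.pem" -batch \
    -subj "/CN=Demo Galera CA" 2>/dev/null
  for node in 1 2; do
    name="maria-${node}.server.de"
    openssl req -newkey rsa:2048 -nodes -keyout "${dir}/${name}-key.pem" \
      -out "${dir}/${name}-req.pem" -batch -subj "/CN=${name}" 2>/dev/null
    openssl x509 -req -days 30 -set_serial "0${node}" \
      -in "${dir}/${name}-req.pem" -out "${dir}/${name}-cert.pem" \
      -CA "${dir}/ca-cert.pem" -CAkey "${dir}/ca-key.pem" 2>/dev/null
  done
}

# Demo: the matching pair passes, a swapped key is rejected.
demo="$(mktemp -d)"
make_demo_pki "${demo}"
check_node_cert "${demo}/ca-cert.pem" "${demo}/maria-1.server.de-cert.pem" "${demo}/maria-1.server.de-key.pem"
check_node_cert "${demo}/ca-cert.pem" "${demo}/maria-1.server.de-cert.pem" "${demo}/maria-2.server.de-key.pem" || true
rm -rf "${demo}"
```

On the real files, call `check_node_cert ca-cert.pem maria-1.server.de-cert.pem maria-1.server.de-key.pem` once per node.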

Show wsrep_provider_options

<source lang=bash>
$ mariadb -NBABe 'show variables like "wsrep_provider_options"' | awk '{gsub(/$/,":\n",$1); gsub(/(;|$)/,";\n"); printf "%s", $0; }'
</source>