Secure Binlog Server: Encrypted Binary Logs and SSL Communication
This module allows MariaDB MaxScale to connect to a master server and retrieve binary logs while slave servers can connect to MariaDB MaxScale like they would connect to a normal master server. If the master server goes down, the slave servers can still connect to MariaDB MaxScale and read binary logs.
You can switch to a new master server without the slaves noticing that the actual master server has changed. This allows for a more highly available replication setup where replication is high-priority. The binlogrouter requires the `server`, `user` and `passwd` parameters. These should be configured according to the Configuration Guide. This is the main way the binlogrouter is configured and it will be covered in detail in the next section.
As of version 2. Binlogrouter is configured with a comma-separated list of key-value pairs. In the binlog dir there is also the 'cache' directory, which contains data retrieved from the master during the registration phase and the master.
Read the MySQL Authenticator documentation for instructions on how to define a custom location for the user cache. This is used to set the unique uuid that the binlog router uses when it connects to the master server.
If no explicit value is given for the uuid in the configuration file then a uuid will be generated. As with uuid, MariaDB MaxScale must have a unique server id for the connection it makes to the master.
This parameter provides the value of the server id that MariaDB MaxScale will use when connecting to the master. The id can also be specified using server-id but that is deprecated and will be removed in a future release of MariaDB MaxScale. This may either be the same as the server id of the real master or can be chosen to be different if the slaves need to be aware of the proxy layer.
The real master server id will be used if the option is not set. The id can also be specified using master-id but that is deprecated and will be removed in a future release of MariaDB MaxScale.
It is a requirement of replication that each slave have a unique UUID value. The MariaDB MaxScale router will identify itself to the slaves using the uuid of the real master if this option is not set.
The MariaDB MaxScale router will identify itself to the slaves using the server version of the real master if this option is not set. The MariaDB MaxScale router will identify itself to the slaves using the server hostname of the real master if this option is not set.
This user name must have the rights required for replication as with any other user that a slave uses for replication purposes. If the user parameter is not given in the router options then the same user as is used to retrieve the credential information will be used for the replication connection, i.
The password of the above user. If the password is not explicitly given then the password in the service entry will be used. This defines the value of the heartbeat interval in seconds for the connection to the master. MariaDB MaxScale requests the master to ensure that a binlog event is sent at least every heartbeat period.
If there are no real binlog events to send, the master will send a special heartbeat event. The default value for the heartbeat period is every 5 minutes. The current interval value is reported in the diagnostic output. This parameter is used to define the maximum amount of data that will be sent to a slave by MariaDB MaxScale when that slave is lagging behind the master.
In this situation the slave is said to be in "catchup mode". This parameter is designed both to prevent flooding of that slave and to prevent threads within MariaDB MaxScale from spending disproportionate amounts of time with slaves that are lagging behind the master.
The burst size can be provided as specified here, except that IEC binary prefixes can be used as suffixes only from MaxScale 2. The default value is 1M, which will be used if burstsize is not provided in the router options. This parameter allows binlogrouter to replicate from a MariaDB GTID will not be used in the replication.
When MariaDB MaxScale starts, an error message may appear if the current binlog file is corrupted or an incomplete transaction is found. This defines whether (on or off) MariaDB MaxScale sends the heartbeat packet to the slave when there are no real binlog events to send.
The default value is 'off': no heartbeat event is sent to the slave server. If the value is 'on', the interval value requested by the slave during registration is reported in the diagnostic output and the packet is sent once that interval has passed without any event to send. This parameter controls whether the binlog server can ask the master server to start semi-synchronous replication.
This parameter sets the maximum length of the certificate authority chain that will be accepted. Legal values are positive integers.
This applies to the SSL connection to the master server, which can be activated either by writing options in master. This parameter cannot be modified at runtime; the default is 9.
In order to use binlog encryption the master server MariaDB This is required because both the master and MaxScale must store encrypted data for a working secure data-at-rest scenario.
Additionally, as long as the master server doesn't send the StartEncryption event (which contains encryption setup information for the binlog file), there is a position gap between the end position of the FormatDescription event and the start position of the next event. The MaxScale binlog server adds its own StartEncryption event to binlog files; consequently, the binlog event positions in the binlog file are the same as in the master binlog file and there is no position mismatch.
Please note that semi-sync replication is only related to the communication between the binlog server and the master.
In the Encryption Key File, key id 1 is used for binlog file encryption.
The Replication Proxy tutorial will show you how to configure and administer a binlogrouter installation.
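Binlog encryption only protects data at rest if the key file itself is sound, so the following added example (not taken from the MaxScale documentation) audits a key file for a usable key id 1 and for file permissions that expose the key. It assumes the `id;HEX(KEY)` line format of MariaDB's file key management plugin, AES key lengths of 16, 24 or 32 bytes, and that blank and `#` lines are ignored; the function names and the sample content are hypothetical.

```python
import os
import stat

BINLOG_KEY_ID = 1               # from the page: key id 1 is for binlog files
VALID_KEY_BYTES = (16, 24, 32)  # assumption: AES-128/192/256 key sizes

# Constructed sample, not real key material; lines 3 and 4 are deliberately bad.
SAMPLE = """\
# id;HEX(KEY)
1;00112233445566778899aabbccddeeff
2;zz11
3;0011
"""

def parse_key_file(text):
    """Return ({key_id: key_bytes}, [problems]) for 'id;HEXKEY' lines."""
    keys, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: these are ignored
            continue
        id_part, _, hex_part = line.partition(";")
        try:
            key_id, key = int(id_part), bytes.fromhex(hex_part.strip())
        except ValueError:
            problems.append(f"line {lineno}: expected 'id;HEXKEY'")
            continue
        if len(key) not in VALID_KEY_BYTES:
            problems.append(f"line {lineno}: key is {len(key)} bytes")
            continue
        keys[key_id] = key
    return keys, problems

def audit_key_file(path):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:o}: key accessible beyond its owner")
    with open(path, encoding="ascii", errors="replace") as fh:
        keys, problems = parse_key_file(fh.read())
    findings.extend(problems)
    if BINLOG_KEY_ID not in keys:
        findings.append(f"no usable key with id {BINLOG_KEY_ID}")
    elif len(set(keys[BINLOG_KEY_ID])) == 1:
        findings.append("key id 1 is one repeated byte (placeholder?)")
    return findings
```

Run `audit_key_file` against the key file on both the master and the MaxScale host, since both store encrypted binlogs.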