correct healthcheck.sh under --require-secure-transport #597
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
require-secure-transport on the server mandates that tls or unix socket be used. The healthcheck user doesn't have explict tls credentials, so would have failed. 11.4+ would have tls negiotated, except in MariaDB#594 it was disabled for people that didn't configure ssl-ca correctly. To resolve this _process_sql adds an explict --protocol socket to get around the default configuration of 'protocol=tcp' in .my-healthcheck.sh. The protocol=tcp was there to catch people who put `healthcheck.sh --innodb_initialized` to discover it checked that in the starting phase of the container, without a tcp connection being available, it still returned true. We work around this my making a connection test always occur in the healthcheck. Remove the protocol=tcp from the generation of .my-healthcheck.cnf files. --connect, as a method that requires to test the connection, we add a mechanims that examines @@skip_networking and considers that if false, the connection is viable. We made a unix socket connection to do the test, which is active the same time as tcp sockets are. This alternate --connect method would have only worked the credentials of the healthcheck user where valid. If it isn't fall back to looking for "Can't connect". Closes: MariaDB#596
grooverdan
force-pushed
the
require_secure_auth_healthcheck
branch
from
0ec5225
to
5133ff8
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
require-secure-transport on the server mandates that tls or unix socket be used. The healthcheck user doesn't have explict tls credentials, so would have failed. 11.4+ would have tls negiotated, except in #594 it was disabled for people that didn't configure ssl-ca correctly.
To resolve this _process_sql adds an explict --protocol socket to get around the default configuration of 'protocol=tcp' in .my-healthcheck.sh. The protocol=tcp was there to catch people who put
healthcheck.sh --innodb_initializedto discover it checked that in the starting phase of the container, without a tcp connection being available, it still returned true.We work around this my making a connection test always occur in the healthcheck.
Remove the protocol=tcp from the generation of .my-healthcheck.cnf files.
--connect, as a method that requires to test the connection, we add a mechanims that examines @@skip_networking and considers that if false, the connection is viable. We made a unix socket connection to do the test, which is active the same time as tcp sockets are.
This alternate --connect method would have only worked the credentials of the healthcheck user where valid. If it isn't fall back to looking for "Can't connect".
Closes: #596