[MDEV-34009] Introduce server-initiated instant failover mechanism #3231
Commits on Apr 29, 2024
-
[MDEV-34009] Basic framework for instant failover mechanism
This adds the system variables `INSTANT_FAILOVER_TARGET` and `INSTANT_FAILOVER_MODE` (`OFF`/`ON`/`ALL`), and the error code `ER_INSTANT_FAILOVER`. When `INSTANT_FAILOVER_MODE=ON`, the server will immediately respond to newly-connected clients with an error packet containing the error code 4196 (`ER_INSTANT_FAILOVER`) and a specially-formatted message: |Arbitary human-readable message|value of INSTANT_FAILOVER_TARGET For example: |Server is directing clients to the alternative server 'other-mariadb-server.company.com:3307'.|other-mariadb-server.company.com:3307 Updated and compatible clients can parse this message and redirect appropriately, or display the human-readable message if they do not wish to follow this redirection. Older clients will display the message in its entirety, and end users should at least have an idea of what's going on. In my earliest implementation, the sending of the `ER_INSTANT_FAILOVER` error packet by the MariaDB server depended on the exploitation of the client vulnerability https://jira.mariadb.org/browse/CONC-648 (“Client improperly accepts error packets prior to TLS handshake”), which I discovered during its implementation. The server should obviously be able to redirect clients which don't suffer from this severe vulnerability. In order to do this, we need to move the redirection handling into `native_password_authentication()`. This awkward arrangement is necessitated by the total entanglement of the APPLICATION-layer authentication code (e.g. username+password for "native" authentication) with the TRANSPORT-layer security mechanism (TLS literally stands for Transport Layer Security). An unfortunate consequence of this is that the redirection mechanism will not work unless the client is using the "native" authentication plugin, or until other authentication plugins are similarly updated similarly. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc. -
Exclude connections to the EXTRA_PORT from INSTANT_FAILOVER_MODE=ON
MariaDB servers can optionally listen for client connections on an additional TCP port (configured with the system variable `EXTRA_PORT`) in addition to the "normal" TCP port (default 3306). See https://mariadb.com/kb/en/thread-pool-in-mariadb/#configuring-the-extra-port for more information. This `EXTRA_PORT` is intended for emergency and/or administrative use, and we should therefore include it from redirection in `INSTANT_FAILOVER_MODE=ON`, just as we do for non-network based connections (Unix sockets and named pipes). The code required to check for connections to the EXTRA_PORT is greatly complicated by the fact that the `thd->net->vio->mysql_socket` and `thd->net->vio->local` data structures are not reliably or fully populated at the point where they are passed into `parse_client_handshake_packet. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
-
Use libmariadb as updated for instant failover
The updated libmariadb parses the `ER_INSTANT_FAILOVER` error packets (with the message component formatted as `|Human-readable message|value of INSTANT_FAILOVER_TARGET system variable`) and reconnects accordingly. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
-
Add --follow-instant-failovers option to MariaDB CLI
This option is ENABLED by default. The `main.mysqld--help` MTR test is updated as well, to reflect the addition of this option to the `mysqld --help` output. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
-
This MTR test verifies the basic functionality of the INSTANT_FAILOVER_{MODE,TARGET} system variables, including: 1. `INSTANT_FAILOVER_MODE=ON` as well as `ALL` 2. The handling of the extra port and local-socket connections (redirected in mode `ALL`, but not in mode `ON`) 3. The behavior of the client both with `--follow-instant-failovers` (the default) and with `--disable-follow-instant-failovers` 4. The client's handling of redirect loops (>=8 redirections causes `ER_INSTANT_FAILOVER`) 5. The ability to turn `INSTANT_FAILOVER_MODE` back to `OFF`, and to resume connections without redirection. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.