Skip to content
This repository has been archived by the owner on Nov 24, 2023. It is now read-only.

conn: refine TLS configuration #1560

Closed
wants to merge 4 commits into from
Closed

conn: refine TLS configuration #1560

wants to merge 4 commits into from

Conversation

lichunzhu
Copy link
Contributor

@lichunzhu lichunzhu commented Apr 6, 2021
edited by lance6716
Loading

replaced by #1575

What problem does this PR solve?

fix #1555

What is changed and how it works?

Set TLS too even if we only have ssl-ca.

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
    This works fine on my PC mysql with require_secure_transport=ON.

Related changes

  • Need to cherry-pick to the release branch

@lance6716 lance6716 added the needs-cherry-pick-release-2.0 This PR should be cherry-picked to release-2.0. Remove this label after cherry-picked to release-2.0 label Apr 6, 2021
@lance6716 lance6716 added this to the v2.0.2 milestone Apr 6, 2021
@GMHDBJD
Copy link
Collaborator

GMHDBJD commented Apr 6, 2021

/lgtm

@ti-chi-bot ti-chi-bot added the status/LGT1 One reviewer already commented LGTM label Apr 6, 2021
@lance6716
Copy link
Collaborator

/lgtm

@ti-chi-bot
Copy link
Member

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • GMHDBJD
  • lance6716

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by writing /lgtm in a comment.
Reviewer can cancel approval by writing /lgtm cancel in a comment.

@ti-chi-bot ti-chi-bot added status/LGT2 Two reviewers already commented LGTM, ready for merge and removed status/LGT1 One reviewer already commented LGTM labels Apr 6, 2021
coderplay
coderplay reviewed Apr 6, 2021
View reviewed changes
Copy link

@coderplay coderplay left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see below comment

dm/master/server.go
@@ -1230,7 +1230,7 @@ func enableTLS(tlsCfg *config.Security) bool {
return false
}

if len(tlsCfg.SSLCA) == 0 || len(tlsCfg.SSLCert) == 0 || len(tlsCfg.SSLKey) == 0 {
if len(tlsCfg.SSLCA) == 0 {
Copy link

@coderplay coderplay Apr 6, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue in #1555 was a MySQL client side tls issue , but this line of change is for DM server side tls config that will effect on the AdvertiseAddr. IIUC, it's unrelated, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/pingcap/dm/pull/1560/files#diff-d42d00fe16fdbc10836731179db540c30ef59f1eb7789bf2ad3ea771554eceb5R67
The MySQL related file is in pkg/conn/basedb.go. I change this line because it's wrong for dm-master too.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does dm-worker need similar change?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just searched len(.*SSLCA), looks that's the only place left.

@lance6716
Copy link
Collaborator

/hold

@coderplay
Copy link

coderplay commented Apr 6, 2021
edited
Loading

The TLS issue isn't completely fixed. I got another similar error from worker side when I tried to create a migration task. Please update the TLS code for dumper/loader/syncer as well.

example errror:

/ # /dmctl --master-addr ultra-dm-master-0:8261 start-task task.yaml
{
    "result": true,
    "msg": "",
    "sources": [
        {
            "result": false,
            "msg": "[code=38032:class=dm-master:scope=internal:level=high], Message: some error occurs in dm-worker: ErrCode:10001 ErrClass:\"database\" ErrScope:\"upstream\" ErrLevel:\"high\" Message:\"fail to initial unit Sync of subtask sql-history-migration : database driver error\" RawCause:\"Error 9002: SSL connection is required. Please specify SSL options and retry.\\000\" Workaround:\"Please check the database connection and the database config in configuration file.\" , Workaround: Please execute `query-status` to check status.",
            "source": "testdb",
            "worker": "ultra-dm-worker-0"
        }
    ]
}

@lichunzhu Would you please test the whole migration procedure after you fixed the rest?

Much appreciated!

@coderplay
Copy link

The above add-task ran into 3 errors. They are from

  1. https://github.com/pingcap/dm/blob/v2.0.0/syncer/checkpoint.go#L799
  2. https://github.com/pingcap/dm/blob/v2.0.0/syncer/heartbeat.go#L279
  3. https://github.com/pingcap/dm/blob/v2.0.0/syncer/heartbeat.go#L137

@ti-chi-bot ti-chi-bot added size/L and removed size/XS labels Apr 7, 2021
@lichunzhu
Copy link
Contributor Author

lichunzhu commented Apr 7, 2021
edited
Loading

The above add-task ran into 3 errors. They are from

  1. https://github.com/pingcap/dm/blob/v2.0.0/syncer/checkpoint.go#L799
  2. https://github.com/pingcap/dm/blob/v2.0.0/syncer/heartbeat.go#L279
  3. https://github.com/pingcap/dm/blob/v2.0.0/syncer/heartbeat.go#L137

@coderplay This commit d0a90a3 will fix the problem for heartbeat.

@ti-chi-bot
Copy link
Member

@coderplay: /lgtm is only allowed for the reviewers in list.

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

@ti-chi-bot
Copy link
Member

@coderplay: /lgtm is only allowed for the reviewers in list.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

@coderplay
Copy link

seems I don't have permission to approve, but LGTM!

@lance6716
Copy link
Collaborator

@lichunzhu please fix CI

@sleepymole sleepymole mentioned this pull request Apr 9, 2021
Merged
@sleepymole
Copy link
Contributor

CI will be fixed in #1575.

@ti-chi-bot
Copy link
Member

@lichunzhu: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@lance6716 lance6716 removed this from the v2.0.2 milestone Apr 9, 2021
@ti-srebot ti-srebot mentioned this pull request Apr 9, 2021
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@coderplay coderplay coderplay approved these changes

@GMHDBJD GMHDBJD Awaiting requested review from GMHDBJD

@lance6716 lance6716 Awaiting requested review from lance6716

Assignees
No one assigned
Labels
do-not-merge/hold needs-cherry-pick-release-2.0 This PR should be cherry-picked to release-2.0. Remove this label after cherry-picked to release-2.0 needs-rebase size/L status/LGT2 Two reviewers already commented LGTM, ready for merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support TLS connections when only ssl-ca is set
6 participants
@lichunzhu @GMHDBJD @lance6716 @ti-chi-bot @coderplay @sleepymole