Mariabackup SST Method
The mariabackup SST method uses the Mariabackup utility for performing SSTs. It is one of the methods that does not block the donor node. Mariabackup was originally forked from Percona XtraBackup, and similarly, the mariabackup SST method was originally forked from the [xtrabackup-v2] SST method.
Note that if you use the mariabackup SST method, then you also need to have [socat](#socat-dependency) installed on the server. This is needed to stream the backup from the donor node to the joiner node. This is a limitation that was inherited from the [xtrabackup-v2] SST method.
Choosing Mariabackup for SSTs
To use the mariabackup SST method, you must set the [wsrep_sst_method=mariabackup](../../reference/galera-cluster-system-variables.md#wsrep_sst_method) on both the donor and joiner node. It can be changed dynamically with [SET GLOBAL](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/reference/sql-statements-and-structure/sql-statements/administrative-sql-statements/set-commands/set#global-session) on the node that you intend to be a SST donor. For example:
It can be set in a server option group in an option file prior to starting up a node:
For an SST to work properly, the donor and joiner node must use the same SST method. Therefore, it is recommended to set [wsrep_sst_method](../../reference/galera-cluster-system-variables.md#wsrep_sst_method) to the same value on all nodes, since any node will usually be a donor or joiner node at some point.
Major version upgrades
The InnoDB redo log format has been changed in MariaDB 10.5 and MariaDB 10.8 in a way that will not allow the crash recovery or the preparation of a backup from an older major version. Because of this, the mariabackup SST method cannot be used for some major version upgrades, unless you temporarily edit the wsrep_sst_mariabackup script so that the --prepare step on the newer-major-version joiner will be executed using the older-major-version mariabackup tool.
The default method wsrep_sst_method=rsync will work for major version upgrades; see MDEV-27437.
Authentication and Privileges
To use the mariabackup SST method, Mariabackup needs to be able to authenticate locally on the donor node, so that it can create a backup to stream to the joiner. You can tell the donor node what username and password to use by setting the [wsrep_sst_auth](../../reference/galera-cluster-system-variables.md#wsrep_sst_auth) system variable. It can be changed dynamically with [SET GLOBAL](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/reference/sql-statements-and-structure/sql-statements/administrative-sql-statements/set-commands/set#global-session) on the node that you intend to be a SST donor. For example:
It can also be set in a server option group in an option file prior to starting up a node:
Some authentication plugins do not require a password. For example, the [unix_socket](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) and [gssapi](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/reference/plugins/authentication-plugins/authentication-plugin-gssapi) authentication plugins do not require a password. If you are using a user account that does not require a password in order to log in, then you can just leave the password component of [wsrep_sst_auth](../../reference/galera-cluster-system-variables.md#wsrep_sst_auth) empty. For example:
The user account that performs the backup for the SST needs to have the same privileges as Mariabackup, which are the RELOAD , PROCESS, LOCK TABLES and BINLOG MONITOR, REPLICA MONITOR global privileges. To be safe, you should ensure that these privileges are set on each node in your cluster. Mariabackup connects locally on the donor node to perform the backup, so the following user should be sufficient:
Passwordless Authentication - Unix Socket
It is possible to use the [unix_socket](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) authentication plugin for the user account that performs SSTs. This would provide the benefit of not needing to configure a plain-text password in [wsrep_sst_auth](../../reference/galera-cluster-system-variables.md#wsrep_sst_auth).
The user account would have to have the same name as the operating system user account that is running the mysqld process. On many systems, this is the user account configured as the [user](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/server-management/getting-installing-and-upgrading-mariadb/starting-and-stopping-mariadb/mariadbd-options) option, and it tends to default to mysql.
For example, if the [unix_socket](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) authentication plugin is already installed, then you could execute the following to create the user account:
And then to configure [wsrep_sst_auth](../../reference/galera-cluster-system-variables.md#wsrep_sst_auth), you could set the following in a server option group in an option file prior to starting up a node:
Passwordless Authentication - GSSAPI
It is possible to use the [gssapi](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/reference/plugins/authentication-plugins/authentication-plugin-gssapi) authentication plugin for the user account that performs SSTs. This would provide the benefit of not needing to configure a plain-text password in [wsrep_sst_auth](../../reference/galera-cluster-system-variables.md#wsrep_sst_auth).
The following steps would need to be done beforehand:
You need a KDC running MIT Kerberos or Microsoft Active Directory.
You will need to create a keytab file for the MariaDB server.
You will need to install the package containing the
[gssapi](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/reference/plugins/authentication-plugins/authentication-plugin-gssapi)authentication plugin.You will need to install the plugin in MariaDB, so that the
[gssapi](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/reference/plugins/authentication-plugins/authentication-plugin-gssapi)authentication plugin is available to use.You will need to configure the plugin.
You will need to create a user account that authenticates with the
[gssapi](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/reference/plugins/authentication-plugins/authentication-plugin-gssapi)authentication plugin, so that the user account can be used for SSTs. This user account will need to correspond with a user account that exists on the backend KDC.
For example, you could execute the following to create the user account in MariaDB:
And then to configure [wsrep_sst_auth](../../reference/galera-cluster-system-variables.md#wsrep_sst_auth), you could set the following in a server option group in an option file prior to starting up a node:
Choosing a Donor Node
When Mariabackup is used to create the backup for the SST on the donor node, Mariabackup briefly requires a system-wide lock at the end of the backup. This is done with [BACKUP STAGE BLOCK_COMMIT](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/reference/sql-statements-and-structure/sql-statements/administrative-sql-statements/backup-commands/backup-stage).
If a specific node in your cluster is acting as the primary node by receiving all of the application's write traffic, then this node should not usually be used as the donor node, because the system-wide lock could interfere with the application. In this case, you can define one or more preferred donor nodes by setting the [wsrep_sst_donor](../../reference/galera-cluster-system-variables.md#wsrep_sst_donor) system variable.
For example, let's say that we have a 5-node cluster with the nodes node1, node2, node3, node4, and node5, and let's say that node1 is acting as the primary node. The preferred donor nodes for node2 could be configured by setting the following in a server option group in an option file prior to starting up a node:
The trailing comma tells the server to allow any other node as donor when the preferred donors are not available. Therefore, if node1 is the only node left in the cluster, the trailing comma allows it to be used as the donor node.
Socat Dependency
During the SST process, the donor node uses socat to stream the backup to the joiner node. Then the joiner node prepares the backup before restoring it. The socat utility must be installed on both the donor node and the joiner node in order for this to work. Otherwise, the MariaDB error log will contain an error like:
Installing Socat on RHEL/CentOS
On RHEL/CentOS, socat can be installed from the Extra Packages for Enterprise Linux (EPEL) repository.
TLS
This SST method supports two different TLS methods. The specific method can be selected by setting the encrypt option in the [sst] section of the MariaDB configuration file. The options are:
TLS using OpenSSL encryption built into
socat(encrypt=2)TLS using OpenSSL encryption with Galera-compatible certificates and keys (
encrypt=3)
Note that encrypt=1 refers to a TLS encryption method that has been deprecated and removed. encrypt=4 refers to a TLS encryption method in xtrabackup-v2 that has not yet been ported to mariabackup. See MDEV-18050 about that.
TLS Using OpenSSL Encryption Built into Socat
To generate keys compatible with this encryption method, you can follow these directions.
For example:
First, generate the keys and certificates:
On some systems, you may also have to add dhparams to the certificate:
Then, copy the certificate and keys to all nodes in the cluster.
Then, configure the following on all nodes in the cluster:
But replace the paths with whatever is relevant on your system.
This should allow your SSTs to be encrypted.
TLS Using OpenSSL Encryption with Galera-compatible Certificates and Keys
To generate keys compatible with this encryption method, you can follow these directions.
For example:
First, generate the keys and certificates:
Then, copy the certificate and keys to all nodes in the cluster.
Then, configure the following on all nodes in the cluster:
But replace the paths with whatever is relevant on your system.
This should allow your SSTs to be encrypted.
Logs
The mariabackup SST method has its own logging outside of the MariaDB Server logging.
Logging to SST Logs
Logging for mariabackup SSTs works the following way.
By default, on the donor node, it logs to mariabackup.backup.log. This log file is located in the [datadir](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/server-usage/replication-cluster-multi-master/optimization-and-tuning/system-variables/server-system-variables#datadir).
By default, on the joiner node, it logs to mariabackup.prepare.log and mariabackup.move.log These log files are also located in the [datadir](https://app.gitbook.com/s/SsmexDFPv2xG2OTyO5yV/server-usage/replication-cluster-multi-master/optimization-and-tuning/system-variables/server-system-variables#datadir).
By default, before a new SST is started, existing mariabackup SST log files are compressed and moved to /tmp/sst_log_archive. This behavior can be disabled by setting sst-log-archive=0 in the [sst] option group in an option file. Similarly, the archive directory can be changed by setting sst-log-archive-dir. For example:
See MDEV-17973 for more information. <>
Logging to Syslog
You can redirect the SST logs to the syslog instead by setting the following in the [sst] option group in an option file:
You can also redirect the SST logs to the syslog by setting the following in the [mysqld_safe] option group in an option file:
Performing SSTs with IPv6 Addresses
If you are performing Mariabackup SSTs with IPv6 addresses, then the socat utility needs to be passed the pf=ip6 option. This can be done by setting the sockopt option in the [sst] option group in an option file. For example:
See MDEV-18797 for more information.
Manual SST with Mariabackup
In some cases, if Galera Cluster's automatic SSTs repeatedly fail, then it can be helpful to perform a "manual SST". See the following page on how to do that:
See Also
This page is licensed: CC BY-SA / Gnu FDL
Last updated
Was this helpful?