MariaDB Galera Cluster – the wsrep allowlist

If you’ve used Galera Cluster for some time, you might have already realised that with Galera 4, you have 3 new tables in the mysql database: wsrep_cluster, wsrep_cluster_members, and wsrep_streaming_log. We document this quite well in Galera System Tables. If you are a MariaDB Server user, you’ll notice that since MariaDB Server 10.10, there is yet another one.

MariaDB [mysql]> show tables like 'wsrep%';
+--------------------------+
| Tables_in_mysql (wsrep%) |
+--------------------------+
| wsrep_allowlist          |
| wsrep_cluster            |
| wsrep_cluster_members    |
| wsrep_streaming_log      |
+--------------------------+
4 rows in set (0.000 sec)

It is the wsrep_allowlist table, which stores the allowed IP addresses that can perform an IST/SST, in a comma delimited format. Before the introduction of wsrep_allowlist, any node with access to Galera Cluster’s TCP ports could make an SST/IST request without authentication being performed. Some users prefer a more robust and secure method, hence with wsrep_allowlist a JOINER node is allowed to join the cluster only if its IP is in the list.

wsrep_allowlist accepts either IPv4 or IPv6 addresses, but it does not allow wildcard IPs or hostnames. It was implemented in MDEV-27246.

MariaDB [mysql]> describe wsrep_allowlist\G
*************************** 1. row ***************************
  Field: ip
   Type: char(64)
   Null: NO
    Key: PRI
Default: NULL
  Extra: 
1 row in set (0.001 sec)

Altering it is as simple as executing: insert into mysql.wsrep_allowlist(ip) values('18.193.102.155'); and you will end up seeing something like:

MariaDB [mysql]> select * from wsrep_allowlist;
+----------------+
| ip             |
+----------------+
| 18.193.102.155 |
| 18.194.147.243 |
+----------------+
2 rows in set (0.000 sec)

And when another node tries to connect, the potential DONOR nodes will see this in the error.log:

2024-03-18  8:19:02 0 [Warning] WSREP: Connection not allowed, IP 3.70.155.51 not found in allowlist.

And naturally, on the node trying to be the JOINER that is not in the allowlist, an error such as the following should be easy to spot:

2024-03-18  8:19:14 0 [ERROR] WSREP: failed to open gcomm backend connection: 110: failed to reach primary view: 110 (Connection timed out)
	 at ./gcomm/src/pc.cpp:connect():160
2024-03-18  8:19:14 0 [ERROR] WSREP: ./gcs/src/gcs_core.cpp:gcs_core_open():221: Failed to open backend connection: -110 (Connection timed out)
2024-03-18  8:19:15 0 [ERROR] WSREP: ./gcs/src/gcs.cpp:gcs_open():1674: Failed to open channel 'mariadb' at 'gcomm://18.194.147.243,18.193.102.155': -110 (Connection timed out)
2024-03-18  8:19:15 0 [ERROR] WSREP: gcs connect failed: Connection timed out
2024-03-18  8:19:15 0 [ERROR] WSREP: wsrep::connect(gcomm://18.194.147.243,18.193.102.155) failed: 7

Adding the remaining node to the allowlist fixes this:

MariaDB [mysql]> insert into mysql.wsrep_allowlist(ip) values('3.70.155.51');
Query OK, 1 row affected (0.002 sec)

MariaDB [mysql]> select * from wsrep_allowlist;
+----------------+
| ip             |
+----------------+
| 18.193.102.155 |
| 18.194.147.243 |
| 3.70.155.51    |
+----------------+
3 rows in set (0.000 sec)

And now we are back to having a 3-node MariaDB Galera Cluster. There is some documentation at MariaDB on wsrep_allowlist, but we hope this blog post helps you get going quicker as it has a practical example.
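A donor-side check over the "Connection not allowed" warning shown above, as an added example that is not code from the original post or from the MariaDB or Galera projects: it groups allowlist rejections by source IP and separates known cluster nodes that are merely missing from the table from sources that are not in the operator's inventory. The function names, the EXPECTED_NODES inventory and the log lines marked as constructed are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Donor-side rejection warning, in the format shown in the post's error.log excerpt.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}\s+\d{1,2}:\d{2}:\d{2})\s+\d+\s+\[Warning\]\s+"
    r"WSREP: Connection not allowed, IP (?P<ip>\S+) not found in allowlist\.")

# The first line is from the post; the other three are constructed for this example.
SAMPLE_LOG = [
    "2024-03-18  8:19:02 0 [Warning] WSREP: Connection not allowed, IP 3.70.155.51 not found in allowlist.",
    "2024-03-18  8:19:09 0 [Warning] WSREP: Connection not allowed, IP 3.70.155.51 not found in allowlist.",
    "2024-03-18  8:21:40 0 [Warning] WSREP: Connection not allowed, IP 203.0.113.77 not found in allowlist.",
    "2024-03-18  8:21:41 0 [Note] WSREP: unrelated line that must be ignored",
]
# Assumed inventory of legitimate cluster nodes (the three IPs used in the post).
EXPECTED_NODES = ["18.193.102.155", "18.194.147.243", "3.70.155.51"]

def rejected_joiners(log_lines, expected_nodes):
    """Return {ip: {"count", "first", "last", "expected"}} for rejected connections."""
    expected = {ip_address(n) for n in expected_nodes}
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None, "expected": False})
    for line in log_lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        try:
            ip = ip_address(m["ip"])      # only literal IPv4/IPv6 addresses are valid here
        except ValueError:
            continue                      # malformed address field: skip the line
        ts = " ".join(m["ts"].split())    # collapse the padded single-digit hour
        rec = seen[str(ip)]
        rec["count"] += 1
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        rec["expected"] = ip in expected
    return dict(seen)

def unexpected_sources(report):
    """IPs that were rejected and are not part of the known node inventory."""
    return sorted(ip for ip, rec in report.items() if not rec["expected"])

if __name__ == "__main__":
    report = rejected_joiners(SAMPLE_LOG, EXPECTED_NODES)
    for ip, rec in report.items():
        kind = "known node, missing from allowlist" if rec["expected"] else "NOT in inventory"
        print(f"{ip}: {rec['count']} rejection(s), {rec['first']} .. {rec['last']} ({kind})")
```

A known node in the report points to an incomplete allowlist; an address outside the inventory is one to investigate rather than insert.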

Did you know about this cool MariaDB Galera Cluster feature? Will you be using it? Can you wait for when it is ported into Galera Cluster for MySQL?

Don’t forget to join our upcoming webinar on MariaDB: Top tips to drive your MariaDB Galera Cluster performance with new features.