Custom Query (196 matches)

Results (103 - 105 of 196)

Ticket Resolution Summary Owner Reporter
#149 fixed use GSSAPI for LDAP-to-LDAP auth instead of SSL certs geofft

LDAP replication authenticates over SSL certs. The problem with SSL certs is that they expire (also we have our own one-off CA for signing these certs). It would be great if we could use this nifty Kerberos thing for authenticating our LDAP servers to each other.

Last time we had an outage due to an expired cert, I got really really close to making GSSAPI authentication work, but it turns out that you can't modify an existing LDAPS replication agreement to turn into an LDAP-with-GSSAPI one, so you need to remove the replication agreement and create a new one, and for various complicated reasons I think the only way that we're really comfortable doing them is tearing down _all_ of the replication agreements at once, making GSSAPI work, and re-configuring replication anew with GSSAPI. This is a bit annoying.

We should first test that it will actually work, by setting up LDAP on two or three VMs and trying GSSAPI auth (with, like, ZONE realm principals).

Once we're comfortable with doing so, we should do this at a time (like, oh, early on a Sunday morning) when we can temporarily turn off account registrations and Pony so we don't have to deal with things needing to be replicated while we're breaking and recreating replication.

See the scripts-team thread "Re: failed scripts account setup" and zlogs of -c scripts -i ldap from May 2, 2010 for more background.

#151 fixed look into mixed replication etc. geofft

MySQL supports two major replication formats: statement-based, where the query is logged and replayed, and row-based, where the changed data is logged and replayed. Statement-based is much older and presumed more stable, and the default in 5.x; row-based handles a couple of nondeterministic queries that statement-based replication can't. MySQL 5.1.8 also introduced mixed-format logging, which uses statement-based replication where it can and row-based where necessary. 5.1.12 made mixed replication the default, until it was reverted in 5.1.29 on the grounds that 5.1 should be compatible with 5.0. We should decide on our own whether we want to use mixed replication (I think there's no compelling need to switch to row-based replication for everything). Among other obvious benefits, more reliable replication means that backups are more likely to match what you see on the primary.

Relatedly, MySQL used to permit users to set a session variable, `binlog_format`, to switch logging types for the duration of that session. However, this ability was restricted to users with the SUPER privilege (which has always been required for setting that as a _global_ variable), because someone claimed that DBAs might write code that required row-based replication and didn't want a mere user to be able to switch to statement-based replication and foil the DBA's plans. While I question the validity of such a possibility, we certainly don't have DBAs, so it might be worth locally reverting that patch so that users and applications have the option of switching to row-based replication if they prefer it. This would be especially important if we go through autoinstalled apps to see what, if anything, wouldn't work properly with statement-based replication.

#156 invalid n-f should run our zephyr logger geofft

n-f is our ~stock Fedora machine. While it shouldn't run the scripts config in general, we should know if something funky happens to n-f (not that it's running much of anything, but still), so we should deploy the zephyr logger.

Also, it possibly shouldn't take password logins? There may be some other minimal set of config to take from the scripts web hosts without making it a scripts web host.