You may have noticed that in many of my demos, I disable the firewall and SELinux (I even use --initialize-insecure sometimes 😉). This is just to make things easier… But in fact, enabling iptables and SELinux is not complicated.
These examples are compatible with Oracle Linux, RedHat and CentOS. If you use another distro, the principle is the same.
For the firewall, we first need to allow incoming traffic to the MySQL and MySQL X ports, 3306 and 33060:
# firewall-cmd --zone=public --add-port=3306/tcp --permanent
# firewall-cmd --zone=public --add-port=33060/tcp --permanent
If you don’t plan to restart the firewall, you just need to run the same commands without --permanent to make them immediately active.
Then we need to allow the Group Replication’s communication port. This is usually 33061 but it can be configured in
# firewall-cmd --zone=public --add-port=33061/tcp --permanent
Now that the firewall rules are set up, we can restart firewalld and check them:
# systemctl restart firewalld.service
# iptables -L -n | grep 'dpt:3306'
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:33060 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:33061 ctstate NEW
When SELinux is enabled, if you don’t allow some ports to be accessed, adding a server to a group will fail.
To see which ports are allowed for mysqld, the following command can be executed:
# semanage port -l | grep -w mysqld_port_t
mysqld_port_t                  tcp      1186, 3306, 63132-63164
With MySQL 8.0.16 and 8.0.17, we need more ports to be accessible. GCS seems to use a port from
# semanage port -a -t mysqld_port_t -p tcp 30000-50000
If you have already added the access for MySQL X (33060), XCOM (33061), and the admin port (33062), you have to remove them before adding the required range:
# semanage port -d -t mysqld_port_t -p tcp 33060
# semanage port -d -t mysqld_port_t -p tcp 33061
# semanage port -d -t mysqld_port_t -p tcp 33062
If you prefer, you can instead use the following rule:
setsebool -P mysql_connect_any 1
This problem is fixed in our next release.
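To make the SELinux step above less error-prone, here is an added example (not code from the original post) that reads the `semanage port -l` output format shown earlier and works out which existing mysqld_port_t entries collide with the 30000-50000 range, which is exactly why the individually added ports have to be removed first. The sample semanage output is constructed; the functions only print the commands to run, they do not execute semanage.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. From the "semanage port -l"
# output format shown above it decides whether a port is already labelled
# mysqld_port_t and which existing labels collide with the 30000-50000 range
# (the reason the post removes 33060/33061/33062 before adding the range).

# Constructed sample of: semanage port -l | grep -w mysqld_port_t
# (state after 33060, 33061 and 33062 were added one by one)
SAMPLE_SEMANAGE='mysqld_port_t                  tcp      33062, 33061, 33060, 1186, 3306, 63132-63164'

# Print the comma-separated tcp port list of mysqld_port_t found in $1.
mysqld_tcp_ports() {
    printf '%s\n' "$1" | awk '$1 == "mysqld_port_t" && $2 == "tcp" {
        $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# Return 0 if entry $1 ("3306" or "63132-63164") overlaps the range $2-$3.
entry_overlaps() {
    case $1 in
        *-*) lo=${1%-*}; hi=${1#*-} ;;
        *)   lo=$1;      hi=$1 ;;
    esac
    [ "$lo" -le "$3" ] && [ "$hi" -ge "$2" ]
}

# Return 0 if port $1 is already allowed for mysqld according to output $2.
port_covered() {
    for entry in $(mysqld_tcp_ports "$2" | tr ',' ' '); do
        if entry_overlaps "$entry" "$1" "$1"; then return 0; fi
    done
    return 1
}

# Print, sorted and one per line, every existing mysqld_port_t entry that
# overlaps $1-$2 and must be removed (semanage port -d) before adding it.
conflicting_entries() {
    for entry in $(mysqld_tcp_ports "$3" | tr ',' ' '); do
        if entry_overlaps "$entry" "$1" "$2"; then printf '%s\n' "$entry"; fi
    done | sort -n
}

# Print the semanage commands in the order the post describes. Nothing is
# executed, so the list can be reviewed before being run as root.
selinux_fix_commands() {
    for e in $(conflicting_entries 30000 50000 "$SAMPLE_SEMANAGE"); do
        printf 'semanage port -d -t mysqld_port_t -p tcp %s\n' "$e"
    done
    printf 'semanage port -a -t mysqld_port_t -p tcp 30000-50000\n'
}
```

On a real host, replace the constructed sample with `"$(semanage port -l | grep -w mysqld_port_t)"` and review the printed commands before running them.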
Using a firewall and SELinux is really not complicated, even with MySQL InnoDB Cluster.
If you want to set up MySQL Router on a system with iptables and SELinux, you will have to do the same for the ports you will use. The default ones are
Useful links to bookmark 🙂
MySQL Port Reference Tables
MySQL Port Diagram
I have an issue with adding an instance to an already created cluster. The cluster consists of only one instance for now. I’m using MySQL Shell to manage instances.
When I try to add a new instance to the cluster, I get an error. In the logs I can see the following:
[Repl] Plugin group_replication reported: '[GCS] Error connecting to all peers. Member join failed. Local port: 33061'
2020-12-26T14:40:29.234106Z 0 [ERROR] [MY-011735] [Repl] Plugin group_replication reported: '[GCS] The member was unable to join the group. Local port: 33061'
Do you have an idea?