MySQL InnoDB Cluster, automatic provisioning, firewall and SELinux


You may have noticed that in many of my demos, I disable firewall and SELinux (I even use --initialize-insecure sometimes 😉 ). This is just to make things easier… But in fact enabling iptables and SELinux are not complicated.


These examples are compatible with Oracle Linux, RedHat and CentOS. If you use another distro, the principle is the same.

For the firewall, we need first to allow incoming traffic to MySQL and MySQL X ports: 3306 and 33060:

# firewall-cmd --zone=public --add-port=3306/tcp --permanent
# firewall-cmd --zone=public --add-port=33060/tcp --permanent

If you don’t plan to restart the firewall, you just need to run the same commands without --permanent to make then immediately active.

Then we need to allow the Group Replication’s communication port. This is usually 33061 but it can be configured in group_replication_local_address:

# firewall-cmd --zone=public --add-port=33061/tcp --permanent

Now that the firewalls rules are setup, we can restart firewalld and check it:

# systemctl restart firewalld.service
# iptables -L -n | grep 'dpt:3306'
 ACCEPT     tcp  --              tcp dpt:3306 ctstate NEW
 ACCEPT     tcp  --              tcp dpt:33060 ctstate NEW
 ACCEPT     tcp  --              tcp dpt:33061 ctstate NEW


When SELinux is enabled, if you don’t allow some ports to be accessed, adding a server to a group will fail.

To see which ports are allowed for mysqld, the following command can be executed:

# semanage port -l | grep -w mysqld_port_t
mysqld_port_t                  tcp      1186, 3306, 63132-63164

With MySQL 8.0.16 and 8.0.17, we need more ports to be accessible. GCS seems to use a port from 30,000 to 50,000:

# semanage port -a -t mysqld_port_t -p tcp 30000-50000

If you have already added the access for MySQL X (33060), XCOM (33061), and admin port (33062), you have to remove them before adding the required range:

# semanage port -d -t mysqld_port_t -p tcp 33060
# semanage port -d -t mysqld_port_t -p tcp 33061
# semanage port -d -t mysqld_port_t -p tcp 33062

If you prefer, you can instead use the following rule:

setsebool -P mysql_connect_any 1

This problem is fixed in our next release.


Using firewall and SELinux is really not complicated even with MySQL InnoDB Cluster.

If you want to setup the MySQL Router on system with iptables and SELinux, you will have to do the same for the ports you will use. The defaults ones are 6446, 6447, 64460 and 64470.

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

2 thoughts on “MySQL InnoDB Cluster, automatic provisioning, firewall and SELinux

  1. Hi there,
    I have an issue with adding instance to already created cluster. Cluster consists of only one instance for now. I’m using mysql shell to manage instances.

    When I try to add new instance to cluster, I get an error. In logs I can see the following:
    [Repl] Plugin group_replication reported: ‘[GCS] Error connecting to all peers. Member join failed. Local port: 33061’ 2020-12-26T14:40:29.234106Z 0 [ERROR] [MY-011735] [Repl] Plugin group_replication reported: ‘[GCS] The member was unable to join the group. Local port: 33061’

    Do you have an idea?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.