authorJulius Goryavsky <julius.goryavsky@mariadb.com>2022-06-21 13:29:45 +0200
committerJulius Goryavsky <julius.goryavsky@mariadb.com>2022-06-21 13:45:20 +0200
commit3e09c6199dc4c74ee628cf01486927e4d3261887 (patch)
treebec9692e99af9de43d04438badfb95ab8512e531
parentd4539426bc23628efc69819130e4cb4a88d124ad (diff)
MDEV-26562: galera-sst-mariabackup is failing due to missing xtrabackup_checkpoints
This commit contains a workaround for a bug known as 'Red Hat issue 1870279' (connection reset by peer issue in socat versions 1.7.3.3 to 1.7.4.0), which in turn causes crashes during SST using mariabackup (when openssl is used). It also fixes the broken logic for automatic generation of the Diffie-Hellman parameters for socat versions older than 1.7.3 (which default to 512-bit values instead of 2048-bit ones).
-rw-r--r--scripts/wsrep_sst_common.sh61
-rw-r--r--scripts/wsrep_sst_mariabackup.sh48
2 files changed, 70 insertions, 39 deletions
diff --git a/scripts/wsrep_sst_common.sh b/scripts/wsrep_sst_common.sh
index 35021ace8b6..44c6a7b4476 100644
--- a/scripts/wsrep_sst_common.sh
+++ b/scripts/wsrep_sst_common.sh
@@ -1187,28 +1187,27 @@ check_port()
check_for_dhparams()
{
ssl_dhparams="$DATA/dhparams.pem"
- if [ ! -r "$ssl_dhparams" ]; then
- get_openssl
- if [ -n "$OPENSSL_BINARY" ]; then
- wsrep_log_info \
- "Could not find dhparams file, creating $ssl_dhparams"
- local bug=0
- local errmsg
- errmsg=$("$OPENSSL_BINARY" \
- dhparam -out "$ssl_dhparams" 2048 2>&1) || bug=1
- if [ $bug -ne 0 ]; then
- wsrep_log_info "run: \"$OPENSSL_BINARY\" dhparam -out \"$ssl_dhparams\" 2048"
- wsrep_log_info "output: $errmsg"
- wsrep_log_error "******** ERROR *****************************************"
- wsrep_log_error "* Could not create the dhparams.pem file with OpenSSL. *"
- wsrep_log_error "********************************************************"
- ssl_dhparams=""
- fi
- else
- # Rollback: if openssl is not installed, then use
- # the default parameters:
+ get_openssl
+ if [ -n "$OPENSSL_BINARY" ]; then
+ wsrep_log_info \
+ "Could not find dhparams file, creating $ssl_dhparams"
+ local bug=0
+ local errmsg
+ errmsg=$("$OPENSSL_BINARY" \
+ dhparam -out "$ssl_dhparams" -dsaparam 2048 2>&1) || bug=1
+ if [ $bug -ne 0 ]; then
+ wsrep_log_info "run: \"$OPENSSL_BINARY\" dhparam"\
+ "-out \"$ssl_dhparams\" -dsaparam 2048"
+ wsrep_log_info "output: $errmsg"
+ wsrep_log_error "******** ERROR *****************************************"
+ wsrep_log_error "* Could not create the dhparams.pem file with OpenSSL. *"
+ wsrep_log_error "********************************************************"
ssl_dhparams=""
fi
+ else
+ # Rollback: if openssl is not installed, then use
+ # the default parameters:
+ ssl_dhparams=""
fi
}
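Review bot: With the `[ ! -r "$ssl_dhparams" ]` guard gone, check_for_dhparams regenerates and overwrites `$DATA/dhparams.pem` on every call, yet the log line still says "Could not find dhparams file", which is misleading when the file already exists. The added `-dsaparam` also deserves a comment: it makes generation much faster but produces DSA-style parameters rather than a safe prime, and OpenSSL's documentation advises a fresh DH key per exchange with such parameters to avoid small-subgroup attacks. I would add `# -dsaparam: fast generation, not a safe prime; relies on a fresh DH key per handshake` above the openssl call and reword the message to `"Creating dhparams file $ssl_dhparams"`.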
@@ -1310,29 +1309,39 @@ verify_cert_matches_key()
#
check_for_version()
{
- y1="${1#*.}"
+ local y1="${1#*.}"
[ "$y1" = "$1" ] && y1=""
- z1=${y1#*.}
+ local z1="${y1#*.}"
[ "$z1" = "$y1" ] && z1=""
- x1="${1%%.*}"
+ local w1="${z1#*.}"
+ [ "$w1" = "$z1" ] && w1=""
+ local x1="${1%%.*}"
y1="${y1%%.*}"
z1="${z1%%.*}"
+ w1="${w1%%.*}"
[ -z "$y1" ] && y1=0
[ -z "$z1" ] && z1=0
- y2="${2#*.}"
+ [ -z "$w1" ] && w1=0
+ local y2="${2#*.}"
[ "$y2" = "$2" ] && y2=""
- z2="${y2#*.}"
+ local z2="${y2#*.}"
[ "$z2" = "$y2" ] && z2=""
- x2="${2%%.*}"
+ local w2="${z2#*.}"
+ [ "$w2" = "$z2" ] && w2=""
+ local x2="${2%%.*}"
y2="${y2%%.*}"
z2="${z2%%.*}"
+ w2="${w2%%.*}"
[ -z "$y2" ] && y2=0
[ -z "$z2" ] && z2=0
+ [ -z "$w2" ] && w2=0
[ $x1 -lt $x2 ] && return 1
[ $x1 -gt $x2 ] && return 0
[ $y1 -lt $y2 ] && return 1
[ $y1 -gt $y2 ] && return 0
[ $z1 -lt $z2 ] && return 1
+ [ $z1 -gt $z2 ] && return 0
+ [ $w1 -lt $w2 ] && return 1
return 0
}
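Review bot: The major components `x1`/`x2` are the only ones that get no empty-default, and every numeric test at the end is unquoted, so an empty or non-numeric argument makes `[` fail with an error instead of comparing, and the function can fall through to `return 0`. The callers visible in this commit pass a value that get_socat_ver normally validates, so this is hardening rather than a demonstrated bug. I would add `[ -z "$x1" ] && x1=0` (same for `x2`) and quote the operands, e.g. `[ "$x1" -lt "$x2" ] && return 1`; the same unquoted form appears in `[ $encrypt -ge 2 ]` in the read_cnf hunk of wsrep_sst_mariabackup.sh. The comment block above the function starts outside the hunk and may need to mention the new fourth version component.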
diff --git a/scripts/wsrep_sst_mariabackup.sh b/scripts/wsrep_sst_mariabackup.sh
index 8e025f94a3e..5521dd51098 100644
--- a/scripts/wsrep_sst_mariabackup.sh
+++ b/scripts/wsrep_sst_mariabackup.sh
@@ -218,6 +218,21 @@ get_keys()
stagemsg="$stagemsg-XB-Encrypted"
}
+get_socat_ver()
+{
+ [ -n "${SOCAT_VERSION+x}" ] && return
+ # Determine the socat version
+ SOCAT_VERSION=$(socat -V 2>&1 | \
+ grep -m1 -owE '[0-9]+(\.[0-9]+)+' | \
+ head -n1 || :)
+ if [ -z "$SOCAT_VERSION" ]; then
+ wsrep_log_error "******** FATAL ERROR ******************"
+ wsrep_log_error "* Cannot determine the socat version. *"
+ wsrep_log_error "***************************************"
+ exit 2
+ fi
+}
+
get_transfer()
{
if [ "$tfmt" = 'nc' ]; then
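Review bot: The cache test `[ -n "${SOCAT_VERSION+x}" ] && return` is true whenever the variable is set, including set-but-empty or inherited from the environment, and in that case the function returns without reaching the empty-version check below it. Whether the script initialises or unsets SOCAT_VERSION elsewhere is not visible here. Testing for a non-empty value, `[ -n "${SOCAT_VERSION:-}" ] && return`, keeps the caching and lets an empty value fall through to detection. A one-line header comment stating that the function sets the global SOCAT_VERSION and exits with status 2 on failure would also help.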
@@ -283,7 +298,7 @@ get_transfer()
# If sockopt contains 'pf=ip6' somewhere in the middle,
# this will not interfere with socat, but exclude the trivial
# cases when sockopt contains 'pf=ip6' as prefix or suffix:
- if [ "$sockopt" = "${sockopt#,pf=ip6}" -a \
+ if [ "$sockopt" = "${sockopt#,pf=ip6,}" -a \
"$sockopt" = "${sockopt%,pf=ip6}" ]
then
sockopt=",pf=ip6$sockopt"
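Review bot: The changed test still joins its two comparisons with `-a`, which POSIX marks obsolescent because the parse becomes ambiguous when an operand looks like an operator. Since `$sockopt` comes from the configuration file (read_cnf reads it with `parse_cnf sst sockopt`), writing the condition as `[ "$sockopt" = "${sockopt#,pf=ip6,}" ] && [ "$sockopt" = "${sockopt%,pf=ip6}" ]` is the safer form. get_transfer starts and ends outside this hunk.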
@@ -310,22 +325,25 @@ get_transfer()
if [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]; then
tcmd="socat -u openssl-listen:$SST_PORT,reuseaddr"
else
- tcmd="socat -u stdio openssl-connect:$REMOTEIP:$SST_PORT"
+ local addr="$REMOTEIP:$SST_PORT"
+ tcmd="socat -u stdio openssl-connect:$addr"
action='Encrypting'
+ get_socat_ver
+ if ! check_for_version "$SOCAT_VERSION" '1.7.4.1'; then
+ if check_for_version "$SOCAT_VERSION" '1.7.3.3'; then
+ # Workaround for a bug known as 'Red Hat issue 1870279'
+ # (connection reset by peer) in socat versions 1.7.3.3
+ # to 1.7.4.0:
+ tcmd="socat stdio openssl-connect:$addr,linger=10"
+ wsrep_log_info \
+ "Use workaround for socat $SOCAT_VERSION bug"
+ fi
+ fi
fi
- if [ "${sockopt#*,dhparam=}" != "$sockopt" ]; then
+ if [ "${sockopt#*,dhparam=}" = "$sockopt" ]; then
if [ -z "$ssl_dhparams" ]; then
- # Determine the socat version
- SOCAT_VERSION=$(socat -V 2>&1 | \
- grep -m1 -owE '[0-9]+(\.[0-9]+)+' | \
- head -n1 || :)
- if [ -z "$SOCAT_VERSION" ]; then
- wsrep_log_error "******** FATAL ERROR ******************"
- wsrep_log_error "* Cannot determine the socat version. *"
- wsrep_log_error "***************************************"
- exit 2
- fi
+ get_socat_ver
if ! check_for_version "$SOCAT_VERSION" '1.7.3'; then
# socat versions < 1.7.3 will have 512-bit dhparams (too small)
# so create 2048-bit dhparams and send that as a parameter:
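Review bot: The workaround command `socat stdio openssl-connect:$addr,linger=10` drops the `-u` flag that the regular donor command just above it carries, and the comment does not say whether switching to bidirectional mode is part of the workaround or an oversight. If it is deliberate, extending the comment with a line such as `# '-u' is omitted on purpose for this workaround` would keep a later cleanup from re-adding it. The two nested `if` statements could also be one condition, `if ! check_for_version "$SOCAT_VERSION" '1.7.4.1' && check_for_version "$SOCAT_VERSION" '1.7.3.3'; then`. get_transfer starts before this hunk and the dhparams branch continues past its last line.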
@@ -556,6 +574,10 @@ read_cnf()
"CERT='$tpem', KEY='$tkey', MODE='$tmode'," \
"encrypt='$encrypt'"
+ if [ $encrypt -ge 2 ]; then
+ ssl_dhparams=$(parse_cnf "$encgroups" 'ssl-dhparams')
+ fi
+
sockopt=$(parse_cnf sst sockopt "")
progress=$(parse_cnf sst progress "")
ttime=$(parse_cnf sst time 0)
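Review bot: The `ssl-dhparams` value is taken from the configuration as-is, and nothing in this hunk checks that the file is readable or that its parameters are at least 2048 bits, which is the size the commit message sets out to guarantee. Presumably the path is later handed to socat as a `dhparam=` option, so an unreadable or undersized file would only show up as a failed or weakened handshake during SST; that use is outside the visible lines. A guard such as `[ -n "$ssl_dhparams" ] && [ ! -r "$ssl_dhparams" ] && wsrep_log_error "ssl-dhparams file '$ssl_dhparams' is not readable"` right after the assignment would surface the problem early. read_cnf starts and ends outside this hunk.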