5 files changed, 57 insertions, 50 deletions

diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index 2ada9b113b6..256797dc9d0 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -143,33 +143,32 @@ ENDIF(UNIX)
 
 IF(INSTALL_LAYOUT MATCHES "STANDALONE")
   SET(prefix ".")
-ELSE()
-  SET(prefix "${CMAKE_INSTALL_PREFIX}")
-ENDIF()
-
-SET(bindir ${prefix}/${INSTALL_BINDIR})
-SET(sbindir ${prefix}/${INSTALL_SBINDIR})
-SET(scriptdir ${prefix}/${INSTALL_BINDIR})
-SET(libexecdir ${prefix}/${INSTALL_SBINDIR})
-SET(pkgdatadir ${prefix}/${INSTALL_MYSQLSHAREDIR})
-IF(INSTALL_LAYOUT MATCHES "STANDALONE")
+  SET(bindir ${prefix}/${INSTALL_BINDIR})
+  SET(sbindir ${prefix}/${INSTALL_SBINDIR})
+  SET(scriptdir ${prefix}/${INSTALL_BINDIR})
+  SET(libexecdir ${prefix}/${INSTALL_SBINDIR})
+  SET(pkgdatadir ${prefix}/${INSTALL_MYSQLSHAREDIR})
   SET(localstatedir ${prefix}/data)
 ELSE()
+  SET(prefix "${CMAKE_INSTALL_PREFIX}")
+  SET(bindir ${INSTALL_BINDIRABS})
+  SET(sbindir ${INSTALL_SBINDIRABS})
+  SET(scriptdir ${INSTALL_BINDIRABS})
+  SET(libexecdir ${INSTALL_SBINDIRABS})
+  SET(pkgdatadir ${INSTALL_MYSQLSHAREDIRABS})
   SET(localstatedir ${MYSQL_DATADIR})
 ENDIF()
 
 IF(UNIX)
 CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/mysql_install_db.sh
   ${CMAKE_CURRENT_BINARY_DIR}/mysql_install_db ESCAPE_QUOTES @ONLY)
-  SET(DEST ${INSTALL_SCRIPTDIR})
-  SET(EXT)
   EXECUTE_PROCESS(
   COMMAND chmod +x ${CMAKE_CURRENT_BINARY_DIR}/mysql_install_db
   )
 
 INSTALL_SCRIPT(
  "${CMAKE_CURRENT_BINARY_DIR}/mysql_install_db"
-  DESTINATION ${DEST}
+  DESTINATION ${INSTALL_SCRIPTDIR}
   COMPONENT Server
   )
 ENDIF()
@@ -180,15 +179,15 @@ IF(INSTALL_SYSCONFDIR)
 ELSE()
   SET(sysconfdir "/etc")
 ENDIF()
-SET(bindir ${prefix}/${INSTALL_BINDIR})
-SET(libexecdir ${prefix}/${INSTALL_SBINDIR})
-SET(scriptdir ${prefix}/${INSTALL_BINDIR})
-SET(datadir ${prefix}/${INSTALL_MYSQLSHAREDIR})
-SET(pkgdatadir ${prefix}/${INSTALL_MYSQLSHAREDIR})
+SET(bindir ${INSTALL_BINDIRABS})
+SET(libexecdir ${INSTALL_SBINDIRABS})
+SET(scriptdir ${INSTALL_BINDIRABS})
+SET(datadir ${INSTALL_MYSQLSHAREDIRABS})
+SET(pkgdatadir ${INSTALL_MYSQLSHAREDIRABS})
 SET(libsubdir  ${INSTALL_LIBDIR})
-SET(pkgincludedir ${prefix}/${INSTALL_INCLUDEDIR})
-SET(pkglibdir ${prefix}/${INSTALL_LIBDIR})
-SET(pkgplugindir ${prefix}/${INSTALL_PLUGINDIR})
+SET(pkgincludedir ${INSTALL_INCLUDEDIRABS})
+SET(pkglibdir ${INSTALL_LIBDIRABS})
+SET(pkgplugindir ${INSTALL_PLUGINDIRABS})
 SET(localstatedir ${MYSQL_DATADIR})
 
 SET(RPATH_OPTION "")
diff --git a/scripts/mysqld_multi.sh b/scripts/mysqld_multi.sh
index e3f8e50122c..ca259e5396d 100644
--- a/scripts/mysqld_multi.sh
+++ b/scripts/mysqld_multi.sh
@@ -490,6 +490,7 @@ sub get_mysqladmin_options
 
 # Return a list of option files which can be opened.  Similar, but not
 # identical, to behavior of my_search_option_files()
+# TODO implement and use my_print_defaults --list-groups instead
 sub list_defaults_files
 {
   my %opt;
@@ -501,9 +502,7 @@ sub list_defaults_files
 
   return ($opt{file}) if exists $opt{file};
 
-  my %seen;  # Don't list the same file more than once
-  return grep { defined $_ and not $seen{$_}++ and -f $_ and -r $_ }
-              ('@sysconfdir@/my.cnf',
+  return      ('@sysconfdir@/my.cnf',
                '@sysconfdir@/mysql/my.cnf',
                '@prefix@/my.cnf',
                ($ENV{MYSQL_HOME} ? "$ENV{MYSQL_HOME}/my.cnf" : undef),
@@ -543,11 +542,12 @@ sub find_groups
     }
   }
 
+  my %seen;
   my @defaults_files = list_defaults_files();
-  #warn "@{[sort keys %gids]} -> @defaults_files\n";
-  foreach my $file (@defaults_files)
+  while (@defaults_files)
   {
-    next unless open CONF, "< $file";
+    my $file = shift @defaults_files;
+    next unless defined $file and not $seen{$file}++ and open CONF, '<', $file;
 
     while (<CONF>)
     {
@@ -560,6 +560,14 @@ sub find_groups
           push @groups, "$1$2";
         }
       }
+      elsif (/^\s*!include\s+(\S.*?)\s*$/)
+      {
+        push @defaults_files, $1;
+      }
+      elsif (/^\s*!includedir\s+(\S.*?)\s*$/)
+      {
+        push @defaults_files, <$1/*.cnf>;
+      }
     }
 
     close CONF;
diff --git a/scripts/wsrep_sst_common.sh b/scripts/wsrep_sst_common.sh
index fb8289d06df..5f67507b577 100644
--- a/scripts/wsrep_sst_common.sh
+++ b/scripts/wsrep_sst_common.sh
@@ -48,6 +48,7 @@ case "$1" in
     '--defaults-extra-file')
         readonly WSREP_SST_OPT_EXTRA_DEFAULT="$1=$2"
         shift
+        ;;
     '--defaults-group-suffix')
         WSREP_SST_OPT_CONF_SUFFIX="$2"
         shift
diff --git a/scripts/wsrep_sst_mysqldump.sh b/scripts/wsrep_sst_mysqldump.sh
index 21c4bf62130..5f25c2c9d13 100644
--- a/scripts/wsrep_sst_mysqldump.sh
+++ b/scripts/wsrep_sst_mysqldump.sh
@@ -76,17 +76,6 @@ fi
 # word, it is arguably more secure than passing password on the command line.
 [ -n "$WSREP_SST_OPT_PSWD" ] && export MYSQL_PWD="$WSREP_SST_OPT_PSWD"
 
-# Refs https://github.com/codership/mysql-wsrep/issues/141
-# Passing password in MYSQL_PWD environment variable is considered
-# "extremely insecure" by MySQL Guidelines for Password Security
-# (https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html)
-# that is even less secure than passing it on a command line! It is doubtful:
-# the whole command line is easily observable by any unprivileged user via ps,
-# whereas (at least on Linux) unprivileged user can't see process environment
-# that he does not own. So while it may be not secure in the NSA sense of the
-# word, it is arguably more secure than passing password on the command line.
-[ -n "$WSREP_SST_OPT_PSWD" ] && export MYSQL_PWD="$WSREP_SST_OPT_PSWD"
-
 STOP_WSREP="SET wsrep_on=OFF;"
 
 # mysqldump cannot restore CSV tables, fix this issue
diff --git a/scripts/wsrep_sst_xtrabackup-v2.sh b/scripts/wsrep_sst_xtrabackup-v2.sh
index 68e250d2157..2b432cb1089 100644
--- a/scripts/wsrep_sst_xtrabackup-v2.sh
+++ b/scripts/wsrep_sst_xtrabackup-v2.sh
@@ -191,9 +191,9 @@ get_transfer()
             exit 2
         fi
 
-        if [[ $encrypt -eq 2 || $encrypt -eq 3 ]] && ! socat -V | grep -q WITH_OPENSSL;then 
-            wsrep_log_info "NOTE: socat is not openssl enabled, falling back to plain transfer"
-            encrypt=-1
+        if [[ $encrypt -eq 2 || $encrypt -eq 3 ]] && ! socat -V | grep -q "WITH_OPENSSL 1";then
+            wsrep_log_error "Encryption requested, but socat is not OpenSSL enabled (encrypt=$encrypt)"
+            exit 2
         fi
 
         if [[ $encrypt -eq 2 ]];then 
@@ -204,25 +204,35 @@ get_transfer()
             fi
             stagemsg+="-OpenSSL-Encrypted-2"
             if [[ "$WSREP_SST_OPT_ROLE"  == "joiner" ]];then
-                wsrep_log_info "Decrypting with PEM $tpem, CA: $tcert"
-                tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=$tpem,cafile=${tcert}${sockopt} stdio"
+                wsrep_log_info "Decrypting with cert=${tpem}, cafile=${tcert}"
+                tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=${tpem},cafile=${tcert}${sockopt} stdio"
             else
-                wsrep_log_info "Encrypting with PEM $tpem, CA: $tcert"
-                tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=$tpem,cafile=${tcert}${sockopt}"
+                wsrep_log_info "Encrypting with cert=${tpem}, cafile=${tcert}"
+                tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},cafile=${tcert}${sockopt}"
             fi
         elif [[ $encrypt -eq 3 ]];then
             wsrep_log_info "Using openssl based encryption with socat: with key and crt"
-            if [[ -z $tpem || -z $tkey ]];then 
+            if [[ -z $tpem || -z $tkey ]];then
                 wsrep_log_error "Both certificate and key files required"
                 exit 22
             fi
             stagemsg+="-OpenSSL-Encrypted-3"
             if [[ "$WSREP_SST_OPT_ROLE"  == "joiner" ]];then
-                wsrep_log_info "Decrypting with certificate $tpem, key $tkey"
-                tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=$tpem,key=${tkey},verify=0${sockopt} stdio"
+                if [[ -z $tcert ]];then
+                    wsrep_log_info "Decrypting with cert=${tpem}, key=${tkey}, verify=0"
+                    tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=${tpem},key=${tkey},verify=0${sockopt} stdio"
+                else
+                    wsrep_log_info "Decrypting with cert=${tpem}, key=${tkey}, cafile=${tcert}"
+                    tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=${tpem},key=${tkey},cafile=${tcert}${sockopt} stdio"
+                fi
             else
-                wsrep_log_info "Encrypting with certificate $tpem, key $tkey"
-                tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=$tpem,key=${tkey},verify=0${sockopt}"
+                if [[ -z $tcert ]];then
+                    wsrep_log_info "Encrypting with cert=${tpem}, key=${tkey}, verify=0"
+                    tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},key=${tkey},verify=0${sockopt}"
+                else
+                    wsrep_log_info "Encrypting with cert=${tpem}, key=${tkey}, cafile=${tcert}"
+                    tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},key=${tkey},cafile=${tcert}${sockopt}"
+                fi
             fi
 
         else