Restarting Broken Galera Clueter removes SSH directory

1

Hello,

Everytime I restart broken galera cluster (percona mysql version 8.0.35) node it removes the ssh directory and then I have to reconfigure passwordless ssh between the node and our backup server for remote backups.
Is there any way to avoid cleanup up hidden directories like .ssh while restarting mysql galera.

Can some one please help me here.

2

There should not be a .ssh directory inside your data directory. The data directory should not be the $HOME for your mysql OS account. In fact, you should not be able to SSH to the server as the mysql OS user at all; this is extremely bad practice. You should SSH as a regular user, then have sudo privileges to root to perform any OS-related maintenance tasks, like backups or node initialization.

There is not because this is considered bad practice to store non-database data in the database’s datadir.

3

Hello,
I don’t understand why it is a bad practice.
I agree connecting to root user for maintenance operations seems fine.
But I shouldn’t use mysql account at all, doesn’t seem to be good, it needs to connect for routine database tasks like user management and database creations.
I am thinking to change my data directory to /var/lib/mysql/data or something similar.

4

It’s the same reason for any daemon process. This has been industry bad-practice for decades. Going all the way back to early 2000s, installing a daemon process would create a user specifically for that process and the login shell would be set to /bin/false or /bin/nologin. For example, when you run apache, you don’t SSH to the server as apache user in order to change HTML/JS/images/etc.

Additionally, allowing remote access directly as the user creates a huge attack vector. If a bad actor obtains access to that user, they immediately have full access to all the files on disk. By forcing connections to non-privileged users, you greatly increase security.

No, you should not.

You would create a mysql user account (ie: CREATE USER …) with proper privileges for tasks like user management, database creations, etc. Those do not require and should not require you to SSH to the server as the mysql OS user. You can SSH to the database server as bob and then use mysql -u adminuser to connect to mysql and do the tasks.