Security Basics

By default, Percona XtraDB Cluster does not provide any protection for stored data. There are several considerations to take into account for securing Percona XtraDB Cluster:

  • Securing the Network

    Anyone with access to your network can connect to any Percona XtraDB Cluster node, either as a client or as another node joining the cluster. You should consider restricting access using a VPN and filtering traffic on the ports used by Percona XtraDB Cluster.

  • Encrypting PXC Traffic

    Unencrypted traffic can potentially be viewed by anyone monitoring your network. In Percona XtraDB Cluster 8.0, traffic encryption is enabled by default.

  • Data-at-rest encryption

    Percona XtraDB Cluster supports tablespace encryption to provide at-rest encryption for physical tablespace data files.

    For more information, see the following blog post:

Security Modules

Most modern distributions include special security modules that control access to resources for users and applications. By default, these modules will most likely constrain communication between Percona XtraDB Cluster nodes.

The easiest solution is to disable or remove such programs. However, this is not recommended for production environments. You should instead create the necessary security policies for Percona XtraDB Cluster.


SELinux is usually enabled by default in Red Hat Enterprise Linux and derivatives (including CentOS). During installation and configuration, you can set the mode to permissive by running the following command:

setenforce 0


This only changes the mode at runtime. To run SELinux in permissive mode after a reboot, set SELINUX=permissive in the /etc/selinux/config configuration file.

To use SELinux with Percona XtraDB Cluster, you need to create an access policy. For more information, see SELinux and MySQL.


AppArmor is included in Debian and Ubuntu. During installation and configuration, you can disable AppArmor for mysqld:

  1. Create the following symbolic link:

    $ sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/usr.sbin.mysqld

  2. Restart AppArmor:

    $ sudo service apparmor restart


    If your system uses systemd, run the following command instead:

    $ sudo systemctl restart apparmor

To use AppArmor with Percona XtraDB Cluster, you need to create or extend the MySQL profile. For more information, see AppArmor and MySQL.
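
Because disabling these modules is meant only for installation and configuration, the following added example (not part of Percona's documentation) audits a node for the relaxations described above that were never reverted. The function names and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report install-time SELinux/AppArmor relaxations left in place.
# The optional root argument (hypothetical) lets the check run on a copied /etc tree.

# Print the SELINUX= value from <root>/etc/selinux/config, or "absent"/"unset".
selinux_config_mode() {
    cfg="$1/etc/selinux/config"
    [ -r "$cfg" ] || { echo absent; return 0; }
    # Ignores comments and SELINUXTYPE=; if several lines match, the last is used.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-unset}" | tr 'A-Z' 'a-z'
}

# Succeed if the mysqld profile is linked into AppArmor's disable/ directory.
apparmor_mysqld_disabled() {
    f="$1/etc/apparmor.d/disable/usr.sbin.mysqld"
    # -L also catches a dangling symlink, which -e alone would miss.
    [ -e "$f" ] || [ -L "$f" ]
}

# Print one finding per line; the return status is the number of findings.
audit_pxc_node() {
    root="${1:-}"
    findings=0
    mode=$(selinux_config_mode "$root")
    case "$mode" in
        permissive|disabled)
            echo "SELINUX=$mode in /etc/selinux/config: not enforcing after reboot"
            findings=$((findings + 1)) ;;
    esac
    # setenforce 0 is not persistent, so the runtime mode is checked separately
    # (live host only, i.e. when no alternate root is given).
    if [ -z "$root" ] && command -v getenforce >/dev/null 2>&1; then
        if [ "$(getenforce | tr 'A-Z' 'a-z')" = permissive ]; then
            echo "SELinux runtime mode is permissive (setenforce 0 still in effect)"
            findings=$((findings + 1))
        fi
    fi
    if apparmor_mysqld_disabled "$root"; then
        echo "AppArmor profile usr.sbin.mysqld is disabled via /etc/apparmor.d/disable/"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run only when asked: sh audit.sh --run [root]
if [ "${1:-}" = "--run" ]; then audit_pxc_node "${2:-}"; fi
```

A status of 0 means neither module was left relaxed; any other status is the count of findings printed.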
