I am using OpenShift router, by default the router is based on haproxy. When I create a domain such as aa.bb.cc, then I can access my service via this route.
I saw router (haproxy) pods are running my cluster, my question is, when I curl http://aa.bb.cc, how does domain aa.bb.cc reach to haproxy pods? What component is resolving domain aa.bb.cc?
That would be the DNS Server containing the wildcard domain. The flow us typically the following:
*.apps.example.com
+
+-----------------+ |
| DNS Server | |
+-----+-----------+ | OpenShift Cluster
^ | |
| | |
| | LB IP |
| | |
| v |
+-+----+--+ +--------------+ | +---------------+ +----------+
| | | | | | | | |
| Clients +------> Loadbalancer +-----> HAProxy +--------------->+ App Pods |
| | | | | | | | |
+---------+ +--------------+ | +---------------+ +----------+
|
+
Your client will use its regular DNS server to resolve the application domain. Typically, there is a wildcard DNS entry for all application Routes running on an OpenShift cluster (for example *.apps.example.com). So when your client requests myapp.apps.example.com, the IP of the Loadbalancer for the OpenShift cluster is returned.
The Loadbalancer in turn knows about all the Nodes where an OpenShift Router is running. So the Loadbalancer will forward the request to any of these Nodes.
As you noted, the OpenShift Router running HAProxy is then looking at the HTTP Host Header or the SNI extension for TLS connections to check where the connection needs to be forwarded to.
The HAProxy has a dynamic configuration that is derived from the Routes / Services in the cluster and then forwards your request to your Application Pods.
Related
My application that is running on a client uses a MySQL database running on a server. So multiple clients are connected to the same server. That works well when the server is online. But now I would like to enhance my application to be able to run in an offline mode.
+--------------+
| |
+-----------+ SERVER +----------+
| | | |
| +-------+------+ |
| | |
+------+-------+ +-------+------+ +-------+------+
| | | | | |
| Client 1 | | Client 2 | | Client X |
| | | | | |
+--------------+ +--------------+ +--------------+
Now comes the problem: what happens when the client is offline? I need a copy of my MySQL database on each client too. By default the application interacts with the MySQL on the server. If this server is not accessible (for what reason ever: server is offline or client has no internet connection) it should use the MySQL running on the client. If the client/server connection is available again the databases need to be synched automatically.
My question is now: how to achieve this? First of all I checked the MySQL-replication, but in my scenario I have multiple "masters" and an unknown number of clients. So I afraid that replication is not my solution. Is it possible to solve my problem with MaxScale? I never worked with that so I really appreciate any help.
USE mysql;
DROP PROCEDURE IF EXISTS ShowUsers;
DELIMITER $
CREATE PROCEDURE `ShowUsers`(IN KnownUsers varchar(500), IN KnownHosts varchar(500))
BEGIN
SELECT
user,host
FROM
user
WHERE
NOT FIND_IN_SET(host, KnownHosts)
AND
NOT FIND_IN_SET(user, KnownUsers)
ORDER BY user, host ASC;
END $
DELIMITER ;
Example complete data to work with:
+-------------+-------------+
| user | host |
+-------------+-------------+
| knownuser1 | 192.168.1.5 |
| knownuser2 | 192.168.1.5 |
| unknownuser | 192.168.1.5 | # I want this result to show
| someuser1 | 192.168.1.6 |
| someuser2 | 192.168.1.6 |
| someuser3 | 192.168.1.6 |
| root | localhost |
+-------------+-------------+
I have marked the result I would want to show from running the procedure, basically the two IN parameters are known users, and known hosts those that should be have a user record on this database.
Calling the function like this
# users and hostnames(ips) to match for exclusion from results.
SET #Usernames = 'knownuser1,knownuser2';
SET #Hostnames = '192.168.1.5';
CALL ShowUsers(#Usernames, #Hostnames);
Expected Result:
+-------------+-------------+
| user | host |
+-------------+-------------+
| unknownuser | 192.168.1.5 | # I want this result to show
| someuser1 | 192.168.1.6 |
| someuser2 | 192.168.1.6 |
| someuser3 | 192.168.1.6 |
| root | localhost |
+-------------+-------------+
Actual Result:
+-------------+-------------+
| user | host |
+-------------+-------------+
| someuser1 | 192.168.1.6 |
| someuser2 | 192.168.1.6 |
| someuser3 | 192.168.1.6 |
| root | localhost |
+-------------+-------------+
Explanation (off this topic but I think I should clarify) The reason I want this procedure to work, I have a master server with multiple remote slaves, the slaves need to have access to the masters database which means they also have to have "root" access, they can create/reconfigure their own access credentials. The problem with this is if one of those servers were ever compromised it would leave open the chance to have a new user added with credentials to basically all of the database. Wide open and free to take.
I could lock the slaves out after initial configuration and manually open up the door, run an update and then lock it again which would be pretty laborious for the application and make the application virtually useless.
The idea I'm going with right now is to run this procedure via cron run script and check for unknown users/hosts and lock that slave server out of the database until I accept or reject the user from the main application.
The condition in the WHERE clause is:
NOT FIND_IN_SET(host, KnownHosts) AND NOT FIND_IN_SET(user, KnownUsers)
which is equivalent to:
NOT (FIND_IN_SET(host, KnownHosts) OR FIND_IN_SET(user, KnownUsers))
which means that you want to exclude the rows for which:
host is included in KnownHosts or user is included in KnownUsers.
So for your sample data, the row:
unknownuser | 192.168.1.5
will not be returned, because host = '192.168.1.5' and it is included in KnownHosts (= '192.168.1.5').
Maybe change the logical operator to OR, if this is the logic that you want to apply:
NOT FIND_IN_SET(host, KnownHosts) OR NOT FIND_IN_SET(user, KnownUsers)
When I run the command show processlist; I get details of the connections made to the server. Here are the connection details of my MySQL server,
mysql> show processlist;
+------+-----------------+----------------------+-------------+---------+----------+------------------------+------------------+
| Id | User | Host | db | Command | Time | State | Info |
+------+-----------------+----------------------+-------------+---------+----------+------------------------+------------------+
| 1 | event_scheduler | localhost | NULL | Daemon | 13200075 | Waiting on empty queue | NULL |
| 4212 | root | localhost | NULL | Query | 0 | init | show processlist |
| 4214 | root | xxx.xx.xxx.xxx:50197 | testmysqldb | Sleep | 1 | | NULL |
| 4215 | root | xxx.xx.xxx.xxx:50198 | testmysqldb | Sleep | 3 | | NULL |
+------+-----------------+----------------------+-------------+---------+----------+------------------------+------------------+
What does the "number" after the term hostname and a colon (:) mean? It generally appears when a remote connection is made, on Linux and appears even for local connection on Windows.
Thanks in Advance!!
It's the client's port number used for the connection.
"xxx.xx.xxx.xxx:50197" means that there's an open connection from IP address "xxx.xx.xxx.xxx" and port 50197, towards your MySQL server (probably on port 3306.)
This is the client's TCP Port.
You connect to the server for example on default port 3306 but the client uses a different port on its side of the connection. This port is listed there.
It's client port number i.e. a connection gets open between two processes (on the same host or physically apart) using sockets - Socket is host_ip:port_num
So when we connect to a mysql (on same machine - localhost or remote server) a connection is opened i.e.
client_ip:xxxxx --> mysql_ip:3306 (3306 is default for Mysql, can use other port as well)
Example:
xxx.xx.xxx.xxx:50197
We send query and receive response from the mysql (mysql_ip:3306) at client_ip:50197
Was recently managing my MySQL (5.5.41) on Linux machine and decided to remove/merge MySQL initially created root users.
Quoting MySQL 5.5 documentation (also nice article here)
On Unix, each root account permits connections from the local host. Connections can be made by specifying the host name localhost, the IP address 127.0.0.1, the IPv6 address ::1, or the actual host name or IP address.
The user table is as follows
+-----------+------------------+-------------------------------------------+
| Host | User | Password |
+-----------+------------------+-------------------------------------------+
| localhost | root | *ABC... |
| lamp | root | |
| 127.0.0.1 | root | *ABC... |
| ::1 | root | |
| localhost | john | *EFG... |
| lamp | john | |
| 127.0.0.1 | john | *EFG... |
| ::1 | john | |
+-----------+------------------+-------------------------------------------+
It is also set to listen only to localhost bind-address = 127.0.0.1. The question is
What could be the possible downfalls of merging multiple root users to a single one and using % wildcard as Host ?
Some of the passwords are blank thus not required to login. If % is used and password is set some users (lamp, IPv6 ::1) would not be able to login. Should this be avoided?
What could be the best pracice - to create a new user basing on initial create (127.0.0.1, ::1, localhost) or to stick with the % wildcard?
First off, i'd suggest you avoid using % wildcard (if it's not strictly necessary). If your users connect to the database from the same host the mysql server is running on, my advice is to use 127.0.0.1
All best practices point out that no-password login should be disabled.
As for IPv6, there's no point in having that user if you're not using it.
I'd suggest you read this http://www.greensql.com/content/mysql-security-best-practices-hardening-mysql-tips
I see frequently when I run mysqladmin proc or when I review the MySQL Server process list a user marked with: unauthenticated user trying to connect.
+-----+----------------------+--------------+-----------------+---------+------+------------------+------------------+-----------+---------------+-----------+
| Id | User | Host | db | Command | Time | State | Info | Rows_sent | Rows_examined | Rows_read |
+-----+----------------------+--------------+-----------------+---------+------+------------------+------------------+-----------+---------------+-----------+
| 40 | unauthenticated user | x.x.x.x:xxxx | | Connect | | Reading from net | | 0 | 0 | 0 |
What may causes such thing?
Is that normal, or should I investigate my system for any vulnerability or security breach?
Thanks
unauthenticated user is the user connected and not yet sent authentication credentials. Doesn't look like a hack attempt to me.