I'm struggling to get a Dockerised MySQL instance to support SSL.
The service in my docker-compose file looks like this:
mysql:
image: mysql:5.7
container_name: mysql
command: --default-authentication-plugin=mysql_native_password --ssl-ca=/etc/ssl/mysql/ca.pem --ssl-cert=/etc/ssl/mysql/server-cert.pem --ssl-key=/etc/ssl/mysql/server-key.pem
restart: always
expose:
- 3306
environment:
MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
MYSQL_DATABASE: "${MYSQL_DATABASE}"
MYSQL_USER: "${MYSQL_USER}"
MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
volumes:
- "./data/db:/var/lib/mysql"
- "./config/mysql/my.cnf:/etc/mysql/conf.d/ssl.cnf"
- "./config/mysql/certs:/etc/ssl/mysql"
When I start up the stack I get these errors from the MySQL container:
[ERROR] SSL error: Unable to get private key from '/etc/ssl/mysql/server-key.pem'
[Warning] Failed to set up SSL because of the following SSL library error: Unable to get private key
I've tried to chown the key from root to mysql and then bring up the stack again, but that doesn't seem to work.
I generated the key files from the commands at https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html, like this:
# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
The files on the host have the following permissions:
drwxrwxr-x 2 andrew andrew 4096 Dec 11 10:25 ./
drwxrwxr-x 3 andrew andrew 4096 Dec 10 19:27 ../
-rw-rw-r-- 1 999 docker 1675 Dec 10 19:20 ca-key.pem
-rw-rw-r-- 1 999 docker 1294 Dec 10 19:20 ca.pem
-rw-rw-r-- 1 999 docker 1123 Dec 10 19:20 client-cert.pem
-rw-rw-r-- 1 999 docker 1679 Dec 10 19:20 client-key.pem
-rw-rw-r-- 1 999 docker 989 Dec 10 19:20 client-req.pem
-rw-rw-r-- 1 999 docker 1127 Dec 10 19:20 server-cert.pem
-rw------- 1 999 docker 1675 Dec 11 10:25 server.key
-rw-rw-r-- 1 999 docker 1704 Dec 11 09:43 server-key.pem
-rw-rw-r-- 1 999 docker 956 Dec 11 09:43 server-req.pem
This happens if I manually generate the certificates and mount them as a volume, or if I run a shell on the container and run the command mysql_ssl_rsa_setup --datadir=/etc/ssl/mysql --verbose (after clearing out the certificates that I created). In other words when I run openssl verify -CAfile ca.pem server-cert.pem client-cert.pem I see that both certificates are "OK" (no matter which way I generate them).
Why can't MySQL find the private key from that file?
There were two problems.
When I generated the certificate it had the wrong permissions. Running chown 999:docker on the certificates helps let MySQL read it in the container. When I was using the MySQL tool to generate certificates I was skipping this step.
The second problem was that the common name (CN) of the CA certificate needs to be different from the CN of the server certificate.
In the section where it gives the commands to generate the certificates, the MySQL manual says:
To generate test files, you can press Enter to all prompts. To
generate files for production use, you should provide nonempty
responses.
But a little higher on the page it has a warning about the CN needing to be different.
Related
I need to start a MySQL container based on a MySQL image having an existing database as part of the image and set as the default database. It needs to run with non-root user of mysql since running as root is not permitted on our private Kubernetes cluster. Referencing another solution from SO for starting MySQL with a pre-existing database, created below Dockerfile. It started up a container successfully locally on Docker desktop UNTIL I made changes to try and make container runnable as user mysql.
The database schema was output from existing database on a VM using mysqdump and out to eddie_backup2.sql.
Dockerfile:
FROM containerregistry-na.foocompany/container-external/mysql:5.7.29 as builder
# That file does the DB initialization but also runs mysql daemon, by removing the last line it will only init
RUN ["sed", "-i", "s/exec \"$#\"/echo \"not running $#\"/", "/usr/local/bin/docker-entrypoint.sh"]
ENV MYSQL_ALLOW_EMPTY_PASSWORD="y"
ENV MYSQL_USER="eddie" MYSQL_PASSWORD="eddie_pwd" MYSQL_DATABASE="eddie"
ADD eddie_backup2.sql /tmp/eddie_backup2.sql
COPY setup.sql docker-entrypoint-initdb.d/
# Need to change the datadir to something else that /var/lib/mysql because the parent docker file defines it as a volume.
# https://docs.docker.com/engine/reference/builder/#volume :
# Changing the volume from within the Dockerfile: If any build steps change the data within the volume after
# it has been declared, those changes will be discarded.
RUN ["/usr/local/bin/docker-entrypoint.sh", "mysqld", "--datadir", "/initialized-db" ]
# added below line to change ownership
RUN ["/bin/bash", "-c", "chown -R mysql:mysql /initialized-db/"]
# starting with mysql image again and using the generated datadirectory from above interim image
FROM containerregistry.foocompany.net/container-external/mysql:5.7.29 as actual_base
COPY --from=builder /initialized-db /var/lib/mysql
# change owner to mysql and list immediately to verify it was done
RUN ["/bin/bash", "-c", "chown -R mysql:mysql ./var/lib/mysql/ -v && ls -lrt /var/lib/mysql"]
USER mysql
CMD mysqld --datadir=/var/lib/mysql --user=mysql
MySQL script setup.sql run at initialisation, as it is located in special directory where the process looks:
use eddie;
source /tmp/eddie_backup2.sql ;
However, the logs indicated an issue with permissions to write to Innodb* folders. I think these are or should be present under /var/lib/mysql . That is as far as I got.
docker build --no-cache -t eddie-mysql:0.3 .
Logs:
changed ownership of './var/lib/mysql/performance_schema/file_summary_by_event_n
ame.frm' from root:root to mysql:mysql
changed ownership of './var/lib/mysql/performance_schema/events_transactions_sum
mary_by_thread_by_event_name.frm' from root:root to mysql:mysql
changed ownership of './var/lib/mysql/performance_schema/hosts.frm' from root:ro
ot to mysql:mysql
changed ownership of './var/lib/mysql/performance_schema' from root:root to mysq
l:mysql
changed ownership of './var/lib/mysql/ib_buffer_pool' from root:root to mysql:my
sql
changed ownership of './var/lib/mysql/ca.pem' from root:root to mysql:mysql
changed ownership of './var/lib/mysql/private_key.pem' from root:root to mysql:m
ysql
changed ownership of './var/lib/mysql/ibdata1' from root:root to mysql:mysql
changed ownership of './var/lib/mysql/auto.cnf' from root:root to mysql:mysql
changed ownership of './var/lib/mysql/client-key.pem' from root:root to mysql:my
sql
ownership of './var/lib/mysql/' retained as mysql:mysql
total 176196
-rw------- 1 mysql mysql 1680 Oct 2 15:07 server-key.pem
-rw-r--r-- 1 mysql mysql 1112 Oct 2 15:07 server-cert.pem
-rw-r----- 1 mysql mysql 50331648 Oct 2 15:07 ib_logfile1
-rw-r--r-- 1 mysql mysql 1112 Oct 2 15:07 ca.pem
-rw------- 1 mysql mysql 1676 Oct 2 15:07 ca-key.pem
-rw-r----- 1 mysql mysql 56 Oct 2 15:07 auto.cnf
-rw------- 1 mysql mysql 1680 Oct 2 15:07 client-key.pem
-rw-r--r-- 1 mysql mysql 1112 Oct 2 15:07 client-cert.pem
-rw-r--r-- 1 mysql mysql 452 Oct 2 15:07 public_key.pem
-rw------- 1 mysql mysql 1680 Oct 2 15:07 private_key.pem
-rw-r----- 1 mysql mysql 79691776 Oct 2 15:07 ibdata1
-rw-r----- 1 mysql mysql 50331648 Oct 2 15:07 ib_logfile0
-rw-r----- 1 mysql mysql 1452 Oct 2 15:07 ib_buffer_pool
drwxr-x--- 2 mysql mysql 12288 Oct 2 15:07 sys
drwxr-x--- 2 mysql mysql 4096 Oct 2 15:07 performance_schema
drwxr-x--- 2 mysql mysql 4096 Oct 2 15:07 mysql
drwxr-x--- 2 mysql mysql 4096 Oct 2 15:07 eddie
Removing intermediate container 29e35ac511ea
---> ce46892514e4
Step 13/14 : USER mysql
---> Running in fd1831317581
Removing intermediate container fd1831317581
---> ae9d3e300cbf
Step 14/14 : CMD mysqld --datadir=/var/lib/mysql --user=mysql
---> Running in 17143095e06f
Removing intermediate container 17143095e06f
---> 9712fc738c4c
Successfully built 9712fc738c4c
Successfully tagged eddie-mysql:0.3
It can be seen above ibdata1 ownership changed to mysql. This is relevant later . .
docker run -d --name abc eddie-mysql:0.3
docker logs 746a210065840
Below log indicates ibdata is not writeable by user mysql even though according to image build log it is owned by mysql !
2020-10-02T15:13:08.264040Z 0 [Note] InnoDB: Completed initialization of buffer
pool
2020-10-02T15:13:08.265201Z 0 [Note] InnoDB: If the mysqld execution user is aut
horized, page cleaner thread priority can be changed. See the man page of setpri
ority().
2020-10-02T15:13:08.275162Z 0 [ERROR] InnoDB: The innodb_system data file 'ibdat
a1' must be writable
2020-10-02T15:13:08.275231Z 0 [ERROR] InnoDB: The innodb_system data file 'ibdat
a1' must be writable
2020-10-02T15:13:08.275263Z 0 [ERROR] InnoDB: Plugin initialization aborted with
error Generic error
2020-10-02T15:13:08.876474Z 0 [ERROR] Plugin 'InnoDB' init function returned err
or.
2020-10-02T15:13:08.876491Z 0 [ERROR] Plugin 'InnoDB' registration as a STORAGE
ENGINE failed.
2020-10-02T15:13:08.876494Z 0 [ERROR] Failed to initialize builtin plugins.
2020-10-02T15:13:08.876496Z 0 [ERROR] Aborting
2020-10-02T15:13:08.876500Z 0 [Note] Binlog end
2020-10-02T15:13:08.876723Z 0 [Note] Shutting down plugin 'CSV'
2020-10-02T15:13:08.877008Z 0 [Note] mysqld: Shutdown complete
This may not be the most elegant solution but as mentioned earlier I could see that user mysql owns the file as a result of the chown added to my dockerfile. However discovered, it did not have write permission to it (confimred that after temporarily adding RUN ls -lrt /var/lib/mysql -v to list folder perms for debugging purposes ) which makes sense given the error message. Seems there is no publicly available image that takes care of this use case of starting a mySQL container as non root user.
So amended my Dockerfile to give most priveleged permissions to file ibdata1 (as well as the containing folder for good measure) right after mysqld initialisation with no-default data directory:
RUN ["/usr/local/bin/docker-entrypoint.sh", "mysqld", "--datadir", "/initialized-db" ]
RUN ["/bin/bash", "-c", "chown -R mysql:mysql /initialized-db/"]
RUN ["/bin/bash", "-c", "chmod ugo=rwx -R /initialized-db/"]
RUN chmod -R ugo+rwx /initialized-db/ibdata1
Here is the pertinent part of the build log:
Step 9/13 : RUN ["/bin/bash", "-c", "chown -R mysql:mysql /initialized-db/"]
---> Running in 973c96b0f535
Removing intermediate container 973c96b0f535
---> f190deb49406
Step 10/13 : RUN ["/bin/bash", "-c", "chmod ugo=rwx -R /initialized-db/"]
---> Running in 2e4612d7674c
Removing intermediate container 2e4612d7674c
---> efa6715342e2
Step 11/13 : RUN chmod -R ugo+rwx /initialized-db/ibdata1
---> Running in 3c2e288c19b7
Removing intermediate container 3c2e288c19b7
---> 1c0e7a32b2a4
Step 12/13 : FROM some-private-registry.net/container-external/mysql:5.7
.29 as actual_base
---> 5d9483f9a7b2
Step 13/13 : COPY --from=builder /initialized-db /var/lib/mysql
---> 19f51e56ae40
I could then run the image as user mysql:
docker container run -d --user mysql --name foo_name --user mysql foo-mysql:1.0
I am trying to run the offical docker image of Mysql 5.7.28 on MacOS, but I cannot manage to make it persistent.
I used mount point on docker host as well volume created with docker volume, but it doesn't work.
I use the following to create the container:
docker run \
--detach \
--name=dockMysql \
--env="MYSQL_ROOT_PASSWORD=password" \
--publish 127.0.0.1:3307:3306 \
--volume=/Users/myuser/docker/dockMysql/data:/var/lib/mysql \
mysql:5.7.28
The data path: /Users/myuser/docker/dockMysql/data has all per
$ ls -l
drwxrwxrwx 6 root admin 192 May 24 2019 Users
$ pwd
/Users/myuser/docker/dockMysql/data
$ ls
auto.cnf ca.pem client-key.pem ib_logfile0 ibdata1 mysql private_key.pem server-cert.pem sys
ca-key.pem client-cert.pem ib_buffer_pool ib_logfile1 ibtmp1 performance_schema public_key.pem server-key.pem
It seems mysql writes data in the host directory provided but doesn't save the data upon restart of the container.
Anyone has any idea?
Thanks,
Ionut
I read this doc https://hyperledger-fabric-ca.readthedocs.io/en/release-1.0/users-guide.html#mysql-ssl-configuration to set fabric-ca-server connect to mysql with ssl.
I use openssl generate the CA files, and copy client side files to the fabric-ca-server(by volumns in docker-compose)
here is the variables about tls in fabric-ca-server:
- FABRIC_CA_SERVER_DB_TLS_CERTFILES=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/ca.pem
- FABRIC_CA_SERVER_DB_TLS_CLIENT_CERTFILE=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem
- FABRIC_CA_SERVER_DB_TLS_CLIENT_KEYFILE=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem
I get logs in fabric-ca containers:
CA Files: [/etc/hyperledger/fabric-ca-server-config/mysql-ssl/ca.pem]
2018/05/23 08:20:32 [DEBUG] Client Cert File: /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem
2018/05/23 08:20:32 [DEBUG] Client Key File: /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem
2018/05/23 08:20:32 [DEBUG] Check client TLS certificate for valid dates
2018/05/23 08:20:32 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[250 75 118 17 13 151 30 107 89 252 20 23 73 26 157 142 242 68 135 173 169 174 26 220 55 109 100 221 107 41 99 135]]
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/tls/tls.go:78 github.com/hyperledger/fabric-ca/lib/tls.GetClientTLSConfig
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/dbutil/dbutil.go:182 github.com/hyperledger/fabric-ca/lib/dbutil.NewUserRegistryMySQL
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:539 github.com/hyperledger/fabric-ca/lib.(*CA).initDB
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:155 github.com/hyperledger/fabric-ca/lib.(*CA).init
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:126 github.com/hyperledger/fabric-ca/lib.initCA
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:266 github.com/hyperledger/fabric-ca/lib.(*Server).initDefaultCA
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:97 github.com/hyperledger/fabric-ca/lib.(*Server).Init
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:116 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/opt/go/src/runtime/proc.go:192 runtime.main
/opt/go/src/runtime/asm_amd64.s:2087 runtime.goexit
Caused by: Key type not recognized
2018/05/23 08:20:32 [DEBUG] Attempting fallback with certfile /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem and keyfile /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem
I also use other ways to connect to the mysql:one is starting a another mysql container as a client to connect to mysql server with ssl ;another is using MySQLWorkbench in my host machine with ssl by exposing mysql server port to my host machine.
with this state SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher, processlist_user AS user, processlist_host AS host FROM performance_schema.status_by_thread AS sbt JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher' ORDER BY tls_version;
enter image description here
so , I wonder the certification I generated works, but something wrong in the fabric-ca code ?
with help and trying many times, I find the solution:
first, the environment of ca in docker-compose.yml must set as
FABRIC_CA_SERVER_DB_DATASOURCE=****:****#tcp(mysql_ca:3306)/fabric_ca?parseTime=true&tls=custom
the mysql_ca is name of mysql container, and the &tls=custom must be added.
second, while generating the ssl cert, the common name must be same as the name of mysql container.also, the common name can be specified in cli:
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -subj /CN=mysql_ca -out server-req.pem
I was playing with docker and mounted my local mysql to a docker container and connected MySql-Workbench so I could view the DB (experimenting) here is the command I ran.
docker run -d --name alldb-mysql -v /var/lib/mysql:/var/lib/mysql -e MYSQL_USER=root -e MYSQL_PASSWORD=password -p 3306:3306 mysql:latest
after I stopped my container and removed it, I can't start/restart mysql (local install). when I run sudo /etc/init.d/mysql start it returns
[....] Starting mysql (via systemctl): mysql.serviceJob for mysql.service failed because the control process exited with error code. See "systemctl status mysql.service" and "journalctl -xe" for details.
failed!
so I checked systemctl status mysql.service
mysql.service - MySQL Community Server
Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
Active: activating (start-post) (Result: exit-code) since Mon 2017-04-03 22:26:15 IST; 26s ago
Process: 5470 ExecStart=/usr/sbin/mysqld (code=exited, status=1/FAILURE)
Process: 5465 ExecStartPre=/usr/share/mysql/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
Main PID: 5470 (code=exited, status=1/FAILURE); : 5471 (mysql-systemd-s)
Tasks: 2
Memory: 1.6M
CPU: 222ms
CGroup: /system.slice/mysql.service
└─control
├─5471 /bin/bash /usr/share/mysql/mysql-systemd-start post
└─6579 sleep 1
Apr 03 22:26:15 n mysqld[5470]: 2017-04-03T21:26:15.980564Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explici
Apr 03 22:26:15 n mysqld[5470]: 2017-04-03T21:26:15.980614Z 0 [Warning] Can't create test file /var/lib/mysql/n.lower-test
Apr 03 22:26:15 n mysqld[5470]: 2017-04-03T21:26:15.980638Z 0 [Note] /usr/sbin/mysqld (mysqld 5.7.17-0ubuntu0.16.04.1) starting as process 5470 .
Apr 03 22:26:15 n mysqld[5470]: 2017-04-03T21:26:15.981928Z 0 [Warning] Can't create test file /var/lib/mysql/n.lower-test
Apr 03 22:26:15 n mysqld[5470]: 2017-04-03T21:26:15.981936Z 0 [Warning] Can't create test file /var/lib/mysql/n.lower-test
Apr 03 22:26:15 n mysqld[5470]: 2017-04-03T21:26:15.982122Z 0 [ERROR] failed to set datadir to /var/lib/mysql/
Apr 03 22:26:15 n mysqld[5470]: 2017-04-03T21:26:15.982142Z 0 [ERROR] Aborting
Apr 03 22:26:15 n mysqld[5470]: 2017-04-03T21:26:15.982162Z 0 [Note] Binlog end
Apr 03 22:26:15 n mysqld[5470]: 2017-04-03T21:26:15.982213Z 0 [Note] /usr/sbin/mysqld: Shutdown complete
Apr 03 22:26:15 n systemd[1]:
I also tried to login mysql with my detail:
mysql -uroot -ppassword1 which returned
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
when I run the following command ls -la /var/lib/ | grep mysql on the var lib directory it returns.
drwx------ 12 root docker 4096 Apr 3 21:17 mysql
drwx------ 2 mysql mysql 4096 Feb 23 22:35 mysql-files
drwx------ 2 mysql mysql 4096 Feb 23 22:35 mysql-keyring
drwxr-xr-x 2 root root 4096 Jan 18 21:45 mysql-upgrade
By the looks of things I (well docker did) messed up my ownership on my mysql directory.
If I run ls -la /var/lib/mysql it returns
ls: cannot open directory '/var/lib/mysql': Permission denied
and running same command with sudo sudo ls -la /var/lib/mysql
it returns
total 188480
drwx------ 12 root docker 4096 Apr 3 21:17 .
drwxr-xr-x 80 root root 4096 Mar 29 19:28 ..
-rw-r----- 1 guest-okauxv docker 56 Feb 23 22:35 auto.cnf
drwxr-x--- 2 guest-okauxv docker 4096 Mar 24 23:51 concretepage
-rw-r--r-- 1 guest-okauxv docker 0 Feb 23 22:35 debian-5.7.flag
drwxr-x--- 2 guest-okauxv docker 4096 Mar 25 00:10 myfidser
drwxr-x--- 2 guest-okauxv docker 4096 Mar 4 00:54 myotherFliDB
drwxr-x--- 2 guest-okauxv docker 4096 Mar 1 12:33 testFFAPI
-rw-r----- 1 guest-okauxv docker 679 Apr 3 21:16 ib_buffer_pool
-rw-r----- 1 guest-okauxv docker 79691776 Apr 3 21:17 ibdata1
-rw-r----- 1 guest-okauxv docker 50331648 Apr 3 21:17 ib_logfile0
-rw-r----- 1 guest-okauxv docker 50331648 Feb 23 22:35 ib_logfile1
-rw-r----- 1 guest-okauxv docker 12582912 Apr 3 21:17 ibtmp1
drwxr-x--- 2 guest-okauxv docker 4096 Feb 23 22:35 mysql
drwxr-x--- 2 guest-okauxv docker 4096 Mar 25 16:58 NodeRestDB
drwxr-x--- 2 guest-okauxv docker 4096 Feb 23 22:35 performance_schema
drwxr-x--- 2 guest-okauxv docker 12288 Feb 23 22:35 sys
drwxr-x--- 2 guest-okauxv docker 4096 Mar 29 10:34 testDB
drwxr-x--- 2 guest-okauxv docker 4096 Mar 1 11:52 demoDB
By the looks of this, I (well docker did) managed to changed the owner and group of all the directories in mysql directory.
Do I need to do a complete reinstall of MySQL Server?
What is the simplest, easiest way to fix this?
your help will be much appreciated.
Updated with FIX
Just what Andy Shinn said in point one, I just ran sudo chown -R
mysql:mysql /var/lib/mysql to change the owner back and started mysql
by running sudo /etc/init.d/mysql start and mysql returned
[ ok ]Starting mysql (via systemctl): mysql.service.
G
Some more information will be needed. But two things come to mind.
It is likely the permission issue. Based on your output, why don't you first just try changing the owner and group back to mysql? This should be a simple sudo chown -R mysql:mysql /var/lib/mysql.
It is possible that running mysql:latest image is a different version of MySQL that you were running locally and it could have upgraded the MySQL data to newer formats which may be incompatible with older versions. Check that the version of MySQL you were running locally is the same that the mysql:latest image tag points to (at least the same minor version eg. 5.6 and 5.6).
What version is mysql:latest and what version were you running locally? Do you have any log output from the MySQL container that you started?
My task is to make all local and remote connections to MySQL encrypted and all clients must be verified by client SSL certificates.
But I can't even connect to MySQL from shell and always getting 'Access denied for user ssluser#localhost...)'
Platform:
Amazon EC2 micro with Amazon Linux AMI (all updates installed)
MySQL 5.7.7
I have created the self-signed certificate in accordance with this instruction
# Create CA certificate
# -----------
# CN = localdomain.com
$ openssl genrsa 2048 > ca-key.pem
$ openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
# -----------
# CN = cn1.localdomain.com
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
$ openssl rsa -in server-key.pem -out server-key.pem
$ openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
# -----------
# CN = cn2.localdomain.com
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
$ openssl rsa -in client-key.pem -out client-key.pem
$ openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
I have created the MySQL DB user for testing
CREATE USER 'ssl-user'#'%' identified by '123';
GRANT USAGE ON *.* TO 'ssluser'#'%' identified by '123' REQUIRE X509;
FLUSH PRIVILEGES;
Edited my.cnf
[mysqld]
ssl-ca=/etc/pki/mysql_ssl/ca.pem
ssl-cert=/etc/pki/mysql_ssl/server-cert.pem
ssl-key=/etc/pki/mysql_ssl/server-key.pem
[client]
ssl-cert=/etc/pki/mysql_ssl/client-cert.pem
ssl-key=/etc/pki/mysql_ssl/client-key.pem
and restarted mysqld...
Than I am trying to connect from shell
mysql -ussluser -p123123123 --ssl-cert=/etc/pki/mysql_ssl/client-cert.pem --ssl-key=/etc/pki/mysql_ssl/client-key.pem
And always get 'Access denied for ssluser#localhost (using password: YES).
I also tried to use our purchased WildCard Comodo Certificates to only encrypt the connection (but not verify the client) with no success.
I am a bit confused because I know a lot of people actually do MySQL SSL, but I am still can't get it working.
Any help would be much appreciated.
Problem is solved.
I switched back to MySQL 5.6
Re-created CA, server and client certificates with this detailed instruction
Added to my.cnf the client SSL section
[client]
ssl-ca=/etc/pki/mysql_ssl/ca-cert.pem
ssl-cert=/etc/pki/mysql_ssl/client-cert.pem
ssl-key=/etc/pki/mysql_ssl/сlient-key.pem
Created new mysql user
CREATE USER 'x509test'#'%' IDENTIFIED BY 'MyPassword1';
GRANT USAGE ON *.* TO 'x509test'#'%' REQUIRE X509;
FLUSH PRIVILEGES;
And finally I am able to connect
$ mysql --user=x509test --password --ssl-ca=/etc/pki/mysql_ssl/ca-cert.pem --ssl-cert=/etc/pki/mysql_ssl/client-cert.pem --ssl-key=/etc/pki/mysql_ssl/client-key.pem