Can't connect to database: Access denied for user - mysql

I am setting up a CakePHP 3.7 application and using docker compose. I have a mysql service as well that I'm trying to connect to, but I am getting this error: Access denied for user 'ws_user'#'172.20.0.3' (using password: YES)
I am granting permissions to the user like so: GRANT ALL PRIVILEGES ON mydb.* TO 'ws_user'#'%' IDENTIFIED BY '<superSecretPasswordHere>'.
If I use the root credentials, cakephp is able to make the connection just fine.
I also expose the mysql service on port 3030 to my local machine and I am able to connect with the ws_user credentials just fine.
I also setup mysql running on my local machine with the same credentials and cake is able to connect to host 172.17.0.1 just fine as well.
I'm perplexed as what could be the problem. It sure seems like it's a permissions problem (because of the error message), but I'm able to connect via the exposed port via the command line. My next thought was that it might be because of special characters in the password, but again, if I connect to mysql running on my host machine, it works fine with the same password.
Here is my docker-compose file:
version: '2'
# define all services
services:
# our service is called CakePHP ;-)
cakephp:
# we want to use the image which is build from our Dockerfile
build:
context: .
dockerfile: Dockerfile
# apache is running on port 80 but we want to expose this to port 4000 on our local machine
ports:
- "80:80"
# we are depending on the mysql backend
depends_on:
- mysql
# we mount the working dir into the container, handy for development
volumes:
- .:/var/www/html/
environment:
- SECURITY_SALT
- MYSQL_HOST
- MYSQL_USERNAME
- MYSQL_PASSWORD
mysql:
# we use the mysql base image, version 5.6.36
#image: mysql:5.6.39
build:
context: .
dockerfile: Dockerfile.mysql
ports:
- "3030:3006"
# we mount a datavolume to make sure we don't lose data
volumes:
- mysql_data:/var/lib/mysql
# setting some envvars to create the DB
environment:
- MYSQL_ROOT_PASSWORD
- MYSQL_DATABASE
volumes:
mysql_data:

From "cakephp" you connect to "mysql:3306". This should be in your connection string.
From your host you can connect to "127.0.0.1:3030" to verify that your database accepts remote login.
Then you should check the credentials that they are the same. I suggest you put them in a .env file and then test the connection by "copy-paste" of the values.
you can check the values that are actually passed to the containers by running:
docker-compose config
This shows you the exact version of the docker-compose file that will be sent to the docker engine.
Hope this works, otherwise drop me a comment.

Related

Access locally mysql on docker from remote through SSH tunnel

I'm trying to access my mysql database from workbench through SSH tunnel, mysql is in a container (working with docker-compose).
Here is my mysql container config in docker-compose :
mysql:
image: mysql:5.7
container_name: mysql
expose:
- 3306
ports:
- '3306:3306'
volumes:
- ./mysql:/var/lib/mysql
environment:
- "MYSQL_ROOT_PASSWORD=#####"
- "MYSQL_DATABASE=#####"
- "MYSQL_USER=#####"
- "MYSQL_PASSWORD=#####"
restart: always
But I'm getting a "Failed to Connect to MySQL" error, just like if my ports were not well reforwarding from SSH to MySQL container (and so, not hitting the good door).
Please note I did not allowed remote access from mysql, as I want to only keep SSH/localhost access possible.
Do you have any idea? Thanks
You are already exposing port 3306, so you should be able to access it from your system with below command -
mysql -u <mysql_user> -p -h localhost -p 3306
If not accessible, try if you are able to access it inside the docker session by logging in to mysql container in interactive mode.

I can't connect to mysql in docker from my localhost with DataGrip database client

I have the following docker-compose.yml file:
version: '3.2'
services:
mysql:
image: mysql:5.7
environment:
- MYSQL_ROOT_PASSWORD=verysecret
- MYSQL_DATABASE=yii2advanced
- MYSQL_USER=yii2advanced
- MYSQL_PASSWORD=secret
I run it via docker-compose up -d. But I can't connect from SQL client to my database (I use DataGrip from JetBrains). Here is my configuration:
The password of course is secret. I have already tried to check allowed hosts for yii2advanced user:
As you can see for my yii2advanced connection is allowed from any host. I have tried to change mysqld.cnf and set bind-address = 0.0.0.0. Tried to setbind-address to *. Tried to set not 127.0.0.1 but 172.17.0.1 in the settings of my SQL client. Tried to create manually new one user with full privileges. No effect. The problem still exists. I can't connect to mysql in the container from my localhost.
What is wrong?
By default, docker-compose create a bridge network that will isolate your application from outside including the localhost.
You need to expose 3306 port from isolated network to localhost.
Try this.
version: '3.2'
services:
mysql:
image: mysql:5.7
environment:
- MYSQL_ROOT_PASSWORD=verysecret
- MYSQL_DATABASE=yii2advanced
- MYSQL_USER=yii2advanced
- MYSQL_PASSWORD=secret
ports:
- 3306:3306 # <host port>:<container port>
Good to read docker network section. https://docs.docker.com/network/

Why access denied happen with mysql , with docker-compose

I'm trying to create mySQL container for development DB.
My app is made by golang.
Now, I created docker-compose.yml to run APP & DB.
mySQL container was created and I can start it, but Access denied shows up if when I tried to connect with this DB, via DB client (Sequel Pro).
it's my docker-compose.yml
version: '3'
services: app:
build:
context: .
dockerfile: "Dockerfile"
ports:
- "8080:8080"
volumes: mysql:
image: mysql:5.7.10
environment:
MYSQL_ROOT_PASSWORD: 'pass'
ports:
- '3306:3306'
volumes:
- mysql-data:/var/lib/mysql volumes: mysql-data:
driver: local
I did
$ docker-compose build
and
$ docker-compose up -d
Then containers are created, mySQL is as below, if exec command
$ docker ps -a
1f7540fdedc1 mysql:5.7.10 "/entrypoint.sh mysq…" 1 second ago Up 2 seconds 0.0.0.0:3306->3306/tcp XXX_mysql_1
After that,If I tried to connect this DB with sequel pro, I can see this message in kitematic.
Access denied for user 'root'#'172.18.0.1' (using password: YES)
ip, user name, password, port must be correct.
Also, if I create docker container for mySQL with using kitematic, I can connect with the container.
I don't know why access denied shows up.
Screenshot when access denied shows up
I have this similar problem fixed. Make sure you have the latest image of mysql version. docker pull mysql:5.7.10.
Then delete the associated volume (backup if there is existing data). If you are using the docker-compose yml version 3 you should map your environment like MYSQL_ROOT_PASSWORD=password. Verify that it is correctly set by going to the container and run command echo $MYSQL_ROOT_PASSWORD.
If you are logging in from the host machine try to pass the protocol flag.
mysql -u root -p --protocol=tcp (you may also pass the host localhost or 127.0.0.1) -h 127.0.0.1

MYSQL connection error using service name as user host

I have a couple of containers which need to connect to a mysql container. For this example I will use my webapi container. Currently I am able to do this if my "test" user host is set to the IP (172.18.0.4) of the container in the mysql user table.
My understanding is that I can use the service name from the docker-compose file since they will be on the same network, thus not relying on an IP. Although when I change the host of my "test" user to the service name of the container e.g. webapi. I get thrown a mysql error.
SQLSTATE[HY000] [1045] Access denied for user 'test'#'172.18.0.4' (using password: YES)
My docker-compose file is as
version: '2.3'
services:
webapp:
image: webapp:0.3
networks:
- frontend
depends_on:
- database
webapi:
image: webapi:0.2
networks:
- frontend
depends_on:
- database
database:
image: database:0.1
networks:
- frontend
- backend
volumes:
- mysql-data:/var/lib/mysql
networks:
frontend:
external: true
backend:
external: true
volumes:
mysql-data:
external:
name: mysql-data
Is there something I am doing wrong or is my understanding of being able to use the service name as the MYSQL user host incorrect?
The database image is built from the official MariaDB dockerfile.
I found this but forgot to reply back. Interestingly the dockerfile sets the skip-name-resolve which disables DNS host name lookup.
I found this a bit odd as docker pushes the developer into using the container names as the DNS records...
So if you come across this issue, remove the line where it echo's it into the .cnf file near the bottom of the Dockerfile.

How to connect to a MySQL Docker Container via SSH?

When I try to tunnel via SSH to the Host Mashine (vServer) and then try to connect via the internal docker Container-IP then I can't connect to MySQL.
This is my docker-compose file.
version: '2'
services:
mysql:
build: ./mysql
environment:
MYSQL_ROOT_PASSWORD: test
volumes:
- ./db:/var/lib/mysql
The only solution I found was to forward the MySQL-Port of the mysql container to the Host-Mashine.
version: '2'
services:
mysql:
build: ./mysql
environment:
MYSQL_ROOT_PASSWORD: test
volumes:
- ./db:/var/lib/mysql
ports:
- 3306:3306
Then I am able to connect via the Host IP to MySQL but this is without SSH its direct via TCP and the port.
This is a No-Go for me to bring the MySQL Service into the internet.
Reasons can be found here https://security.stackexchange.com/questions/63881/is-it-not-safe-to-open-mysqls-port-to-the-internet why it is not a good practice to bring your mysql port into the internet.
So what is a good practice to connect to my docker mysql container with SSH but keep the mysql ports closed?
One simple way is to bind the MySQL port only to the localhost address. That assumes the host has a mysql client available outside of Docker.
ports:
- 127.0.0.1:3306:3306
You could also omit the ports section completely (no port binding at all), and use the mysql client that's already inside the container.
docker-compose exec mysql bash
Then run the mysql command inside the container to do whatever queries you want to do.
An easy way to achieve this is to forward the ssh port of the docker conatiner to some port on your host, i.e.
ports:
- 22:<some free host port>
and then access the container via ssh to the host port you used. Note, that it is a bad idea to use port 22, since that will cause a conflict with the ssh server running on your host.