Docker MySQL Container Incoming Connection from Gateway Address Instead of Source Container - mysql

I have a basic stack of containers on their own user-defined network with a subnet of 172.21.0.0/16. My MySQL container's address is 172.21.0.2 and the PHP/Apache container's address is 172.21.0.3.
Until this point I had to permit MySQL to allow incoming connections via PHP from 172.21.0.3, which made perfect sense. Now, it seems as though the connections are coming from 172.21.0.1, the gateway, and this doesn't make much sense to me. My (basic to intermediate) understanding suggests that the gateway should only be used when traffic is destined for an address outside of its local network - but obviously in this case MySQL and PHP/Apache are on the same network.
Two of our environments have started acting like this, and while it's a simple fix to permit connections from the gateway address, I'm hesitant to proceed without an understanding as to what has happened and why. This also seems to add extra delay to database queries within the application.
Logging in to an affected environment via phpMyAdmin displays "User: root@172.21.0.1" in the "Database Server" information pane. An unaffected environment displays "root@phpmyadmin_1.test_default" (user@[container].[network]).
Both environments are using the exact same images, and the same version of Docker - 18.06.1-ce. Other than a version upgrade of Docker, nothing else has changed with regards to the docker-compose.yml I was using.
Why has my environment started acting like this? Should I prefer the connection coming in from the actual source, and not via the gateway? How can I return to that way of operation?
Thank you for any guidance or knowledge.

For anyone else that experiences a similar rut, I'm of the mind that this was caused by an upgrade of Docker from 18.03.1-ce to 18.06.1-ce via Docker's own repository. Performing a server reboot after this operation has (for now) restored sense to the networking of the stack.
The connection to my MySQL container is now correctly coming from the PHP/Apache container and not from the gateway address of the bridge network. The lag this introduced is gone, and I'm able to remove the privilege associated with the gateway address.
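Before granting a privilege to the gateway address, it is worth knowing which live connections are actually arriving from it, and what that address covers. The following is an added example, not code from the question or from Docker or MySQL: it classifies the Host column as SHOW PROCESSLIST reports it, using the subnet and addresses given in the question (172.21.0.0/16, gateway 172.21.0.1, MySQL at .2, PHP/Apache at .3). The container-to-address map and the processlist rows are constructed sample data.

```python
import ipaddress
import re

# Network facts taken from the question: user-defined bridge 172.21.0.0/16 with
# gateway 172.21.0.1, MySQL at 172.21.0.2 and PHP/Apache at 172.21.0.3.
NETWORK = ipaddress.ip_network("172.21.0.0/16")
GATEWAY = ipaddress.ip_address("172.21.0.1")

# Assumed container-to-address mapping (constructed; in practice take it from
# `docker network inspect <network>`).
KNOWN_CONTAINERS = {
    ipaddress.ip_address("172.21.0.2"): "mysql_1",
    ipaddress.ip_address("172.21.0.3"): "php_1",
}

# Constructed sample of (User, Host) pairs as SHOW PROCESSLIST reports them.
# Host is "<address or name>:<client port>", or "localhost" for socket clients.
SAMPLE_PROCESSLIST = [
    ("root", "172.21.0.1:52114"),
    ("app", "172.21.0.3:41022"),
    ("app", "phpmyadmin_1.test_default:39874"),
    ("root", "localhost"),
    ("backup", "203.0.113.7:6033"),
]

NOTES = {
    "local-socket": "Unix socket or loopback client on the MySQL container itself.",
    "container-name": "Peer resolved to a container name: source attribution intact.",
    "container-ip": "Peer is a known container address on the bridge.",
    "unknown-in-subnet": "Bridge address not in the known container map: investigate.",
    "gateway": ("Source is the bridge gateway, i.e. the host's own address on the bridge "
                "and what anything the host forwards onto it appears as; a grant scoped "
                "to it is far broader than one scoped to a single container."),
    "external": "Peer is outside the bridge subnet: the port is reachable from elsewhere.",
}


def classify_host(host: str) -> str:
    """Classify a PROCESSLIST Host value by where the connection appears to originate.

    Only IPv4 peers are handled; IPv6 peers would need bracket-aware parsing.
    """
    if host in ("", "localhost"):
        return "local-socket"
    # Strip the trailing ":<port>" that MySQL appends for TCP clients.
    name = re.sub(r":\d+$", "", host)
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        # Docker's embedded DNS gave MySQL a container name rather than an address.
        return "container-name"
    if addr == GATEWAY:
        return "gateway"
    if addr in NETWORK:
        return "container-ip" if addr in KNOWN_CONTAINERS else "unknown-in-subnet"
    return "external"


def audit(processlist):
    """Return one (user, host, classification, note) tuple per live connection."""
    result = []
    for user, host in processlist:
        kind = classify_host(host)
        result.append((user, host, kind, NOTES[kind]))
    return result


def gateway_sourced(processlist):
    """The connections whose source address has been rewritten to the gateway."""
    return [(user, host) for user, host, kind, _ in audit(processlist) if kind == "gateway"]


if __name__ == "__main__":
    for user, host, kind, note in audit(SAMPLE_PROCESSLIST):
        print(f"{user}@{host:<32} {kind:<18} {note}")
```

Run against the real server by replacing SAMPLE_PROCESSLIST with the (User, Host) columns of SHOW PROCESSLIST; any row classified "gateway" is a connection whose real origin MySQL can no longer see, which is why a host-scoped grant for it is a weaker control than the per-container grant the stack had before.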

Related

How can I connect a local MySQL database to the IBM Node-Red platform

I am using MySQL Workbench on Windows, which I want to connect to a Node-RED running on the IBM cloud. Since I don't run them on the same server, the host 127.0.0.1 and port 3306 do not seem to work. What permissions should I give?
I'm going to make a LOT of assumptions here, because there really isn't enough information in your question.
First assumption, by "running on IBM" you mean that Node-RED is running on the IBM Cloud hosting service.
The short answer is you can not do what you want.
The longer version is that you probably could actually make this work but doing it is a REALLY bad idea.
Second assumption, you are doing this from home (even if you are doing it from an office location the same problems are likely to apply). This means you are connected to a local LAN using an RFC 1918 address range (e.g. 192.168.0.x), which means you are behind a router that is performing NAT (Network Address Translation). This means you are going to need to set up port forwarding on the router so that when traffic arrives at the router it will send it on to your Windows machine. How you do this will depend on your router.
Next problem, your broadband probably doesn't have a static IP address which means it will change every time your connection drops. There are work arounds for this using things like Dynamic DNS. But that's too complicated to get into here.
Assuming you get all of that sorted out you still have the problem that you have now exposed your mysql database to the internet, so you need to make sure you have enabled all the right security measures to prevent people logging in and at best seeing all your data.
There are 2 much better solutions to this:
Run Node-RED on the same machine or at least on the same local network as the database.
Use one of IBM Cloud's hosted database solutions; these are a lot easier to connect to an IBM Cloud instance of Node-RED.
If you do not want to open ports to your network I recommend using a free MySQL remote server.
A simple website is https://remotemysql.com
Just take the screenshot of the credentials of your database after registration.
Keep in mind if your database is empty it will get deleted after some time.

Accessing MySQL running on Docker Swarm

I have what is going to be a production MySQL database, and we want to access it remotely but haven't found a secure way to do it.
Docker Swarm does not have support for host-bound ports such as 127.0.0.1:3303:3303; normal mode does, however. Making a port public also makes it public on all swarm nodes.
Using firewalls is not really an option since we would have to configure these on every single node in the swarm.
We have on table only two options
Opening the port and only allowing connections through TLS and enforcing REQUIRE options Issuer and Subject, to only one single user and probably read_only. Still seems to be highly insecure due to having the open port.
Creating a temporary dockerized sshd service and making it available in the same network as the MySQL service; it is more hassle to manage these SSH containers, but still more secure since it would be turned on/off when needed.
Question: Are there any other/better options to approach this? And how badly insecure is it to have an open port + TLS connections?
If you have a good argument against accessing MySQL remotely I would appreciate it.
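Both of the last two questions come down to the same exposure question: once port 3306 is reachable from outside, what does each account in mysql.user actually permit? The block below is an added example, not code from either question or from MySQL: it audits rows of mysql.user for wildcard hosts, missing TLS requirements and SUPER accounts reachable remotely, and it emits the ALTER USER ... REQUIRE ISSUER ... AND SUBJECT ... statement that implements the pinned-certificate option the Swarm question describes. The sample rows, CA and subject names are constructed; the ssl_type encoding ('', ANY, X509, SPECIFIED) is MySQL's own.

```python
from dataclasses import dataclass
from typing import Dict, List

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


@dataclass(frozen=True)
class Account:
    """One row of mysql.user, reduced to the columns that matter for exposure.

    ssl_type is MySQL's own encoding of the account's REQUIRE clause:
      ''          no requirement (plaintext accepted)
      'ANY'       REQUIRE SSL
      'X509'      REQUIRE X509 (any client cert the server's CA signed)
      'SPECIFIED' REQUIRE ISSUER and/or SUBJECT (pinned client cert)
    """
    user: str
    host: str
    ssl_type: str
    x509_issuer: str = ""
    x509_subject: str = ""
    super_priv: bool = False


# Constructed sample rows, as if taken from:
# SELECT User, Host, ssl_type, x509_issuer, x509_subject, Super_priv FROM mysql.user;
SAMPLE_ACCOUNTS = [
    Account("root", "localhost", "", super_priv=True),
    Account("root", "%", "", super_priv=True),
    Account("app", "10.0.%", "ANY"),
    Account("reporting", "%", "SPECIFIED",
            x509_issuer="/C=XX/O=Example/CN=Example Internal CA",
            x509_subject="/C=XX/O=Example/CN=reporting-client"),
    Account("backup", "203.0.113.7", "X509"),
]


def findings(acct: Account) -> List[str]:
    """Tags describing how exposed this account is once the port is reachable."""
    tags = []
    if acct.host == "%":
        tags.append("any-host")
    elif "%" in acct.host:
        tags.append("host-pattern")
    elif acct.host in LOCAL_HOSTS:
        tags.append("local-only")
        return tags  # a local-only account is not part of the remote attack surface
    # Everything below applies only to accounts that can be used remotely.
    if acct.ssl_type == "":
        tags.append("plaintext-allowed")
    elif acct.ssl_type == "ANY":
        tags.append("tls-no-client-cert")
    elif acct.ssl_type == "X509":
        tags.append("client-cert-any")
    elif acct.ssl_type == "SPECIFIED":
        pinned_both = bool(acct.x509_issuer and acct.x509_subject)
        tags.append("client-cert-pinned" if pinned_both else "client-cert-partially-pinned")
    if acct.super_priv:
        tags.append("super-remote")
    return tags


def audit(accounts) -> Dict[str, List[str]]:
    """Map 'user'@'host' to its findings, in mysql.user order."""
    return {f"'{a.user}'@'{a.host}'": findings(a) for a in accounts}


def _lit(value: str) -> str:
    """Quote a value as a MySQL string literal (doubling embedded quotes)."""
    return "'" + value.replace("'", "''") + "'"


def require_pinned_cert(acct: Account, issuer: str, subject: str) -> str:
    """ALTER USER statement turning the account into the pinned-certificate shape."""
    return (f"ALTER USER {_lit(acct.user)}@{_lit(acct.host)} "
            f"REQUIRE ISSUER {_lit(issuer)} AND SUBJECT {_lit(subject)};")


if __name__ == "__main__":
    for name, tags in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name:<28} {', '.join(tags) or 'ok'}")
    print(require_pinned_cert(SAMPLE_ACCOUNTS[1],
                              "/C=XX/O=Example/CN=Example Internal CA",
                              "/C=XX/O=Example/CN=ops-admin"))
```

The 'root'@'%' row with no TLS requirement is the shape that makes an open port dangerous; 'reporting'@'%' with both ISSUER and SUBJECT pinned is the shape the Swarm question proposes, and the remaining exposure there is the port itself (brute force, protocol bugs), not the credential.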

Setting up servers with fault tolerance using Go and MySQL (failover)

I am working in a project where we are using Go as a web server and MySQL.
We have been told to implement fault tolerance to handle a hardware crash. We were given 2 servers which have MySQL and the Go-server on them.
We have successfully set up replication in MySQL, but we are struggling with the failover part. Our thought was to get an extra server with HAProxy to have a primary server and then being able to failover to the backup server.
We also considered using MySQL failover, but did not see how we could redirect the traffic using it.
Is this a reasonable plan? Or what would you recommend that we do instead?
If you want two identical servers connecting to their local MySQL instances, you need a way of deciding which one is the production server. There are a number of solutions for that, including:
Setting up a reverse proxy, as you mention, but then, your proxy itself becomes a SPOF,
Using a floating IP, also known as a failover IP, but this only works if your host supports it. Cloud providers typically support them, as well as some bare metal server providers.
There is nothing specific to Go as far as I know.
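A third arrangement, not mentioned in the answer, is to let the application itself hold an ordered list of endpoints and fail over client-side, which removes the proxy SPOF. The catch is the failure mode the question's replication setup creates: after the primary dies, the standby is still a replica, and writing to it silently forks the data. The block below is an added example, not the asker's code, written in Python to match the other examples on this page rather than in Go. It assumes a `connect(dsn)` callable that raises on failure and an `is_writable(conn)` callable (in practice, `SELECT @@global.read_only`); the two fake servers and the crash/promotion sequence in `demo()` are constructed.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Endpoint:
    name: str
    dsn: str
    down_until: float = 0.0  # monotonic time until which this endpoint is skipped


class FailoverPool:
    """Try endpoints in priority order; skip recently failed ones; never write to a replica."""

    def __init__(self, endpoints: List[Endpoint], connect: Callable, is_writable: Callable,
                 cooldown: float = 30.0, clock: Callable[[], float] = time.monotonic):
        self.endpoints = list(endpoints)
        self.connect = connect
        self.is_writable = is_writable
        self.cooldown = cooldown
        self.clock = clock

    def acquire(self, need_write: bool = True) -> Tuple[str, object]:
        now = self.clock()
        reasons = []
        for ep in self.endpoints:
            if ep.down_until > now:
                reasons.append(f"{ep.name}: cooling down")
                continue
            try:
                conn = self.connect(ep.dsn)
            except Exception as exc:  # refused, timeout, auth failure ...
                ep.down_until = now + self.cooldown  # stop hammering a dead host
                reasons.append(f"{ep.name}: {exc}")
                continue
            if need_write and not self.is_writable(conn):
                # A healthy replica answered. It is fine for reads, so it is not marked
                # down, but a write here would diverge the two copies of the data.
                reasons.append(f"{ep.name}: read_only")
                continue
            return ep.name, conn
        raise RuntimeError("no usable MySQL endpoint: " + "; ".join(reasons))


def demo() -> List[str]:
    """Constructed crash-and-promote sequence; returns which endpoint served each request."""
    # Stand-in for two MySQL servers; a driver would replace these two closures.
    servers = {"mysql://db1": {"up": True, "read_only": False},
               "mysql://db2": {"up": True, "read_only": True}}

    def fake_connect(dsn):
        if not servers[dsn]["up"]:
            raise ConnectionError("connection refused")
        return dsn  # the "connection" is just the DSN here

    def fake_is_writable(conn):
        return not servers[conn]["read_only"]

    clock = [0.0]
    pool = FailoverPool([Endpoint("primary", "mysql://db1"), Endpoint("standby", "mysql://db2")],
                        fake_connect, fake_is_writable, cooldown=30.0, clock=lambda: clock[0])
    trace = []
    trace.append(pool.acquire()[0])                    # normal operation: primary
    servers["mysql://db1"]["up"] = False               # hardware crash
    try:
        pool.acquire()                                 # standby is still a replica
        trace.append("wrote-to-replica")
    except RuntimeError:
        trace.append("refused")                        # correct: fail loudly, do not fork data
    trace.append(pool.acquire(need_write=False)[0])    # reads can continue on the standby
    servers["mysql://db2"]["read_only"] = False        # MySQL failover promotes the standby
    trace.append(pool.acquire()[0])                    # writes resume on standby
    servers["mysql://db1"]["up"] = True                # old primary returns, demoted to
    servers["mysql://db1"]["read_only"] = True         # read_only by the failover tooling
    clock[0] += 31.0                                   # cooldown has expired
    trace.append(pool.acquire()[0])                    # still standby: old primary is read_only
    return trace


if __name__ == "__main__":
    print(demo())
```

The final step is the important one: the pool only stays safe because the returning old primary comes back read_only. If the failover tooling does not fence or demote the old node, both servers are writable and no client-side ordering can tell which one is authoritative; that fencing step is what HAProxy alone does not give you either.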

Secure Remote mySQL Connection

Since our shared hosting server doesn't allow us to setup Tomcat I decided to install it on our local machine. The local Tomcat server allows us to listen to a certain port for Bancnet transactions which will then be processed and written to the remote site.
Question:
Is it safe for me to set the local PHP application to connect directly to the remote MySQL server? Any suggestions on how to make the connection secure? BTW, I have a self-signed certificate installed on the localhost but not sure how this applies to a remote MySQL connection.
You could create an SSH tunnel between the MySQL server and client. For more resiliency, use autossh.
If you don't connect over SSL or some other encrypted tunnel, I would absolutely assume that anything you send or receive from MySQL is done so in clear text that can be intercepted and used for malicious purposes from any link along the way. This might be fine for testing purposes with dummy data, but before you put this in production use or pull down live user data for testing, you really should either make arrangements for the data to be stored local to the web app or for there to be an encrypted connection.
Giving you a full overview of how to set up SSL connections to MySQL is beyond the scope of Stack Overflow and it's a bit complicated, but if you want to proceed, check out the documentation and do some research, there are some good informational resources out there.
I'm a bit confused as to the architecture you are trying to describe. What's running where?
If you can't install Tomcat then you probably won't be able to install anything like VPN software on the box.
MySQL can encrypt using SSL provided it has been enabled at compile time and at run time.
Alternatively, it should be fairly trivial to build a webservices tier on top of the remote database.
I would recommend switching to a VPS or managed host though.

Remote (Non-LocalHost) MySQL Calls... Safe/Recommended for Management Purposes?

I'm new to MySQL and I'm using a desktop DB management app called "Querious" to simplify the process while I learn.
I want to work on (mainly just structure & basic population) a database that's hosted elsewhere, but the host won't allow any remote MySQL calls on their server.
What is their reasoning for restricting MySQL calls to localhost only? Is this a security or a performance concern?
This is a security concern. The idea is that if people can't remotely connect, they have to compromise the system, not just the files that hold the database information.
You may be able to request that they just add your IP address to a trusted host file, but I doubt they'll do that either.
It's fairly common practice to not allow remote DB connections.
I've run into this problem with GoDaddy where they implement this by default. You can change this, however, by indicating that you want to allow remote access. If you've already created your DB, though, you can't change it, so I would recommend creating a new DB and deleting your other one.
The reason why is for security. If only your app can call your DB, you don't have to worry about other people trying to access it.
Distill,
An improperly-configured MySQL instance is dangerous, whether the user is remote or local. This could allow malicious attackers to cause crashes or remote execution of arbitrary code (i.e., owning the machine).
You can use PuTTY to create a tunnel if it's allowed by the server so that your application traffic goes through ssh and then is forwarded to the correct port on localhost.