Hello, I have an issue with MySQL: I can't connect to it remotely. I already looked for the answers posted here, but none of them works for me!
This is the error message when I try to connect to MySQL:
$> mysql -u user01 -h x.x.x.x -p
ERROR 2003 (HY000): Can't connect to MySQL server on 'x.x.x.x' (110)
Telnet
[root@machine2 ~]# telnet x.x.x.x 3306
Trying x.x.x.x...
telnet: connect to address x.x.x.x: Connection timed out
This is the iptables file:
#Generated by iptables-save v1.4.7 on Thu Jan 4 21:58:18 2018
*filter
:INPUT ACCEPT [56:6256]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35:3538]
-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
COMMIT
#Completed on Thu Jan 4 21:58:18 2018
I already created a user:
CREATE USER 'user' IDENTIFIED BY 'pass';
GRANT ALL PRIVILEGES ON *.* TO 'user';
FLUSH PRIVILEGES;
and this is my my.cnf file:
#For advice on how to change settings please see
#http://dev.mysql.com/doc/refman/5.7/en/server-configuration-defaults.html
[mysqld]
port=3306
skip-name-resolve
skip-external-locking
innodb_buffer_pool_size=3G
#
# Remove leading # and set to the amount of RAM for the most important data
# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
# innodb_buffer_pool_size = 128M
#
# Remove leading # to turn on a very important data integrity option: logging
# changes to the binary log between backups.
# log_bin
#
# Remove leading # to set options mainly useful for reporting servers.
# The server defaults are faster for transactions and fast SELECTs.
# Adjust sizes as needed, experiment to find the optimal values.
# join_buffer_size = 128M
# sort_buffer_size = 2M
# read_rnd_buffer_size = 2M
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
and my port 3306 is already open:
[root@localhost ~]# netstat -petulan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 12889 2056/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 13930 2441/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 13141 2133/cupsd
tcp 0 0 0.0.0.0:32895 0.0.0.0:* LISTEN 29 12977 2078/rpc.statd
tcp 0 0 x.x.x.x:22 x.x.x.x:49964 ESTABLISHED 0 7891927 4453/sshd
tcp 0 64 x.x.x.x:22 x.x.x.x:50203 ESTABLISHED 0 7892871 4482/sshd
tcp 0 0 :::3306 :::* LISTEN 27 7896831 6648/mysqld
tcp 0 0 :::111 :::* LISTEN 0 12892 2056/rpcbind
Is there something wrong here? Thank you!
I'm using CentOS 6.9.
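The number in parentheses after ERROR 2003 is the operating system errno, and it tells you which layer refused you. 110 (ETIMEDOUT) means the SYN was never answered at all; 111 (ECONNREFUSED) means the host replied with a RST, so the packet arrived but nothing was listening on that address/port (or a REJECT rule fired). The iptables-save output above has an INPUT policy of ACCEPT and explicit ACCEPT rules for 3306, so the host's own filter table is not what is discarding the SYN; with a time-out the next places to look are a hosting-provider firewall or security group in front of the machine, and the return route. The script below is an added example (not from the original post): it makes a plain TCP connect, maps the errno to a diagnosis, and reproduces the "open" and "refused" outcomes locally with a throwaway listener. The host and port arguments are whatever you pass on the command line; the time-out case cannot be produced offline.

```python
import errno
import socket
import sys

# Meaning of the errno that the MySQL client appends to
# "ERROR 2003 (HY000): Can't connect to MySQL server on 'host' (N)".
# Numbers are the Linux values; the errno module names apply elsewhere too.
def diagnose(err):
    if err == 0:
        return "open: the TCP handshake completed, something answers on that port"
    if err == errno.ECONNREFUSED:        # 111
        return ("refused: the host answered with RST, so packets do reach it; "
                "nothing listens on that address/port (check bind-address) "
                "or an iptables REJECT rule is in the way")
    if err == errno.ETIMEDOUT:           # 110
        return ("timed out: the SYN was never answered; a DROP rule, a cloud "
                "security group or an upstream firewall is discarding it, or "
                "the replies are routed back a different way")
    if err == errno.EHOSTUNREACH:        # 113
        return "no route to host: routing problem, or a firewall sending ICMP host-unreachable"
    return "unexpected errno %d (%s)" % (err, errno.errorcode.get(err, "?"))

def probe(host, port, timeout=3.0):
    """Try a plain TCP connect; return 0 on success or the errno on failure."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return 0
    except socket.timeout:               # Python raises this without an errno
        return errno.ETIMEDOUT
    except OSError as e:
        return e.errno
    finally:
        s.close()

def local_demo():
    """Reproduce the two outcomes that need no network: a port with a
    listener (0) and a port on the same host with no listener (111)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens there any more
    try:
        return probe("127.0.0.1", open_port), probe("127.0.0.1", closed_port)
    finally:
        srv.close()

if __name__ == "__main__":
    if len(sys.argv) == 3:
        code = probe(sys.argv[1], int(sys.argv[2]))
        print("%s:%s -> %s" % (sys.argv[1], sys.argv[2], diagnose(code)))
    else:
        for code in local_demo():
            print(code, diagnose(code))
```

Run it as `python3 probe.py x.x.x.x 3306` from the client machine; run it with no arguments to see the open/refused pair on localhost. A time-out from outside combined with an ACCEPT verdict on the host is the signature of a filter you do not control.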
I've created an OpenShift 3.11 3-node cluster, 2 of which are compute nodes. I've installed StorageOS on this cluster. One of the compute nodes seems fine with the StorageOS installation; however, the 2nd compute node can't reach the 1st node. It appears that the error is routing related. The 2nd node will not route to the 1st node, it appears.
[root@cortado-o1 standard]# oc get pod -n storageos
NAME READY STATUS RESTARTS AGE
storageos-47qgc 1/1 Running 0 6m
storageos-6bqqp 0/1 Running 3 7m
[root@cortado-o2 ~]# netstat -na | grep 5705
tcp6 0 0 :::5705
[root@cortado-o3 ~]# netstat -na | grep 5705
tcp 0 0 192.168.0.101:43588 192.168.0.101:5705 TIME_WAIT
tcp 0 0 192.168.0.101:43548 192.168.0.101:5705 TIME_WAIT
tcp 0 0 192.168.0.101:43522 192.168.0.101:5705 TIME_WAIT
tcp 0 0 192.168.0.101:43458 192.168.0.101:5705 TIME_WAIT
tcp 0 0 192.168.0.101:43628 192.168.0.101:5705 TIME_WAIT
tcp 0 0 192.168.0.101:43602 192.168.0.101:5705 TIME_WAIT
tcp 0 0 192.168.0.101:43562 192.168.0.101:5705 TIME_WAIT
tcp 0 0 192.168.0.101:43502 192.168.0.101:5705 TIME_WAIT
tcp 0 0 192.168.0.101:43476 192.168.0.101:5705 TIME_WAIT
tcp 0 0 192.168.0.101:43412 192.168.0.101:5705 TIME_WAIT
tcp 0 0 192.168.0.101:43430 192.168.0.101:5705 TIME_WAIT
tcp6 0 0 :::5705 :::* LISTEN
[root@cortado-o3 ~]# !nc
nc 192.168.0.102 5705
Ncat: No route to host.
[root@cortado-o3 ~]# hostname --ip-address
192.168.0.101
time="2018-11-13T04:24:38Z" level=error msg="failed to join existing cluster" action=create category=etcd endpoint="192.168.0.102,192.168.0.101" error="Get http://192.168.0.102:5705/v1/members: dial tcp 192.168.0.102:5705: connect: no route to host" module=cp
time="2018-11-13T04:24:38Z" level=info msg="not first cluster node, joining first node" action=create address=192.168.0.101 category=etcd host=cortado-o3 module=cp target=192.168.0.101
time="2018-11-13T04:24:38Z" level=error msg="failed to join existing cluster" action=create category=etcd endpoint="192.168.0.102,192.168.0.101" error="503 Service Unavailable" module=cp
time="2018-11-13T04:24:38Z" level=info msg="retrying cluster join in 5 seconds..." action=create category=etcd module=cp
Any suggestions? Many thanks.
I can see in your netstat output that StorageOS is bound to the port, not that the nodes can communicate. In fact the Ncat output shows that there is no route to host, so they can't connect. StorageOS needs to be able to communicate among its nodes.
The StorageOS docs have a reference about the prerequisites of the ports and how to open them. https://docs.storageos.com/docs/prerequisites/firewalls
It depends on your OpenShift installation whether you use ufw, firewalld or straight iptables.
For ufw try this:
ufw default allow outgoing
ufw allow 5701:5711/tcp
ufw allow 5711/udp
For firewalld try this:
firewall-cmd --permanent --new-service=storageos
firewall-cmd --permanent --service=storageos --add-port=5700-5800/tcp
firewall-cmd --add-service=storageos --zone=public --permanent
firewall-cmd --reload
For straight iptables:
# Inbound traffic
iptables -I INPUT -i lo -m comment --comment 'Permit loopback traffic' -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -m comment --comment 'Permit established traffic' -j ACCEPT
iptables -A INPUT -p tcp --dport 5701:5711 -m comment --comment 'StorageOS' -j ACCEPT
iptables -A INPUT -p udp --dport 5711 -m comment --comment 'StorageOS' -j ACCEPT
# Outbound traffic
iptables -I OUTPUT -o lo -m comment --comment 'Permit loopback traffic' -j ACCEPT
iptables -I OUTPUT -d 0.0.0.0/0 -m comment --comment 'Permit outbound traffic' -j ACCEPT
Check also the troubleshooting page of StorageOS for this particular issue:
https://docs.storageos.com/docs/platforms/openshift/troubleshoot/install#peer-discovery---networking
In addition, a cluster of fewer than 3 nodes is not supported. You can have 1 node for testing or 3+. But having 2 nodes makes it impossible to ensure quorum in a distributed environment, unless you use StorageOS with the kv store pointed at an external etcd.
I am trying to connect to Server A (Ubuntu 16.04) remotely from Server B (Ubuntu 16.04). I can already use MySQL fine with remote@[Server A IP] on Server A, but I am having trouble accessing that user from Server B. I have gone through the procedure of checking ufw firewalls, configuration files, and the MySQL user, but I cannot seem to find what the issue is. What are possible steps I can go through to provide more information, or is the issue in some information I provided?
Server A with database
Configuration Files
/etc/mysql/my.cnf
# The MariaDB configuration file
#
# The MariaDB/MySQL tools read configuration files in the following order:
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
# 4. "~/.my.cnf" to set user-specific options.
#
# If the same option is defined multiple times, the last one will apply.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]
# Import all .cnf files from configuration directory
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/
[mysqld]
innodb-file-format=barracuda
innodb-file-per-table=1
innodb-large-prefix=1
character-set-client-handshake = FALSE
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
[mysql]
default-character-set = utf8mb4
/etc/mysql/mariadb.cnf
# The MariaDB configuration file
#
# The MariaDB/MySQL tools read configuration files in the following order:
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
# 4. "~/.my.cnf" to set user-specific options.
#
# If the same option is defined multiple times, the last one will apply.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]
# Import all .cnf files from configuration directory
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/
[mysqld]
innodb-file-format=barracuda
innodb-file-per-table=1
innodb-large-prefix=1
character-set-client-handshake = FALSE
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
[mysql]
default-character-set = utf8mb4
/etc/mysql/mariadb.conf.d/50-server.cnf
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql/
#
# this is read by the standalone daemon and embedded servers
[server]
# this is only for the mysqld standalone daemon
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
# Bind to all addresses
# bind-address = 127.0.0.1
#
# * Fine Tuning
#
key_buffer_size = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover = BACKUP
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
#
# * Query Cache Configuration
#
query_cache_limit = 1M
query_cache_size = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file = /var/log/mysql/mariadb-slow.log
#long_query_time = 10
#log_slow_rate_limit = 1000
#log_slow_verbosity = query_plan
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = include_database_name
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
#
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
#
# * Unix socket authentication plugin is built-in since 10.0.22-6
#
# Needed so the root database user can authenticate without a password but
# only when running as the unix root user.
#
# Also available for other users if required.
# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
# this is only for embedded server
[embedded]
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# This group is only read by MariaDB-10.0 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-10.0]
Results from Commands
$ netstat -nat |grep :3306
tcp6 0 0 :::3306 :::* LISTEN
tcp6 0 0 127.0.0.1:54160 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:53974 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:42564 ESTABLISHED
tcp6 0 0 127.0.0.1:42566 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:49010 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:39372 ESTABLISHED
tcp6 0 0 127.0.0.1:54104 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:42576 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:49178 127.0.0.1:3306 TIME_WAIT
tcp6 0 0 127.0.0.1:3306 127.0.0.1:39326 ESTABLISHED
tcp6 0 0 127.0.0.1:39266 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:53976 ESTABLISHED
tcp6 0 0 127.0.0.1:49142 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:49494 ESTABLISHED
tcp6 0 0 127.0.0.1:42590 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:54104 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:39264 ESTABLISHED
tcp6 0 0 127.0.0.1:49434 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:49216 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:49010 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:39372 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:49142 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:42590 ESTABLISHED
tcp6 0 0 127.0.0.1:54162 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:54106 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:49494 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:42576 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:49434 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:54160 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:53974 ESTABLISHED
tcp6 0 0 127.0.0.1:39264 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:42566 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:49216 ESTABLISHED
tcp6 0 0 127.0.0.1:39326 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:54162 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:39266 ESTABLISHED
tcp6 0 0 127.0.0.1:42564 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:53976 127.0.0.1:3306 ESTABLISHED
tcp6 0 0 127.0.0.1:3306 127.0.0.1:54106 ESTABLISHED
Also
MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';
+--------+---------------+
| User | Host |
+--------+---------------+
| remote | [ Server A IP ] |
+--------+---------------+
and
ufw status | grep 3306
3306 ALLOW [ Server B IP ]
Server B trying to connect to Server A
$ mysql -u remote -h [ Server A IP ] -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '[ Server A IP ]' (111 "Connection refused")
also
ufw status | grep 3306
3306 ALLOW [ Server A IP ]
and
telnet 158.69.174.80 3306
Trying 158.69.174.80...
telnet: Unable to connect to remote host: Connection refused
You can see your issue here:
MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';
+--------+---------------+
| User | Host |
+--------+---------------+
| remote | [ Server A IP ] |
+--------+---------------+
You really need [Server B IP] here:
GRANT ALL ON <DB>.* TO 'remote'@'server_B_IP';
This should do it.
Set the MySQL bind-address to 0.0.0.0, because it usually only listens on 127.0.0.1 by default.
sed -i -e "s/^bind-address\s*=\s*127.0.0.1/bind-address = 0.0.0.0/" /etc/mysql/my.cnf
The issue was that the MySQL user {user}@{IP} had {IP} set to the IP of the server hosting MySQL, not the IP of the server which was connecting to the host; {IP} is the IP of the client which connects to the server.
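The Host column of mysql.user is matched against the connecting client, not against the server, and it is matched with SQL LIKE wildcards ('%' any run, '_' one character) or, for IPv4, with an address/netmask pair. A row whose Host is Server A's own address therefore admits nothing coming from Server B. The code below is an added example, not part of the original thread: it implements that matching logic in Python so you can test an account list against a client address before you open the firewall. The addresses 203.0.113.10 (Server A) and 203.0.113.20 (Server B) are constructed stand-ins for the masked IPs in the question, and the "most specific row wins" ordering is an approximation of the server's sort rather than its exact code. One caveat a practitioner should keep in mind: a Host mismatch produces ERROR 1130 "Host ... is not allowed to connect" after the TCP handshake, whereas ERROR 2003 with "Connection refused" is returned before any account is consulted.

```python
import ipaddress
import re

def _like_to_regex(pattern):
    # Host values use SQL LIKE wildcards: '%' matches any run, '_' one character.
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def host_matches(host_value, client):
    """True if a mysql.user Host value admits this client (IP or hostname).
    Approximates the server's rules: '' or '%' admits anyone; 'addr/mask'
    (dotted netmask, or a prefix length as MySQL 8.0.23+ accepts) admits
    clients whose address & mask == addr; anything else is a LIKE pattern."""
    if host_value in ("", "%"):
        return True
    if "/" in host_value:
        base, mask = host_value.split("/", 1)
        try:
            ip = int(ipaddress.IPv4Address(client))
            base_i = int(ipaddress.IPv4Address(base))
            if mask.isdigit():
                bits = int(mask)
                if bits > 32:
                    return False
                mask_i = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
            else:
                mask_i = int(ipaddress.IPv4Address(mask))
        except ValueError:
            return False                 # hostnames never match a netmask form
        return (ip & mask_i) == base_i
    return _like_to_regex(host_value).match(client) is not None

def _specificity(host_value):
    # Literal hosts are tried before patterns, fewer wildcards before more.
    wild = host_value.count("%") + host_value.count("_")
    return (host_value in ("", "%"), wild > 0, wild)

def select_account(accounts, user, client):
    """accounts: iterable of (User, Host) rows as shown by SELECT User, Host
    FROM mysql.user. Returns the Host of the row the server would use, or
    None, which is the case that yields ERROR 1130."""
    candidates = [h for u, h in accounts if u == user and host_matches(h, client)]
    if not candidates:
        return None
    return sorted(candidates, key=_specificity)[0]

# Constructed stand-ins for the masked addresses in the question.
SERVER_A = "203.0.113.10"
SERVER_B = "203.0.113.20"
AS_POSTED = [("remote", SERVER_A)]                       # what the SELECT showed
FIXED = [("remote", SERVER_A), ("remote", SERVER_B)]     # after granting to B's IP

if __name__ == "__main__":
    print("as posted:", select_account(AS_POSTED, "remote", SERVER_B))   # None
    print("fixed:    ", select_account(FIXED, "remote", SERVER_B))       # 203.0.113.20
```

Prefer the narrowest Host that still works: a single client address or a netmask covering one subnet, never '%' on an account with ALL PRIVILEGES on *.*, since the firewall is then the only thing standing between the Internet and a full-privilege login.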
I just got a MySQL problem.
When I start the MySQL service with the command
# service mysqld start
the MySQL service just listens on IPv6 port 3306, which I thought would be IPv4 port 3306.
➜ ~ netstat -ntpl | grep 3306
tcp6 0 0 :::3306 :::* LISTEN 1897/mysqld
➜ ~
The my.cnf is as follows:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
# Recommended in standard MySQL setup
sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
System: CentOS Linux release 7.2.1511 (Core)
MySQL version: mysqld Ver 5.6.35 for Linux on x86_64 (MySQL Community Server (GPL))
Would someone do me a favor and find out how I can change it to listen on IPv4 port 3306? Thanks a lot.
I spent a few hours and found the solution at last!
In the .cnf file there must be bind-address=0.0.0.0,
but not *, not 127.0.0.1, not the client address.
I don't know why, but only 0.0.0.0 works for me:
netstat -a | grep mysql
tcp mysql
else tcp6 mysql
Wishes!!!
Sorry, I think the IPv4 port 3306 is open, and the result I saw from the command isn't true.
When I test the port, it can be connected:
➜ ~ telnet 115.*.*.222 3306
Trying 115.*.*.222...
Connected to 115.*.*.222.
Escape character is '^]'.
J
5.6.35"+d:0$bB�K.DH!fc;?hotmysql_native_password^CConnection closed by foreign host.
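The garbage telnet printed is the server's initial handshake packet, and it is worth being able to read it: the "J" followed by a line break is the 3-byte little-endian packet length (0x4A = 74) and the protocol-version byte 0x0A, then comes the NUL-terminated version "5.6.35", the connection id, the 20-byte auth challenge split in two parts, the capability flags and finally the auth plugin name ("mysql_native_password"). The capability flags are what a pentester or an auditor actually wants from this banner: bit 0x0800 (CLIENT_SSL) says whether the server will accept a TLS upgrade before credentials are sent. The parser below is an added example, not code from the original thread; the packet it builds for testing is constructed with the layout from the MySQL Protocol::HandshakeV10 description, and with version "5.6.35" and the native-password plugin it comes out at exactly 74 bytes, the "J" seen above. fetch_handshake is a network helper for use against a live server and is not exercised offline.

```python
import socket
import struct

CLIENT_SSL = 0x0800                 # server accepts a TLS upgrade
CLIENT_SECURE_CONNECTION = 0x8000   # 20-byte challenge (4.1+ authentication)
CLIENT_PLUGIN_AUTH = 0x00080000     # auth plugin name is sent

def build_handshake(version, conn_id, salt, capabilities,
                    plugin="mysql_native_password", seq=0):
    """Constructed Protocol::HandshakeV10 packet for testing; not a capture."""
    assert len(salt) == 20
    body = bytearray([10])                          # protocol version 10
    body += version.encode() + b"\x00"
    body += struct.pack("<I", conn_id)
    body += salt[:8] + b"\x00"                      # challenge part 1 + filler
    body += struct.pack("<H", capabilities & 0xFFFF)
    body.append(0x21)                               # utf8_general_ci
    body += struct.pack("<H", 0x0002)               # SERVER_STATUS_AUTOCOMMIT
    body += struct.pack("<H", capabilities >> 16)
    body.append(len(salt) + 1 if capabilities & CLIENT_PLUGIN_AUTH else 0)
    body += b"\x00" * 10                            # reserved
    if capabilities & CLIENT_SECURE_CONNECTION:
        body += salt[8:] + b"\x00"                  # part 2: 12 bytes + NUL
    if capabilities & CLIENT_PLUGIN_AUTH:
        body += plugin.encode() + b"\x00"
    return struct.pack("<I", len(body))[:3] + bytes([seq]) + bytes(body)

def parse_handshake(buf):
    """Decode the first packet a MySQL server sends after the TCP connect."""
    length = int.from_bytes(buf[0:3], "little")
    body = bytes(buf[4:4 + length])
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] == 0xFF:                             # ERR packet, e.g. host not allowed
        raise ValueError("server error: %s" % body[3:].decode("latin-1"))
    if body[0] != 10:
        raise ValueError("unsupported protocol version %d" % body[0])
    end = body.index(b"\x00", 1)
    version = body[1:end].decode("ascii", "replace")
    pos = end + 1
    conn_id, = struct.unpack_from("<I", body, pos); pos += 4
    salt = body[pos:pos + 8]; pos += 9              # part 1, then skip filler
    cap_low, charset, status, cap_high = struct.unpack_from("<HBHH", body, pos); pos += 7
    caps = (cap_high << 16) | cap_low
    auth_len = body[pos]; pos += 11                 # length byte + 10 reserved
    if caps & CLIENT_SECURE_CONNECTION:
        n = max(13, auth_len - 8)
        salt += body[pos:pos + n].split(b"\x00", 1)[0]; pos += n
    plugin = ""
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = body[pos:body.index(b"\x00", pos)].decode("ascii", "replace")
    return {"sequence": buf[3], "server_version": version, "connection_id": conn_id,
            "capabilities": caps, "charset": charset, "status": status,
            "salt": salt, "auth_plugin": plugin, "ssl_offered": bool(caps & CLIENT_SSL)}

def fetch_handshake(host, port=3306, timeout=5.0):
    """Read the greeting from a live server (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        head = b""
        while len(head) < 4:
            chunk = s.recv(4 - len(head))
            if not chunk:
                raise ValueError("connection closed before header")
            head += chunk
        need = int.from_bytes(head[:3], "little")
        body = b""
        while len(body) < need:
            chunk = s.recv(need - len(body))
            if not chunk:
                raise ValueError("connection closed mid-packet")
            body += chunk
        return parse_handshake(head + body)

if __name__ == "__main__":
    pkt = build_handshake("5.6.35", 1897, b"0123456789abcdefghij",
                          CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)
    print(len(pkt), pkt[:5])            # 78 b'J\x00\x00\x00\n'
    print(parse_handshake(pkt))
```

If ssl_offered is False on a server you reach over the Internet, every login sends a native-password response derived from the 20-byte salt and every query travels in clear; fix that (ssl-cert/ssl-key in my.cnf, require_secure_transport where supported) before opening 3306 to remote addresses.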
I want to whitelist 2 external IP addresses for port 3306 (MySQL), but block all other IP addresses to port 3306 on a Debian server running a MySQL instance. Both external IP addresses should be able to connect to the MySQL server.
What is the best way in iptables?
What I did:
/sbin/iptables -A INPUT -p tcp -d 127.0.0.1 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 1.1.1.1 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 85.x.x.x --dport 3306 -j ACCEPT
(1.1.1.1 is an internal IP and is masked here for security purposes)
## Block all connections to 3306 ##
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
What happened:
Every external IP is locked out and can't connect.
What should happen:
Every external IP will be locked out and can't connect, except 1.1.1.1, 85.x.x.x and 127.0.0.1.
iptables -N mysql # create chain for mysql
iptables -A mysql --src 127.0.0.1 -j ACCEPT
iptables -A mysql --src 1.1.1.1 -j ACCEPT
iptables -A mysql --src 85.x.x.x -j ACCEPT
iptables -A mysql -j DROP # drop packets from other hosts
iptables -I INPUT -m tcp -p tcp --dport 3306 -j mysql # use chain for packets to MySQL port
I am trying to restrict the MySQL 3306 port on a Linux machine from making any connections to anything other than localhost, to prevent outside attacks. I have the following code; I am not sure if it's correct:
iptables -A INPUT -p tcp -s localhost --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp -s localhost --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A OUTPUT -p tcp --dport 3306 -j DROP
My other question is: is it correct to only give localhost access? This is a standard dedicated CentOS web server with more than 30 domains on it.
Why not just turn off networking in MySQL?
Add to my.cnf:
skip-networking
It's also supposed to give a negligible performance improvement by forcing connections through pipes, which skips over lots of tests used for the networking section. Please note you will need to use localhost, not 127.0.0.1, after the change.
iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
The above rule combines your two lines into a single one.
Answer to your second question:
If you do not want to provide MySQL access from anywhere other than localhost, then it is perfectly fine to configure it this way. Simple. :-)
iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
If you want to remove the filtering, use this:
iptables -D INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -D INPUT -p tcp --dport 3306 -j DROP
Note: Both might require root, so: sudo iptables (...)