In my env variable there is host for MySQL database. But it is ip in local network (starts with 127...). How can I make MySQL available for external world via domain name for db?
This is not possible. Openshift is a Platform-as-a-Service (PaaS) that shields the internals of the implementation in a paradigm that allows access through an API connector such as PHP and a database cartidge. Or through SSH tunneling. It does not expose an IP Address of your mysql server sitting there as port 3306 for use in development with such db libraries a c#, java, python, etc. Or with Mysql Workbench or the like.
In fact, it is not your mysql server as much as it is a shared one.
Infrastruture-as-a-Service (IaaS) platforms such as AWS EC2 would allow for those native port 3306 connections and a public IP Address exposed if you opened up the firewall for them.
With Openshift, in order to achieve connections with such things as Mysql Workbench, you need a pki key pair and an SSH tunnel. Same for a native app, say, written in c#, which would need the likes of SSH.NET . these are all configurations that are bearable for a single developer, but don't scale for a rollout to your users, generally speaking. Unless you are up for the task of doing that. That is, key management.
It is one of the drawbacks, but also one of the security guarantees you can bank on. You can also enjoy its simplicity. But it has its shortcomings. I have converted some people away from Openshift once they have realized this. The same limitations exist with major shared hosts where SSH is the only way in.
I hope I have answered your question.
Related
I need to access a postgres database from my java code which resides in openshift cluster. I need a way to do so. without initiating port forwarding manually through oc port forward command.
I have tried using openshift java client class openshift connection factory to get the connection by passing server url and username password through which I log in to the console but it dint help.
(This is mostly just a more detailed version of Will Gordon's comment, so credit to him.)
It sounds like you are trying to expose a service (specifically Postgres) outside of your cluster. This is very common.
However the best method to do so does depend a bit on your physical infrastructure because we are by definition trying to integrate with your networking. Look at the docs for Getting Traffic into your Cluster. Routes are probably not what you want, because Postgres is a TCP protocol. But one of the other options in that chapter (Load Balancer, External IP, or NodePort) is probably your best option depending on your networking infrastructure and needs.
I'm new to cloud computing so this might be an obvious question. I have a desktop Java application that will connect to an AWS RDS MySQL database using JDBC. Is using the endpoint, username and password for the database the preferred commercial way of connecting to the database?
To encrypt communication I plan to use SSL.
You could open your database instance to the outside, using regular credentials. But, a safer way to proceed might be to create an endpoint in AWS, possibly running in Java, which would expose one or more APIs which in turn would hit the MySQL database running in RDS. That is, you would not expose the RDS instance to the outside world directly, but only internally to this API, also running in AWS. Then, your desktop Java application would talk to this intermediary application when it needs to access the database.
The advantage of this suggestion is that it lessens the risk of your RDS instance being attacked via something like DOS. Of course, the API you create on top of the database could also be attacked. But, Java web application running in a container (and other similar applications in other languages) were designed to be exposed to the outside, much less so database instances.
I am facing this problem:
stackoverflow question
except my host doesn't seem to have cpanel. Since the answer given in the linked question is cpanel related it has not helped me. Is there anything I can do?
It seems you are trying to connect from a client machine located on your desk to a mySQL server instance located in a service provider's server farm. You're trying to use the ODBC "driver" for mySQL to do this, so you can look at your mySQL data with MS Access. (Right?)
You need to make sure this particular hosting service provider allows remote connections to their mySQL server instances. Some service providers, especially the lowest-cost ones, prevent these remote connections using firewalls or other network isolation techniques. (They do that because it's easier to control both security and performance when only their own web servers can connect to their mySQL servers. ) If your service provider prevents all these connections as a matter of policy, you're going to need another service provider.
If they DO allow remote connections, you may need to enable those connections for your mySQL database. That's what the "cpanel" function mentioned in the other question is about. cpanel is a popular control panel web application offered by many commercial hosting service providers to allow self-service control by their customers. If your service provider doesn't use cpanel, you'll have to find out what they do use. Even if they do use cpanel, they may still not allow remote mySQL connections.
You will also have to make sure your client machine (the one running ODBC) and user have authorization in the mySQL user database.
You would do well to put in a service ticket to your service provider asking if they do offer remote mySQL access. If they say "yes," then you can ask them for advice and help on setting it up.
Keep in mind that opening mySQL server instances for direct connection over the publicly accessible internet is not ordinarily considered a good security practice. If the data in your database is in any way private (peoples' identity information, for example) you need to be very careful indeed.
So...I want to put the Web Server on one EC2 instance and the MySQL database on a separate EC2 instance. Which I can do, but how would I point the web server over to the other instance that I am using for MySQL?
You know Amazon do offer a specialized MySQL instance instead of standard instances, just gives backups, etc.
I'm not sure whether you mean how do you expose MySQL service as a port, or how to identify the database instance.
You can expose MYSQL on a machine port as service and access through telnet or SSH (usually SSH). The default is 3306, I believe.
To get the IP of the database instance, create and assign an elastic IP to the DB instance and use that.
Every instance of EC2 that is spun up has a number of domain names associated with it.
You probably want to use the internal address for communication (saves you money). It looks something like domU-12-31-39-00-86-35.compute-1.internal and is treated like any other hostname.
The issue with using such internal addresses, rather than elastic IP, is that if things reboot, you need to update the internal addresses. Your mileage may vary, but I was part of a project that ran for months and saw no EC2 reboots (other than what the team rebooted themselves).
See http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?concepts-instance-addressing.html for more on addressing (look for "Using Instance IP Addresses" -- Amazon doesn't like deep linking, apparently).
I'm new to MySQL and I'm using a desktop DB management app called "Querious" to simplify the process while I learn.
I want to work on (mainly just structure & basic population) a database that's hosted elsewhere, but the host won't allow any remote MySQL calls on their server.
What is their reasoning for restricting MySQL calls to localhost only? Is this a security or a performance concern?
This is a security concern. The idea is that if people can't remotely connect, they have to compromise the system. Not just the files that hold the database information.
You may be able to request that just add your IP address to a trusted host file, but I doubt they'll do that either.
It's fairly common practice to not allow remote DB connections
I've run into this problem with GoDaddy where they implement this by default. You can change this, however, by indicating that you want to allow remote access. If you've already created your DB, though, you can't change it, so I would recommend creating a new DB and deleting your other one.
The reason why is for security. If only your app can call your DB, you don't have to worry about other people trying to access it.
Distill,
An improperly-configured MySQL instance is dangerous, whether the user is remote or local. This could allow malicious attackers to cause crashes or remote execution of arbitrary code (i.e., owning the machine).
You can use PuTTY to create a tunnel if it's allowed by the server so that your application traffic goes through ssh and then is forwarded to the correct port on localhost.