I need to disble remote access during nightly mysql maintenance on Linux server so that no one can query the database during that time. I can't do SERVICE MYSQL STOP because then I couldn't do what I needed to do (truncate and rebuild a couple tables). Is there a way to turn off external access for a short time?
Thanks in advance.
Here is a great way without touching anything in the OS:
Step 1) Export all users to SQL file like this:
mysql -h localhost -u root
-p rootpassword --skip-column-names -A -e"SELECT CONCAT('SHOW GRANTS FOR ''',user,'''#''',host,''';') FROM
mysql.user WHERE user<>''" | mysql
-hlocalhost -uroot -prootpassword --skip-column-names -A | sed 's/$/;/g' > /root/MySQLGrants.sql
Step 2) Disable all users except root#localhost
DELETE FROM mysql.user WHERE CONCAT(user,host) <> 'rootlocalhost';
FLUSH PRIVILEGES;
Step 3) Perform your maintenance
Step 4) Reload the Grants
mysql -h localhost -u root -p rootpassword < /root/MySQLGrants.sql
Give this a Try !!!!
PS
service mysql restart --skip-networking
would still be the simplest and fastest way plus logging off all connections before maintenance
just run service mysql restart after your maintenance
Since 5.7.5 there's an "official way" to deal with that:
MySQL Server now supports an “offline mode” with these
characteristics:
Connected client users who do not have the SUPER privilege are
disconnected on the next request, with an appropriate error.
Disconnection includes terminating running statements and releasing
locks. Such clients also cannot initiate new connections, and receive
an appropriate error.
Connected client users who have the SUPER privilege are not
disconnected, and can initiate new connections to manage the server.
Replication slave threads are permitted to keep applying data to the
server.
Only users who have the SUPER privilege can control offline mode. To
put a server in offline mode, change the value of the new offline_mode
system variable from OFF to ON. To resume normal operations, change
offline_mode from ON to OFF. In offline mode, clients that are refused
access receive an ER_SERVER_OFFLINE_MODE error.
Disable the login credentials used by the remote apps?
Firewall the MySQL port so it can't be accessed by the remote apps?
There are some another method to temporary disable access to MySQL database during maintenance.
Edit /etc/mysql/my.conf'
Change bind-address to:
bind-address = 127.0.0.1
Restart MySQL:
service mysql restart --skip-networking
Nobody will access MySQL server from remote until you have change bind-address to original value and restart MySQL again.
Related
I am using "mysql -u root -p" command to start mysql but I am getting error as:
Access denied for user 'root'#localhost''
I always have to use sudo to to launch it. Other applications start normally. How do I get around it? I am doing jdbc connection (java). Mysql doesn't give access to database in java. I think requiring sudo command is the problem.
System:
Ubuntu 18.04 LTS dual booted with Windows 10.
I always have to use sudo to to launch it
No. You need to use sudo to get the client to authenticate against the server.
The reason for this is that recent versions of MySQL (and MariaDB, PerconaDB) use SO_PEERCRED to very that the username asserted in the connection string (root) is the same user as started the client (this makes use of a password somewhat redundant).
Since SO_PERRCRED only works on filesystem sockets (AF_UNIX) you may be able to bypass the constraint by connecting via a network socket, e.g.
mysql -h 127.0.0.1 -u root -p
But do be aware that MySQL typically has separate user records for connections via network (host != 'localhost') and filesystem (host='localhost') sockets.
But as per the question #Ciarambola flagged, 'root' is a special case and should not be used for routine access - you should create a new user.
Mysql doesn't give access to database in java
You should never use an admin account as the embedded credentials in an application. If you make that account with the same name as your user you won't need to use sudo when you connect to 'localhost'.
I have a strange issue on a web server (Windows Server 2012) with MySQL 5.7.16.
I can't connect anymore to mysql server, I don't know why.
If I type mysql -uroot -ppassword appear an error
ERROR 1130 <HY000>: Host '::1' is not allowed to connect to this MySQL server or
ERROR 1130 <HY000>: Host '127.0.0.1' is not allowed to connect to this MySQL server
I tried to use another user with all privileges and I've seen that in host there is only localhost (not 127.0.0.1 or ::1)
How can I login with root#localhost and not with root#127.0.0.1?
It's very frustrating...
Every account trying to use #127.0.0.1 or #::1 but there exist only localhost in host and I can't change it.
If I type mysql -uroot -ppassword I see
ERROR 1130 <HY000>: Host '127.0.0.1' is not allowed to connect to this MySQL server
Same if I type mysql -uroot -ppassword -h localhost or anything else
Ok i Fixed...
I've comment "skip_name_resolve" in my.ini and everything is back to work.. i really don't know why because this record was in my.ini also yesterday..last week.. last month..
The variable skip_name_resolve gives better performance because the server does not try to resolve the names of the connecting clients or look for them every time in the host name cache (even localhost is resolved/searched), but the manual states that config also limits the #localhost connections. The solution is to copy the #localhost users with #127.0.0.1, like this:
CREATE USER 'root'#'127.0.0.1' IDENTIFIED BY 'root-password';
CREATE USER 'root'#'::1' IDENTIFIED BY 'root-password';
FLUSH PRIVILEGES;
where ::1 is localhost for IPv6 addressing. This way we keep the root and local accounts limited to the local server. Using '%' open the potential clients to the world, and we don't want that. Disabling skip_name_resolve also requires the server having an accesible and fast DNS resolver to minimize latency.
I noted that I can connect with a local phpmyadmin even if the user has #localhost; this is because phpmyadmin connects thru a local unix socket, a special type of file used to communicate between processes, and does not need networking.
EDIT: As #Francisco R noted, the new root users also should have full access to all databases by issuing the following commands:
GRANT ALL PRIVILEGES ON *.* TO 'root'#'127.0.0.1'
GRANT ALL PRIVILEGES ON *.* TO 'root'#'::1'
FLUSH PRIVILEGES
I had the same message after a fresh installation with the no-install zip and solved it as follows. Perhaps this could have been a solution for your problem too:
Stop the MySQL server or service.
Open a Command Prompt window with administrative rights and go to the bin folder in the MySQL install directory.
Start MySQL with skip-grants-table and don't forget your config file:
mysqld --defaults-file=[filename] --skip-grant-tables
Open another Command Prompt window and go to the bin folder again.
Now you can login:
mysql -u root -p
Show the users with:
SELECT user, host FROM mysql.user;
Verify there is one 'root' with host 'localhost'.
Change the host:
UPDATE mysql.user SET host='%' WHERE user='root';
Exit the mysql program and close the Command Prompt window.
Type Ctrl-C in the other Command Prompt window to stop the server, then close the Command Prompt Window.
Start MySQL as you normally would and verify that you can login.
Make sure that when you created the user you have specified % as the hostname, otherwise the user will only be able to connect from the localhost.
I came here looking for a solution using Local by flywheel for wordpress development to the same problem, BUT, in a linux machine.
Just if someone faces the same problem, the solution listed here works.
Just comment skip_name_resolve in the file conf/mysql/my.cnf.hbs under the file tree created by Local
Thanks!
Looks that you need to modify your hosts file. C:\Windows\System32\Drivers\etc\hosts
just add the line and save it, (to be able to edit and save you may need to open it as administrator)
127.0.0.1 localhost
so I have two free gears on OpenShift.
One is a PHP with MySql 5.7 from:
https://github.com/icflorescu/openshift-cartridge-mysql
To which I can remote login from my PC without any problem by SSH tunnel.
Now on the second gear I wanted to create Spring Boot app that would connect to DB on the first gear. Using env | grep MYSQL on first gear I receive:
OPENSHIFT_MYSQL_DB_PORT=13306
OPENSHIFT_MYSQL_DB_HOST=127.10.104.130
So this + my logging data was put into Spring application.properties, after successfull build Spring crashed at data pool creation because it could not connect to database so I SSHed into second hear and tried accessing MySQL instance from first gear via:
mysql -u root -h 127.10.104.130 -P 13306 but I get error message:
Can not connect to MySQL Server on '127.10.104.130' (113)
After that I tried:
mysql -u root -h myAppName-domain.rhcloud.com -P 13306 which results in longer time of connection but ultimatelly failling with:
Can not connect to MySQL Server on 'myAppName-domain.rhcloud.com' (110)
And I can easly ping gear#1 from gear#2 so I am confused - do I need some extra sql config or firewall settings? I am also doing tail on mysql logs and nothing is showing up like connection is not even made.
If you are connecting on another gear you have to use the OPENSHIFT_MYSQL_DB_PROXY_PORT instead.
The easiest way I find to tell if its a database issue or a network issue is to simply try to telnet to the remote mysql host.
Ex - this should result in a connection timeout if you are on a different gear.
telnet 127.10.104.130 13306
But this should connect:
telnet <mysql app id>.domain.rhcloud.com <WHATEVER THE PROXY PORT IS>
I'm the author of the openshift-cartridge-mysql mentioned above.
It's been a while since I've published that cartridge, but if I remember correctly, the setup script is quite unassuming and there's nothing created by default, so you have to create your own users, databases and explicitly grant the appropriate privileges.
Connect from your PC either by ssh or by Workbench over ssh tunnel, create your user and database, then execute something like:
GRANT ... ; FLUSH PRIVILEGES;
You can learn more on MySQL's GRANT command in the official manual.
There's a line in the repo README exemplifying how you could grant remote access to root, which is not as unsafe as it looks because you can only access the DB gear from your main application gear.
But ideally you'd want to limit the access as much as possible (to a specific user coming from a specific host/IP, such as your main application gear). Something like this:
GRANT ALL ON appdb.* TO 'appuser'#'appgear';
Don't forget to FLUSH PRIVILEGES when you're done.
I hope this helps,
#icflorescu
I'm using homestead and trying login to my mysql database via phpmyadmin. I have used same settings couple years already.
Yesterday I started working and I run the command homestead up - but this time everything seemed a bit different than usually. For example, vagrant insecure key detected and then vagrant automatically replace that with a newly generated keypair - okay, thats not bad, and I guess thats completely fine.
After that its stop and start nginx and php5-fpm nine times and then comes ==> default: mysql:
==> default: [Warning] Using a password on the command line interface can be insecure.
==> default: Please use --connect-expired-password option or invoke mysql in interactive mode.
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.
Okay, well I logged in homestead ssh and then mysql -u homestead -p password and set the new password. No errors thrown. Great.
Then I tried to log in my database phpmyadmin.app with the homestead username and new password but.. for some reason my databases are disappeared.
Well... after great Google search session I noticed when I write mysql> select * from mysql.user; command, there is two homestead users. First one is under 0.0.0.0 ip and second is under % - I'm pretty sure that this causes my problem one way or another, because the homestead user which uses % is made same day when this problem first time occurred.
Or.. I'm completely wrong direction and the problem causes for different reason(s). Whatever the case, I'm here to ask some help from a bit smarter guys than me.
Should I remove the second homestead user, or what would you suggest?
I really appreciate your time.
First see my mysql answer for a related issue.
For these kinds of problems with Laravel Homestead, I recommend throwing away and reinitializing the Vagrant box. Homestead is just a sandbox (as long as you back up your client machine data, there is no harm in rebuilding the sandbox).
First, back up any MySQL databases or other client machine information with a tool like mysqldump or Sequel Pro, as it will be lost when your box is re-provisioned.
Then:
# from host machine
cd ~/Homestead
vagrant destroy
vagrant box prune
vagrant up --provision
# if still seeing MySQL errors during provisioning, do the steps in https://stackoverflow.com/a/46106953/539149 or:
vagrant ssh
# log into mysql (for Homestead your password is likely "secret")
mysql -h localhost -u homestead -p
SET PASSWORD = PASSWORD('secret');
-- A) set password to never expire:
ALTER USER 'root'#'localhost' PASSWORD EXPIRE NEVER;
-- or B) to change password as well:
ALTER USER 'root'#'localhost' IDENTIFIED BY 'new_password', 'root'#'localhost' PASSWORD EXPIRE NEVER;
-- quit mysql
quit
# exit back to host shell
exit
vagrant up --provision
How did you set the password? It sounds like in the process, you probably created a new user which didn't have the proper permissions. This explains why you weren't able to see the databases when connecting as that user.
Then, you went and deleted that user, which would have put you back where you started, except you also changed the host from 0.0.0.0 to 'localhost'. I'm not familiar with using the 0.0.0.0 syntax in this location, but presumably it means all TCP hosts just like when used in my.cnf for bind-address. Normally I use '%', but I hesitate to suggest that because if 0.0.0.0 was working, I wouldn't mess with it. But anyway, 'localhost' is different from '%' or any other TCP connection; localhost specifically refers to socket connections, whereas the others refer to TCP connections. Probably your applications are using the tcp protocol, and you just removed permissions for that user (by telling MySQL to only allow connections over the socket protocol).
I suggest any of these solutions:
Revert the existing user to the 0.0.0.0 hostname
Change the existing user's hostname to %
Add a new user, but give proper permissions to the database that user needs to access
Tell your applications to access MySQL using the socket protocol rather than tcp networking (depending on your exact system configuration).
I had this problem for many days and it really drives me crazy. Dont know why, my Homestead and its credential to access to mysql was fine until recently. Basically I just create a new user and stop using homestead as user.
If you can still ssh to it and sudo su, you can try this.
1) vagrant ssh
2) sudo su
3) mysql -u root -p ( when you are as super user, mysql wont ask you password)
4) Then simply set a new user.
CREATE USER 'newuser'#'localhost' IDENTIFIED BY 'password';
then
GRANT ALL PRIVILEGES ON * . * TO 'newuser'#'localhost';
5) Then, login to phpmyadmin using the new user.
I tried to update my Mysql instance to support remote access. I went to MySQL Administration UI and added % (any host) for user root and removed all other entries.
Now I cannot access MySQL as root from any machine including localhost. What is the best way to fix this?
Stop MySQL server
Restart it on the command line, skipping authorizations: mysqld.exe --skip-grant-tables
Fix your permissions (add both a localhost and a 127.0.0.1 record for root to the mysql.user table)
Stop MySQL server
Start MySQL normally