So I followed the official MySQL documentation to enable encryption on a MySQL database running in Docker:
- Using the keyring_file File-Based Plugin
- Keyring Plugin Installation
- keyring_file_data
Here is what I did:
- Added early-plugin-load and keyring_file_data to /etc/mysql/my.cnf (I used echo stuff >> file, because the mysql docker image has no text editor), so it is now:
[mysqld]
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
datadir = /var/lib/mysql
secure-file-priv= NULL
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Custom config should go here
!includedir /etc/mysql/conf.d/
early-plugin-load=keyring_file.so
keyring_file_data=/usr/local/mysql/mysql-keyring/keyring
- Created the keyring file with:
cd /usr/local/mysql
mkdir mysql-keyring
chmod 750 mysql-keyring
chown mysql mysql-keyring
chgrp mysql mysql-keyring
- Restarted the container to restart mysql
- Connected to mysql and checked the plugin availability (with no luck):
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';
- Checked the logs for errors:
2020-03-15T12:30:08.669015Z 0 [ERROR] [MY-011370] [Server] Plugin keyring_file reported: 'File '/usr/local/mysql/mysql-keyring/keyring' not found (OS errno 20 - Not a directory)'
2020-03-15T12:30:08.669036Z 0 [ERROR] [MY-011355] [Server] Plugin keyring_file reported: 'keyring_file initialization failure. Please check if the keyring_file_data points to readable keyring file or keyring file can be created in the specified location. The keyring_file will stay unusable until correct path to the keyring file gets provided'
2020-03-15T12:30:08.669053Z 0 [ERROR] [MY-010202] [Server] Plugin 'keyring_file' init function returned error.
So it looks like I enabled the plugin correctly, but something is wrong with the file.
Am I missing a step or two?
Keyring file:
root@8c3670db35d4:/# ls -la /usr/local/mysql/mysql-keyring/
total 8
drwxr-s--- 2 mysql mysql 4096 Mar 15 12:34 .
drwxr-sr-x 3 root staff 4096 Mar 15 12:33 ..
-rw-r----- 1 mysql mysql 0 Mar 15 12:34 keyring
Are you sure you created the keyring file correctly inside the container? Here is how I achieved the above with a crafted Dockerfile.
- Create a folder for your image project (use whichever folder you like):
mkdir /tmp/testMysqlKeyring
cd /tmp/testMysqlKeyring
- Create a mysql keyring drop-in config file keyring.cnf with the following content:
[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/usr/local/mysql/mysql-keyring/keyring
- Create a Dockerfile with the following content:
FROM mysql:8
# Place the dropin config file in the relevant folder
COPY keyring.cnf /etc/mysql/conf.d/
# Create the keyring folder and adapt perms
RUN mkdir -p /usr/local/mysql/mysql-keyring && chmod 750 /usr/local/mysql/mysql-keyring && chown mysql.mysql /usr/local/mysql/mysql-keyring
- Build the image from the above configuration:
docker build -t file_keyringed_mysql:latest .
- Run a container from that image (you will adapt your exact volumes and environment later...):
docker run -d --rm --name my_keyring_test -e MYSQL_ALLOW_EMPTY_PASSWORD=true file_keyringed_mysql:latest
- Check that the plugin is correctly installed inside the container:
$ docker exec my_keyring_test mysql -e "SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%';"
PLUGIN_NAME	PLUGIN_STATUS
keyring_file	ACTIVE
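A pre-flight check for the failure shown in the question, added here as an example and not part of either post: it reads keyring_file_data from an option file and verifies, before the server is started, that the keyring directory is a real directory with the 750/mysql layout both posts use, which is what the "Not a directory" (OS errno 20) error in the log is complaining about. It assumes GNU coreutils (stat -c); the expected owner is a parameter so it can run on a host where no mysql user exists.

```shell
#!/bin/sh
# Added example: validate the keyring_file_data path from a MySQL option file.
# Assumes GNU stat (-c). Expected owner defaults to "mysql" as in the thread.

# Print the (last) keyring_file_data value in an option file; return 1 if unset.
keyring_path_from_cnf() {
    cnf="$1"
    val=$(sed -n 's/^[[:space:]]*keyring_file_data[[:space:]]*=[[:space:]]*//p' "$cnf" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# check_keyring_layout <option file> [expected owner]
# Returns 0 when the directory holding the keyring exists, is a directory owned
# by the expected user with no group-write and no "other" permissions (750 or
# stricter, setgid allowed), and any existing keyring file is a regular file
# owned by that user. Each failure names the condition the server would hit.
check_keyring_layout() {
    cnf="$1"; owner="${2:-mysql}"
    path=$(keyring_path_from_cnf "$cnf") || { echo "keyring_file_data not set in $cnf"; return 1; }
    dir=$(dirname "$path")
    if [ ! -d "$dir" ]; then
        # A missing or non-directory path component is the "OS errno 20" case in the log.
        echo "keyring directory $dir is missing or not a directory"; return 1
    fi
    if [ "$(stat -c '%U' "$dir")" != "$owner" ]; then
        echo "keyring directory $dir is not owned by $owner"; return 1
    fi
    mode=$(stat -c '%a' "$dir")
    perm=$(printf '%s' "$mode" | tail -c 3)   # drop setuid/setgid/sticky digit
    case "$perm" in
        ?[0145]0) ;;                          # group: no write bit; others: nothing
        *) echo "keyring directory $dir has mode $mode; expected 750 or stricter"; return 1 ;;
    esac
    if [ -e "$path" ]; then
        [ -f "$path" ] || { echo "$path exists but is not a regular file"; return 1; }
        [ "$(stat -c '%U' "$path")" = "$owner" ] || { echo "$path is not owned by $owner"; return 1; }
    fi
    echo "ok: keyring path $path (dir mode $mode, owner $owner)"
    return 0
}
```

Run it against the option file inside the image (for example docker exec <container> sh -c '...') after copying the functions in; a non-zero exit explains which of the conditions the keyring_file plugin will trip over.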