Cannot enable encryption via the keyring file



OK, I followed the official MySQL documentation to enable encryption on a MySQL database running in docker:

  • Using the keyring_file file-based plugin
  • Keyring plugin installation
  • keyring_file_data

Here is what I did:

  1. Added early-plugin-load and keyring_file_data to /etc/mysql/my.cnf (I used echo stuff >> file because the mysql docker image has no text editor), so it now reads:
[mysqld]
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
datadir         = /var/lib/mysql
secure-file-priv= NULL
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Custom config should go here
!includedir /etc/mysql/conf.d/
early-plugin-load=keyring_file.so
keyring_file_data=/usr/local/mysql/mysql-keyring/keyring
  2. Created the keyring file with
cd /usr/local/mysql
mkdir mysql-keyring
chmod 750 mysql-keyring
chown mysql mysql-keyring
chgrp mysql mysql-keyring
  3. Restarted the container to restart mysql
  4. Connected to mysql and checked plugin availability (with no luck)
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';
  5. Checked the logs for errors:
2020-03-15T12:30:08.669015Z 0 [ERROR] [MY-011370] [Server] Plugin keyring_file reported: 'File '/usr/local/mysql/mysql-keyring/keyring' not found (OS errno 20 - Not a directory)'
2020-03-15T12:30:08.669036Z 0 [ERROR] [MY-011355] [Server] Plugin keyring_file reported: 'keyring_file initialization failure. Please check if the keyring_file_data points to readable keyring file or keyring file can be created in the specified location. The keyring_file will stay unusable until correct path to the keyring file gets provided'
2020-03-15T12:30:08.669053Z 0 [ERROR] [MY-010202] [Server] Plugin 'keyring_file' init function returned error.

So it looks like I enabled the plugin correctly, but something is wrong with the file.

Am I missing some steps?

Keyring file

root@8c3670db35d4:/# ls -la /usr/local/mysql/mysql-keyring/
total 8
drwxr-s--- 2 mysql mysql 4096 Mar 15 12:34 .
drwxr-sr-x 3 root  staff 4096 Mar 15 12:33 ..
-rw-r----- 1 mysql mysql    0 Mar 15 12:34 keyring

Are you sure you created the keyring file correctly inside the container? This is how I managed to get the above working with a dedicated Dockerfile.

  1. Create a folder for your image project (use whatever folder you like)
    mkdir /tmp/testMysqlKeyring
    cd /tmp/testMysqlKeyring
    
  2. Create a mysql keyring drop-in configuration file keyring.cnf with the following content:
    [mysqld]
    early-plugin-load=keyring_file.so
    keyring_file_data=/usr/local/mysql/mysql-keyring/keyring
    
  3. Create a Dockerfile with the following content

    FROM mysql:8
    # Place the dropin config file in the relevant folder
    COPY keyring.cnf /etc/mysql/conf.d/
    # Create the keyring folder and adapt perms
    RUN mkdir -p /usr/local/mysql/mysql-keyring && \
        chmod 750 /usr/local/mysql/mysql-keyring && \
        chown mysql.mysql /usr/local/mysql/mysql-keyring
    
  4. Build the image from the above configuration:
    docker build -t file_keyringed_mysql:latest .
    
  5. Run a container from that image (you will later adapt it to your exact volumes and environment...)
    docker run -d --rm --name my_keyring_test -e MYSQL_ALLOW_EMPTY_PASSWORD=true file_keyringed_mysql:latest
    
  6. Check that the plugin is correctly installed inside the container
    $ docker exec my_keyring_test mysql -e "SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%';"
    PLUGIN_NAME     PLUGIN_STATUS
    keyring_file    ACTIVE
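The question's log shows the plugin refusing to start because a component of keyring_file_data is "Not a directory (OS errno 20)", and the answer's Dockerfile fixes the path, ownership and mode in one go. The following preflight check is an added example, not code from the question, the answer or MySQL: it walks every ancestor of the configured keyring path and reports the conditions the plugin's startup errors name (a missing or non-directory parent, a directory not owned by the service user, and a keyring directory or file that other users can reach). It assumes the service user is called mysql, as in the official image; pass another user name as the second argument.

```shell
#!/bin/sh
# Added example: preflight check for the keyring_file_data path.
# Not part of the original question, answer or the MySQL keyring_file plugin.
# Assumption: the MySQL service user is "mysql" unless a second argument is given.

# check_keyring_path PATH [USER]
# Prints one line per problem found; returns 0 when the path looks usable.
check_keyring_path() {
    path=$1
    user=${2:-mysql}
    status=0
    dir=$(dirname "$path")

    # Walk each ancestor of the keyring file. Every component must be a
    # directory; a regular file in the chain is what the server logs as
    # "Not a directory (OS errno 20)".
    case $dir in
        /*) probe="" ;;
        *)  probe="." ;;
    esac
    rest=${dir#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue
        probe="$probe/$part"
        if [ ! -e "$probe" ]; then
            echo "missing: $probe"
            return 1
        elif [ ! -d "$probe" ]; then
            echo "not a directory: $probe"
            return 1
        fi
    done

    # The keyring directory must belong to the service user and must not be
    # reachable by other users (the answer above uses mode 750).
    owner=$(ls -ld "$dir" | awk '{print $3}')
    mode=$(ls -ld "$dir" | awk '{print $1}')
    if [ "$owner" != "$user" ]; then
        echo "directory $dir is owned by $owner, not $user"
        status=1
    fi
    case $mode in
        d??????---*) ;;
        *) echo "directory $dir is accessible by other users ($mode)"; status=1 ;;
    esac

    # If the keyring file already exists it must be a regular file that only
    # the service user can read: it holds the master key for tablespace encryption.
    if [ -e "$path" ]; then
        if [ ! -f "$path" ]; then
            echo "$path exists but is not a regular file"
            status=1
        else
            fowner=$(ls -ld "$path" | awk '{print $3}')
            fmode=$(ls -ld "$path" | awk '{print $1}')
            if [ "$fowner" != "$user" ]; then
                echo "$path is owned by $fowner, not $user"
                status=1
            fi
            case $fmode in
                -??????---*) ;;
                *) echo "$path is readable by other users ($fmode)"; status=1 ;;
            esac
        fi
    fi
    return $status
}

# Stand-alone usage: sh check_keyring.sh /usr/local/mysql/mysql-keyring/keyring mysql
if [ $# -gt 0 ]; then
    check_keyring_path "$@"
fi
```

Run it inside the container (docker exec my_keyring_test sh check_keyring.sh /usr/local/mysql/mysql-keyring/keyring) before restarting the server; an exit status of 0 means the path passes the same checks the plugin applies at startup, and each printed line names the exact component to fix.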
    
