
Add ability to change host value for root user to secure container #249


Merged: 1 commit, into docker-library:master from the roothost branch, Jan 4, 2017

Conversation

@yosifkit (Member) commented Dec 31, 2016

Now you can easily remove remote MySQL root access or secure to a specific IP address (DNS name would require custom cnf to override the provided config files). root@localhost will always work regardless of this new value.

$ docker run -d --name mysql -e MYSQL_ROOT_PASSWORD=pass -e MYSQL_ROOT_HOST=localhost -e MYSQL_DATABASE=db -e MYSQL_USER=user -e MYSQL_PASSWORD=pass2 mysql:5.6
$ docker run -it --rm --link mysql mysql:5.7 mysql -hmysql -uroot -ppass
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'root'@'172.17.0.5' (using password: YES)
$ docker run -it --rm --link mysql mysql:5.7 mysql -hmysql -uuser -ppass2 db
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.6.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> ^DBye

fixes #231

Borrows heavily from mysql@6fbb227

@@ -68,6 +68,9 @@ RUN mkdir -p /var/lib/mysql /var/run/mysqld \
# ensure that /var/run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime
&& chmod 777 /var/run/mysqld

# default root to listen for connections from anywhere
ENV MYSQL_ROOT_HOST %
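Review bot: The `ENV MYSQL_ROOT_HOST %` default in this hunk makes the variable unconditionally set inside every container built from the image, so the entrypoint can no longer distinguish "unset" from "user supplied" and `-e MYSQL_ROOT_HOST_FILE=...` will always trip the exclusivity check in `file_env` (`both MYSQL_ROOT_HOST and MYSQL_ROOT_HOST_FILE are set`). Drop the Dockerfile line and pass the default as the second argument, `file_env 'MYSQL_ROOT_HOST' '%'`, in the entrypoint script instead.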
Review comment on this hunk (Member):

This is going to cause issues with file_env (-e MYSQL_ROOT_HOST_FILE=... will lead to error: both MYSQL_ROOT_HOST and MYSQL_ROOT_HOST_FILE are set (but are exclusive)), so needs to be specified as the default in the script instead (via the second argument to file_env).

@yosifkit (Member, Author) commented Jan 3, 2017

Updated to work properly with MYSQL_ROOT_HOST_FILE; cannot use an empty value to remove the root@% user, you must use localhost or MYSQL_ROOT_HOST_FILE=/dev/null or another empty file.

rootCreate=
# default root to listen for connections from anywhere
file_env 'MYSQL_ROOT_HOST' '%'
if [ ! -z "$MYSQL_ROOT_HOST" -a "$MYSQL_ROOT_HOST" != 'localhost' ]; then
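Review bot: The condition on the last line uses the binary `-a` operator inside a single `[ ... ]`, which POSIX marks obsolescent and which can be misparsed when the operand happens to look like an operator; the equivalent and portable form is `[ -n "$MYSQL_ROOT_HOST" ] && [ "$MYSQL_ROOT_HOST" != 'localhost' ]`. Since the default `%` is now supplied via `file_env`, it is also worth a comment here that an empty `MYSQL_ROOT_HOST` falls back to that default rather than disabling the remote root user, so the only ways to skip creating it are `localhost` or an empty `MYSQL_ROOT_HOST_FILE`.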
Review comment on this hunk (Member, Author):

Should this check also look for loopback IP addresses like 127.0.0.1 or ::1?

Review comment on this hunk (Member, Author):

Found the answer: No; localhost for mysql is just the unix socket, so IP addresses do not factor into it.
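An added illustration, not the PR's own entrypoint code, of the behaviour this comment describes: a `file_env`-style helper with a default, and the resulting decision whether a remote root user gets created at all. It is written in POSIX sh; the helper names `file_env` and `root_create_sql`, the choice to return non-zero on conflict instead of exiting, and the exact CREATE USER / GRANT statements are assumptions.

```shell
# Added example (not the docker-library/mysql entrypoint): how a file_env
# helper with a default drives the MYSQL_ROOT_HOST decision. Names and the
# emitted SQL are assumptions for illustration.

# file_env VAR [DEFAULT]: take VAR, or the contents of the file named by
# VAR_FILE, or DEFAULT. VAR and VAR_FILE are exclusive. An empty VAR counts
# as unset, which is why "MYSQL_ROOT_HOST=" cannot disable the remote root.
# Returns 1 on conflict (an entrypoint would exit) so a test can call it.
file_env() {
	var="$1"
	fileVar="${var}_FILE"
	def="${2:-}"
	eval "val=\${$var:-}"
	eval "fileVal=\${$fileVar:-}"
	if [ -n "$val" ] && [ -n "$fileVal" ]; then
		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
		return 1
	fi
	if [ -n "$fileVal" ]; then
		val="$(cat "$fileVal")"   # /dev/null or an empty file yields ""
	elif [ -z "$val" ]; then
		val="$def"
	fi
	export "$var=$val"
	unset "$fileVar"
}

# root_create_sql: print the statements that create the remote root user, or
# nothing when MYSQL_ROOT_HOST is empty or 'localhost' (root@localhost is the
# unix-socket account and always exists regardless of this value).
# Values are interpolated verbatim here purely to show the decision logic.
root_create_sql() {
	file_env 'MYSQL_ROOT_HOST' '%' || return 1
	if [ -n "$MYSQL_ROOT_HOST" ] && [ "$MYSQL_ROOT_HOST" != 'localhost' ]; then
		printf "CREATE USER 'root'@'%s' IDENTIFIED BY '%s' ;\n" \
			"$MYSQL_ROOT_HOST" "$MYSQL_ROOT_PASSWORD"
		printf "GRANT ALL ON *.* TO 'root'@'%s' WITH GRANT OPTION ;\n" \
			"$MYSQL_ROOT_HOST"
	fi
}
```

Running `MYSQL_ROOT_PASSWORD=pass MYSQL_ROOT_HOST=localhost sh -c '. ./example.sh; root_create_sql'` prints nothing, while leaving `MYSQL_ROOT_HOST` unset or empty prints statements for `'root'@'%'`.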

@yosifkit (Member, Author) commented Jan 4, 2017

cc @ltangvald

@ltangvald (Collaborator) commented:

Looks good.

@tianon tianon merged commit f93c4f5 into docker-library:master Jan 4, 2017
@tianon tianon deleted the roothost branch January 4, 2017 19:15
tianon added a commit to infosiftr/stackbrew that referenced this pull request Jan 6, 2017
- `busybox`: 1.26.1 (docker-library/busybox#22)
- `docker`: 1.13.0-rc5
- `mysql`: add `MYSQL_ROOT_HOST` support (docker-library/mysql#249)
- `ruby`: put `xz-utils` back in non-slim (docker-library/ruby#109)
- `wordpress`: add `php7.1` variants (docker-library/wordpress#193)
tianon added a commit to infosiftr/mariadb that referenced this pull request Apr 5, 2017
tianon added a commit to infosiftr/mariadb that referenced this pull request Apr 5, 2017
tianon added a commit to infosiftr/stackbrew that referenced this pull request Apr 6, 2017
- `docker`: 17.04.0-ce (docker-library/docker#48)
- `mariadb`: resync `mysql` entrypoint (MariaDB/mariadb-docker#102; see also docker-library/mysql#249 and docker-library/mysql#266)
- `percona`: `5.7.17-13-1.jessie`
- `rabbitmq`: multi-version refactoring (docker-library/rabbitmq#134)
yosifkit added a commit to infosiftr/percona that referenced this pull request Oct 23, 2017
Successfully merging this pull request may close these issues.

Increase security by adding possibility to have 'root'@'localhost' and not only 'root'@'%'