Thursday, January 9, 2020

Connect to Docker Mysql remotely using public IP

You want to connect to a MySQL server that is installed and configured inside a Docker container, from the host or from a remote server. To achieve this, make sure your host system has a public IP. A Docker container is a virtual machine; the system where Docker is installed is known as the host machine. You can connect from the host machine to the container's MySQL server using either its private IP or its public IP.

Here I am going to show how to connect to a Docker container's MySQL server using the public IP.

1. The MySQL server port inside the container (default 3306) must be mapped to a port on the host system. If no MySQL server is running on the host, you can map the same port, 3306, but if one is running there you must map the container's MySQL port to a different host port. Suppose it is 3500. When you launch the container with the docker run command, pass the -p option to map ports between the container and the host system.


2. Next, the MySQL server config inside the container must not be bound to localhost (127.0.0.1) only, because that setting means the server accepts connections from localhost only. As we are connecting to the MySQL server remotely, comment out this option:

#bind-address = 127.0.0.1
Once you have commented it out in the MySQL config, restart the MySQL server.

3. Now give global access permission to the MySQL user, that is, the username you are going to use to connect to the MySQL server.
To give global access to the MySQL user, Host must be % for that user in both the user table and the db table.
Make sure you have updated Host to % for the same combination of user and database in the db table.


4. Now make sure port 3500 is open in your firewall and can be reached remotely.

5. Now try to connect to the Docker MySQL server using the public IP:

mysql -u mysqlusername -p -h 209.45.xx.xx -P 3500
Since 3500 is the host port we mapped to the container's MySQL port, we pass it in the command to reach the container's MySQL server through the host system.

Now you should be able to connect to the Docker MySQL server remotely.
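The five steps above wrapped into one script, as an added example that is not part of the original post. It assumes placeholder names (container mydb, host port 3500, user mysqlusername, database appdb, the mysql:5.7 image, a config path of /etc/mysql/my.cnf inside the container, and a REMOTE_IP variable holding the one address that should reach port 3500); the grant uses a GRANT statement scoped to one database instead of editing the user and db tables by hand, and the firewall rule admits only that one remote address rather than the whole internet.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders: container "mydb",
# host port 3500, MySQL user "mysqlusername", database "appdb", and REMOTE_IP
# for the one address allowed through the firewall.

# Does a MySQL config file still bind to loopback only?  Prints "loopback-only"
# (exit 1) or "reachable" (exit 0); a commented-out line does not count.
bind_address_status() {   # $1 config file
    if grep -Eq '^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*127\.0\.0\.1' "$1"; then
        echo loopback-only
        return 1
    fi
    echo reachable
}

# docker run port flag: host port first, the container's 3306 second.
port_map() {   # $1 host port
    echo "-p $1:3306"
}

# SQL that gives the user a '%' host entry (what the post does by editing the
# user and db tables by hand), limited to one database rather than all of them.
grant_sql() {   # $1 user, $2 password, $3 database
    printf "CREATE USER IF NOT EXISTS '%s'@'%%' IDENTIFIED BY '%s';\n" "$1" "$2"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%%';\nFLUSH PRIVILEGES;\n" "$3" "$1"
}

# The procedure end to end; runs only as:
#   REMOTE_IP=203.0.113.10 sh script.sh --apply <root-password> <user-password>
if [ "${1:-}" = "--apply" ]; then
    docker run -d --name mydb $(port_map 3500) -e MYSQL_ROOT_PASSWORD="$2" mysql:5.7
    sleep 20                                                # wait for mysqld to come up
    docker exec mydb cat /etc/mysql/my.cnf > /tmp/mydb.cnf  # config path assumed
    bind_address_status /tmp/mydb.cnf || exit 1             # fix bind-address first
    grant_sql mysqlusername "$3" appdb | docker exec -i mydb mysql -uroot -p"$2"
    # Open 3500 for the one remote address only, not for every source.
    sudo iptables -A INPUT -p tcp --dport 3500 -s "${REMOTE_IP:?set REMOTE_IP}" -j ACCEPT
fi
```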

Tuesday, December 17, 2019

AWS RDS - Update Your Amazon RDS SSL/TLS Certificates by February 5, 2020

If you received the mail from AWS about updating your client-side certificate for RDS connections, here is a very simple explanation of what you need to do. Your first concern is that your application's functionality should not be affected and everything should keep working as smoothly as now.

When you connect to a database, you connect either securely or non-securely. If you connect non-securely, you do not need to worry about the mail you received, as it affects only connections made securely. Suppose your RDS is MySQL or PostgreSQL and you connect to it from a PHP framework or from Python: check the database connection code, and if an SSL/TLS parameter is defined with a client certificate file, you are using the secure method to connect to RDS. Download the latest client-side certificate file from here or here and replace the existing one.

Another way to check is to look at the rds.force_ssl parameter in the parameter group settings of your RDS instance. If its value is 0, insecure RDS connections can also be made, but if it is 1 then no insecure connection can be made, so your code must already be using the client-side certificate file for connections to succeed.

Similarly, if force SSL is on, you cannot connect to the database on the command line without specifying the client-side certificate file.
Here is an example of connecting to a PostgreSQL RDS server on the command line:
psql -h testpg.cdhmuqifdpib.us-east-1.rds.amazonaws.com -p 5432 "dbname=testpg user=testuser sslrootcert=rds-ca-2015-root.pem sslmode=verify-full"

Secure MySQL connection on RDS:
mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY

mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-verify-server-cert
If you set rds.force_ssl and restart your instance, non-SSL connections are refused with the following message for PostgreSQL:
psql: FATAL: no pg_hba.conf entry for host "host.ip", user "someuser", database "postgres", SSL off
A similar message is displayed for MySQL and other RDS database types.
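Two checks that answer the question this post raises, as an added example that is not part of the original post: does a given psql or mysql client setting actually verify the server certificate against the CA file (only those connections are affected by the CA rotation), and which certificates, with their expiry dates, are inside the bundle the client points at. It assumes openssl is installed for the second check; the option names are the ones shown in the commands above.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the client-side TLS
# option of a psql conninfo string or a mysql option string, and lists the
# certificates (subject and notAfter) inside a PEM CA bundle such as
# rds-ca-2015-root.pem or rds-combined-ca-bundle.pem. Needs openssl for the latter.

# Prints: verified | encrypted-unverified | plaintext | unknown.
# Only "verified" settings check the server certificate against the CA file,
# so only those connections break when the CA in that file is retired.
tls_verification_level() {   # $1 connection options string
    case "$1" in
        *sslmode=verify-full*|*sslmode=verify-ca*|*--ssl-mode=VERIFY_IDENTITY*|\
        *--ssl-mode=VERIFY_CA*|*--ssl-verify-server-cert*) echo verified ;;
        *sslmode=disable*|*--ssl-mode=DISABLED*) echo plaintext ;;
        *sslmode=require*|*sslmode=prefer*|*sslmode=allow*|\
        *--ssl-mode=REQUIRED*|*--ssl-mode=PREFERRED*) echo encrypted-unverified ;;
        *) echo unknown ;;   # nothing explicit: the client's default applies
    esac
}

# Print "subject=... notAfter=..." for every certificate in a PEM bundle, so an
# old bundle whose CA is about to expire is visible before the cutover date.
ca_bundle_expiry() {   # $1 bundle file
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    dir=$(mktemp -d) || return 2
    # Split the bundle: certificate n goes to <dir>/n.pem.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++}
                     n{f=d "/" n ".pem"; print > f}
                     /-----END CERTIFICATE-----/{close(f)}' "$1"
    for c in "$dir"/*.pem; do
        [ -e "$c" ] || continue
        openssl x509 -in "$c" -noout -subject -enddate | tr '\n' ' '
        echo
    done
    rm -rf "$dir"
}

tls_verification_level "dbname=testpg user=testuser sslrootcert=rds-ca-2015-root.pem sslmode=verify-full"
```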

Thursday, December 12, 2019

Add Swap Space in AWS EC2 Centos or Linux AMI

Here are the steps to create swap space on an AWS EC2 CentOS or Linux AMI instance:

1. Create an EBS volume (SSD, gp2) of the size you want for your swap space. Suppose it is 4G.
2. Attach the volume to your instance. Suppose it appears as device /dev/xvdf.
3. Now run:
sudo mkswap /dev/xvdf

4. sudo swapon /dev/xvdf
5. Edit /etc/fstab and add the following line:
/dev/xvdf none swap sw 0 0
6. Now verify the added swap space:
sudo swapon --show
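The steps above as one script, an added example that is not part of the original post. It takes the device and the fstab path as parameters (defaulting to the post's /dev/xvdf and /etc/fstab), refuses to run mkswap on a device that already carries a filesystem or swap signature, since mkswap would destroy it, and appends the fstab line only once; it assumes blkid from util-linux is available and that the apply step is run as root.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the mkswap/swapon/fstab
# steps with the checks an operator wants before formatting a block device.
# Device and fstab path are parameters; /dev/xvdf and /etc/fstab are the post's.

# Append the swap entry only if the device is not already listed.
# Prints "added" or "already present".
ensure_fstab_swap() {   # $1 device, $2 fstab file
    if grep -Eq "^[[:space:]]*$1[[:space:]]+none[[:space:]]+swap" "$2"; then
        echo "already present"
        return 0
    fi
    printf '%s none swap sw 0 0\n' "$1" >> "$2"
    echo added
}

# True only when blkid finds no filesystem/swap signature on the device.
# A missing blkid counts as "not blank" so the script errs on the safe side.
device_is_blank() {   # $1 device
    command -v blkid >/dev/null 2>&1 || return 1
    [ -z "$(blkid -o value -s TYPE "$1" 2>/dev/null)" ]
}

enable_swap() {   # $1 device, $2 fstab file; run as root
    [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
    if ! device_is_blank "$1"; then
        echo "refusing: $1 already has a signature ($(blkid -o value -s TYPE "$1"))" >&2
        return 1
    fi
    mkswap "$1" && swapon "$1" || return 1
    ensure_fstab_swap "$1" "$2"
    swapon --show   # step 6: verify
}

# Runs only as: sudo sh script.sh --apply [/dev/xvdf]
if [ "${1:-}" = "--apply" ]; then
    enable_swap "${2:-/dev/xvdf}" /etc/fstab
fi
```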