Tags: mysql, docker, user-management

Problem with Reverse Lookup Hostnames in MySQL Docker


I am trying to configure the official MySQL Docker container so that it has a different user for each of my micro-services, and only that micro-service can connect using its user.

It seems logical to use the Docker service name as written in the docker-compose.yml in combination with the built-in MySQL host limitation functionality.

So I added a user in MySQL:

CREATE USER 'user1'@'docker_service_name' IDENTIFIED BY 'my_password';
GRANT SELECT ON `my_database`.* TO 'user1'@'docker_service_name';

When I try to connect from docker_service_name I get the error:

SQLSTATE[HY000] [1045] Access denied for user 'user1'@'172.19.0.6' (using password: YES) (Connection: mysql, SQL: select * from `table1` where exists (.....)

This is of course true: the user that is allowed to connect from everywhere doesn't exist (and I don't want it to exist).

After some research I found this question: How to set up mysql host limitation working with docker container

The answer says:

right here the official dockerfile for mysql:5.7, and at line 70 we can find:

#don't reverse lookup hostnames, they are usually another container && echo '[mysqld]\nskip-host-cache\nskip-name-resolve' > /etc/mysql/

I don't understand why reverse name lookup is disabled because "they are usually another container". Why is this? Will it do any harm if I enable this?


Solution

  • As pointed out by James Schultz in the comment there is an open bug report with MySQL.

    The reason why this is enabled by default seems to be:

    But why is this option by default?

    1. Docker relies on the host DNS
    2. Containers use the DNS configured in /etc/resolv.conf at creation time
    3. If that DNS becomes unreachable (e.g. disconnection, connection to a new wifi, ...), that DNS won't work anymore and MySQL authentication lags, waiting for client hostname resolution.

    So if you don't care about lag or are sure your DNS is exceptionally well connected, editing the my.cnf of your MySQL Docker container seems to be your best bet.

    You should remove (or comment out) the line:

    skip-name-resolve
    

    To do this in a Docker file add the following

    #for image: mysql:8.0.33-debian
    RUN sed -i -e "/^skip-name-resolve/d" /etc/my.cnf
    

    If you're working with docker-compose you can add this to your .yml; the trailing "mysqld" starts MySQL so that the container keeps running.

    #for image: mysql:8.0.33-debian
    entrypoint: ['/bin/sh', '-c', 'sed -i -e "/^skip-name-resolve/d" /etc/mysql/conf.d/docker.cnf && /usr/local/bin/docker-entrypoint.sh mysqld']