= Dockerfile mariadb + SSL
{{tag>dockerfile}}
=== Dockerfile
<code>
FROM mariadb:latest
# private key: owned by the mysql user; COPY keeps the host file mode, so chmod 600 it on the host before building
COPY --chown=mysql:root ./data/certs/server-key.pem /etc/mysql/certs/server.key
COPY ./data/certs/server-cert.pem /etc/mysql/certs/server.crt
COPY ./data/certs/ca-cert.pem /etc/mysql/certs/CA.crt
# server-side TLS options (ssl-ca / ssl-cert / ssl-key pointing at the paths above)
COPY ./data/certs/ssl.cnf /etc/mysql/conf.d/ssl.cnf
</code>
docker build --tag mariadb:ssl .
== certificates
<code bash>
mkdir -p data/db
mkdir -p data/certs
cd data/certs
# CA key and self-signed CA certificate (interactive prompts; see the -config section to script them)
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem
# server key + request, signed by the CA
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem   # rewrite the (already unencrypted) key in traditional PKCS#1 form
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# client key + request, signed by the same CA; its serial must differ from the server's (one CA, one serial per certificate)
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
# check that both certificates chain to the CA
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
</code>
=== -config
Configuration file used to pass the parameters to the **req** commands instead of answering the interactive prompts:
* openssl req -new -key self-ssl.key -out self-ssl.csr -config csr.conf
<code ini>
[req]
default_bits = 2048
distinguished_name = dn
prompt = no
# without this line the [req_ext] section is never read and the CSR carries no subjectAltName;
# when signing with "openssl x509 -req", add "-extfile csr.conf -extensions req_ext" so the SAN is copied into the certificate
req_extensions = req_ext
[dn]
C="TW"
ST="Taiwan"
L="Taipei"
O="YIDAS"
OU="Service"
emailAddress="yourmail@mail.com"
CN="yourdomain.com"
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.0 = *.yourdomain.com
DNS.1 = *.dev.yourdomain.com
</code>
* important: the CN (Common Name) must be different in each of the **req** runs (CA, server, client); a certificate whose subject is the same as its issuing CA's looks self-signed to OpenSSL and fails verification
* /via: [[https://gist.github.com/yidas/af42d2952d85c0951c1722fcd68716c6]]
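As an added example (not code from this page or from the sources it links), a scripted version of the certificate generation above that applies both rules, a different CN per certificate and a different serial per certificate, verifies the chain, and writes the ssl.cnf that the Dockerfile installs. Assumed: openssl on PATH; the organisation, CNs and host name are constructed, and ssl-ca / ssl-cert / ssl-key are the standard MariaDB server options pointing at the paths the Dockerfile uses.

```shell
#!/bin/sh
# Added example, not from the original page: scripted version of the CA / server / client
# generation above, with a distinct CN per certificate and a unique serial per certificate,
# plus the ssl.cnf the Dockerfile copies into /etc/mysql/conf.d. Assumes openssl in PATH;
# subject names, paths and host names are constructed.
set -eu

# make_certs DIR HOST: writes ca-/server-/client-{key,cert}.pem into DIR; fails if the chain does not verify
make_certs() {
  dir=$1; host=$2
  mkdir -p "$dir"
  (
    cd "$dir"
    # CA: self-signed, with a CN that no end-entity certificate reuses
    openssl req -x509 -newkey rsa:2048 -nodes -days 3600 -keyout ca-key.pem -out ca-cert.pem \
      -subj "/O=Example Lab/CN=Example Lab Root CA" 2>/dev/null
    # server: CN is the name clients connect to; serial 01
    openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem \
      -subj "/O=Example Lab/CN=$host" 2>/dev/null
    openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem \
      -set_serial 01 -out server-cert.pem 2>/dev/null
    # client: another CN and another serial (one CA must never issue two certificates with the same serial)
    openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem \
      -subj "/O=Example Lab/CN=mariadb-client" 2>/dev/null
    openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem \
      -set_serial 02 -out client-cert.pem 2>/dev/null
    chmod 600 ca-key.pem server-key.pem client-key.pem   # private keys: owner-only
    openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem >/dev/null
  )
}

# write_ssl_cnf FILE: server-side TLS settings, using the paths the Dockerfile above installs the files under
write_ssl_cnf() {
  cat > "$1" <<'EOF'
[mysqld]
ssl-ca=/etc/mysql/certs/CA.crt
ssl-cert=/etc/mysql/certs/server.crt
ssl-key=/etc/mysql/certs/server.key
EOF
}

# cert_cn FILE / cert_serial FILE: the two fields the rules above are checked against
cert_cn()     { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'; }
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
```

Run it as `make_certs data/certs db.example.test && write_ssl_cnf data/certs/ssl.cnf` from the build directory and the Dockerfile above picks the files up unchanged.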
== running
Either of the following (both publish port 3306 and persist the data directory; the second also mounts a certificate directory from the host and creates a database and user at first start):
<code bash>
docker run -it --name mariadb -p 3306:3306 -v ${PWD}/data/db:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=admin mariadb:ssl
docker run -it --name mariadb -p 3306:3306 -v /var/lib/mysql:/var/lib/mysql -v /etc/newcerts:/etc/newcerts -e MYSQL_DATABASE=DB -e MYSQL_USER=user -e MYSQL_PASSWORD=userpass -e MYSQL_ROOT_PASSWORD=admin mariadb:ssl
</code>
more information: [[https://hub.docker.com/_/mariadb]]
== SQL tips
* mysql --host=127.0.0.1 -u root -padmin
* grant all on *.* to 'cross'@'192.168.0.17' identified by '123456' require ssl; (REQUIRE SSL only forces an encrypted connection; REQUIRE X509 additionally demands a client certificate issued by the server's CA)
* mysql --host=127.0.0.1 -u cross -p123456 --ssl-ca=data/certs/ca-cert.pem --ssl-cert=data/certs/client-cert.pem --ssl-key=data/certs/client-key.pem -e 'status' (the SSL line of the status output shows the cipher in use, so this confirms the connection is actually encrypted)
/based: [[https://github.com/chio-nzgft/docker-MariaDB-with-SSL]]