
Dockerfile mariadb + SSL

Dockerfile

Dockerfile
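# MariaDB image with the server's TLS key, certificates and TLS configuration
# copied in at build time.
# NOTE(review): the base tag is kept as on the page; pin it to a specific
# release tag (ideally with a digest) so rebuilds are reproducible and base
# image updates are a deliberate, reviewable change.
FROM mariadb:latest

# Server private key, owned by the mysql user so the server process can read it.
# The file mode is taken from the build context, so keep the source file at 0600.
# A key copied into a layer is available to everyone who can pull or export the
# image; mounting it at run time (read-only bind mount or a secret) keeps it out
# of the image and lets it be rotated without a rebuild.
COPY --chown=mysql:root ./data/certs/server-key.pem /etc/mysql/certs/server.key
# Server certificate and the CA certificate that signed it (public material).
COPY ./data/certs/server-cert.pem /etc/mysql/certs/server.crt
COPY ./data/certs/ca-cert.pem /etc/mysql/certs/CA.crt
# TLS settings, placed in the conf.d drop-in directory. The content of ssl.cnf
# is not shown on this page; presumably it points ssl_ca / ssl_cert / ssl_key at
# the three paths above -- confirm. Installing certificates does not by itself
# reject unencrypted clients: that needs require_secure_transport in the server
# configuration or REQUIRE SSL on the accounts.
COPY ./data/certs/ssl.cnf /etc/mysql/conf.d/ssl.cnf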
# Build the image from the Dockerfile in the current directory and tag it mariadb:ssl.
# The whole current directory is sent as build context, which on this page includes
# data/db and data/certs/ca-key.pem; a .dockerignore that excludes them keeps the
# CA key and the database files away from the build.
docker build --tag mariadb:ssl .

certificados

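# Create the working directories: data/db for the database files and
# data/certs for the TLS material that the Dockerfile copies into the image.
mkdir -p data/db
mkdir -p data/certs
cd data/certs

# Every "openssl req" below prompts for the subject fields. The Common Name of
# the server and client certificates must differ from the CA's Common Name,
# otherwise verification of the issued certificates fails.

# CA key and self-signed CA certificate (valid for 3600 days).
# The key is written with -out rather than a shell redirect, so the file is not
# created with the shell's default (usually world-readable) mode; chmod makes the
# mode explicit. ca-key.pem can sign certificates that every client trusting this
# CA will accept: keep it off the database host and out of the image.
openssl genrsa -out ca-key.pem 2048
chmod 600 ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem

# Server key and certificate.
# -days is omitted on the request: without -x509 it has no effect, the validity
# is set by "openssl x509 -req" when the CA signs.
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem
# Re-writes the key in place; presumably kept from older guides that needed the
# traditional RSA key format -- confirm whether it is still required.
openssl rsa -in server-key.pem -out server-key.pem
chmod 600 server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Client key and certificate.
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
chmod 600 client-key.pem
# Serial 02: a CA must not issue two certificates with the same serial number,
# and 01 is already used by the server certificate.
openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

# Check that both certificates chain to the CA.
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem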

-config

fichero de configuración para pasar los parámetros a los req

ejecución

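# Two alternative ways to start the server; both use the container name
# "mariadb", so only one of them can exist at a time.
# The passwords are the page's sample values and must be replaced. The image's
# *_FILE variables (for example MYSQL_ROOT_PASSWORD_FILE) read the value from a
# file, which keeps it out of the shell history and of "docker inspect" output.
# -p 3306:3306 publishes the port on every host interface; restrict it with a
# host address or a firewall rule if only local clients need access.

# Minimal start: database files are kept in ./data/db. The image name matches
# the tag used by "docker build" (mariadb:ssl), and the path has the "/" that
# ${PWD} does not end with.
docker run -it --name mariadb -p 3306:3306 -v "${PWD}/data/db:/var/lib/mysql" -e MYSQL_ROOT_PASSWORD=admin mariadb:ssl

# Start that also creates a database and an application user on first
# initialisation, with the data directory on the host at /var/lib/mysql.
# NOTE(review): /etc/newcerts is mounted here, but this page's Dockerfile installs
# the certificates under /etc/mysql/certs -- confirm whether this mount is still needed.
docker run -it --name mariadb -p 3306:3306 -v /var/lib/mysql:/var/lib/mysql -v /etc/newcerts:/etc/newcerts -e MYSQL_DATABASE=DB -e MYSQL_USER=user -e MYSQL_PASSWORD=userpass -e MYSQL_ROOT_PASSWORD=admin mariadb:ssl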

más información: https://hub.docker.com/_/mariadb

SQL tips

/based: https://github.com/chio-nzgft/docker-MariaDB-with-SSL