Dockerfile mariadb + SSL
Dockerfile
- Dockerfile
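# Official MariaDB image with the TLS material baked in.
# NOTE(review): `latest` is a moving target; pin a version (e.g. mariadb:10.11)
# so rebuilds are reproducible.
FROM mariadb:latest

# COPY instead of ADD: the sources are plain local files, so ADD's extra
# behaviour (URL fetch, tar auto-extraction) is not wanted.
# The private key belongs to the mysql user and must not be readable by others;
# COPY preserves the source file mode, so make the restriction explicit.
COPY --chown=mysql:root ./data/certs/server-key.pem /etc/mysql/certs/server.key
RUN chmod 0600 /etc/mysql/certs/server.key

# Public material (server certificate and the CA that signed it) - world-readable is fine.
COPY ./data/certs/server-cert.pem /etc/mysql/certs/server.crt
COPY ./data/certs/ca-cert.pem     /etc/mysql/certs/CA.crt

# Server-side TLS settings; expected to reference the three paths above.
COPY ./data/certs/ssl.cnf /etc/mysql/conf.d/ssl.cnf

# Only the server key, server cert and CA cert enter the image. ca-key.pem and the
# client key stay out of it - and ideally out of the build context (.dockerignore).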
# Build the image; this tag is the one the `docker run` commands below should use.
# The whole of ./data (ca-key.pem and client-key.pem included) is sent to the
# daemon as build context - add a .dockerignore if those files must never leave the host.
docker build -t mariadb:ssl .
certificados
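#!/usr/bin/env bash
# Generates a private CA plus one server and one client certificate for MariaDB TLS.
# Subjects are entered interactively: use a DIFFERENT Common Name for the CA, the
# server and the client - a certificate whose subject equals its issuer's subject
# is treated as self-signed by OpenSSL and the chain fails to verify.
set -euo pipefail

mkdir -p data/db data/certs
cd data/certs || exit 1   # never write keys into the wrong directory

# --- CA -------------------------------------------------------------------
# `-out` (not a `>` redirect) so OpenSSL creates the key file with mode 0600
# instead of whatever the umask allows.
openssl genrsa -out ca-key.pem 2048
openssl req -new -x509 -nodes -days 3600 -sha256 -key ca-key.pem -out ca-cert.pem

# --- server ----------------------------------------------------------------
# `-days` has no effect on a CSR; the lifetime is fixed when the CA signs below.
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem
# Rewrite the key as traditional PKCS#1 "RSA PRIVATE KEY" PEM for older clients.
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -sha256 \
  -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# --- client ----------------------------------------------------------------
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
# Serial numbers must be unique per issuing CA (RFC 5280 4.1.2.2); the original
# reused 01 for both certificates.
openssl x509 -req -in client-req.pem -days 3600 -sha256 \
  -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

# Belt and braces: private keys readable by the owner only. Certificates stay
# world-readable so the mysql user can read them once copied into the image.
chmod 0600 ca-key.pem server-key.pem client-key.pem

# --- sanity check ----------------------------------------------------------
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem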
-config
Fichero de configuración para pasar a `openssl req` el subject y las extensiones (SAN) sin responder a los prompts interactivos.
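# Non-interactive CSR: subject and SAN come from csr.conf instead of prompts.
# `-reqexts req_ext` is what embeds the [req_ext]/[alt_names] sections into the
# request; without it (or `req_extensions = req_ext` under [req] in csr.conf)
# the SAN is silently dropped.
# NOTE(review): `openssl x509 -req` does not copy CSR extensions into the signed
# certificate by default - pass `-extfile csr.conf -extensions req_ext` (or, on
# OpenSSL 3, `-copy_extensions copy`) when signing, or the SAN is lost again.
openssl req -new -key self-ssl.key -out self-ssl.csr -config csr.conf -reqexts req_ext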
- csr.conf
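# openssl req configuration: subject and SANs for a non-interactive CSR.
[req]
default_bits       = 2048
distinguished_name = dn
prompt             = no
# Without this line the [req_ext] section below is never read and the CSR
# carries no SAN (unless `-reqexts req_ext` is given on the command line).
req_extensions     = req_ext

[dn]
C            = "TW"
ST           = "Taiwan"
L            = "Taipei"
O            = "YIDAS"
OU           = "Service"
emailAddress = "yourmail@mail.com"
CN           = "yourdomain.com"

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.0 = *.yourdomain.com
DNS.1 = *.dev.yourdomain.com
# A wildcard does not cover the bare name, and clients that verify hostnames
# match against the SAN (CN is ignored) - so list the CN itself as well.
DNS.2 = yourdomain.com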
- importante que el CN (Common Name) sea distinto en cada `req`: el del servidor y el del cliente no deben coincidir con el de la CA, porque OpenSSL trata un certificado cuyo subject es igual al de su emisor como autofirmado y la verificación de la cadena falla.
ejecución
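# Run the TLS-enabled image built above.
# Fixes: `${PWD}data/db` was missing the `/` (it expanded to e.g. /home/userdata/db),
# and the image name `mariadbssl` does not match the `mariadb:ssl` tag from the build.
# NOTE(review): the root password is visible in `ps` and shell history; the
# official image also accepts MARIADB_ROOT_PASSWORD_FILE pointing at a mounted
# secret (see the hub.docker.com page linked below) - prefer that outside a lab.
# `-p 3306:3306` listens on every host interface; bind to one address
# (e.g. `-p 127.0.0.1:3306:3306`) unless remote clients are expected.
docker run -it --name mariadb \
  -p 3306:3306 \
  -v "${PWD}/data/db:/var/lib/mysql" \
  -e MYSQL_ROOT_PASSWORD=admin \
  mariadb:ssl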
# Alternative run: host paths for the data directory and an extra certificate
# mount, plus an application database and a non-root user created on first start.
# Both passwords travel on the command line and are therefore visible in `ps`.
# The /etc/newcerts mount only matters if ssl.cnf points at that directory; the
# Dockerfile above installs the certificates under /etc/mysql/certs.
docker run --interactive --tty --name mariadb \
  --publish 3306:3306 \
  --volume /var/lib/mysql:/var/lib/mysql \
  --volume /etc/newcerts:/etc/newcerts \
  --env MYSQL_DATABASE=DB \
  --env MYSQL_USER=user \
  --env MYSQL_PASSWORD=userpass \
  --env MYSQL_ROOT_PASSWORD=admin \
  mariadb:ssl
más información: https://hub.docker.com/_/mariadb
SQL tips
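# Connect as root over loopback. `-p` with no value prompts for the password
# instead of exposing it in argv (`ps`, shell history). Add
# `--ssl-ca=data/certs/ca-cert.pem` to also verify the server's certificate.
mysql --host=127.0.0.1 -u root -p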
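-- User that may only connect over TLS *and* must present a client certificate
-- signed by the server's CA. `REQUIRE SSL` alone only demands an encrypted
-- channel: anyone holding the password could log in without a certificate,
-- which defeats the point of generating client-cert.pem above.
-- `REQUIRE X509` needs ssl_ca set on the server (the CA.crt the Dockerfile
-- installs); `REQUIRE SUBJECT '...'` would pin a single certificate.
-- NOTE(review): ALL ON *.* is effectively superuser - scope the grant to the
-- database(s) this client actually needs.
GRANT ALL ON *.* TO 'cross'@'192.168.0.17' IDENTIFIED BY '123456' REQUIRE X509;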
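# Connect as the TLS-only user, presenting the client certificate and key.
# `-p` prompts for the password rather than leaking it via argv/history.
# The host part of the grant ('192.168.0.17') must equal the client's source
# address as seen by the server, otherwise the login is refused.
# Add `--ssl-verify-server-cert` once the server certificate's CN/SAN matches the
# address you connect to (a DNS-name certificate will not match 127.0.0.1).
mysql --host=127.0.0.1 -u cross -p \
  --ssl-ca=data/certs/ca-cert.pem \
  --ssl-cert=data/certs/client-cert.pem \
  --ssl-key=data/certs/client-key.pem \
  -e 'status'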
Basado en: https://github.com/chio-nzgft/docker-MariaDB-with-SSL