Installer un serveur MariaDB
C'est un serveur de base de données dont vous aurez certainement besoin pour alimenter vos sites web et applications.
Préparez databases/mariadb-server dans vos poudrières. Dans l'exemple qui suit popeye est l'hôte et maria est la jail.
Préparez une Jail
Construisez une jail nommée maria dans /jails/mariadb pour accueillir votre serveur de bases de données.
Adaptez zfs au service de base de données:
zfs set primarycache=metadata zroot/JAILS/master/mariadb zfs set sync=disabled zroot/JAILS/master/mariadb zfs set atime=off zroot/JAILS/master/mariadb zfs set recordsize=16k zroot/JAILS/master/mariadb
Adaptez la configuration de la jail maria :
- mariadb/etc/rc.conf.local
hostname="mariadb"
- /etc/jail.conf
maria { host.hostname = maria; ip4.addr = "lo1|192.168.0.200";# Adresse IP à attribuer. path ="/jails/mariadb"; # où est-elle ? mount.devfs; exec.start = "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown"; }
root@popeye:# jail -c maria root@popeye:# root@popeye:# pkg -j maria install databases/mariadb106-server root@popeye:# sysrc -j maria mysql_enable=YES
Ainsi que la jail:
root@popeye:# sysrc jail_enable="YES" root@popeye:# sysrc jail_list+="maria"
Préparation
Depuis la jail, initialisez le serveur:
root@popeye:# jexec maria root@mariadb:# service mysql-server start root@mariadb:# /usr/local/bin/mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and haven't set the root password yet, you should just press enter here. Enter current password for root (enter for none): OK, successfully used password, moving on... Setting the root password or using the unix_socket ensures that nobody can log into the MariaDB root user without the proper authorisation. You already have your root account protected, so you can safely answer 'n'. Switch to unix_socket authentication [Y/n] y Enabled successfully! Reloading privilege tables.. ... Success! You already have your root account protected, so you can safely answer 'n'. Change the root password? [Y/n] n ... skipping. By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] y ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] y ... Success! By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] y - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] y ... Success! Cleaning up... All done! If you've completed all of the above steps, your MariaDB installation should now be secure. Thanks for using MariaDB! root@mariadb:/ #
Un lien vers le serveur de base de données est disponible sous la socket /var/run/mysql/mysql.sock
Sous une jail, le serveur ne doit écouter que sous son adresse IP:
sysrc mysql_args="--bind-address=192.168.jail.ip"
Tests
Est-ce que le serveur est à l'écoute ?
:~ jexec maria sockstat -l USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS mysql mariadbd 6882 20 tcp4 192.168.0.200:3306 *:* mysql mariadbd 6882 21 stream /var/run/mysql/mysql.sock root sendmail 77254 3 tcp4 192.168.0.200:25 *:* root syslogd 64764 5 dgram /var/run/log root syslogd 64764 6 dgram /var/run/logpriv
Essayons, depuis l'hôte:
:~ telnet 192.168.0.200 3306 Trying 192.168.0.200... Connected to 192.168.0.200. Escape character is '^]'. HHost '192.168.0.200' is not allowed to connect to this MariaDB serverConnection closed by foreign host.
A l'aide du client:
root@popeye:#jexec maria root@mariadb:/ # mysql -u root root@localhost [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | | sys | +--------------------+ 4 rows in set (0.000 sec) root@localhost [(none)]>
Socket unix
Vous avez noté la ligne de sockstat(1):
mysql mariadbd 6882 21 stream /var/run/mysql/mysql.sock
Cela signifie que vous pouvez communiquer avec la serveur via une socket(2) unix. Vous n'avez même pas besoin de configuration réseau pour communiquer avec cette jail:
root@mariadb:/ # mysql -u root -S /var/run/mysql/mysql.sock Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 15 Server version: 10.6.10-MariaDB FreeBSD Ports Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. root@localhost [(none)]> bye; ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'bye' at line 1 root@localhost [(none)]> quit Bye
root@mariadb:/ # mysql -u root -S /var/run/mysql/mysql.sock -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 16 Server version: 10.6.10-MariaDB FreeBSD Ports Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. root@localhost [(none)]>
Dans ce cas, vous pouvez attribuer la valeur
disable à ip4 et ip6 de votre jail et l'isoler ainsi complètement du réseau.
david