I am trying to enable SSL on MariaDB in a Docker container. I made the following changes in the /etc/mysql/my.cnf file:
ssl-ca=/etc/certs/client-cert.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem
ssl_ca=/etc/certs/client-cert.pem
ssl_cert=/etc/certs/server-cert.pem
ssl_key=/etc/certs/server-key.pem
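Note: I used variable names with both - and _ because I am not sure which scheme to use.
I have also placed the certificates at the paths mentioned above. Here is the result of "show variables like '%ssl%';":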
MariaDB [(none)]> show variables like '%ssl%';
+---------------------+----------------------------+
| Variable_name       | Value                      |
+---------------------+----------------------------+
| have_openssl        | YES                        |
| have_ssl            | YES                        |
| ssl_ca              | /etc/certs/client-cert.pem |
| ssl_capath          |                            |
| ssl_cert            | /etc/certs/server-cert.pem |
| ssl_cipher          |                            |
| ssl_crl             |                            |
| ssl_crlpath         |                            |
| ssl_key             | /etc/certs/server-key.pem  |
| version_ssl_library | OpenSSL 1.1.0g 2 Nov 2017  |
+---------------------+----------------------------+
10 rows in set (0.001 sec)
But this is what I get when I run the "status" command on the mysql command line:
MariaDB [(none)]> status
--------------
mysql Ver 15.1 Distrib 10.3.9-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
Connection id: 42
Current database:
Current user: root@localhost
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 10.3.9-MariaDB-1:10.3.9+maria~bionic mariadb.org binary distribution
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: latin1
Conn. characterset: latin1
UNIX socket: /var/run/mysqld/mysqld.sock
Uptime: 5 min 52 sec
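It says SSL is not in use. Now I am not sure whether SSL is enabled or whether I am missing a flag. How can I tell whether it is enabled?
Here is the complete my.cnf file: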
# MariaDB database server configuration file.
#
# You can copy this file to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
# Here is entries for some specific programs
# The following values assume you have at least 32M ram
# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
#
# * Basic Settings
#
# user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc_messages_dir = /usr/share/mysql
lc_messages = en_US
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
# bind-address = 127.0.0.1
#
# * Fine Tuning
#
max_connections = 100
connect_timeout = 5
wait_timeout = 600
max_allowed_packet = 16M
thread_cache_size = 128
sort_buffer_size = 4M
bulk_insert_buffer_size = 16M
tmp_table_size = 32M
max_heap_table_size = 32M
#
# * MyISAM
#
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched. On error, make copy and try a repair.
myisam_recover_options = BACKUP
key_buffer_size = 128M
# open-files-limit = 2000
table_open_cache = 400
myisam_sort_buffer_size = 512M
concurrent_insert = 2
read_buffer_size = 2M
read_rnd_buffer_size = 1M
#
# * Query Cache Configuration
#
# Cache only tiny result sets, so we can fit more in the query cache.
query_cache_limit = 128K
query_cache_size = 64M
# for more write intensive setups, set to DEMAND or OFF
# query_cache_type = DEMAND
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
# general_log_file = /var/log/mysql/mysql.log
# general_log = 1
#
# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
#
# we do want to know about network errors and such
# log_warnings = 2
#
# Enable the slow query log to see queries with especially long duration
# slow_query_log[={0|1}]
slow_query_log_file = /var/log/mysql/mariadb-slow.log
long_query_time = 10
# log_slow_rate_limit = 1000
# log_slow_verbosity = query_plan
# log-queries-not-using-indexes
# log_slow_admin_statements
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
# server-id = 1
# report_host = master1
# auto_increment_increment = 2
# auto_increment_offset = 1
# log_bin = /var/log/mysql/mariadb-bin
# log_bin_index = /var/log/mysql/mariadb-bin.index
# not fab for performance, but safer
# sync_binlog = 1
expire_logs_days = 10
max_binlog_size = 100M
# slaves
# relay_log = /var/log/mysql/relay-bin
# relay_log_index = /var/log/mysql/relay-bin.index
# relay_log_info_file = /var/log/mysql/relay-bin.info
# log_slave_updates
# read_only
#
# If applications support it, this stricter sql_mode prevents some
# mistakes like inserting invalid dates etc.
# sql_mode = NO_ENGINE_SUBSTITUTION,TRADITIONAL
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
default_storage_engine = InnoDB
# you can't just change log file size, requires special procedure
# innodb_log_file_size = 50M
innodb_buffer_pool_size = 256M
innodb_log_buffer_size = 8M
innodb_file_per_table = 1
innodb_open_files = 400
innodb_io_capacity = 400
innodb_flush_method = O_DIRECT
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
ssl-ca=/etc/certs/client-cert.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem
ssl_ca=/etc/certs/client-cert.pem
ssl_cert=/etc/certs/server-cert.pem
ssl_key=/etc/certs/server-key.pem
#
# * Galera-related settings
#
[galera]
# Mandatory settings
# wsrep_on=ON
# wsrep_provider=
# wsrep_cluster_address=
# binlog_format=row
# default_storage_engine=InnoDB
# innodb_autoinc_lock_mode=2
#
# Allow server to accept connections on all interfaces.
#
# bind-address=0.0.0.0
#
# Optional setting
# wsrep_slave_threads=1
# innodb_flush_log_at_trx_commit=0
[mysqldump]
quick
quote-names
max_allowed_packet = 16M
[mysql]
# no-auto-rehash # faster start of mysql but no tab completion
[isamchk]
key_buffer = 16M
#
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
#
!include /etc/mysql/mariadb.cnf
!includedir /etc/mysql/conf.d/
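Added example, not part of the original post or its answer: a Python check that reads the kinds of output shown in the question and reports separately whether the server has TLS enabled (`have_ssl`) and whether the current client session is encrypted (the `SSL:` line of `status`), and that flags options set twice under both the `-` and `_` spellings. The sample strings are abridged copies constructed from the question's output, and all function names are hypothetical.

```python
import re

# Constructed samples, abridged from the output and my.cnf shown in the question.
SHOW_VARIABLES = """\
| have_ssl | YES |
| ssl_ca | /etc/certs/client-cert.pem |
| ssl_cert | /etc/certs/server-cert.pem |
"""
STATUS = """\
SSL: Not in use
Connection: Localhost via UNIX socket
"""
MY_CNF = """\
[mysqld]
ssl-ca=/etc/certs/client-cert.pem
ssl_ca=/etc/certs/client-cert.pem
ssl-key=/etc/certs/server-key.pem
"""

def parse_variables(text):
    # Turn '| name | value |' rows of SHOW VARIABLES output into a dict.
    return dict(re.findall(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|\s*$", text, re.M))

def parse_status(text):
    # Turn 'Key: value' lines of the client's status output into a dict.
    return dict(re.findall(r"^([^:\n]+):[ \t]*(.*)$", text, re.M))

def duplicate_options(cnf):
    # MariaDB/MySQL option files accept '-' and '_' interchangeably in option
    # names, so both spellings set the same option. Assumes a single section.
    seen, dups = set(), []
    for line in cnf.splitlines():
        if "=" not in line or line.lstrip().startswith(("#", "[", "!")):
            continue
        name = line.split("=", 1)[0].strip().replace("-", "_")
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups

def assess(variables, status):
    # 'Server has TLS enabled' and 'this session is encrypted' are separate facts.
    conn = status.get("Connection", "")
    return {
        "server_tls_enabled": variables.get("have_ssl") == "YES",
        "session_encrypted": status.get("SSL", "Not in use") != "Not in use",
        "transport": "tcp" if "TCP/IP" in conn
                     else "unix_socket" if "UNIX socket" in conn else "unknown",
    }
```

With the question's data, `assess` reports the server as TLS-enabled while the session itself, made over the UNIX socket, is unencrypted.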
1 Answer
I can't reproduce the problem: