Tony Breeds wrote:
On Tue, 19 Dec 2023 at 21:25, ddorra@t-online.de ddorra@t-online.de wrote:
> Hello,
> I can't connect to my trove mysql DB from an instance in a selfservice network.
> Strange thing is I CAN connect to the trove instance via ssh:
>
>     ubuntu@dozbox2:~$ telnet 192.168.0.176 22
>     Trying 192.168.0.176...
>     Connected to 192.168.0.176.
>     Escape character is '^]'.
>     SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7
>
> But I CANNOT reach the DB port on the trove instance:
>
>     ubuntu@box2:~$ telnet 192.168.0.176 3306
>     Trying 192.168.0.176...
>     telnet: Unable to connect to remote host: No route to host
>
> Within the Trove instance I CAN work with the client...
>
>     root@ms3:/var/log/trove# mysql -h 192.168.0.176 -u dbadmin -p -P 3306
>     Enter password:
>     Welcome to the MySQL monitor.  Commands end with ; or \g.
>     Your MySQL connection id is 331

I don't know much about trove but I wonder if the database process is only listening on localhost? That would explain the behaviour you're seeing.
Yes I think that this is the right direction. For some time now Trove installs the DB into a docker container.

    root@ms57plain:~# docker ps
    CONTAINER ID   IMAGE          COMMAND                  CREATED          STATUS          PORTS   NAMES
    ac9694b81e61   mysql:5.7.29   "docker-entrypoint.s…"   36 minutes ago   Up 36 minutes           database
    root@ms57plain:~#

I wonder why no ports are shown... maybe this is managed by iptables rules? Surprisingly I see no listening to port 3306 via tcp on host level.

    root@ms57plain:~# netstat -anp
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      3867/systemd-resolv
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1074/sshd
    tcp        0      0 10.10.10.84:54326       10.0.0.120:5672         ESTABLISHED 1002/python3
    tcp        0    304 10.9.9.126:22           10.9.9.128:47442        ESTABLISHED 5157/sshd: root@pts
    tcp        0      0 10.9.9.126:22           10.9.9.128:57180        ESTABLISHED 5054/sshd: root@pts
    tcp        0      0 10.10.10.84:44266       10.0.0.120:5672         ESTABLISHED 1002/python3
    tcp6       0      0 :::3306                 :::*                    LISTEN      4881/mysqld
    tcp6       0      0 :::22                   :::*                    LISTEN      1074/sshd

But the docker config shows the 3306:

    root@ms57plain:~# docker inspect ac9694b81e61
    [
        {
            ......
            "AttachStderr": false,
            "ExposedPorts": {
                "3306/tcp": {},
                "33060/tcp": {}
            },
            "Tty": false,
            .....

I'm wondering that ssh is explicitly mentioned in the iptables rules due to security group settings - but 3306 is missing?? Bug or feature??

    root@ms57plain:~# iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N DOCKER
    -N DOCKER-ISOLATION-STAGE-1
    -N DOCKER-ISOLATION-STAGE-2
    -N DOCKER-USER
    -N openstack-INPUT
    -A INPUT -j openstack-INPUT
    -A FORWARD -j DOCKER-USER
    -A FORWARD -j DOCKER-ISOLATION-STAGE-1
    -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -o docker0 -j DOCKER
    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
    -A FORWARD -i docker0 -o docker0 -j ACCEPT
    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
    -A DOCKER-ISOLATION-STAGE-1 -j RETURN
    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
    -A DOCKER-ISOLATION-STAGE-2 -j RETURN
    -A DOCKER-USER -j RETURN
    -A openstack-INPUT -i lo -j ACCEPT
    -A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    -A openstack-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
    -A openstack-INPUT -s 172.24.4.0/23 -p udp -m udp --dport 69 -j ACCEPT
    -A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
    -A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 80 -j ACCEPT
    -A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8000 -j ACCEPT
    -A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8003 -j ACCEPT
    -A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8004 -j ACCEPT

Any Ideas?

BR
Dieter
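As an added example (not from the thread or from Trove), the check Dieter did by eye: parse `iptables -S` and `netstat -anp` output, follow the INPUT jump into openstack-INPUT, and list the listening TCP ports that have no per-port ACCEPT rule on that path. The sample input is trimmed from the output quoted above; the chain policy and any trailing REJECT rule are deliberately not modelled, so the result flags a missing ACCEPT rule rather than proving the packet is rejected.

```python
import re

# Constructed sample input, trimmed from the iptables -S / netstat -anp output in the thread.
IPTABLES_S = """\
-A INPUT -j openstack-INPUT
-A openstack-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
"""
NETSTAT_ANP = """\
tcp        0      0 0.0.0.0:22      0.0.0.0:*   LISTEN   1074/sshd
tcp6       0      0 :::3306         :::*        LISTEN   4881/mysqld
tcp6       0      0 :::22           :::*        LISTEN   1074/sshd
"""

def parse_rules(text):
    """Map chain name -> list of (dport, source, target) taken from -A lines."""
    chains = {}
    for m in filter(None, (re.match(r"-A (\S+) (.*)", ln) for ln in text.splitlines())):
        chain, body = m.groups()
        grab = lambda pat: (re.search(pat, body) or (None, None))[1]
        dport = grab(r"--dport (\d+)")
        chains.setdefault(chain, []).append(
            (int(dport) if dport else None, grab(r"(?:^| )-s (\S+)") or "any",
             grab(r"-j (\S+)")))
    return chains

def accepted_tcp_ports(chains, chain="INPUT"):
    """Follow jumps from INPUT; return {dport: allowed source} of ACCEPT rules."""
    allowed = {}
    for dport, src, target in chains.get(chain, []):
        if target == "ACCEPT" and dport is not None:
            allowed.setdefault(dport, src)
        elif target in chains:  # jump into a user-defined chain such as openstack-INPUT
            allowed.update(accepted_tcp_ports(chains, target))
    return allowed

def listening_tcp_ports(text):
    """{port: program} for TCP sockets in LISTEN state in netstat -anp output."""
    ports = {}
    for f in (ln.split() for ln in text.splitlines()):
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            ports[int(f[3].rsplit(":", 1)[1])] = f[6]
    return ports

def unreachable_listeners(iptables_text, netstat_text):
    """Listeners with no per-port ACCEPT on the INPUT path (policy/REJECT not modelled)."""
    allowed = accepted_tcp_ports(parse_rules(iptables_text))
    return {p: prog for p, prog in listening_tcp_ports(netstat_text).items()
            if p not in allowed}
```

On the quoted output this reports only 3306 (mysqld): sshd on 22 is explicitly accepted, which is exactly the asymmetry the thread is asking about.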