MySql(8.0)基于docker部署(加密存储表空间)

说明:

  • MySql社区版的加密方式只支持keyring_file的方式;
  • 目前我找到的加密只能针对表来,不能针对整个库使用。
1. 宿主机创建映射目录

正常情况下,我个人喜欢创建两个目录,一个映射配置文件,一个映射存储文件。

映射配置文件

sudo mkdir -p /opt/mysql/config

映射存储文件

sudo mkdir -p /data/mysql/data
2. 创建映射配置文件

从其他地方拷贝两个映射文件my.cnf,mysql.cnf。这个建议从你自己的镜像里面拷贝。具体拷贝方法,请移步从镜像中拷贝my.cnf,mysql.cnf。

1)my.cnf文件

# Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA

#
# The MySQL  Server configuration file.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

[mysqld]
# 配置加密方式使用keyring_file
early-plugin-load=keyring_file.so
# 配置加密需要的keyring地址,如果没有会默认创建,但是需要有目录权限
keyring_file_data=/opt/mysql/mysql-keyring/keyring
# 设置表空间加密
innodb_file_per_table=1
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
datadir         = /var/lib/mysql
secure-file-priv= ''
default-time_zone = '+8:00'
sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0

# Custom config should go here
!includedir /etc/mysql/conf.d/

这个文件主要修改的地方如下:

  1. early-plugin-load=keyring_file.so # 配置加密方式使用keyring_file
  2. keyring_file_data=/opt/mysql/mysql-keyring/keyring # 配置加密需要的keyring地址,如果没有会默认创建,但是需要有目录权限
  3. innodb_file_per_table=1 # 设置表空间加密

2)mysql.cnf文件

# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2.0,
# as published by the Free Software Foundation.
#
# This program is also distributed with certain software (including
# but not limited to OpenSSL) that is licensed under separate terms,
# as designated in a particular file or component or in included license
# documentation.  The authors of MySQL hereby grant you an additional
# permission to link the program and your derivative works with the
# separately licensed software that they have included with MySQL.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License, version 2.0, for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA

#
# The MySQL  Client configuration file.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

[mysql]
#sql_mode=STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

这个文件,主要屏蔽了#sql_mode,mysql8以上版本,本机登录会有问题。具体原因没有查找。

3. 配置启动docker容器
sudo docker run --name mysql --restart=always --privileged=true -p 3306:3306 -v /opt/mysql/config/mysql.cnf:/etc/mysql/conf.d/mysql.cnf -v /opt/mysql/config/my.cnf:/etc/mysql/my.cnf -v /data/mysql/data:/var/lib/mysql -v /etc/localtime:/etc/localtime:ro -e  MYSQL_ROOT_PASSWORD="root123" -d mysql --lower_case_table_names=1

参数解释:

容器名字:--name mysql

随docker服务启动:--restart=always

给容器授权:--privileged=true

端口映射:-p 3306:3306 #前面为宿主机端口,:后面为容器内部端口

配置文件映射:-v /opt/mysql/mysql3307/config/mysql.cnf:/etc/mysql/conf.d/mysql.cnf -v /opt/mysql/mysql3307/config/my.cnf:/etc/mysql/my.cnf

存储文件映射(目录):-v /data/mysql/data3307:/var/lib/mysql

宿主机与容器内部时间同步:-v /etc/localtime:/etc/localtime:ro

设置MySql密码:-e MYSQL_ROOT_PASSWORD="root123"

设置MySql忽略大小写:--lower_case_table_names=1

其实这个时候,MySql虽然服务已经启动,但是加密的插件没有部署好。是因为“/opt/mysql/mysql-keyring”该目录不存在,而且MySql容器内部默认使用的用户是mysql,不是root,没有目录权限。所以初始化插件失败。

1)进入容器

#查看容器运行情况,找到容器ID
sudo docker ps
 NAMES
c66a9075448c        mysql                   "docker-entrypoint.s…"   37 minutes ago 
#进入容器
docker exec -it c66a9075448c /bin/bash

2)创建目录,并且更改目录所属用户

mkdir -p /opt/mysql/mysql-keyring
cd /opt/mysql
chmod 750 mysql-keyring
chown mysql mysql-keyring
chgrp mysql mysql-keyring
  1. 重启MySQL服务
sudo docker restart c66a9075448c
#查询容器是否已运行
sudo docker ps
4. 查询和配置加密方式

1)首先查询加密插件是否已正确配置

#查看容器运行情况,找到容器ID
sudo docker ps
 NAMES
c66a9075448c        mysql                   "docker-entrypoint.s…"   37 minutes ago 
#进入容器
docker exec -it c66a9075448c /bin/bash

########进入容器后######
mysql -u root -p
##输入密码,进入mysql

######进入mysql后#####

#配置使用mysql库
mysql> use mysql;
#查询插件
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
       FROM INFORMATION_SCHEMA.PLUGINS
       WHERE PLUGIN_NAME LIKE 'keyring%';
+--------------+---------------+
| PLUGIN_NAME  | PLUGIN_STATUS |
+--------------+---------------+
| keyring_file | ACTIVE        |
+--------------+---------------+

看到上图,表示插件已经正确加载,如果没有加载成功,可以参考MySql的官网文件进行配置。

  1. 官网配置文档:https://dev.mysql.com/doc/refman/8.0/en/keyring-installation.html

2)配置加密表

正确的使用方法为:在CREATE TABLE 后面加 ENCRYPTION='Y',如下图所示:

/*
1. 为新表加密
2. 插入数据至新表
3. 取消表加密
4. 开启表加密
5. 查看加密表
*/

mysql> CREATE TABLE mydata.test_1 (id INT primary key,age int) ENCRYPTION='Y';
Query OK, 0 rows affected (0.02 sec)

mysql> insert into test_1 select 9,9;
Query OK, 1 row affected (0.00 sec)
Records: 1  Duplicates: 0  Warnings: 0

mysql> ALTER TABLE mydata.test_1 ENCRYPTION='N'; 
Query OK, 0 rows affected (0.03 sec)
Records: 0  Duplicates: 0  Warnings: 0

mysql> ALTER TABLE mydata.test_1 ENCRYPTION='Y';
Query OK, 0 rows affected (0.02 sec)
Records: 0  Duplicates: 0  Warnings: 0

mysql> show create table mydata.test_1;select * from mydata.test_1;
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table  | Create Table                                                                                                                                               |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| test_1 | CREATE TABLE `test_1` (
  `id` int(11) NOT NULL,
  `age` int(11) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ENCRYPTION='Y' |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.11 sec)

+----+------+
| id | age  |
+----+------+
|  9 |    9 |
+----+------+
1 row in set (0.00 sec)

/*
删除当前的 keyring,使用备份的 keyring 恢复到原路径并重启,此时再查看 mydata.test_1 会查看成功。因为 mydata.test_1 加密解密用的 keyring 一样
*/

[root@localhost ~]# rm -rf /opt/mysql/keyring/3306/keyring 
[root@localhost ~]# mv /root/keyring /opt/mysql/keyring/3306/
[root@localhost ~]# systemctl restart mysqld_3306
[root@localhost ~]# mysql -h10.186.63.90 -uroot -p -P3306 -e"show create table mydata.test_1;select * from mydata.test_1;"
Enter password: 
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table  | Create Table                                                                                                                                               |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| test_1 | CREATE TABLE `test_1` (
  `id` int(11) NOT NULL,
  `age` int(11) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ENCRYPTION='Y' |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
+----+------+
| id | age  |
+----+------+
|  9 |    9 |
+----+------+

3)查询加密表

-- 查看加密的表:
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%';

-- 查看未加密的表:
select concat(TABLE_SCHEMA,".",TABLE_NAME) from INFORMATION_SCHEMA.TABLES where (TABLE_SCHEMA,TABLE_NAME) not in (SELECT TABLE_SCHEMA,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%' and table_schema not in ('information_schema','performance_schema','sys','mysql','universe')) and TABLE_SCHEMA in ('mydata');
5. 采坑较多的问题
问题1:加密插件无论如何配置都不好用?

解答: 我的解决思路如下:

1) 通过 sudo docker logs mysql 查看启动日志,发现如下问题

2020-06-17T06:22:55.048648Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.20) starting as process 1
2020-06-17T06:22:55.055447Z 0 [ERROR] [MY-011370] [Server] Plugin keyring_file reported: 'File '/opt/mysql/mysql-keyring/keyring' not found (OS errno 2 - No such file or directory)'
2020-06-17T06:22:55.055506Z 0 [ERROR] [MY-011355] [Server] Plugin keyring_file reported: 'keyring_file initialization failure. Please check if the keyring_file_data points to readable keyring file or keyring file can be created in the specified location. The keyring_file will stay unusable until correct path to the keyring file gets provided'
2020-06-17T06:22:55.055543Z 0 [ERROR] [MY-010202] [Server] Plugin 'keyring_file' init function returned error.

2)很明显文件和文件夹都没有,按理说应该自动创建,为什么没有创建?是不是权限问题?可以手动创建并授权吗?

然后我手动创建目录/opt/mysql/mysql-keyring/,并授权,解决问题。

问题2:MySql的大小写忽略不好用

1)我已在my.cnf文件中配置 lower_case_table_names=1,但是大小写忽略,就是不能使用。而且服务启动经常失败。我也不知道具体原因。

2) 后面通过服务启动时设置 --lower_case_table_names=1 来解决问题。

©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 216,470评论 6 501
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 92,393评论 3 392
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 162,577评论 0 353
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 58,176评论 1 292
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 67,189评论 6 388
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 51,155评论 1 299
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 40,041评论 3 418
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 38,903评论 0 274
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 45,319评论 1 310
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 37,539评论 2 332
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 39,703评论 1 348
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 35,417评论 5 343
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 41,013评论 3 325
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 31,664评论 0 22
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 32,818评论 1 269
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 47,711评论 2 368
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 44,601评论 2 353