说明:
- MySql社区版的加密方式只支持keyring_file的方式;
- 目前我找到的加密只能针对表来,不能针对整个库使用。
1. 宿主机创建映射目录
正常情况下,我个人喜欢创建两个目录,一个映射配置文件,一个映射存储文件。
映射配置文件
sudo mkdir -p /opt/mysql/config映射存储文件
sudo mkdir -p /data/mysql/data
2. 创建映射配置文件
从其他地方拷贝两个映射文件my.cnf,mysql.cnf。这个建议从你自己的镜像里面拷贝。具体拷贝方法,请移步从镜像中拷贝my.cnf,mysql.cnf。
1)my.cnf文件
# Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# The MySQL Server configuration file.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
[mysqld]
# 配置加密方式使用keyring_file
early-plugin-load=keyring_file.so
# 配置加密需要的keyring地址,如果没有会默认创建,但是需要有目录权限
keyring_file_data=/opt/mysql/mysql-keyring/keyring
# 设置表空间加密
innodb_file_per_table=1
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
datadir = /var/lib/mysql
secure-file-priv= ''
default-time_zone = '+8:00'
sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Custom config should go here
!includedir /etc/mysql/conf.d/
这个文件主要修改的地方如下:
- early-plugin-load=keyring_file.so # 配置加密方式使用keyring_file
- keyring_file_data=/opt/mysql/mysql-keyring/keyring # 配置加密需要的keyring地址,如果没有会默认创建,但是需要有目录权限
- innodb_file_per_table=1 # 设置表空间加密
2)mysql.cnf文件
# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2.0,
# as published by the Free Software Foundation.
#
# This program is also distributed with certain software (including
# but not limited to OpenSSL) that is licensed under separate terms,
# as designated in a particular file or component or in included license
# documentation. The authors of MySQL hereby grant you an additional
# permission to link the program and your derivative works with the
# separately licensed software that they have included with MySQL.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License, version 2.0, for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# The MySQL Client configuration file.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
[mysql]
#sql_mode=STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
这个文件,主要屏蔽了#sql_mode,mysql8以上版本,本机登录会有问题。具体原因没有查找。
3. 配置启动docker容器
sudo docker run --name mysql --restart=always --privileged=true -p 3306:3306 -v /opt/mysql/config/mysql.cnf:/etc/mysql/conf.d/mysql.cnf -v /opt/mysql/config/my.cnf:/etc/mysql/my.cnf -v /data/mysql/data:/var/lib/mysql -v /etc/localtime:/etc/localtime:ro -e MYSQL_ROOT_PASSWORD="root123" -d mysql --lower_case_table_names=1
参数解释:
容器名字:--name mysql
随docker服务启动:--restart=always
给容器授权:--privileged=true
端口映射:-p 3306:3306 #前面为宿主机端口,:后面为容器内部端口
配置文件映射:-v /opt/mysql/mysql3307/config/mysql.cnf:/etc/mysql/conf.d/mysql.cnf -v /opt/mysql/mysql3307/config/my.cnf:/etc/mysql/my.cnf
存储文件映射(目录):-v /data/mysql/data3307:/var/lib/mysql
宿主机与容器内部时间同步:-v /etc/localtime:/etc/localtime:ro
设置MySql密码:-e MYSQL_ROOT_PASSWORD="root123"
设置MySql忽略大小写:--lower_case_table_names=1
其实这个时候,MySql虽然服务已经启动,但是加密的插件没有部署好。是因为“/opt/mysql/mysql-keyring”该目录不存在,而且MySql容器内部默认使用的用户是mysql,不是root,没有目录权限。所以初始化插件失败。
1)进入容器
#查看容器运行情况,找到容器ID
sudo docker ps
NAMES
c66a9075448c mysql "docker-entrypoint.s…" 37 minutes ago
#进入容器
docker exec -it c66a9075448c /bin/bash
2)创建目录,并且更改目录所属用户
mkdir -p /opt/mysql/mysql-keyring
cd /opt/mysql
chmod 750 mysql-keyring
chown mysql mysql-keyring
chgrp mysql mysql-keyring
- 重启MySQL服务
sudo docker restart c66a9075448c
#查询容器是否已运行
sudo docker ps
4. 查询和配置加密方式
1)首先查询加密插件是否已正确配置
#查看容器运行情况,找到容器ID
sudo docker ps
NAMES
c66a9075448c mysql "docker-entrypoint.s…" 37 minutes ago
#进入容器
docker exec -it c66a9075448c /bin/bash
########进入容器后######
mysql -u root -p
##输入密码,进入mysql
######进入mysql后#####
#配置使用mysql库
mysql> use mysql;
#查询插件
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';
+--------------+---------------+
| PLUGIN_NAME | PLUGIN_STATUS |
+--------------+---------------+
| keyring_file | ACTIVE |
+--------------+---------------+
看到上图,表示插件已经正确加载,如果没有加载成功,可以参考MySql的官网文件进行配置。
2)配置加密表
正确的使用方法为:在CREATE TABLE 后面加 ENCRYPTION='Y',如下图所示:
/*
1. 为新表加密
2. 插入数据至新表
3. 取消表加密
4. 开启表加密
5. 查看加密表
*/
mysql> CREATE TABLE mydata.test_1 (id INT primary key,age int) ENCRYPTION='Y';
Query OK, 0 rows affected (0.02 sec)
mysql> insert into test_1 select 9,9;
Query OK, 1 row affected (0.00 sec)
Records: 1 Duplicates: 0 Warnings: 0
mysql> ALTER TABLE mydata.test_1 ENCRYPTION='N';
Query OK, 0 rows affected (0.03 sec)
Records: 0 Duplicates: 0 Warnings: 0
mysql> ALTER TABLE mydata.test_1 ENCRYPTION='Y';
Query OK, 0 rows affected (0.02 sec)
Records: 0 Duplicates: 0 Warnings: 0
mysql> show create table mydata.test_1;select * from mydata.test_1;
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table | Create Table |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| test_1 | CREATE TABLE `test_1` (
`id` int(11) NOT NULL,
`age` int(11) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ENCRYPTION='Y' |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.11 sec)
+----+------+
| id | age |
+----+------+
| 9 | 9 |
+----+------+
1 row in set (0.00 sec)
/*
删除当前的 keyring,使用备份的 keyring 恢复到原路径并重启,此时再查看 mydata.test_1 会查看成功。因为 mydata.test_1 加密解密用的 keyring 一样
*/
[root@localhost ~]# rm -rf /opt/mysql/keyring/3306/keyring
[root@localhost ~]# mv /root/keyring /opt/mysql/keyring/3306/
[root@localhost ~]# systemctl restart mysqld_3306
[root@localhost ~]# mysql -h10.186.63.90 -uroot -p -P3306 -e"show create table mydata.test_1;select * from mydata.test_1;"
Enter password:
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table | Create Table |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| test_1 | CREATE TABLE `test_1` (
`id` int(11) NOT NULL,
`age` int(11) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ENCRYPTION='Y' |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
+----+------+
| id | age |
+----+------+
| 9 | 9 |
+----+------+
3)查询加密表
-- 查看加密的表:
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%';
-- 查看未加密的表:
select concat(TABLE_SCHEMA,".",TABLE_NAME) from INFORMATION_SCHEMA.TABLES where (TABLE_SCHEMA,TABLE_NAME) not in (SELECT TABLE_SCHEMA,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%' and table_schema not in ('information_schema','performance_schema','sys','mysql','universe')) and TABLE_SCHEMA in ('mydata');
5. 采坑较多的问题
问题1:加密插件无论如何配置都不好用?
解答: 我的解决思路如下:
1) 通过 sudo docker logs mysql 查看启动日志,发现如下问题
2020-06-17T06:22:55.048648Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.20) starting as process 1
2020-06-17T06:22:55.055447Z 0 [ERROR] [MY-011370] [Server] Plugin keyring_file reported: 'File '/opt/mysql/mysql-keyring/keyring' not found (OS errno 2 - No such file or directory)'
2020-06-17T06:22:55.055506Z 0 [ERROR] [MY-011355] [Server] Plugin keyring_file reported: 'keyring_file initialization failure. Please check if the keyring_file_data points to readable keyring file or keyring file can be created in the specified location. The keyring_file will stay unusable until correct path to the keyring file gets provided'
2020-06-17T06:22:55.055543Z 0 [ERROR] [MY-010202] [Server] Plugin 'keyring_file' init function returned error.
2)很明显文件和文件夹都没有,按理说应该自动创建,为什么没有创建?是不是权限问题?可以手动创建并授权吗?
然后我手动创建目录/opt/mysql/mysql-keyring/,并授权,解决问题。
问题2:MySql的大小写忽略不好用
1)我已在my.cnf文件中配置 lower_case_table_names=1,但是大小写忽略,就是不能使用。而且服务启动经常失败。我也不知道具体原因。
2) 后面通过服务启动时设置 --lower_case_table_names=1 来解决问题。
网友评论