无法通过密钥环文件启用加密

Question

好的，我正在按照官方 Mysql 文档在 docker 上的 mysql 数据库上启用加密：

• 使用 keyring_file 基于文件的插件
• 钥匙圈插件安装
• 密钥环文件数据

这就是我所做的：

1. 添加了和early-plugin-load（我使用了mysql docker 映像没有文本编辑器），所以现在是：keyring_file_data/etc/mysql/my.cnfecho stuff >> file

[mysqld]
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
datadir         = /var/lib/mysql
secure-file-priv= NULL
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0

# Custom config should go here
!includedir /etc/mysql/conf.d/
early-plugin-load=keyring_file.so
keyring_file_data=/usr/local/mysql/mysql-keyring/keyring

1. 创建了密钥环文件

[mysqld]
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
datadir         = /var/lib/mysql
secure-file-priv= NULL
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0

# Custom config should go here
!includedir /etc/mysql/conf.d/
early-plugin-load=keyring_file.so
keyring_file_data=/usr/local/mysql/mysql-keyring/keyring

2. 重新启动容器以重新启动mysql
3. 连接到 mysql 并检查插件可用性（没有运气）

cd /usr/local/mysql
mkdir mysql-keyring
chmod 750 mysql-keyring
chown mysql mysql-keyring
chgrp mysql mysql-keyring

4. 检查日志是否有错误：

2020-03-15T12:30:08.669015Z 0 [ERROR] [MY-011370] [Server] Plugin keyring_file reported: 'File '/usr/local/mysql/mysql-keyring/keyring' not found (OS errno 20 - Not a directory)'
2020-03-15T12:30:08.669036Z 0 [ERROR] [MY-011355] [Server] Plugin keyring_file reported: 'keyring_file initialization failure. Please check if the keyring_file_data points to readable keyring file or keyring file can be created in the specified location. The keyring_file will stay unusable until correct path to the keyring file gets provided'
2020-03-15T12:30:08.669053Z 0 [ERROR] [MY-010202] [Server] Plugin 'keyring_file' init function returned error.

所以看起来我正确启用了该插件，但文件有问题。

我错过了一些步骤吗？

密钥环文件

root@8c3670db35d4:/# ls -la /usr/local/mysql/mysql-keyring/
total 8
drwxr-s--- 2 mysql mysql 4096 Mar 15 12:34 .
drwxr-sr-x 3 root  staff 4096 Mar 15 12:33 ..
-rw-r----- 1 mysql mysql    0 Mar 15 12:34 keyring

Answer 1

您确定在容器内正确创建了密钥环文件吗？这就是我如何使用正确制作的 Dockerfile 来实现上述目标。

1. 为您的图像项目创建一个文件夹（使用您喜欢的任何文件夹）

   mkdir /tmp/testMysqlKeyring
   cd /tmp/testMysqlKeyring
   

2. 创建一个 mysql keyring dropin 配置文件，keyring.cnf内容如下：

   [mysqld]
   early-plugin-load=keyring_file.so
   keyring_file_data=/usr/local/mysql/mysql-keyring/keyring
   

3. 创建一个Dockerfile包含以下内容的

   FROM mysql:8
   
   # Place the dropin config file in the relevant folder
   COPY keyring.cnf /etc/mysql/conf.d/
   
   # Create the keyring folder and adapt perms
   RUN mkdir -p /usr/local/mysql/mysql-keyring && \
       chmod 750 /usr/local/mysql/mysql-keyring && \
       chown mysql.mysql /usr/local/mysql/mysql-keyring
   

4. 从上面的配置构建图像：

   docker build -t file_keyringed_mysql:latest .
   

5. 从该映像运行一个容器（稍后您将适应您的确切卷和环境......）

   docker run -d --rm --name my_keyring_test -e MYSQL_ALLOW_EMPTY_PASSWORD=true file_keyringed_mysql:latest
   

6. 检查插件是否正确安装在容器内

   $ docker exec my_keyring_test mysql -e "SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%';"
   PLUGIN_NAME     PLUGIN_STATUS
   keyring_file    ACTIVE