MariaDB 11.4: Aborted connection to db: 'unconnected' user: 'unauthenticated'

Question  Votes: 0  Answers: 1

So I have an automation that deploys a MariaDB database v.11.4 into a docker container using the bitnami image. In addition, I inject the following configuration file:

[server]
connect_timeout=10
innodb_buffer_pool_size=2415919104
innodb_file_per_table=ON
innodb_flush_method=O_DIRECT
innodb_lock_wait_timeout=50
innodb_log_buffer_size=16777216
innodb_log_file_size=128M
innodb_strict_mode=ON
key_buffer_size=48M
max_allowed_packet=16M
max_connections=150
skip_name_resolve=ON
table_open_cache=2600
require_secure_transport=ON
ssl_cert=/opt/bitnami/mariadb/ssl/certificate.pem
ssl_key=/opt/bitnami/mariadb/ssl/key.pem
ssl_ca=/opt/bitnami/mariadb/ssl/intermediate.pem
ssl_cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_version=TLSv1.2,TLSv1.3
expire_logs_days=1
max_binlog_size=1073741824
log_bin_trust_function_creators=OFF
local_infile=OFF
lock_wait_timeout=86400
max_connect_errors=100
open_files_limit=0
sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
bind-address=0.0.0.0
[client-mariadb]
ssl

But after a few hundred connection attempts the container crashes:

user# docker logs my-container
mariadb 17:56:41.40 INFO  ==> 
mariadb 17:56:41.41 INFO  ==> Welcome to the Bitnami mariadb container
mariadb 17:56:41.41 INFO  ==> Subscribe to project updates by watching https://github.com/bitnami/containers
mariadb 17:56:41.41 INFO  ==> Submit issues and feature requests at https://github.com/bitnami/containers/issues
mariadb 17:56:41.41 INFO  ==> Upgrade to Tanzu Application Catalog for production environments to access custom-configured and pre-packaged software components. Gain enhanced features, including Software Bill of Materials (SBOM), CVE scan result reports, and VEX documents. To learn more, visit https://bitnami.com/enterprise
mariadb 17:56:41.41 INFO  ==> 
mariadb 17:56:41.42 INFO  ==> ** Starting MariaDB setup **
mariadb 17:56:41.43 INFO  ==> Validating settings in MYSQL_*/MARIADB_* env vars
mariadb 17:56:41.44 INFO  ==> Initializing mariadb database
mariadb 17:56:41.45 INFO  ==> Updating 'my.cnf' with custom configuration
mariadb 17:56:41.45 INFO  ==> Setting slow_query_log option
mariadb 17:56:41.46 INFO  ==> Setting long_query_time option
mariadb 17:56:41.46 INFO  ==> Injecting custom configuration 'my_custom.cnf'
mariadb 17:56:41.46 INFO  ==> Installing database
/opt/bitnami/mariadb/bin/mysql: Deprecated program name. It will be removed in a future release, use '/opt/bitnami/mariadb/bin/mariadb' instead
mariadb 17:56:43.51 INFO  ==> Starting mariadb in background
2024-08-12 17:56:43 0 [Note] Starting MariaDB 11.4.2-MariaDB-log source revision 3fca5ed772fb75e3e57c507edef2985f8eba5b12 as process 111
2024-08-12 17:56:43 0 [Note] InnoDB: Compressed tables use zlib 1.2.13
2024-08-12 17:56:43 0 [Note] InnoDB: Number of transaction pools: 1
2024-08-12 17:56:43 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
2024-08-12 17:56:43 0 [Note] mysqld: O_TMPFILE is not supported on /opt/bitnami/mariadb/tmp (disabling future attempts)
2024-08-12 17:56:43 0 [Note] InnoDB: Using Linux native AIO
2024-08-12 17:56:43 0 [Note] InnoDB: Initializing buffer pool, total size = 2.250GiB, chunk size = 36.000MiB
2024-08-12 17:56:43 0 [Note] InnoDB: Completed initialization of buffer pool
2024-08-12 17:56:43 0 [Note] InnoDB: Buffered log writes (block size=512 bytes)
2024-08-12 17:56:43 0 [Note] InnoDB: End of log at LSN=47763
2024-08-12 17:56:43 0 [Note] InnoDB: Opened 3 undo tablespaces
2024-08-12 17:56:43 0 [Note] InnoDB: 128 rollback segments in 3 undo tablespaces are active.
2024-08-12 17:56:43 0 [Note] InnoDB: Setting file './ibtmp1' size to 12.000MiB. Physically writing the file full; Please wait ...
2024-08-12 17:56:43 0 [Note] InnoDB: File './ibtmp1' size is now 12.000MiB.
2024-08-12 17:56:43 0 [Note] InnoDB: log sequence number 47763; transaction id 14
2024-08-12 17:56:43 0 [Note] Plugin 'FEEDBACK' is disabled.
2024-08-12 17:56:43 0 [Note] Plugin 'wsrep-provider' is disabled.
2024-08-12 17:56:43 0 [Note] InnoDB: Loading buffer pool(s) from /bitnami/mariadb/data/ib_buffer_pool
2024-08-12 17:56:43 0 [Note] InnoDB: Buffer pool(s) load completed at 240812 17:56:43
2024-08-12 17:56:43 0 [Note] Server socket created on IP: '127.0.0.1'.
2024-08-12 17:56:43 0 [Warning] 'user' entry 'root@67ff831aa227' ignored in --skip-name-resolve mode.
2024-08-12 17:56:43 0 [Warning] 'proxies_priv' entry '@% root@67ff831aa227' ignored in --skip-name-resolve mode.
2024-08-12 17:56:43 0 [Note] mysqld: Event Scheduler: Loaded 0 events
2024-08-12 17:56:43 0 [Note] /opt/bitnami/mariadb/sbin/mysqld: ready for connections.
Version: '11.4.2-MariaDB-log'  socket: '/opt/bitnami/mariadb/tmp/mysql.sock'  port: 3306  Source distribution
2024-08-12 17:56:45 4 [Warning] Aborted connection 4 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
2024-08-12 17:56:47 5 [Warning] Aborted connection 5 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
2024-08-12 17:56:49 6 [Warning] Aborted connection 6 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
2024-08-12 17:56:51 7 [Warning] Aborted connection 7 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
2024-08-12 17:56:53 8 [Warning] Aborted connection 8 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
2024-08-12 17:56:55 9 [Warning] Aborted connection 9 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
....
....
mariadb 18:06:56.90 ERROR ==> Timed out waiting for MySQL to be accessible
mariadb 18:06:56.90 INFO  ==> Stopping mariadb
2024-08-12 18:06:56 0 [Note] /opt/bitnami/mariadb/sbin/mysqld (initiated by: unknown): Normal shutdown
2024-08-12 18:06:56 0 [Note] InnoDB: FTS optimize thread exiting.
2024-08-12 18:06:56 0 [Note] InnoDB: Starting shutdown...
2024-08-12 18:06:56 0 [Note] InnoDB: Dumping buffer pool(s) to /bitnami/mariadb/data/ib_buffer_pool
2024-08-12 18:06:56 0 [Note] InnoDB: Buffer pool(s) dump completed at 240812 18:06:56
2024-08-12 18:06:57 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1"
2024-08-12 18:06:57 0 [Note] InnoDB: Shutdown completed; log sequence number 47763; transaction id 15
2024-08-12 18:06:57 0 [Note] /opt/bitnami/mariadb/sbin/mysqld: Shutdown complete

After some digging, it seems the SSL configuration is what breaks the container, and when the

ssl_cert, ssl_key, ssl_ca, ssl_cipher, tls_version
parameters are left out of the configuration file, the deployment succeeds. I know SSL is now enabled by default, but I couldn't find any hint in the release notes that a self-signed certificate cannot be configured, nor any updated way of configuring it.

Note that if I use bitnami's mariadb:10.11 image, the deployment works perfectly with exactly the same configuration file.

Can anyone tell me what changed about SSL in 11.4?

I also tried the 11.4.2 image, which I now see is almost the same... The goal, of course, is a healthy docker container running a mariadb 11.4 server with self-signed SSL.

docker mariadb
1 answer
0
votes

For security reasons, peer certificate verification is enabled by default in MariaDB Server 11.4 (and MariaDB Connector/C 3.4). This also affects self-signed certificates.

If the client receives a self-signed peer certificate from the MariaDB server, verification will fail, except in the following cases:

  • If the connection between client and server is considered secure, e.g.
    • unix_socket is used for client/server communication
    • the hostname is localhost (Windows only), 127.0.0.1 or ::1
  • The specified fingerprint matches the fingerprint of the peer certificate (see below)
  • The client can verify the certificate using the account password, if
    • the account has a password
    • the authentication plugin is "TLS-safe", i.e. one of mysql_native_password, ed25519, parsec.

The fingerprint is a cryptographic hash (SHA-256, SHA-384 or SHA-512) of the binary data of the peer certificate. Expired or revoked certificates will not be accepted even if the fingerprint matches.

To obtain the fingerprint of the server certificate, you can use the openssl or certtool (gnutls) command line clients on the server host:

$ openssl x509 -noout -fingerprint -sha384 -inform pem -in /path/server-cert.pem
sha384 Fingerprint=C1:38:FD:6B:9B:A9:99:5A:E1:EF:08:00:34:A6:08:46:FA:A5:97:05:FD:62:EB:91:C7:BA:B6:73:BF:C6:D5:C2:0D:6A:D7:22:99:8D:8A:DE:C3:9C:5E:C6:5D:96:F6:63

$ certtool --fingerprint --hash=sha384 --infile=/path/server-cert.pem
c138fd6b9ba9995ae1ef080034a60846faa59705fd62eb91c7bab673bfc6d5c20d6ad722998d8adec39c5ec65d96f663

If your client doesn't support fingerprint verification, a dirty hack (recommended for testing purposes only) is to add the server certificate to an intermediate CA and load this CA on the client.

Regarding your configuration file: unless you want to test or benchmark different cipher suites, never specify cipher suites via ssl_cipher. In your case you are combining TLSv1.3 with TLSv1.2 ciphers, which may end up in an error depending on the TLS library used. If you really need to use a certain cipher suite (e.g. POLY_CHACHA on devices without hardware acceleration), you should change it in the global TLS configuration or the Windows registry (Schannel).
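The fingerprint check the answer describes, worked through as an added example (this is not code from the answer's author, from MariaDB or from Bitnami): it hashes the DER bytes of a certificate with SHA-256, SHA-384 or SHA-512, normalizes a pinned value written in either of the two formats quoted above (openssl's colon-separated uppercase form and certtool's bare lowercase hex), picks the hash algorithm from the pin's length, and compares in constant time. The function names are my own, and the sample "certificate" is constructed arbitrary bytes rather than a real certificate, which is enough because a fingerprint is a hash of the raw DER bytes, not of any parsed field. The two real fingerprints printed in the answer are included to show that both tools describe the same value. Expiry and revocation, which the server-side check also enforces, need a parsed certificate and are not covered here.

```python
"""Fingerprint pinning for a self-signed MariaDB server certificate.

Added example, not code from the original post or from MariaDB. It hashes a
certificate's DER bytes with SHA-256/384/512 and compares the result with a
pinned fingerprint in either the openssl or the certtool output format.
"""
import base64
import hashlib
import hmac
import re

# Hex digest length -> hash name. A fingerprint is a raw hash of the DER
# bytes, so its length alone identifies which permitted algorithm was used.
_ALGO_BY_HEX_LEN = {64: "sha256", 96: "sha384", 128: "sha512"}

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop line breaks and indentation
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der; used here only to build the constructed sample."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes, algo: str = "sha384") -> str:
    """Lowercase hex fingerprint of DER bytes, the way certtool prints it."""
    if algo not in _ALGO_BY_HEX_LEN.values():
        raise ValueError(f"unsupported fingerprint hash: {algo}")
    return hashlib.new(algo, der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Canonical lowercase hex from any of the common printed forms.

    Accepts 'sha384 Fingerprint=C1:38:...' (openssl), 'C1:38:...' and bare
    hex (certtool); rejects anything that is not a SHA-256/384/512 digest.
    """
    value = text.split("=", 1)[1] if "=" in text else text
    hexstr = value.replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr) or len(hexstr) not in _ALGO_BY_HEX_LEN:
        raise ValueError("not a SHA-256/384/512 fingerprint")
    return hexstr


def algorithm_of(normalized: str) -> str:
    """Hash algorithm implied by a normalized fingerprint's length."""
    return _ALGO_BY_HEX_LEN[len(normalized)]


def to_openssl_format(normalized: str) -> str:
    """Render a normalized fingerprint as `openssl x509 -fingerprint` does."""
    pairs = [normalized[i:i + 2].upper() for i in range(0, len(normalized), 2)]
    return f"{algorithm_of(normalized)} Fingerprint=" + ":".join(pairs)


def fingerprint_matches(pem: str, pinned: str) -> bool:
    """True if the certificate in `pem` hashes to the pinned fingerprint.

    The hash algorithm is taken from the pinned value's length, and the
    comparison is constant-time so a wrong pin leaks nothing via timing.
    """
    expected = normalize_fingerprint(pinned)
    actual = fingerprint(pem_to_der(pem), algorithm_of(expected))
    return hmac.compare_digest(actual, expected)


# The two outputs quoted in the answer; both describe the same certificate.
OPENSSL_OUTPUT = (
    "sha384 Fingerprint=C1:38:FD:6B:9B:A9:99:5A:E1:EF:08:00:34:A6:08:46:FA:A5:"
    "97:05:FD:62:EB:91:C7:BA:B6:73:BF:C6:D5:C2:0D:6A:D7:22:99:8D:8A:DE:C3:9C:"
    "5E:C6:5D:96:F6:63"
)
CERTTOOL_OUTPUT = (
    "c138fd6b9ba9995ae1ef080034a60846faa59705fd62eb91c7bab673bfc6d5c2"
    "0d6ad722998d8adec39c5ec65d96f663"
)

# Constructed sample: NOT a real certificate. Arbitrary bytes are enough to
# exercise the pinning logic, since only the raw DER bytes are hashed.
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    pin = fingerprint(SAMPLE_DER, "sha384")
    print("pin (sha384):", to_openssl_format(pin))
    print("match:", fingerprint_matches(SAMPLE_PEM, pin))
    print("tampered:", fingerprint_matches(der_to_pem(SAMPLE_DER + b"!"), pin))
    print("openssl == certtool:",
          normalize_fingerprint(OPENSSL_OUTPUT) == normalize_fingerprint(CERTTOOL_OUTPUT))
```

Pin the value on the client side rather than disabling verification (the MariaDB command-line client of this generation exposes this as --ssl-fp; confirm the option name against your connector's documentation), and rotate the pin whenever the certificate is reissued, since any change to the DER bytes changes the hash.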
