Unless you keep your computer disconnected from any network and under a secure lock, there will always be potential for security compromise.
This article explains an isolated and much more secure MySQL setup layout. The container VPS for the “database node” was a centos-5-minimal (centos-5-i386-minimal.tar.gz) and was not assigned any IP address, for added security. Here is the complete solution.
To install MySQL inside the “database node”:
[root@centos ~]# vzyum 103 install mysql-server -y
The article at the OpenVZ Wiki was helpful in the overall planning, but I did not like the idea of a cron script:
- Expensive polling; it is a waste of resources.
- There will be downtime until the next cron run.
So I kept experimenting for a better solution. I tried mounting /vz/private/103/var/lib/mysql/ into the “web node”, but it did not work flawlessly. My next attempt, with a common shared directory, worked like a charm.
I created a common shared location /vz/shared and had it mounted as /shared in each VPS using a mount script (you must chmod the mount scripts to 755).
Content of /etc/vz/conf/101.mount (web node)
Content of /etc/vz/conf/102.mount (web node)
Content of /etc/vz/conf/103.mount (database node)
#!/bin/bash
# Mount script to bind-mount /vz/shared into a VPS as /shared
# Suggested by Sudhaker Raj (http://sudhaker.com)
[ -f /etc/vz/vz.conf ] || exit 1
[ -f "$VE_CONFFILE" ] || exit 1
. /etc/vz/vz.conf
. "$VE_CONFFILE"
echo -n "Mounting shared directory inside $VEID..."
if [[ -d /vz/shared ]]
then
    mkdir -p "$VE_ROOT/shared"
    mount -n --bind /vz/shared "$VE_ROOT/shared"
    echo " done"
else
    echo " failed"
fi
The next step was to change the MySQL socket location from /var/lib/mysql/mysql.sock to /shared/mysql/mysql.sock.
Content of /vz/private/101/etc/my.cnf
Content of /vz/private/102/etc/my.cnf
Content of /vz/private/103/etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
#socket=/var/lib/mysql/mysql.sock
socket=/shared/mysql/mysql.sock

[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

[client]
socket=/shared/mysql/mysql.sock
And do not forget to make the relevant changes in php.ini and any other applications using MySQL.
Bingo! Now both “web nodes” can communicate with the MySQL server running inside the isolated container as if it were local.
We also need correct permissions on the shared directory so that processes on the other nodes can access the socket.
[root@vz103 ~]# chmod o+rx /shared/mysql
[root@vz103 ~]# ls -l /shared/
total 8
drwxr-xr-x 2 mysql mysql 4096 Apr 5 15:44 mysql
drwxr-xr-x 2 root root 4096 Apr 3 15:03 tmp
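As an added example (not part of the original post), here is a small POSIX shell check for the permission problem just described: it walks every directory above the socket and verifies that a client on a web node, which is neither root nor the mysql user, can search its way down to the socket, then confirms the endpoint really is a unix socket. The function name and exit codes are my own choice.

```shell
#!/bin/sh
# Added example, not from the original post: check that a unix socket shared
# between OpenVZ containers through a bind mount can be reached by a client
# running as "other". Every directory on the way to the socket must be
# searchable (x bit) by other, which is why the post runs
# "chmod o+rx /shared/mysql" on the database node; a missing bit shows up on
# the web node as ERROR 2002.
#
# Exit codes: 0 reachable, 2 an ancestor directory is missing or not
# world-searchable, 3 the path exists but is not a unix socket.
check_socket_path() {
    sock="$1"
    # Work with an absolute path so the walk up to / terminates.
    case "$sock" in /*) ;; *) sock="$PWD/$sock" ;; esac
    dir=$(dirname "$sock")
    while [ "$dir" != "/" ]; do
        [ -d "$dir" ] || { echo "missing directory: $dir"; return 2; }
        # Columns 1-10 of ls -ld are the mode string, e.g. drwxr-xr-x;
        # column 10 is the "other" execute bit (t when sticky is also set).
        mode=$(ls -ld "$dir" | cut -c1-10)
        case "$mode" in
            ?????????[xt]) ;;
            *) echo "not searchable by other: $dir ($mode)"; return 2 ;;
        esac
        # A world-writable directory without the sticky bit lets any process
        # that sees the mount remove and recreate the socket; flag it.
        case "$mode" in
            ????????w[x-]) echo "warning: $dir is world-writable ($mode)" ;;
        esac
        dir=$(dirname "$dir")
    done
    [ -S "$sock" ] || { echo "not a unix socket: $sock"; return 3; }
    echo "ok: $sock is reachable"
    return 0
}

# Typical use on a web node, after the database node's mysqld has created
# the socket under the shared bind mount:
#   check_socket_path /shared/mysql/mysql.sock
```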
Cheers,
Sudhaker
Responses to “Isolated MySQL Installation inside OpenVZ Cluster”
May 14th, 2008 at 10:47 am
Not sure why, but it does not work if you mount a folder from the /vz/private/* path.
It shows the same inode number but does not work.
I got it working only after mounting a shared folder (/vz/shared) in such a way that it makes a common path inside both VZ nodes (i.e. /shared).
If you happen to know the solution, please post back.
April 24th, 2008 at 8:32 pm
I wonder what I’m missing, because I get the following error from other OpenVZ containers, when trying to connect to the shared socket:
ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/mnt/socket/mysqld/mysqld.sock’ (111)
# From another container:
# ls -l /mnt/socket/mysqld/*
-rw-rw---- 1 102 102 4 Apr 25 04:25 /mnt/socket/mysqld/mysqld.pid
srwxrwxrwx 1 102 102 0 Apr 25 04:25 /mnt/socket/mysqld/mysqld.sock=
“ls -i” displays the same inode for the socket file.
Any hint?
(using Ubuntu Hardy, AMD64, OpenVZ kernel from Git)