[SOLVED] MySQL Remote access forbidden only to a specific client
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
MySQL Remote access forbidden only to a specific client
Hi,
I'm hit by a weird problem which is preventing a single specific instance of mysql-client to connect to a remote mysql-server. Connecting a client from other hosts to the same server works.
Details of setup:
A MySQL server is located at central.hwcharts.com; it is the master of a basic master-slave replication which replicates toward host0.hwcharts.com, located on a different physical machine which virtualizes (OpenVZ) the VM where the slave runs in.
The replication itself works flawlessly, but the problem is that a mysql-client launched from the "slave" machine cannot connect to the master:
Code:
mysql -h central.hwcharts.com -u hwcharts -pvery-long-pass hwcharts
ERROR 2003 (HY000): Can't connect to MySQL server on 'central.hwcharts.com' (111)
The same exact command executed from two other generic machines works OK and successfully connects to the master DB. Details on picture:
Code:
+---------------------------------------------------------------------+
+--------------------+ | host0.hwcharts.com |
|central.hwcharts.com| |---------------------------------------------------------------------|
|--------------------| | |
| | | +-----+ +--------+ +-------------+ |
| MySQL master |-------->| NAT |---+--->| OpenVZ |---+--->| MySQL slave | |
| | | +-----+ | +--------+ | +-------------+ |
+--------------------+ | | | +------------------------------+ |
| | | | another generic VM | |
| | +--->| MySLQ-client works from here | |
| | +----------------------------- + |
| | |
| | +------------------------------+ |
| | | generic physical computer | |
| +--->| MySLQ-client works from here | |
| +------------------------------+ |
| |
+---------------------------------------------------------------------+
central.hwcharts.com is a rented VPS on its own; host0.hwcharts.com instead maps the IP to my home modem.
MySQL version is 5.5.31 on every machine, for both client and server software.
Operating systems are:
$ telnet central.hwcharts.com 3306
Trying 75.127.3.156...
Connected to central.hwcharts.com.
Escape character is '^]'.
Y
5.5.31-1~dotdeb.0-logBq3IUNf�*b2o\^DxSrd!mysql_native_password
Wild guess: MySQL-slave-server does not have proper nameserver configured. The master-slave replication is done with ip-adress not hostname.
---
Edit: Sorry didn't see your reply, obviously hostname lookup works fine.
Last edited by pingu; 01-21-2014 at 08:51 AM.
Reason: Oops...
$ mysql -h central.hwcharts.com -uroot -p -e "use mysql; select User, Host from user;"
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on 'central.hwcharts.com' (111)
Executed from one of the "generic" VM, from inside the same OpenVZ host:
Code:
$ mysql -h central.hwcharts.com -uroot -p -e "use mysql; select User, Host from user;"
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'87.19.245.199' (using password: YES)
Are you sure replication works?
It is not enough checking SHOW SLAVE STATUS, to be absolutely sure you have to check the records in slave's db.
Can you connect to slaves db with mysql client on itself?
@pingu
I've checked right now, replication works: any change to master's tables (hwcharts.*) is immediately propagated to the slave database, flawlessly.
MySQL client-server connection also works fine between the following combination of hosts, except between host0.hwcharts.com and central.hwcharts.com:
Code:
From client To server Works? Comment
host0.hwcharts.com ("slave" VM host) central.hwcharts.com No
host0.hwcharts.com (any other host) central.hwcharts.com Yes
host0.hwcharts.com host0.hwcharts.com Yes localhost connection
central.hwcharts.com central.hwcharts.com Yes localhost connection
The grants for user 'hwcharts'@'%' (the only hwcharts user) in master DB are:
Code:
show grants;
+---------------------------------------------------------------------------------------------------------+
| Grants for hwcharts@% |
+---------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'hwcharts'@'%' IDENTIFIED BY PASSWORD '*non-null-hash-replaced-xxxxxxxxxxxxxxxxx' |
| GRANT ALL PRIVILEGES ON `hwcharts`.* TO 'hwcharts'@'%' |
+---------------------------------------------------------------------------------------------------------+
User hwcharts is not defined for any other host, as shown is post #7.
It is of course good to check the permissioms on the mysql server.
But the message you get - "Can't connect to MySQL server" - makes me believe that you don't reach the server at all.
I think you need to find out where the connection is stopped. You have 4 systems to check, taken from your diagram:
MySQL slave
OpenVZ
NAT (home DSL router)
MySQL master
I suggest you run tcpdump on all these while trying to connect, it will at least show how far the request goes. Maybe you can't on the NAT device but if so just leave it out for now.
Also please post firewall rules for all systems. ("iptables -L")
And a small note: you have posted valid url's & ip-adress in this thread, maybe not a good idea! There are always bad robots out there sniffing for places to hack.
Easy fix is to write posts in whatever text-editor you have and do a search-replace. Then post with fake ip & url, and edit your earlier posts too.
A very wild shot in the dark, should not be possible but I've seen a few really weird home "routers" before...
Could it be that you can have only one connection at a time from a client?
Check it by opening two connections to mysql server from one client. You could also stop the slave and then try to connect via terminal.
Well, as I said not very likely - but then it is a weird problem!
Come to think of it, when did you start the replication, what have you done after that?
If you started replication and then later changed firewall rules the existing connection could still be kept alive but no new connections can be made. This applies on the client side too, it doesn't have to be the central-server that blocks.
So think of it, what has been done on the servers in the communication chain after replication was set up?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.