
I can't seem to remotely connect to my database, via SSH tunnel. I'm relatively new to all this, so I was hoping someone might be able to give me some pointers.

I've got a cloud server on which I've installed Docker, and I'm running a database container (for another service, Wordpress):

compose.yaml (only the db service is shown; the top-level volumes: and secrets: definitions it refers to are not in the post)

services:
  db:
    image: mariadb:latest
    container_name: database
    restart: always
    volumes:
      - db_data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_root_password
      - db_password
    ports:
      - '3306:3306'   # publishes on every host interface; '127.0.0.1:3306:3306' would bind loopback only
    expose:
      - 3306          # redundant once the port is published

The database container works just fine, and the rest of my Docker services interact with the database with no issues.

If I connect to the remote machine via SSH, I can access the database within the Docker environment via a MariaDB client on the host, as the port 3306 is forwarded from the Docker container to the host:

➜ ssh -i mykey user@hostname
➜ docker compose up -d
➜ nc -vz localhost 3306
Connection to localhost (::1) 3306 port [tcp/mysql] succeeded!
➜ mariadb -h 127.0.0.1 -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 15
Server version: 11.2.2-MariaDB-1:11.2.2+maria~ubu2204 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

However, I'm not able to use my local database client (DBeaver). I've set up SSH tunneling in the client with the same credentials I use to connect to the host via CLI.

Testing the SSH connection within my DB client is successful. However once the SSH tunnel is established, the connection to the database fails:

Could not connect to 127.0.0.1:31987 : unexpected end of stream, read 0 bytes from 4 (socket was closed by server) 

Would anyone be able to give me some pointers on what I'm doing wrong? Is this the right way to go about remotely accessing the database?

Am I making some bad assumptions about how SSH tunneling works? I assumed that once the tunnel is established, it would connect to port 3306 on my remote host, as if the client were actually on the remote host. I'm also not sure where port '31987' comes from, but I'm guessing it's the ephemeral port used by the client to connect to port 3306, but perhaps I'm also wrong about that?

I don't want the database port publicly accessible, so remote access to port 3306 on my remote host is firewalled.

I'm aware that I can install a new docker service, sshtunnel, and just tunnel into that, but I don't see why I cannot connect when tunneled into the host...

Thanks in advance for any tips!

  • Show the command you used for the SSH tunnel. Commented Jan 31, 2024 at 12:53

1 Answer

I would suggest using network_mode host in your docker-compose, because by default docker creates a separate network which is very difficult to tunnel to.

services:
  db:
    image: mariadb:latest
    container_name: database
    restart: always
    volumes:
      - db_data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_root_password
      - db_password
    networks:
      proxy:
        aliases:
          - test.mysql.docker   # no ports: here, so the db is reachable only on the proxy network

  sshtunnel:
    restart: always
    image: ghcr.io/linuxserver/openssh-server
    container_name: sshtunnel
    ports:
      - 2222:2222             # published on every host interface
    volumes:
      - ~/.ssh/id_rsa.pub:/etc/tunnel/id_rsa.pub
      - ./openssh/sshd_config:/config/ssh_host_keys/sshd_config
    environment:
      - PUBLIC_KEY_FILE=/etc/tunnel/id_rsa.pub
      - USER_NAME=proxy
      - SUDO_ACCESS=true      # gives the tunnel user sudo inside the container; not needed for port forwarding
    networks:
      - proxy

networks:
  proxy:
    driver: bridge
    name: proxy

See here: https://madewithlove.com/blog/using-an-ssh-tunnel-to-connect-to-your-dev-mysql-with-docker/
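The question asks how an SSH tunnel maps a local port onto the remote host's 3306 and where a port like 31987 comes from, and the answer's layout relies on the same mechanism with the destination resolved inside the sshtunnel container. The following is an added example, written for this page and not code from the question, the answer, or the linked blog: it models what `ssh -L` does with plain Python sockets so it runs offline, with a constructed stand-in "database" (greeting text, `ACK:` echo) in place of MariaDB. The listener is the tunnel's local end on the client machine; binding it to port 0 lets the kernel pick a free port, which is the assumed origin of the high random port a GUI client reports. The second half of the demo points the tunnel at a port where nothing listens, which is the situation in which a client reads 0 bytes and reports the socket closed by the server.

```python
# Added example: toy model of an SSH local port forward (ssh -L), not ssh itself.
# The "database", its greeting and the ports are constructed stand-ins.
import socket
import threading


def start_fake_db(greeting):
    """Stand-in for the MariaDB container: greet each client, echo one request as b"ACK:..."."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))        # port 0: kernel picks a free port
    srv.listen()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # listener closed
                return
            with conn:
                conn.sendall(greeting)            # real MariaDB also speaks first (handshake)
                conn.sendall(b"ACK:" + conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def _pump(src, dst):
    """Relay bytes src -> dst until EOF, then half-close dst, as the tunnel does."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_forward(dest_host, dest_port, bind_host="127.0.0.1", local_port=0):
    """Model of `ssh -L bind_host:local_port:dest_host:dest_port`.

    The listener lives on the client side; dest_host:dest_port is resolved and
    connected to on the far side. Returns (chosen local port, listening socket).
    """
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lst.bind((bind_host, local_port))
    lst.listen()

    def accept_loop():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection((dest_host, dest_port), timeout=5)
                upstream.settimeout(None)
            except OSError:
                # Nothing listening at the destination: the local end is closed
                # and the client sees a connection that dies after 0 bytes.
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()[1], lst


def talk_through_tunnel(local_port, request, timeout=5):
    """Database client: connect to the LOCAL tunnel end. b"" means closed before any byte."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=timeout) as c:
        greeting = c.recv(4096)
        if not greeting:
            return b""
        c.sendall(request)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
        return greeting + reply


def run_demo():
    """Healthy tunnel to the live stand-in DB, then a tunnel aimed at a dead port."""
    db_port, db_sock = start_fake_db(b"Welcome to fake MariaDB\n")
    good_port, good_lst = start_local_forward("127.0.0.1", db_port)
    healthy = talk_through_tunnel(good_port, b"SELECT 1;")

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # reserve then free a port
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()
    bad_port, bad_lst = start_local_forward("127.0.0.1", dead_port)
    dead = talk_through_tunnel(bad_port, b"SELECT 1;")

    for s in (db_sock, good_lst, bad_lst):
        s.close()
    return {"healthy": healthy, "dead_target": dead, "local_ports": (good_port, bad_port)}


if __name__ == "__main__":
    print(run_demo())
```

Mapped back to real commands: with the question's `ports: '3306:3306'` the published container port is what `nc -vz localhost 3306` hit on the host, so `ssh -i mykey -L 127.0.0.1:3307:127.0.0.1:3306 user@hostname` followed by `mariadb -h 127.0.0.1 -P 3307 -uroot -p` on the laptop is the equivalent of the healthy path above (3307 is an assumed local port; a GUI client usually picks one for you). With the answer's layout the destination is the network alias, `ssh -p 2222 -L 127.0.0.1:3307:test.mysql.docker:3306 proxy@hostname`, and the name is resolved by the sshtunnel container on the proxy network rather than by the host.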

  • Thanks, I've just tried this and it doesn't seem to work unfortunately. Would a more correct solution thus be to create an sshtunnel service within my docker compose? Commented Jan 30, 2024 at 18:46
  • Yes that's an option I will edit my post to show you how Commented Jan 30, 2024 at 18:47
  • Edit my post based on madewithlove.com/blog/… Commented Jan 30, 2024 at 18:51
  • Thanks again! If you wouldn't mind, it leads me to another question: Is the way I'm going about this "wrong"? How would remote database access for a docker container on a remote machine normally be implemented (in a business context)? I've been trying to avoid web-interfaces, such as phpmyadmin, for security reasons, but having to implement a second ssh server dedicated to database access feels like a solution required because I've done something wrong in my design... Commented Jan 30, 2024 at 18:58
  • I haven't seen databases running in docker containers yet in my 15 years of experience, so I can't help you with that. In my experience usually databases run on a separate database server, or using a PaaS service like Azure SQL. And usually remote access is done via VPN like OpenVPN or wireguard. Or a dedicated vpn appliance. But as long as you harden it properly there is nothing wrong with it I think, and maybe implement the CIS benchmarks for docker and containers. But with doing an ssh tunnel you're making it yourself a bit more difficult, I think using a VPN makes it easier to connect Commented Jan 30, 2024 at 19:12
