goinfinite / ez

From server to PaaS in no time. User-friendly, lightweight, free.
https://goinfinite.org/ez/

unable to use private ports on inter-container communication #50

Open alehostert opened 1 week ago

alehostert commented 1 week ago

Hello there!

I'm trying to set up MySQL communication between two containers, both using Speedia OS.

Container A doesn't have MariaDB. Container B has only MariaDB running:

[image]

Context

The default OS configuration sets the MariaDB 10.11 bind-address to 127.0.0.1 (which is pretty right, IMO):

root@container-b:/speedia# grep -ir bind /etc/mysql/mariadb.conf.d/50-server.cnf 
bind-address            = 127.0.0.1

With this, I'm able to connect to MariaDB:

root@container-b:/speedia# telnet 127.0.0.1 3306
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
X
11.4.3-MariaDB-deb11#tC/_sGD�bAZ%DfWacL2Umysql_native_password

alehostert@my-local-machine ➜  ~ telnet ${publicIpAddress} 30002
Trying ${publicIpAddress}...
Connected to ${publicIpAddress}.
Escape character is '^]'.
X
11.4.3-MariaDB-deb11,]rD=D|e�fRD?PQ*zJBN?mysql_native_password

root@container-a:/speedia# telnet ${publicIpAddress} 30002
Trying ${publicIpAddress}...
Connected to ${publicIpAddress}.
Escape character is '^]'.
X
11.4.3-MariaDB-deb11i@Bilc.V�GAOJc4y'SMhDmysql_native_password

The issue

But I can't connect to Container B from Container A using the local Control private port (40007 in my case):

root@container-a:/speedia# telnet ${publicIpAddress} 40007
Trying ${publicIpAddress}...
Connected to ${publicIpAddress}.
Escape character is '^]'.
Connection closed by foreign host.

Using the mysql cli we can see the problem:

root@container-a:/speedia# mysql -h ${publicIpAddress} -P 40007

ERROR 2013 (HY000): Lost connection to MySQL server at 'handshake: reading initial communication packet', system error: 11

This happens because the bind-address will not allow connections from outside; after all, it's configured to listen only on the 127.0.0.1 interface. Changing the bind-address to 0.0.0.0 will allow the connection from 40007.

Setting the bind-address to the host local network IP address will allow the inter-container communication, but will break the remote access (obviously).

The only way to communicate via the private port and not break remote access is to set the bind-address to 0.0.0.0.

To help picture this, I made this spreadsheet:

https://docs.google.com/spreadsheets/d/1cmqIv8k7p9DxklwQx2qn1vv98994qyK_hAMg0t0tPGM/edit?usp=sharing


I think the decision here is to set bind-address to 0.0.0.0, allowing the inter-container communication and avoiding the extra step by passing through nginx proxying 30002 to 40007.

The end user will have to control the remote access in the grants, which is % by default, though.

And, if that's the case, I should probably have opened this issue on the OS repo :smile:

alehostert commented 1 week ago

BTW, MariaDB 10.11 added the option to set more interfaces on bind-address, comma separated:

MariaDB starting with 10.11

Multiple comma-separated addresses can now be given to bind_address to allow the server to listen on more than one specific interface while not listening on others.

https://mariadb.com/kb/en/configuring-mariadb-for-remote-client-access/

With this, I'm able to connect via private port (inter-container) AND from outside (remote connection):

root@container-b:/speedia# grep -ir bind /etc/mysql/mariadb.conf.d/50-server.cnf 
# bind-address            = 127.0.0.1
bind-address            = 127.0.0.1,10.0.1.2

root@container-a:/speedia# telnet ${publicIpAddress} 40007
Trying ${publicIpAddress}...
Connected to ${publicIpAddress}.
Escape character is '^]'.
X
11.4.3-MariaDB-deb11/P'p!MDK�+5g+;(W\KABhmysql_native_password

alehostert@my-local-machine ➜  ~ telnet ${publicIpAddress} 30002
Trying ${publicIpAddress}...
Connected to ${publicIpAddress}.
Escape character is '^]'.
X
11.4.3-MariaDB-deb11YcfV]Q[V�}60.5]Y%L.A;mysql_native_password
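
An added example, not part of the comments above or of the ez project's code: a small Python check that reads a MariaDB option file and labels each effective bind-address entry as loopback, private, wildcard or public, covering the commented-out line and the comma-separated form shown in the thread. The sample config is constructed from the lines quoted above, the function names are hypothetical, and it assumes the last active bind-address line in the file is the one that applies.

```python
import ipaddress

# Constructed sample mirroring the 50-server.cnf lines shown in the thread.
SAMPLE_CNF = """\
[mysqld]
# bind-address            = 127.0.0.1
bind-address            = 127.0.0.1,10.0.1.2
"""

def effective_bind_addresses(cnf_text):
    """Return the addresses of the last active bind-address line, or None if unset."""
    addresses = None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue  # blank line, comment, or section header
        key, sep, value = line.partition("=")
        # Option files accept dashes and underscores interchangeably in names.
        if sep and key.strip().replace("_", "-") == "bind-address":
            value = value.split("#", 1)[0]  # drop a trailing inline comment
            # Assumption: a later occurrence overrides an earlier one.
            addresses = [a.strip() for a in value.split(",") if a.strip()]
    return addresses

def classify(address):
    """Label one bind address by how widely it exposes the listener."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "hostname"  # resolved at server start; review manually
    if ip.is_unspecified:
        return "wildcard"  # 0.0.0.0 or ::, i.e. every interface
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

def audit(cnf_text):
    """Map each effective bind address to its exposure label."""
    addresses = effective_bind_addresses(cnf_text)
    if addresses is None:
        return {}  # option absent: the server default applies, not evaluated here
    return {a: classify(a) for a in addresses}

if __name__ == "__main__":
    for addr, label in audit(SAMPLE_CNF).items():
        print(f"{addr}: {label}")
```

A "wildcard" result is the case where access control rests entirely on the account grants and on which ports are published outside the container.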