In my previous post, I used Nebula to set up a secure network between two virtual machines.
This time, I'll try to make a MySQL client and server communicate through a Nebula tunnel. And to make it a little more challenging, I'll use Podman to run the client and the server in containers.
I begin by restarting the virtual machines:
vagrant up
To start Nebula automatically, I'm using systemd. I generate the unit file for the Nebula service:
cat <<EOF > nebula.service
[Unit]
Description=Nebula service
[Service]
Type=simple
ExecStart=/opt/nebula/nebula -config /etc/nebula/config.yml
# restart the tunnel if the nebula process dies
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
Then I upload this file to boxA's temporary folder. I would rather put it directly in its place under /etc/systemd/system but, to do that, I would need more privileges:
vagrant upload nebula.service /tmp/ boxA
Now, inside boxA, I can use sudo to move the unit file into the appropriate folder:
vagrant ssh boxA -c "sudo mv /tmp/nebula.service /etc/systemd/system/"
Then I enable this service so that it starts at boot time:
vagrant ssh boxA -c "sudo systemctl enable nebula"
I do the same for boxB, beginning by copying the unit file:
vagrant upload nebula.service /tmp/ boxB
Then I move it to the right place:
vagrant ssh boxB -c "sudo mv /tmp/nebula.service /etc/systemd/system/"
Finally, I enable the service:
vagrant ssh boxB -c "sudo systemctl enable nebula"
Now it is Podman's turn to be installed, first on boxA:
vagrant ssh boxA -c "sudo apt install -y podman && sudo reboot"
Then on boxB:
vagrant ssh boxB -c "sudo apt install -y podman && sudo reboot"
Right after installing Podman, I need to reboot the virtual machines so that Podman can run rootless (in the user session).
And because I configured Nebula as a systemd service, the tunnel will start as well.
I just need to wait until the two virtual machines have finished booting. I can check their state with vagrant status:
> vagrant status
Current machine states:
boxA running (virtualbox)
boxB running (virtualbox)
I pull the MySQL image and start the server on boxA:
vagrant ssh boxA -c "podman run -p 192.168.168.100:3306:3306 --name=db --env MYSQL_ALLOW_EMPTY_PASSWORD='true' -dt docker.io/library/mysql"
podman run: I use Podman without sudo (one big advantage over Docker) to start the container running MySQL.
-p 192.168.168.100:3306:3306: I publish the MySQL port on the Nebula IP only, so the server is reachable from other machines on this network but not on the VM's other addresses.
--name=db: I name this container db so I can easily manipulate it later.
--env MYSQL_ALLOW_EMPTY_PASSWORD='true': I choose an empty password for this test. Of course, I would not do that in production.
-dt docker.io/library/mysql: finally I specify the MySQL image to use (-d runs the container detached, -t allocates a terminal).
To check that the server started correctly, I can use podman ps:
> vagrant ssh boxA -c "podman ps"
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d6c2625aafb4 docker.io/library/mysql mysqld 30 seconds ago Up 30 seconds ago 192.168.168.100:3306->3306/tcp db
It is working!
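Besides podman ps, I also like to confirm from the host's point of view that the MySQL port really listens only on the Nebula address and not on 0.0.0.0 or the VM's regular interface. The following script is an added example, not part of the original post: it parses the output of `ss -ltnH` (the samples below are constructed, not captured from boxA) and fails when any listener on the port is bound somewhere other than the Nebula IP.

```sh
#!/bin/sh
# Added example (not from the original post): verify that the MySQL port
# published with "-p 192.168.168.100:3306:3306" is listening only on the
# Nebula overlay address, so the server is unreachable outside the tunnel.
# Input is the output of "ss -ltnH" (listening TCP sockets, no header).
# Constructed sample of a correctly published port (not real boxA output):
SAMPLE_GOOD='LISTEN 0 4096 192.168.168.100:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'
# Constructed sample of what "-p 3306:3306" would have produced instead:
SAMPLE_BAD='LISTEN 0 4096 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# check_port_binding NEBULA_IP PORT SS_OUTPUT
# Exit status: 0 if every listener on PORT is bound to NEBULA_IP,
#              1 if some listener on PORT is bound elsewhere (0.0.0.0, [::], ...),
#              2 if nothing listens on PORT at all.
check_port_binding() {
  nebula_ip=$1; port=$2; ss_output=$3
  found=0; bad=0
  # ss columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
  while read -r _state _recvq _sendq laddrport _peer _rest; do
    [ -n "$laddrport" ] || continue
    lport=${laddrport##*:}   # text after the last colon is the port
    laddr=${laddrport%:*}    # everything before it is the address
    [ "$lport" = "$port" ] || continue
    found=1
    [ "$laddr" = "$nebula_ip" ] || bad=1
  done <<EOF
$ss_output
EOF
  [ "$found" -eq 1 ] || return 2
  [ "$bad" -eq 0 ] || return 1
  return 0
}

# On a real box this would be: check_port_binding 192.168.168.100 3306 "$(ss -ltnH)"
for sample in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
  if check_port_binding 192.168.168.100 3306 "$sample"; then
    echo "OK: 3306 is bound only to the Nebula address"
  else
    echo "WARNING: 3306 listens outside the Nebula network"
  fi
done
```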
So now, I try to access this server from boxB. I use nearly the same podman command as before, but this time I run the MySQL client, pointing it at the Nebula IP of boxA.
If everything is fine, I will get the MySQL prompt:
> vagrant ssh boxB -c "podman run -ti --rm docker.io/library/mysql mysql -h192.168.168.100 -uroot"
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.29 MySQL Community Server - GPL
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.01 sec)
mysql>
Hurrah!