technical linux

Experiment Nebula Mesh - Part 2

Saturday, September 10, 2022 · 4 minutes · 642 words

In my previous post, I used Nebula to setup a secured network between 2 virtual machines.

This time, I’ll try to make a MySQL client and server communicate through a Nebula tunnel. And to make it a little bit more difficult, I’ll use podman to run the client and the server in containers.

I begin by restarting the virtual machines :

vagrant up

To restart Nebula automatically, I’m using systemd. I generate the config file for Nebula service :

cat <<EOF > nebula.service
Description=Nebula service
ExecStart=/opt/nebula/nebula -config /etc/nebula/config.yml

Then I push this file in the boxA temporary folder. I wish I could place it directly at his place at /etc/systemd/system but, to do that, I would need more privilege :

vagrant upload nebula.service /tmp/ boxA

Now, inside boxA, I can “sudo” to place the config file in the apropriate folder :

vagrant ssh boxA -c "sudo mv /tmp/nebula.service /etc/systemd/system/"

And, I activate this service so it starts at boot time.

vagrant ssh boxA -c "sudo systemctl enable nebula"

I do the same for boxA, beginning by copying the config file :

vagrant upload nebula.service /tmp/ boxB

Then I move it to the right place :

vagrant ssh boxB -c "sudo mv /tmp/nebula.service /etc/systemd/system/"

Finaly I activate the service :

vagrant ssh boxB -c "sudo systemctl enable nebula"

Now, it is Podman turn to be installed, first on boxA :

vagrant ssh boxA -c "sudo apt install -y podman && sudo reboot"

Then on boxB :

vagrant ssh boxB -c "sudo apt install -y podman && sudo reboot"

Just after Podman installation, I need to reboot the virtual machines, so podman can be launched as rootless (in the user session).

And because I configured Nebula as a systemd service, the tunnel will start as well.

I just need to wait that the 2 virtual machines finish to boot. I can see their status with vagrant status :

> vagrant status

Current machine states: 

boxA                      running (virtualbox)
boxB                      running (virtualbox)

I install the MySQL image and start the server onboxA :

vagrant ssh boxA -c "podman run -p --name=db --env MYSQL_ALLOW_EMPTY_PASSWORD='true' -dt"

podman run : I use Podman without sudo (it’s one big advantage on Docker) to start the container with MySQL.

-p : I publish the MySQL port on the Nebula IP so I can access the server from another machine on this network.

–name=db : I name this container db so I can easily manipulate it later.

–env MYSQL_ALLOW_EMPTY_PASSWORD=‘true’ : I choose an empty password for this test. Of course, I would not do that in production.

-dt": at last I specify the MySQL image to use.

To check if the server is correctly started, I can use podman ps :

> vagrant ssh boxA -c "podman ps"

CONTAINER ID  IMAGE                    COMMAND  CREATED         STATUS             PORTS                           NAMES
d6c2625aafb4  mysqld   30 seconds ago  Up 30 seconds ago>3306/tcp  db

It is working !

So now, I try to access this server from boxB. I use nearly the same podman command as before, but this time I run the MySQL client :

If all is ok I will be prompted by MySQL :

> vagrant ssh boxB -c "podman run -ti --rm mysql -h192.168.168.100 -uroot"
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.29 MySQL Community Server - GPL

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
| Database           |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
4 rows in set (0.01 sec)