guest accessing MySQL on host bound to localhost
Posted: 1. Jul 2009, 16:33
by m27315
The default MySQL configuration is to listen only to the localhost (127.0.0.1). If the server is bound to the host's IP, then it becomes accessible to other computers on the LAN, which I would like to avoid. I really want to keep this default configuration, because I think it's the safest and most secure - within reason.
However, the problem with this setup is that the guest cannot connect to "localhost", because that would be itself - not the host.
Is it possible for a guest to connect to a MySQL service on the host that is bound to localhost only? If so, then how?
Does the guest see an IP, which is really the localhost loopback on the host? I googled for that info, but I failed to find it...
Thanks!
Re: guest accessing MySQL on host bound to localhost
Posted: 1. Jul 2009, 18:27
by vbox4me2
Nope, not possible: localhost always points to itself. Use the user account limitations such as user@ip_address, which will restrict to that address only.
Re: guest accessing MySQL on host bound to localhost
Posted: 1. Jul 2009, 19:53
by sej7278
you've got to be careful with localhost vs 127.0.0.1 as they mean two different things to mysql - one means listen locally on the network interface, the other means listen locally on a socket.
but there's no way localhost or 127.0.0.1 on a guest will be accessible on the host or vice versa.
Re: guest accessing MySQL on host bound to localhost
Posted: 1. Jul 2009, 20:36
by baf
One thing I think should be possible is to let your guest have at least two network cards. One configured like you have it now. One as "host only".
Then you have to bind mysql to that IP only. Then your host could reach mysql but nobody else.
In /etc/my.cnf
[mysqld]
[...]
bind-address=192.168.56.x
where x is replaced with what you get or with a static ip you set on this net.
Re: guest accessing MySQL on host bound to localhost
Posted: 3. Jul 2009, 14:04
by burghj
So the general recommendation for such cases would be to set up a (second) host-only network adapter? That certainly needs some configuration work then on both host and guest to ensure that this net traffic really goes (only) over this connection. I think I need to read a little more in the manual to get this working.
I would be interested in such a configuration for connections between Windows guests and a Samba server on my Linux host, where I would prefer when these connections are not seen from outside the machine.
JRO
Re: guest accessing MySQL on host bound to localhost
Posted: 7. Jul 2009, 22:51
by m27315
Thanks for the suggestions!
If I bound the host MySQL to the IP of the guest, would all other host processes, needing MySQL, also have to point to that address? Would there be a way for them to still reach MySQL via localhost?
Thanks!
Re: guest accessing MySQL on host bound to localhost
Posted: 7. Jul 2009, 23:09
by Sasquatch
I'm not sure about this, but you can try it out. What if you use NAT on the Guest, and connect to 10.0.2.2? That should point to 'localhost' on the Host system.
Re: guest accessing MySQL on host bound to localhost
Posted: 8. Jul 2009, 08:49
by chronoboy
Another way which would not interfere with any of your existing configuration, would be to set-up a simple SSH tunnel from the guest to the host. This can also be set-up through an initscript. Every Linux distribution comes with SSH, or at least can be added to the installation very easily.
I personally use an SSH tunnel to my remote web server to easily manage the MySQL server using such tools as MySQL Administrator or MySQL Query Browser in a very secure fashion. On my local system, I point the admin application to 127.0.0.1:3306 and the SSH tunnel does the rest. My web server never exposes port 3306 to the outside world, but is accessible through a simple SSH tunnel I create on demand.
To create the SSH tunnel for an initscript on the guest, use this command: ssh -L 3306:localhost:3306 -Nf user@host
Of course, you will need to use key-based authentication if using this in an initscript so that ssh does not ask for a password.
Here is a brief explanation of the switches above:
N) Do not execute a remote command. This is useful for just forwarding ports.
f) Requests ssh to go to background just before command execution.
To create the public/private keys for SSH authentication, use this command on the guest: ssh-keygen
This will create two files, one of which needs to be copied to the host and placed in the remote user's ~/.ssh/authorized_keys file.
You will need to run ssh-keygen as the root user, if you choose to place the ssh command in the initscripts.
As long as you enable the option in the guest's sshd_config file so that remote users cannot log in as root, nobody can remotely take advantage of this key authentication file.
A more secure way would be running the SSH forwarding command as a completely different user from the initscript using the su command, preferably a user which cannot be logged into.
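An added example, not code from any poster in this thread or from the VirtualBox project, that ties together baf's bind-address check and chronoboy's initscript tunnel as one guest-side shell script. It classifies how a my.cnf exposes MySQL (loopback only, host-only net, or every interface), builds the ssh port-forward command with the options an unattended initscript needs, and starts it as a dedicated non-login user via su. The host-only range 192.168.56.0/24 (baf), the NAT host alias 10.0.2.2 (Sasquatch), the tunnel account name mysqltunnel and the host account dbuser are assumptions for illustration; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the thread): guest-side helper that
#  1. classifies the host's my.cnf bind-address (loopback / host-only / all),
#  2. builds the SSH port-forward command chronoboy describes, and
#  3. starts it as a dedicated, non-login user from an initscript.
# Assumed values: host-only net 192.168.56.0/24 (baf's post), NAT host
# alias 10.0.2.2 (Sasquatch's post), tunnel user "mysqltunnel" with its
# key in ~mysqltunnel/.ssh, and host account "dbuser".

TUNNEL_USER=${TUNNEL_USER:-mysqltunnel}   # assumed dedicated, nologin account
HOST_ADDR=${HOST_ADDR:-10.0.2.2}          # host as seen from a NAT guest
HOST_USER=${HOST_USER:-dbuser}            # assumed account on the host

# Print how MySQL is exposed according to a my.cnf: loopback, host-only,
# all, other, or unset (no bind-address in [mysqld]; check the server default).
mysql_bind_class() {
    addr=$(awk -F= '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_mysqld && /^[ \t]*bind-address[ \t]*=/ {
            v = $2; gsub(/[ \t]|#.*$/, "", v); last = v   # strip blanks, comments
        }
        END { print last }' "$1")
    case "$addr" in
        "")                      echo unset ;;
        127.0.0.1|localhost|::1) echo loopback ;;
        192.168.56.*)            echo host-only ;;   # assumed host-only range
        0.0.0.0|::|\*)           echo all ;;
        *)                       echo other ;;
    esac
}

# Compose the forward: guest 127.0.0.1:LPORT -> (via sshd on the host) 127.0.0.1:RPORT.
# 127.0.0.1 on both ends avoids the localhost-means-socket and ::1 ambiguities;
# BatchMode makes a missing key fail instead of prompting (initscript use);
# ExitOnForwardFailure makes ssh exit non-zero if the local port is already taken.
tunnel_cmd() {
    lport=${3:-3306}; rport=${4:-3306}
    printf 'ssh -o BatchMode=yes -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s -N -f %s@%s\n' \
        "$lport" "$rport" "$1" "$2"
}

# Run the tunnel as the dedicated user (initscript "start" action), so the
# key lives in that account's ~/.ssh rather than root's.
start_tunnel() {
    su -s /bin/sh "$TUNNEL_USER" -c "$(tunnel_cmd "$HOST_USER" "$HOST_ADDR")"
}

case "${1:-}" in
    start) start_tunnel ;;
    check) mysql_bind_class "${2:?path to my.cnf}" ;;
esac
```

From the guest, connect with `mysql -h 127.0.0.1 -P 3306`, not `-h localhost`: as sej7278 notes, the MySQL client treats localhost as the Unix socket, which does not exist on the guest. On the host, the dedicated key can be limited in authorized_keys with `no-pty`, `command="/bin/false"` and `permitopen="127.0.0.1:3306"` so that it is usable for this one forward and nothing else.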