
This is done for security reasons, as we don't trust the code running inside migrations. To run this: - bind mysql to 0.0.0.0 - run makenetnamespace.sh as root at boot, passing in the mysql root password so that user permissions can be set up - add this to the sudo config: turbo-hipster ALL=(root) NOPASSWD: /sbin/ip netns exec nonet * Change-Id: I86190fbd515ecf7683194923df14e5b707ab21c5
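#!/bin/bash
#
# makenetnamespace.sh - create a network namespace ("nonet") for running
# untrusted code, and let only that namespace's address reach the local
# MySQL server.
#
# Usage (run as root, e.g. at boot):
#   makenetnamespace.sh <mysql-root-password>
#
# Arguments:
#   $1 - MySQL root password; used once to create the 'nova' account that
#        code inside the namespace connects with.
#
# What it sets up:
#   - namespace "nonet" joined to the host by a veth pair
#     (host veth0 172.16.0.1/24 <-> namespace veth1 172.16.0.2/24); no
#     default route is added inside the namespace, so only the host side of
#     that link is directly reachable from it
#   - INPUT rules dropping TCP/3306 arriving on eth0 and eth1, so MySQL
#     (bound to 0.0.0.0) is not reachable from outside the host
#   - a MySQL account 'nova'@'172.16.0.2' for code inside the namespace
#
# The script is safe to re-run: the namespace/link/grant step is skipped when
# the namespace already exists, and firewall rules are appended only when an
# identical rule is not already present.
#
# NOTE(review): this script adds no filtering on veth0, so any host service
# bound to 172.16.0.1 or 0.0.0.0 is reachable from inside the namespace
# unless something else filters it — it is "no outside network", not "MySQL
# only". Restricting traffic arriving on veth0 to dport 3306 would narrow
# that; confirm against what the migrations need before adding it.

set -euo pipefail

# Fail with a usage line rather than sending an empty password to mysql.
: "${1:?usage: ${0##*/} <mysql-root-password>}"
mysql_root_password=$1

readonly ns=nonet
readonly host_if=veth0
readonly ns_if=veth1
readonly host_addr=172.16.0.1/24
readonly ns_addr=172.16.0.2/24
readonly ns_ip=172.16.0.2
readonly mysql_port=3306

#######################################
# Append an INPUT rule dropping TCP/$mysql_port on one interface, unless an
# identical rule is already present (iptables -C), so re-runs do not
# accumulate duplicate rules.
# Arguments: $1 - interface name (eth0, eth1)
#######################################
block_mysql_on() {
  local ifname=$1
  local -a rule=(INPUT -p tcp --dport "$mysql_port" -i "$ifname" -j DROP)
  if ! sudo /sbin/iptables -C "${rule[@]}" 2>/dev/null; then
    sudo /sbin/iptables -A "${rule[@]}"
  fi
}

# --- Network namespace with no outside access --------------------------------
if sudo ip netns list | grep -qw -- "$ns"; then
  printf 'namespace %s already exists; skipping namespace and MySQL setup\n' \
    "$ns" >&2
else
  sudo ip netns add "$ns"
  sudo ip link add "$host_if" type veth peer name "$ns_if"
  sudo ip addr add "$host_addr" dev "$host_if"
  sudo ip link set "$host_if" up
  sudo ip link set "$ns_if" netns "$ns"
  sudo ip netns exec "$ns" ip addr add "$ns_addr" dev "$ns_if"
  sudo ip netns exec "$ns" ip link set "$ns_if" up

  # --- MySQL account for code inside the namespace ---------------------------
  # The root password reaches the client through MYSQL_PWD rather than
  # --password=..., so it does not show up in the mysql process's argv.
  # (It is still visible in this script's own argv — that is the caller's
  # interface and is left unchanged here.)
  # NOTE(review): ALL PRIVILEGES ON *.* WITH GRANT OPTION is far broader than
  # a migration test should need, and 'tester' is a fixed credential; both are
  # usable only from 172.16.0.2, but scoping the grant to the databases the
  # migrations touch would limit what untrusted code can do — confirm.
  MYSQL_PWD="$mysql_root_password" mysql -u root \
    -e "create user 'nova'@'$ns_ip' identified by 'tester';"
  MYSQL_PWD="$mysql_root_password" mysql -u root \
    -e "grant all privileges on *.* to 'nova'@'$ns_ip' with grant option;"
fi

# --- Firewall MySQL from outside the host ------------------------------------
# Applied on every run (guarded by -C) so a run that finds the namespace
# already present but iptables state gone still ends up filtered.
block_mysql_on eth0
block_mysql_on eth1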