Saturday, May 16, 2020

How to Install MySQL Enterprise Edition on Docker and Monitor it with MySQL Enterprise Monitor(MEM)?



Introduction

Before I talk about installation of MySQL inside docker, it's more important to know
what is Docker?
- Docker is a tool designed to create , deploy ,and run an application any where.
-It allow us to package up application with all requirements such as libraries and other dependencies and ship it all as a PACKAGE.
who uses Docker?
Developer : Docker enables developer to develop application without spending much time on IT infrastructure.
Sysadmin :-Docker enables sysadmin to streamline the software delivery, such as develop and deploy bug fixes and new features without any roadblock. 
Enterprise :-Docker works in the cloud , on premise ,and supports both traditional and micro services deployments.
why Docker?
-Easily adapts to your working environment.
-Simple to use.
- Eliminate friction in development life cycle.

More info at :- https://docs.docker.com/engine/docker-overview/

Let's Install MySQL Enterprise Edition 8.0.19 with Docker

WarningThe MySQL Docker images maintained by the MySQL team are built specifically for Linux platforms. Other platforms are not supported, and users using these MySQL Docker images on them are doing so at their own risk. See the discussion here for some known limitations for running these containers on non-Linux operating systems.

More about MySQL Enterprise Edition:- https://www.mysql.com/products/enterprise/
Step 1 :- Download MySQL EE binaries from MOS portal->patch & Updates
Step 2:- Download the Binaries by clicking on product name and unzip to obtain tarball inside.
              See at step-1 in yellow color.
Step 3:-Load the image by running below command
             # docker load -i mysql-enterprise-server-8.0.19.tar
Suppose you have downloaded mysql-enterprise-server-8.0.19.tar file into windows laptop then push it into Linux Machine where Docker is running, then go to the directory and load the 
mysql-enterprise-server-8.0.19.tar file.
Step 4:-  to verify
#docker images

Step 5:- Starting MySQL Server Instance
#docker run --name MySQLEnterpriseContainer -d  -p 3306:3306  mysql/enterprise-server:8.0

The --name option, for supplying a custom name for your server container, is optional; if no container name is supplied, a random one is generated.
mysql/enterprise-server:8.0 :- image_name:tag

Note:- Don’t give full version 8.0.19. TAG has to be 8.0 or else below error will generated.
Step 6:- To verify
#docker ps

Step 7:- Get Random Password by typing below command
#docker logs MySQLEnterpriseContainer 2>&1 | grep GENERATED

Step 8:-Connecting to MySQL Server from within the Container
docker exec -it MySQLEnterpriseContainer mysql -uroot –p
Enter Generated Password : HOpnuMIxibVYMijv3syRYK4KjEc
Step 9:-Change Temporary Password
ALTER USER 'root'@'localhost' IDENTIFIED BY 'MySQL8.0';

Step 10:- Change Create Table and Insert Records to test...

Create database test;
Create table test.sales(Empname Varchar(20), CountryName Varchar(20));
Insert into test.sales select 'Ram','Delhi';
Insert into test.sales select 'Radha','Delhi';
Insert into test.sales select 'Rakesh','Mumbai';
Insert into test.sales select 'Rajesh','Mumbai';


Extra Commands to play...




TO Get into the Docker Container to find the data directory , base directory , executing linux bash commands etc.

shell> docker exec -it MySQLEnterpriseContainer bash


bash-4.2#ls /var/lib/mysql

To stop the MySQL Server container we have created, use this command:

docker stop MySQLEnterpriseContainer
docker start MySQLEnterpriseContainer
docker restart MySQLEnterpriseContainer

To delete the MySQL container, stop it first, and then use the docker rm command:
docker stop MySQLEnterpriseContainer
docker rm MySQLEnterpriseContainer

Accessing Docker MySQL Database from Physical Host through MySQL Workbench Tool

Assume MySQL Enterprise Workbench is installed on Windows Machine : 192.168.0.3
Docker MySQL is Installed on Docker Host : 192.168.227.128 
Step 1:- Make Sure MySQL is able to communicate with remote host.
update mysql.user set host='%' where user='root';

flush privileges;
Step 2:- Make sure Docker MySQL port is published out side hosts. 
                see Step 05  -p 3306:3306

Step 3:-Connect MySQL Enterprise Workbench to Docker MySQL DB.
             

Monitoring Docker MySQL Database from MySQL Enterprise Monitor

Assume MySQL Enterprise Monitor is istalled on Windows Machine and already monitoring many On-premises DB and Cloud Instances and NOW we want to also monitor MySQL DB which is running in DOCKER.
Assume MySQL Enterprise Workbench is installed on Windows Machine : 192.168.0.3

Docker MySQL is Installed on Docker Host : 192.168.227.128 

Login to MySQL Enterprise Monitor-->Add Instances.

To Monitor SQL Statements:-

Know More about MySQL Enterprise Monitor:-

Conclusion:-


Docker is an open platform for developing, shipping, and running applications. Docker enables you to separate your applications from your infrastructure so you can deliver software quickly.
Running MySQL is quite easy when ever environment demands Running multiple MySQL instances into single server DOCKER is best fit.

Using MySQL Enterprise Audit Filtering for only Insert/Update/Delete statements for Users


How to Audit only DML Actions ?

Step by step to Enable Fine Grained MySQL Auditing for Insert/Update/Delete Queries for all Users.


Before i talk about MySQL Audit Filtering , it is more important to know below details:-


  • What is MySQL Enterprise Audit ?
  • Features of MySQL Audit.
  • Why Audit is Important?
  •  How to Audit only DML statements for Particular/All Users ?
  • Audit Log Restrictions
  • Conclusions

What is MySQL Enterprise Audit?

At high level, database auditing is the process to guard against misuse of information, track the use of database resources and activity like
-Who accessed the database(Users)
- Where these queries has been executed(Host Name).
-What kind of queries has been executed to db(events/statements).
-When did this happened(Time)
Then we can have idea of “Why this happened”? ( Q & A for 5W)

Most Important Auditing will help organization to comply with popular compliance regulations including GDPR,HIPAA, Sarbanes-Oxley, and the PCI Data Security Standard.


More Info: - https://dev.mysql.com/doc/refman/8.0/en/audit-log.html


Features of MySQL Audit

MySQL Enterprise Audit enable below top 10 features:-
1.       User Defined Custom Audit Log Events - Now you can add custom events to the MySQL Audit Log, providing added information related to SQL calls. For example, tracking numbers, help desk ticket references, or other application context.
2.       Encryption - Audit Files can now be encrypted using standard AES-256. These files can be shared and decrypted by external applications that have the encryption key.
3.       Compression - Using compression can Reduce audit storage by up to 10x. Files can be unzipped using standard tools.
4.       JSON Audit Data Format - Now you can decide between JSON or XML.
5.       Powerful Filtering to Protect Sensitive Data - Define what you audit using templates or design highly custom filters using simple JSON filter definition.
a.        Filter on connections, users, table access, access type, statement status (success/failure), query content, and more.
6.       Meet Regulatory compliance standards - Provide the data your organization and auditors need to be in compliance with requirements including PCI, HIPAA, FERPA, SOX and more.
7.       Achieve Security Goals through Comprehensive Auditing - Trust but verify DBA activity, prove your data’s validity and perform forensic analysis to investigate or discover data breaches.
8.       Easy Integration with Audit Vaults and Stores - Externally archive and analyze XML-based audit logs with ease using Oracle Audit Vault and other third party solutions including Splunk.
9.       Dynamic and Easy to Manage - Dynamically enable/disable audit stream, change filtering, and more with no downtime. Automatically rotate audit log files based on size.
10.   Low Overhead - Collects critical audit data without minimal performance impact. Use fine grain filtering to minimize audit log size and IO impact.

Why Audit is Important?

By auditing your database:-
1.       To enable accountability for actions. In order to hold users responsible for their actions, it is necessary to track what they have done. As example- Suppose some users has executed TRUCATE TABLE and you can investigate deeply if audit trail is in place through you will get to know why this user had executed this type of SQL statement.
2.       To investigate suspicious activity. Security may be set up correctly, but it is still useful to know if people are trying to access data or run commands that are beyond their authorization.

3.       Compliance issues. Many applications have quasi-legal requirements for audit. Typically, these are based around access to personal or financial information.


How to Audit only DML statements for Particular/All Users?


To use Audit Filtering, it consists of three basic steps:-
Installation In Details:-
Step 1:- Execute audit filter script .sql into mysql console as below
mysql> source /usr/share/mysql-8.0/audit_log_filter_linux_install.sql
Database changed
Query OK, 0 rows affected, 1 warning (0.89 sec)
Query OK, 0 rows affected, 3 warnings (0.15 sec)
Query OK, 0 rows affected (0.24 sec)
.
.
.
Query OK, 0 rows affected (0.01 sec)
+--------+
| Result |
+--------+
| OK     |
+--------+
1 row in set (0.01 sec)

 

Step 2:- Verify the Installation
SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%';
+-------------+---------------+
| PLUGIN_NAME | PLUGIN_STATUS |
+-------------+---------------+
| audit_log   | ACTIVE        |
+-------------+---------------+
Step 3:- Define the filter
Example”- Our Requirement is , How to Track only Insert/Update/Delete for all Users.
mysql>SELECT audit_log_filter_set_filter(
'AuditLog_InsertUpdateDelete', '{
  "filter": {
    "class": {
      "name": "table_access",
        "event": {          "name": [ "insert", "update", "delete" ]        }    }  } }
');
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| audit_log_filter_set_filter(
'AuditLog_InsertUpdateDelete', '{
  "filter": {
    "class": {
      "name": "table_access",
        "event": {          "name": [ "insert", "update", "delete" ]        }    }  } }
') |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| OK                                                                                                                                                                                                                   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.17 sec)
Step 4:- Assign the filter to all users.
SELECT audit_log_filter_set_user('%', 'AuditLog_InsertUpdateDelete') AS 'Result';
Here
 % à All Users
If you want to track particular DBAs then assign filter for the users( ex- User Name: Radha)
SELECT audit_log_filter_set_user('Radha@localhost', 'AuditLog_InsertUpdateDelete') AS 'Result';
Here
 'Radha@localhost' à Particular Username.
mysql> SELECT audit_log_filter_set_user('%', 'AuditLog_InsertUpdateDelete') AS 'Result';
+--------+
| Result |
+--------+
| OK     |
+--------+
1 row in set (0.18 sec)
Step 5:- Let’s Verify whether Audit for Insert/Delete/Update is working or not.
Login MySQL for any users and execute SQL commands, and verify the Log whether it contains only INSERT/UPDATE/DELETE query or not , If Only these commands are available the our MySQL Audit Filtering is working for us.
List SQL Statement Executed on DB
mysql> create database AuditTest;
Query OK, 1 row affected (0.27 sec)
mysql> use AuditTest;
Database changed
mysql> create table employee(Empname Varchar(25),DeptName Varchar(20));
Query OK, 0 rows affected (0.39 sec)
mysql> Insert Into employee Values('Chandani','Hindi');
Query OK, 1 row affected (0.17 sec)
mysql> Insert Into employee Values('Palak','IT');
Query OK, 1 row affected (0.01 sec)
mysql> select * from employee;
+----------+----------+
| Empname  | DeptName |
+----------+----------+
| Chandani | Hindi    |
| Palak    | IT       |
+----------+----------+
2 rows in set (0.09 sec)
mysql> Delete From employee where DeptName='IT';
Query OK, 1 row affected (0.13 sec)
mysql> Update employee Set DeptName='English' where Empname='Chandani';
Query OK, 1 row affected (0.05 sec)
Rows matched: 1  Changed: 1  Warnings: 0
Audit Log Output
<AUDIT_RECORD>
  <TIMESTAMP>2020-03-16T11:54:54 UTC</TIMESTAMP>
  <RECORD_ID>2_2020-03-16T11:22:24</RECORD_ID>
  <NAME>TableInsert</NAME>
  <CONNECTION_ID>13</CONNECTION_ID>
  <USER>root[root] @ localhost []</USER>
  <OS_LOGIN/>
  <HOST>localhost</HOST>
  <IP/>
  <COMMAND_CLASS>insert</COMMAND_CLASS>
  <SQLTEXT>Insert Into employee Values('Chandani','Hindi')</SQLTEXT>
  <DB>AuditTest</DB>
  <TABLE>employee</TABLE>
 </AUDIT_RECORD>
 <AUDIT_RECORD>
  <TIMESTAMP>2020-03-16T11:55:02 UTC</TIMESTAMP>
  <RECORD_ID>3_2020-03-16T11:22:24</RECORD_ID>
  <NAME>TableInsert</NAME>
  <CONNECTION_ID>13</CONNECTION_ID>
  <USER>root[root] @ localhost []</USER>
  <OS_LOGIN/>
  <HOST>localhost</HOST>
  <IP/>
  <COMMAND_CLASS>insert</COMMAND_CLASS>
  <SQLTEXT>Insert Into employee Values('Palak','IT')</SQLTEXT>
  <DB>AuditTest</DB>
  <TABLE>employee</TABLE>
 </AUDIT_RECORD>
 <AUDIT_RECORD>
  <TIMESTAMP>2020-03-16T11:55:18 UTC</TIMESTAMP>
  <RECORD_ID>4_2020-03-16T11:22:24</RECORD_ID>
  <NAME>TableDelete</NAME>
  <CONNECTION_ID>13</CONNECTION_ID>
  <USER>root[root] @ localhost []</USER>
  <OS_LOGIN/>
  <HOST>localhost</HOST>
  <IP/>
  <COMMAND_CLASS>delete</COMMAND_CLASS>
  <SQLTEXT>Delete From employee where DeptName='IT'</SQLTEXT>
  <DB>AuditTest</DB>
  <TABLE>employee</TABLE>
 </AUDIT_RECORD>
 <AUDIT_RECORD>
  <TIMESTAMP>2020-03-16T11:55:34 UTC</TIMESTAMP>
  <RECORD_ID>5_2020-03-16T11:22:24</RECORD_ID>
  <NAME>TableUpdate</NAME>
  <CONNECTION_ID>13</CONNECTION_ID>
  <USER>root[root] @ localhost []</USER>
  <OS_LOGIN/>
  <HOST>localhost</HOST>
  <IP/>
  <COMMAND_CLASS>update</COMMAND_CLASS>
  <SQLTEXT>Update employee Set DeptName='English' where Empname='Chandani'</SQLTEXT>
  <DB>AuditTest</DB>
  <TABLE>employee</TABLE>
 </AUDIT_RECORD>
 <AUDIT_RECORD>
  <TIMESTAMP>2020-03-16T11:55:50 UTC</TIMESTAMP>
  <RECORD_ID>6_2020-03-16T11:22:24</RECORD_ID>
  
In Above Audit Reports, THERE is not any Logging happened against  CREATE , USE , DROP , SELECT SQL Statements , which means our MySQL Fined Grain Auditing is Working Fine!!!.

Audit Viewer from various dashboard Tools

You can see audit reports from varios tools , always opening audit log is cumbersome , hence i recommend you can use below tools
1. MySQL Enterprise Workbench Tool
2.Oracle Audit Vault Server
3.Splunk Dashboard

Only You will get MySQL Workbench Tool when you procure MySQL Enterprise Edition License.
Below are Sample Dashboard from Workbench


Audit Log Restrictions

MySQL Enterprise Audit is subject to these general restrictions:
1.       Only SQL statements are logged. Changes made by no-SQL APIs, such as memcached, Node.JS, and the NDB API, are not logged.
2.       Only top-level statements are logged, not statements within stored programs such as triggers or stored procedures.
3.       Contents of files referenced by statements such as LOAD DATA are not logged.
Conclusion:-
MySQL Enterprise Audit provides an easy to use, policy-based auditing solution that helps organizations implement stronger security controls and satisfy regulatory compliance.

As more sensitive data is collected, stored and used online, database auditing becomes an essential component of any security strategy. To guard against the misuse of information, popular compliance regulations including HIPAA, Sarbanes-Oxley, and the PCI Data Security Standard require organizations to track access to information.


Thank You for Using MySQL !!!.
Feel Free to try and share your feedback.