We run several docker images on a VM.

sudo iptables -S shows a lot of docker networking.

We try to connect to an external MySQL database in another net.

mysql --host=mysql.example.org --user=thisuser thatdatabase

We get error message:

ERROR 2002 (HY000): Can't connect to MySQL server on 'mysql.example.org' (115)

Network logs show that the external firewall does not recognize a connect attempt.

We tried to shut down docker and try again, to no avail.

sudo traceroute mysql.example.org
traceroute to mysql.example.org (111.222.333.444), 30 hops max, 60 byte packets
1  localvm.example.org (172.17.0.1)  3071.799 ms !H  3071.763 ms !H  3071.754 ms !H

The 172.17.0.1 is -not- the IP address of the local system.

On another vanilla system we can connect to this instance.

We tried to use an explicit route, to no avail.

ip route add 222.333.444.0/24 dev ens192

traceroute mysql.example.org
traceroute to mysql.example.org (correct external ip-address), 30 hops max, 60 byte packets
1  localvm.example.org (correct local ip-address)  3068.673 ms !H  3068.566 ms !H  3068.532 ms !H

Any suggestions how to narrow down errors?

Is it time to start wireshark?

VM is Debian 10, client is mysql Ver 15.1 Distrib 10.3.22-MariaDB

Gerald Schneider
Bodo
  • "VM is Debian 10". What is the host OS? – Gerard H. Pille Jun 16 '20 at 08:36
  • I realized that the docker services added iptables rules. Now, how do I add an iptables rule to allow a TCP/3306 connection to mysql.example.org? – Bodo Jun 16 '20 at 09:54
  • If I want to allow connections -from- foreign systems I should use iptables -A INPUT -i eth0 -s aa.bb.cc.dd -p tcp --destination-port 3306 -j ACCEPT. But I have to allow connections -to- a foreign system. – Bodo Jun 16 '20 at 09:59
  • @Gerard: Host is a well configured VMware. VM client is Debian 10 – Bodo Jun 16 '20 at 10:02
  • The "external" database server has a private IP address? Better add your routing info to the question, where you can format it properly. – Gerard H. Pille Jun 16 '20 at 12:55

2 Answers

It turned out that we had to tell docker not to use the 172.17.0.0/24 network.

According to how-do-i-configure-the-default-bridge-docker0

we changed

/etc/docker/daemon.json
{
  "bip": "172.26.0.1/16"
}

systemctl restart docker;systemctl status docker

Old route entry was

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ....            0.0.0.0         UG    100    0        0 ens192
...........     0.0.0.0         255.255.255.0   U     100    0        0 ens192
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

route now shows different net:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.26.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

Now it's not conflicting with the existing server and the connection is possible.

Thanks very much to all for your help!

Bodo
  • If you have leftover routes you can delete them with: route del -net 172.17.0.0 netmask 255.255.0.0 – Bodo Jun 30 '20 at 09:04
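
Added example, not part of the original answer: a sketch of why the docker0 route captured the traffic and why changing "bip" released it, using longest-prefix route selection. The tables are constructed from the `route` output above; the 192.0.2.0/24 LAN prefix and the database address 172.17.5.20 are assumptions, since the page does not give the real values.

```python
import ipaddress

# Constructed tables modelled on the `route` output above; the LAN prefix
# (192.0.2.0/24) stands in for the entries elided in the answer.
ROUTES_BEFORE = [            # (destination, interface, metric)
    ("0.0.0.0/0", "ens192", 100),
    ("192.0.2.0/24", "ens192", 100),
    ("172.17.0.0/16", "docker0", 0),
]
ROUTES_AFTER = ROUTES_BEFORE[:2] + [("172.26.0.0/16", "docker0", 0)]

BRIDGE_PREFIXES = ("docker", "br-")  # docker0 and user-defined bridge names


def select_route(routes, dest):
    """Return the (network, interface, metric) route used for dest:
    longest matching prefix first, lowest metric as tie-breaker."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(n), i, m) for n, i, m in routes
               if addr in ipaddress.ip_network(n)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))


def shadowed_by_bridge(routes, dest):
    """True when traffic to dest leaves through a Docker bridge, not the uplink."""
    route = select_route(routes, dest)
    return route is not None and route[1].startswith(BRIDGE_PREFIXES)


def bridge_network(bip):
    """Network that a daemon.json "bip" value puts on docker0."""
    return ipaddress.ip_interface(bip).network


if __name__ == "__main__":
    target = "172.17.5.20"   # constructed address for the external database
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        net, iface, _ = select_route(table, target)
        print(f"{name}: {target} via {iface} ({net}), "
              f"shadowed={shadowed_by_bridge(table, target)}")
    print("new docker0 network:", bridge_network("172.26.0.1/16"))
```

On a live host, `ip route get <address>` reports the interface the kernel actually selects for a destination.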

normally means that there is no MySQL server running on the system or that you are using an incorrect Unix socket file name or TCP/IP port number when trying to connect to the server. You should also check that the TCP/IP port you are using has not been blocked by a firewall or port blocking service.