
Accidentally expose port?

I'm a beginner in both docker and mysql, and I use the below command to run a mysql container

docker container run --publish 3306:3306 --name mysqlDB -d --env MYSQL_RANDOM_ROOT_PASSWORD=yes mysql

Now it runs successfully and, in order to grab the generated password, I run the below command

docker container logs [containerID]

Within the logs I can find my GENERATED ROOT PASSWORD, but as I try to read the logs I noticed the log below

[System] [MY-011323] [Server] X Plugin ready for connections. Socket: '/var/run/mysqld/mysqlx.sock' bind-address: '::' port: 33060

May I know what this means? Did I by any chance open port 33060? And how do I verify it?

This seems to be a MySQL plugin that adds document-oriented APIs to MySQL. Here you can find some more info: https://www.percona.com/blog/2019/01/07/understanding-mysql-x-all-flavors/

That port number seems to be unrelated to your bindings, that's just a default port number for that plugin.

Also, that port number is not exposed, so, there is nothing to fear, attack surface is still the same.

And if you want to disable that thing, here are the instructions: https://dev.mysql.com/doc/refman/8.0/en/x-plugin-disabling.html (command line option is probably your best bet -- considering docker environment).

To make sure the port is not exposed you can run the container and do docker ps, you'll see something like this:

$ docker ps
CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS              PORTS                                            NAMES
43dd96119ded        lb_geo-api               "/bin/sh -c 'exec sh…"   6 months ago        Up 7 days           80/tcp, 0.0.0.0:4203->8080/tcp                   lb_geo-api_1_a86ebad528fc

Last column -- "PORTS" -- is the list of ports and their bindings on your host:

  • 80/tcp -- port 80 is exposed from inside the container but not mapped to a host port, so, nobody from outside can connect there
  • 0.0.0.0:4203->8080/tcp -- port 8080 is exposed and is mapped to port 4203 on all network adapters, and it can be connected to from outside

So, if there is no port 33060 in your output, or if it is there but not mapped -- you're safe. In any case only you can map it when you start the container, so, if you did not do that, then it is not mapped.
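To turn the PORTS-column reading described in this answer into something you can check mechanically, here is an added shell example (not part of the original answer). It splits a docker ps PORTS string into entries and distinguishes entries that are merely exposed inside the container (no "host:port->" prefix) from entries that are published to a host port. The sample PORTS string is constructed; it assumes the official mysql image exposes both 3306 and 33060 and that only 3306 was published with --publish, as in the question.

```shell
#!/bin/sh
# Added example: classify the entries of a docker ps PORTS column.
# An entry containing "host:port->" is published to the host; a bare
# "port/proto" entry is only exposed on the container network and is
# not reachable from outside the host.

# published_ports "<PORTS column text>"
#   prints one "hostaddr:hostport->containerport/proto" line per published entry
published_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//' | grep -- '->' || true
}

# exposed_only "<PORTS column text>"
#   prints entries that are exposed by the image but not mapped to a host port
exposed_only() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//' | grep -v -- '->' | grep . || true
}

# port_is_published "<PORTS column text>" <container port>
#   exit status 0 when that container port is mapped to a host port
port_is_published() {
    published_ports "$1" | grep -q -- "->$2/"
}

# Constructed sample PORTS column (assumption: the mysql image exposes
# 3306 and 33060, and the question's command published only 3306).
SAMPLE_PORTS='33060/tcp, 0.0.0.0:3306->3306/tcp, :::3306->3306/tcp'

echo "published entries:"
published_ports "$SAMPLE_PORTS"
echo "exposed but not published:"
exposed_only "$SAMPLE_PORTS"

if port_is_published "$SAMPLE_PORTS" 33060; then
    echo "33060 is reachable from the host"
else
    echo "33060 is only exposed inside the container: not reachable from the host"
fi
```

With a live container you would feed the function the real value, e.g. `port_is_published "$(docker ps --format '{{.Ports}}' --filter name=mysqlDB)" 33060`; the functions themselves only parse text, so they run without Docker present.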

I was surprised by a MySQL log entry equivalent to yours, @Isaac, which led me to your question, although I'm not working with Docker. Here is what I think I've learned and what I've done.

MySQL's "X plugin" extends MySQL to be able to function as a document store. See the MySQL manual section on server plugins, the manual section on document store features, and the April 2018 document store availability announcement.

By default, for its X plugin features, MySQL listens on port 33060, bound to all IP addresses. See the manual section on X plugin options and system variables (indicating default values for "mysqlx_port" and "mysqlx_bind_address"), and the X plugin option and variable reference. For its traditional features, MySQL still uses port 3306 by default.

I believe the default X plugin port and network address are what are reflected in the log entry you posted. In particular, I believe the excerpt X Plugin ... bind-address: '::' indicates MySQL's default wildcard ip address binding for X plugin connections.

If you'd like to use the X plugin features but refrain from listening on all IP addresses for them, you can specify the address(es) on which it listens for TCP/IP connections with the mysqlx_bind_address option. The command line format would be --mysqlx-bind-address=addr. Alternatively, you could set that system variable in a MySQL option file, like this for example:

[mysqld]
<... other mysqld option group settings>
mysqlx_bind_address = 127.0.0.1

The MySQL manual provides helpful general information about specifying options on the command line or in an option file. Here is some information about setting MySQL options in a Docker container, although I have never tried it.

It seems there are distinct settings for the network addresses listened on by MySQL's X-plugin-enabled features and MySQL's traditional features. You set the network address(es) for the traditional features with the bind_address option. So if you want to limit both sets of features to listening for TCP/IP connections from localhost, you could, for example, put this in your MySQL options file, which is what I've just tried in mine:

[mysqld]
bind_address = 127.0.0.1
mysqlx_bind_address = 127.0.0.1

In contrast, it appears, you could set a single system variable -- skip_networking -- to permit only local, non-TCP/IP connections (e.g., Unix sockets, or Windows named pipes or shared memory) for both traditional and X Plugin features.

If you don't want to use the X plugin features at all, you could disable them as @alx suggested.

To verify which network addresses and ports MySQL is listening on, you have a variety of options. In my non-docker Linux environment, I found

netstat -l | grep tcp

and

sudo lsof -i | grep mysql

helpful.
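As an added example (not from this answer's author), here is a small shell script that reads netstat -ltn style output and reports, for the two MySQL ports, whether each listener is bound to localhost only or to a wildcard address (0.0.0.0 or ::), which is the binding the question's log line "bind-address: '::' port: 33060" describes. The netstat output embedded below is constructed; it assumes the numeric (-n) netstat column layout where the local address is column 4 and the state is the last column, and it models a server where bind_address was set to 127.0.0.1 but mysqlx_bind_address was left at its default.

```shell
#!/bin/sh
# Added example: find MySQL listeners bound to wildcard addresses in
# "netstat -ltn" output. Assumes the numeric netstat layout:
#   Proto Recv-Q Send-Q Local Address Foreign Address State

# listener_scope "<addr:port>" -> prints local, wildcard or specific
listener_scope() {
    addr="${1%:*}"                      # drop the trailing :port
    case "$addr" in
        127.0.0.1|::1|'[::1]'|'::ffff:127.0.0.1') echo local ;;
        0.0.0.0|::|'[::]'|'*'|'::ffff:0.0.0.0')    echo wildcard ;;
        *)                                          echo specific ;;
    esac
}

# report_mysql_listeners < netstat-output
#   prints "<port> <scope> <local address>" for every LISTEN row on 3306 or 33060
report_mysql_listeners() {
    awk '$NF == "LISTEN" { print $4 }' | while IFS= read -r laddr; do
        port="${laddr##*:}"
        case "$port" in
            3306|33060) echo "$port $(listener_scope "$laddr") $laddr" ;;
        esac
    done
}

# wildcard_mysql_ports < netstat-output -> the MySQL ports reachable on every interface
wildcard_mysql_ports() {
    report_mysql_listeners | awk '$2 == "wildcard" { print $1 }'
}

# Constructed sample: classic port bound to localhost, X plugin left at its
# default wildcard IPv6 binding (what "bind-address: '::' port: 33060" means).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::33060                :::*                    LISTEN'

echo "MySQL listeners:"
printf '%s\n' "$NETSTAT_SAMPLE" | report_mysql_listeners
echo "ports listening on all interfaces (consider setting mysqlx_bind_address / bind_address):"
printf '%s\n' "$NETSTAT_SAMPLE" | wildcard_mysql_ports
```

On a real host, run `netstat -ltn | report_mysql_listeners` (the -n keeps addresses numeric so the parsing above applies). After adding `mysqlx_bind_address = 127.0.0.1` to the option file and restarting, the 33060 row should move from "wildcard" to "local".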

You have published your port. That --publish 3306:3306 actually publishes your container port to a host port and now your host port 3306 is occupied by mysql. If you do not want that you can just remove --publish 3306:3306 and the container port will not be bound to a host port.
