Project Quay: PROJQUAY-813

Quay cannot connect to mysql db when SSL/TLS is required



      Quay connects to mysql using TCP/IP and then appears to switch to SSL/TLS when available.

      Quay database config:

          ca: conf/stack/database.pem
      DB_URI: mysql+pymysql://dbquay:REDACTED@quay.example.com/quay

      mysql general log:

      2020-06-24T22:51:37.439449Z	  104 Connect	dbquay@34.72.153.xx on quay using TCP/IP
      2020-06-24T22:51:45.429138Z	  105 Connect	dbquay@34.72.153.xx on quay using SSL/TLS

      Set mysql to required SSL/TLS with configuration flag 'require_secure_transport=ON' in the my.cnf file.

      The mysql logs then show Quay attempting to connect only via TCP/IP (which will always fail):

      2020-06-25T18:06:42.414958Z	  116 Connect	dbquay@34.72.153.xx on quay using TCP/IP
      2020-06-25T18:06:50.615549Z	  117 Connect	dbquay@34.72.153.xx on quay using TCP/IP
      2020-06-25T18:06:58.599843Z	  118 Connect	dbquay@34.72.153.xx on quay using TCP/IP
      2020-06-25T18:07:07.023908Z	  119 Connect	dbquay@34.72.153.xx on quay using TCP/IP
      2020-06-25T18:07:16.953001Z	  120 Connect	dbquay@34.72.153.xx on quay using TCP/IP
      2020-06-25T18:07:28.469559Z	  121 Connect	dbquay@34.72.153.xx on quay using TCP/IP

      Quay error:

      sqlalchemy.exc.InternalError: (pymysql.err.InternalError) (3159, u'Connections using insecure transport are prohibited while --require_secure_transport=ON.')
      (Background on this error at: http://sqlalche.me/e/2j85)

      This is a major issue because many clients cannot use quay in production unless the mysql connection is always TLS/SSL.

      Attempting to force TLS by passing various flags in the DB_CONNECTION_ARGS portion of config.yaml (i.e. ssl=true, ssl-mode=required, etc.) did not fix the issue.
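The check the reporter did by eye above, reading the MySQL general log for plaintext connects, as an added example that is not part of the original issue or of Quay: it parses general-log Connect entries and reports which client connections used TCP/IP rather than SSL/TLS. The log lines are constructed to match the format quoted in the issue; the user name and redacted host are taken from it.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the MySQL general log lines quoted in the issue.
GENERAL_LOG = """\
2020-06-24T22:51:37.439449Z\t  104 Connect\tdbquay@34.72.153.xx on quay using TCP/IP
2020-06-24T22:51:45.429138Z\t  105 Connect\tdbquay@34.72.153.xx on quay using SSL/TLS
2020-06-24T22:51:46.000000Z\t  105 Query\tSELECT 1
2020-06-25T18:06:42.414958Z\t  116 Connect\tdbquay@34.72.153.xx on quay using TCP/IP
2020-06-25T18:06:50.615549Z\t  117 Connect\tdbquay@34.72.153.xx on quay using TCP/IP
"""

# General log layout: <timestamp> <thread id> <command>\t<argument>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
# Connect argument: <user>@<host> on <db> using <transport>
CONNECT_ARG = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on (?P<db>\S+) using (?P<transport>.+)$")


@dataclass(frozen=True)
class Connect:
    ts: str
    thread: int
    user: str
    host: str
    db: str
    transport: str

    @property
    def encrypted(self) -> bool:
        # MySQL logs "SSL/TLS" for encrypted sessions, "TCP/IP" (or "Socket") otherwise.
        return self.transport.strip() == "SSL/TLS"


def parse_connects(log_text: str) -> list:
    """Return every Connect entry in the general log as a Connect record."""
    out = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["cmd"] != "Connect":
            continue  # skip Query/Quit/etc. and lines that do not parse
        a = CONNECT_ARG.match(m["arg"])
        if a:
            out.append(Connect(m["ts"], int(m["thread"]), a["user"], a["host"], a["db"], a["transport"]))
    return out


def plaintext_connects(log_text: str, user: str = None) -> list:
    """Connections that did NOT use SSL/TLS, optionally filtered to one DB user."""
    return [c for c in parse_connects(log_text) if not c.encrypted and (user is None or c.user == user)]


def transport_summary(log_text: str) -> Counter:
    """Count of connections per (user, transport); a non-zero TCP/IP count for Quay's
    user means the client is still opening unencrypted sessions."""
    return Counter((c.user, c.transport) for c in parse_connects(log_text))
```

Running `transport_summary(GENERAL_LOG)` on the sample gives three TCP/IP and one SSL/TLS connection for dbquay, which is the pattern to look for before enabling require_secure_transport=ON.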

            kmullins@redhat.com Kurtis Mullins (Inactive)
            kybrown@redhat.com Kyle Brown (Inactive)
            luffy zhang luffy zhang
