For my micro-services, every service has a different DB user that should only be able to connect to the DB using that user from the given micro-service.

So the user productapiuser should only be able to connect from host productapi.myapp.com. So I added that user to MySQL as productapiuser@productapi.myapp.com and granted it the rights to do select on all tables related to the product API.

```sql
CREATE USER 'productapiuser'@'productapi.myapp.com' IDENTIFIED BY 'mypassword';

-- Database and table names are identifiers, so they take backticks, not single quotes
GRANT SELECT ON `product_db`.`product_table` TO 'productapiuser'@'productapi.myapp.com';
```

Then I removed the skip-name-resolve from the /etc/mysql/conf.d/docker.cnf and restarted the container. I let the skip-host-cache stay put for now so I wouldn't have to worry about cache errors just yet.

I added the hostname and domain name to the docker-compose.yml

```yaml
version: "1.29"
services:
  mysql:
    hostname: mysql
    domainname: mysql.myapp.com
    environment:
      - MYSQL_ROOT_PASSWORD=mypassword
  productapi:
    build: ~/myapp/
    hostname: productapi
    domainname: productapi.myapp.com
```

I then build the containers and start them using

```sh
docker-compose -f docker-compose.yml build mysql
docker-compose -f docker-compose.yml build productapi

docker-compose -f docker-compose.yml run --use-aliases mysql
docker-compose -f docker-compose.yml run --use-aliases productapi
```

The database gives the error

```
SQLSTATE[HY000] [1045] Access denied for user 'productapiuser'@'9c2f03b4d50c_docker-compose-developers-productapi-1.docker-compo' (using password: YES)
```

Which is clearly the wrong hostname. So I installed ping on my DB and did

`ping productapi` and `ping productapi.myapp.com`

both give the output:

```
PING productapi (172.19.0.4) 56(84) bytes of data.
64 bytes from 9c2f03b4d50c_docker-compose-developers-productapi-1.docker-compose-developers_default (172.19.0.4): icmp_seq=1 ttl=64 time=0.097 ms
```

Which somehow links the hostname to another hostname: 9c2f03b4d50c_docker-compose-developers-productapi-1.docker-compose-developers_default

I installed nslookup in the DB container and did a lookup for

```
# nslookup productapi
Server:         127.0.0.11
Address:        127.0.0.11#53

Non-authoritative answer:
Name:   productapi
Address: 172.19.0.4
```

Then I did an nslookup for the IP and it gives:

```
# nslookup 172.19.0.4
4.0.19.172.in-addr.arpa name = 9c2f03b4d50c_docker-compose-developers-productapi-1.docker-compose-developers_default.

Authoritative answers can be found from:
```

My question: why is it that the host and domain name I put in the .yaml file seem to be working on a different service as DNS? And how can MySQL resolve the hostname/domainname I give in my docker-compose.yml when MySQL does a lookup on the IP address?

Or maybe even: what is needed to make this work? Will it work?

UPDATE: @luuk pointed out that I should use docker-compose run --use-aliases productapi to start the container. The problem is the nslookup of 172.19.0.4 still gives the output:

```
4.0.19.172.in-addr.arpa name = 9c2f03b4d50c_docker-compose-developers-productapi-1.docker-compose-developers_default.
```

According to these two answers: https://stackoverflow.com/a/51216303/1735311 https://dba.stackexchange.com/a/90468/50646

"Once the hostname is resolved, there's an additional DNS lookup in the opposite direction, to verify that the hostname discovered in the first DNS query, foo.example.com, does indeed map to an A record that resolves back to the original IP address (e.g an A record foo.example.com → 203.0.113.113)."

So my problem has to do with the way DNS requests are resolved within the Docker environment. So how do you adjust the A and PTR records within your docker environment?

St. Jan
  • You should use: `docker-compose run --use-aliases` in your config, see: https://stackoverflow.com/a/47264089/724039 – Luuk May 27 '23 at 11:00
  • @Luuk I saw this but since my `ping` and `nslookup` already worked I thought it was not applicable. If I start the containers using the --use-aliases the output of the `nslookup` stays exactly the same. The tests I run do take A LOT longer to give back a fail though. The error is different too!!! oo that is at least a step in the right direction! – St. Jan May 27 '23 at 11:26
  • only now php_network_getaddresses: getaddrinfo fails... – St. Jan May 27 '23 at 11:29
  • Ah, so this is not the solution needed. Once I updated the productapi container and the mysql container to use a hostname and networkname and run the containers with the --use-aliases, I am back to the same error as I had before. – St. Jan May 27 '23 at 11:40

1 Answer

It is important that you keep in mind that aliases are aliases. If you want the nslookup to change you should change the name of the container and its networks. Aliases are only meant to give 'extra' names and networks.

The docker-compose.yml should look as follows:

```yaml
version: "1.29"
services:
  mysql:
    networks:
      - myapp
    environment:
      - MYSQL_ROOT_PASSWORD=mypassword
  productapi:
    build: ~/myapp/
    container_name: productapi
    networks:
      - myapp
networks:
  myapp:
    name: myapp.com
```

This way the A and PTR records within your docker environment will be set correctly for your "main" hostname and network to be found by hostname and reverse lookup on IP address.

The nslookup will return the correct information:

```
# nslookup 172.25.0.5
5.0.25.172.in-addr.arpa name = productapi.myapp.com.

Authoritative answers can be found from:
```

And MySQL can now find the IP address by hostname and find the same hostname when it does a reverse lookup on the IP address.

St. Jan
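The check this thread revolves around, as an added example (not code from the question or the answer): the server resolves the client IP to a name, confirms that name resolves back to the same IP, and only then compares it with the host part of the account. The function names and the in-memory DNS records are constructed for illustration; the records mirror the nslookup output above, and the forward record for the long container name is an assumption.

```python
import re
import socket

def reverse_lookup(ip):
    """PTR lookup via the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def forward_lookup(name):
    """A/AAAA lookup via the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def client_host_seen_by_server(ip, reverse=reverse_lookup, forward=forward_lookup):
    """PTR name if it resolves back to the same IP, otherwise the bare IP."""
    name = reverse(ip)
    if name and ip in forward(name):
        return name.rstrip(".")
    return ip

def host_matches(account_host, client_host):
    """Match the host part of 'user'@'host' (% and _ wildcards, case ignored; no netmasks)."""
    pattern = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in account_host)
    return re.fullmatch(pattern, client_host, re.IGNORECASE) is not None

# Constructed DNS records mirroring the nslookup output on this page.
LONG = "9c2f03b4d50c_docker-compose-developers-productapi-1.docker-compose-developers_default"
BEFORE = {"ptr": {"172.19.0.4": LONG},
          "a": {LONG: {"172.19.0.4"}, "productapi": {"172.19.0.4"}}}  # A for LONG is assumed
AFTER = {"ptr": {"172.25.0.5": "productapi.myapp.com"},
         "a": {"productapi.myapp.com": {"172.25.0.5"}}}
# Constructed: a PTR record that claims the trusted name without a matching A record.
UNCONFIRMED = {"ptr": {"172.25.0.9": "productapi.myapp.com"},
               "a": {"productapi.myapp.com": {"172.25.0.5"}}}

def check(records, ip, account_host="productapi.myapp.com"):
    """Return (name the server would see, whether the account host matches it)."""
    seen = client_host_seen_by_server(
        ip, records["ptr"].get, lambda name: records["a"].get(name, set()))
    return seen, host_matches(account_host, seen)

if __name__ == "__main__":
    for recs, ip in ((BEFORE, "172.19.0.4"), (AFTER, "172.25.0.5"), (UNCONFIRMED, "172.25.0.9")):
        print(check(recs, ip))
```

Calling `client_host_seen_by_server(ip)` without the resolver arguments runs the same check against the container's real resolver.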