A question from irc:

maelstrom> hi folks I have another tricky question, can aegir connect to mysql server via an ssh tunneling? the MySQL server is behind a ssh bastion any help is appreciated ;)

The answer turned out to be YES you can.

I'm dumping my thoughts here to maybe add it to documentation later....

Start with the regular remote server docs from http://docs.aegirproject.org/en/3.x/usage/advanced/remote-servers/#remot...

1) Set up the remote MySQL server to listen on an alternate port, 3312 in this example (in /etc/mysql/my.cnf)

2) Add a line to /etc/hosts on both master and slave server
127.0.0.2 myremoteserver.example.com.mysql

3) Add the tunnel to your ssh config in ~/.ssh/config

Host myremoteserver.example.com
LocalForward  127.0.0.1:3312  127.0.0.1:3312

4) ssh to myremoteserver.example.com to open the tunnel ... somewhere in screen? Or any other means of keeping the tunnel active.

5) add a 'Web' server 'node' in hostmaster to myremoteserver.example.com
6) add a 'Database' server 'node' in hostmaster, using the special myremoteserver.example.com.mysql name

7) add a platform on the remote server
8) Add a site as usual on the remote servers
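
An added example for step 3 (not part of the original issue or of Aegir's own code): a small shell check that reads ssh_config-style text and reports, for one Host block, which local address and port each LocalForward binds and whether that bind stays on loopback, so the tunnelled MySQL port is not reachable from other machines. The function names, the sample config and the host wildcard.example.invalid are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit LocalForward lines for one Host block.
# Usage: audit_forwards HOSTNAME < ssh_config
# Output per forward: <verdict> <bind> <local_port> <target>
# Limits (assumptions of this sketch): Host tokens are matched literally
# (no glob patterns) and bracketed IPv6 bind addresses are not parsed.
audit_forwards() {
    awk -v want="$1" '
        tolower($1) == "host" {
            # A new Host line ends the previous block.
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == want) inblock = 1
            next
        }
        inblock && tolower($1) == "localforward" && NF >= 3 {
            n = split($2, p, ":")
            if (n == 1) { bind = "default"; port = p[1] }
            else        { bind = p[1];      port = p[2] }
            # "default" is loopback only while GatewayPorts keeps its
            # default of "no"; an empty bind or "*" means all interfaces.
            if (bind == "default" || bind == "localhost" || bind ~ /^127\./)
                verdict = "ok"
            else
                verdict = "exposed"
            if (bind == "") bind = "*"
            printf "%s %s %s %s\n", verdict, bind, port, $3
        }
    '
}

# Constructed sample: the forward from step 3 plus a wildcard bind for contrast.
sample_config() {
    cat <<'EOF'
Host myremoteserver.example.com
    LocalForward  127.0.0.1:3312  127.0.0.1:3312

Host wildcard.example.invalid
    LocalForward *:3312 127.0.0.1:3312
EOF
}

sample_config | audit_forwards myremoteserver.example.com
sample_config | audit_forwards wildcard.example.invalid
```
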

Comments

helmo created an issue. See original summary.

helmo’s picture

It's a bit of a drawback that mysql needs to listen on the special port remotely as well. That could conflict if it's also used for other applications.

As MySQL does not support listening on multiple ports you could use iptables to forward the port on the remote server ... see http://stackoverflow.com/questions/790242/how-to-add-a-port-to-mysql-server

SamirMtl’s picture

Thanks Helmo
It just works fine ;)
In addition, the ~/.ssh/config file can look like this

<del>Host myremoteserver.example.com
LocalForward  127.0.0.1:3312  127.0.0.1:3306</del>

So there is no need to configure the mysql port of the server, which prevents any conflict with other applications
Another interesting point for dealing with the ssh tunneling and launching a permanent one, please see this link: http://www.harding.motd.ca/autossh/

helmo’s picture

@SamirMtl: Were you able to install and verify a new site on the remote server? I had the errors from Drupal connecting to port 3312 on the remote server itself.

SamirMtl’s picture

@helmo you're right
I have supposed that if I can do something like this as aegir user: mysql -u -p -P 3312 --host=
so aegir server can perform the remote database connection
But on adding database server on aegir I have an error (.. Can't connect to MySQL serve..)

colan’s picture