MySQL in the Oracle Cloud – IaaS Getting Started

By | January 14, 2019

In this blog post I’ll be starting another series on MySQL in the Oracle Cloud, focusing this post on the initial IaaS setup. In “the series” I’ll review, at a high level, building an InnoDB Cluster on IaaS Compute in the Oracle Cloud, mostly focusing on certain cloud characteristics as they pertain to building, staging and managing the MySQL environments. Later I’ll move into how MySQL performs in this cloud environment under different HA conditions.

In this particular post, I’ll discuss preparing Object storage command-line access plus other Compute Best Practices that I think are interesting.  Look forward to a walkthrough of the IAM Services and explore aspects of the Oracle Cloud’s IaaS components that one might encounter with MySQL usage scenarios, such as VCNs, Block Storage, Security Lists, etc.

Oracle Cloud Infrastructure & MySQL

Compartments & Base Privileges

Basic privileges and access in “Identity & Access Management” are provided by a “User”, added to a “Group” to which “Policies” apply; the policies define access to “Resources” in a given “Compartment” or “Tenancy”. As this Oracle Cloud Infrastructure Blog points out:

Every cloud resource belongs to one and only one compartment. And policies grant permission to access specific resources inside specific compartments… – Author Zach Okun

Compartments are logical, hierarchical and layered structures, such that a Compartment can have multiple child compartments. The Getting Started documentation page about “adding users” lays out the general premise for giving users permissions to access resources. The steps are:

  • Create a “Compartment” named Sandbox, then add “Resources” inside it (now or later)
  • Create a “Group” named SandboxGroup with the required description
  • Create a “Policy” that grants resource access in that “Compartment”
    • “Allow group SandboxGroup to manage all-resources in compartment Sandbox”
  • Create a “User” [and give a temporary password] (if they don’t already exist)
  • Add the “User” to the “Group” created above

If you want to shortcut all of those tasks and just assign full privileges to the whole Cloud Account (or Tenancy), then…

  • Create a “User”
  • Add the “User” to the Administrators “Group”. Done!

Further Compartment Documentation

A quick Google search for “Oracle Cloud Compartments” turned up this URL on Oracle Infrastructure Fundamentals. Page 18 of the linked PDF (titled: IAM Service Resources – Tenants, Compartments) highlights some important core points.

  • Compartments are global (tenancy-wide) logical components used to organize and isolate resources
  • Permissions are inherited by child compartments in a hierarchical manner, and compartments “can be” nested multiple levels deep (the PDF is out of date on that particular item)
  • Resources can be connected/shared across compartments

Example Scenario of Compartments, User Privileges via Policies

I want to create an api-user account that lets me use the OCI command-line tools to access an Object Storage bucket. I also want it to have the ability to read the storage bucket and manage the objects (files) within it.

I want this setup so that my own personal privileges aren’t used, as others on my team may also have access to the compute instance’s OS account I was using (be it the ‘mysql’ or ‘root’ OS account). Later, this OCI access will be used to allow the command-line OCI tools to save MySQL backups to Object Storage, along with other MySQL artifacts that we may want to capture and store by date, and so on.

  • Yes, MySQL Enterprise Backup can use the Swift API to send/retrieve backups directly.
  • However, according to the Object Storage FAQ, Swift API object stores are created in the root compartment, which is not always ideal. It seems, though, that a native Object Storage bucket can be created in the preferred compartment and, after the fact, be used through the Swift (Amazon S3 Compatibility) API.
    • Thus… native Object Storage buckets are capable of supporting the Swift API, giving users flexibility

Create an API User with Limited Privileges

  1. I create an Object Storage bucket “Resource” named Andrew-OCI-MySQL-ObjStore in the “Compartment” named MySQL-Demo.
  2. Next, I create an API “User” Andrews-api-user and provision it with a public API key for its access to resources (in this case, the Object Storage bucket).
  3. I create a “Group” called Andrew-Group-Test and add the API “User” Andrews-api-user to that “Group”.
  4. I then create a “Policy” named Andrew-api-privs in the “Compartment” named MySQL-Demo with the following two statements to provision the access I desired:
    • “Allow group Andrew-Group-Test to read buckets in compartment MySQL-Demo”
    • “Allow group Andrew-Group-Test to manage objects in compartment MySQL-Demo”

This seemingly roundabout manner of creating and allocating resources, and then granting privileges, may seem a bit complicated. But it creates a robust environment that enables large enterprises to manage multiple projects and lines of business, or teams of developers, operations staff and QA, all working in tandem in a secure, least-privilege manner.
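To make the least-privilege outcome of those two policy statements concrete, here is a small evaluator I wrote for this post (it is not Oracle’s policy engine and not part of the original article). It models only what the text relies on: group membership, the cumulative verb ladder inspect < read < use < manage, the resource type, and compartment scope; conditions, nested-compartment inheritance and tenancy-administrator rules are left out. The group, user and compartment names are the ones from the steps above; the membership table is constructed to match them.

```python
"""Toy evaluator for the OCI IAM policy statements used in this post.

Added illustration, not Oracle's policy engine: models only group
membership, the cumulative verb ladder, resource type and compartment
scope; ignores conditions, nested-compartment inheritance and admin rules.
"""
import re
from dataclasses import dataclass
from typing import Optional

# OCI verbs are cumulative: a "manage" grant also satisfies use/read/inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>[\w-]+) in (?:compartment (?P<compartment>\S+)|tenancy)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str                 # e.g. "buckets", "objects", "all-resources"
    compartment: Optional[str]    # None means the statement covers the tenancy


def parse_statement(text: str) -> Statement:
    """Parse one 'Allow group G to VERB RESOURCE in compartment X' line."""
    m = STATEMENT_RE.match(text.strip().strip("“”\""))
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    comp = m["compartment"]
    return Statement(
        group=m["group"],
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        compartment=comp.lower() if comp else None,
    )


def is_allowed(statements, memberships, user, verb, resource, compartment):
    """True if some statement grants `user` the `verb` on `resource` in `compartment`.

    A statement applies when the user belongs to its group, it is scoped to the
    tenancy or to this compartment, its resource type is all-resources or the
    requested type, and its verb is at least as strong as the one requested.
    """
    needed = VERB_RANK[verb]
    for st in statements:
        if user not in memberships.get(st.group, ()):
            continue
        if st.compartment is not None and st.compartment != compartment.lower():
            continue
        if st.resource not in ("all-resources", resource):
            continue
        if VERB_RANK[st.verb] >= needed:
            return True
    return False


# The post's two statements for group Andrew-Group-Test in compartment MySQL-Demo.
POLICY = [parse_statement(s) for s in (
    "Allow group Andrew-Group-Test to read buckets in compartment MySQL-Demo",
    "Allow group Andrew-Group-Test to manage objects in compartment MySQL-Demo",
)]
# Group membership as set up in the post (constructed lookup table).
MEMBERS = {"Andrew-Group-Test": {"Andrews-api-user"}}


def api_user_access(user="Andrews-api-user"):
    """What the backup user may and may not do under POLICY."""
    return {
        "list_buckets":   is_allowed(POLICY, MEMBERS, user, "read", "buckets", "MySQL-Demo"),
        "put_object":     is_allowed(POLICY, MEMBERS, user, "manage", "objects", "MySQL-Demo"),
        "create_bucket":  is_allowed(POLICY, MEMBERS, user, "manage", "buckets", "MySQL-Demo"),
        "read_elsewhere": is_allowed(POLICY, MEMBERS, user, "read", "objects", "Sandbox"),
    }


if __name__ == "__main__":
    for action, ok in api_user_access().items():
        print(f"{action:15s} {'allowed' if ok else 'denied'}")
```

The interesting rows are the denials: the API user can list the bucket and write, overwrite or delete objects in it, but cannot create or delete buckets in MySQL-Demo and has no access at all in any other compartment. That is exactly the blast radius you want for a credential that lives on a shared MySQL host.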

VCNs – Virtual Cloud Networks

If you don’t do too much networking because you’re generally not that involved with most of this day to day work, then dust off those skills and get back in the game.  It doesn’t need to be complicated, certainly my networking skillset is not sophisticated – just enough to be dangerous.

What does a VCN do for you?

Creating a default VCN in a given Compartment will give you:

  • A VCN with a default CIDR block of 10.0.0.0/16, with an Internet Gateway and associated route table pre-configured
  • It will also give you a default Subnet in each Availability Domain of the region the VCN was built in.
  • Each subnet will be a public subnet with its own private address range, such as 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24
  • Default security list rules that allow inbound ICMP and SSH access
    • Default compute instances further limit SSH access by default
  • Within a VCN, traffic from one Subnet can reach and discover targets in the other subnets of that VCN. This is all done using private IP addresses.

Note: You don’t need to have the system build a full default VCN for you.

  • You can have it build just the VCN, which you can customize.
  • Then you can create customized Subnets from scratch and continue using patterns as you would in your company.

Other Interesting Network Related Items

Local and Remote VCN Peering

  • Other VCNs in the same tenancy and same Cloud Region can use local VCN peering to access other VCN networks. Similar access is enabled across Cloud Regions by using remote VCN peering.
  • This sort of access uses private IPs in one VCN to communicate with other VCNs, all the while never leaving the Oracle Cloud to do so.

Other Interesting Network Services

  • Internet Gateways – These give cloud resources that have public IPs access to the internet, with the twist that if the target public IP is an Oracle Cloud resource, the traffic is routed internally without the request going out to the internet.
  • Service Gateways – Provide a region’s Oracle Cloud VCNs private-IP access to the public Object Storage service without that traffic ever traversing the internet. This gateway offers further services for Object Storage that the Internet Gateway doesn’t provide…otherwise they’re pretty similar in concept.
  • NAT Gateways – Like any good NAT server, but this one is highly available and really simple to provision. Add it to your VCN with a route table whose default route (0.0.0.0/0) points at the gateway, and then add a custom-created private Subnet to your VCN. Traffic from that private-only subnet will now have outbound access to the internet through the NAT Gateway.

Security Lists for MySQL

Security Lists are pretty simple and straightforward but offer some extended capabilities for more complex network traffic rules. The defaults in a VCN are noted above. The VCNs I created were intended to host traffic for MySQL and related services. So here, generally speaking, is what I added to my security rules, and the reason why. As always, look to this Guide on Ports for MySQL, as it’s helpful when configuring these sorts of network setups.

**Remember to use that ports blog for your OS setup later on too (firewall, selinux, etc)**

  • TCP/Port 80 – for source traffic 10.0.0.0/16 (for my VCN traffic only)
    • Used for the MySQL Repo Server
  • TCP/Port 443 – for source traffic 0.0.0.0/0
    • Used for the MySQL Enterprise Monitor
      • Agents on servers push metric data to the Service Manager (the monitor)
      • End users log in to the monitor using this same port
  • TCP/Ports 3306, 33060, 33061 – for source traffic 0.0.0.0/0
    • MySQL usage in the VCN across all the subnets
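The rules above are easy to sanity-check offline. The following is an added example written for this post (not OCI code and not the author’s): it models stateful ingress security-list rules as source CIDR plus TCP destination port, runs a few constructed connection attempts against the three rules exactly as written, and lists which ports end up reachable from any source. Note that, as written, the 3306/33060/33061 rule admits any source even though its stated purpose is MySQL traffic inside the VCN; the `restrict_to_vcn` helper shows the rule narrowed to the VCN CIDR, the same way the port-80 rule already is. The 203.0.113.0/24 addresses are from a documentation range and are constructed inputs.

```python
"""Added example: evaluate the post's ingress security-list rules against
sample connection attempts and audit internet-exposed ports.

Not OCI's security-list engine: models stateful ingress rules keyed on
source CIDR and TCP destination port only. Sample sources are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class IngressRule:
    source: ipaddress.IPv4Network
    ports: FrozenSet[int]   # TCP destination ports admitted
    purpose: str


def rule(cidr: str, ports, purpose: str) -> IngressRule:
    return IngressRule(ipaddress.ip_network(cidr), frozenset(ports), purpose)


VCN_CIDR = "10.0.0.0/16"

# The post's three rules, exactly as written.
RULES: List[IngressRule] = [
    rule(VCN_CIDR, [80], "MySQL repo server (VCN only)"),
    rule("0.0.0.0/0", [443], "MySQL Enterprise Monitor (agents and users)"),
    # 3306 classic protocol, 33060 X Protocol, 33061 Group Replication (defaults)
    rule("0.0.0.0/0", [3306, 33060, 33061], "MySQL in the VCN"),
]


def matching_rule(rules, src_ip: str, dst_port: int) -> Optional[IngressRule]:
    """Return the first rule admitting a TCP connection from src_ip to dst_port."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if src in r.source and dst_port in r.ports:
            return r
    return None


def internet_exposed_ports(rules) -> List[int]:
    """Ports admitted from any source (0.0.0.0/0): the ones worth a second look."""
    exposed = set()
    for r in rules:
        if r.source.prefixlen == 0:
            exposed.update(r.ports)
    return sorted(exposed)


def restrict_to_vcn(rules, vcn_cidr: str, ports) -> List[IngressRule]:
    """Copy of rules in which the given ports are admitted only from the VCN CIDR.

    Any-source rules that carry other ports keep those ports; the named ports
    are moved to a new rule scoped to the VCN.
    """
    ports = frozenset(ports)
    out = []
    for r in rules:
        if r.source.prefixlen == 0 and r.ports & ports:
            kept = r.ports - ports
            if kept:
                out.append(IngressRule(r.source, kept, r.purpose))
            out.append(IngressRule(ipaddress.ip_network(vcn_cidr), r.ports & ports, r.purpose))
        else:
            out.append(r)
    return out


if __name__ == "__main__":
    print("open to the internet:", internet_exposed_ports(RULES))
    tightened = restrict_to_vcn(RULES, VCN_CIDR, [3306, 33060, 33061])
    print("after restricting MySQL ports to the VCN:", internet_exposed_ports(tightened))
```

With the rules as written, `internet_exposed_ports` reports 443, 3306, 33060 and 33061; after `restrict_to_vcn` only 443 remains open to the world, a MySQL connection from a 10.0.x.x address still matches, and the same connection from outside the VCN is dropped. The port-443 rule stays wide open because the monitor’s agents and users are meant to reach it from anywhere, which is the one case here where a 0.0.0.0/0 source is the stated intent.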

Best Practices for OCI Compute

There is an interesting documentation page outlining “Best Practices for your Compute Instance” on the Oracle Cloud. Although some items may not apply to everyone’s focus or interest, it’s good to review. I’d like to focus on a couple of items that piqued my interest, though.

User Access using ssh

The “User access for SSH-enabled users” section documents the process for creating new Linux user accounts that work like the default opc account. This way customers have documentation on the process and, instead of relying on the shared ‘opc’ user account for access, can create their own accounts. Adding SSH-enabled users might even be a scriptable item that could streamline its implementation. A similar process exists for Windows OS users too, at the same URL above.

Oracle Cloud’s Own NTP Server Usage

Oracle Linux comes delivered with the Linux distribution’s default NTP server setup, which requires doing all of the clock synchronization over the internet. Oracle provides documentation for enabling Oracle Cloud’s own NTP service, which makes the process far more efficient, as its highly available servers sit directly inside the cloud environment.

I’ve taken their notes for the modifications and created my own script for using after the image is built, as below:

Fault Domains

Each Availability Domain in an Oracle Cloud Region has its own internal fault-resilient setup by means of “Fault Domains”. Each AD has 3 fault domains, which contain isolated racks of compute resources that back cloud services.

When launching new compute resources, you can optionally choose which fault domain to use.  This can only be chosen when a new compute resource is initially created.

Fault domains are also highly valuable for:

  • Those who want resources to remain in a single Availability Domain
  • Those who have no choice, when a region only has one Availability Domain.

Resource Availability Scope

It’s worth noting here what the Resource Availability layout looks like in the Oracle Cloud. Visit the URL for the complete list.

  • Global Resources are items such as API Signing keys, Compartments, etc…
  • Regional Resources are items such as Buckets, DRGs, Internet and NAT Gateways, etc…
  • Availability Domain-Specific Resources are items such as Subnets, Compute Instances, attached Volumes, etc…

OCI Utilities for Oracle Linux

It can be handy to have the OCI utilities installed and understood, so that they become a tool we use to navigate the Oracle Cloud with more benefit. The initial installation is all that I want to highlight here; we’ll look into further setup later on. These utilities will integrate with the Object Storage “User” Andrews-api-user identified above, and will be brought up again in a future blog post.

Comments are welcome!