MariaDB packages bind MariaDB to 127.0.0.1 (the loopback IP address) by default as a security measure using the bind-address configuration directive. Old MySQL packages sometimes disabled TCP/IP networking altogether using the skip-networking directive. Before going in to how to configure these, let's explain what each of them actually does:
- skip-networking is fairly simple. It just tells MariaDB to run without any of the TCP/IP networking options.
- bind-address requires a little bit of background information. A given server usually has at least two networking interfaces (although this is not required) and can easily have more. The two most common are a Loopback network device and a physical Network Interface Card (NIC) which allows you to communicate with the network. MariaDB is bound to the loopback interface by default because it makes it impossible to connect to the TCP port on the server from a remote host (the bind-address must refer to a local IP address, or you will receive a fatal error and MariaDB will not start). This of course is not desirable if you want to use the TCP port from a remote host, so you must remove this bind-address directive (MariaDB only supports one bind-address, but binds to 0.0.0.0, or :: (every IP) if the bind-address directive is left out).
Finding the defaults file
To enable MariaDB to listen to remote connections, you need to edit your defaults file. See Configuring MariaDB with my.cnf for more detail.
Common locations for defaults files:
* /etc/my.cnf (*nix/BSD) * $MYSQL_HOME/my.cnf (*nix/BSD) *Most Notably /etc/mysql/my.cnf * SYSCONFDIR/my.cnf (*nix/BSD) * DATADIR\my.ini (Windows)
Editing the defaults file
Once you have located the defaults file, use a text editor to open the file and try to find lines like this under the [mysqld] section:
[mysqld] ... skip-networking ... bind-address = <some ip-address> ...
(The lines may not be in this order, and the order doesn't matter.)
If you are able to locate these lines, make sure they are both commented out (prefaced with hash (#) characters), so that they look like this:
[mysqld] ... #skip-networking ... #bind-address = <some ip-address> ...
(Again, the order of these lines don't matter)
Save the file and restart the mysqld daemon or service (see Starting and Stopping MariaDB).
Granting user connections from remote hosts
Now that your MariaDB server installation is setup to accept connections from remote hosts, we have to add a user that is allowed to connect from something other than 'localhost' (Users in MariaDB are defined as 'user'@'host', so 'chadmaynard'@'localhost' and 'chadmaynard'@'126.96.36.199' (or 'chadmaynard'@'server.domain.local') are different users that can have completely different permissions and/or passwords.
To create a new user:
- log into the mysql command line client (or your favorite graphical client if you wish)
Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 36 Server version: 5.5.28-MariaDB-mariadb1~lucid mariadb.org binary distribution Copyright (c) 2000, 2012, Oracle, Monty Program Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]>
- if you are interested in viewing any existing remote users, issue the following SQL statement on the mysql.user table:
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost'; +--------+-----------+ | User | Host | +--------+-----------+ | daniel | % | | root | 127.0.0.1 | | root | ::1 | | root | gandalf | +--------+-----------+ 4 rows in set (0.00 sec)
(If you have a fresh install, it is normal for no rows to be returned)
Now you have some decisions to make. At the heart of every grant statement you have these things:
- list of allowed privileges
- what database/tables these privileges apply to
- host this user can connect from
- and optionally a password
It is common for people to want to create a "root" user that can connect from anywhere, so as an example, we'll do just that, but to improve on it we'll create a root user that can connect from anywhere on my local area network (LAN), which has addresses in the subnet 192.168.100.0/24. This is an improvement because opening a MariaDB server up to the Internet and granting access to all hosts is bad practice.
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.100.%' IDENTIFIED BY 'my-new-password' WITH GRANT OPTION;
(% is a wildcard)
For more information about how to use GRANT, please see the GRANT page.
At this point we have accomplished our goal and we have a user 'root' that can connect from anywhere on the 192.168.100.0/24 LAN.
Port 3306 is configured in firewall
One more point to consider whether the firwall is configured to allow incoming request from remote clients:
On RHEL and CentOS 7, it may be necessary to configure the firewall to allow TCP access to MySQL from remote hosts. To do so, execute both of these commands:
firewall-cmd --add-port=3306/tcp firewall-cmd --permanent --add-port=3306/tcp
- if your system is running a software firewall (or behind a hardware firewall or NAT) you must allow connections destined to TCP port that MariaDB runs on (by default and almost always 3306).
- to undo this change, simply uncomment the bind-address line in your defaults file.
The initial version of this article was copied, with permission, from http://hashmysql.org/wiki/Remote_Clients_Cannot_Connect on 2012-10-30.