From 5d2deeb9048f22e6cdfa035a9e5f5b95ab7acec5 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 31 May 2024 10:05:00 +1000 Subject: [PATCH 01/18] Add 11.6 --- 11.6/Dockerfile | 142 ++++++++ 11.6/docker-entrypoint.sh | 715 ++++++++++++++++++++++++++++++++++++++ 11.6/healthcheck.sh | 353 +++++++++++++++++++ update.sh | 4 +- versions.json | 28 ++ 5 files changed, 1240 insertions(+), 2 deletions(-) create mode 100644 11.6/Dockerfile create mode 100755 11.6/docker-entrypoint.sh create mode 100755 11.6/healthcheck.sh diff --git a/11.6/Dockerfile b/11.6/Dockerfile new file mode 100644 index 00000000..7282f520 --- /dev/null +++ b/11.6/Dockerfile @@ -0,0 +1,142 @@ +# vim:set ft=dockerfile: +FROM ubuntu:noble + +# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added +RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql + +# add gosu for easy step-down from root +# https://github.com/tianon/gosu/releases +# gosu key is B42F6819007F00F88E364FD4036A9C25BF357DD4 +ENV GOSU_VERSION 1.17 + +ARG GPG_KEYS=177F4010FE56CA3336300305F1656F24C74CD1D8 +# pub rsa4096 2016-03-30 [SC] +# 177F 4010 FE56 CA33 3630 0305 F165 6F24 C74C D1D8 +# uid [ unknown] MariaDB Signing Key +# sub rsa4096 2016-03-30 [E] +# install "libjemalloc2" as it offers better performance in some cases. Use with LD_PRELOAD +# install "pwgen" for randomizing passwords +# install "tzdata" for /usr/share/zoneinfo/ +# install "xz-utils" for .sql.xz docker-entrypoint-initdb.d files +# install "zstd" for .sql.zst docker-entrypoint-initdb.d files +# hadolint ignore=SC2086 +RUN set -eux; \ + apt-get update; \ + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + ca-certificates \ + gpg \ + gpgv \ + libjemalloc2 \ + pwgen \ + tzdata \ + xz-utils \ + zstd ; \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get install -y --no-install-recommends \ + dirmngr \ + gpg-agent \ + wget; \ + rm -rf /var/lib/apt/lists/*; \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -q -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -q -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + GNUPGHOME="$(mktemp -d)"; \ + export GNUPGHOME; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + for key in $GPG_KEYS; do \ + gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + done; \ + gpg --batch --export "$GPG_KEYS" > /etc/apt/trusted.gpg.d/mariadb.gpg; \ + if command -v gpgconf >/dev/null; then \ + gpgconf --kill all; \ + fi; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + apt-mark auto '.*' > /dev/null; \ + [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark >/dev/null; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + chmod +x /usr/local/bin/gosu; \ + gosu --version; \ + gosu nobody true + +RUN mkdir /docker-entrypoint-initdb.d + +# Ensure the container exec commands handle range of utf8 characters based of +# default locales in base image (https://github.com/docker-library/docs/blob/135b79cc8093ab02e55debb61fdb079ab2dbce87/ubuntu/README.md#locales) +ENV LANG C.UTF-8 + +# OCI annotations to image +LABEL org.opencontainers.image.authors="MariaDB Community" \ + org.opencontainers.image.title="MariaDB Database" \ + org.opencontainers.image.description="MariaDB Database for relational SQL" \ + org.opencontainers.image.documentation="https://hub.docker.com/_/mariadb/" \ + org.opencontainers.image.base.name="docker.io/library/ubuntu:noble" \ + org.opencontainers.image.licenses="GPL-2.0" \ + org.opencontainers.image.source="https://github.com/MariaDB/mariadb-docker" \ + org.opencontainers.image.vendor="MariaDB Community" \ + org.opencontainers.image.version="11.6.0" \ + org.opencontainers.image.url="https://github.com/MariaDB/mariadb-docker" + +# bashbrew-architectures: amd64 arm64v8 ppc64le s390x +ARG MARIADB_VERSION=1:11.6.0+maria~ubu2404 +ENV MARIADB_VERSION $MARIADB_VERSION +# release-status:Alpha +# release-support-type:Unknown +# (https://downloads.mariadb.org/rest-api/mariadb/) + +# Allowing overriding of REPOSITORY, a URL that includes suite and component for testing and Enterprise Versions +ARG REPOSITORY="http://archive.mariadb.org/mariadb-11.6.0/repo/ubuntu/ noble main main/debug" + +RUN set -e;\ + echo "deb ${REPOSITORY}" > /etc/apt/sources.list.d/mariadb.list; \ + { \ + echo 'Package: *'; \ + echo 'Pin: release o=MariaDB'; \ + echo 'Pin-Priority: 999'; \ + } > /etc/apt/preferences.d/mariadb +# add repository pinning to make sure dependencies from this MariaDB repo are preferred over Debian dependencies +# libmariadbclient18 : Depends: libmysqlclient18 (= 5.5.42+maria-1~wheezy) but 5.5.43-0+deb7u1 is to be installed + +# the "/var/lib/mysql" stuff here is because the mysql-server postinst doesn't have an explicit way to disable the mysql_install_db codepath besides having a database already "configured" (ie, stuff in /var/lib/mysql/mysql) +# also, we set debconf keys to make APT a little quieter +# hadolint ignore=DL3015 +RUN set -ex; \ + { \ + echo "mariadb-server" mysql-server/root_password password 'unused'; \ + echo "mariadb-server" mysql-server/root_password_again password 'unused'; \ + } | debconf-set-selections; \ + apt-get update; \ +# postinst script creates a datadir, so avoid creating it by faking its existance. + mkdir -p /var/lib/mysql/mysql ; touch /var/lib/mysql/mysql/user.frm ; \ +# mariadb-backup is installed at the same time so that `mysql-common` is only installed once from just mariadb repos + apt-get install -y --no-install-recommends mariadb-server="$MARIADB_VERSION" mariadb-backup socat \ + ; \ + rm -rf /var/lib/apt/lists/*; \ +# purge and re-create /var/lib/mysql with appropriate ownership + rm -rf /var/lib/mysql /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf; \ + mkdir -p /var/lib/mysql /run/mysqld; \ + chown -R mysql:mysql /var/lib/mysql /run/mysqld; \ +# ensure that /run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime + chmod 1777 /run/mysqld; \ +# comment out a few problematic configuration values + find /etc/mysql/ -name '*.cnf' -print0 \ + | xargs -0 grep -lZE '^(bind-address|log|user\s)' \ + | xargs -rt -0 sed -Ei 's/^(bind-address|log|user\s)/#&/'; \ +# don't reverse lookup hostnames, they are usually another container + printf "[mariadb]\nhost-cache-size=0\nskip-name-resolve\n" > /etc/mysql/mariadb.conf.d/05-skipcache.cnf; \ +# Issue #327 Correct order of reading directories /etc/mysql/mariadb.conf.d before /etc/mysql/conf.d (mount-point per documentation) + if [ -L /etc/mysql/my.cnf ]; then \ +# 10.5+ + sed -i -e '/includedir/ {N;s/\(.*\)\n\(.*\)/\n\2\n\1/}' /etc/mysql/mariadb.cnf; \ + fi + + +VOLUME /var/lib/mysql + +COPY healthcheck.sh /usr/local/bin/healthcheck.sh +COPY docker-entrypoint.sh /usr/local/bin/ +ENTRYPOINT ["docker-entrypoint.sh"] + +EXPOSE 3306 +CMD ["mariadbd"] diff --git a/11.6/docker-entrypoint.sh b/11.6/docker-entrypoint.sh new file mode 100755 index 00000000..7a6e286c --- /dev/null +++ b/11.6/docker-entrypoint.sh @@ -0,0 +1,715 @@ +#!/bin/bash +set -eo pipefail +shopt -s nullglob + +# logging functions +mysql_log() { + local type="$1"; shift + printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*" +} +mysql_note() { + mysql_log Note "$@" +} +mysql_warn() { + mysql_log Warn "$@" >&2 +} +mysql_error() { + mysql_log ERROR "$@" >&2 + exit 1 +} + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + mysql_error "Both $var and $fileVar are set (but are exclusive)" + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# set MARIADB_xyz from MYSQL_xyz when MARIADB_xyz is unset +# and make them the same value (so user scripts can use either) +_mariadb_file_env() { + local var="$1"; shift + local maria="MARIADB_${var#MYSQL_}" + file_env "$var" "$@" + file_env "$maria" "${!var}" + if [ "${!maria:-}" ]; then + export "$var"="${!maria}" + fi +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions +docker_process_init_files() { + # mysql here for backwards compatibility "${mysql[@]}" + # ShellCheck: mysql appears unused. Verify use (or export if used externally) + # shellcheck disable=SC2034 + mysql=( docker_process_sql ) + + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + mysql_note "$0: running $f" + "$f" + else + mysql_note "$0: sourcing $f" + # ShellCheck can't follow non-constant source. Use a directive to specify location. + # shellcheck disable=SC1090 + . "$f" + fi + ;; + *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;; + *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; + *.sql.zst) mysql_note "$0: running $f"; zstd -dc "$f" | docker_process_sql; echo ;; + *) mysql_warn "$0: ignoring $f" ;; + esac + echo + done +} + +# arguments necessary to run "mariadbd --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values) +_verboseHelpArgs=( + --verbose --help +) + +mysql_check_config() { + local toRun=( "$@" "${_verboseHelpArgs[@]}" ) errors + if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then + mysql_error $'mariadbd failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors" + fi +} + +# Fetch value from server config +# We use mariadbd --verbose --help instead of my_print_defaults because the +# latter only show values present in config files, and not server defaults +mysql_get_config() { + local conf="$1"; shift + "$@" "${_verboseHelpArgs[@]}" 2>/dev/null \ + | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' + # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" +} + +# Do a temporary startup of the MariaDB server, for init purposes +docker_temp_server_start() { + "$@" --skip-networking --default-time-zone=SYSTEM --socket="${SOCKET}" --wsrep_on=OFF \ + --expire-logs-days=0 \ + --loose-innodb_buffer_pool_load_at_startup=0 & + declare -g MARIADB_PID + MARIADB_PID=$! + mysql_note "Waiting for server startup" + # only use the root password if the database has already been initialized + # so that it won't try to fill in a password file when it hasn't been set yet + extraArgs=() + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + extraArgs+=( '--dont-use-mysql-root-password' ) + fi + local i + for i in {30..0}; do + if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then + break + fi + sleep 1 + done + if [ "$i" = 0 ]; then + mysql_error "Unable to start server." + fi +} + +# Stop the server. When using a local socket file mariadb-admin will block until +# the shutdown is complete. +docker_temp_server_stop() { + kill "$MARIADB_PID" + wait "$MARIADB_PID" +} + +# Verify that the minimally required password settings are set for new databases. +docker_verify_minimum_env() { + # Restoring from backup requires no environment variables + declare -g DATABASE_INIT_FROM_BACKUP + for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do + if [ -f "${file}" ]; then + DATABASE_INIT_FROM_BACKUP='true' + return + fi + done + if [ -z "$MARIADB_ROOT_PASSWORD" ] && [ -z "$MARIADB_ROOT_PASSWORD_HASH" ] && [ -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] && [ -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then + mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ROOT_PASSWORD_HASH, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD' + fi + # More preemptive exclusions of combinations should have been made before *PASSWORD_HASH was added, but for now we don't enforce due to compatibility. + if [ -n "$MARIADB_ROOT_PASSWORD" ] || [ -n "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] || [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ] && [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then + mysql_error "Cannot specify MARIADB_ROOT_PASSWORD_HASH and another MARIADB_ROOT_PASSWORD* option." + fi + if [ -n "$MARIADB_PASSWORD" ] && [ -n "$MARIADB_PASSWORD_HASH" ]; then + mysql_error "Cannot specify MARIADB_PASSWORD_HASH and MARIADB_PASSWORD option." + fi + if [ -n "$MARIADB_REPLICATION_USER" ]; then + if [ -z "$MARIADB_MASTER_HOST" ]; then + # its a master, we're creating a user + if [ -z "$MARIADB_REPLICATION_PASSWORD" ] && [ -z "$MARIADB_REPLICATION_PASSWORD_HASH" ]; then + mysql_error "MARIADB_REPLICATION_PASSWORD or MARIADB_REPLICATION_PASSWORD_HASH not found to create replication user for master" + fi + else + # its a replica + if [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; then + mysql_error "MARIADB_REPLICATION_PASSWORD is mandatory to specify the replication on the replica image." + fi + if [ -n "$MARIADB_REPLICATION_PASSWORD_HASH" ] ; then + mysql_warn "MARIADB_REPLICATION_PASSWORD_HASH cannot be specified on a replica" + fi + fi + fi + if [ -n "$MARIADB_MASTER_HOST" ] && { [ -z "$MARIADB_REPLICATION_USER" ] || [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; }; then + mysql_error "For a replica, MARIADB_REPLICATION_USER and MARIADB_REPLICATION is mandatory." + fi +} + +# creates folders for the database +# also ensures permission for user mysql of run as root +docker_create_db_directories() { + local user; user="$(id -u)" + + # TODO other directories that are used by default? like /var/lib/mysql-files + # see https://github.com/docker-library/mysql/issues/562 + mkdir -p "$DATADIR" + + if [ "$user" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql -exec chown mysql: '{}' + + # See https://github.com/MariaDB/mariadb-docker/issues/363 + find "${SOCKET%/*}" -maxdepth 0 \! -user mysql -exec chown mysql: '{}' \; + + # memory.pressure + local cgroup; cgroup=$( "$DATADIR"/.my-healthcheck.cnf + $maskPreserve +} + +# Initializes database with timezone info and root password, plus optional extra db/user +docker_setup_db() { + # Load timezone info into database + if [ -z "$MARIADB_INITDB_SKIP_TZINFO" ]; then + # --skip-write-binlog usefully disables binary logging + # but also outputs LOCK TABLES to improve the IO of + # Aria (MDEV-23326) for 10.4+. + mariadb-tzinfo-to-sql --skip-write-binlog /usr/share/zoneinfo \ + | docker_process_sql --dont-use-mysql-root-password --database=mysql + # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet + fi + # Generate random root password + if [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then + MARIADB_ROOT_PASSWORD="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)" + export MARIADB_ROOT_PASSWORD MYSQL_ROOT_PASSWORD=$MARIADB_ROOT_PASSWORD + mysql_note "GENERATED ROOT PASSWORD: $MARIADB_ROOT_PASSWORD" + fi + + # Creates root users for non-localhost hosts + local rootCreate= + local rootPasswordEscaped= + if [ -n "$MARIADB_ROOT_PASSWORD" ]; then + # Sets root password and creates root users for non-localhost hosts + rootPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}") + fi + + # default root to listen for connections from anywhere + if [ -n "$MARIADB_ROOT_HOST" ] && [ "$MARIADB_ROOT_HOST" != 'localhost' ]; then + # ref "read -d ''", no, we don't care if read finds a terminating character in this heredoc + # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151 + if [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then + read -r -d '' rootCreate <<-EOSQL || true + CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY PASSWORD '${MARIADB_ROOT_PASSWORD_HASH}' ; + GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; + GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; + EOSQL + else + read -r -d '' rootCreate <<-EOSQL || true + CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY '${rootPasswordEscaped}' ; + GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; + GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; + EOSQL + fi + fi + + local mysqlAtLocalhost= + local mysqlAtLocalhostGrants= + # Install mysql@localhost user + if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then + read -r -d '' mysqlAtLocalhost <<-EOSQL || true + CREATE USER mysql@localhost IDENTIFIED VIA unix_socket; + EOSQL + if [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then + if [ "$MARIADB_MYSQL_LOCALHOST_GRANTS" != USAGE ]; then + mysql_warn "Excessive privileges ON *.* TO mysql@localhost facilitates risks to the confidentiality, integrity and availability of data stored" + fi + mysqlAtLocalhostGrants="GRANT ${MARIADB_MYSQL_LOCALHOST_GRANTS} ON *.* TO mysql@localhost;"; + fi + fi + + local createHealthCheckUsers + createHealthCheckUsers=$(create_healthcheck_users) + + local rootLocalhostPass= + if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then + # handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d + rootLocalhostPass="SET PASSWORD FOR 'root'@'localhost'= PASSWORD('${rootPasswordEscaped}');" + fi + + local createDatabase= + # Creates a custom database and user if specified + if [ -n "$MARIADB_DATABASE" ]; then + mysql_note "Creating database ${MARIADB_DATABASE}" + createDatabase="CREATE DATABASE IF NOT EXISTS \`$MARIADB_DATABASE\`;" + fi + + local createUser= + local userGrants= + if [ -n "$MARIADB_PASSWORD" ] || [ -n "$MARIADB_PASSWORD_HASH" ] && [ -n "$MARIADB_USER" ]; then + mysql_note "Creating user ${MARIADB_USER}" + if [ -n "$MARIADB_PASSWORD_HASH" ]; then + createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY PASSWORD '$MARIADB_PASSWORD_HASH';" + else + # SQL escape the user password, \ followed by ' + local userPasswordEscaped + userPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_PASSWORD}") + createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';" + fi + + if [ -n "$MARIADB_DATABASE" ]; then + mysql_note "Giving user ${MARIADB_USER} access to schema ${MARIADB_DATABASE}" + userGrants="GRANT ALL ON \`${MARIADB_DATABASE//_/\\_}\`.* TO '$MARIADB_USER'@'%';" + fi + fi + + # To create replica user + local createReplicaUser= + local changeMasterTo= + local startReplica= + if [ -n "$MARIADB_REPLICATION_USER" ] ; then + if [ -z "$MARIADB_MASTER_HOST" ]; then + # on master + mysql_note "Creating user ${MARIADB_REPLICATION_USER}" + createReplicaUser=$(create_replica_user) + else + # on replica + local rplPasswordEscaped + rplPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_REPLICATION_PASSWORD}") + # SC cannot follow how MARIADB_MASTER_PORT is assigned a default value. + # shellcheck disable=SC2153 + changeMasterTo="CHANGE MASTER TO MASTER_HOST='$MARIADB_MASTER_HOST', MASTER_USER='$MARIADB_REPLICATION_USER', MASTER_PASSWORD='$rplPasswordEscaped', MASTER_PORT=$MARIADB_MASTER_PORT, MASTER_CONNECT_RETRY=10;" + startReplica="START REPLICA;" + fi + fi + + mysql_note "Securing system users (equivalent to running mysql_secure_installation)" + # tell docker_process_sql to not use MARIADB_ROOT_PASSWORD since it is just now being set + # --binary-mode to save us from the semi-mad users go out of their way to confuse the encoding. + docker_process_sql --dont-use-mysql-root-password --database=mysql --binary-mode <<-EOSQL + -- Securing system users shouldn't be replicated + SET @orig_sql_log_bin= @@SESSION.SQL_LOG_BIN; + SET @@SESSION.SQL_LOG_BIN=0; + -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set + SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); + + DROP USER IF EXISTS root@'127.0.0.1', root@'::1'; + EXECUTE IMMEDIATE CONCAT('DROP USER IF EXISTS root@\'', @@hostname,'\''); + + ${rootLocalhostPass} + ${rootCreate} + ${mysqlAtLocalhost} + ${mysqlAtLocalhostGrants} + ${createHealthCheckUsers} + -- end of securing system users, rest of init now... + SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin; + -- create users/databases + ${createDatabase} + ${createUser} + ${createReplicaUser} + ${userGrants} + + ${changeMasterTo} + ${startReplica} + EOSQL +} + +# create a new installation +docker_mariadb_init() +{ + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + if [ -n "$DATABASE_INIT_FROM_BACKUP" ]; then + shopt -s dotglob + for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do + mkdir -p "$DATADIR"/.init + tar --auto-compress --extract --file "$file" --directory="$DATADIR"/.init + mariadb-backup --target-dir="$DATADIR"/.init --datadir="$DATADIR"/.restore --move-back + + mv "$DATADIR"/.restore/** "$DATADIR"/ + if [ -f "$DATADIR/.init/backup-my.cnf" ]; then + mv "$DATADIR/.init/backup-my.cnf" "$DATADIR/.my.cnf" + mysql_note "Adding startup configuration:" + my_print_defaults --defaults-file="$DATADIR/.my.cnf" --mariadbd + fi + rm -rf "$DATADIR"/.init "$DATADIR"/.restore + if [ "$(id -u)" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql -exec chown mysql: '{}' + + fi + done + if _check_if_upgrade_is_needed; then + docker_mariadb_upgrade "$@" + fi + return + fi + docker_init_database_dir "$@" + + mysql_note "Starting temporary server" + docker_temp_server_start "$@" + mysql_note "Temporary server started." + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + # Wait until after /docker-entrypoint-initdb.d is performed before setting + # root@localhost password to a hash we don't know the password for. + if [ -n "${MARIADB_ROOT_PASSWORD_HASH}" ]; then + mysql_note "Setting root@localhost password hash" + docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL + SET @@SESSION.SQL_LOG_BIN=0; + SET PASSWORD FOR 'root'@'localhost'= '${MARIADB_ROOT_PASSWORD_HASH}'; + EOSQL + fi + + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + echo + mysql_note "MariaDB init process done. Ready for start up." + echo +} + +# backup the mysql database +docker_mariadb_backup_system() +{ + if [ -n "$MARIADB_DISABLE_UPGRADE_BACKUP" ] \ + && [ "$MARIADB_DISABLE_UPGRADE_BACKUP" = 1 ]; then + mysql_note "MariaDB upgrade backup disabled due to \$MARIADB_DISABLE_UPGRADE_BACKUP=1 setting" + return + fi + local backup_db="system_mysql_backup_unknown_version.sql.zst" + local oldfullversion="unknown_version" + if [ -r "$DATADIR"/mysql_upgrade_info ]; then + read -r -d '' oldfullversion < "$DATADIR"/mysql_upgrade_info || true + if [ -n "$oldfullversion" ]; then + backup_db="system_mysql_backup_${oldfullversion}.sql.zst" + fi + fi + + mysql_note "Backing up system database to $backup_db" + if ! mariadb-dump --skip-lock-tables --replace --databases mysql --socket="${SOCKET}" | zstd > "${DATADIR}/${backup_db}"; then + mysql_error "Unable backup system database for upgrade from $oldfullversion." + fi + mysql_note "Backing up complete" +} + +# perform mariadb-upgrade +# backup the mysql database if this is a major upgrade +docker_mariadb_upgrade() { + if [ -z "$MARIADB_AUTO_UPGRADE" ] \ + || [ "$MARIADB_AUTO_UPGRADE" = 0 ]; then + mysql_note "MariaDB upgrade (mariadb-upgrade or creating healthcheck users) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting" + return + fi + mysql_note "Starting temporary server" + docker_temp_server_start "$@" --skip-grant-tables \ + --loose-innodb_buffer_pool_dump_at_shutdown=0 \ + --skip-slave-start + mysql_note "Temporary server started." + + docker_mariadb_backup_system + + if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then + mysql_note "Creating healthcheck users" + local createHealthCheckUsers + createHealthCheckUsers=$(create_healthcheck_users) + docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL + -- Healthcheck users shouldn't be replicated + SET @@SESSION.SQL_LOG_BIN=0; + -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set + SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); + FLUSH PRIVILEGES; + $createHealthCheckUsers +EOSQL + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + if _check_if_upgrade_is_needed; then + # need a restart as FLUSH PRIVILEGES isn't reversable + mysql_note "Restarting temporary server for upgrade" + docker_temp_server_start "$@" --skip-grant-tables \ + --loose-innodb_buffer_pool_dump_at_shutdown=0 \ + --skip-slave-start + else + return 0 + fi + fi + + mysql_note "Starting mariadb-upgrade" + mariadb-upgrade --upgrade-system-tables + mysql_note "Finished mariadb-upgrade" + + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" +} + + +_check_if_upgrade_is_needed() { + if [ ! -f "$DATADIR"/mysql_upgrade_info ]; then + mysql_note "MariaDB upgrade information missing, assuming required" + return 0 + fi + local mariadbVersion + mariadbVersion="$(_mariadb_version)" + IFS='.-' read -ra newversion <<<"$mariadbVersion" + IFS='.-' read -ra oldversion < "$DATADIR"/mysql_upgrade_info || true + + if [[ ${#newversion[@]} -lt 2 ]] || [[ ${#oldversion[@]} -lt 2 ]] \ + || [[ ${oldversion[0]} -lt ${newversion[0]} ]] \ + || [[ ${oldversion[0]} -eq ${newversion[0]} && ${oldversion[1]} -lt ${newversion[1]} ]]; then + return 0 + fi + if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then + mysql_note "MariaDB heathcheck configation file missing, assuming desirable" + return 0 + fi + mysql_note "MariaDB upgrade not required" + return 1 +} + +# check arguments for an option that would cause mariadbd to stop +# return true if there is one +_mysql_want_help() { + local arg + for arg; do + case "$arg" in + -'?'|--help|--print-defaults|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if command starts with an option, prepend mariadbd + if [ "${1:0:1}" = '-' ]; then + set -- mariadbd "$@" + fi + + #ENDOFSUBSTITUTIONS + # skip setup if they aren't running mysqld or want an option that stops mysqld + if [ "$1" = 'mariadbd' ] || [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then + mysql_note "Entrypoint script for MariaDB Server ${MARIADB_VERSION} started." + + mysql_check_config "$@" + # Load various environment variables + docker_setup_env "$@" + docker_create_db_directories + + # If container is started as root user, restart as dedicated mysql user + if [ "$(id -u)" = "0" ]; then + mysql_note "Switching to dedicated user 'mysql'" + exec gosu mysql "${BASH_SOURCE[0]}" "$@" + fi + + # there's no database, so it needs to be initialized + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + + docker_mariadb_init "$@" + # MDEV-27636 mariadb_upgrade --check-if-upgrade-is-needed cannot be run offline + #elif mariadb-upgrade --check-if-upgrade-is-needed; then + elif _check_if_upgrade_is_needed; then + docker_mariadb_upgrade "$@" + fi + fi + exec "$@" +} + +# If we are sourced from elsewhere, don't perform any further actions +if ! _is_sourced; then + _main "$@" +fi diff --git a/11.6/healthcheck.sh b/11.6/healthcheck.sh new file mode 100755 index 00000000..5aea4e8e --- /dev/null +++ b/11.6/healthcheck.sh @@ -0,0 +1,353 @@ +#!/bin/bash +# +# Healthcheck script for MariaDB +# +# Runs various tests on the MariaDB server to check its health. Pass the tests +# to run as arguments. If all tests succeed, the server is considered healthy, +# otherwise it's not. +# +# Arguments are processed in strict order. Set replication_* options before +# the --replication option. This allows a different set of replication checks +# on different connections. +# +# --su{=|-mariadb} is option to run the healthcheck as a different unix user. +# Useful if mariadb@localhost user exists with unix socket authentication +# Using this option disregards previous options set, so should usually be the +# first option. +# +# Some tests require SQL privileges. +# +# TEST MINIMUM GRANTS REQUIRED +# connect none* +# innodb_initialized USAGE +# innodb_buffer_pool_loaded USAGE +# galera_online USAGE +# galera_ready USAGE +# replication REPLICATION_CLIENT (<10.5)or REPLICA MONITOR (10.5+) +# mariadbupgrade none, however unix user permissions on datadir +# +# The SQL user used is the default for the mariadb client. This can be the unix user +# if no user(or password) is set in the [mariadb-client] section of a configuration +# file. --defaults-{file,extra-file,group-suffix} can specify a file/configuration +# different from elsewhere. +# +# Note * though denied error message will result in error log without +# any permissions. + +set -eo pipefail + +_process_sql() +{ + mariadb ${nodefaults:+--no-defaults} \ + ${def['file']:+--defaults-file=${def['file']}} \ + ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ + ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + -B "$@" +} + +# TESTS + + +# CONNECT +# +# Tests that a connection can be made over TCP, the final state +# of the entrypoint and is listening. The authentication used +# isn't tested. +connect() +{ + set +e +o pipefail + # (on second extra_file) + # shellcheck disable=SC2086 + mariadb ${nodefaults:+--no-defaults} \ + ${def['file']:+--defaults-file=${def['file']}} \ + ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ + ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + -h localhost --protocol tcp -e 'select 1' 2>&1 \ + | grep -qF "Can't connect" + local ret=${PIPESTATUS[1]} + set -eo pipefail + if (( "$ret" == 0 )); then + # grep Matched "Can't connect" so we fail + return 1 + fi + return 0 +} + +# INNODB_INITIALIZED +# +# This tests that the crash recovery of InnoDB has completed +# along with all the other things required to make it to a healthy +# operational state. Note this may return true in the early +# states of initialization. Use with a connect test to avoid +# these false positives. +innodb_initialized() +{ + local s + s=$(_process_sql --skip-column-names -e "select 1 from information_schema.ENGINES WHERE engine='innodb' AND support in ('YES', 'DEFAULT', 'ENABLED')") + [ "$s" == 1 ] +} + +# INNODB_BUFFER_POOL_LOADED +# +# Tests the load of the innodb buffer pool as been complete +# implies innodb_buffer_pool_load_at_startup=1 (default), or if +# manually SET innodb_buffer_pool_load_now=1 +innodb_buffer_pool_loaded() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='Innodb_buffer_pool_load_status'") + if [[ $s =~ 'load completed' ]]; then + return 0 + fi + return 1 +} + +# GALERA_ONLINE +# +# Tests that the galera node is in the SYNCed state +galera_online() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_LOCAL_STATE'") + # 4 from https://galeracluster.com/library/documentation/node-states.html#node-state-changes + # not https://xkcd.com/221/ + if [[ $s -eq 4 ]]; then + return 0 + fi + return 1 +} + +# GALERA_READY +# +# Tests that the Galera provider is ready. +galera_ready() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_READY'") + if [ "$s" = "ON" ]; then + return 0 + fi + return 1 +} + +# REPLICATION +# +# Tests the replication has the required set of functions: +# --replication_all -> Checks all replication sources +# --replication_name=n -> sets the multisource connection name tested +# --replication_io -> IO thread is running +# --replication_sql -> SQL thread is running +# --replication_seconds_behind_master=n -> less than or equal this seconds of delay +# --replication_sql_remaining_delay=n -> less than or equal this seconds of remaining delay +# (ref: https://mariadb.com/kb/en/delayed-replication/) +replication() +{ + # SHOW REPLICA available 10.5+ + # https://github.com/koalaman/shellcheck/issues/2383 + # shellcheck disable=SC2016,SC2026 + _process_sql -e "SHOW ${repl['all']:+all} REPLICA${repl['all']:+S} ${repl['name']:+'${repl['name']}'} STATUS\G" | \ + { + # required for trim of leading space. + shopt -s extglob + # Row header + read -t 5 -r + # read timeout + [ $? -gt 128 ] && return 1 + while IFS=":" read -t 1 -r n v; do + # Trim leading space + n=${n##+([[:space:]])} + # Leading space on all values by the \G format needs to be trimmed. + v=${v:1} + case "$n" in + Slave_IO_Running) + if [ -n "${repl['io']}" ] && [ "$v" = 'No' ]; then + return 1 + fi + ;; + Slave_SQL_Running) + if [ -n "${repl['sql']}" ] && [ "$v" = 'No' ]; then + return 1 + fi + ;; + Seconds_Behind_Master) + # A NULL value is the IO thread not running: + if [ -n "${repl['seconds_behind_master']}" ] && + { [ "$v" = NULL ] || + (( "${repl['seconds_behind_master']}" < "$v" )); }; then + return 1 + fi + ;; + SQL_Remaining_Delay) + # Unlike Seconds_Behind_Master, sql_remaining_delay will hit NULL + # once replication is caught up - https://mariadb.com/kb/en/delayed-replication/ + if [ -n "${repl['sql_remaining_delay']}" ] && + [ "$v" != NULL ] && + (( "${repl['sql_remaining_delay']}" < "$v" )); then + return 1 + fi + ;; + esac + done + # read timeout + [ $? -gt 128 ] && return 1 + return 0 + } + # reachable in command not found(?) + # shellcheck disable=SC2317 + return $? +} + +# mariadbupgrade +# +# Test the lock on the file $datadir/mysql_upgrade_info +# https://jira.mariadb.org/browse/MDEV-27068 +mariadbupgrade() +{ + local f="$datadir/mysql_upgrade_info" + if [ -r "$f" ]; then + flock --exclusive --nonblock -n 9 9<"$f" + return $? + fi + return 0 +} + + +# MAIN + +if [ $# -eq 0 ]; then + echo "At least one argument required" >&2 + exit 1 +fi + +#ENDOFSUBSTITUTIONS +# Marks the end of mysql -> mariadb name changes in 10.6+ +# Global variables used by tests +declare -A repl +declare -A def +nodefaults= +datadir=/var/lib/mysql +if [ -f $datadir/.my-healthcheck.cnf ]; then + def['extra_file']=$datadir/.my-healthcheck.cnf +fi + +_repl_param_check() +{ + case "$1" in + seconds_behind_master) ;& + sql_remaining_delay) + if [ -z "${repl['io']}" ]; then + repl['io']=1 + echo "Forcing --replication_io=1, $1 requires IO thread to be running" >&2 + fi + ;; + all) + if [ -n "${repl['name']}" ]; then + unset 'repl[name]' + echo "Option --replication_all incompatible with specified source --replication_name, clearing replication_name" >&2 + fi + ;; + name) + if [ -n "${repl['all']}" ]; then + unset 'repl[all]' + echo "Option --replication_name incompatible with --replication_all, clearing replication_all" >&2 + fi + ;; + esac +} + +_test_exists() { + declare -F "$1" > /dev/null + return $? +} + +while [ $# -gt 0 ]; do + case "$1" in + --su=*) + u="${1#*=}" + shift + exec gosu "${u}" "${BASH_SOURCE[0]}" "$@" + ;; + --su) + shift + u=$1 + shift + exec gosu "$u" "${BASH_SOURCE[0]}" "$@" + ;; + --su-mysql) + shift + exec gosu mysql "${BASH_SOURCE[0]}" "$@" + ;; + --replication_*=*) + # Change the n to what is between _ and = and make lower case + n=${1#*_} + n=${n%%=*} + n=${n,,*} + # v is after the = + v=${1#*=} + repl[$n]=$v + _repl_param_check "$n" + ;; + --replication_*) + # Without =, look for a non --option next as the value, + # otherwise treat it as an "enable", just equate to 1. + # Clearing option is possible with "--replication_X=" + n=${1#*_} + n=${n,,*} + if [ "${2:0:2}" == '--' ]; then + repl[$n]=1 + else + repl[$n]=$2 + shift + fi + _repl_param_check "$n" + ;; + --datadir=*) + datadir=${1#*=} + ;; + --datadir) + shift + datadir=${1} + ;; + --no-defaults) + def=() + nodefaults=1 + ;; + --defaults-file=*|--defaults-extra-file=*|--defaults-group-suffix=*) + n=${1:11} # length --defaults- + n=${n%%=*} + n=${n//-/_} + # v is after the = + v=${1#*=} + def[$n]=$v + nodefaults= + ;; + --defaults-file|--defaults-extra-file|--defaults-group-suffix) + n=${1:11} # length --defaults- + n=${n//-/_} + if [ "${2:0:2}" == '--' ]; then + def[$n]="" + else + def[$n]=$2 + shift + fi + nodefaults= + ;; + --*) + test=${1#--} + ;; + *) + echo "Unknown healthcheck option $1" >&2 + exit 1 + esac + if [ -n "$test" ]; then + if ! _test_exists "$test" ; then + echo "healthcheck unknown option or test '$test'" >&2 + exit 1 + elif ! "$test"; then + echo "healthcheck $test failed" >&2 + exit 1 + fi + test= + fi + shift +done diff --git a/update.sh b/update.sh index 6a0172ee..539cbb7f 100755 --- a/update.sh +++ b/update.sh @@ -4,6 +4,8 @@ set -Eeuo pipefail # Usage ./update.sh [version(multiple)...] # +development_version=11.6 + defaultSuite='noble' declare -A suites=( [10.4]='focal' @@ -184,8 +186,6 @@ all() | jq -r '.major_releases[] | [ .release_id ], [ .release_status ], [ .release_support_type ] | @tsv')" } -development_version=11.5 - in_development() { releaseStatus=Alpha diff --git a/versions.json b/versions.json index 5800e9b4..00af9aa3 100644 --- a/versions.json +++ b/versions.json @@ -179,5 +179,33 @@ "ppc64le", "s390x" ] + }, + "11.6": { + "milestone": "11.6", + "version": "11.6.0", + "fullVersion": "1:11.6.0+maria~ubu2404", + "releaseStatus": "Alpha", + "supportType": "Unknown", + "base": "ubuntu:noble", + "arches": [ + "amd64", + "arm64v8", + "ppc64le", + "s390x" + ] + }, + "11.6-ubi": { + "milestone": "11.6", + "version": "11.6.0", + "fullVersion": "11.6.0", + "releaseStatus": "Alpha", + "supportType": "Unknown", + "base": "ubi9", + "arches": [ + "amd64", + "arm64v8", + "ppc64le", + "s390x" + ] } } From a8aeff35c6e7729cb8551920cdeaa93ac5a9e7ca Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Tue, 11 Jun 2024 17:59:14 +1000 Subject: [PATCH 02/18] 11.6 ubi --- 11.6-ubi/Dockerfile | 111 ++++++ 11.6-ubi/MariaDB.repo | 7 + 11.6-ubi/docker-entrypoint.sh | 719 ++++++++++++++++++++++++++++++++++ 11.6-ubi/docker.cnf | 16 + 11.6-ubi/healthcheck.sh | 355 +++++++++++++++++ versions.json | 14 + 6 files changed, 1222 insertions(+) create mode 100644 11.6-ubi/Dockerfile create mode 100644 11.6-ubi/MariaDB.repo create mode 100755 11.6-ubi/docker-entrypoint.sh create mode 100644 11.6-ubi/docker.cnf create mode 100755 11.6-ubi/healthcheck.sh diff --git a/11.6-ubi/Dockerfile b/11.6-ubi/Dockerfile new file mode 100644 index 00000000..9e7182f5 --- /dev/null +++ b/11.6-ubi/Dockerfile @@ -0,0 +1,111 @@ +FROM redhat/ubi9-minimal + +# user 999/ group 999, that we want to use for compatibility with the ubuntu image. +RUN groupadd --gid 999 -r mysql && \ + useradd -r -g mysql mysql --home-dir /var/lib/mysql --uid 999 + +ENV GOSU_VERSION 1.17 +RUN set -eux; \ + rpmArch="$(rpm --query --queryformat='%{ARCH}' rpm)"; \ + case "$rpmArch" in \ + aarch64) dpkgArch='arm64' ;; \ + armv7*) dpkgArch='armhf' ;; \ + i686) dpkgArch='i386' ;; \ + ppc64le) dpkgArch='ppc64el' ;; \ + s390x|riscv64) dpkgArch=$rpmArch ;; \ + x86_64) dpkgArch='amd64' ;; \ + *) echo >&2 "error: unknown/unsupported architecture '$rpmArch'"; exit 1 ;; \ + esac; \ + curl --fail --location --output /usr/local/bin/gosu https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch} ; \ + curl --fail --location --output /usr/local/bin/gosu.asc https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}.asc; \ + GNUPGHOME="$(mktemp -d)"; \ + export GNUPGHOME; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + chmod a+x /usr/local/bin/gosu; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + gosu --version; \ + gosu nobody true + +COPY --chmod=0644 docker.cnf /etc/my.cnf.d/ + +COPY MariaDB.repo /etc/yum.repos.d/ + +# HasRequiredLabel requirement from Red Hat OpenShift Software Certification +# https://access.redhat.com/documentation/en-us/red_hat_software_certification/2024/html/red_hat_openshift_software_certification_policy_guide/assembly-requirements-for-container-images_openshift-sw-cert-policy-introduction#con-image-metadata-requirements_openshift-sw-cert-policy-container-images +LABEL name="MariaDB Server" \ + vendor="MariaDB Community" \ + version="11.6.0" \ + release="Refer to Annotations org.opencontainers.image.{revision,source}" \ + summary="MariaDB Database" \ + description="MariaDB Database for relational SQL" + +# OCI annotations to image +LABEL org.opencontainers.image.authors="MariaDB Community" \ + org.opencontainers.image.title="MariaDB Database" \ + org.opencontainers.image.description="MariaDB Database for relational SQL" \ + org.opencontainers.image.documentation="https://hub.docker.com/_/mariadb/" \ + org.opencontainers.image.base.name="docker.io/redhat/ubi9-minimal" \ + org.opencontainers.image.licenses="GPL-2.0" \ + org.opencontainers.image.source="https://github.com/MariaDB/mariadb-docker" \ + org.opencontainers.image.vendor="MariaDB Community" \ + org.opencontainers.image.version="11.6.0" \ + org.opencontainers.image.url="https://github.com/MariaDB/mariadb-docker" + +# bashbrew-architectures: amd64 arm64v8 ppc64le s390x +ARG MARIADB_VERSION=11.6.0 +# release-status:Alpha +# release-support-type:Unknown +# (https://downloads.mariadb.org/rest-api/mariadb/) + +# missing pwgen(epel), jemalloc(epel) (as entrypoint/user extensions) +# procps, pv(epel) - missing dependencies of galera sst script +# tzdata re-installed as only a fake version is part of the ubi-minimal base image. +# FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key +# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key +RUN set -eux ; \ + curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \ + gpg --batch --import /tmp/epelkey.txt ; \ + gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \ + rpmkeys --import /tmp/epelkey.txt ; \ + curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \ + rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \ + rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \ + rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \ + curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \ + gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \ + gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \ + rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \ + rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \ + unset GNUPGHOME ; \ + microdnf update -y ; \ + microdnf reinstall -y tzdata ; \ + microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ + mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ + chmod ugo+rwx,o+t /run/mariadb ; \ + microdnf install -y MariaDB-backup-11.6.0 MariaDB-server-11.6.0 ; \ + # compatibility with DEB Galera packaging + ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ + # compatibility with RPM Galera packaging + ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib64/galera/libgalera_smm.so ; \ + microdnf clean all ; \ + rmdir /var/lib/mysql/mysql ; \ + chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ + mkdir /licenses ; \ + ln -s /usr/share/doc/MariaDB-server-11.6.0/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/licenses /licenses/package-licenses ; \ + ln -s Apache-2.0-license /licenses/gosu + +VOLUME /var/lib/mysql + +RUN mkdir /docker-entrypoint-initdb.d + +COPY healthcheck.sh /usr/local/bin/healthcheck.sh +COPY docker-entrypoint.sh /usr/local/bin/ + +ENTRYPOINT ["docker-entrypoint.sh"] + +EXPOSE 3306 +CMD ["mariadbd"] diff --git a/11.6-ubi/MariaDB.repo b/11.6-ubi/MariaDB.repo new file mode 100644 index 00000000..d9223c37 --- /dev/null +++ b/11.6-ubi/MariaDB.repo @@ -0,0 +1,7 @@ +[mariadb] +name = MariaDB +#baseurl = https://rpm.mariadb.org/11.6/rhel/$releasever/$basearch +baseurl = https://archive.mariadb.org/mariadb-11.6/yum/rhel/$releasever/$basearch +#microdnf cannot read to the second key here. +#gpgkey=https://archive.mariadb.org/PublicKey +gpgcheck=1 diff --git a/11.6-ubi/docker-entrypoint.sh b/11.6-ubi/docker-entrypoint.sh new file mode 100755 index 00000000..067998c2 --- /dev/null +++ b/11.6-ubi/docker-entrypoint.sh @@ -0,0 +1,719 @@ +#!/bin/bash +set -eo pipefail +shopt -s nullglob + +# logging functions +mysql_log() { + local type="$1"; shift + printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*" +} +mysql_note() { + mysql_log Note "$@" +} +mysql_warn() { + mysql_log Warn "$@" >&2 +} +mysql_error() { + mysql_log ERROR "$@" >&2 + exit 1 +} + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + mysql_error "Both $var and $fileVar are set (but are exclusive)" + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# set MARIADB_xyz from MYSQL_xyz when MARIADB_xyz is unset +# and make them the same value (so user scripts can use either) +_mariadb_file_env() { + local var="$1"; shift + local maria="MARIADB_${var#MYSQL_}" + file_env "$var" "$@" + file_env "$maria" "${!var}" + if [ "${!maria:-}" ]; then + export "$var"="${!maria}" + fi +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions +docker_process_init_files() { + # mysql here for backwards compatibility "${mysql[@]}" + # ShellCheck: mysql appears unused. Verify use (or export if used externally) + # shellcheck disable=SC2034 + mysql=( docker_process_sql ) + + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + mysql_note "$0: running $f" + "$f" + else + mysql_note "$0: sourcing $f" + # ShellCheck can't follow non-constant source. Use a directive to specify location. + # shellcheck disable=SC1090 + . "$f" + fi + ;; + *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;; + *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; + *.sql.zst) mysql_note "$0: running $f"; zstd -dc "$f" | docker_process_sql; echo ;; + *) mysql_warn "$0: ignoring $f" ;; + esac + echo + done +} + +# arguments necessary to run "mariadbd --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values) +_verboseHelpArgs=( + --verbose --help +) + +mysql_check_config() { + local toRun=( "$@" "${_verboseHelpArgs[@]}" ) errors + if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then + mysql_error $'mariadbd failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors" + fi +} + +# Fetch value from server config +# We use mariadbd --verbose --help instead of my_print_defaults because the +# latter only show values present in config files, and not server defaults +mysql_get_config() { + local conf="$1"; shift + "$@" "${_verboseHelpArgs[@]}" 2>/dev/null \ + | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' + # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" +} + +# Do a temporary startup of the MariaDB server, for init purposes +docker_temp_server_start() { + "$@" --skip-networking --default-time-zone=SYSTEM --socket="${SOCKET}" --wsrep_on=OFF \ + --expire-logs-days=0 \ + --loose-innodb_buffer_pool_load_at_startup=0 \ + --skip-ssl --ssl-cert='' --ssl-key='' --ssl-ca='' \ + & + declare -g MARIADB_PID + MARIADB_PID=$! + mysql_note "Waiting for server startup" + # only use the root password if the database has already been initialized + # so that it won't try to fill in a password file when it hasn't been set yet + extraArgs=() + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + extraArgs+=( '--dont-use-mysql-root-password' ) + fi + local i + for i in {30..0}; do + if docker_process_sql "${extraArgs[@]}" --database=mysql \ + --skip-ssl --skip-ssl-verify-server-cert \ + <<<'SELECT 1' &> /dev/null; then + break + fi + sleep 1 + done + if [ "$i" = 0 ]; then + mysql_error "Unable to start server." + fi +} + +# Stop the server. When using a local socket file mariadb-admin will block until +# the shutdown is complete. +docker_temp_server_stop() { + kill "$MARIADB_PID" + wait "$MARIADB_PID" +} + +# Verify that the minimally required password settings are set for new databases. +docker_verify_minimum_env() { + # Restoring from backup requires no environment variables + declare -g DATABASE_INIT_FROM_BACKUP + for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do + if [ -f "${file}" ]; then + DATABASE_INIT_FROM_BACKUP='true' + return + fi + done + if [ -z "$MARIADB_ROOT_PASSWORD" ] && [ -z "$MARIADB_ROOT_PASSWORD_HASH" ] && [ -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] && [ -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then + mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ROOT_PASSWORD_HASH, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD' + fi + # More preemptive exclusions of combinations should have been made before *PASSWORD_HASH was added, but for now we don't enforce due to compatibility. + if [ -n "$MARIADB_ROOT_PASSWORD" ] || [ -n "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] || [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ] && [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then + mysql_error "Cannot specify MARIADB_ROOT_PASSWORD_HASH and another MARIADB_ROOT_PASSWORD* option." + fi + if [ -n "$MARIADB_PASSWORD" ] && [ -n "$MARIADB_PASSWORD_HASH" ]; then + mysql_error "Cannot specify MARIADB_PASSWORD_HASH and MARIADB_PASSWORD option." + fi + if [ -n "$MARIADB_REPLICATION_USER" ]; then + if [ -z "$MARIADB_MASTER_HOST" ]; then + # its a master, we're creating a user + if [ -z "$MARIADB_REPLICATION_PASSWORD" ] && [ -z "$MARIADB_REPLICATION_PASSWORD_HASH" ]; then + mysql_error "MARIADB_REPLICATION_PASSWORD or MARIADB_REPLICATION_PASSWORD_HASH not found to create replication user for master" + fi + else + # its a replica + if [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; then + mysql_error "MARIADB_REPLICATION_PASSWORD is mandatory to specify the replication on the replica image." + fi + if [ -n "$MARIADB_REPLICATION_PASSWORD_HASH" ] ; then + mysql_warn "MARIADB_REPLICATION_PASSWORD_HASH cannot be specified on a replica" + fi + fi + fi + if [ -n "$MARIADB_MASTER_HOST" ] && { [ -z "$MARIADB_REPLICATION_USER" ] || [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; }; then + mysql_error "For a replica, MARIADB_REPLICATION_USER and MARIADB_REPLICATION is mandatory." + fi +} + +# creates folders for the database +# also ensures permission for user mysql of run as root +docker_create_db_directories() { + local user; user="$(id -u)" + + # TODO other directories that are used by default? like /var/lib/mysql-files + # see https://github.com/docker-library/mysql/issues/562 + mkdir -p "$DATADIR" + + if [ "$user" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql -exec chown mysql: '{}' + + # See https://github.com/MariaDB/mariadb-docker/issues/363 + find "${SOCKET%/*}" -maxdepth 0 \! -user mysql -exec chown mysql: '{}' \; + + # memory.pressure + local cgroup; cgroup=$( "$DATADIR"/.my-healthcheck.cnf + $maskPreserve +} + +# Initializes database with timezone info and root password, plus optional extra db/user +docker_setup_db() { + # Load timezone info into database + if [ -z "$MARIADB_INITDB_SKIP_TZINFO" ]; then + # --skip-write-binlog usefully disables binary logging + # but also outputs LOCK TABLES to improve the IO of + # Aria (MDEV-23326) for 10.4+. + mariadb-tzinfo-to-sql --skip-write-binlog /usr/share/zoneinfo \ + | docker_process_sql --dont-use-mysql-root-password --database=mysql + # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet + fi + # Generate random root password + if [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then + MARIADB_ROOT_PASSWORD="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)" + export MARIADB_ROOT_PASSWORD MYSQL_ROOT_PASSWORD=$MARIADB_ROOT_PASSWORD + mysql_note "GENERATED ROOT PASSWORD: $MARIADB_ROOT_PASSWORD" + fi + + # Creates root users for non-localhost hosts + local rootCreate= + local rootPasswordEscaped= + if [ -n "$MARIADB_ROOT_PASSWORD" ]; then + # Sets root password and creates root users for non-localhost hosts + rootPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}") + fi + + # default root to listen for connections from anywhere + if [ -n "$MARIADB_ROOT_HOST" ] && [ "$MARIADB_ROOT_HOST" != 'localhost' ]; then + # ref "read -d ''", no, we don't care if read finds a terminating character in this heredoc + # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151 + if [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then + read -r -d '' rootCreate <<-EOSQL || true + CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY PASSWORD '${MARIADB_ROOT_PASSWORD_HASH}' ; + GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; + GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; + EOSQL + else + read -r -d '' rootCreate <<-EOSQL || true + CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY '${rootPasswordEscaped}' ; + GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; + GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; + EOSQL + fi + fi + + local mysqlAtLocalhost= + local mysqlAtLocalhostGrants= + # Install mysql@localhost user + if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then + read -r -d '' mysqlAtLocalhost <<-EOSQL || true + CREATE USER mysql@localhost IDENTIFIED VIA unix_socket; + EOSQL + if [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then + if [ "$MARIADB_MYSQL_LOCALHOST_GRANTS" != USAGE ]; then + mysql_warn "Excessive privileges ON *.* TO mysql@localhost facilitates risks to the confidentiality, integrity and availability of data stored" + fi + mysqlAtLocalhostGrants="GRANT ${MARIADB_MYSQL_LOCALHOST_GRANTS} ON *.* TO mysql@localhost;"; + fi + fi + + local createHealthCheckUsers + createHealthCheckUsers=$(create_healthcheck_users) + + local rootLocalhostPass= + if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then + # handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d + rootLocalhostPass="SET PASSWORD FOR 'root'@'localhost'= PASSWORD('${rootPasswordEscaped}');" + fi + + local createDatabase= + # Creates a custom database and user if specified + if [ -n "$MARIADB_DATABASE" ]; then + mysql_note "Creating database ${MARIADB_DATABASE}" + createDatabase="CREATE DATABASE IF NOT EXISTS \`$MARIADB_DATABASE\`;" + fi + + local createUser= + local userGrants= + if [ -n "$MARIADB_PASSWORD" ] || [ -n "$MARIADB_PASSWORD_HASH" ] && [ -n "$MARIADB_USER" ]; then + mysql_note "Creating user ${MARIADB_USER}" + if [ -n "$MARIADB_PASSWORD_HASH" ]; then + createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY PASSWORD '$MARIADB_PASSWORD_HASH';" + else + # SQL escape the user password, \ followed by ' + local userPasswordEscaped + userPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_PASSWORD}") + createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';" + fi + + if [ -n "$MARIADB_DATABASE" ]; then + mysql_note "Giving user ${MARIADB_USER} access to schema ${MARIADB_DATABASE}" + userGrants="GRANT ALL ON \`${MARIADB_DATABASE//_/\\_}\`.* TO '$MARIADB_USER'@'%';" + fi + fi + + # To create replica user + local createReplicaUser= + local changeMasterTo= + local startReplica= + if [ -n "$MARIADB_REPLICATION_USER" ] ; then + if [ -z "$MARIADB_MASTER_HOST" ]; then + # on master + mysql_note "Creating user ${MARIADB_REPLICATION_USER}" + createReplicaUser=$(create_replica_user) + else + # on replica + local rplPasswordEscaped + rplPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_REPLICATION_PASSWORD}") + # SC cannot follow how MARIADB_MASTER_PORT is assigned a default value. + # shellcheck disable=SC2153 + changeMasterTo="CHANGE MASTER TO MASTER_HOST='$MARIADB_MASTER_HOST', MASTER_USER='$MARIADB_REPLICATION_USER', MASTER_PASSWORD='$rplPasswordEscaped', MASTER_PORT=$MARIADB_MASTER_PORT, MASTER_CONNECT_RETRY=10;" + startReplica="START REPLICA;" + fi + fi + + mysql_note "Securing system users (equivalent to running mysql_secure_installation)" + # tell docker_process_sql to not use MARIADB_ROOT_PASSWORD since it is just now being set + # --binary-mode to save us from the semi-mad users go out of their way to confuse the encoding. + docker_process_sql --dont-use-mysql-root-password --database=mysql --binary-mode <<-EOSQL + -- Securing system users shouldn't be replicated + SET @orig_sql_log_bin= @@SESSION.SQL_LOG_BIN; + SET @@SESSION.SQL_LOG_BIN=0; + -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set + SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); + + DROP USER IF EXISTS root@'127.0.0.1', root@'::1'; + EXECUTE IMMEDIATE CONCAT('DROP USER IF EXISTS root@\'', @@hostname,'\''); + + ${rootLocalhostPass} + ${rootCreate} + ${mysqlAtLocalhost} + ${mysqlAtLocalhostGrants} + ${createHealthCheckUsers} + -- end of securing system users, rest of init now... + SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin; + -- create users/databases + ${createDatabase} + ${createUser} + ${createReplicaUser} + ${userGrants} + + ${changeMasterTo} + ${startReplica} + EOSQL +} + +# create a new installation +docker_mariadb_init() +{ + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + if [ -n "$DATABASE_INIT_FROM_BACKUP" ]; then + shopt -s dotglob + for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do + mkdir -p "$DATADIR"/.init + tar --auto-compress --extract --file "$file" --directory="$DATADIR"/.init + mariadb-backup --target-dir="$DATADIR"/.init --datadir="$DATADIR"/.restore --move-back + + mv "$DATADIR"/.restore/** "$DATADIR"/ + if [ -f "$DATADIR/.init/backup-my.cnf" ]; then + mv "$DATADIR/.init/backup-my.cnf" "$DATADIR/.my.cnf" + mysql_note "Adding startup configuration:" + my_print_defaults --defaults-file="$DATADIR/.my.cnf" --mariadbd + fi + rm -rf "$DATADIR"/.init "$DATADIR"/.restore + if [ "$(id -u)" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql -exec chown mysql: '{}' + + fi + done + if _check_if_upgrade_is_needed; then + docker_mariadb_upgrade "$@" + fi + return + fi + docker_init_database_dir "$@" + + mysql_note "Starting temporary server" + docker_temp_server_start "$@" + mysql_note "Temporary server started." + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + # Wait until after /docker-entrypoint-initdb.d is performed before setting + # root@localhost password to a hash we don't know the password for. + if [ -n "${MARIADB_ROOT_PASSWORD_HASH}" ]; then + mysql_note "Setting root@localhost password hash" + docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL + SET @@SESSION.SQL_LOG_BIN=0; + SET PASSWORD FOR 'root'@'localhost'= '${MARIADB_ROOT_PASSWORD_HASH}'; + EOSQL + fi + + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + echo + mysql_note "MariaDB init process done. Ready for start up." + echo +} + +# backup the mysql database +docker_mariadb_backup_system() +{ + if [ -n "$MARIADB_DISABLE_UPGRADE_BACKUP" ] \ + && [ "$MARIADB_DISABLE_UPGRADE_BACKUP" = 1 ]; then + mysql_note "MariaDB upgrade backup disabled due to \$MARIADB_DISABLE_UPGRADE_BACKUP=1 setting" + return + fi + local backup_db="system_mysql_backup_unknown_version.sql.zst" + local oldfullversion="unknown_version" + if [ -r "$DATADIR"/mysql_upgrade_info ]; then + read -r -d '' oldfullversion < "$DATADIR"/mysql_upgrade_info || true + if [ -n "$oldfullversion" ]; then + backup_db="system_mysql_backup_${oldfullversion}.sql.zst" + fi + fi + + mysql_note "Backing up system database to $backup_db" + if ! mariadb-dump --skip-lock-tables --replace --databases mysql --socket="${SOCKET}" | zstd > "${DATADIR}/${backup_db}"; then + mysql_error "Unable backup system database for upgrade from $oldfullversion." + fi + mysql_note "Backing up complete" +} + +# perform mariadb-upgrade +# backup the mysql database if this is a major upgrade +docker_mariadb_upgrade() { + if [ -z "$MARIADB_AUTO_UPGRADE" ] \ + || [ "$MARIADB_AUTO_UPGRADE" = 0 ]; then + mysql_note "MariaDB upgrade (mariadb-upgrade or creating healthcheck users) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting" + return + fi + mysql_note "Starting temporary server" + docker_temp_server_start "$@" --skip-grant-tables \ + --loose-innodb_buffer_pool_dump_at_shutdown=0 \ + --skip-slave-start + mysql_note "Temporary server started." + + docker_mariadb_backup_system + + if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then + mysql_note "Creating healthcheck users" + local createHealthCheckUsers + createHealthCheckUsers=$(create_healthcheck_users) + docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL + -- Healthcheck users shouldn't be replicated + SET @@SESSION.SQL_LOG_BIN=0; + -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set + SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); + FLUSH PRIVILEGES; + $createHealthCheckUsers +EOSQL + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + if _check_if_upgrade_is_needed; then + # need a restart as FLUSH PRIVILEGES isn't reversable + mysql_note "Restarting temporary server for upgrade" + docker_temp_server_start "$@" --skip-grant-tables \ + --loose-innodb_buffer_pool_dump_at_shutdown=0 \ + --skip-slave-start + else + return 0 + fi + fi + + mysql_note "Starting mariadb-upgrade" + mariadb-upgrade --upgrade-system-tables + mysql_note "Finished mariadb-upgrade" + + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" +} + + +_check_if_upgrade_is_needed() { + if [ ! -f "$DATADIR"/mysql_upgrade_info ]; then + mysql_note "MariaDB upgrade information missing, assuming required" + return 0 + fi + local mariadbVersion + mariadbVersion="$(_mariadb_version)" + IFS='.-' read -ra newversion <<<"$mariadbVersion" + IFS='.-' read -ra oldversion < "$DATADIR"/mysql_upgrade_info || true + + if [[ ${#newversion[@]} -lt 2 ]] || [[ ${#oldversion[@]} -lt 2 ]] \ + || [[ ${oldversion[0]} -lt ${newversion[0]} ]] \ + || [[ ${oldversion[0]} -eq ${newversion[0]} && ${oldversion[1]} -lt ${newversion[1]} ]]; then + return 0 + fi + if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then + mysql_note "MariaDB heathcheck configation file missing, assuming desirable" + return 0 + fi + mysql_note "MariaDB upgrade not required" + return 1 +} + +# check arguments for an option that would cause mariadbd to stop +# return true if there is one +_mysql_want_help() { + local arg + for arg; do + case "$arg" in + -'?'|--help|--print-defaults|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if command starts with an option, prepend mariadbd + if [ "${1:0:1}" = '-' ]; then + set -- mariadbd "$@" + fi + + #ENDOFSUBSTITUTIONS + # skip setup if they aren't running mysqld or want an option that stops mysqld + if [ "$1" = 'mariadbd' ] || [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then + mysql_note "Entrypoint script for MariaDB Server ${MARIADB_VERSION} started." + + mysql_check_config "$@" + # Load various environment variables + docker_setup_env "$@" + docker_create_db_directories + + # If container is started as root user, restart as dedicated mysql user + if [ "$(id -u)" = "0" ]; then + mysql_note "Switching to dedicated user 'mysql'" + exec gosu mysql "${BASH_SOURCE[0]}" "$@" + fi + + # there's no database, so it needs to be initialized + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + + docker_mariadb_init "$@" + # MDEV-27636 mariadb_upgrade --check-if-upgrade-is-needed cannot be run offline + #elif mariadb-upgrade --check-if-upgrade-is-needed; then + elif _check_if_upgrade_is_needed; then + docker_mariadb_upgrade "$@" + fi + fi + exec "$@" +} + +# If we are sourced from elsewhere, don't perform any further actions +if ! _is_sourced; then + _main "$@" +fi diff --git a/11.6-ubi/docker.cnf b/11.6-ubi/docker.cnf new file mode 100644 index 00000000..f3af00a0 --- /dev/null +++ b/11.6-ubi/docker.cnf @@ -0,0 +1,16 @@ +# Ubuntu container compatibility + +[mariadb] +host-cache-size=0 +skip-name-resolve + +expire_logs_days=10 +character-set-server=utf8mb4 + +character-set-collations=utf8mb4=uca1400_ai_ci # 11.3+ + +[client-server] +socket=/run/mariadb/mariadb.sock + +!includedir /etc/mysql/mariadb.conf.d +!includedir /etc/mysql/conf.d diff --git a/11.6-ubi/healthcheck.sh b/11.6-ubi/healthcheck.sh new file mode 100755 index 00000000..7f2b0a69 --- /dev/null +++ b/11.6-ubi/healthcheck.sh @@ -0,0 +1,355 @@ +#!/bin/bash +# +# Healthcheck script for MariaDB +# +# Runs various tests on the MariaDB server to check its health. Pass the tests +# to run as arguments. If all tests succeed, the server is considered healthy, +# otherwise it's not. +# +# Arguments are processed in strict order. Set replication_* options before +# the --replication option. This allows a different set of replication checks +# on different connections. +# +# --su{=|-mariadb} is option to run the healthcheck as a different unix user. +# Useful if mariadb@localhost user exists with unix socket authentication +# Using this option disregards previous options set, so should usually be the +# first option. +# +# Some tests require SQL privileges. +# +# TEST MINIMUM GRANTS REQUIRED +# connect none* +# innodb_initialized USAGE +# innodb_buffer_pool_loaded USAGE +# galera_online USAGE +# galera_ready USAGE +# replication REPLICATION_CLIENT (<10.5)or REPLICA MONITOR (10.5+) +# mariadbupgrade none, however unix user permissions on datadir +# +# The SQL user used is the default for the mariadb client. This can be the unix user +# if no user(or password) is set in the [mariadb-client] section of a configuration +# file. --defaults-{file,extra-file,group-suffix} can specify a file/configuration +# different from elsewhere. +# +# Note * though denied error message will result in error log without +# any permissions. + +set -eo pipefail + +_process_sql() +{ + mariadb ${nodefaults:+--no-defaults} \ + ${def['file']:+--defaults-file=${def['file']}} \ + ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ + ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --skip-ssl --skip-ssl-verify-server-cert \ + -B "$@" +} + +# TESTS + + +# CONNECT +# +# Tests that a connection can be made over TCP, the final state +# of the entrypoint and is listening. The authentication used +# isn't tested. +connect() +{ + set +e +o pipefail + # (on second extra_file) + # shellcheck disable=SC2086 + mariadb ${nodefaults:+--no-defaults} \ + ${def['file']:+--defaults-file=${def['file']}} \ + ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ + ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --skip-ssl --skip-ssl-verify-server-cert \ + -h localhost --protocol tcp -e 'select 1' 2>&1 \ + | grep -qF "Can't connect" + local ret=${PIPESTATUS[1]} + set -eo pipefail + if (( "$ret" == 0 )); then + # grep Matched "Can't connect" so we fail + return 1 + fi + return 0 +} + +# INNODB_INITIALIZED +# +# This tests that the crash recovery of InnoDB has completed +# along with all the other things required to make it to a healthy +# operational state. Note this may return true in the early +# states of initialization. Use with a connect test to avoid +# these false positives. +innodb_initialized() +{ + local s + s=$(_process_sql --skip-column-names -e "select 1 from information_schema.ENGINES WHERE engine='innodb' AND support in ('YES', 'DEFAULT', 'ENABLED')") + [ "$s" == 1 ] +} + +# INNODB_BUFFER_POOL_LOADED +# +# Tests the load of the innodb buffer pool as been complete +# implies innodb_buffer_pool_load_at_startup=1 (default), or if +# manually SET innodb_buffer_pool_load_now=1 +innodb_buffer_pool_loaded() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='Innodb_buffer_pool_load_status'") + if [[ $s =~ 'load completed' ]]; then + return 0 + fi + return 1 +} + +# GALERA_ONLINE +# +# Tests that the galera node is in the SYNCed state +galera_online() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_LOCAL_STATE'") + # 4 from https://galeracluster.com/library/documentation/node-states.html#node-state-changes + # not https://xkcd.com/221/ + if [[ $s -eq 4 ]]; then + return 0 + fi + return 1 +} + +# GALERA_READY +# +# Tests that the Galera provider is ready. +galera_ready() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_READY'") + if [ "$s" = "ON" ]; then + return 0 + fi + return 1 +} + +# REPLICATION +# +# Tests the replication has the required set of functions: +# --replication_all -> Checks all replication sources +# --replication_name=n -> sets the multisource connection name tested +# --replication_io -> IO thread is running +# --replication_sql -> SQL thread is running +# --replication_seconds_behind_master=n -> less than or equal this seconds of delay +# --replication_sql_remaining_delay=n -> less than or equal this seconds of remaining delay +# (ref: https://mariadb.com/kb/en/delayed-replication/) +replication() +{ + # SHOW REPLICA available 10.5+ + # https://github.com/koalaman/shellcheck/issues/2383 + # shellcheck disable=SC2016,SC2026 + _process_sql -e "SHOW ${repl['all']:+all} REPLICA${repl['all']:+S} ${repl['name']:+'${repl['name']}'} STATUS\G" | \ + { + # required for trim of leading space. + shopt -s extglob + # Row header + read -t 5 -r + # read timeout + [ $? -gt 128 ] && return 1 + while IFS=":" read -t 1 -r n v; do + # Trim leading space + n=${n##+([[:space:]])} + # Leading space on all values by the \G format needs to be trimmed. + v=${v:1} + case "$n" in + Slave_IO_Running) + if [ -n "${repl['io']}" ] && [ "$v" = 'No' ]; then + return 1 + fi + ;; + Slave_SQL_Running) + if [ -n "${repl['sql']}" ] && [ "$v" = 'No' ]; then + return 1 + fi + ;; + Seconds_Behind_Master) + # A NULL value is the IO thread not running: + if [ -n "${repl['seconds_behind_master']}" ] && + { [ "$v" = NULL ] || + (( "${repl['seconds_behind_master']}" < "$v" )); }; then + return 1 + fi + ;; + SQL_Remaining_Delay) + # Unlike Seconds_Behind_Master, sql_remaining_delay will hit NULL + # once replication is caught up - https://mariadb.com/kb/en/delayed-replication/ + if [ -n "${repl['sql_remaining_delay']}" ] && + [ "$v" != NULL ] && + (( "${repl['sql_remaining_delay']}" < "$v" )); then + return 1 + fi + ;; + esac + done + # read timeout + [ $? -gt 128 ] && return 1 + return 0 + } + # reachable in command not found(?) + # shellcheck disable=SC2317 + return $? +} + +# mariadbupgrade +# +# Test the lock on the file $datadir/mysql_upgrade_info +# https://jira.mariadb.org/browse/MDEV-27068 +mariadbupgrade() +{ + local f="$datadir/mysql_upgrade_info" + if [ -r "$f" ]; then + flock --exclusive --nonblock -n 9 9<"$f" + return $? + fi + return 0 +} + + +# MAIN + +if [ $# -eq 0 ]; then + echo "At least one argument required" >&2 + exit 1 +fi + +#ENDOFSUBSTITUTIONS +# Marks the end of mysql -> mariadb name changes in 10.6+ +# Global variables used by tests +declare -A repl +declare -A def +nodefaults= +datadir=/var/lib/mysql +if [ -f $datadir/.my-healthcheck.cnf ]; then + def['extra_file']=$datadir/.my-healthcheck.cnf +fi + +_repl_param_check() +{ + case "$1" in + seconds_behind_master) ;& + sql_remaining_delay) + if [ -z "${repl['io']}" ]; then + repl['io']=1 + echo "Forcing --replication_io=1, $1 requires IO thread to be running" >&2 + fi + ;; + all) + if [ -n "${repl['name']}" ]; then + unset 'repl[name]' + echo "Option --replication_all incompatible with specified source --replication_name, clearing replication_name" >&2 + fi + ;; + name) + if [ -n "${repl['all']}" ]; then + unset 'repl[all]' + echo "Option --replication_name incompatible with --replication_all, clearing replication_all" >&2 + fi + ;; + esac +} + +_test_exists() { + declare -F "$1" > /dev/null + return $? +} + +while [ $# -gt 0 ]; do + case "$1" in + --su=*) + u="${1#*=}" + shift + exec gosu "${u}" "${BASH_SOURCE[0]}" "$@" + ;; + --su) + shift + u=$1 + shift + exec gosu "$u" "${BASH_SOURCE[0]}" "$@" + ;; + --su-mysql) + shift + exec gosu mysql "${BASH_SOURCE[0]}" "$@" + ;; + --replication_*=*) + # Change the n to what is between _ and = and make lower case + n=${1#*_} + n=${n%%=*} + n=${n,,*} + # v is after the = + v=${1#*=} + repl[$n]=$v + _repl_param_check "$n" + ;; + --replication_*) + # Without =, look for a non --option next as the value, + # otherwise treat it as an "enable", just equate to 1. + # Clearing option is possible with "--replication_X=" + n=${1#*_} + n=${n,,*} + if [ "${2:0:2}" == '--' ]; then + repl[$n]=1 + else + repl[$n]=$2 + shift + fi + _repl_param_check "$n" + ;; + --datadir=*) + datadir=${1#*=} + ;; + --datadir) + shift + datadir=${1} + ;; + --no-defaults) + def=() + nodefaults=1 + ;; + --defaults-file=*|--defaults-extra-file=*|--defaults-group-suffix=*) + n=${1:11} # length --defaults- + n=${n%%=*} + n=${n//-/_} + # v is after the = + v=${1#*=} + def[$n]=$v + nodefaults= + ;; + --defaults-file|--defaults-extra-file|--defaults-group-suffix) + n=${1:11} # length --defaults- + n=${n//-/_} + if [ "${2:0:2}" == '--' ]; then + def[$n]="" + else + def[$n]=$2 + shift + fi + nodefaults= + ;; + --*) + test=${1#--} + ;; + *) + echo "Unknown healthcheck option $1" >&2 + exit 1 + esac + if [ -n "$test" ]; then + if ! _test_exists "$test" ; then + echo "healthcheck unknown option or test '$test'" >&2 + exit 1 + elif ! "$test"; then + echo "healthcheck $test failed" >&2 + exit 1 + fi + test= + fi + shift +done diff --git a/versions.json b/versions.json index 0ae2c874..27d291ea 100644 --- a/versions.json +++ b/versions.json @@ -165,5 +165,19 @@ "arm64v8", "ppc64le" ] + }, + "11.6-ubi": { + "milestone": "11.6", + "version": "11.6.0", + "fullVersion": "11.6.0", + "releaseStatus": "Alpha", + "supportType": "Unknown", + "base": "ubi9", + "arches": [ + "amd64", + "arm64v8", + "ppc64le", + "s390x" + ] } } From 1c10627556ea94ae67048089f80b533994b15f8c Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 20 Jun 2024 15:56:09 +1000 Subject: [PATCH 03/18] UBI default config adjusted by MDEV-34430 (collation) and MDEV-19123 charset --- 11.4-ubi/docker.cnf | 2 +- 11.5-ubi/docker.cnf | 1 - 11.6-ubi/docker.cnf | 2 -- docker.cnf | 2 +- update.sh | 6 ++++++ 5 files changed, 8 insertions(+), 5 deletions(-) diff --git a/11.4-ubi/docker.cnf b/11.4-ubi/docker.cnf index f3af00a0..ccf8b16a 100644 --- a/11.4-ubi/docker.cnf +++ b/11.4-ubi/docker.cnf @@ -7,7 +7,7 @@ skip-name-resolve expire_logs_days=10 character-set-server=utf8mb4 -character-set-collations=utf8mb4=uca1400_ai_ci # 11.3+ +character-set-collations=utf8mb4=uca1400_ai_ci # 11.3, 11.4 [client-server] socket=/run/mariadb/mariadb.sock diff --git a/11.5-ubi/docker.cnf b/11.5-ubi/docker.cnf index f3af00a0..844c2cfb 100644 --- a/11.5-ubi/docker.cnf +++ b/11.5-ubi/docker.cnf @@ -7,7 +7,6 @@ skip-name-resolve expire_logs_days=10 character-set-server=utf8mb4 -character-set-collations=utf8mb4=uca1400_ai_ci # 11.3+ [client-server] socket=/run/mariadb/mariadb.sock diff --git a/11.6-ubi/docker.cnf b/11.6-ubi/docker.cnf index f3af00a0..41dad70a 100644 --- a/11.6-ubi/docker.cnf +++ b/11.6-ubi/docker.cnf @@ -5,9 +5,7 @@ host-cache-size=0 skip-name-resolve expire_logs_days=10 -character-set-server=utf8mb4 -character-set-collations=utf8mb4=uca1400_ai_ci # 11.3+ [client-server] socket=/run/mariadb/mariadb.sock diff --git a/docker.cnf b/docker.cnf index ba96c9cd..d2b9a0fd 100644 --- a/docker.cnf +++ b/docker.cnf @@ -7,7 +7,7 @@ skip-name-resolve expire_logs_days=10 character-set-server=utf8mb4 -character-set-collations=utf8mb4=uca1400_ai_ci # 11.3+ +character-set-collations=utf8mb4=uca1400_ai_ci # 11.3, 11.4 collation-server=utf8mb4_general_ci # 10* [client-server] diff --git a/update.sh b/update.sh index a36f790b..086c349a 100755 --- a/update.sh +++ b/update.sh @@ -55,6 +55,12 @@ update_version() sed -e '/character-set-collations/d' docker.cnf > "$dir/docker.cnf" else sed -e '/collation-server/d' docker.cnf > "$dir/docker.cnf" + if [[ $version != 11.4 ]]; then + sed -i -e '/character-set-collations/d' "$dir/docker.cnf" + fi + if [[ $version != 11.[45] ]]; then + sed -i -e '/character-set/d' "$dir/docker.cnf" + fi fi sed -e "s!%%MARIADB_VERSION%%!${version%-*}!" MariaDB-ubi.repo > "$dir"/MariaDB.repo fi From e3e20e14ab7575cae07208c7c4d48de16c98752f Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 20 Jun 2024 16:02:44 +1000 Subject: [PATCH 04/18] ci: mariadb operator incompatible with MariaDB 10.5 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eca34c89..d83b70cf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -63,7 +63,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Check for registry credentials - if: github.repository == 'MariaDB/mariadb-docker' && github.ref == 'refs/heads/master' + if: github.repository == 'MariaDB/mariadb-docker' && github.ref == 'refs/heads/master' && {{ matrix.directory != 10.5 }} run: | missing=() [[ -n "${{ secrets.MARIADB_OPERATOR_TOKEN }}" ]] || missing+=(MARIADB_OPERATOR_TOKEN) From 6d6407c8d9d83f160d601fd68e20fa964cc0c894 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 20 Jun 2024 16:10:20 +1000 Subject: [PATCH 05/18] 10.4 EOL --- 10.4/Dockerfile | 145 -------- 10.4/docker-entrypoint.sh | 708 -------------------------------------- 10.4/healthcheck.sh | 353 ------------------- update.sh | 13 - versions.json | 13 - 5 files changed, 1232 deletions(-) delete mode 100644 10.4/Dockerfile delete mode 100755 10.4/docker-entrypoint.sh delete mode 100755 10.4/healthcheck.sh diff --git a/10.4/Dockerfile b/10.4/Dockerfile deleted file mode 100644 index b8aa5b19..00000000 --- a/10.4/Dockerfile +++ /dev/null @@ -1,145 +0,0 @@ -# vim:set ft=dockerfile: -FROM ubuntu:focal - -# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added -RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql - -# add gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -# gosu key is B42F6819007F00F88E364FD4036A9C25BF357DD4 -ENV GOSU_VERSION 1.17 - -ARG GPG_KEYS=177F4010FE56CA3336300305F1656F24C74CD1D8 -# pub rsa4096 2016-03-30 [SC] -# 177F 4010 FE56 CA33 3630 0305 F165 6F24 C74C D1D8 -# uid [ unknown] MariaDB Signing Key -# sub rsa4096 2016-03-30 [E] -# install "libjemalloc2" as it offers better performance in some cases. Use with LD_PRELOAD -# install "pwgen" for randomizing passwords -# install "tzdata" for /usr/share/zoneinfo/ -# install "xz-utils" for .sql.xz docker-entrypoint-initdb.d files -# install "zstd" for .sql.zst docker-entrypoint-initdb.d files -# hadolint ignore=SC2086 -RUN set -eux; \ - apt-get update; \ - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ - ca-certificates \ - gpg \ - gpgv \ - libjemalloc2 \ - pwgen \ - tzdata \ - xz-utils \ - zstd ; \ - savedAptMark="$(apt-mark showmanual)"; \ - apt-get install -y --no-install-recommends \ - dirmngr \ - gpg-agent \ - wget; \ - rm -rf /var/lib/apt/lists/*; \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -q -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -q -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - GNUPGHOME="$(mktemp -d)"; \ - export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ - done; \ - gpg --batch --export "$GPG_KEYS" > /etc/apt/trusted.gpg.d/mariadb.gpg; \ - if command -v gpgconf >/dev/null; then \ - gpgconf --kill all; \ - fi; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - apt-mark auto '.*' > /dev/null; \ - [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark >/dev/null; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - chmod +x /usr/local/bin/gosu; \ - gosu --version; \ - gosu nobody true - -RUN mkdir /docker-entrypoint-initdb.d - -# Ensure the container exec commands handle range of utf8 characters based of -# default locales in base image (https://github.com/docker-library/docs/blob/135b79cc8093ab02e55debb61fdb079ab2dbce87/ubuntu/README.md#locales) -ENV LANG C.UTF-8 - -# OCI annotations to image -LABEL org.opencontainers.image.authors="MariaDB Community" \ - org.opencontainers.image.title="MariaDB Database" \ - org.opencontainers.image.description="MariaDB Database for relational SQL" \ - org.opencontainers.image.documentation="https://hub.docker.com/_/mariadb/" \ - org.opencontainers.image.base.name="docker.io/library/ubuntu:focal" \ - org.opencontainers.image.licenses="GPL-2.0" \ - org.opencontainers.image.source="https://github.com/MariaDB/mariadb-docker" \ - org.opencontainers.image.vendor="MariaDB Community" \ - org.opencontainers.image.version="10.4.34" \ - org.opencontainers.image.url="https://github.com/MariaDB/mariadb-docker" - -# bashbrew-architectures: amd64 arm64v8 ppc64le -ARG MARIADB_MAJOR=10.4 -ENV MARIADB_MAJOR $MARIADB_MAJOR -ARG MARIADB_VERSION=1:10.4.34+maria~ubu2004 -ENV MARIADB_VERSION $MARIADB_VERSION -# release-status:Stable -# release-support-type:Long Term Support -# (https://downloads.mariadb.org/rest-api/mariadb/) - -# Allowing overriding of REPOSITORY, a URL that includes suite and component for testing and Enterprise Versions -ARG REPOSITORY="http://archive.mariadb.org/mariadb-10.4.34/repo/ubuntu/ focal main main/debug" - -RUN set -e;\ - echo "deb ${REPOSITORY}" > /etc/apt/sources.list.d/mariadb.list; \ - { \ - echo 'Package: *'; \ - echo 'Pin: release o=MariaDB'; \ - echo 'Pin-Priority: 999'; \ - } > /etc/apt/preferences.d/mariadb -# add repository pinning to make sure dependencies from this MariaDB repo are preferred over Debian dependencies -# libmariadbclient18 : Depends: libmysqlclient18 (= 5.5.42+maria-1~wheezy) but 5.5.43-0+deb7u1 is to be installed - -# the "/var/lib/mysql" stuff here is because the mysql-server postinst doesn't have an explicit way to disable the mysql_install_db codepath besides having a database already "configured" (ie, stuff in /var/lib/mysql/mysql) -# also, we set debconf keys to make APT a little quieter -# hadolint ignore=DL3015 -RUN set -ex; \ - { \ - echo "mariadb-server-$MARIADB_MAJOR" mysql-server/root_password password 'unused'; \ - echo "mariadb-server-$MARIADB_MAJOR" mysql-server/root_password_again password 'unused'; \ - } | debconf-set-selections; \ - apt-get update; \ -# postinst script creates a datadir, so avoid creating it by faking its existance. - mkdir -p /var/lib/mysql/mysql ; touch /var/lib/mysql/mysql/user.frm ; \ -# mariadb-backup is installed at the same time so that `mysql-common` is only installed once from just mariadb repos - apt-get install -y --no-install-recommends mariadb-server="$MARIADB_VERSION" mariadb-backup socat \ - ; \ - rm -rf /var/lib/apt/lists/*; \ -# purge and re-create /var/lib/mysql with appropriate ownership - rm -rf /var/lib/mysql /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf; \ - mkdir -p /var/lib/mysql /var/run//mysqld; \ - chown -R mysql:mysql /var/lib/mysql /var/run//mysqld; \ -# ensure that /var/run//mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime - chmod 1777 /var/run//mysqld; \ -# comment out a few problematic configuration values - find /etc/mysql/ -name '*.cnf' -print0 \ - | xargs -0 grep -lZE '^(bind-address|log|user\s)' \ - | xargs -rt -0 sed -Ei 's/^(bind-address|log|user\s)/#&/'; \ -# don't reverse lookup hostnames, they are usually another container - printf "[mariadb]\nhost-cache-size=0\nskip-name-resolve\n" > /etc/mysql/mariadb.conf.d/05-skipcache.cnf; \ -# Issue #327 Correct order of reading directories /etc/mysql/mariadb.conf.d before /etc/mysql/conf.d (mount-point per documentation) - if [ -L /etc/mysql/my.cnf ]; then \ -# 10.5+ - sed -i -e '/includedir/ {N;s/\(.*\)\n\(.*\)/\n\2\n\1/}' /etc/mysql/mariadb.cnf; \ - fi - - -VOLUME /var/lib/mysql - -COPY healthcheck.sh /usr/local/bin/healthcheck.sh -COPY docker-entrypoint.sh /usr/local/bin/ -RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat -ENTRYPOINT ["docker-entrypoint.sh"] - -EXPOSE 3306 -CMD ["mysqld"] diff --git a/10.4/docker-entrypoint.sh b/10.4/docker-entrypoint.sh deleted file mode 100755 index ab540da0..00000000 --- a/10.4/docker-entrypoint.sh +++ /dev/null @@ -1,708 +0,0 @@ -#!/bin/bash -set -eo pipefail -shopt -s nullglob - -# logging functions -mysql_log() { - local type="$1"; shift - printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*" -} -mysql_note() { - mysql_log Note "$@" -} -mysql_warn() { - mysql_log Warn "$@" >&2 -} -mysql_error() { - mysql_log ERROR "$@" >&2 - exit 1 -} - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - mysql_error "Both $var and $fileVar are set (but are exclusive)" - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# set MARIADB_xyz from MYSQL_xyz when MARIADB_xyz is unset -# and make them the same value (so user scripts can use either) -_mariadb_file_env() { - local var="$1"; shift - local maria="MARIADB_${var#MYSQL_}" - file_env "$var" "$@" - file_env "$maria" "${!var}" - if [ "${!maria:-}" ]; then - export "$var"="${!maria}" - fi -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions -docker_process_init_files() { - # mysql here for backwards compatibility "${mysql[@]}" - # ShellCheck: mysql appears unused. Verify use (or export if used externally) - # shellcheck disable=SC2034 - mysql=( docker_process_sql ) - - echo - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - mysql_note "$0: running $f" - "$f" - else - mysql_note "$0: sourcing $f" - # ShellCheck can't follow non-constant source. Use a directive to specify location. - # shellcheck disable=SC1090 - . "$f" - fi - ;; - *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;; - *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; - *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; - *.sql.zst) mysql_note "$0: running $f"; zstd -dc "$f" | docker_process_sql; echo ;; - *) mysql_warn "$0: ignoring $f" ;; - esac - echo - done -} - -# arguments necessary to run "mysqld --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values) -_verboseHelpArgs=( - --verbose --help -) - -mysql_check_config() { - local toRun=( "$@" "${_verboseHelpArgs[@]}" ) errors - if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then - mysql_error $'mysqld failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors" - fi -} - -# Fetch value from server config -# We use mysqld --verbose --help instead of my_print_defaults because the -# latter only show values present in config files, and not server defaults -mysql_get_config() { - local conf="$1"; shift - "$@" "${_verboseHelpArgs[@]}" 2>/dev/null \ - | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' - # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" -} - -# Do a temporary startup of the MariaDB server, for init purposes -docker_temp_server_start() { - "$@" --skip-networking --default-time-zone=SYSTEM --socket="${SOCKET}" --wsrep_on=OFF \ - --expire-logs-days=0 \ - --loose-innodb_buffer_pool_load_at_startup=0 \ - & - declare -g MARIADB_PID - MARIADB_PID=$! - mysql_note "Waiting for server startup" - # only use the root password if the database has already been initialized - # so that it won't try to fill in a password file when it hasn't been set yet - extraArgs=() - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - extraArgs+=( '--dont-use-mysql-root-password' ) - fi - local i - for i in {30..0}; do - if docker_process_sql "${extraArgs[@]}" --database=mysql \ - <<<'SELECT 1' &> /dev/null; then - break - fi - sleep 1 - done - if [ "$i" = 0 ]; then - mysql_error "Unable to start server." - fi -} - -# Stop the server. When using a local socket file mysqladmin will block until -# the shutdown is complete. -docker_temp_server_stop() { - kill "$MARIADB_PID" - wait "$MARIADB_PID" -} - -# Verify that the minimally required password settings are set for new databases. -docker_verify_minimum_env() { - # Restoring from backup requires no environment variables - declare -g DATABASE_INIT_FROM_BACKUP - for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do - if [ -f "${file}" ]; then - DATABASE_INIT_FROM_BACKUP='true' - return - fi - done - if [ -z "$MARIADB_ROOT_PASSWORD" ] && [ -z "$MARIADB_ROOT_PASSWORD_HASH" ] && [ -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] && [ -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then - mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ROOT_PASSWORD_HASH, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD' - fi - # More preemptive exclusions of combinations should have been made before *PASSWORD_HASH was added, but for now we don't enforce due to compatibility. - if [ -n "$MARIADB_ROOT_PASSWORD" ] || [ -n "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] || [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ] && [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then - mysql_error "Cannot specify MARIADB_ROOT_PASSWORD_HASH and another MARIADB_ROOT_PASSWORD* option." - fi - if [ -n "$MARIADB_PASSWORD" ] && [ -n "$MARIADB_PASSWORD_HASH" ]; then - mysql_error "Cannot specify MARIADB_PASSWORD_HASH and MARIADB_PASSWORD option." - fi - if [ -n "$MARIADB_REPLICATION_USER" ]; then - if [ -z "$MARIADB_MASTER_HOST" ]; then - # its a master, we're creating a user - if [ -z "$MARIADB_REPLICATION_PASSWORD" ] && [ -z "$MARIADB_REPLICATION_PASSWORD_HASH" ]; then - mysql_error "MARIADB_REPLICATION_PASSWORD or MARIADB_REPLICATION_PASSWORD_HASH not found to create replication user for master" - fi - else - # its a replica - if [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; then - mysql_error "MARIADB_REPLICATION_PASSWORD is mandatory to specify the replication on the replica image." - fi - if [ -n "$MARIADB_REPLICATION_PASSWORD_HASH" ] ; then - mysql_warn "MARIADB_REPLICATION_PASSWORD_HASH cannot be specified on a replica" - fi - fi - fi - if [ -n "$MARIADB_MASTER_HOST" ] && { [ -z "$MARIADB_REPLICATION_USER" ] || [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; }; then - mysql_error "For a replica, MARIADB_REPLICATION_USER and MARIADB_REPLICATION is mandatory." - fi -} - -# creates folders for the database -# also ensures permission for user mysql of run as root -docker_create_db_directories() { - local user; user="$(id -u)" - - # TODO other directories that are used by default? like /var/lib/mysql-files - # see https://github.com/docker-library/mysql/issues/562 - mkdir -p "$DATADIR" - - if [ "$user" = "0" ]; then - # this will cause less disk access than `chown -R` - find "$DATADIR" \! -user mysql -exec chown mysql: '{}' + - # See https://github.com/MariaDB/mariadb-docker/issues/363 - find "${SOCKET%/*}" -maxdepth 0 \! -user mysql -exec chown mysql: '{}' \; - - fi -} - -_mariadb_version() { - echo -n "10.4.34-MariaDB" -} - -# initializes the database directory -docker_init_database_dir() { - mysql_note "Initializing database files" - installArgs=( --datadir="$DATADIR" --rpm --auth-root-authentication-method=normal ) - # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here) - - local mariadbdArgs=() - for arg in "${@:2}"; do - # Check if the argument contains whitespace - if [[ "$arg" =~ [[:space:]] ]]; then - mysql_warn "Not passing argument \'$arg\' to mariadb-install-db because mariadb-install-db does not support arguments with whitespace." - else - mariadbdArgs+=("$arg") - fi - done - mysql_install_db "${installArgs[@]}" "${mariadbdArgs[@]}" \ - --skip-test-db \ - --default-time-zone=SYSTEM --enforce-storage-engine= \ - --skip-log-bin \ - --expire-logs-days=0 \ - --loose-innodb_buffer_pool_load_at_startup=0 \ - --loose-innodb_buffer_pool_dump_at_shutdown=0 - mysql_note "Database files initialized" -} - -# Loads various settings that are used elsewhere in the script -# This should be called after mysql_check_config, but before any other functions -docker_setup_env() { - # Get config - declare -g DATADIR SOCKET PORT - DATADIR="$(mysql_get_config 'datadir' "$@")" - SOCKET="$(mysql_get_config 'socket' "$@")" - PORT="$(mysql_get_config 'port' "$@")" - - - # Initialize values that might be stored in a file - _mariadb_file_env 'MYSQL_ROOT_HOST' '%' - _mariadb_file_env 'MYSQL_DATABASE' - _mariadb_file_env 'MYSQL_USER' - _mariadb_file_env 'MYSQL_PASSWORD' - _mariadb_file_env 'MYSQL_ROOT_PASSWORD' - # No MYSQL_ compatibility needed for new variables - file_env 'MARIADB_PASSWORD_HASH' - file_env 'MARIADB_ROOT_PASSWORD_HASH' - # env variables related to replication - file_env 'MARIADB_REPLICATION_USER' - file_env 'MARIADB_REPLICATION_PASSWORD' - file_env 'MARIADB_REPLICATION_PASSWORD_HASH' - # env variables related to master - file_env 'MARIADB_MASTER_HOST' - file_env 'MARIADB_MASTER_PORT' 3306 - - # set MARIADB_ from MYSQL_ when it is unset and then make them the same value - : "${MARIADB_ALLOW_EMPTY_ROOT_PASSWORD:=${MYSQL_ALLOW_EMPTY_PASSWORD:-}}" - export MYSQL_ALLOW_EMPTY_PASSWORD="$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" MARIADB_ALLOW_EMPTY_ROOT_PASSWORD - : "${MARIADB_RANDOM_ROOT_PASSWORD:=${MYSQL_RANDOM_ROOT_PASSWORD:-}}" - export MYSQL_RANDOM_ROOT_PASSWORD="$MARIADB_RANDOM_ROOT_PASSWORD" MARIADB_RANDOM_ROOT_PASSWORD - : "${MARIADB_INITDB_SKIP_TZINFO:=${MYSQL_INITDB_SKIP_TZINFO:-}}" - export MYSQL_INITDB_SKIP_TZINFO="$MARIADB_INITDB_SKIP_TZINFO" MARIADB_INITDB_SKIP_TZINFO - - declare -g DATABASE_ALREADY_EXISTS - if [ -d "$DATADIR/mysql" ]; then - DATABASE_ALREADY_EXISTS='true' - fi -} - -# Execute the client, use via docker_process_sql to handle root password -docker_exec_client() { - # args sent in can override this db, since they will be later in the command - if [ -n "$MYSQL_DATABASE" ]; then - set -- --database="$MYSQL_DATABASE" "$@" - fi - mysql --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@" -} - -# Execute sql script, passed via stdin -# usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args] -# ie: docker_process_sql --database=mydb <<<'INSERT ...' -# ie: docker_process_sql --dont-use-mysql-root-password --database=mydb "$DATADIR"/.my-healthcheck.cnf - $maskPreserve -} - -# Initializes database with timezone info and root password, plus optional extra db/user -docker_setup_db() { - # Load timezone info into database - if [ -z "$MARIADB_INITDB_SKIP_TZINFO" ]; then - # --skip-write-binlog usefully disables binary logging - # but also outputs LOCK TABLES to improve the IO of - # Aria (MDEV-23326) for 10.4+. - mysql_tzinfo_to_sql --skip-write-binlog /usr/share/zoneinfo \ - | docker_process_sql --dont-use-mysql-root-password --database=mysql - # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet - fi - # Generate random root password - if [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then - MARIADB_ROOT_PASSWORD="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)" - export MARIADB_ROOT_PASSWORD MYSQL_ROOT_PASSWORD=$MARIADB_ROOT_PASSWORD - mysql_note "GENERATED ROOT PASSWORD: $MARIADB_ROOT_PASSWORD" - fi - - # Creates root users for non-localhost hosts - local rootCreate= - local rootPasswordEscaped= - if [ -n "$MARIADB_ROOT_PASSWORD" ]; then - # Sets root password and creates root users for non-localhost hosts - rootPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}") - fi - - # default root to listen for connections from anywhere - if [ -n "$MARIADB_ROOT_HOST" ] && [ "$MARIADB_ROOT_HOST" != 'localhost' ]; then - # ref "read -d ''", no, we don't care if read finds a terminating character in this heredoc - # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151 - if [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then - read -r -d '' rootCreate <<-EOSQL || true - CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY PASSWORD '${MARIADB_ROOT_PASSWORD_HASH}' ; - GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; - GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; - EOSQL - else - read -r -d '' rootCreate <<-EOSQL || true - CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY '${rootPasswordEscaped}' ; - GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; - GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; - EOSQL - fi - fi - - local mysqlAtLocalhost= - local mysqlAtLocalhostGrants= - # Install mysql@localhost user - if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then - read -r -d '' mysqlAtLocalhost <<-EOSQL || true - CREATE USER mysql@localhost IDENTIFIED VIA unix_socket; - EOSQL - if [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then - if [ "$MARIADB_MYSQL_LOCALHOST_GRANTS" != USAGE ]; then - mysql_warn "Excessive privileges ON *.* TO mysql@localhost facilitates risks to the confidentiality, integrity and availability of data stored" - fi - mysqlAtLocalhostGrants="GRANT ${MARIADB_MYSQL_LOCALHOST_GRANTS} ON *.* TO mysql@localhost;"; - fi - fi - - local createHealthCheckUsers - createHealthCheckUsers=$(create_healthcheck_users) - - local rootLocalhostPass= - if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then - # handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d - rootLocalhostPass="SET PASSWORD FOR 'root'@'localhost'= PASSWORD('${rootPasswordEscaped}');" - fi - - local createDatabase= - # Creates a custom database and user if specified - if [ -n "$MARIADB_DATABASE" ]; then - mysql_note "Creating database ${MARIADB_DATABASE}" - createDatabase="CREATE DATABASE IF NOT EXISTS \`$MARIADB_DATABASE\`;" - fi - - local createUser= - local userGrants= - if [ -n "$MARIADB_PASSWORD" ] || [ -n "$MARIADB_PASSWORD_HASH" ] && [ -n "$MARIADB_USER" ]; then - mysql_note "Creating user ${MARIADB_USER}" - if [ -n "$MARIADB_PASSWORD_HASH" ]; then - createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY PASSWORD '$MARIADB_PASSWORD_HASH';" - else - # SQL escape the user password, \ followed by ' - local userPasswordEscaped - userPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_PASSWORD}") - createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';" - fi - - if [ -n "$MARIADB_DATABASE" ]; then - mysql_note "Giving user ${MARIADB_USER} access to schema ${MARIADB_DATABASE}" - userGrants="GRANT ALL ON \`${MARIADB_DATABASE//_/\\_}\`.* TO '$MARIADB_USER'@'%';" - fi - fi - - # To create replica user - local createReplicaUser= - local changeMasterTo= - local startReplica= - if [ -n "$MARIADB_REPLICATION_USER" ] ; then - if [ -z "$MARIADB_MASTER_HOST" ]; then - # on master - mysql_note "Creating user ${MARIADB_REPLICATION_USER}" - createReplicaUser=$(create_replica_user) - else - # on replica - local rplPasswordEscaped - rplPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_REPLICATION_PASSWORD}") - # SC cannot follow how MARIADB_MASTER_PORT is assigned a default value. - # shellcheck disable=SC2153 - changeMasterTo="CHANGE MASTER TO MASTER_HOST='$MARIADB_MASTER_HOST', MASTER_USER='$MARIADB_REPLICATION_USER', MASTER_PASSWORD='$rplPasswordEscaped', MASTER_PORT=$MARIADB_MASTER_PORT, MASTER_CONNECT_RETRY=10;" - startReplica="START SLAVE;" - fi - fi - - mysql_note "Securing system users (equivalent to running mysql_secure_installation)" - # tell docker_process_sql to not use MARIADB_ROOT_PASSWORD since it is just now being set - # --binary-mode to save us from the semi-mad users go out of their way to confuse the encoding. - docker_process_sql --dont-use-mysql-root-password --database=mysql --binary-mode <<-EOSQL - -- Securing system users shouldn't be replicated - SET @orig_sql_log_bin= @@SESSION.SQL_LOG_BIN; - SET @@SESSION.SQL_LOG_BIN=0; - -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set - SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); - - DROP USER IF EXISTS root@'127.0.0.1', root@'::1'; - EXECUTE IMMEDIATE CONCAT('DROP USER IF EXISTS root@\'', @@hostname,'\''); - - ${rootLocalhostPass} - ${rootCreate} - ${mysqlAtLocalhost} - ${mysqlAtLocalhostGrants} - ${createHealthCheckUsers} - -- end of securing system users, rest of init now... - SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin; - -- create users/databases - ${createDatabase} - ${createUser} - ${createReplicaUser} - ${userGrants} - - ${changeMasterTo} - ${startReplica} - EOSQL -} - -# create a new installation -docker_mariadb_init() -{ - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - if [ -n "$DATABASE_INIT_FROM_BACKUP" ]; then - shopt -s dotglob - for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do - mkdir -p "$DATADIR"/.init - tar --auto-compress --extract --file "$file" --directory="$DATADIR"/.init - mariadb-backup --target-dir="$DATADIR"/.init --datadir="$DATADIR"/.restore --move-back - - mv "$DATADIR"/.restore/** "$DATADIR"/ - if [ -f "$DATADIR/.init/backup-my.cnf" ]; then - mv "$DATADIR/.init/backup-my.cnf" "$DATADIR/.my.cnf" - mysql_note "Adding startup configuration:" - my_print_defaults --defaults-file="$DATADIR/.my.cnf" --mysqld - fi - rm -rf "$DATADIR"/.init "$DATADIR"/.restore - if [ "$(id -u)" = "0" ]; then - # this will cause less disk access than `chown -R` - find "$DATADIR" \! -user mysql -exec chown mysql: '{}' + - fi - done - if _check_if_upgrade_is_needed; then - docker_mariadb_upgrade "$@" - fi - return - fi - docker_init_database_dir "$@" - - mysql_note "Starting temporary server" - docker_temp_server_start "$@" - mysql_note "Temporary server started." - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - # Wait until after /docker-entrypoint-initdb.d is performed before setting - # root@localhost password to a hash we don't know the password for. - if [ -n "${MARIADB_ROOT_PASSWORD_HASH}" ]; then - mysql_note "Setting root@localhost password hash" - docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL - SET @@SESSION.SQL_LOG_BIN=0; - SET PASSWORD FOR 'root'@'localhost'= '${MARIADB_ROOT_PASSWORD_HASH}'; - EOSQL - fi - - mysql_note "Stopping temporary server" - docker_temp_server_stop - mysql_note "Temporary server stopped" - - echo - mysql_note "MariaDB init process done. Ready for start up." - echo -} - -# backup the mysql database -docker_mariadb_backup_system() -{ - if [ -n "$MARIADB_DISABLE_UPGRADE_BACKUP" ] \ - && [ "$MARIADB_DISABLE_UPGRADE_BACKUP" = 1 ]; then - mysql_note "MariaDB upgrade backup disabled due to \$MARIADB_DISABLE_UPGRADE_BACKUP=1 setting" - return - fi - local backup_db="system_mysql_backup_unknown_version.sql.zst" - local oldfullversion="unknown_version" - if [ -r "$DATADIR"/mysql_upgrade_info ]; then - read -r -d '' oldfullversion < "$DATADIR"/mysql_upgrade_info || true - if [ -n "$oldfullversion" ]; then - backup_db="system_mysql_backup_${oldfullversion}.sql.zst" - fi - fi - - mysql_note "Backing up system database to $backup_db" - if ! mysqldump --skip-lock-tables --replace --databases mysql --socket="${SOCKET}" | zstd > "${DATADIR}/${backup_db}"; then - mysql_error "Unable backup system database for upgrade from $oldfullversion." - fi - mysql_note "Backing up complete" -} - -# perform mariadb-upgrade -# backup the mysql database if this is a major upgrade -docker_mariadb_upgrade() { - if [ -z "$MARIADB_AUTO_UPGRADE" ] \ - || [ "$MARIADB_AUTO_UPGRADE" = 0 ]; then - mysql_note "MariaDB upgrade (mysql_upgrade or creating healthcheck users) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting" - return - fi - mysql_note "Starting temporary server" - docker_temp_server_start "$@" --skip-grant-tables \ - --loose-innodb_buffer_pool_dump_at_shutdown=0 \ - --skip-slave-start - mysql_note "Temporary server started." - - docker_mariadb_backup_system - - if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then - mysql_note "Creating healthcheck users" - local createHealthCheckUsers - createHealthCheckUsers=$(create_healthcheck_users) - docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL - -- Healthcheck users shouldn't be replicated - SET @@SESSION.SQL_LOG_BIN=0; - -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set - SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); - FLUSH PRIVILEGES; - $createHealthCheckUsers -EOSQL - mysql_note "Stopping temporary server" - docker_temp_server_stop - mysql_note "Temporary server stopped" - - if _check_if_upgrade_is_needed; then - # need a restart as FLUSH PRIVILEGES isn't reversable - mysql_note "Restarting temporary server for upgrade" - docker_temp_server_start "$@" --skip-grant-tables \ - --loose-innodb_buffer_pool_dump_at_shutdown=0 \ - --skip-slave-start - else - return 0 - fi - fi - - mysql_note "Starting mariadb-upgrade" - mysql_upgrade --upgrade-system-tables - mysql_note "Finished mariadb-upgrade" - - mysql_note "Stopping temporary server" - docker_temp_server_stop - mysql_note "Temporary server stopped" -} - - -_check_if_upgrade_is_needed() { - if [ ! -f "$DATADIR"/mysql_upgrade_info ]; then - mysql_note "MariaDB upgrade information missing, assuming required" - return 0 - fi - local mariadbVersion - mariadbVersion="$(_mariadb_version)" - IFS='.-' read -ra newversion <<<"$mariadbVersion" - IFS='.-' read -ra oldversion < "$DATADIR"/mysql_upgrade_info || true - - if [[ ${#newversion[@]} -lt 2 ]] || [[ ${#oldversion[@]} -lt 2 ]] \ - || [[ ${oldversion[0]} -lt ${newversion[0]} ]] \ - || [[ ${oldversion[0]} -eq ${newversion[0]} && ${oldversion[1]} -lt ${newversion[1]} ]]; then - return 0 - fi - if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then - mysql_note "MariaDB heathcheck configation file missing, assuming desirable" - return 0 - fi - mysql_note "MariaDB upgrade not required" - return 1 -} - -# check arguments for an option that would cause mysqld to stop -# return true if there is one -_mysql_want_help() { - local arg - for arg; do - case "$arg" in - -'?'|--help|--print-defaults|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -_main() { - # if command starts with an option, prepend mysqld - if [ "${1:0:1}" = '-' ]; then - set -- mysqld "$@" - fi - - #ENDOFSUBSTITUTIONS - # skip setup if they aren't running mysqld or want an option that stops mysqld - if [ "$1" = 'mariadbd' ] || [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then - mysql_note "Entrypoint script for MariaDB Server ${MARIADB_VERSION} started." - - mysql_check_config "$@" - # Load various environment variables - docker_setup_env "$@" - docker_create_db_directories - - # If container is started as root user, restart as dedicated mysql user - if [ "$(id -u)" = "0" ]; then - mysql_note "Switching to dedicated user 'mysql'" - exec gosu mysql "${BASH_SOURCE[0]}" "$@" - fi - - # there's no database, so it needs to be initialized - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - docker_mariadb_init "$@" - # MDEV-27636 mariadb_upgrade --check-if-upgrade-is-needed cannot be run offline - #elif mysql_upgrade --check-if-upgrade-is-needed; then - elif _check_if_upgrade_is_needed; then - docker_mariadb_upgrade "$@" - fi - fi - exec "$@" -} - -# If we are sourced from elsewhere, don't perform any further actions -if ! _is_sourced; then - _main "$@" -fi diff --git a/10.4/healthcheck.sh b/10.4/healthcheck.sh deleted file mode 100755 index 0cc1a844..00000000 --- a/10.4/healthcheck.sh +++ /dev/null @@ -1,353 +0,0 @@ -#!/bin/bash -# -# Healthcheck script for MariaDB -# -# Runs various tests on the MariaDB server to check its health. Pass the tests -# to run as arguments. If all tests succeed, the server is considered healthy, -# otherwise it's not. -# -# Arguments are processed in strict order. Set replication_* options before -# the --replication option. This allows a different set of replication checks -# on different connections. -# -# --su{=|-mysql} is option to run the healthcheck as a different unix user. -# Useful if mysql@localhost user exists with unix socket authentication -# Using this option disregards previous options set, so should usually be the -# first option. -# -# Some tests require SQL privileges. -# -# TEST MINIMUM GRANTS REQUIRED -# connect none* -# innodb_initialized USAGE -# innodb_buffer_pool_loaded USAGE -# galera_online USAGE -# galera_ready USAGE -# replication REPLICATION_CLIENT (<10.5)or REPLICA MONITOR (10.5+) -# mariadbupgrade none, however unix user permissions on datadir -# -# The SQL user used is the default for the mysql client. This can be the unix user -# if no user(or password) is set in the [mariadb-client] section of a configuration -# file. --defaults-{file,extra-file,group-suffix} can specify a file/configuration -# different from elsewhere. -# -# Note * though denied error message will result in error log without -# any permissions. - -set -eo pipefail - -_process_sql() -{ - mysql ${nodefaults:+--no-defaults} \ - ${def['file']:+--defaults-file=${def['file']}} \ - ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ - ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ - -B "$@" -} - -# TESTS - - -# CONNECT -# -# Tests that a connection can be made over TCP, the final state -# of the entrypoint and is listening. The authentication used -# isn't tested. -connect() -{ - set +e +o pipefail - # (on second extra_file) - # shellcheck disable=SC2086 - mysql ${nodefaults:+--no-defaults} \ - ${def['file']:+--defaults-file=${def['file']}} \ - ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ - ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ - -h localhost --protocol tcp -e 'select 1' 2>&1 \ - | grep -qF "Can't connect" - local ret=${PIPESTATUS[1]} - set -eo pipefail - if (( "$ret" == 0 )); then - # grep Matched "Can't connect" so we fail - return 1 - fi - return 0 -} - -# INNODB_INITIALIZED -# -# This tests that the crash recovery of InnoDB has completed -# along with all the other things required to make it to a healthy -# operational state. Note this may return true in the early -# states of initialization. Use with a connect test to avoid -# these false positives. -innodb_initialized() -{ - local s - s=$(_process_sql --skip-column-names -e "select 1 from information_schema.ENGINES WHERE engine='innodb' AND support in ('YES', 'DEFAULT', 'ENABLED')") - [ "$s" == 1 ] -} - -# INNODB_BUFFER_POOL_LOADED -# -# Tests the load of the innodb buffer pool as been complete -# implies innodb_buffer_pool_load_at_startup=1 (default), or if -# manually SET innodb_buffer_pool_load_now=1 -innodb_buffer_pool_loaded() -{ - local s - s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='Innodb_buffer_pool_load_status'") - if [[ $s =~ 'load completed' ]]; then - return 0 - fi - return 1 -} - -# GALERA_ONLINE -# -# Tests that the galera node is in the SYNCed state -galera_online() -{ - local s - s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_LOCAL_STATE'") - # 4 from https://galeracluster.com/library/documentation/node-states.html#node-state-changes - # not https://xkcd.com/221/ - if [[ $s -eq 4 ]]; then - return 0 - fi - return 1 -} - -# GALERA_READY -# -# Tests that the Galera provider is ready. -galera_ready() -{ - local s - s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_READY'") - if [ "$s" = "ON" ]; then - return 0 - fi - return 1 -} - -# REPLICATION -# -# Tests the replication has the required set of functions: -# --replication_all -> Checks all replication sources -# --replication_name=n -> sets the multisource connection name tested -# --replication_io -> IO thread is running -# --replication_sql -> SQL thread is running -# --replication_seconds_behind_master=n -> less than or equal this seconds of delay -# --replication_sql_remaining_delay=n -> less than or equal this seconds of remaining delay -# (ref: https://mariadb.com/kb/en/delayed-replication/) -replication() -{ - # SHOW REPLICA available 10.5+ - # https://github.com/koalaman/shellcheck/issues/2383 - # shellcheck disable=SC2016,SC2026 - _process_sql -e "SHOW ${repl['all']:+all} SLAVE${repl['all']:+S} ${repl['name']:+'${repl['name']}'} STATUS\G" | \ - { - # required for trim of leading space. - shopt -s extglob - # Row header - read -t 5 -r - # read timeout - [ $? -gt 128 ] && return 1 - while IFS=":" read -t 1 -r n v; do - # Trim leading space - n=${n##+([[:space:]])} - # Leading space on all values by the \G format needs to be trimmed. - v=${v:1} - case "$n" in - Slave_IO_Running) - if [ -n "${repl['io']}" ] && [ "$v" = 'No' ]; then - return 1 - fi - ;; - Slave_SQL_Running) - if [ -n "${repl['sql']}" ] && [ "$v" = 'No' ]; then - return 1 - fi - ;; - Seconds_Behind_Master) - # A NULL value is the IO thread not running: - if [ -n "${repl['seconds_behind_master']}" ] && - { [ "$v" = NULL ] || - (( "${repl['seconds_behind_master']}" < "$v" )); }; then - return 1 - fi - ;; - SQL_Remaining_Delay) - # Unlike Seconds_Behind_Master, sql_remaining_delay will hit NULL - # once replication is caught up - https://mariadb.com/kb/en/delayed-replication/ - if [ -n "${repl['sql_remaining_delay']}" ] && - [ "$v" != NULL ] && - (( "${repl['sql_remaining_delay']}" < "$v" )); then - return 1 - fi - ;; - esac - done - # read timeout - [ $? -gt 128 ] && return 1 - return 0 - } - # reachable in command not found(?) - # shellcheck disable=SC2317 - return $? -} - -# mariadbupgrade -# -# Test the lock on the file $datadir/mysql_upgrade_info -# https://jira.mariadb.org/browse/MDEV-27068 -mariadbupgrade() -{ - local f="$datadir/mysql_upgrade_info" - if [ -r "$f" ]; then - flock --exclusive --nonblock -n 9 9<"$f" - return $? - fi - return 0 -} - - -# MAIN - -if [ $# -eq 0 ]; then - echo "At least one argument required" >&2 - exit 1 -fi - -#ENDOFSUBSTITUTIONS -# Marks the end of mysql -> mariadb name changes in 10.6+ -# Global variables used by tests -declare -A repl -declare -A def -nodefaults= -datadir=/var/lib/mysql -if [ -f $datadir/.my-healthcheck.cnf ]; then - def['extra_file']=$datadir/.my-healthcheck.cnf -fi - -_repl_param_check() -{ - case "$1" in - seconds_behind_master) ;& - sql_remaining_delay) - if [ -z "${repl['io']}" ]; then - repl['io']=1 - echo "Forcing --replication_io=1, $1 requires IO thread to be running" >&2 - fi - ;; - all) - if [ -n "${repl['name']}" ]; then - unset 'repl[name]' - echo "Option --replication_all incompatible with specified source --replication_name, clearing replication_name" >&2 - fi - ;; - name) - if [ -n "${repl['all']}" ]; then - unset 'repl[all]' - echo "Option --replication_name incompatible with --replication_all, clearing replication_all" >&2 - fi - ;; - esac -} - -_test_exists() { - declare -F "$1" > /dev/null - return $? -} - -while [ $# -gt 0 ]; do - case "$1" in - --su=*) - u="${1#*=}" - shift - exec gosu "${u}" "${BASH_SOURCE[0]}" "$@" - ;; - --su) - shift - u=$1 - shift - exec gosu "$u" "${BASH_SOURCE[0]}" "$@" - ;; - --su-mysql) - shift - exec gosu mysql "${BASH_SOURCE[0]}" "$@" - ;; - --replication_*=*) - # Change the n to what is between _ and = and make lower case - n=${1#*_} - n=${n%%=*} - n=${n,,*} - # v is after the = - v=${1#*=} - repl[$n]=$v - _repl_param_check "$n" - ;; - --replication_*) - # Without =, look for a non --option next as the value, - # otherwise treat it as an "enable", just equate to 1. - # Clearing option is possible with "--replication_X=" - n=${1#*_} - n=${n,,*} - if [ "${2:0:2}" == '--' ]; then - repl[$n]=1 - else - repl[$n]=$2 - shift - fi - _repl_param_check "$n" - ;; - --datadir=*) - datadir=${1#*=} - ;; - --datadir) - shift - datadir=${1} - ;; - --no-defaults) - def=() - nodefaults=1 - ;; - --defaults-file=*|--defaults-extra-file=*|--defaults-group-suffix=*) - n=${1:11} # length --defaults- - n=${n%%=*} - n=${n//-/_} - # v is after the = - v=${1#*=} - def[$n]=$v - nodefaults= - ;; - --defaults-file|--defaults-extra-file|--defaults-group-suffix) - n=${1:11} # length --defaults- - n=${n//-/_} - if [ "${2:0:2}" == '--' ]; then - def[$n]="" - else - def[$n]=$2 - shift - fi - nodefaults= - ;; - --*) - test=${1#--} - ;; - *) - echo "Unknown healthcheck option $1" >&2 - exit 1 - esac - if [ -n "$test" ]; then - if ! _test_exists "$test" ; then - echo "healthcheck unknown option or test '$test'" >&2 - exit 1 - elif ! "$test"; then - echo "healthcheck $test failed" >&2 - exit 1 - fi - test= - fi - shift -done diff --git a/update.sh b/update.sh index 086c349a..8e11747b 100755 --- a/update.sh +++ b/update.sh @@ -8,7 +8,6 @@ development_version=11.6 defaultSuite='noble' declare -A suites=( - [10.4]='focal' [10.5]='focal' [10.6]='focal' [10.11]='jammy' @@ -92,18 +91,6 @@ update_version() vmin=${version%-ubi} # Start using the new executable names case "$vmin" in - 10.4) - sed -i -e '/--old-mode/d' \ - -e 's/REPLICATION REPLICA/REPLICATION SLAVE/' \ - -e 's/START REPLICA/START SLAVE/' \ - -e '/memory\.pressure/,+7d' \ - -e '/--skip-ssl/d' \ - "$version/docker-entrypoint.sh" - sed -i -e 's/ REPLICA\$/ SLAVE$/' \ - -e '/--skip-ssl/d' \ - "$dir"/healthcheck.sh - sed -i -e 's/\/run/\/var\/run\//g' "$dir/Dockerfile" - ;; # almost nothing to see/do here 10.5) sed -i -e '/--old-mode/d' \ -e '/--skip-ssl/d' \ diff --git a/versions.json b/versions.json index 27d291ea..81c58052 100644 --- a/versions.json +++ b/versions.json @@ -153,19 +153,6 @@ "s390x" ] }, - "10.4": { - "milestone": "10.4", - "version": "10.4.34", - "fullVersion": "1:10.4.34+maria~ubu2004", - "releaseStatus": "Stable", - "supportType": "Long Term Support", - "base": "ubuntu:focal", - "arches": [ - "amd64", - "arm64v8", - "ppc64le" - ] - }, "11.6-ubi": { "milestone": "11.6", "version": "11.6.0", From aecdf2e61356f7ecf31a171e4eed180b7021570a Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 20 Jun 2024 18:00:53 +1000 Subject: [PATCH 06/18] Rebase templates on the latest version rather than earliest Correct healthcheck.sh comments. Few minor errors in later versions corrected. 11.6 upgrade file corrected. More resiliant to version changes. Remove mysql/mariadb safe.cnf file that isn't distributed from Dockerfile. --- 10.11-ubi/healthcheck.sh | 4 +- 10.11/healthcheck.sh | 4 +- 10.5/docker-entrypoint.sh | 8 ++-- 10.5/healthcheck.sh | 2 +- 10.6-ubi/healthcheck.sh | 4 +- 10.6/healthcheck.sh | 4 +- 11.1/healthcheck.sh | 4 +- 11.2/Dockerfile | 2 +- 11.2/healthcheck.sh | 4 +- 11.4-ubi/healthcheck.sh | 4 +- 11.4/Dockerfile | 2 +- 11.4/healthcheck.sh | 4 +- 11.5-ubi/healthcheck.sh | 4 +- 11.5/Dockerfile | 2 +- 11.5/healthcheck.sh | 4 +- 11.6-ubi/docker-entrypoint.sh | 8 ++-- 11.6-ubi/healthcheck.sh | 8 ++-- 11.6/Dockerfile | 2 +- 11.6/docker-entrypoint.sh | 8 ++-- 11.6/healthcheck.sh | 8 ++-- Dockerfile.template | 3 +- docker-entrypoint.sh | 40 +++++++++--------- healthcheck.sh | 10 ++--- update.sh | 80 +++++++++++++++++++---------------- 24 files changed, 114 insertions(+), 109 deletions(-) diff --git a/10.11-ubi/healthcheck.sh b/10.11-ubi/healthcheck.sh index 5aea4e8e..5d0a42f7 100755 --- a/10.11-ubi/healthcheck.sh +++ b/10.11-ubi/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # diff --git a/10.11/healthcheck.sh b/10.11/healthcheck.sh index 5aea4e8e..5d0a42f7 100755 --- a/10.11/healthcheck.sh +++ b/10.11/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # diff --git a/10.5/docker-entrypoint.sh b/10.5/docker-entrypoint.sh index 07e1ab4a..69d590cf 100755 --- a/10.5/docker-entrypoint.sh +++ b/10.5/docker-entrypoint.sh @@ -221,16 +221,16 @@ docker_init_database_dir() { installArgs=( --datadir="$DATADIR" --rpm --auth-root-authentication-method=normal ) # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here) - local mariadbdArgs=() + local mysqldArgs=() for arg in "${@:2}"; do # Check if the argument contains whitespace if [[ "$arg" =~ [[:space:]] ]]; then - mysql_warn "Not passing argument \'$arg\' to mariadb-install-db because mariadb-install-db does not support arguments with whitespace." + mysql_warn "Not passing argument \'$arg\' to mysql_install_db because mysql_install_db does not support arguments with whitespace." else - mariadbdArgs+=("$arg") + mysqldArgs+=("$arg") fi done - mysql_install_db "${installArgs[@]}" "${mariadbdArgs[@]}" \ + mysql_install_db "${installArgs[@]}" "${mysqldArgs[@]}" \ --skip-test-db \ --default-time-zone=SYSTEM --enforce-storage-engine= \ --skip-log-bin \ diff --git a/10.5/healthcheck.sh b/10.5/healthcheck.sh index 34674448..b23a9b84 100755 --- a/10.5/healthcheck.sh +++ b/10.5/healthcheck.sh @@ -26,7 +26,7 @@ # replication REPLICATION_CLIENT (<10.5)or REPLICA MONITOR (10.5+) # mariadbupgrade none, however unix user permissions on datadir # -# The SQL user used is the default for the mysql client. This can be the unix user +# The SQL user used is the default for the mariadb client. This can be the unix user # if no user(or password) is set in the [mariadb-client] section of a configuration # file. --defaults-{file,extra-file,group-suffix} can specify a file/configuration # different from elsewhere. diff --git a/10.6-ubi/healthcheck.sh b/10.6-ubi/healthcheck.sh index 5aea4e8e..5d0a42f7 100755 --- a/10.6-ubi/healthcheck.sh +++ b/10.6-ubi/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # diff --git a/10.6/healthcheck.sh b/10.6/healthcheck.sh index 5aea4e8e..5d0a42f7 100755 --- a/10.6/healthcheck.sh +++ b/10.6/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # diff --git a/11.1/healthcheck.sh b/11.1/healthcheck.sh index 784f9bde..06b29f76 100755 --- a/11.1/healthcheck.sh +++ b/11.1/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # diff --git a/11.2/Dockerfile b/11.2/Dockerfile index 657e955f..b867754b 100644 --- a/11.2/Dockerfile +++ b/11.2/Dockerfile @@ -114,7 +114,7 @@ RUN set -ex; \ ; \ rm -rf /var/lib/apt/lists/*; \ # purge and re-create /var/lib/mysql with appropriate ownership - rm -rf /var/lib/mysql /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf; \ + rm -rf /var/lib/mysql; \ mkdir -p /var/lib/mysql /run/mysqld; \ chown -R mysql:mysql /var/lib/mysql /run/mysqld; \ # ensure that /run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime diff --git a/11.2/healthcheck.sh b/11.2/healthcheck.sh index 784f9bde..06b29f76 100755 --- a/11.2/healthcheck.sh +++ b/11.2/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # diff --git a/11.4-ubi/healthcheck.sh b/11.4-ubi/healthcheck.sh index 9138c779..e13db0da 100755 --- a/11.4-ubi/healthcheck.sh +++ b/11.4-ubi/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # diff --git a/11.4/Dockerfile b/11.4/Dockerfile index baf1bfb2..ad9cf624 100644 --- a/11.4/Dockerfile +++ b/11.4/Dockerfile @@ -114,7 +114,7 @@ RUN set -ex; \ ; \ rm -rf /var/lib/apt/lists/*; \ # purge and re-create /var/lib/mysql with appropriate ownership - rm -rf /var/lib/mysql /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf; \ + rm -rf /var/lib/mysql; \ mkdir -p /var/lib/mysql /run/mysqld; \ chown -R mysql:mysql /var/lib/mysql /run/mysqld; \ # ensure that /run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime diff --git a/11.4/healthcheck.sh b/11.4/healthcheck.sh index 9138c779..e13db0da 100755 --- a/11.4/healthcheck.sh +++ b/11.4/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # diff --git a/11.5-ubi/healthcheck.sh b/11.5-ubi/healthcheck.sh index 9138c779..e13db0da 100755 --- a/11.5-ubi/healthcheck.sh +++ b/11.5-ubi/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # diff --git a/11.5/Dockerfile b/11.5/Dockerfile index f70beff3..cdb2d6c9 100644 --- a/11.5/Dockerfile +++ b/11.5/Dockerfile @@ -114,7 +114,7 @@ RUN set -ex; \ ; \ rm -rf /var/lib/apt/lists/*; \ # purge and re-create /var/lib/mysql with appropriate ownership - rm -rf /var/lib/mysql /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf; \ + rm -rf /var/lib/mysql; \ mkdir -p /var/lib/mysql /run/mysqld; \ chown -R mysql:mysql /var/lib/mysql /run/mysqld; \ # ensure that /run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime diff --git a/11.5/healthcheck.sh b/11.5/healthcheck.sh index 9138c779..e13db0da 100755 --- a/11.5/healthcheck.sh +++ b/11.5/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # diff --git a/11.6-ubi/docker-entrypoint.sh b/11.6-ubi/docker-entrypoint.sh index 067998c2..c2be494f 100755 --- a/11.6-ubi/docker-entrypoint.sh +++ b/11.6-ubi/docker-entrypoint.sh @@ -573,8 +573,8 @@ docker_mariadb_backup_system() fi local backup_db="system_mysql_backup_unknown_version.sql.zst" local oldfullversion="unknown_version" - if [ -r "$DATADIR"/mysql_upgrade_info ]; then - read -r -d '' oldfullversion < "$DATADIR"/mysql_upgrade_info || true + if [ -r "$DATADIR"/mariadb_upgrade_info ]; then + read -r -d '' oldfullversion < "$DATADIR"/mariadb_upgrade_info || true if [ -n "$oldfullversion" ]; then backup_db="system_mysql_backup_${oldfullversion}.sql.zst" fi @@ -641,14 +641,14 @@ EOSQL _check_if_upgrade_is_needed() { - if [ ! -f "$DATADIR"/mysql_upgrade_info ]; then + if [ ! -f "$DATADIR"/mariadb_upgrade_info ]; then mysql_note "MariaDB upgrade information missing, assuming required" return 0 fi local mariadbVersion mariadbVersion="$(_mariadb_version)" IFS='.-' read -ra newversion <<<"$mariadbVersion" - IFS='.-' read -ra oldversion < "$DATADIR"/mysql_upgrade_info || true + IFS='.-' read -ra oldversion < "$DATADIR"/mariadb_upgrade_info || true if [[ ${#newversion[@]} -lt 2 ]] || [[ ${#oldversion[@]} -lt 2 ]] \ || [[ ${oldversion[0]} -lt ${newversion[0]} ]] \ diff --git a/11.6-ubi/healthcheck.sh b/11.6-ubi/healthcheck.sh index 7f2b0a69..e13db0da 100755 --- a/11.6-ubi/healthcheck.sh +++ b/11.6-ubi/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # @@ -201,11 +201,11 @@ replication() # mariadbupgrade # -# Test the lock on the file $datadir/mysql_upgrade_info +# Test the lock on the file $datadir/mariadb_upgrade_info # https://jira.mariadb.org/browse/MDEV-27068 mariadbupgrade() { - local f="$datadir/mysql_upgrade_info" + local f="$datadir/mariadb_upgrade_info" if [ -r "$f" ]; then flock --exclusive --nonblock -n 9 9<"$f" return $? diff --git a/11.6/Dockerfile b/11.6/Dockerfile index 7282f520..6eee160d 100644 --- a/11.6/Dockerfile +++ b/11.6/Dockerfile @@ -114,7 +114,7 @@ RUN set -ex; \ ; \ rm -rf /var/lib/apt/lists/*; \ # purge and re-create /var/lib/mysql with appropriate ownership - rm -rf /var/lib/mysql /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf; \ + rm -rf /var/lib/mysql; \ mkdir -p /var/lib/mysql /run/mysqld; \ chown -R mysql:mysql /var/lib/mysql /run/mysqld; \ # ensure that /run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime diff --git a/11.6/docker-entrypoint.sh b/11.6/docker-entrypoint.sh index 067998c2..c2be494f 100755 --- a/11.6/docker-entrypoint.sh +++ b/11.6/docker-entrypoint.sh @@ -573,8 +573,8 @@ docker_mariadb_backup_system() fi local backup_db="system_mysql_backup_unknown_version.sql.zst" local oldfullversion="unknown_version" - if [ -r "$DATADIR"/mysql_upgrade_info ]; then - read -r -d '' oldfullversion < "$DATADIR"/mysql_upgrade_info || true + if [ -r "$DATADIR"/mariadb_upgrade_info ]; then + read -r -d '' oldfullversion < "$DATADIR"/mariadb_upgrade_info || true if [ -n "$oldfullversion" ]; then backup_db="system_mysql_backup_${oldfullversion}.sql.zst" fi @@ -641,14 +641,14 @@ EOSQL _check_if_upgrade_is_needed() { - if [ ! -f "$DATADIR"/mysql_upgrade_info ]; then + if [ ! -f "$DATADIR"/mariadb_upgrade_info ]; then mysql_note "MariaDB upgrade information missing, assuming required" return 0 fi local mariadbVersion mariadbVersion="$(_mariadb_version)" IFS='.-' read -ra newversion <<<"$mariadbVersion" - IFS='.-' read -ra oldversion < "$DATADIR"/mysql_upgrade_info || true + IFS='.-' read -ra oldversion < "$DATADIR"/mariadb_upgrade_info || true if [[ ${#newversion[@]} -lt 2 ]] || [[ ${#oldversion[@]} -lt 2 ]] \ || [[ ${oldversion[0]} -lt ${newversion[0]} ]] \ diff --git a/11.6/healthcheck.sh b/11.6/healthcheck.sh index 7f2b0a69..e13db0da 100755 --- a/11.6/healthcheck.sh +++ b/11.6/healthcheck.sh @@ -10,8 +10,8 @@ # the --replication option. This allows a different set of replication checks # on different connections. # -# --su{=|-mariadb} is option to run the healthcheck as a different unix user. -# Useful if mariadb@localhost user exists with unix socket authentication +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication # Using this option disregards previous options set, so should usually be the # first option. # @@ -201,11 +201,11 @@ replication() # mariadbupgrade # -# Test the lock on the file $datadir/mysql_upgrade_info +# Test the lock on the file $datadir/mariadb_upgrade_info # https://jira.mariadb.org/browse/MDEV-27068 mariadbupgrade() { - local f="$datadir/mysql_upgrade_info" + local f="$datadir/mariadb_upgrade_info" if [ -r "$f" ]; then flock --exclusive --nonblock -n 9 9<"$f" return $? diff --git a/Dockerfile.template b/Dockerfile.template index 57a966c2..970a35bb 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -138,8 +138,7 @@ VOLUME /var/lib/mysql COPY healthcheck.sh /usr/local/bin/healthcheck.sh COPY docker-entrypoint.sh /usr/local/bin/ -RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat ENTRYPOINT ["docker-entrypoint.sh"] EXPOSE 3306 -CMD ["mysqld"] +CMD ["mariadbd"] diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index e6bba572..56897cdd 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -95,7 +95,7 @@ docker_process_init_files() { done } -# arguments necessary to run "mysqld --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values) +# arguments necessary to run "mariadbd --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values) _verboseHelpArgs=( --verbose --help ) @@ -103,12 +103,12 @@ _verboseHelpArgs=( mysql_check_config() { local toRun=( "$@" "${_verboseHelpArgs[@]}" ) errors if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then - mysql_error $'mysqld failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors" + mysql_error $'mariadbd failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors" fi } # Fetch value from server config -# We use mysqld --verbose --help instead of my_print_defaults because the +# We use mariadbd --verbose --help instead of my_print_defaults because the # latter only show values present in config files, and not server defaults mysql_get_config() { local conf="$1"; shift @@ -147,7 +147,7 @@ docker_temp_server_start() { fi } -# Stop the server. When using a local socket file mysqladmin will block until +# Stop the server. When using a local socket file mariadb-admin will block until # the shutdown is complete. docker_temp_server_stop() { kill "$MARIADB_PID" @@ -229,7 +229,7 @@ _mariadb_version() { docker_init_database_dir() { mysql_note "Initializing database files" installArgs=( --datadir="$DATADIR" --rpm --auth-root-authentication-method=normal ) - # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here) + # "Other options are passed to mariadbd." (so we pass all "mariadbd" arguments directly here) local mariadbdArgs=() for arg in "${@:2}"; do @@ -240,7 +240,7 @@ docker_init_database_dir() { mariadbdArgs+=("$arg") fi done - mysql_install_db "${installArgs[@]}" "${mariadbdArgs[@]}" \ + mariadb-install-db "${installArgs[@]}" "${mariadbdArgs[@]}" \ --skip-test-db \ --old-mode='UTF8_IS_UTF8MB3' \ --default-time-zone=SYSTEM --enforce-storage-engine= \ @@ -298,7 +298,7 @@ docker_exec_client() { if [ -n "$MYSQL_DATABASE" ]; then set -- --database="$MYSQL_DATABASE" "$@" fi - mysql --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@" + mariadb --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@" } # Execute sql script, passed via stdin @@ -366,7 +366,7 @@ docker_setup_db() { # --skip-write-binlog usefully disables binary logging # but also outputs LOCK TABLES to improve the IO of # Aria (MDEV-23326) for 10.4+. - mysql_tzinfo_to_sql --skip-write-binlog /usr/share/zoneinfo \ + mariadb-tzinfo-to-sql --skip-write-binlog /usr/share/zoneinfo \ | docker_process_sql --dont-use-mysql-root-password --database=mysql # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet fi @@ -523,7 +523,7 @@ docker_mariadb_init() if [ -f "$DATADIR/.init/backup-my.cnf" ]; then mv "$DATADIR/.init/backup-my.cnf" "$DATADIR/.my.cnf" mysql_note "Adding startup configuration:" - my_print_defaults --defaults-file="$DATADIR/.my.cnf" --mysqld + my_print_defaults --defaults-file="$DATADIR/.my.cnf" --mariadbd fi rm -rf "$DATADIR"/.init "$DATADIR"/.restore if [ "$(id -u)" = "0" ]; then @@ -573,15 +573,15 @@ docker_mariadb_backup_system() fi local backup_db="system_mysql_backup_unknown_version.sql.zst" local oldfullversion="unknown_version" - if [ -r "$DATADIR"/mysql_upgrade_info ]; then - read -r -d '' oldfullversion < "$DATADIR"/mysql_upgrade_info || true + if [ -r "$DATADIR"/mariadb_upgrade_info ]; then + read -r -d '' oldfullversion < "$DATADIR"/mariadb_upgrade_info || true if [ -n "$oldfullversion" ]; then backup_db="system_mysql_backup_${oldfullversion}.sql.zst" fi fi mysql_note "Backing up system database to $backup_db" - if ! mysqldump --skip-lock-tables --replace --databases mysql --socket="${SOCKET}" | zstd > "${DATADIR}/${backup_db}"; then + if ! mariadb-dump --skip-lock-tables --replace --databases mysql --socket="${SOCKET}" | zstd > "${DATADIR}/${backup_db}"; then mysql_error "Unable backup system database for upgrade from $oldfullversion." fi mysql_note "Backing up complete" @@ -592,7 +592,7 @@ docker_mariadb_backup_system() docker_mariadb_upgrade() { if [ -z "$MARIADB_AUTO_UPGRADE" ] \ || [ "$MARIADB_AUTO_UPGRADE" = 0 ]; then - mysql_note "MariaDB upgrade (mysql_upgrade or creating healthcheck users) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting" + mysql_note "MariaDB upgrade (mariadb-upgrade or creating healthcheck users) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting" return fi mysql_note "Starting temporary server" @@ -631,7 +631,7 @@ EOSQL fi mysql_note "Starting mariadb-upgrade" - mysql_upgrade --upgrade-system-tables + mariadb-upgrade --upgrade-system-tables mysql_note "Finished mariadb-upgrade" mysql_note "Stopping temporary server" @@ -641,14 +641,14 @@ EOSQL _check_if_upgrade_is_needed() { - if [ ! -f "$DATADIR"/mysql_upgrade_info ]; then + if [ ! -f "$DATADIR"/mariadb_upgrade_info ]; then mysql_note "MariaDB upgrade information missing, assuming required" return 0 fi local mariadbVersion mariadbVersion="$(_mariadb_version)" IFS='.-' read -ra newversion <<<"$mariadbVersion" - IFS='.-' read -ra oldversion < "$DATADIR"/mysql_upgrade_info || true + IFS='.-' read -ra oldversion < "$DATADIR"/mariadb_upgrade_info || true if [[ ${#newversion[@]} -lt 2 ]] || [[ ${#oldversion[@]} -lt 2 ]] \ || [[ ${oldversion[0]} -lt ${newversion[0]} ]] \ @@ -663,7 +663,7 @@ _check_if_upgrade_is_needed() { return 1 } -# check arguments for an option that would cause mysqld to stop +# check arguments for an option that would cause mariadbd to stop # return true if there is one _mysql_want_help() { local arg @@ -678,9 +678,9 @@ _mysql_want_help() { } _main() { - # if command starts with an option, prepend mysqld + # if command starts with an option, prepend mariadbd if [ "${1:0:1}" = '-' ]; then - set -- mysqld "$@" + set -- mariadbd "$@" fi #ENDOFSUBSTITUTIONS @@ -705,7 +705,7 @@ _main() { docker_mariadb_init "$@" # MDEV-27636 mariadb_upgrade --check-if-upgrade-is-needed cannot be run offline - #elif mysql_upgrade --check-if-upgrade-is-needed; then + #elif mariadb-upgrade --check-if-upgrade-is-needed; then elif _check_if_upgrade_is_needed; then docker_mariadb_upgrade "$@" fi diff --git a/healthcheck.sh b/healthcheck.sh index 5c8e01c3..e13db0da 100755 --- a/healthcheck.sh +++ b/healthcheck.sh @@ -26,7 +26,7 @@ # replication REPLICATION_CLIENT (<10.5)or REPLICA MONITOR (10.5+) # mariadbupgrade none, however unix user permissions on datadir # -# The SQL user used is the default for the mysql client. This can be the unix user +# The SQL user used is the default for the mariadb client. This can be the unix user # if no user(or password) is set in the [mariadb-client] section of a configuration # file. --defaults-{file,extra-file,group-suffix} can specify a file/configuration # different from elsewhere. @@ -38,7 +38,7 @@ set -eo pipefail _process_sql() { - mysql ${nodefaults:+--no-defaults} \ + mariadb ${nodefaults:+--no-defaults} \ ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ @@ -59,7 +59,7 @@ connect() set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 - mysql ${nodefaults:+--no-defaults} \ + mariadb ${nodefaults:+--no-defaults} \ ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ @@ -201,11 +201,11 @@ replication() # mariadbupgrade # -# Test the lock on the file $datadir/mysql_upgrade_info +# Test the lock on the file $datadir/mariadb_upgrade_info # https://jira.mariadb.org/browse/MDEV-27068 mariadbupgrade() { - local f="$datadir/mysql_upgrade_info" + local f="$datadir/mariadb_upgrade_info" if [ -r "$f" ]; then flock --exclusive --nonblock -n 9 9<"$f" return $? diff --git a/update.sh b/update.sh index 8e11747b..c76a30e8 100755 --- a/update.sh +++ b/update.sh @@ -94,49 +94,55 @@ update_version() 10.5) sed -i -e '/--old-mode/d' \ -e '/--skip-ssl/d' \ + -e 's/mariadb-upgrade\([^_"]\)/mysql_upgrade\1/' \ + -e 's/mariadb-dump/mysqldump/' \ + -e 's/mariadb-admin/mysqladmin/' \ + -e 's/\bmariadb --protocol\b/mysql --protocol/' \ + -e 's/mariadb-install-db/mysql_install_db/g' \ + -e 's/--mariadbd/--mysqld/' \ + -e 's/mariadb-tzinfo-to-sql/mysql_tzinfo_to_sql/' \ + -e '0,/#ENDOFSUBSTITUTIONS/s/mariadbd/mysqld/g' \ -e '/memory\.pressure/,+7d' "$dir/docker-entrypoint.sh" - sed -i '/backwards compat/d' "$dir/Dockerfile" sed -i -e '/--skip-ssl/d' \ - "$dir"/healthcheck.sh + -e '0,/#ENDOFSUBSTITUTIONS/s/\tmariadb/\tmysql/' "$dir/healthcheck.sh" + sed -i -e '/^CMD/s/mariadbd/mysqld/' "$dir/Dockerfile" + sed -i -e 's/mariadb_upgrade_info/mysql_upgrade_info/' \ + "$dir/docker-entrypoint.sh" "$dir/healthcheck.sh" ;; - *) - sed -i -e '/^CMD/s/mysqld/mariadbd/' \ - -e '/backwards compat/d' "$dir/Dockerfile" - sed -i -e 's/mysql_upgrade\([^_]\)/mariadb-upgrade\1/' \ - -e 's/mysqldump/mariadb-dump/' \ - -e 's/mysqladmin/mariadb-admin/' \ - -e 's/\bmysql --protocol\b/mariadb --protocol/' \ - -e 's/mysql_install_db/mariadb-install-db/' \ - -e 's/mysql_tzinfo_to_sql/mariadb-tzinfo-to-sql/' \ + 10.6) + sed -i -e '/memory\.pressure/,+7d' \ + -e 's/--mariadbd/--mysqld/' \ "$dir/docker-entrypoint.sh" - if [ "$vmin" = 10.6 ]; then - # my_print_defaults didn't recognise --mysqld until 10.11 - sed -i -e '0,/#ENDOFSUBSTITUTIONS/s/\([^-]\)mysqld/\1mariadbd/g' \ - "$dir/docker-entrypoint.sh" - else - sed -i -e '0,/#ENDOFSUBSTITUTIONS/s/\mysqld/mariadbd/g' \ - "$dir/docker-entrypoint.sh" - fi - sed -i -e '0,/#ENDOFSUBSTITUTIONS/s/\bmysql\b/mariadb/' "$dir/healthcheck.sh" - if [[ ! "${vmin}" =~ 10.[678] ]]; then - # quoted $ intentional - # shellcheck disable=SC2016 - sed -i -e '/^ARG MARIADB_MAJOR/d' \ - -e '/^ENV MARIADB_MAJOR/d' \ - -e 's/-\$MARIADB_MAJOR//' \ - "$dir/Dockerfile" - else - sed -i -e '/memory\.pressure/,+7d' "$dir/docker-entrypoint.sh" - fi - if [[ $vmin = 10.* || $vmin =~ 11.[12] ]]; then - sed -i -e '/--skip-ssl/d' "$dir/docker-entrypoint.sh" "$dir/healthcheck.sh" - fi - if [[ $vmin =~ 11.[012345] ]]; then - sed -i -e 's/mysql_upgrade_info/mariadb_upgrade_info/' \ - "$dir/docker-entrypoint.sh" "$dir/healthcheck.sh" + sed -i -e '/--skip-ssl/d' "$dir/docker-entrypoint.sh" "$dir/healthcheck.sh" + sed -i -e 's/mariadb_upgrade_info/mysql_upgrade_info/' \ + "$dir/docker-entrypoint.sh" "$dir/healthcheck.sh" + ;; + 10.11) + sed -i -e 's/mariadb_upgrade_info/mysql_upgrade_info/' \ + -e '/--skip-ssl/d' \ + "$dir/docker-entrypoint.sh" "$dir/healthcheck.sh" + # quoted $ intentional + # shellcheck disable=SC2016 + sed -i -e '/^ARG MARIADB_MAJOR/d' \ + -e '/^ENV MARIADB_MAJOR/d' \ + -e 's/-\$MARIADB_MAJOR//' \ + "$dir/Dockerfile" + ;; + *) + # quoted $ intentional + # shellcheck disable=SC2016 + sed -i -e '/^ARG MARIADB_MAJOR/d' \ + -e '/^ENV MARIADB_MAJOR/d' \ + -e 's/-\$MARIADB_MAJOR//' \ + "$dir/Dockerfile" + if [[ $vmin =~ 11.[12] ]]; then + sed -i -e '/--skip-ssl/d' \ + "$dir/docker-entrypoint.sh" "$dir/healthcheck.sh" fi - if [[ $vmin =~ 11.[01] ]]; then + if [ "$vmin" == 11.1 ]; then sed -i -e 's/50-mysqld_safe.cnf/50-mariadb_safe.cnf/' "$dir/Dockerfile" + else + sed -i -e 's/ \/[^ ]*50-mysqld_safe.cnf//' "$dir/Dockerfile" fi ;& esac From fb46c566261b95c3d19e9aaaa147b1c12d332868 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 20 Jun 2024 18:15:21 +1000 Subject: [PATCH 07/18] purge of noble ubuntu user Some users depend on a groupid of 1000 as empty. Its not really used by us so lets remove the entire ubuntu user and the ubuntu group that came with it. e.g; https://github.com/FREVA-CLINT/freva/pull/204 --- 11.4/Dockerfile | 2 +- 11.5/Dockerfile | 2 +- 11.6/Dockerfile | 2 +- Dockerfile.template | 2 +- update.sh | 9 ++++++++- 5 files changed, 12 insertions(+), 5 deletions(-) diff --git a/11.4/Dockerfile b/11.4/Dockerfile index ad9cf624..6e2248dd 100644 --- a/11.4/Dockerfile +++ b/11.4/Dockerfile @@ -2,7 +2,7 @@ FROM ubuntu:noble # add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added -RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql +RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql && userdel --remove ubuntu # add gosu for easy step-down from root # https://github.com/tianon/gosu/releases diff --git a/11.5/Dockerfile b/11.5/Dockerfile index cdb2d6c9..baa27756 100644 --- a/11.5/Dockerfile +++ b/11.5/Dockerfile @@ -2,7 +2,7 @@ FROM ubuntu:noble # add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added -RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql +RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql && userdel --remove ubuntu # add gosu for easy step-down from root # https://github.com/tianon/gosu/releases diff --git a/11.6/Dockerfile b/11.6/Dockerfile index 6eee160d..06bf0e38 100644 --- a/11.6/Dockerfile +++ b/11.6/Dockerfile @@ -2,7 +2,7 @@ FROM ubuntu:noble # add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added -RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql +RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql && userdel --remove ubuntu # add gosu for easy step-down from root # https://github.com/tianon/gosu/releases diff --git a/Dockerfile.template b/Dockerfile.template index 970a35bb..66b338cb 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -2,7 +2,7 @@ FROM ubuntu:%%SUITE%% # add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added -RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql +RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql && userdel --remove ubuntu # add gosu for easy step-down from root # https://github.com/tianon/gosu/releases diff --git a/update.sh b/update.sh index c76a30e8..eb7eb8d2 100755 --- a/update.sh +++ b/update.sh @@ -105,7 +105,9 @@ update_version() -e '/memory\.pressure/,+7d' "$dir/docker-entrypoint.sh" sed -i -e '/--skip-ssl/d' \ -e '0,/#ENDOFSUBSTITUTIONS/s/\tmariadb/\tmysql/' "$dir/healthcheck.sh" - sed -i -e '/^CMD/s/mariadbd/mysqld/' "$dir/Dockerfile" + sed -i -e '/^CMD/s/mariadbd/mysqld/' \ + -e 's/ && userdel.*//' \ + "$dir/Dockerfile" sed -i -e 's/mariadb_upgrade_info/mysql_upgrade_info/' \ "$dir/docker-entrypoint.sh" "$dir/healthcheck.sh" ;; @@ -116,6 +118,8 @@ update_version() sed -i -e '/--skip-ssl/d' "$dir/docker-entrypoint.sh" "$dir/healthcheck.sh" sed -i -e 's/mariadb_upgrade_info/mysql_upgrade_info/' \ "$dir/docker-entrypoint.sh" "$dir/healthcheck.sh" + sed -i -e 's/ && userdel.*//' \ + "$dir/Dockerfile" ;; 10.11) sed -i -e 's/mariadb_upgrade_info/mysql_upgrade_info/' \ @@ -126,6 +130,7 @@ update_version() sed -i -e '/^ARG MARIADB_MAJOR/d' \ -e '/^ENV MARIADB_MAJOR/d' \ -e 's/-\$MARIADB_MAJOR//' \ + -e 's/ && userdel.*//' \ "$dir/Dockerfile" ;; *) @@ -138,6 +143,8 @@ update_version() if [[ $vmin =~ 11.[12] ]]; then sed -i -e '/--skip-ssl/d' \ "$dir/docker-entrypoint.sh" "$dir/healthcheck.sh" + sed -i -e 's/ && userdel.*//' \ + "$dir/Dockerfile" fi if [ "$vmin" == 11.1 ]; then sed -i -e 's/50-mysqld_safe.cnf/50-mariadb_safe.cnf/' "$dir/Dockerfile" From 0de351bfed7c9aa93908f252f61bf3985a59a092 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 21 Jun 2024 13:11:24 +1000 Subject: [PATCH 08/18] chowns are non-fatal There may be cases where specific files are readonly, like .my-healthcheck.cnf due to filesystem mounts. So lets make the ownership/permission changes optional. Closes: #573 --- 10.11-ubi/docker-entrypoint.sh | 6 +++--- 10.11/docker-entrypoint.sh | 6 +++--- 10.5/docker-entrypoint.sh | 6 +++--- 10.6-ubi/docker-entrypoint.sh | 6 +++--- 10.6/docker-entrypoint.sh | 6 +++--- 11.1/docker-entrypoint.sh | 6 +++--- 11.2/docker-entrypoint.sh | 6 +++--- 11.4-ubi/docker-entrypoint.sh | 6 +++--- 11.4/docker-entrypoint.sh | 6 +++--- 11.5-ubi/docker-entrypoint.sh | 6 +++--- 11.5/docker-entrypoint.sh | 6 +++--- 11.6-ubi/docker-entrypoint.sh | 6 +++--- 11.6/docker-entrypoint.sh | 6 +++--- docker-entrypoint.sh | 6 +++--- 14 files changed, 42 insertions(+), 42 deletions(-) diff --git a/10.11-ubi/docker-entrypoint.sh b/10.11-ubi/docker-entrypoint.sh index 4af730a2..2877fc47 100755 --- a/10.11-ubi/docker-entrypoint.sh +++ b/10.11-ubi/docker-entrypoint.sh @@ -204,9 +204,9 @@ docker_create_db_directories() { if [ "$user" = "0" ]; then # this will cause less disk access than `chown -R` - find "$DATADIR" \! -user mysql -exec chown mysql: '{}' + + find "$DATADIR" \! -user mysql \( -exec chown mysql: '{}' + -o -true \) # See https://github.com/MariaDB/mariadb-docker/issues/363 - find "${SOCKET%/*}" -maxdepth 0 \! -user mysql -exec chown mysql: '{}' \; + find "${SOCKET%/*}" -maxdepth 0 \! -user mysql \( -exec chown mysql: '{}' \; -o -true \) # memory.pressure local cgroup; cgroup=$( Date: Wed, 26 Jun 2024 18:30:38 +1000 Subject: [PATCH 09/18] @bstract sockets - do not chown --- 10.11-ubi/docker-entrypoint.sh | 4 +++- 10.11/docker-entrypoint.sh | 4 +++- 10.5/docker-entrypoint.sh | 4 +++- 10.6-ubi/docker-entrypoint.sh | 4 +++- 10.6/docker-entrypoint.sh | 4 +++- 11.1/docker-entrypoint.sh | 4 +++- 11.2/docker-entrypoint.sh | 4 +++- 11.4-ubi/docker-entrypoint.sh | 4 +++- 11.4/docker-entrypoint.sh | 4 +++- 11.5-ubi/docker-entrypoint.sh | 4 +++- 11.5/docker-entrypoint.sh | 4 +++- 11.6-ubi/docker-entrypoint.sh | 4 +++- 11.6/docker-entrypoint.sh | 4 +++- docker-entrypoint.sh | 4 +++- 14 files changed, 42 insertions(+), 14 deletions(-) diff --git a/10.11-ubi/docker-entrypoint.sh b/10.11-ubi/docker-entrypoint.sh index 2877fc47..1b3a263c 100755 --- a/10.11-ubi/docker-entrypoint.sh +++ b/10.11-ubi/docker-entrypoint.sh @@ -206,7 +206,9 @@ docker_create_db_directories() { # this will cause less disk access than `chown -R` find "$DATADIR" \! -user mysql \( -exec chown mysql: '{}' + -o -true \) # See https://github.com/MariaDB/mariadb-docker/issues/363 - find "${SOCKET%/*}" -maxdepth 0 \! -user mysql \( -exec chown mysql: '{}' \; -o -true \) + if [ "${SOCKET:0:1}" != '@' ]; then # not abstract sockets + find "${SOCKET%/*}" -maxdepth 0 \! -user mysql \( -exec chown mysql: '{}' \; -o -true \) + fi # memory.pressure local cgroup; cgroup=$( Date: Tue, 25 Jun 2024 15:30:16 +1000 Subject: [PATCH 10/18] correct healthcheck.sh under --require-secure-transport require-secure-transport on the server mandates that tls or unix socket be used. The healthcheck user doesn't have explict tls credentials, so would have failed. 11.4+ would have tls negiotated, except in #594 it was disabled for people that didn't configure ssl-ca correctly. To resolve this _process_sql adds an explict --protocol socket to get around the default configuration of 'protocol=tcp' in .my-healthcheck.sh. The protocol=tcp was there to catch people who put `healthcheck.sh --innodb_initialized` to discover it checked that in the starting phase of the container, without a tcp connection being available, it still returned true. We work around this my making a connection test always occur in the healthcheck. Remove the protocol=tcp from the generation of .my-healthcheck.cnf files. --connect, as a method that requires to test the connection, we add a mechanims that examines @@skip_networking and considers that if false, the connection is viable. We made a unix socket connection to do the test, which is active the same time as tcp sockets are. This alternate --connect method would have only worked the credentials of the healthcheck user where valid. If it isn't fall back to looking for "Can't connect". Closes: #596 --- .test/run.sh | 2 +- 10.11-ubi/docker-entrypoint.sh | 2 +- 10.11-ubi/healthcheck.sh | 26 +++++++++++++++++++++++--- 10.11/docker-entrypoint.sh | 2 +- 10.11/healthcheck.sh | 26 +++++++++++++++++++++++--- 10.5/docker-entrypoint.sh | 2 +- 10.5/healthcheck.sh | 26 +++++++++++++++++++++++--- 10.6-ubi/docker-entrypoint.sh | 2 +- 10.6-ubi/healthcheck.sh | 26 +++++++++++++++++++++++--- 10.6/docker-entrypoint.sh | 2 +- 10.6/healthcheck.sh | 26 +++++++++++++++++++++++--- 11.1/docker-entrypoint.sh | 2 +- 11.1/healthcheck.sh | 26 +++++++++++++++++++++++--- 11.2/docker-entrypoint.sh | 2 +- 11.2/healthcheck.sh | 26 +++++++++++++++++++++++--- 11.4-ubi/docker-entrypoint.sh | 2 +- 11.4-ubi/healthcheck.sh | 26 +++++++++++++++++++++++--- 11.4/docker-entrypoint.sh | 2 +- 11.4/healthcheck.sh | 26 +++++++++++++++++++++++--- 11.5-ubi/docker-entrypoint.sh | 2 +- 11.5-ubi/healthcheck.sh | 26 +++++++++++++++++++++++--- 11.5/docker-entrypoint.sh | 2 +- 11.5/healthcheck.sh | 26 +++++++++++++++++++++++--- 11.6-ubi/docker-entrypoint.sh | 2 +- 11.6-ubi/healthcheck.sh | 26 +++++++++++++++++++++++--- 11.6/docker-entrypoint.sh | 2 +- 11.6/healthcheck.sh | 26 +++++++++++++++++++++++--- docker-entrypoint.sh | 2 +- healthcheck.sh | 26 +++++++++++++++++++++++--- 29 files changed, 337 insertions(+), 57 deletions(-) diff --git a/.test/run.sh b/.test/run.sh index b7ad77eb..bb3e7d92 100755 --- a/.test/run.sh +++ b/.test/run.sh @@ -765,7 +765,7 @@ fi --network=container:"$master_host" \ --health-cmd='healthcheck.sh --replication_io --replication_sql --replication_seconds_behind_master=0 --replication' \ --health-interval=3s \ - "$image" --server-id=2 --port 3307) + "$image" --server-id=2 --port 3307 --require-secure-transport=1) c="${DOCKER_LIBRARY_START_TIMEOUT:-10}" until docker exec "$cid" healthcheck.sh --connect --replication_io --replication_sql --replication_seconds_behind_master=0 --replication || [ "$c" -eq 0 ] diff --git a/10.11-ubi/docker-entrypoint.sh b/10.11-ubi/docker-entrypoint.sh index 1b3a263c..3e1aa001 100755 --- a/10.11-ubi/docker-entrypoint.sh +++ b/10.11-ubi/docker-entrypoint.sh @@ -355,7 +355,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/10.11-ubi/healthcheck.sh b/10.11-ubi/healthcheck.sh index 5d0a42f7..37227edd 100755 --- a/10.11-ubi/healthcheck.sh +++ b/10.11-ubi/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -42,6 +42,7 @@ _process_sql() ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --protocol socket \ -B "$@" } @@ -55,6 +56,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -68,9 +79,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -225,6 +238,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -351,3 +365,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/10.11/docker-entrypoint.sh b/10.11/docker-entrypoint.sh index 1b3a263c..3e1aa001 100755 --- a/10.11/docker-entrypoint.sh +++ b/10.11/docker-entrypoint.sh @@ -355,7 +355,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/10.11/healthcheck.sh b/10.11/healthcheck.sh index 5d0a42f7..37227edd 100755 --- a/10.11/healthcheck.sh +++ b/10.11/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -42,6 +42,7 @@ _process_sql() ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --protocol socket \ -B "$@" } @@ -55,6 +56,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -68,9 +79,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -225,6 +238,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -351,3 +365,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/10.5/docker-entrypoint.sh b/10.5/docker-entrypoint.sh index 82d29563..23e54062 100755 --- a/10.5/docker-entrypoint.sh +++ b/10.5/docker-entrypoint.sh @@ -346,7 +346,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/10.5/healthcheck.sh b/10.5/healthcheck.sh index b23a9b84..17528ce8 100755 --- a/10.5/healthcheck.sh +++ b/10.5/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -42,6 +42,7 @@ _process_sql() ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --protocol socket \ -B "$@" } @@ -55,6 +56,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -68,9 +79,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -225,6 +238,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -351,3 +365,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/10.6-ubi/docker-entrypoint.sh b/10.6-ubi/docker-entrypoint.sh index d9dc489d..e049b08b 100755 --- a/10.6-ubi/docker-entrypoint.sh +++ b/10.6-ubi/docker-entrypoint.sh @@ -347,7 +347,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/10.6-ubi/healthcheck.sh b/10.6-ubi/healthcheck.sh index 5d0a42f7..37227edd 100755 --- a/10.6-ubi/healthcheck.sh +++ b/10.6-ubi/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -42,6 +42,7 @@ _process_sql() ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --protocol socket \ -B "$@" } @@ -55,6 +56,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -68,9 +79,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -225,6 +238,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -351,3 +365,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/10.6/docker-entrypoint.sh b/10.6/docker-entrypoint.sh index d9dc489d..e049b08b 100755 --- a/10.6/docker-entrypoint.sh +++ b/10.6/docker-entrypoint.sh @@ -347,7 +347,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/10.6/healthcheck.sh b/10.6/healthcheck.sh index 5d0a42f7..37227edd 100755 --- a/10.6/healthcheck.sh +++ b/10.6/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -42,6 +42,7 @@ _process_sql() ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --protocol socket \ -B "$@" } @@ -55,6 +56,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -68,9 +79,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -225,6 +238,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -351,3 +365,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/11.1/docker-entrypoint.sh b/11.1/docker-entrypoint.sh index 62de635e..5f814b6f 100755 --- a/11.1/docker-entrypoint.sh +++ b/11.1/docker-entrypoint.sh @@ -355,7 +355,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/11.1/healthcheck.sh b/11.1/healthcheck.sh index 06b29f76..b8909c75 100755 --- a/11.1/healthcheck.sh +++ b/11.1/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -42,6 +42,7 @@ _process_sql() ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --protocol socket \ -B "$@" } @@ -55,6 +56,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -68,9 +79,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -225,6 +238,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -351,3 +365,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/11.2/docker-entrypoint.sh b/11.2/docker-entrypoint.sh index 54cf5b8f..61f1799c 100755 --- a/11.2/docker-entrypoint.sh +++ b/11.2/docker-entrypoint.sh @@ -355,7 +355,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/11.2/healthcheck.sh b/11.2/healthcheck.sh index 06b29f76..b8909c75 100755 --- a/11.2/healthcheck.sh +++ b/11.2/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -42,6 +42,7 @@ _process_sql() ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --protocol socket \ -B "$@" } @@ -55,6 +56,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -68,9 +79,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -225,6 +238,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -351,3 +365,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/11.4-ubi/docker-entrypoint.sh b/11.4-ubi/docker-entrypoint.sh index 7320fa9e..de35bc16 100755 --- a/11.4-ubi/docker-entrypoint.sh +++ b/11.4-ubi/docker-entrypoint.sh @@ -357,7 +357,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/11.4-ubi/healthcheck.sh b/11.4-ubi/healthcheck.sh index e13db0da..c5dcbd38 100755 --- a/11.4-ubi/healthcheck.sh +++ b/11.4-ubi/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -43,6 +43,7 @@ _process_sql() ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ --skip-ssl --skip-ssl-verify-server-cert \ + --protocol socket \ -B "$@" } @@ -56,6 +57,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -70,9 +81,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -227,6 +240,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -353,3 +367,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/11.4/docker-entrypoint.sh b/11.4/docker-entrypoint.sh index 7320fa9e..de35bc16 100755 --- a/11.4/docker-entrypoint.sh +++ b/11.4/docker-entrypoint.sh @@ -357,7 +357,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/11.4/healthcheck.sh b/11.4/healthcheck.sh index e13db0da..c5dcbd38 100755 --- a/11.4/healthcheck.sh +++ b/11.4/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -43,6 +43,7 @@ _process_sql() ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ --skip-ssl --skip-ssl-verify-server-cert \ + --protocol socket \ -B "$@" } @@ -56,6 +57,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -70,9 +81,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -227,6 +240,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -353,3 +367,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/11.5-ubi/docker-entrypoint.sh b/11.5-ubi/docker-entrypoint.sh index 8f3c834c..c6108657 100755 --- a/11.5-ubi/docker-entrypoint.sh +++ b/11.5-ubi/docker-entrypoint.sh @@ -357,7 +357,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/11.5-ubi/healthcheck.sh b/11.5-ubi/healthcheck.sh index e13db0da..c5dcbd38 100755 --- a/11.5-ubi/healthcheck.sh +++ b/11.5-ubi/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -43,6 +43,7 @@ _process_sql() ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ --skip-ssl --skip-ssl-verify-server-cert \ + --protocol socket \ -B "$@" } @@ -56,6 +57,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -70,9 +81,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -227,6 +240,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -353,3 +367,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/11.5/docker-entrypoint.sh b/11.5/docker-entrypoint.sh index 8f3c834c..c6108657 100755 --- a/11.5/docker-entrypoint.sh +++ b/11.5/docker-entrypoint.sh @@ -357,7 +357,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/11.5/healthcheck.sh b/11.5/healthcheck.sh index e13db0da..c5dcbd38 100755 --- a/11.5/healthcheck.sh +++ b/11.5/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -43,6 +43,7 @@ _process_sql() ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ --skip-ssl --skip-ssl-verify-server-cert \ + --protocol socket \ -B "$@" } @@ -56,6 +57,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -70,9 +81,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -227,6 +240,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -353,3 +367,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/11.6-ubi/docker-entrypoint.sh b/11.6-ubi/docker-entrypoint.sh index 248bae46..ddb2874f 100755 --- a/11.6-ubi/docker-entrypoint.sh +++ b/11.6-ubi/docker-entrypoint.sh @@ -357,7 +357,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/11.6-ubi/healthcheck.sh b/11.6-ubi/healthcheck.sh index e13db0da..c5dcbd38 100755 --- a/11.6-ubi/healthcheck.sh +++ b/11.6-ubi/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -43,6 +43,7 @@ _process_sql() ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ --skip-ssl --skip-ssl-verify-server-cert \ + --protocol socket \ -B "$@" } @@ -56,6 +57,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -70,9 +81,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -227,6 +240,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -353,3 +367,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/11.6/docker-entrypoint.sh b/11.6/docker-entrypoint.sh index 248bae46..ddb2874f 100755 --- a/11.6/docker-entrypoint.sh +++ b/11.6/docker-entrypoint.sh @@ -357,7 +357,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/11.6/healthcheck.sh b/11.6/healthcheck.sh index e13db0da..c5dcbd38 100755 --- a/11.6/healthcheck.sh +++ b/11.6/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -43,6 +43,7 @@ _process_sql() ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ --skip-ssl --skip-ssl-verify-server-cert \ + --protocol socket \ -B "$@" } @@ -56,6 +57,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -70,9 +81,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -227,6 +240,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -353,3 +367,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index dd0cdd00..f5b54ed6 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -357,7 +357,7 @@ create_healthcheck_users() { local maskPreserve maskPreserve=$(umask -p) umask 0077 - echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" > "$DATADIR"/.my-healthcheck.cnf $maskPreserve } diff --git a/healthcheck.sh b/healthcheck.sh index e13db0da..c5dcbd38 100755 --- a/healthcheck.sh +++ b/healthcheck.sh @@ -32,7 +32,7 @@ # different from elsewhere. # # Note * though denied error message will result in error log without -# any permissions. +# any permissions. USAGE recommend to avoid this. set -eo pipefail @@ -43,6 +43,7 @@ _process_sql() ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ --skip-ssl --skip-ssl-verify-server-cert \ + --protocol socket \ -B "$@" } @@ -56,6 +57,16 @@ _process_sql() # isn't tested. connect() { + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. set +e +o pipefail # (on second extra_file) # shellcheck disable=SC2086 @@ -70,9 +81,11 @@ connect() set -eo pipefail if (( "$ret" == 0 )); then # grep Matched "Can't connect" so we fail - return 1 + connect_s=1 + else + connect_s=0 fi - return 0 + return $connect_s } # INNODB_INITIALIZED @@ -227,6 +240,7 @@ fi declare -A repl declare -A def nodefaults= +connect_s= datadir=/var/lib/mysql if [ -f $datadir/.my-healthcheck.cnf ]; then def['extra_file']=$datadir/.my-healthcheck.cnf @@ -353,3 +367,9 @@ while [ $# -gt 0 ]; do fi shift done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi From 4b165bdcddabe80917ae0ea3de9197991cc4f8d4 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 3 Jul 2024 08:37:35 +1000 Subject: [PATCH 11/18] Revert "ci: mariadb operator incompatible with MariaDB 10.5" This reverts commit e3e20e14ab7575cae07208c7c4d48de16c98752f. MariaDB Operator corrected https://github.com/mariadb-operator/mariadb-operator/issues/657 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d83b70cf..eca34c89 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -63,7 +63,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Check for registry credentials - if: github.repository == 'MariaDB/mariadb-docker' && github.ref == 'refs/heads/master' && {{ matrix.directory != 10.5 }} + if: github.repository == 'MariaDB/mariadb-docker' && github.ref == 'refs/heads/master' run: | missing=() [[ -n "${{ secrets.MARIADB_OPERATOR_TOKEN }}" ]] || missing+=(MARIADB_OPERATOR_TOKEN) From 39eeacabec972b55597e7d93820f4344001a4a90 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Mon, 22 Jul 2024 18:20:14 +1000 Subject: [PATCH 12/18] initial incomplete support for main branch --- main-ubi/Dockerfile | 111 ++++++ main-ubi/MariaDB.repo | 7 + main-ubi/docker-entrypoint.sh | 721 ++++++++++++++++++++++++++++++++++ main-ubi/docker.cnf | 14 + main-ubi/healthcheck.sh | 375 ++++++++++++++++++ main/Dockerfile | 142 +++++++ main/docker-entrypoint.sh | 721 ++++++++++++++++++++++++++++++++++ main/healthcheck.sh | 375 ++++++++++++++++++ update.sh | 2 +- versions.json | 28 ++ 10 files changed, 2495 insertions(+), 1 deletion(-) create mode 100644 main-ubi/Dockerfile create mode 100644 main-ubi/MariaDB.repo create mode 100755 main-ubi/docker-entrypoint.sh create mode 100644 main-ubi/docker.cnf create mode 100755 main-ubi/healthcheck.sh create mode 100644 main/Dockerfile create mode 100755 main/docker-entrypoint.sh create mode 100755 main/healthcheck.sh diff --git a/main-ubi/Dockerfile b/main-ubi/Dockerfile new file mode 100644 index 00000000..17d5189c --- /dev/null +++ b/main-ubi/Dockerfile @@ -0,0 +1,111 @@ +FROM redhat/ubi9-minimal + +# user 999/ group 999, that we want to use for compatibility with the ubuntu image. +RUN groupadd --gid 999 -r mysql && \ + useradd -r -g mysql mysql --home-dir /var/lib/mysql --uid 999 + +ENV GOSU_VERSION 1.17 +RUN set -eux; \ + rpmArch="$(rpm --query --queryformat='%{ARCH}' rpm)"; \ + case "$rpmArch" in \ + aarch64) dpkgArch='arm64' ;; \ + armv7*) dpkgArch='armhf' ;; \ + i686) dpkgArch='i386' ;; \ + ppc64le) dpkgArch='ppc64el' ;; \ + s390x|riscv64) dpkgArch=$rpmArch ;; \ + x86_64) dpkgArch='amd64' ;; \ + *) echo >&2 "error: unknown/unsupported architecture '$rpmArch'"; exit 1 ;; \ + esac; \ + curl --fail --location --output /usr/local/bin/gosu https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch} ; \ + curl --fail --location --output /usr/local/bin/gosu.asc https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}.asc; \ + GNUPGHOME="$(mktemp -d)"; \ + export GNUPGHOME; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + chmod a+x /usr/local/bin/gosu; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + gosu --version; \ + gosu nobody true + +COPY --chmod=0644 docker.cnf /etc/my.cnf.d/ + +COPY MariaDB.repo /etc/yum.repos.d/ + +# HasRequiredLabel requirement from Red Hat OpenShift Software Certification +# https://access.redhat.com/documentation/en-us/red_hat_software_certification/2024/html/red_hat_openshift_software_certification_policy_guide/assembly-requirements-for-container-images_openshift-sw-cert-policy-introduction#con-image-metadata-requirements_openshift-sw-cert-policy-container-images +LABEL name="MariaDB Server" \ + vendor="MariaDB Community" \ + version="main.0" \ + release="Refer to Annotations org.opencontainers.image.{revision,source}" \ + summary="MariaDB Database" \ + description="MariaDB Database for relational SQL" + +# OCI annotations to image +LABEL org.opencontainers.image.authors="MariaDB Community" \ + org.opencontainers.image.title="MariaDB Database" \ + org.opencontainers.image.description="MariaDB Database for relational SQL" \ + org.opencontainers.image.documentation="https://hub.docker.com/_/mariadb/" \ + org.opencontainers.image.base.name="docker.io/redhat/ubi9-minimal" \ + org.opencontainers.image.licenses="GPL-2.0" \ + org.opencontainers.image.source="https://github.com/MariaDB/mariadb-docker" \ + org.opencontainers.image.vendor="MariaDB Community" \ + org.opencontainers.image.version="main.0" \ + org.opencontainers.image.url="https://github.com/MariaDB/mariadb-docker" + +# bashbrew-architectures: amd64 arm64v8 ppc64le s390x +ARG MARIADB_VERSION=main.0 +# release-status:Alpha +# release-support-type:Unknown +# (https://downloads.mariadb.org/rest-api/mariadb/) + +# missing pwgen(epel), jemalloc(epel) (as entrypoint/user extensions) +# procps, pv(epel) - missing dependencies of galera sst script +# tzdata re-installed as only a fake version is part of the ubi-minimal base image. +# FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key +# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key +RUN set -eux ; \ + curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \ + gpg --batch --import /tmp/epelkey.txt ; \ + gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \ + rpmkeys --import /tmp/epelkey.txt ; \ + curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \ + rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \ + rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \ + rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \ + curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \ + gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \ + gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \ + rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \ + rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \ + unset GNUPGHOME ; \ + microdnf update -y ; \ + microdnf reinstall -y tzdata ; \ + microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ + mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ + chmod ugo+rwx,o+t /run/mariadb ; \ + microdnf install -y MariaDB-backup-main.0 MariaDB-server-main.0 ; \ + # compatibility with DEB Galera packaging + ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ + # compatibility with RPM Galera packaging + ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib64/galera/libgalera_smm.so ; \ + microdnf clean all ; \ + rmdir /var/lib/mysql/mysql ; \ + chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ + mkdir /licenses ; \ + ln -s /usr/share/doc/MariaDB-server-main.0/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/licenses /licenses/package-licenses ; \ + ln -s Apache-2.0-license /licenses/gosu + +VOLUME /var/lib/mysql + +RUN mkdir /docker-entrypoint-initdb.d + +COPY healthcheck.sh /usr/local/bin/healthcheck.sh +COPY docker-entrypoint.sh /usr/local/bin/ + +ENTRYPOINT ["docker-entrypoint.sh"] + +EXPOSE 3306 +CMD ["mariadbd"] diff --git a/main-ubi/MariaDB.repo b/main-ubi/MariaDB.repo new file mode 100644 index 00000000..38a0a4d1 --- /dev/null +++ b/main-ubi/MariaDB.repo @@ -0,0 +1,7 @@ +[mariadb] +name = MariaDB +#baseurl = https://rpm.mariadb.org/main/rhel/$releasever/$basearch +baseurl = https://archive.mariadb.org/mariadb-main/yum/rhel/$releasever/$basearch +#microdnf cannot read to the second key here. +#gpgkey=https://archive.mariadb.org/PublicKey +gpgcheck=1 diff --git a/main-ubi/docker-entrypoint.sh b/main-ubi/docker-entrypoint.sh new file mode 100755 index 00000000..3332255b --- /dev/null +++ b/main-ubi/docker-entrypoint.sh @@ -0,0 +1,721 @@ +#!/bin/bash +set -eo pipefail +shopt -s nullglob + +# logging functions +mysql_log() { + local type="$1"; shift + printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*" +} +mysql_note() { + mysql_log Note "$@" +} +mysql_warn() { + mysql_log Warn "$@" >&2 +} +mysql_error() { + mysql_log ERROR "$@" >&2 + exit 1 +} + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + mysql_error "Both $var and $fileVar are set (but are exclusive)" + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# set MARIADB_xyz from MYSQL_xyz when MARIADB_xyz is unset +# and make them the same value (so user scripts can use either) +_mariadb_file_env() { + local var="$1"; shift + local maria="MARIADB_${var#MYSQL_}" + file_env "$var" "$@" + file_env "$maria" "${!var}" + if [ "${!maria:-}" ]; then + export "$var"="${!maria}" + fi +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions +docker_process_init_files() { + # mysql here for backwards compatibility "${mysql[@]}" + # ShellCheck: mysql appears unused. Verify use (or export if used externally) + # shellcheck disable=SC2034 + mysql=( docker_process_sql ) + + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + mysql_note "$0: running $f" + "$f" + else + mysql_note "$0: sourcing $f" + # ShellCheck can't follow non-constant source. Use a directive to specify location. + # shellcheck disable=SC1090 + . "$f" + fi + ;; + *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;; + *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; + *.sql.zst) mysql_note "$0: running $f"; zstd -dc "$f" | docker_process_sql; echo ;; + *) mysql_warn "$0: ignoring $f" ;; + esac + echo + done +} + +# arguments necessary to run "mariadbd --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values) +_verboseHelpArgs=( + --verbose --help +) + +mysql_check_config() { + local toRun=( "$@" "${_verboseHelpArgs[@]}" ) errors + if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then + mysql_error $'mariadbd failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors" + fi +} + +# Fetch value from server config +# We use mariadbd --verbose --help instead of my_print_defaults because the +# latter only show values present in config files, and not server defaults +mysql_get_config() { + local conf="$1"; shift + "$@" "${_verboseHelpArgs[@]}" 2>/dev/null \ + | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' + # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" +} + +# Do a temporary startup of the MariaDB server, for init purposes +docker_temp_server_start() { + "$@" --skip-networking --default-time-zone=SYSTEM --socket="${SOCKET}" --wsrep_on=OFF \ + --expire-logs-days=0 \ + --loose-innodb_buffer_pool_load_at_startup=0 \ + --skip-ssl --ssl-cert='' --ssl-key='' --ssl-ca='' \ + & + declare -g MARIADB_PID + MARIADB_PID=$! + mysql_note "Waiting for server startup" + # only use the root password if the database has already been initialized + # so that it won't try to fill in a password file when it hasn't been set yet + extraArgs=() + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + extraArgs+=( '--dont-use-mysql-root-password' ) + fi + local i + for i in {30..0}; do + if docker_process_sql "${extraArgs[@]}" --database=mysql \ + --skip-ssl --skip-ssl-verify-server-cert \ + <<<'SELECT 1' &> /dev/null; then + break + fi + sleep 1 + done + if [ "$i" = 0 ]; then + mysql_error "Unable to start server." + fi +} + +# Stop the server. When using a local socket file mariadb-admin will block until +# the shutdown is complete. +docker_temp_server_stop() { + kill "$MARIADB_PID" + wait "$MARIADB_PID" +} + +# Verify that the minimally required password settings are set for new databases. +docker_verify_minimum_env() { + # Restoring from backup requires no environment variables + declare -g DATABASE_INIT_FROM_BACKUP + for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do + if [ -f "${file}" ]; then + DATABASE_INIT_FROM_BACKUP='true' + return + fi + done + if [ -z "$MARIADB_ROOT_PASSWORD" ] && [ -z "$MARIADB_ROOT_PASSWORD_HASH" ] && [ -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] && [ -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then + mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ROOT_PASSWORD_HASH, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD' + fi + # More preemptive exclusions of combinations should have been made before *PASSWORD_HASH was added, but for now we don't enforce due to compatibility. + if [ -n "$MARIADB_ROOT_PASSWORD" ] || [ -n "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] || [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ] && [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then + mysql_error "Cannot specify MARIADB_ROOT_PASSWORD_HASH and another MARIADB_ROOT_PASSWORD* option." + fi + if [ -n "$MARIADB_PASSWORD" ] && [ -n "$MARIADB_PASSWORD_HASH" ]; then + mysql_error "Cannot specify MARIADB_PASSWORD_HASH and MARIADB_PASSWORD option." + fi + if [ -n "$MARIADB_REPLICATION_USER" ]; then + if [ -z "$MARIADB_MASTER_HOST" ]; then + # its a master, we're creating a user + if [ -z "$MARIADB_REPLICATION_PASSWORD" ] && [ -z "$MARIADB_REPLICATION_PASSWORD_HASH" ]; then + mysql_error "MARIADB_REPLICATION_PASSWORD or MARIADB_REPLICATION_PASSWORD_HASH not found to create replication user for master" + fi + else + # its a replica + if [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; then + mysql_error "MARIADB_REPLICATION_PASSWORD is mandatory to specify the replication on the replica image." + fi + if [ -n "$MARIADB_REPLICATION_PASSWORD_HASH" ] ; then + mysql_warn "MARIADB_REPLICATION_PASSWORD_HASH cannot be specified on a replica" + fi + fi + fi + if [ -n "$MARIADB_MASTER_HOST" ] && { [ -z "$MARIADB_REPLICATION_USER" ] || [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; }; then + mysql_error "For a replica, MARIADB_REPLICATION_USER and MARIADB_REPLICATION is mandatory." + fi +} + +# creates folders for the database +# also ensures permission for user mysql of run as root +docker_create_db_directories() { + local user; user="$(id -u)" + + # TODO other directories that are used by default? like /var/lib/mysql-files + # see https://github.com/docker-library/mysql/issues/562 + mkdir -p "$DATADIR" + + if [ "$user" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql \( -exec chown mysql: '{}' + -o -true \) + # See https://github.com/MariaDB/mariadb-docker/issues/363 + if [ "${SOCKET:0:1}" != '@' ]; then # not abstract sockets + find "${SOCKET%/*}" -maxdepth 0 \! -user mysql \( -exec chown mysql: '{}' \; -o -true \) + fi + + # memory.pressure + local cgroup; cgroup=$( "$DATADIR"/.my-healthcheck.cnf + $maskPreserve +} + +# Initializes database with timezone info and root password, plus optional extra db/user +docker_setup_db() { + # Load timezone info into database + if [ -z "$MARIADB_INITDB_SKIP_TZINFO" ]; then + # --skip-write-binlog usefully disables binary logging + # but also outputs LOCK TABLES to improve the IO of + # Aria (MDEV-23326) for 10.4+. + mariadb-tzinfo-to-sql --skip-write-binlog /usr/share/zoneinfo \ + | docker_process_sql --dont-use-mysql-root-password --database=mysql + # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet + fi + # Generate random root password + if [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then + MARIADB_ROOT_PASSWORD="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)" + export MARIADB_ROOT_PASSWORD MYSQL_ROOT_PASSWORD=$MARIADB_ROOT_PASSWORD + mysql_note "GENERATED ROOT PASSWORD: $MARIADB_ROOT_PASSWORD" + fi + + # Creates root users for non-localhost hosts + local rootCreate= + local rootPasswordEscaped= + if [ -n "$MARIADB_ROOT_PASSWORD" ]; then + # Sets root password and creates root users for non-localhost hosts + rootPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}") + fi + + # default root to listen for connections from anywhere + if [ -n "$MARIADB_ROOT_HOST" ] && [ "$MARIADB_ROOT_HOST" != 'localhost' ]; then + # ref "read -d ''", no, we don't care if read finds a terminating character in this heredoc + # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151 + if [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then + read -r -d '' rootCreate <<-EOSQL || true + CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY PASSWORD '${MARIADB_ROOT_PASSWORD_HASH}' ; + GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; + GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; + EOSQL + else + read -r -d '' rootCreate <<-EOSQL || true + CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY '${rootPasswordEscaped}' ; + GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; + GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; + EOSQL + fi + fi + + local mysqlAtLocalhost= + local mysqlAtLocalhostGrants= + # Install mysql@localhost user + if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then + read -r -d '' mysqlAtLocalhost <<-EOSQL || true + CREATE USER mysql@localhost IDENTIFIED VIA unix_socket; + EOSQL + if [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then + if [ "$MARIADB_MYSQL_LOCALHOST_GRANTS" != USAGE ]; then + mysql_warn "Excessive privileges ON *.* TO mysql@localhost facilitates risks to the confidentiality, integrity and availability of data stored" + fi + mysqlAtLocalhostGrants="GRANT ${MARIADB_MYSQL_LOCALHOST_GRANTS} ON *.* TO mysql@localhost;"; + fi + fi + + local createHealthCheckUsers + createHealthCheckUsers=$(create_healthcheck_users) + + local rootLocalhostPass= + if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then + # handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d + rootLocalhostPass="SET PASSWORD FOR 'root'@'localhost'= PASSWORD('${rootPasswordEscaped}');" + fi + + local createDatabase= + # Creates a custom database and user if specified + if [ -n "$MARIADB_DATABASE" ]; then + mysql_note "Creating database ${MARIADB_DATABASE}" + createDatabase="CREATE DATABASE IF NOT EXISTS \`$MARIADB_DATABASE\`;" + fi + + local createUser= + local userGrants= + if [ -n "$MARIADB_PASSWORD" ] || [ -n "$MARIADB_PASSWORD_HASH" ] && [ -n "$MARIADB_USER" ]; then + mysql_note "Creating user ${MARIADB_USER}" + if [ -n "$MARIADB_PASSWORD_HASH" ]; then + createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY PASSWORD '$MARIADB_PASSWORD_HASH';" + else + # SQL escape the user password, \ followed by ' + local userPasswordEscaped + userPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_PASSWORD}") + createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';" + fi + + if [ -n "$MARIADB_DATABASE" ]; then + mysql_note "Giving user ${MARIADB_USER} access to schema ${MARIADB_DATABASE}" + userGrants="GRANT ALL ON \`${MARIADB_DATABASE//_/\\_}\`.* TO '$MARIADB_USER'@'%';" + fi + fi + + # To create replica user + local createReplicaUser= + local changeMasterTo= + local startReplica= + if [ -n "$MARIADB_REPLICATION_USER" ] ; then + if [ -z "$MARIADB_MASTER_HOST" ]; then + # on master + mysql_note "Creating user ${MARIADB_REPLICATION_USER}" + createReplicaUser=$(create_replica_user) + else + # on replica + local rplPasswordEscaped + rplPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_REPLICATION_PASSWORD}") + # SC cannot follow how MARIADB_MASTER_PORT is assigned a default value. + # shellcheck disable=SC2153 + changeMasterTo="CHANGE MASTER TO MASTER_HOST='$MARIADB_MASTER_HOST', MASTER_USER='$MARIADB_REPLICATION_USER', MASTER_PASSWORD='$rplPasswordEscaped', MASTER_PORT=$MARIADB_MASTER_PORT, MASTER_CONNECT_RETRY=10;" + startReplica="START REPLICA;" + fi + fi + + mysql_note "Securing system users (equivalent to running mysql_secure_installation)" + # tell docker_process_sql to not use MARIADB_ROOT_PASSWORD since it is just now being set + # --binary-mode to save us from the semi-mad users go out of their way to confuse the encoding. + docker_process_sql --dont-use-mysql-root-password --database=mysql --binary-mode <<-EOSQL + -- Securing system users shouldn't be replicated + SET @orig_sql_log_bin= @@SESSION.SQL_LOG_BIN; + SET @@SESSION.SQL_LOG_BIN=0; + -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set + SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); + + DROP USER IF EXISTS root@'127.0.0.1', root@'::1'; + EXECUTE IMMEDIATE CONCAT('DROP USER IF EXISTS root@\'', @@hostname,'\''); + + ${rootLocalhostPass} + ${rootCreate} + ${mysqlAtLocalhost} + ${mysqlAtLocalhostGrants} + ${createHealthCheckUsers} + -- end of securing system users, rest of init now... + SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin; + -- create users/databases + ${createDatabase} + ${createUser} + ${createReplicaUser} + ${userGrants} + + ${changeMasterTo} + ${startReplica} + EOSQL +} + +# create a new installation +docker_mariadb_init() +{ + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + if [ -n "$DATABASE_INIT_FROM_BACKUP" ]; then + shopt -s dotglob + for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do + mkdir -p "$DATADIR"/.init + tar --auto-compress --extract --file "$file" --directory="$DATADIR"/.init + mariadb-backup --target-dir="$DATADIR"/.init --datadir="$DATADIR"/.restore --move-back + + mv "$DATADIR"/.restore/** "$DATADIR"/ + if [ -f "$DATADIR/.init/backup-my.cnf" ]; then + mv "$DATADIR/.init/backup-my.cnf" "$DATADIR/.my.cnf" + mysql_note "Adding startup configuration:" + my_print_defaults --defaults-file="$DATADIR/.my.cnf" --mariadbd + fi + rm -rf "$DATADIR"/.init "$DATADIR"/.restore + if [ "$(id -u)" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql \( -exec chown mysql: '{}' + -o -true \) + fi + done + if _check_if_upgrade_is_needed; then + docker_mariadb_upgrade "$@" + fi + return + fi + docker_init_database_dir "$@" + + mysql_note "Starting temporary server" + docker_temp_server_start "$@" + mysql_note "Temporary server started." + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + # Wait until after /docker-entrypoint-initdb.d is performed before setting + # root@localhost password to a hash we don't know the password for. + if [ -n "${MARIADB_ROOT_PASSWORD_HASH}" ]; then + mysql_note "Setting root@localhost password hash" + docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL + SET @@SESSION.SQL_LOG_BIN=0; + SET PASSWORD FOR 'root'@'localhost'= '${MARIADB_ROOT_PASSWORD_HASH}'; + EOSQL + fi + + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + echo + mysql_note "MariaDB init process done. Ready for start up." + echo +} + +# backup the mysql database +docker_mariadb_backup_system() +{ + if [ -n "$MARIADB_DISABLE_UPGRADE_BACKUP" ] \ + && [ "$MARIADB_DISABLE_UPGRADE_BACKUP" = 1 ]; then + mysql_note "MariaDB upgrade backup disabled due to \$MARIADB_DISABLE_UPGRADE_BACKUP=1 setting" + return + fi + local backup_db="system_mysql_backup_unknown_version.sql.zst" + local oldfullversion="unknown_version" + if [ -r "$DATADIR"/mariadb_upgrade_info ]; then + read -r -d '' oldfullversion < "$DATADIR"/mariadb_upgrade_info || true + if [ -n "$oldfullversion" ]; then + backup_db="system_mysql_backup_${oldfullversion}.sql.zst" + fi + fi + + mysql_note "Backing up system database to $backup_db" + if ! mariadb-dump --skip-lock-tables --replace --databases mysql --socket="${SOCKET}" | zstd > "${DATADIR}/${backup_db}"; then + mysql_error "Unable backup system database for upgrade from $oldfullversion." + fi + mysql_note "Backing up complete" +} + +# perform mariadb-upgrade +# backup the mysql database if this is a major upgrade +docker_mariadb_upgrade() { + if [ -z "$MARIADB_AUTO_UPGRADE" ] \ + || [ "$MARIADB_AUTO_UPGRADE" = 0 ]; then + mysql_note "MariaDB upgrade (mariadb-upgrade or creating healthcheck users) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting" + return + fi + mysql_note "Starting temporary server" + docker_temp_server_start "$@" --skip-grant-tables \ + --loose-innodb_buffer_pool_dump_at_shutdown=0 \ + --skip-slave-start + mysql_note "Temporary server started." + + docker_mariadb_backup_system + + if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then + mysql_note "Creating healthcheck users" + local createHealthCheckUsers + createHealthCheckUsers=$(create_healthcheck_users) + docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL + -- Healthcheck users shouldn't be replicated + SET @@SESSION.SQL_LOG_BIN=0; + -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set + SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); + FLUSH PRIVILEGES; + $createHealthCheckUsers +EOSQL + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + if _check_if_upgrade_is_needed; then + # need a restart as FLUSH PRIVILEGES isn't reversable + mysql_note "Restarting temporary server for upgrade" + docker_temp_server_start "$@" --skip-grant-tables \ + --loose-innodb_buffer_pool_dump_at_shutdown=0 \ + --skip-slave-start + else + return 0 + fi + fi + + mysql_note "Starting mariadb-upgrade" + mariadb-upgrade --upgrade-system-tables + mysql_note "Finished mariadb-upgrade" + + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" +} + + +_check_if_upgrade_is_needed() { + if [ ! -f "$DATADIR"/mariadb_upgrade_info ]; then + mysql_note "MariaDB upgrade information missing, assuming required" + return 0 + fi + local mariadbVersion + mariadbVersion="$(_mariadb_version)" + IFS='.-' read -ra newversion <<<"$mariadbVersion" + IFS='.-' read -ra oldversion < "$DATADIR"/mariadb_upgrade_info || true + + if [[ ${#newversion[@]} -lt 2 ]] || [[ ${#oldversion[@]} -lt 2 ]] \ + || [[ ${oldversion[0]} -lt ${newversion[0]} ]] \ + || [[ ${oldversion[0]} -eq ${newversion[0]} && ${oldversion[1]} -lt ${newversion[1]} ]]; then + return 0 + fi + if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then + mysql_note "MariaDB heathcheck configation file missing, assuming desirable" + return 0 + fi + mysql_note "MariaDB upgrade not required" + return 1 +} + +# check arguments for an option that would cause mariadbd to stop +# return true if there is one +_mysql_want_help() { + local arg + for arg; do + case "$arg" in + -'?'|--help|--print-defaults|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if command starts with an option, prepend mariadbd + if [ "${1:0:1}" = '-' ]; then + set -- mariadbd "$@" + fi + + #ENDOFSUBSTITUTIONS + # skip setup if they aren't running mysqld or want an option that stops mysqld + if [ "$1" = 'mariadbd' ] || [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then + mysql_note "Entrypoint script for MariaDB Server ${MARIADB_VERSION} started." + + mysql_check_config "$@" + # Load various environment variables + docker_setup_env "$@" + docker_create_db_directories + + # If container is started as root user, restart as dedicated mysql user + if [ "$(id -u)" = "0" ]; then + mysql_note "Switching to dedicated user 'mysql'" + exec gosu mysql "${BASH_SOURCE[0]}" "$@" + fi + + # there's no database, so it needs to be initialized + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + + docker_mariadb_init "$@" + # MDEV-27636 mariadb_upgrade --check-if-upgrade-is-needed cannot be run offline + #elif mariadb-upgrade --check-if-upgrade-is-needed; then + elif _check_if_upgrade_is_needed; then + docker_mariadb_upgrade "$@" + fi + fi + exec "$@" +} + +# If we are sourced from elsewhere, don't perform any further actions +if ! _is_sourced; then + _main "$@" +fi diff --git a/main-ubi/docker.cnf b/main-ubi/docker.cnf new file mode 100644 index 00000000..41dad70a --- /dev/null +++ b/main-ubi/docker.cnf @@ -0,0 +1,14 @@ +# Ubuntu container compatibility + +[mariadb] +host-cache-size=0 +skip-name-resolve + +expire_logs_days=10 + + +[client-server] +socket=/run/mariadb/mariadb.sock + +!includedir /etc/mysql/mariadb.conf.d +!includedir /etc/mysql/conf.d diff --git a/main-ubi/healthcheck.sh b/main-ubi/healthcheck.sh new file mode 100755 index 00000000..c5dcbd38 --- /dev/null +++ b/main-ubi/healthcheck.sh @@ -0,0 +1,375 @@ +#!/bin/bash +# +# Healthcheck script for MariaDB +# +# Runs various tests on the MariaDB server to check its health. Pass the tests +# to run as arguments. If all tests succeed, the server is considered healthy, +# otherwise it's not. +# +# Arguments are processed in strict order. Set replication_* options before +# the --replication option. This allows a different set of replication checks +# on different connections. +# +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication +# Using this option disregards previous options set, so should usually be the +# first option. +# +# Some tests require SQL privileges. +# +# TEST MINIMUM GRANTS REQUIRED +# connect none* +# innodb_initialized USAGE +# innodb_buffer_pool_loaded USAGE +# galera_online USAGE +# galera_ready USAGE +# replication REPLICATION_CLIENT (<10.5)or REPLICA MONITOR (10.5+) +# mariadbupgrade none, however unix user permissions on datadir +# +# The SQL user used is the default for the mariadb client. This can be the unix user +# if no user(or password) is set in the [mariadb-client] section of a configuration +# file. --defaults-{file,extra-file,group-suffix} can specify a file/configuration +# different from elsewhere. +# +# Note * though denied error message will result in error log without +# any permissions. USAGE recommend to avoid this. + +set -eo pipefail + +_process_sql() +{ + mariadb ${nodefaults:+--no-defaults} \ + ${def['file']:+--defaults-file=${def['file']}} \ + ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ + ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --skip-ssl --skip-ssl-verify-server-cert \ + --protocol socket \ + -B "$@" +} + +# TESTS + + +# CONNECT +# +# Tests that a connection can be made over TCP, the final state +# of the entrypoint and is listening. The authentication used +# isn't tested. +connect() +{ + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. + set +e +o pipefail + # (on second extra_file) + # shellcheck disable=SC2086 + mariadb ${nodefaults:+--no-defaults} \ + ${def['file']:+--defaults-file=${def['file']}} \ + ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ + ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --skip-ssl --skip-ssl-verify-server-cert \ + -h localhost --protocol tcp -e 'select 1' 2>&1 \ + | grep -qF "Can't connect" + local ret=${PIPESTATUS[1]} + set -eo pipefail + if (( "$ret" == 0 )); then + # grep Matched "Can't connect" so we fail + connect_s=1 + else + connect_s=0 + fi + return $connect_s +} + +# INNODB_INITIALIZED +# +# This tests that the crash recovery of InnoDB has completed +# along with all the other things required to make it to a healthy +# operational state. Note this may return true in the early +# states of initialization. Use with a connect test to avoid +# these false positives. +innodb_initialized() +{ + local s + s=$(_process_sql --skip-column-names -e "select 1 from information_schema.ENGINES WHERE engine='innodb' AND support in ('YES', 'DEFAULT', 'ENABLED')") + [ "$s" == 1 ] +} + +# INNODB_BUFFER_POOL_LOADED +# +# Tests the load of the innodb buffer pool as been complete +# implies innodb_buffer_pool_load_at_startup=1 (default), or if +# manually SET innodb_buffer_pool_load_now=1 +innodb_buffer_pool_loaded() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='Innodb_buffer_pool_load_status'") + if [[ $s =~ 'load completed' ]]; then + return 0 + fi + return 1 +} + +# GALERA_ONLINE +# +# Tests that the galera node is in the SYNCed state +galera_online() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_LOCAL_STATE'") + # 4 from https://galeracluster.com/library/documentation/node-states.html#node-state-changes + # not https://xkcd.com/221/ + if [[ $s -eq 4 ]]; then + return 0 + fi + return 1 +} + +# GALERA_READY +# +# Tests that the Galera provider is ready. +galera_ready() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_READY'") + if [ "$s" = "ON" ]; then + return 0 + fi + return 1 +} + +# REPLICATION +# +# Tests the replication has the required set of functions: +# --replication_all -> Checks all replication sources +# --replication_name=n -> sets the multisource connection name tested +# --replication_io -> IO thread is running +# --replication_sql -> SQL thread is running +# --replication_seconds_behind_master=n -> less than or equal this seconds of delay +# --replication_sql_remaining_delay=n -> less than or equal this seconds of remaining delay +# (ref: https://mariadb.com/kb/en/delayed-replication/) +replication() +{ + # SHOW REPLICA available 10.5+ + # https://github.com/koalaman/shellcheck/issues/2383 + # shellcheck disable=SC2016,SC2026 + _process_sql -e "SHOW ${repl['all']:+all} REPLICA${repl['all']:+S} ${repl['name']:+'${repl['name']}'} STATUS\G" | \ + { + # required for trim of leading space. + shopt -s extglob + # Row header + read -t 5 -r + # read timeout + [ $? -gt 128 ] && return 1 + while IFS=":" read -t 1 -r n v; do + # Trim leading space + n=${n##+([[:space:]])} + # Leading space on all values by the \G format needs to be trimmed. + v=${v:1} + case "$n" in + Slave_IO_Running) + if [ -n "${repl['io']}" ] && [ "$v" = 'No' ]; then + return 1 + fi + ;; + Slave_SQL_Running) + if [ -n "${repl['sql']}" ] && [ "$v" = 'No' ]; then + return 1 + fi + ;; + Seconds_Behind_Master) + # A NULL value is the IO thread not running: + if [ -n "${repl['seconds_behind_master']}" ] && + { [ "$v" = NULL ] || + (( "${repl['seconds_behind_master']}" < "$v" )); }; then + return 1 + fi + ;; + SQL_Remaining_Delay) + # Unlike Seconds_Behind_Master, sql_remaining_delay will hit NULL + # once replication is caught up - https://mariadb.com/kb/en/delayed-replication/ + if [ -n "${repl['sql_remaining_delay']}" ] && + [ "$v" != NULL ] && + (( "${repl['sql_remaining_delay']}" < "$v" )); then + return 1 + fi + ;; + esac + done + # read timeout + [ $? -gt 128 ] && return 1 + return 0 + } + # reachable in command not found(?) + # shellcheck disable=SC2317 + return $? +} + +# mariadbupgrade +# +# Test the lock on the file $datadir/mariadb_upgrade_info +# https://jira.mariadb.org/browse/MDEV-27068 +mariadbupgrade() +{ + local f="$datadir/mariadb_upgrade_info" + if [ -r "$f" ]; then + flock --exclusive --nonblock -n 9 9<"$f" + return $? + fi + return 0 +} + + +# MAIN + +if [ $# -eq 0 ]; then + echo "At least one argument required" >&2 + exit 1 +fi + +#ENDOFSUBSTITUTIONS +# Marks the end of mysql -> mariadb name changes in 10.6+ +# Global variables used by tests +declare -A repl +declare -A def +nodefaults= +connect_s= +datadir=/var/lib/mysql +if [ -f $datadir/.my-healthcheck.cnf ]; then + def['extra_file']=$datadir/.my-healthcheck.cnf +fi + +_repl_param_check() +{ + case "$1" in + seconds_behind_master) ;& + sql_remaining_delay) + if [ -z "${repl['io']}" ]; then + repl['io']=1 + echo "Forcing --replication_io=1, $1 requires IO thread to be running" >&2 + fi + ;; + all) + if [ -n "${repl['name']}" ]; then + unset 'repl[name]' + echo "Option --replication_all incompatible with specified source --replication_name, clearing replication_name" >&2 + fi + ;; + name) + if [ -n "${repl['all']}" ]; then + unset 'repl[all]' + echo "Option --replication_name incompatible with --replication_all, clearing replication_all" >&2 + fi + ;; + esac +} + +_test_exists() { + declare -F "$1" > /dev/null + return $? +} + +while [ $# -gt 0 ]; do + case "$1" in + --su=*) + u="${1#*=}" + shift + exec gosu "${u}" "${BASH_SOURCE[0]}" "$@" + ;; + --su) + shift + u=$1 + shift + exec gosu "$u" "${BASH_SOURCE[0]}" "$@" + ;; + --su-mysql) + shift + exec gosu mysql "${BASH_SOURCE[0]}" "$@" + ;; + --replication_*=*) + # Change the n to what is between _ and = and make lower case + n=${1#*_} + n=${n%%=*} + n=${n,,*} + # v is after the = + v=${1#*=} + repl[$n]=$v + _repl_param_check "$n" + ;; + --replication_*) + # Without =, look for a non --option next as the value, + # otherwise treat it as an "enable", just equate to 1. + # Clearing option is possible with "--replication_X=" + n=${1#*_} + n=${n,,*} + if [ "${2:0:2}" == '--' ]; then + repl[$n]=1 + else + repl[$n]=$2 + shift + fi + _repl_param_check "$n" + ;; + --datadir=*) + datadir=${1#*=} + ;; + --datadir) + shift + datadir=${1} + ;; + --no-defaults) + def=() + nodefaults=1 + ;; + --defaults-file=*|--defaults-extra-file=*|--defaults-group-suffix=*) + n=${1:11} # length --defaults- + n=${n%%=*} + n=${n//-/_} + # v is after the = + v=${1#*=} + def[$n]=$v + nodefaults= + ;; + --defaults-file|--defaults-extra-file|--defaults-group-suffix) + n=${1:11} # length --defaults- + n=${n//-/_} + if [ "${2:0:2}" == '--' ]; then + def[$n]="" + else + def[$n]=$2 + shift + fi + nodefaults= + ;; + --*) + test=${1#--} + ;; + *) + echo "Unknown healthcheck option $1" >&2 + exit 1 + esac + if [ -n "$test" ]; then + if ! _test_exists "$test" ; then + echo "healthcheck unknown option or test '$test'" >&2 + exit 1 + elif ! "$test"; then + echo "healthcheck $test failed" >&2 + exit 1 + fi + test= + fi + shift +done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/main/Dockerfile b/main/Dockerfile new file mode 100644 index 00000000..3ccc1c0f --- /dev/null +++ b/main/Dockerfile @@ -0,0 +1,142 @@ +# vim:set ft=dockerfile: +FROM ubuntu:noble + +# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added +RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql && userdel --remove ubuntu + +# add gosu for easy step-down from root +# https://github.com/tianon/gosu/releases +# gosu key is B42F6819007F00F88E364FD4036A9C25BF357DD4 +ENV GOSU_VERSION 1.17 + +ARG GPG_KEYS=177F4010FE56CA3336300305F1656F24C74CD1D8 +# pub rsa4096 2016-03-30 [SC] +# 177F 4010 FE56 CA33 3630 0305 F165 6F24 C74C D1D8 +# uid [ unknown] MariaDB Signing Key +# sub rsa4096 2016-03-30 [E] +# install "libjemalloc2" as it offers better performance in some cases. Use with LD_PRELOAD +# install "pwgen" for randomizing passwords +# install "tzdata" for /usr/share/zoneinfo/ +# install "xz-utils" for .sql.xz docker-entrypoint-initdb.d files +# install "zstd" for .sql.zst docker-entrypoint-initdb.d files +# hadolint ignore=SC2086 +RUN set -eux; \ + apt-get update; \ + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + ca-certificates \ + gpg \ + gpgv \ + libjemalloc2 \ + pwgen \ + tzdata \ + xz-utils \ + zstd ; \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get install -y --no-install-recommends \ + dirmngr \ + gpg-agent \ + wget; \ + rm -rf /var/lib/apt/lists/*; \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -q -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -q -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + GNUPGHOME="$(mktemp -d)"; \ + export GNUPGHOME; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + for key in $GPG_KEYS; do \ + gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + done; \ + gpg --batch --export "$GPG_KEYS" > /etc/apt/trusted.gpg.d/mariadb.gpg; \ + if command -v gpgconf >/dev/null; then \ + gpgconf --kill all; \ + fi; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + apt-mark auto '.*' > /dev/null; \ + [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark >/dev/null; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + chmod +x /usr/local/bin/gosu; \ + gosu --version; \ + gosu nobody true + +RUN mkdir /docker-entrypoint-initdb.d + +# Ensure the container exec commands handle range of utf8 characters based of +# default locales in base image (https://github.com/docker-library/docs/blob/135b79cc8093ab02e55debb61fdb079ab2dbce87/ubuntu/README.md#locales) +ENV LANG C.UTF-8 + +# OCI annotations to image +LABEL org.opencontainers.image.authors="MariaDB Community" \ + org.opencontainers.image.title="MariaDB Database" \ + org.opencontainers.image.description="MariaDB Database for relational SQL" \ + org.opencontainers.image.documentation="https://hub.docker.com/_/mariadb/" \ + org.opencontainers.image.base.name="docker.io/library/ubuntu:noble" \ + org.opencontainers.image.licenses="GPL-2.0" \ + org.opencontainers.image.source="https://github.com/MariaDB/mariadb-docker" \ + org.opencontainers.image.vendor="MariaDB Community" \ + org.opencontainers.image.version="main.0" \ + org.opencontainers.image.url="https://github.com/MariaDB/mariadb-docker" + +# bashbrew-architectures: amd64 arm64v8 ppc64le s390x +ARG MARIADB_VERSION=1:main.0+maria~ubu2404 +ENV MARIADB_VERSION $MARIADB_VERSION +# release-status:Alpha +# release-support-type:Unknown +# (https://downloads.mariadb.org/rest-api/mariadb/) + +# Allowing overriding of REPOSITORY, a URL that includes suite and component for testing and Enterprise Versions +ARG REPOSITORY="http://archive.mariadb.org/mariadb-main.0/repo/ubuntu/ noble main main/debug" + +RUN set -e;\ + echo "deb ${REPOSITORY}" > /etc/apt/sources.list.d/mariadb.list; \ + { \ + echo 'Package: *'; \ + echo 'Pin: release o=MariaDB'; \ + echo 'Pin-Priority: 999'; \ + } > /etc/apt/preferences.d/mariadb +# add repository pinning to make sure dependencies from this MariaDB repo are preferred over Debian dependencies +# libmariadbclient18 : Depends: libmysqlclient18 (= 5.5.42+maria-1~wheezy) but 5.5.43-0+deb7u1 is to be installed + +# the "/var/lib/mysql" stuff here is because the mysql-server postinst doesn't have an explicit way to disable the mysql_install_db codepath besides having a database already "configured" (ie, stuff in /var/lib/mysql/mysql) +# also, we set debconf keys to make APT a little quieter +# hadolint ignore=DL3015 +RUN set -ex; \ + { \ + echo "mariadb-server" mysql-server/root_password password 'unused'; \ + echo "mariadb-server" mysql-server/root_password_again password 'unused'; \ + } | debconf-set-selections; \ + apt-get update; \ +# postinst script creates a datadir, so avoid creating it by faking its existance. + mkdir -p /var/lib/mysql/mysql ; touch /var/lib/mysql/mysql/user.frm ; \ +# mariadb-backup is installed at the same time so that `mysql-common` is only installed once from just mariadb repos + apt-get install -y --no-install-recommends mariadb-server="$MARIADB_VERSION" mariadb-backup socat \ + ; \ + rm -rf /var/lib/apt/lists/*; \ +# purge and re-create /var/lib/mysql with appropriate ownership + rm -rf /var/lib/mysql; \ + mkdir -p /var/lib/mysql /run/mysqld; \ + chown -R mysql:mysql /var/lib/mysql /run/mysqld; \ +# ensure that /run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime + chmod 1777 /run/mysqld; \ +# comment out a few problematic configuration values + find /etc/mysql/ -name '*.cnf' -print0 \ + | xargs -0 grep -lZE '^(bind-address|log|user\s)' \ + | xargs -rt -0 sed -Ei 's/^(bind-address|log|user\s)/#&/'; \ +# don't reverse lookup hostnames, they are usually another container + printf "[mariadb]\nhost-cache-size=0\nskip-name-resolve\n" > /etc/mysql/mariadb.conf.d/05-skipcache.cnf; \ +# Issue #327 Correct order of reading directories /etc/mysql/mariadb.conf.d before /etc/mysql/conf.d (mount-point per documentation) + if [ -L /etc/mysql/my.cnf ]; then \ +# 10.5+ + sed -i -e '/includedir/ {N;s/\(.*\)\n\(.*\)/\n\2\n\1/}' /etc/mysql/mariadb.cnf; \ + fi + + +VOLUME /var/lib/mysql + +COPY healthcheck.sh /usr/local/bin/healthcheck.sh +COPY docker-entrypoint.sh /usr/local/bin/ +ENTRYPOINT ["docker-entrypoint.sh"] + +EXPOSE 3306 +CMD ["mariadbd"] diff --git a/main/docker-entrypoint.sh b/main/docker-entrypoint.sh new file mode 100755 index 00000000..3332255b --- /dev/null +++ b/main/docker-entrypoint.sh @@ -0,0 +1,721 @@ +#!/bin/bash +set -eo pipefail +shopt -s nullglob + +# logging functions +mysql_log() { + local type="$1"; shift + printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*" +} +mysql_note() { + mysql_log Note "$@" +} +mysql_warn() { + mysql_log Warn "$@" >&2 +} +mysql_error() { + mysql_log ERROR "$@" >&2 + exit 1 +} + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + mysql_error "Both $var and $fileVar are set (but are exclusive)" + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# set MARIADB_xyz from MYSQL_xyz when MARIADB_xyz is unset +# and make them the same value (so user scripts can use either) +_mariadb_file_env() { + local var="$1"; shift + local maria="MARIADB_${var#MYSQL_}" + file_env "$var" "$@" + file_env "$maria" "${!var}" + if [ "${!maria:-}" ]; then + export "$var"="${!maria}" + fi +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions +docker_process_init_files() { + # mysql here for backwards compatibility "${mysql[@]}" + # ShellCheck: mysql appears unused. Verify use (or export if used externally) + # shellcheck disable=SC2034 + mysql=( docker_process_sql ) + + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + mysql_note "$0: running $f" + "$f" + else + mysql_note "$0: sourcing $f" + # ShellCheck can't follow non-constant source. Use a directive to specify location. + # shellcheck disable=SC1090 + . "$f" + fi + ;; + *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;; + *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; + *.sql.zst) mysql_note "$0: running $f"; zstd -dc "$f" | docker_process_sql; echo ;; + *) mysql_warn "$0: ignoring $f" ;; + esac + echo + done +} + +# arguments necessary to run "mariadbd --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values) +_verboseHelpArgs=( + --verbose --help +) + +mysql_check_config() { + local toRun=( "$@" "${_verboseHelpArgs[@]}" ) errors + if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then + mysql_error $'mariadbd failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors" + fi +} + +# Fetch value from server config +# We use mariadbd --verbose --help instead of my_print_defaults because the +# latter only show values present in config files, and not server defaults +mysql_get_config() { + local conf="$1"; shift + "$@" "${_verboseHelpArgs[@]}" 2>/dev/null \ + | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' + # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" +} + +# Do a temporary startup of the MariaDB server, for init purposes +docker_temp_server_start() { + "$@" --skip-networking --default-time-zone=SYSTEM --socket="${SOCKET}" --wsrep_on=OFF \ + --expire-logs-days=0 \ + --loose-innodb_buffer_pool_load_at_startup=0 \ + --skip-ssl --ssl-cert='' --ssl-key='' --ssl-ca='' \ + & + declare -g MARIADB_PID + MARIADB_PID=$! + mysql_note "Waiting for server startup" + # only use the root password if the database has already been initialized + # so that it won't try to fill in a password file when it hasn't been set yet + extraArgs=() + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + extraArgs+=( '--dont-use-mysql-root-password' ) + fi + local i + for i in {30..0}; do + if docker_process_sql "${extraArgs[@]}" --database=mysql \ + --skip-ssl --skip-ssl-verify-server-cert \ + <<<'SELECT 1' &> /dev/null; then + break + fi + sleep 1 + done + if [ "$i" = 0 ]; then + mysql_error "Unable to start server." + fi +} + +# Stop the server. When using a local socket file mariadb-admin will block until +# the shutdown is complete. +docker_temp_server_stop() { + kill "$MARIADB_PID" + wait "$MARIADB_PID" +} + +# Verify that the minimally required password settings are set for new databases. +docker_verify_minimum_env() { + # Restoring from backup requires no environment variables + declare -g DATABASE_INIT_FROM_BACKUP + for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do + if [ -f "${file}" ]; then + DATABASE_INIT_FROM_BACKUP='true' + return + fi + done + if [ -z "$MARIADB_ROOT_PASSWORD" ] && [ -z "$MARIADB_ROOT_PASSWORD_HASH" ] && [ -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] && [ -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then + mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ROOT_PASSWORD_HASH, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD' + fi + # More preemptive exclusions of combinations should have been made before *PASSWORD_HASH was added, but for now we don't enforce due to compatibility. + if [ -n "$MARIADB_ROOT_PASSWORD" ] || [ -n "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] || [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ] && [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then + mysql_error "Cannot specify MARIADB_ROOT_PASSWORD_HASH and another MARIADB_ROOT_PASSWORD* option." + fi + if [ -n "$MARIADB_PASSWORD" ] && [ -n "$MARIADB_PASSWORD_HASH" ]; then + mysql_error "Cannot specify MARIADB_PASSWORD_HASH and MARIADB_PASSWORD option." + fi + if [ -n "$MARIADB_REPLICATION_USER" ]; then + if [ -z "$MARIADB_MASTER_HOST" ]; then + # its a master, we're creating a user + if [ -z "$MARIADB_REPLICATION_PASSWORD" ] && [ -z "$MARIADB_REPLICATION_PASSWORD_HASH" ]; then + mysql_error "MARIADB_REPLICATION_PASSWORD or MARIADB_REPLICATION_PASSWORD_HASH not found to create replication user for master" + fi + else + # its a replica + if [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; then + mysql_error "MARIADB_REPLICATION_PASSWORD is mandatory to specify the replication on the replica image." + fi + if [ -n "$MARIADB_REPLICATION_PASSWORD_HASH" ] ; then + mysql_warn "MARIADB_REPLICATION_PASSWORD_HASH cannot be specified on a replica" + fi + fi + fi + if [ -n "$MARIADB_MASTER_HOST" ] && { [ -z "$MARIADB_REPLICATION_USER" ] || [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; }; then + mysql_error "For a replica, MARIADB_REPLICATION_USER and MARIADB_REPLICATION is mandatory." + fi +} + +# creates folders for the database +# also ensures permission for user mysql of run as root +docker_create_db_directories() { + local user; user="$(id -u)" + + # TODO other directories that are used by default? like /var/lib/mysql-files + # see https://github.com/docker-library/mysql/issues/562 + mkdir -p "$DATADIR" + + if [ "$user" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql \( -exec chown mysql: '{}' + -o -true \) + # See https://github.com/MariaDB/mariadb-docker/issues/363 + if [ "${SOCKET:0:1}" != '@' ]; then # not abstract sockets + find "${SOCKET%/*}" -maxdepth 0 \! -user mysql \( -exec chown mysql: '{}' \; -o -true \) + fi + + # memory.pressure + local cgroup; cgroup=$( "$DATADIR"/.my-healthcheck.cnf + $maskPreserve +} + +# Initializes database with timezone info and root password, plus optional extra db/user +docker_setup_db() { + # Load timezone info into database + if [ -z "$MARIADB_INITDB_SKIP_TZINFO" ]; then + # --skip-write-binlog usefully disables binary logging + # but also outputs LOCK TABLES to improve the IO of + # Aria (MDEV-23326) for 10.4+. + mariadb-tzinfo-to-sql --skip-write-binlog /usr/share/zoneinfo \ + | docker_process_sql --dont-use-mysql-root-password --database=mysql + # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet + fi + # Generate random root password + if [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then + MARIADB_ROOT_PASSWORD="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)" + export MARIADB_ROOT_PASSWORD MYSQL_ROOT_PASSWORD=$MARIADB_ROOT_PASSWORD + mysql_note "GENERATED ROOT PASSWORD: $MARIADB_ROOT_PASSWORD" + fi + + # Creates root users for non-localhost hosts + local rootCreate= + local rootPasswordEscaped= + if [ -n "$MARIADB_ROOT_PASSWORD" ]; then + # Sets root password and creates root users for non-localhost hosts + rootPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}") + fi + + # default root to listen for connections from anywhere + if [ -n "$MARIADB_ROOT_HOST" ] && [ "$MARIADB_ROOT_HOST" != 'localhost' ]; then + # ref "read -d ''", no, we don't care if read finds a terminating character in this heredoc + # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151 + if [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then + read -r -d '' rootCreate <<-EOSQL || true + CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY PASSWORD '${MARIADB_ROOT_PASSWORD_HASH}' ; + GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; + GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; + EOSQL + else + read -r -d '' rootCreate <<-EOSQL || true + CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY '${rootPasswordEscaped}' ; + GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; + GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; + EOSQL + fi + fi + + local mysqlAtLocalhost= + local mysqlAtLocalhostGrants= + # Install mysql@localhost user + if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then + read -r -d '' mysqlAtLocalhost <<-EOSQL || true + CREATE USER mysql@localhost IDENTIFIED VIA unix_socket; + EOSQL + if [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then + if [ "$MARIADB_MYSQL_LOCALHOST_GRANTS" != USAGE ]; then + mysql_warn "Excessive privileges ON *.* TO mysql@localhost facilitates risks to the confidentiality, integrity and availability of data stored" + fi + mysqlAtLocalhostGrants="GRANT ${MARIADB_MYSQL_LOCALHOST_GRANTS} ON *.* TO mysql@localhost;"; + fi + fi + + local createHealthCheckUsers + createHealthCheckUsers=$(create_healthcheck_users) + + local rootLocalhostPass= + if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then + # handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d + rootLocalhostPass="SET PASSWORD FOR 'root'@'localhost'= PASSWORD('${rootPasswordEscaped}');" + fi + + local createDatabase= + # Creates a custom database and user if specified + if [ -n "$MARIADB_DATABASE" ]; then + mysql_note "Creating database ${MARIADB_DATABASE}" + createDatabase="CREATE DATABASE IF NOT EXISTS \`$MARIADB_DATABASE\`;" + fi + + local createUser= + local userGrants= + if [ -n "$MARIADB_PASSWORD" ] || [ -n "$MARIADB_PASSWORD_HASH" ] && [ -n "$MARIADB_USER" ]; then + mysql_note "Creating user ${MARIADB_USER}" + if [ -n "$MARIADB_PASSWORD_HASH" ]; then + createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY PASSWORD '$MARIADB_PASSWORD_HASH';" + else + # SQL escape the user password, \ followed by ' + local userPasswordEscaped + userPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_PASSWORD}") + createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';" + fi + + if [ -n "$MARIADB_DATABASE" ]; then + mysql_note "Giving user ${MARIADB_USER} access to schema ${MARIADB_DATABASE}" + userGrants="GRANT ALL ON \`${MARIADB_DATABASE//_/\\_}\`.* TO '$MARIADB_USER'@'%';" + fi + fi + + # To create replica user + local createReplicaUser= + local changeMasterTo= + local startReplica= + if [ -n "$MARIADB_REPLICATION_USER" ] ; then + if [ -z "$MARIADB_MASTER_HOST" ]; then + # on master + mysql_note "Creating user ${MARIADB_REPLICATION_USER}" + createReplicaUser=$(create_replica_user) + else + # on replica + local rplPasswordEscaped + rplPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_REPLICATION_PASSWORD}") + # SC cannot follow how MARIADB_MASTER_PORT is assigned a default value. + # shellcheck disable=SC2153 + changeMasterTo="CHANGE MASTER TO MASTER_HOST='$MARIADB_MASTER_HOST', MASTER_USER='$MARIADB_REPLICATION_USER', MASTER_PASSWORD='$rplPasswordEscaped', MASTER_PORT=$MARIADB_MASTER_PORT, MASTER_CONNECT_RETRY=10;" + startReplica="START REPLICA;" + fi + fi + + mysql_note "Securing system users (equivalent to running mysql_secure_installation)" + # tell docker_process_sql to not use MARIADB_ROOT_PASSWORD since it is just now being set + # --binary-mode to save us from the semi-mad users go out of their way to confuse the encoding. + docker_process_sql --dont-use-mysql-root-password --database=mysql --binary-mode <<-EOSQL + -- Securing system users shouldn't be replicated + SET @orig_sql_log_bin= @@SESSION.SQL_LOG_BIN; + SET @@SESSION.SQL_LOG_BIN=0; + -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set + SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); + + DROP USER IF EXISTS root@'127.0.0.1', root@'::1'; + EXECUTE IMMEDIATE CONCAT('DROP USER IF EXISTS root@\'', @@hostname,'\''); + + ${rootLocalhostPass} + ${rootCreate} + ${mysqlAtLocalhost} + ${mysqlAtLocalhostGrants} + ${createHealthCheckUsers} + -- end of securing system users, rest of init now... + SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin; + -- create users/databases + ${createDatabase} + ${createUser} + ${createReplicaUser} + ${userGrants} + + ${changeMasterTo} + ${startReplica} + EOSQL +} + +# create a new installation +docker_mariadb_init() +{ + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + if [ -n "$DATABASE_INIT_FROM_BACKUP" ]; then + shopt -s dotglob + for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do + mkdir -p "$DATADIR"/.init + tar --auto-compress --extract --file "$file" --directory="$DATADIR"/.init + mariadb-backup --target-dir="$DATADIR"/.init --datadir="$DATADIR"/.restore --move-back + + mv "$DATADIR"/.restore/** "$DATADIR"/ + if [ -f "$DATADIR/.init/backup-my.cnf" ]; then + mv "$DATADIR/.init/backup-my.cnf" "$DATADIR/.my.cnf" + mysql_note "Adding startup configuration:" + my_print_defaults --defaults-file="$DATADIR/.my.cnf" --mariadbd + fi + rm -rf "$DATADIR"/.init "$DATADIR"/.restore + if [ "$(id -u)" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql \( -exec chown mysql: '{}' + -o -true \) + fi + done + if _check_if_upgrade_is_needed; then + docker_mariadb_upgrade "$@" + fi + return + fi + docker_init_database_dir "$@" + + mysql_note "Starting temporary server" + docker_temp_server_start "$@" + mysql_note "Temporary server started." + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + # Wait until after /docker-entrypoint-initdb.d is performed before setting + # root@localhost password to a hash we don't know the password for. + if [ -n "${MARIADB_ROOT_PASSWORD_HASH}" ]; then + mysql_note "Setting root@localhost password hash" + docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL + SET @@SESSION.SQL_LOG_BIN=0; + SET PASSWORD FOR 'root'@'localhost'= '${MARIADB_ROOT_PASSWORD_HASH}'; + EOSQL + fi + + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + echo + mysql_note "MariaDB init process done. Ready for start up." + echo +} + +# backup the mysql database +docker_mariadb_backup_system() +{ + if [ -n "$MARIADB_DISABLE_UPGRADE_BACKUP" ] \ + && [ "$MARIADB_DISABLE_UPGRADE_BACKUP" = 1 ]; then + mysql_note "MariaDB upgrade backup disabled due to \$MARIADB_DISABLE_UPGRADE_BACKUP=1 setting" + return + fi + local backup_db="system_mysql_backup_unknown_version.sql.zst" + local oldfullversion="unknown_version" + if [ -r "$DATADIR"/mariadb_upgrade_info ]; then + read -r -d '' oldfullversion < "$DATADIR"/mariadb_upgrade_info || true + if [ -n "$oldfullversion" ]; then + backup_db="system_mysql_backup_${oldfullversion}.sql.zst" + fi + fi + + mysql_note "Backing up system database to $backup_db" + if ! mariadb-dump --skip-lock-tables --replace --databases mysql --socket="${SOCKET}" | zstd > "${DATADIR}/${backup_db}"; then + mysql_error "Unable backup system database for upgrade from $oldfullversion." + fi + mysql_note "Backing up complete" +} + +# perform mariadb-upgrade +# backup the mysql database if this is a major upgrade +docker_mariadb_upgrade() { + if [ -z "$MARIADB_AUTO_UPGRADE" ] \ + || [ "$MARIADB_AUTO_UPGRADE" = 0 ]; then + mysql_note "MariaDB upgrade (mariadb-upgrade or creating healthcheck users) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting" + return + fi + mysql_note "Starting temporary server" + docker_temp_server_start "$@" --skip-grant-tables \ + --loose-innodb_buffer_pool_dump_at_shutdown=0 \ + --skip-slave-start + mysql_note "Temporary server started." + + docker_mariadb_backup_system + + if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then + mysql_note "Creating healthcheck users" + local createHealthCheckUsers + createHealthCheckUsers=$(create_healthcheck_users) + docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL + -- Healthcheck users shouldn't be replicated + SET @@SESSION.SQL_LOG_BIN=0; + -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set + SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); + FLUSH PRIVILEGES; + $createHealthCheckUsers +EOSQL + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + if _check_if_upgrade_is_needed; then + # need a restart as FLUSH PRIVILEGES isn't reversable + mysql_note "Restarting temporary server for upgrade" + docker_temp_server_start "$@" --skip-grant-tables \ + --loose-innodb_buffer_pool_dump_at_shutdown=0 \ + --skip-slave-start + else + return 0 + fi + fi + + mysql_note "Starting mariadb-upgrade" + mariadb-upgrade --upgrade-system-tables + mysql_note "Finished mariadb-upgrade" + + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" +} + + +_check_if_upgrade_is_needed() { + if [ ! -f "$DATADIR"/mariadb_upgrade_info ]; then + mysql_note "MariaDB upgrade information missing, assuming required" + return 0 + fi + local mariadbVersion + mariadbVersion="$(_mariadb_version)" + IFS='.-' read -ra newversion <<<"$mariadbVersion" + IFS='.-' read -ra oldversion < "$DATADIR"/mariadb_upgrade_info || true + + if [[ ${#newversion[@]} -lt 2 ]] || [[ ${#oldversion[@]} -lt 2 ]] \ + || [[ ${oldversion[0]} -lt ${newversion[0]} ]] \ + || [[ ${oldversion[0]} -eq ${newversion[0]} && ${oldversion[1]} -lt ${newversion[1]} ]]; then + return 0 + fi + if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then + mysql_note "MariaDB heathcheck configation file missing, assuming desirable" + return 0 + fi + mysql_note "MariaDB upgrade not required" + return 1 +} + +# check arguments for an option that would cause mariadbd to stop +# return true if there is one +_mysql_want_help() { + local arg + for arg; do + case "$arg" in + -'?'|--help|--print-defaults|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if command starts with an option, prepend mariadbd + if [ "${1:0:1}" = '-' ]; then + set -- mariadbd "$@" + fi + + #ENDOFSUBSTITUTIONS + # skip setup if they aren't running mysqld or want an option that stops mysqld + if [ "$1" = 'mariadbd' ] || [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then + mysql_note "Entrypoint script for MariaDB Server ${MARIADB_VERSION} started." + + mysql_check_config "$@" + # Load various environment variables + docker_setup_env "$@" + docker_create_db_directories + + # If container is started as root user, restart as dedicated mysql user + if [ "$(id -u)" = "0" ]; then + mysql_note "Switching to dedicated user 'mysql'" + exec gosu mysql "${BASH_SOURCE[0]}" "$@" + fi + + # there's no database, so it needs to be initialized + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + + docker_mariadb_init "$@" + # MDEV-27636 mariadb_upgrade --check-if-upgrade-is-needed cannot be run offline + #elif mariadb-upgrade --check-if-upgrade-is-needed; then + elif _check_if_upgrade_is_needed; then + docker_mariadb_upgrade "$@" + fi + fi + exec "$@" +} + +# If we are sourced from elsewhere, don't perform any further actions +if ! _is_sourced; then + _main "$@" +fi diff --git a/main/healthcheck.sh b/main/healthcheck.sh new file mode 100755 index 00000000..c5dcbd38 --- /dev/null +++ b/main/healthcheck.sh @@ -0,0 +1,375 @@ +#!/bin/bash +# +# Healthcheck script for MariaDB +# +# Runs various tests on the MariaDB server to check its health. Pass the tests +# to run as arguments. If all tests succeed, the server is considered healthy, +# otherwise it's not. +# +# Arguments are processed in strict order. Set replication_* options before +# the --replication option. This allows a different set of replication checks +# on different connections. +# +# --su{=|-mysql} is option to run the healthcheck as a different unix user. +# Useful if mysql@localhost user exists with unix socket authentication +# Using this option disregards previous options set, so should usually be the +# first option. +# +# Some tests require SQL privileges. +# +# TEST MINIMUM GRANTS REQUIRED +# connect none* +# innodb_initialized USAGE +# innodb_buffer_pool_loaded USAGE +# galera_online USAGE +# galera_ready USAGE +# replication REPLICATION_CLIENT (<10.5)or REPLICA MONITOR (10.5+) +# mariadbupgrade none, however unix user permissions on datadir +# +# The SQL user used is the default for the mariadb client. This can be the unix user +# if no user(or password) is set in the [mariadb-client] section of a configuration +# file. --defaults-{file,extra-file,group-suffix} can specify a file/configuration +# different from elsewhere. +# +# Note * though denied error message will result in error log without +# any permissions. USAGE recommend to avoid this. + +set -eo pipefail + +_process_sql() +{ + mariadb ${nodefaults:+--no-defaults} \ + ${def['file']:+--defaults-file=${def['file']}} \ + ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ + ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --skip-ssl --skip-ssl-verify-server-cert \ + --protocol socket \ + -B "$@" +} + +# TESTS + + +# CONNECT +# +# Tests that a connection can be made over TCP, the final state +# of the entrypoint and is listening. The authentication used +# isn't tested. +connect() +{ + local s + # short cut mechanism, to work with --require-secure-transport + s=$(_process_sql --skip-column-names -e 'select @@skip_networking') + case "$s" in + 0|1) + connect_s=$s + return "$s"; + ;; + esac + # falling back to this if there wasn't a connection answer. + set +e +o pipefail + # (on second extra_file) + # shellcheck disable=SC2086 + mariadb ${nodefaults:+--no-defaults} \ + ${def['file']:+--defaults-file=${def['file']}} \ + ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ + ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ + --skip-ssl --skip-ssl-verify-server-cert \ + -h localhost --protocol tcp -e 'select 1' 2>&1 \ + | grep -qF "Can't connect" + local ret=${PIPESTATUS[1]} + set -eo pipefail + if (( "$ret" == 0 )); then + # grep Matched "Can't connect" so we fail + connect_s=1 + else + connect_s=0 + fi + return $connect_s +} + +# INNODB_INITIALIZED +# +# This tests that the crash recovery of InnoDB has completed +# along with all the other things required to make it to a healthy +# operational state. Note this may return true in the early +# states of initialization. Use with a connect test to avoid +# these false positives. +innodb_initialized() +{ + local s + s=$(_process_sql --skip-column-names -e "select 1 from information_schema.ENGINES WHERE engine='innodb' AND support in ('YES', 'DEFAULT', 'ENABLED')") + [ "$s" == 1 ] +} + +# INNODB_BUFFER_POOL_LOADED +# +# Tests the load of the innodb buffer pool as been complete +# implies innodb_buffer_pool_load_at_startup=1 (default), or if +# manually SET innodb_buffer_pool_load_now=1 +innodb_buffer_pool_loaded() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='Innodb_buffer_pool_load_status'") + if [[ $s =~ 'load completed' ]]; then + return 0 + fi + return 1 +} + +# GALERA_ONLINE +# +# Tests that the galera node is in the SYNCed state +galera_online() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_LOCAL_STATE'") + # 4 from https://galeracluster.com/library/documentation/node-states.html#node-state-changes + # not https://xkcd.com/221/ + if [[ $s -eq 4 ]]; then + return 0 + fi + return 1 +} + +# GALERA_READY +# +# Tests that the Galera provider is ready. +galera_ready() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_READY'") + if [ "$s" = "ON" ]; then + return 0 + fi + return 1 +} + +# REPLICATION +# +# Tests the replication has the required set of functions: +# --replication_all -> Checks all replication sources +# --replication_name=n -> sets the multisource connection name tested +# --replication_io -> IO thread is running +# --replication_sql -> SQL thread is running +# --replication_seconds_behind_master=n -> less than or equal this seconds of delay +# --replication_sql_remaining_delay=n -> less than or equal this seconds of remaining delay +# (ref: https://mariadb.com/kb/en/delayed-replication/) +replication() +{ + # SHOW REPLICA available 10.5+ + # https://github.com/koalaman/shellcheck/issues/2383 + # shellcheck disable=SC2016,SC2026 + _process_sql -e "SHOW ${repl['all']:+all} REPLICA${repl['all']:+S} ${repl['name']:+'${repl['name']}'} STATUS\G" | \ + { + # required for trim of leading space. + shopt -s extglob + # Row header + read -t 5 -r + # read timeout + [ $? -gt 128 ] && return 1 + while IFS=":" read -t 1 -r n v; do + # Trim leading space + n=${n##+([[:space:]])} + # Leading space on all values by the \G format needs to be trimmed. + v=${v:1} + case "$n" in + Slave_IO_Running) + if [ -n "${repl['io']}" ] && [ "$v" = 'No' ]; then + return 1 + fi + ;; + Slave_SQL_Running) + if [ -n "${repl['sql']}" ] && [ "$v" = 'No' ]; then + return 1 + fi + ;; + Seconds_Behind_Master) + # A NULL value is the IO thread not running: + if [ -n "${repl['seconds_behind_master']}" ] && + { [ "$v" = NULL ] || + (( "${repl['seconds_behind_master']}" < "$v" )); }; then + return 1 + fi + ;; + SQL_Remaining_Delay) + # Unlike Seconds_Behind_Master, sql_remaining_delay will hit NULL + # once replication is caught up - https://mariadb.com/kb/en/delayed-replication/ + if [ -n "${repl['sql_remaining_delay']}" ] && + [ "$v" != NULL ] && + (( "${repl['sql_remaining_delay']}" < "$v" )); then + return 1 + fi + ;; + esac + done + # read timeout + [ $? -gt 128 ] && return 1 + return 0 + } + # reachable in command not found(?) + # shellcheck disable=SC2317 + return $? +} + +# mariadbupgrade +# +# Test the lock on the file $datadir/mariadb_upgrade_info +# https://jira.mariadb.org/browse/MDEV-27068 +mariadbupgrade() +{ + local f="$datadir/mariadb_upgrade_info" + if [ -r "$f" ]; then + flock --exclusive --nonblock -n 9 9<"$f" + return $? + fi + return 0 +} + + +# MAIN + +if [ $# -eq 0 ]; then + echo "At least one argument required" >&2 + exit 1 +fi + +#ENDOFSUBSTITUTIONS +# Marks the end of mysql -> mariadb name changes in 10.6+ +# Global variables used by tests +declare -A repl +declare -A def +nodefaults= +connect_s= +datadir=/var/lib/mysql +if [ -f $datadir/.my-healthcheck.cnf ]; then + def['extra_file']=$datadir/.my-healthcheck.cnf +fi + +_repl_param_check() +{ + case "$1" in + seconds_behind_master) ;& + sql_remaining_delay) + if [ -z "${repl['io']}" ]; then + repl['io']=1 + echo "Forcing --replication_io=1, $1 requires IO thread to be running" >&2 + fi + ;; + all) + if [ -n "${repl['name']}" ]; then + unset 'repl[name]' + echo "Option --replication_all incompatible with specified source --replication_name, clearing replication_name" >&2 + fi + ;; + name) + if [ -n "${repl['all']}" ]; then + unset 'repl[all]' + echo "Option --replication_name incompatible with --replication_all, clearing replication_all" >&2 + fi + ;; + esac +} + +_test_exists() { + declare -F "$1" > /dev/null + return $? +} + +while [ $# -gt 0 ]; do + case "$1" in + --su=*) + u="${1#*=}" + shift + exec gosu "${u}" "${BASH_SOURCE[0]}" "$@" + ;; + --su) + shift + u=$1 + shift + exec gosu "$u" "${BASH_SOURCE[0]}" "$@" + ;; + --su-mysql) + shift + exec gosu mysql "${BASH_SOURCE[0]}" "$@" + ;; + --replication_*=*) + # Change the n to what is between _ and = and make lower case + n=${1#*_} + n=${n%%=*} + n=${n,,*} + # v is after the = + v=${1#*=} + repl[$n]=$v + _repl_param_check "$n" + ;; + --replication_*) + # Without =, look for a non --option next as the value, + # otherwise treat it as an "enable", just equate to 1. + # Clearing option is possible with "--replication_X=" + n=${1#*_} + n=${n,,*} + if [ "${2:0:2}" == '--' ]; then + repl[$n]=1 + else + repl[$n]=$2 + shift + fi + _repl_param_check "$n" + ;; + --datadir=*) + datadir=${1#*=} + ;; + --datadir) + shift + datadir=${1} + ;; + --no-defaults) + def=() + nodefaults=1 + ;; + --defaults-file=*|--defaults-extra-file=*|--defaults-group-suffix=*) + n=${1:11} # length --defaults- + n=${n%%=*} + n=${n//-/_} + # v is after the = + v=${1#*=} + def[$n]=$v + nodefaults= + ;; + --defaults-file|--defaults-extra-file|--defaults-group-suffix) + n=${1:11} # length --defaults- + n=${n//-/_} + if [ "${2:0:2}" == '--' ]; then + def[$n]="" + else + def[$n]=$2 + shift + fi + nodefaults= + ;; + --*) + test=${1#--} + ;; + *) + echo "Unknown healthcheck option $1" >&2 + exit 1 + esac + if [ -n "$test" ]; then + if ! _test_exists "$test" ; then + echo "healthcheck unknown option or test '$test'" >&2 + exit 1 + elif ! "$test"; then + echo "healthcheck $test failed" >&2 + exit 1 + fi + test= + fi + shift +done +if [ -z "$connect_s" ]; then + # we didn't do a connnect test, so the current success status is suspicious + # return what connect thinks. + connect + exit $? +fi diff --git a/update.sh b/update.sh index eb7eb8d2..ca99d50b 100755 --- a/update.sh +++ b/update.sh @@ -4,7 +4,7 @@ set -Eeuo pipefail # Usage ./update.sh [version(multiple)...] # -development_version=11.6 +development_version=main defaultSuite='noble' declare -A suites=( diff --git a/versions.json b/versions.json index 81c58052..cd827cd3 100644 --- a/versions.json +++ b/versions.json @@ -166,5 +166,33 @@ "ppc64le", "s390x" ] + }, + "main": { + "milestone": "main", + "version": "main.0", + "fullVersion": "1:main.0+maria~ubu2404", + "releaseStatus": "Alpha", + "supportType": "Unknown", + "base": "ubuntu:noble", + "arches": [ + "amd64", + "arm64v8", + "ppc64le", + "s390x" + ] + }, + "main-ubi": { + "milestone": "main", + "version": "main.0", + "fullVersion": "main.0", + "releaseStatus": "Alpha", + "supportType": "Unknown", + "base": "ubi9", + "arches": [ + "amd64", + "arm64v8", + "ppc64le", + "s390x" + ] } } From 05a42334c406567185dc331defd0f33b8edd0454 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 25 Jul 2024 12:35:36 +1000 Subject: [PATCH 13/18] ubi: use ENV MARIADB_VERSION so its easier for CI --- 10.11-ubi/Dockerfile | 5 +++-- 10.6-ubi/Dockerfile | 5 +++-- 11.4-ubi/Dockerfile | 5 +++-- 11.5-ubi/Dockerfile | 9 +++++---- 11.6-ubi/Dockerfile | 5 +++-- Dockerfile-ubi.template | 5 +++-- main-ubi/Dockerfile | 5 +++-- 7 files changed, 23 insertions(+), 16 deletions(-) diff --git a/10.11-ubi/Dockerfile b/10.11-ubi/Dockerfile index 272ae5fb..314351a9 100644 --- a/10.11-ubi/Dockerfile +++ b/10.11-ubi/Dockerfile @@ -55,6 +55,7 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ # bashbrew-architectures: amd64 arm64v8 ppc64le s390x ARG MARIADB_VERSION=10.11.8 +ENV MARIADB_VERSION=$MARIADB_VERSION # release-status:Stable # release-support-type:Long Term Support # (https://downloads.mariadb.org/rest-api/mariadb/) @@ -85,7 +86,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-10.11.8 MariaDB-server-10.11.8 ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -94,7 +95,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-10.11.8/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/10.6-ubi/Dockerfile b/10.6-ubi/Dockerfile index eaf6b179..d3f16a7e 100644 --- a/10.6-ubi/Dockerfile +++ b/10.6-ubi/Dockerfile @@ -56,6 +56,7 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ # bashbrew-architectures: amd64 arm64v8 ppc64le s390x ARG MARIADB_MAJOR=10.6 ARG MARIADB_VERSION=10.6.18 +ENV MARIADB_VERSION=$MARIADB_VERSION # release-status:Stable # release-support-type:Long Term Support # (https://downloads.mariadb.org/rest-api/mariadb/) @@ -86,7 +87,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-10.6.18 MariaDB-server-10.6.18 ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -95,7 +96,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-10.6.18/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/11.4-ubi/Dockerfile b/11.4-ubi/Dockerfile index 6ec10217..dce5d083 100644 --- a/11.4-ubi/Dockerfile +++ b/11.4-ubi/Dockerfile @@ -55,6 +55,7 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ # bashbrew-architectures: amd64 arm64v8 ppc64le s390x ARG MARIADB_VERSION=11.4.2 +ENV MARIADB_VERSION=$MARIADB_VERSION # release-status:Stable # release-support-type:Long Term Support # (https://downloads.mariadb.org/rest-api/mariadb/) @@ -85,7 +86,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-11.4.2 MariaDB-server-11.4.2 ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -94,7 +95,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-11.4.2/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/11.5-ubi/Dockerfile b/11.5-ubi/Dockerfile index ffc3aebc..ccbe224a 100644 --- a/11.5-ubi/Dockerfile +++ b/11.5-ubi/Dockerfile @@ -55,8 +55,9 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ # bashbrew-architectures: amd64 arm64v8 ppc64le s390x ARG MARIADB_VERSION=11.5.1 -# release-status:RC -# release-support-type:Rolling +ENV MARIADB_VERSION=$MARIADB_VERSION +# release-status:Unknown +# release-support-type:Unknown # (https://downloads.mariadb.org/rest-api/mariadb/) # missing pwgen(epel), jemalloc(epel) (as entrypoint/user extensions) @@ -85,7 +86,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-11.5.1 MariaDB-server-11.5.1 ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -94,7 +95,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-11.5.1/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/11.6-ubi/Dockerfile b/11.6-ubi/Dockerfile index 9e7182f5..4ad4b312 100644 --- a/11.6-ubi/Dockerfile +++ b/11.6-ubi/Dockerfile @@ -55,6 +55,7 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ # bashbrew-architectures: amd64 arm64v8 ppc64le s390x ARG MARIADB_VERSION=11.6.0 +ENV MARIADB_VERSION=$MARIADB_VERSION # release-status:Alpha # release-support-type:Unknown # (https://downloads.mariadb.org/rest-api/mariadb/) @@ -85,7 +86,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-11.6.0 MariaDB-server-11.6.0 ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -94,7 +95,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-11.6.0/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/Dockerfile-ubi.template b/Dockerfile-ubi.template index ab6e6052..cff7d4d4 100644 --- a/Dockerfile-ubi.template +++ b/Dockerfile-ubi.template @@ -56,6 +56,7 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ # bashbrew-architectures:%%ARCHES%% ARG MARIADB_MAJOR=%%MARIADB_MAJOR%% ARG MARIADB_VERSION=%%MARIADB_VERSION%% +ENV MARIADB_VERSION=$MARIADB_VERSION # release-status:%%MARIADB_RELEASE_STATUS%% # release-support-type:%%MARIADB_SUPPORT_TYPE%% # (https://downloads.mariadb.org/rest-api/mariadb/) @@ -86,7 +87,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-%%MARIADB_VERSION_BASIC%% MariaDB-server-%%MARIADB_VERSION_BASIC%% ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -95,7 +96,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-%%MARIADB_VERSION_BASIC%%/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/main-ubi/Dockerfile b/main-ubi/Dockerfile index 17d5189c..a7839211 100644 --- a/main-ubi/Dockerfile +++ b/main-ubi/Dockerfile @@ -55,6 +55,7 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ # bashbrew-architectures: amd64 arm64v8 ppc64le s390x ARG MARIADB_VERSION=main.0 +ENV MARIADB_VERSION=$MARIADB_VERSION # release-status:Alpha # release-support-type:Unknown # (https://downloads.mariadb.org/rest-api/mariadb/) @@ -85,7 +86,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-main.0 MariaDB-server-main.0 ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -94,7 +95,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-main.0/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu From ffb4f5bd50b2991be4a49c0ebed464fb0c651ba3 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 25 Jul 2024 12:56:12 +1000 Subject: [PATCH 14/18] TMP: update.sh to use Unknwon for missing release_{support_type,status} --- update.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/update.sh b/update.sh index ca99d50b..3ef526b2 100755 --- a/update.sh +++ b/update.sh @@ -244,8 +244,8 @@ for version in "${versions[@]}"; do fi readarray -t release <<< "$(curl -fsSL "$DOWNLOADS_REST_API/mariadb/" \ | jq -r --arg version "${version%-*}" '.major_releases[] | select(.release_id == $version) | [ .release_status ] , [ .release_support_type ] | @tsv')" - releaseStatus=${release[0]} - supportType=${release[1]} + releaseStatus=${release[0]:-Unknown} + supportType=${release[1]:-Unknown} update_version done From c52e778360654abdb3d4c88be1d900885fbfceb3 Mon Sep 17 00:00:00 2001 From: Martin Montes Date: Wed, 3 Jul 2024 15:42:06 +0200 Subject: [PATCH 15/18] Specify "mysql" as container user to be compliant with Red Hat container certification --- 10.11-ubi/Dockerfile | 1 + 10.6-ubi/Dockerfile | 1 + 11.4-ubi/Dockerfile | 1 + 11.5-ubi/Dockerfile | 1 + 11.6-ubi/Dockerfile | 1 + Dockerfile-ubi.template | 1 + main-ubi/Dockerfile | 1 + 7 files changed, 7 insertions(+) diff --git a/10.11-ubi/Dockerfile b/10.11-ubi/Dockerfile index 314351a9..d3c1315f 100644 --- a/10.11-ubi/Dockerfile +++ b/10.11-ubi/Dockerfile @@ -108,5 +108,6 @@ COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] +USER mysql EXPOSE 3306 CMD ["mariadbd"] diff --git a/10.6-ubi/Dockerfile b/10.6-ubi/Dockerfile index d3f16a7e..75d8a008 100644 --- a/10.6-ubi/Dockerfile +++ b/10.6-ubi/Dockerfile @@ -109,5 +109,6 @@ COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] +USER mysql EXPOSE 3306 CMD ["mariadbd"] diff --git a/11.4-ubi/Dockerfile b/11.4-ubi/Dockerfile index dce5d083..b6ea4194 100644 --- a/11.4-ubi/Dockerfile +++ b/11.4-ubi/Dockerfile @@ -108,5 +108,6 @@ COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] +USER mysql EXPOSE 3306 CMD ["mariadbd"] diff --git a/11.5-ubi/Dockerfile b/11.5-ubi/Dockerfile index ccbe224a..382b8d21 100644 --- a/11.5-ubi/Dockerfile +++ b/11.5-ubi/Dockerfile @@ -108,5 +108,6 @@ COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] +USER mysql EXPOSE 3306 CMD ["mariadbd"] diff --git a/11.6-ubi/Dockerfile b/11.6-ubi/Dockerfile index 4ad4b312..db8fd8dc 100644 --- a/11.6-ubi/Dockerfile +++ b/11.6-ubi/Dockerfile @@ -108,5 +108,6 @@ COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] +USER mysql EXPOSE 3306 CMD ["mariadbd"] diff --git a/Dockerfile-ubi.template b/Dockerfile-ubi.template index cff7d4d4..22e88083 100644 --- a/Dockerfile-ubi.template +++ b/Dockerfile-ubi.template @@ -109,5 +109,6 @@ COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] +USER mysql EXPOSE 3306 CMD ["mariadbd"] diff --git a/main-ubi/Dockerfile b/main-ubi/Dockerfile index a7839211..8a335c51 100644 --- a/main-ubi/Dockerfile +++ b/main-ubi/Dockerfile @@ -108,5 +108,6 @@ COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] +USER mysql EXPOSE 3306 CMD ["mariadbd"] From c6f49a502a5a3400e9abe74a923c225b3596e2e2 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 2 Aug 2024 17:50:31 +1000 Subject: [PATCH 16/18] test: jemalloc test agnositic to default USER --- .test/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.test/run.sh b/.test/run.sh index bb3e7d92..7ac3d7b8 100755 --- a/.test/run.sh +++ b/.test/run.sh @@ -625,7 +625,7 @@ if [ -n "$debarch" ] then echo -e "Test: jemalloc preload\n" runandwait -e LD_PRELOAD="/usr/lib/$debarch-linux-gnu/libjemalloc.so.1 /usr/lib/$debarch-linux-gnu/libjemalloc.so.2 /usr/lib64/libjemalloc.so.2" -e MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=1 "${image}" - docker exec -i "$cid" gosu mysql /bin/grep 'jemalloc' /proc/1/maps || die "expected to preload jemalloc" + docker exec -i --user mysql "$cid" /bin/grep 'jemalloc' /proc/1/maps || die "expected to preload jemalloc" killoff From 58494e28dd61665c6a04c17048acb93cbec86e4b Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 2 Aug 2024 17:52:10 +1000 Subject: [PATCH 17/18] ubi: Fix env variable for installation version fixing --- 10.11-ubi/Dockerfile | 4 ++-- 10.6-ubi/Dockerfile | 4 ++-- 11.4-ubi/Dockerfile | 4 ++-- 11.5-ubi/Dockerfile | 4 ++-- 11.6-ubi/Dockerfile | 12 ++++++------ Dockerfile-ubi.template | 4 ++-- main-ubi/Dockerfile | 4 ++-- 7 files changed, 18 insertions(+), 18 deletions(-) diff --git a/10.11-ubi/Dockerfile b/10.11-ubi/Dockerfile index d3c1315f..72804c77 100644 --- a/10.11-ubi/Dockerfile +++ b/10.11-ubi/Dockerfile @@ -86,7 +86,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -95,7 +95,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/10.6-ubi/Dockerfile b/10.6-ubi/Dockerfile index 75d8a008..31e1afec 100644 --- a/10.6-ubi/Dockerfile +++ b/10.6-ubi/Dockerfile @@ -87,7 +87,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -96,7 +96,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/11.4-ubi/Dockerfile b/11.4-ubi/Dockerfile index b6ea4194..c73fb26e 100644 --- a/11.4-ubi/Dockerfile +++ b/11.4-ubi/Dockerfile @@ -86,7 +86,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -95,7 +95,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/11.5-ubi/Dockerfile b/11.5-ubi/Dockerfile index 382b8d21..d16dbe04 100644 --- a/11.5-ubi/Dockerfile +++ b/11.5-ubi/Dockerfile @@ -86,7 +86,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -95,7 +95,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/11.6-ubi/Dockerfile b/11.6-ubi/Dockerfile index db8fd8dc..8380f3c2 100644 --- a/11.6-ubi/Dockerfile +++ b/11.6-ubi/Dockerfile @@ -36,7 +36,7 @@ COPY MariaDB.repo /etc/yum.repos.d/ # https://access.redhat.com/documentation/en-us/red_hat_software_certification/2024/html/red_hat_openshift_software_certification_policy_guide/assembly-requirements-for-container-images_openshift-sw-cert-policy-introduction#con-image-metadata-requirements_openshift-sw-cert-policy-container-images LABEL name="MariaDB Server" \ vendor="MariaDB Community" \ - version="11.6.0" \ + version="11.6.0 Vector" \ release="Refer to Annotations org.opencontainers.image.{revision,source}" \ summary="MariaDB Database" \ description="MariaDB Database for relational SQL" @@ -50,13 +50,13 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ org.opencontainers.image.licenses="GPL-2.0" \ org.opencontainers.image.source="https://github.com/MariaDB/mariadb-docker" \ org.opencontainers.image.vendor="MariaDB Community" \ - org.opencontainers.image.version="11.6.0" \ + org.opencontainers.image.version="11.6.0 Vector" \ org.opencontainers.image.url="https://github.com/MariaDB/mariadb-docker" # bashbrew-architectures: amd64 arm64v8 ppc64le s390x -ARG MARIADB_VERSION=11.6.0 +ARG MARIADB_VERSION=11.6.0 Vector ENV MARIADB_VERSION=$MARIADB_VERSION -# release-status:Alpha +# release-status:Unknown # release-support-type:Unknown # (https://downloads.mariadb.org/rest-api/mariadb/) @@ -86,7 +86,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -95,7 +95,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/Dockerfile-ubi.template b/Dockerfile-ubi.template index 22e88083..13d31f5d 100644 --- a/Dockerfile-ubi.template +++ b/Dockerfile-ubi.template @@ -87,7 +87,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -96,7 +96,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu diff --git a/main-ubi/Dockerfile b/main-ubi/Dockerfile index 8a335c51..7be4e69f 100644 --- a/main-ubi/Dockerfile +++ b/main-ubi/Dockerfile @@ -86,7 +86,7 @@ RUN set -eux ; \ microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ chmod ugo+rwx,o+t /run/mariadb ; \ - microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION_BASIC} ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION} ; \ # compatibility with DEB Galera packaging ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ # compatibility with RPM Galera packaging @@ -95,7 +95,7 @@ RUN set -eux ; \ rmdir /var/lib/mysql/mysql ; \ chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ mkdir /licenses ; \ - ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION_BASIC}/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION}/COPYING /licenses/GPL-2 ; \ ln -s /usr/share/licenses /licenses/package-licenses ; \ ln -s Apache-2.0-license /licenses/gosu From 64decf74a761c6468be329ba4891fa5a3f3ef43c Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sun, 4 Aug 2024 10:51:49 +1000 Subject: [PATCH 18/18] Containerfiles for making contains with debug info --- Containerfile.debug | 12 ++++++++++++ Containerfile.debug-ubi | 8 ++++++++ 2 files changed, 20 insertions(+) create mode 100644 Containerfile.debug create mode 100644 Containerfile.debug-ubi diff --git a/Containerfile.debug b/Containerfile.debug new file mode 100644 index 00000000..1b1e269d --- /dev/null +++ b/Containerfile.debug @@ -0,0 +1,12 @@ +# Containerfile for adding the debuginfo of an apt, based container +# with some tools. +ARG BASE +FROM $BASE + +RUN apt-get update \ + && apt-get install -y linux-tools-common gdbserver gdb curl \ + && dpkg-query --showformat='${Package},${Version},${Architecture}\n' --show | grep mariadb \ + | while IFS=, read pkg version arch; do \ + [ $arch != all ] && apt-get install -y ${pkg}-dbgsym=${version} ; \ + done; \ + rm -rf /var/lib/apt/lists/* diff --git a/Containerfile.debug-ubi b/Containerfile.debug-ubi new file mode 100644 index 00000000..ca159da0 --- /dev/null +++ b/Containerfile.debug-ubi @@ -0,0 +1,8 @@ +# Containerfile for adding the debuginfo of ubi micro rpm, based container +# with some tools. +ARG BASE +FROM $BASE + +USER root +RUN microdnf install MariaDB-server-debug-${MARIADB_VERSION} MariaDB-backup-debug-${MARIADB_VERSION} +USER mysql