From b76a62103f2efb58a3f0a65662e3addcf1a73cc7 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Mon, 20 May 2024 17:35:24 +1000
Subject: [PATCH] add 10.6-ubi, 10.11-ubi
---
 10.11-ubi/Dockerfile | 55 +++
 10.11-ubi/MariaDB.repo | 6 +
 10.11-ubi/docker-entrypoint.sh | 715 +++++++++++++++++++++++++++++++++
 10.11-ubi/docker.cnf | 10 +
 10.11-ubi/healthcheck.sh | 353 ++++++++++++++++
 10.6-ubi/Dockerfile | 53 ++-
 10.6-ubi/MariaDB.repo | 6 +-
 10.6-ubi/docker-entrypoint.sh | 258 +++++++++---
 10.6-ubi/docker.cnf | 7 +
 10.6-ubi/healthcheck.sh | 35 +-
 versions.json | 28 ++
 11 files changed, 1451 insertions(+), 75 deletions(-)
 create mode 100644 10.11-ubi/Dockerfile
 create mode 100644 10.11-ubi/MariaDB.repo
 create mode 100755 10.11-ubi/docker-entrypoint.sh
 create mode 100644 10.11-ubi/docker.cnf
 create mode 100755 10.11-ubi/healthcheck.sh
diff --git a/10.11-ubi/Dockerfile b/10.11-ubi/Dockerfile
new file mode 100644
index 00000000..4d7d7494
--- /dev/null
+++ b/10.11-ubi/Dockerfile
@@ -0,0 +1,55 @@
+FROM redhat/ubi9
+
+# systemd-coredump has the uid 999, input has group 999, that we want to use for compatibility with the ubuntu image.
+RUN groupdel input && \
+ userdel systemd-coredump && \
+ groupadd --gid 999 -r mysql && \
+ useradd -r -g mysql mysql --home-dir /var/lib/mysql --uid 999
+
+ARG TARGETARCH
+ENV GOSU_VERSION 1.17
+RUN curl --location --output /usr/local/bin/gosu https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-$TARGETARCH && \
+ curl --location --output /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$TARGETARCH.asc"; \
+ GNUPGHOME="$(mktemp -d)"; \
+ export GNUPGHOME; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ chmod a+x /usr/local/bin/gosu; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ gosu --version; \
+ gosu nobody true
+
+COPY MariaDB.repo /etc/yum.repos.d/
+
+# missing pwgen, pv (epel),
+# procps - missing dependency of galera sst script
+# libboost_program_options.so.1.66.0 only used by garb - should fix upstream
+RUN gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys FF8AD1344597106ECE813B918A3872BF3228467C && \
+ rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
+ dnf update -y && \
+ dnf install -y procps-ng zstd xz jemalloc pwgen tzdata && \
+ for pkg in boost-program-options-1.75.0-8; do \
+ rpm -ivh https://repo.almalinux.org/almalinux/9/AppStream/$(arch)/os/Packages/${pkg}.el9.$(arch).rpm ; \
+ done ; \
+ dnf install -y MariaDB-backup-10.11.8 MariaDB-server-10.11.8 && \
+ ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so && \
+ rm -rf /var/lib/mysql; \
+ mkdir -p /var/lib/mysql /var/run/mysqld /etc/mysql/conf.d/ /etc/mysql/mariadb.conf.d/; \
+ chown -R mysql:mysql /var/lib/mysql /var/run/mysqld; \
+ chmod 777 /var/run/mysqld ; \
+ mkdir /licenses && ln -s /usr/share/doc/MariaDB-server-10.11.8/COPYING /licenses/GPL-2
+
+COPY docker.cnf /etc/my.cnf.d/
+
+VOLUME /var/lib/mysql
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+COPY healthcheck.sh /usr/local/bin/healthcheck.sh
+COPY /docker-entrypoint.sh /usr/local/bin/
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+EXPOSE 3306
+CMD ["mariadbd"]
diff --git a/10.11-ubi/MariaDB.repo b/10.11-ubi/MariaDB.repo
new file mode 100644
index 00000000..769b6e99
--- /dev/null
+++ b/10.11-ubi/MariaDB.repo
@@ -0,0 +1,6 @@
+[mariadb]
+name = MariaDB
+#baseurl = https://rpm.mariadb.org/10.11/rhel/$releasever/$basearch
+baseurl = https://archive.mariadb.org/mariadb-10.11/yum/rhel/$releasever/$basearch
+gpgkey=https://archive.mariadb.org/PublicKey
+gpgcheck=1
diff --git a/10.11-ubi/docker-entrypoint.sh b/10.11-ubi/docker-entrypoint.sh
new file mode 100755
index 00000000..6e50e1c0
--- /dev/null
+++ b/10.11-ubi/docker-entrypoint.sh
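Review bot: In the gosu RUN of the new 10.11-ubi/Dockerfile everything after the second curl is chained with `;`, so a non-zero exit from `gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu` (or from the download itself) is discarded and the layer succeeds as long as the final `gosu nobody true` does — the signature check cannot fail the build. Start the command list with `set -eux; \` (or chain with `&&` throughout) so a failed fetch or verification aborts the layer; the identical RUN in the 10.6-ubi/Dockerfile hunk has the same shape, as does the tail of the package RUN where `rm -rf /var/lib/mysql; mkdir -p …; chown …; chmod 777 /var/run/mysqld` run under `;`. In that package RUN the EPEL key received with `gpg --recv-keys FF8A…467C` lands in the build's gpg keyring and, as far as I can tell, is not used afterwards, so `rpm -ivh <url>` of epel-release and the AlmaLinux boost package is not backed by an rpm-database key; an `rpm --import` of the key before those installs would make rpm's own check effective. `ENV GOSU_VERSION 1.17` uses the deprecated space-separated form and should read `ENV GOSU_VERSION=1.17`.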
@@ -0,0 +1,715 @@
+#!/bin/bash
+set -eo pipefail
+shopt -s nullglob
+
+# logging functions
+mysql_log() {
+ local type="$1"; shift
+ printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*"
+}
+mysql_note() {
+ mysql_log Note "$@"
+}
+mysql_warn() {
+ mysql_log Warn "$@" >&2
+}
+mysql_error() {
+ mysql_log ERROR "$@" >&2
+ exit 1
+}
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ mysql_error "Both $var and $fileVar are set (but are exclusive)"
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# set MARIADB_xyz from MYSQL_xyz when MARIADB_xyz is unset
+# and make them the same value (so user scripts can use either)
+_mariadb_file_env() {
+ local var="$1"; shift
+ local maria="MARIADB_${var#MYSQL_}"
+ file_env "$var" "$@"
+ file_env "$maria" "${!var}"
+ if [ "${!maria:-}" ]; then
+ export "$var"="${!maria}"
+ fi
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions
+docker_process_init_files() {
+ # mysql here for backwards compatibility "${mysql[@]}"
+ # ShellCheck: mysql appears unused. Verify use (or export if used externally)
+ # shellcheck disable=SC2034
+ mysql=( docker_process_sql )
+
+ echo
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ mysql_note "$0: running $f"
+ "$f"
+ else
+ mysql_note "$0: sourcing $f"
+ # ShellCheck can't follow non-constant source. Use a directive to specify location.
+ # shellcheck disable=SC1090
+ . "$f"
+ fi
+ ;;
+ *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;;
+ *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;;
+ *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;;
+ *.sql.zst) mysql_note "$0: running $f"; zstd -dc "$f" | docker_process_sql; echo ;;
+ *) mysql_warn "$0: ignoring $f" ;;
+ esac
+ echo
+ done
+}
+
+# arguments necessary to run "mariadbd --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values)
+_verboseHelpArgs=(
+ --verbose --help
+)
+
+mysql_check_config() {
+ local toRun=( "$@" "${_verboseHelpArgs[@]}" ) errors
+ if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
+ mysql_error $'mariadbd failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors"
+ fi
+}
+
+# Fetch value from server config
+# We use mariadbd --verbose --help instead of my_print_defaults because the
+# latter only show values present in config files, and not server defaults
+mysql_get_config() {
+ local conf="$1"; shift
+ "$@" "${_verboseHelpArgs[@]}" 2>/dev/null \
+ | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
+ # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)"
+}
+
+# Do a temporary startup of the MariaDB server, for init purposes
+docker_temp_server_start() {
+ "$@" --skip-networking --default-time-zone=SYSTEM --socket="${SOCKET}" --wsrep_on=OFF \
+ --expire-logs-days=0 \
+ --loose-innodb_buffer_pool_load_at_startup=0 &
+ declare -g MARIADB_PID
+ MARIADB_PID=$!
+ mysql_note "Waiting for server startup"
+ # only use the root password if the database has already been initialized
+ # so that it won't try to fill in a password file when it hasn't been set yet
+ extraArgs=()
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ extraArgs+=( '--dont-use-mysql-root-password' )
+ fi
+ local i
+ for i in {30..0}; do
+ if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
+ break
+ fi
+ sleep 1
+ done
+ if [ "$i" = 0 ]; then
+ mysql_error "Unable to start server."
+ fi
+}
+
+# Stop the server. When using a local socket file mariadb-admin will block until
+# the shutdown is complete.
+docker_temp_server_stop() {
+ kill "$MARIADB_PID"
+ wait "$MARIADB_PID"
+}
+
+# Verify that the minimally required password settings are set for new databases.
+docker_verify_minimum_env() {
+ # Restoring from backup requires no environment variables
+ declare -g DATABASE_INIT_FROM_BACKUP
+ for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do
+ if [ -f "${file}" ]; then
+ DATABASE_INIT_FROM_BACKUP='true'
+ return
+ fi
+ done
+ if [ -z "$MARIADB_ROOT_PASSWORD" ] && [ -z "$MARIADB_ROOT_PASSWORD_HASH" ] && [ -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] && [ -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then
+ mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ROOT_PASSWORD_HASH, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD'
+ fi
+ # More preemptive exclusions of combinations should have been made before *PASSWORD_HASH was added, but for now we don't enforce due to compatibility.
+ if [ -n "$MARIADB_ROOT_PASSWORD" ] || [ -n "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] || [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ] && [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then
+ mysql_error "Cannot specify MARIADB_ROOT_PASSWORD_HASH and another MARIADB_ROOT_PASSWORD* option."
+ fi
+ if [ -n "$MARIADB_PASSWORD" ] && [ -n "$MARIADB_PASSWORD_HASH" ]; then
+ mysql_error "Cannot specify MARIADB_PASSWORD_HASH and MARIADB_PASSWORD option."
+ fi
+ if [ -n "$MARIADB_REPLICATION_USER" ]; then
+ if [ -z "$MARIADB_MASTER_HOST" ]; then
+ # its a master, we're creating a user
+ if [ -z "$MARIADB_REPLICATION_PASSWORD" ] && [ -z "$MARIADB_REPLICATION_PASSWORD_HASH" ]; then
+ mysql_error "MARIADB_REPLICATION_PASSWORD or MARIADB_REPLICATION_PASSWORD_HASH not found to create replication user for master"
+ fi
+ else
+ # its a replica
+ if [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; then
+ mysql_error "MARIADB_REPLICATION_PASSWORD is mandatory to specify the replication on the replica image."
+ fi + if [ -n "$MARIADB_REPLICATION_PASSWORD_HASH" ] ; then + mysql_warn "MARIADB_REPLICATION_PASSWORD_HASH cannot be specified on a replica" + fi + fi + fi + if [ -n "$MARIADB_MASTER_HOST" ] && { [ -z "$MARIADB_REPLICATION_USER" ] || [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; }; then + mysql_error "For a replica, MARIADB_REPLICATION_USER and MARIADB_REPLICATION is mandatory." + fi +} + +# creates folders for the database +# also ensures permission for user mysql of run as root +docker_create_db_directories() { + local user; user="$(id -u)" + + # TODO other directories that are used by default? like /var/lib/mysql-files + # see https://github.com/docker-library/mysql/issues/562 + mkdir -p "$DATADIR" + + if [ "$user" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql -exec chown mysql: '{}' + + # See https://github.com/MariaDB/mariadb-docker/issues/363 + find "${SOCKET%/*}" -maxdepth 0 \! -user mysql -exec chown mysql: '{}' \; + + # memory.pressure + local cgroup; cgroup=$( "$DATADIR"/.my-healthcheck.cnf + $maskPreserve +} + +# Initializes database with timezone info and root password, plus optional extra db/user +docker_setup_db() { + # Load timezone info into database + if [ -z "$MARIADB_INITDB_SKIP_TZINFO" ]; then + # --skip-write-binlog usefully disables binary logging + # but also outputs LOCK TABLES to improve the IO of + # Aria (MDEV-23326) for 10.4+. 
+ mariadb-tzinfo-to-sql --skip-write-binlog /usr/share/zoneinfo \
+ | docker_process_sql --dont-use-mysql-root-password --database=mysql
+ # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet
+ fi
+ # Generate random root password
+ if [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then
+ MARIADB_ROOT_PASSWORD="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
+ export MARIADB_ROOT_PASSWORD MYSQL_ROOT_PASSWORD=$MARIADB_ROOT_PASSWORD
+ mysql_note "GENERATED ROOT PASSWORD: $MARIADB_ROOT_PASSWORD"
+ fi
+
+ # Creates root users for non-localhost hosts
+ local rootCreate=
+ local rootPasswordEscaped=
+ if [ -n "$MARIADB_ROOT_PASSWORD" ]; then
+ # Sets root password and creates root users for non-localhost hosts
+ rootPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}")
+ fi
+
+ # default root to listen for connections from anywhere
+ if [ -n "$MARIADB_ROOT_HOST" ] && [ "$MARIADB_ROOT_HOST" != 'localhost' ]; then
+ # ref "read -d ''", no, we don't care if read finds a terminating character in this heredoc
+ # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
+ if [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then
+ read -r -d '' rootCreate <<-EOSQL || true
+ CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY PASSWORD '${MARIADB_ROOT_PASSWORD_HASH}' ;
+ GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ;
+ GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION;
+ EOSQL
+ else
+ read -r -d '' rootCreate <<-EOSQL || true
+ CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY '${rootPasswordEscaped}' ;
+ GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ;
+ GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION;
+ EOSQL
+ fi
+ fi
+
+ local mysqlAtLocalhost=
+ local mysqlAtLocalhostGrants=
+ # Install mysql@localhost user
+ if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then
+ read -r -d '' mysqlAtLocalhost <<-EOSQL || true
+ CREATE USER mysql@localhost IDENTIFIED VIA unix_socket;
+ EOSQL
+ if [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then
+ if [ "$MARIADB_MYSQL_LOCALHOST_GRANTS" != USAGE ]; then
+ mysql_warn "Excessive privileges ON *.* TO mysql@localhost facilitates risks to the confidentiality, integrity and availability of data stored"
+ fi
+ mysqlAtLocalhostGrants="GRANT ${MARIADB_MYSQL_LOCALHOST_GRANTS} ON *.* TO mysql@localhost;";
+ fi
+ fi
+
+ local createHealthCheckUsers
+ createHealthCheckUsers=$(create_healthcheck_users)
+
+ local rootLocalhostPass=
+ if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then
+ # handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d
+ rootLocalhostPass="SET PASSWORD FOR 'root'@'localhost'= PASSWORD('${rootPasswordEscaped}');"
+ fi
+
+ local createDatabase=
+ # Creates a custom database and user if specified
+ if [ -n "$MARIADB_DATABASE" ]; then
+ mysql_note "Creating database ${MARIADB_DATABASE}"
+ createDatabase="CREATE DATABASE IF NOT EXISTS \`$MARIADB_DATABASE\`;"
+ fi
+
+ local createUser=
+ local userGrants=
+ if [ -n "$MARIADB_PASSWORD" ] || [ -n "$MARIADB_PASSWORD_HASH" ] && [ -n "$MARIADB_USER" ]; then
+ mysql_note "Creating user ${MARIADB_USER}"
+ if [ -n "$MARIADB_PASSWORD_HASH" ]; then
+ createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY PASSWORD '$MARIADB_PASSWORD_HASH';"
+ else
+ # SQL escape the user password, \ followed by '
+ local userPasswordEscaped
+ userPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_PASSWORD}")
+ createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';"
+ fi
+
+ if [ -n "$MARIADB_DATABASE" ]; then
+ mysql_note "Giving user ${MARIADB_USER} access to schema ${MARIADB_DATABASE}"
+ userGrants="GRANT ALL ON \`${MARIADB_DATABASE//_/\\_}\`.* TO '$MARIADB_USER'@'%';"
+ fi
+ fi
+
+ # To create replica user
+ local createReplicaUser=
+ local changeMasterTo=
+ local startReplica=
+ if [ -n "$MARIADB_REPLICATION_USER" ] ; then
+ if [ -z "$MARIADB_MASTER_HOST" ]; then
+ # on master
+ mysql_note "Creating user ${MARIADB_REPLICATION_USER}"
+ createReplicaUser=$(create_replica_user)
+ else
+ # on replica
+ local rplPasswordEscaped
+ rplPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_REPLICATION_PASSWORD}")
+ # SC cannot follow how MARIADB_MASTER_PORT is assigned a default value.
+ # shellcheck disable=SC2153
+ changeMasterTo="CHANGE MASTER TO MASTER_HOST='$MARIADB_MASTER_HOST', MASTER_USER='$MARIADB_REPLICATION_USER', MASTER_PASSWORD='$rplPasswordEscaped', MASTER_PORT=$MARIADB_MASTER_PORT, MASTER_CONNECT_RETRY=10;"
+ startReplica="START REPLICA;"
+ fi
+ fi
+
+ mysql_note "Securing system users (equivalent to running mysql_secure_installation)"
+ # tell docker_process_sql to not use MARIADB_ROOT_PASSWORD since it is just now being set
+ # --binary-mode to save us from the semi-mad users go out of their way to confuse the encoding.
+ docker_process_sql --dont-use-mysql-root-password --database=mysql --binary-mode <<-EOSQL
+ -- Securing system users shouldn't be replicated
+ SET @orig_sql_log_bin= @@SESSION.SQL_LOG_BIN;
+ SET @@SESSION.SQL_LOG_BIN=0;
+ -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set
+ SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');
+
+ DROP USER IF EXISTS root@'127.0.0.1', root@'::1';
+ EXECUTE IMMEDIATE CONCAT('DROP USER IF EXISTS root@\'', @@hostname,'\'');
+
+ ${rootLocalhostPass}
+ ${rootCreate}
+ ${mysqlAtLocalhost}
+ ${mysqlAtLocalhostGrants}
+ ${createHealthCheckUsers}
+ -- end of securing system users, rest of init now...
+ SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin; + -- create users/databases + ${createDatabase} + ${createUser} + ${createReplicaUser} + ${userGrants} + + ${changeMasterTo} + ${startReplica} + EOSQL +} + +# create a new installation +docker_mariadb_init() +{ + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + if [ -n "$DATABASE_INIT_FROM_BACKUP" ]; then + shopt -s dotglob + for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do + mkdir -p "$DATADIR"/.init + tar --auto-compress --extract --file "$file" --directory="$DATADIR"/.init + mariadb-backup --target-dir="$DATADIR"/.init --datadir="$DATADIR"/.restore --move-back + + mv "$DATADIR"/.restore/** "$DATADIR"/ + if [ -f "$DATADIR/.init/backup-my.cnf" ]; then + mv "$DATADIR/.init/backup-my.cnf" "$DATADIR/.my.cnf" + mysql_note "Adding startup configuration:" + my_print_defaults --defaults-file="$DATADIR/.my.cnf" --mariadbd + fi + rm -rf "$DATADIR"/.init "$DATADIR"/.restore + if [ "$(id -u)" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql -exec chown mysql: '{}' + + fi + done + if _check_if_upgrade_is_needed; then + docker_mariadb_upgrade "$@" + fi + return + fi + docker_init_database_dir "$@" + + mysql_note "Starting temporary server" + docker_temp_server_start "$@" + mysql_note "Temporary server started." + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + # Wait until after /docker-entrypoint-initdb.d is performed before setting + # root@localhost password to a hash we don't know the password for. 
+ if [ -n "${MARIADB_ROOT_PASSWORD_HASH}" ]; then
+ mysql_note "Setting root@localhost password hash"
+ docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL
+ SET @@SESSION.SQL_LOG_BIN=0;
+ SET PASSWORD FOR 'root'@'localhost'= '${MARIADB_ROOT_PASSWORD_HASH}';
+ EOSQL
+ fi
+
+ mysql_note "Stopping temporary server"
+ docker_temp_server_stop
+ mysql_note "Temporary server stopped"
+
+ echo
+ mysql_note "MariaDB init process done. Ready for start up."
+ echo
+}
+
+# backup the mysql database
+docker_mariadb_backup_system()
+{
+ if [ -n "$MARIADB_DISABLE_UPGRADE_BACKUP" ] \
+ && [ "$MARIADB_DISABLE_UPGRADE_BACKUP" = 1 ]; then
+ mysql_note "MariaDB upgrade backup disabled due to \$MARIADB_DISABLE_UPGRADE_BACKUP=1 setting"
+ return
+ fi
+ local backup_db="system_mysql_backup_unknown_version.sql.zst"
+ local oldfullversion="unknown_version"
+ if [ -r "$DATADIR"/mysql_upgrade_info ]; then
+ read -r -d '' oldfullversion < "$DATADIR"/mysql_upgrade_info || true
+ if [ -n "$oldfullversion" ]; then
+ backup_db="system_mysql_backup_${oldfullversion}.sql.zst"
+ fi
+ fi
+
+ mysql_note "Backing up system database to $backup_db"
+ if ! mariadb-dump --skip-lock-tables --replace --databases mysql --socket="${SOCKET}" | zstd > "${DATADIR}/${backup_db}"; then
+ mysql_error "Unable backup system database for upgrade from $oldfullversion."
+ fi
+ mysql_note "Backing up complete"
+}
+
+# perform mariadb-upgrade
+# backup the mysql database if this is a major upgrade
+docker_mariadb_upgrade() {
+ if [ -z "$MARIADB_AUTO_UPGRADE" ] \
+ || [ "$MARIADB_AUTO_UPGRADE" = 0 ]; then
+ mysql_note "MariaDB upgrade (mariadb-upgrade or creating healthcheck users) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting"
+ return
+ fi
+ mysql_note "Starting temporary server"
+ docker_temp_server_start "$@" --skip-grant-tables \
+ --loose-innodb_buffer_pool_dump_at_shutdown=0 \
+ --skip-slave-start
+ mysql_note "Temporary server started."
+
+ docker_mariadb_backup_system
+
+ if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then
+ mysql_note "Creating healthcheck users"
+ local createHealthCheckUsers
+ createHealthCheckUsers=$(create_healthcheck_users)
+ docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL
+ -- Healthcheck users shouldn't be replicated
+ SET @@SESSION.SQL_LOG_BIN=0;
+ -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set
+ SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');
+ FLUSH PRIVILEGES;
+ $createHealthCheckUsers
+EOSQL
+ mysql_note "Stopping temporary server"
+ docker_temp_server_stop
+ mysql_note "Temporary server stopped"
+
+ if _check_if_upgrade_is_needed; then
+ # need a restart as FLUSH PRIVILEGES isn't reversable
+ mysql_note "Restarting temporary server for upgrade"
+ docker_temp_server_start "$@" --skip-grant-tables \
+ --loose-innodb_buffer_pool_dump_at_shutdown=0 \
+ --skip-slave-start
+ else
+ return 0
+ fi
+ fi
+
+ mysql_note "Starting mariadb-upgrade"
+ mariadb-upgrade --upgrade-system-tables
+ mysql_note "Finished mariadb-upgrade"
+
+ mysql_note "Stopping temporary server"
+ docker_temp_server_stop
+ mysql_note "Temporary server stopped"
+}
+
+
+_check_if_upgrade_is_needed() {
+ if [ ! -f "$DATADIR"/mysql_upgrade_info ]; then
+ mysql_note "MariaDB upgrade information missing, assuming required"
+ return 0
+ fi
+ local mariadbVersion
+ mariadbVersion="$(_mariadb_version)"
+ IFS='.-' read -ra newversion <<<"$mariadbVersion"
+ IFS='.-' read -ra oldversion < "$DATADIR"/mysql_upgrade_info || true
+
+ if [[ ${#newversion[@]} -lt 2 ]] || [[ ${#oldversion[@]} -lt 2 ]] \
+ || [[ ${oldversion[0]} -lt ${newversion[0]} ]] \
+ || [[ ${oldversion[0]} -eq ${newversion[0]} && ${oldversion[1]} -lt ${newversion[1]} ]]; then
+ return 0
+ fi
+ if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then
+ mysql_note "MariaDB heathcheck configation file missing, assuming desirable"
+ return 0
+ fi
+ mysql_note "MariaDB upgrade not required"
+ return 1
+}
+
+# check arguments for an option that would cause mariadbd to stop
+# return true if there is one
+_mysql_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ -'?'|--help|--print-defaults|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if command starts with an option, prepend mariadbd
+ if [ "${1:0:1}" = '-' ]; then
+ set -- mariadbd "$@"
+ fi
+
+ #ENDOFSUBSTITUTIONS
+ # skip setup if they aren't running mysqld or want an option that stops mysqld
+ if [ "$1" = 'mariadbd' ] || [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then
+ mysql_note "Entrypoint script for MariaDB Server ${MARIADB_VERSION} started."
+
+ mysql_check_config "$@"
+ # Load various environment variables
+ docker_setup_env "$@"
+ docker_create_db_directories
+
+ # If container is started as root user, restart as dedicated mysql user
+ if [ "$(id -u)" = "0" ]; then
+ mysql_note "Switching to dedicated user 'mysql'"
+ exec gosu mysql "${BASH_SOURCE[0]}" "$@"
+ fi
+
+ # there's no database, so it needs to be initialized
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ docker_mariadb_init "$@"
+ # MDEV-27636 mariadb_upgrade --check-if-upgrade-is-needed cannot be run offline
+ #elif mariadb-upgrade --check-if-upgrade-is-needed; then
+ elif _check_if_upgrade_is_needed; then
+ docker_mariadb_upgrade "$@"
+ fi
+ fi
+ exec "$@"
+}
+
+# If we are sourced from elsewhere, don't perform any further actions
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/10.11-ubi/docker.cnf b/10.11-ubi/docker.cnf
new file mode 100644
index 00000000..61c4e86c
--- /dev/null
+++ b/10.11-ubi/docker.cnf
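Review bot: In docker_setup_db the password values go through docker_sql_escape_string_literal, but the identifiers taken from the environment are spliced into SQL verbatim — `\`$MARIADB_DATABASE\`` in createDatabase and userGrants, `'$MARIADB_USER'@'%'` in createUser, `'${MARIADB_ROOT_HOST}'` in rootCreate and `'$MARIADB_REPLICATION_USER'` in changeMasterTo — so a value containing a backtick or quote breaks the single heredoc that is executed under --binary-mode and the whole init aborts. These values are operator-supplied rather than client input, so this is a robustness and consistency gap; for the backtick-quoted names doubling the backtick is enough, e.g. `createDatabase="CREATE DATABASE IF NOT EXISTS \`${MARIADB_DATABASE//\`/\`\`}\`;"`, and the quoted user/host names can be passed through the same escape helper as the passwords. The header comment on docker_temp_server_stop describes mariadb-admin blocking on a socket, but the body is `kill "$MARIADB_PID"` / `wait "$MARIADB_PID"`; replace it with `# Stop the temporary server: signal the PID recorded by docker_temp_server_start and wait for it to exit.`. Two user-facing messages carry typos worth fixing in the same pass: `MariaDB heathcheck configation file missing` in _check_if_upgrade_is_needed (healthcheck configuration) and `MARIADB_REPLICATION is mandatory` in docker_verify_minimum_env, which should name MARIADB_REPLICATION_PASSWORD. The middle of this hunk (docker_create_db_directories through create_healthcheck_users, including docker_setup_env and docker_sql_escape_string_literal) is not legible in this copy, so those bodies are not reviewed here.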
@@ -0,0 +1,10 @@
+# Ubuntu container compatibility
+
+[mariadb]
+host-cache-size=0
+skip-name-resolve
+
+[client-server]
+socket=/run/mysqld/mariadb.sock
+
+!includedir /etc/mysql/conf.d
diff --git a/10.11-ubi/healthcheck.sh b/10.11-ubi/healthcheck.sh
new file mode 100755
index 00000000..5aea4e8e
--- /dev/null
+++ b/10.11-ubi/healthcheck.sh
@@ -0,0 +1,353 @@
+#!/bin/bash
+#
+# Healthcheck script for MariaDB
+#
+# Runs various tests on the MariaDB server to check its health. Pass the tests
+# to run as arguments. If all tests succeed, the server is considered healthy,
+# otherwise it's not.
+#
+# Arguments are processed in strict order. Set replication_* options before
+# the --replication option. This allows a different set of replication checks
+# on different connections.
+#
+# --su{=|-mariadb} is option to run the healthcheck as a different unix user.
+# Useful if mariadb@localhost user exists with unix socket authentication
+# Using this option disregards previous options set, so should usually be the
+# first option.
+#
+# Some tests require SQL privileges.
+#
+# TEST MINIMUM GRANTS REQUIRED
+# connect none*
+# innodb_initialized USAGE
+# innodb_buffer_pool_loaded USAGE
+# galera_online USAGE
+# galera_ready USAGE
+# replication REPLICATION_CLIENT (<10.5)or REPLICA MONITOR (10.5+)
+# mariadbupgrade none, however unix user permissions on datadir
+#
+# The SQL user used is the default for the mariadb client. This can be the unix user
+# if no user(or password) is set in the [mariadb-client] section of a configuration
+# file. --defaults-{file,extra-file,group-suffix} can specify a file/configuration
+# different from elsewhere.
+#
+# Note * though denied error message will result in error log without
+# any permissions.
+
+set -eo pipefail
+
+_process_sql()
+{
+ mariadb ${nodefaults:+--no-defaults} \
+ ${def['file']:+--defaults-file=${def['file']}} \
+ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \
+ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \
+ -B "$@"
+}
+
+# TESTS
+
+
+# CONNECT
+#
+# Tests that a connection can be made over TCP, the final state
+# of the entrypoint and is listening. The authentication used
+# isn't tested.
+connect()
+{
+ set +e +o pipefail
+ # (on second extra_file)
+ # shellcheck disable=SC2086
+ mariadb ${nodefaults:+--no-defaults} \
+ ${def['file']:+--defaults-file=${def['file']}} \
+ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \
+ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \
+ -h localhost --protocol tcp -e 'select 1' 2>&1 \
+ | grep -qF "Can't connect"
+ local ret=${PIPESTATUS[1]}
+ set -eo pipefail
+ if (( "$ret" == 0 )); then
+ # grep Matched "Can't connect" so we fail
+ return 1
+ fi
+ return 0
+}
+
+# INNODB_INITIALIZED
+#
+# This tests that the crash recovery of InnoDB has completed
+# along with all the other things required to make it to a healthy
+# operational state. Note this may return true in the early
+# states of initialization. Use with a connect test to avoid
+# these false positives.
+innodb_initialized()
+{
+ local s
+ s=$(_process_sql --skip-column-names -e "select 1 from information_schema.ENGINES WHERE engine='innodb' AND support in ('YES', 'DEFAULT', 'ENABLED')")
+ [ "$s" == 1 ]
+}
+
+# INNODB_BUFFER_POOL_LOADED
+#
+# Tests the load of the innodb buffer pool as been complete
+# implies innodb_buffer_pool_load_at_startup=1 (default), or if
+# manually SET innodb_buffer_pool_load_now=1
+innodb_buffer_pool_loaded()
+{
+ local s
+ s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='Innodb_buffer_pool_load_status'")
+ if [[ $s =~ 'load completed' ]]; then
+ return 0
+ fi
+ return 1
+}
+
+# GALERA_ONLINE
+#
+# Tests that the galera node is in the SYNCed state
+galera_online()
+{
+ local s
+ s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_LOCAL_STATE'")
+ # 4 from https://galeracluster.com/library/documentation/node-states.html#node-state-changes
+ # not https://xkcd.com/221/
+ if [[ $s -eq 4 ]]; then
+ return 0
+ fi
+ return 1
+}
+
+# GALERA_READY
+#
+# Tests that the Galera provider is ready.
+galera_ready()
+{
+ local s
+ s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_READY'")
+ if [ "$s" = "ON" ]; then
+ return 0
+ fi
+ return 1
+}
+
+# REPLICATION
+#
+# Tests the replication has the required set of functions:
+# --replication_all -> Checks all replication sources
+# --replication_name=n -> sets the multisource connection name tested
+# --replication_io -> IO thread is running
+# --replication_sql -> SQL thread is running
+# --replication_seconds_behind_master=n -> less than or equal this seconds of delay
+# --replication_sql_remaining_delay=n -> less than or equal this seconds of remaining delay
+# (ref: https://mariadb.com/kb/en/delayed-replication/)
+replication()
+{
+ # SHOW REPLICA available 10.5+
+ # https://github.com/koalaman/shellcheck/issues/2383
+ # shellcheck disable=SC2016,SC2026
+ _process_sql -e "SHOW ${repl['all']:+all} REPLICA${repl['all']:+S} ${repl['name']:+'${repl['name']}'} STATUS\G" | \
+ {
+ # required for trim of leading space.
+ shopt -s extglob
+ # Row header
+ read -t 5 -r
+ # read timeout
+ [ $? -gt 128 ] && return 1
+ while IFS=":" read -t 1 -r n v; do
+ # Trim leading space
+ n=${n##+([[:space:]])}
+ # Leading space on all values by the \G format needs to be trimmed.
+ v=${v:1}
+ case "$n" in
+ Slave_IO_Running)
+ if [ -n "${repl['io']}" ] && [ "$v" = 'No' ]; then
+ return 1
+ fi
+ ;;
+ Slave_SQL_Running)
+ if [ -n "${repl['sql']}" ] && [ "$v" = 'No' ]; then
+ return 1
+ fi
+ ;;
+ Seconds_Behind_Master)
+ # A NULL value is the IO thread not running:
+ if [ -n "${repl['seconds_behind_master']}" ] &&
+ { [ "$v" = NULL ] ||
+ (( "${repl['seconds_behind_master']}" < "$v" )); }; then
+ return 1
+ fi
+ ;;
+ SQL_Remaining_Delay)
+ # Unlike Seconds_Behind_Master, sql_remaining_delay will hit NULL
+ # once replication is caught up - https://mariadb.com/kb/en/delayed-replication/
+ if [ -n "${repl['sql_remaining_delay']}" ] &&
+ [ "$v" != NULL ] &&
+ (( "${repl['sql_remaining_delay']}" < "$v" )); then
+ return 1
+ fi
+ ;;
+ esac
+ done
+ # read timeout
+ [ $? -gt 128 ] && return 1
+ return 0
+ }
+ # reachable in command not found(?)
+ # shellcheck disable=SC2317
+ return $?
+}
+
+# mariadbupgrade
+#
+# Test the lock on the file $datadir/mysql_upg
+# https://jira.mariadb.org/browse/MDEV-27068
+mariadbupgrade()
+{
+ local f="$datadir/mysql_upgrade_info"
+ if [ -r "$f" ]; then
+ flock --exclusive --nonblock -n 9 9<"$f"
+ return $?
+ fi
+ return 0
+}
+
+
+# MAIN
+
+if [ $# -eq 0 ]; then
+ echo "At least one argument required" >&2
+ exit 1
+fi
+
+#ENDOFSUBSTITUTIONS
+# Marks the end of mysql -> mariadb name changes in 10.6+
+# Global variables used by tests
+declare -A repl
+declare -A def
+nodefaults=
+datadir=/var/lib/mysql
+if [ -f $datadir/.my-healthcheck.cnf ]; then
+ def['extra_file']=$datadir/.my-healthcheck.cnf
+fi
+
+_repl_param_check()
+{
+ case "$1" in
+ seconds_behind_master) ;&
+ sql_remaining_delay)
+ if [ -z "${repl['io']}" ]; then
+ repl['io']=1
+ echo "Forcing --replication_io=1, $1 requires IO thread to be running" >&2
+ fi
+ ;;
+ all)
+ if [ -n "${repl['name']}" ]; then
+ unset 'repl[name]'
+ echo "Option --replication_all incompatible with specified source --replication_name, clearing replication_name" >&2
+ fi
+ ;;
+ name)
+ if [ -n "${repl['all']}" ]; then
+ unset 'repl[all]'
+ echo "Option --replication_name incompatible with --replication_all, clearing replication_all" >&2
+ fi
+ ;;
+ esac
+}
+
+_test_exists() {
+ declare -F "$1" > /dev/null
+ return $?
+}
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --su=*)
+ u="${1#*=}"
+ shift
+ exec gosu "${u}" "${BASH_SOURCE[0]}" "$@"
+ ;;
+ --su)
+ shift
+ u=$1
+ shift
+ exec gosu "$u" "${BASH_SOURCE[0]}" "$@"
+ ;;
+ --su-mysql)
+ shift
+ exec gosu mysql "${BASH_SOURCE[0]}" "$@"
+ ;;
+ --replication_*=*)
+ # Change the n to what is between _ and = and make lower case
+ n=${1#*_}
+ n=${n%%=*}
+ n=${n,,*}
+ # v is after the =
+ v=${1#*=}
+ repl[$n]=$v
+ _repl_param_check "$n"
+ ;;
+ --replication_*)
+ # Without =, look for a non --option next as the value,
+ # otherwise treat it as an "enable", just equate to 1.
+ # Clearing option is possible with "--replication_X="
+ n=${1#*_}
+ n=${n,,*}
+ if [ "${2:0:2}" == '--' ]; then
+ repl[$n]=1
+ else
+ repl[$n]=$2
+ shift
+ fi
+ _repl_param_check "$n"
+ ;;
+ --datadir=*)
+ datadir=${1#*=}
+ ;;
+ --datadir)
+ shift
+ datadir=${1}
+ ;;
+ --no-defaults)
+ def=()
+ nodefaults=1
+ ;;
+ --defaults-file=*|--defaults-extra-file=*|--defaults-group-suffix=*)
+ n=${1:11} # length --defaults-
+ n=${n%%=*}
+ n=${n//-/_}
+ # v is after the =
+ v=${1#*=}
+ def[$n]=$v
+ nodefaults=
+ ;;
+ --defaults-file|--defaults-extra-file|--defaults-group-suffix)
+ n=${1:11} # length --defaults-
+ n=${n//-/_}
+ if [ "${2:0:2}" == '--' ]; then
+ def[$n]=""
+ else
+ def[$n]=$2
+ shift
+ fi
+ nodefaults=
+ ;;
+ --*)
+ test=${1#--}
+ ;;
+ *)
+ echo "Unknown healthcheck option $1" >&2
+ exit 1
+ esac
+ if [ -n "$test" ]; then
+ if ! _test_exists "$test" ; then
+ echo "healthcheck unknown option or test '$test'" >&2
+ exit 1
+ elif ! "$test"; then
+ echo "healthcheck $test failed" >&2
+ exit 1
+ fi
+ test=
+ fi
+ shift
+done
diff --git a/10.6-ubi/Dockerfile b/10.6-ubi/Dockerfile
index f7a635c3..d3e57747 100644
--- a/10.6-ubi/Dockerfile
+++ b/10.6-ubi/Dockerfile
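Review bot: The valueless `--replication_*` branch in the argument loop only treats the flag as an "enable" when `${2:0:2}` is `--`; when the flag is the last argument `$2` is unset, so the else branch stores an empty value and shifts it away, and the loop's trailing `shift` then runs with no positional parameters left, which under `set -eo pipefail` ends the script with a non-zero status and a failed healthcheck for an argument the header comment describes as valid. Guard on the argument count as well, `if [ $# -lt 2 ] || [ "${2:0:2}" == '--' ]; then`; the valueless `--defaults-file|--defaults-extra-file|--defaults-group-suffix` branch and the bare `--datadir` branch have the same shape and deserve the same check. A second, smaller point: `_test_exists` accepts any function name via `declare -F`, so `--_process_sql` or `--_repl_param_check` would be run as a test; the arguments come from the image's HEALTHCHECK definition rather than from the network, so this is a contract issue rather than an exposure, but a fixed list of the documented test names would make the accepted set explicit. Note also that `def['extra_file']` is derived from `datadir` before the loop, so a later `--datadir` does not relocate the healthcheck credentials file — if that is intended, a one-line comment at the `if [ -f $datadir/.my-healthcheck.cnf ]` check would save the next reader the question.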
@@ -1,33 +1,52 @@ FROM redhat/ubi9 -RUN groupadd -r mysql && useradd -r -g mysql mysql -COPY MariaDB.repo /etc/yum.repos.d/ +# systemd-coredump has the uid 999, input has group 999, that we want to use for compatibility with the ubuntu image. +RUN groupdel input && \ + userdel systemd-coredump && \ + groupadd --gid 999 -r mysql && \ + useradd -r -g mysql mysql --home-dir /var/lib/mysql --uid 999 + +ARG TARGETARCH +ENV GOSU_VERSION 1.17 +RUN curl --location --output /usr/local/bin/gosu https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-$TARGETARCH && \ + curl --location --output /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$TARGETARCH.asc"; \ + GNUPGHOME="$(mktemp -d)"; \ + export GNUPGHOME; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + chmod a+x /usr/local/bin/gosu; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + gosu --version; \ + gosu nobody true -# missing pwgen, and libboost_program_options.so.1.66.0 hence centos hack -RUN dnf update -y && \ - dnf install -y MariaDB-backup socat wget tzdata xz && \ - wget http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/boost-program-options-1.66.0-10.el8.x86_64.rpm && \ - dnf localinstall -y *rpm && \ - rm *rpm && \ - dnf install -y MariaDB-server-10.6.11 && \ - dnf clean all +COPY MariaDB.repo /etc/yum.repos.d/ -RUN rm -rf /var/lib/mysql; \ +# missing pwgen, pv (epel), +# procps - missing dependency of galera sst script +# libboost_program_options.so.1.66.0 only used by garb - should fix upstream +RUN gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys FF8AD1344597106ECE813B918A3872BF3228467C && \ + rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \ + dnf update -y && \ + dnf install -y procps-ng zstd xz jemalloc pwgen tzdata && \ + for pkg in 
boost-program-options-1.75.0-8; do \ + rpm -ivh https://repo.almalinux.org/almalinux/9/AppStream/$(arch)/os/Packages/${pkg}.el9.$(arch).rpm ; \ + done ; \ + dnf install -y MariaDB-backup-10.6.18 MariaDB-server-10.6.18 && \ + ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so && \ + rm -rf /var/lib/mysql; \ mkdir -p /var/lib/mysql /var/run/mysqld /etc/mysql/conf.d/ /etc/mysql/mariadb.conf.d/; \ chown -R mysql:mysql /var/lib/mysql /var/run/mysqld; \ - chmod 777 /var/run/mysqld + chmod 777 /var/run/mysqld ; \ + mkdir /licenses && ln -s /usr/share/doc/MariaDB-server-10.6.18/COPYING /licenses/GPL-2 COPY docker.cnf /etc/my.cnf.d/ VOLUME /var/lib/mysql -RUN wget -O /usr/local/bin/gosu https://github.com/tianon/gosu/releases/download/1.12/gosu-$TARGETARCH && \ - chmod a+x /usr/local/bin/gosu; \ - gosu --version; \ - gosu nobody true - RUN mkdir /docker-entrypoint-initdb.d +COPY healthcheck.sh /usr/local/bin/healthcheck.sh COPY /docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] diff --git a/10.6-ubi/MariaDB.repo b/10.6-ubi/MariaDB.repo index 138e1243..4a7e039f 100644 --- a/10.6-ubi/MariaDB.repo +++ b/10.6-ubi/MariaDB.repo @@ -1,6 +1,6 @@ [mariadb] name = MariaDB -baseurl = https://rpm.mariadb.org/10.6/rhel9-amd64/ -module_hotfixes=1 -gpgkey=https://rpm.mariadb.org/yum/RPM-GPG-KEY-MariaDB_v2 +#baseurl = https://rpm.mariadb.org/10.6/rhel/$releasever/$basearch +baseurl = https://archive.mariadb.org/mariadb-10.6/yum/rhel/$releasever/$basearch +gpgkey=https://archive.mariadb.org/PublicKey gpgcheck=1 diff --git a/10.6-ubi/docker-entrypoint.sh b/10.6-ubi/docker-entrypoint.sh index 48226619..4738c6a9 100755 --- a/10.6-ubi/docker-entrypoint.sh +++ b/10.6-ubi/docker-entrypoint.sh 
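Review bot: The gosu signature check in the new `RUN` is not enforced: after the second `curl` the commands are joined with `;`, the default `/bin/sh -c` runs without `-e`, so a failing `gpg --batch --verify` (or a failed `--recv-keys`) is ignored and the step's exit status is only that of the final `gosu nobody true`. Chaining with `&&` or starting the step with `set -eux;` makes the verification actually gate the build, and `curl --fail` stops an HTTP error page being saved as the binary and then "verified". Separately, `gpg --batch --keyserver … --recv-keys FF8AD1344597106ECE813B918A3872BF3228467C` populates GnuPG's keyring, which `rpm -ivh https://…` does not consult — as far as I can tell rpm only warns with NOKEY and proceeds — so the two URL-installed RPMs (epel-release and the AlmaLinux boost package) are fetched over TLS but not signature-verified; `rpm --import` of the relevant package-signing key is what rpm checks against. `ENV GOSU_VERSION 1.17` also uses the legacy space-separated form; `ENV GOSU_VERSION=1.17` is the supported spelling.
```dockerfile
RUN set -eux; \
    curl --fail --location --output /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${TARGETARCH}"; \
    curl --fail --location --output /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${TARGETARCH}.asc"; \
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
    gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
    gpgconf --kill all; \
    rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
    chmod a+x /usr/local/bin/gosu; \
    gosu --version; \
    gosu nobody true
```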
@@ -152,6 +152,14 @@ docker_temp_server_stop() { # Verify that the minimally required password settings are set for new databases. docker_verify_minimum_env() { + # Restoring from backup requires no environment variables + declare -g DATABASE_INIT_FROM_BACKUP + for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do + if [ -f "${file}" ]; then + DATABASE_INIT_FROM_BACKUP='true' + return + fi + done if [ -z "$MARIADB_ROOT_PASSWORD" ] && [ -z "$MARIADB_ROOT_PASSWORD_HASH" ] && [ -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] && [ -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ROOT_PASSWORD_HASH, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD' fi @@ -162,6 +170,25 @@ docker_verify_minimum_env() { if [ -n "$MARIADB_PASSWORD" ] && [ -n "$MARIADB_PASSWORD_HASH" ]; then mysql_error "Cannot specify MARIADB_PASSWORD_HASH and MARIADB_PASSWORD option." fi + if [ -n "$MARIADB_REPLICATION_USER" ]; then + if [ -z "$MARIADB_MASTER_HOST" ]; then + # its a master, we're creating a user + if [ -z "$MARIADB_REPLICATION_PASSWORD" ] && [ -z "$MARIADB_REPLICATION_PASSWORD_HASH" ]; then + mysql_error "MARIADB_REPLICATION_PASSWORD or MARIADB_REPLICATION_PASSWORD_HASH not found to create replication user for master" + fi + else + # its a replica + if [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; then + mysql_error "MARIADB_REPLICATION_PASSWORD is mandatory to specify the replication on the replica image." + fi + if [ -n "$MARIADB_REPLICATION_PASSWORD_HASH" ] ; then + mysql_warn "MARIADB_REPLICATION_PASSWORD_HASH cannot be specified on a replica" + fi + fi + fi + if [ -n "$MARIADB_MASTER_HOST" ] && { [ -z "$MARIADB_REPLICATION_USER" ] || [ -z "$MARIADB_REPLICATION_PASSWORD" ] ; }; then + mysql_error "For a replica, MARIADB_REPLICATION_USER and MARIADB_REPLICATION is mandatory." + fi } # creates folders for the database 
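Review bot: The early `return` added at the top of `docker_verify_minimum_env` skips every credential and replication check as soon as a `*.tar.gz`/`.xz`/`.zst` file exists in /docker-entrypoint-initdb.d, and since the backup path in `docker_mariadb_init` returns before `docker_setup_db` is reached, any `MARIADB_ROOT_PASSWORD`, `MARIADB_USER` or `MARIADB_MASTER_HOST` the operator also set is silently ignored rather than applied or rejected. A one-line warning before the `return` would at least make that visible in the container log: `mysql_warn "Backup archive ${file} found, MARIADB_* initialisation variables are ignored"`. The function continues past the end of this hunk.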
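Review bot: The last error message added to `docker_verify_minimum_env` names the wrong variable — the condition tests `MARIADB_REPLICATION_PASSWORD`, but the text says `MARIADB_REPLICATION is mandatory`; suggest `mysql_error "For a replica, MARIADB_REPLICATION_USER and MARIADB_REPLICATION_PASSWORD are mandatory."`. Given the replica branch just above already errors on a missing password, this final check effectively only covers the missing-user case, which the message could say. The comments `# its a master` and `# its a replica` should read `it's`.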
@@ -178,21 +205,30 @@ docker_create_db_directories() { find "$DATADIR" \! -user mysql -exec chown mysql: '{}' + # See https://github.com/MariaDB/mariadb-docker/issues/363 find "${SOCKET%/*}" -maxdepth 0 \! -user mysql -exec chown mysql: '{}' \; + fi } _mariadb_version() { - local mariaVersion="${MARIADB_VERSION##*:}" - mariaVersion="${mariaVersion%%[-+~]*}" - echo -n "${mariaVersion}-MariaDB" + echo -n "10.6.18-MariaDB" } # initializes the database directory docker_init_database_dir() { mysql_note "Initializing database files" installArgs=( --datadir="$DATADIR" --rpm --auth-root-authentication-method=normal ) - # "Other options are passed to mariadbd." (so we pass all "mysqld" arguments directly here) - mariadb-install-db "${installArgs[@]}" "${@:2}" \ + # "Other options are passed to mariadbd." (so we pass all "mariadbd" arguments directly here) + + local mariadbdArgs=() + for arg in "${@:2}"; do + # Check if the argument contains whitespace + if [[ "$arg" =~ [[:space:]] ]]; then + mysql_warn "Not passing argument \'$arg\' to mariadb-install-db because mariadb-install-db does not support arguments with whitespace." + else + mariadbdArgs+=("$arg") + fi + done + mariadb-install-db "${installArgs[@]}" "${mariadbdArgs[@]}" \ --skip-test-db \ --old-mode='UTF8_IS_UTF8MB3' \ --default-time-zone=SYSTEM --enforce-storage-engine= \ @@ -207,9 +243,10 @@ docker_init_database_dir() { # This should be called after mysql_check_config, but before any other functions docker_setup_env() { # Get config - declare -g DATADIR SOCKET + declare -g DATADIR SOCKET PORT DATADIR="$(mysql_get_config 'datadir' "$@")" SOCKET="$(mysql_get_config 'socket' "$@")" + PORT="$(mysql_get_config 'port' "$@")" # Initialize values that might be stored in a file 
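Review bot: In the new argument-filtering loop in `docker_init_database_dir`, `\'$arg\'` sits inside a double-quoted string where `\'` is not an escape, so the warning prints literal backslashes around the argument; use `mysql_warn "Not passing argument '$arg' to mariadb-install-db because mariadb-install-db does not support arguments with whitespace."`. Because a whitespace-containing argument is dropped rather than failing the init, that warning is the only trace that a setting never reached mariadb-install-db, so it needs to be readable. `_mariadb_version` now returns a hard-coded `10.6.18-MariaDB`; if this file is not generated from a template, a comment saying it must track the `MariaDB-server` pin in the Dockerfile would prevent it drifting. `docker_init_database_dir` continues past the end of this hunk.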
@@ -221,6 +258,13 @@ docker_setup_env() {
 # No MYSQL_ compatibility needed for new variables
 file_env 'MARIADB_PASSWORD_HASH'
 file_env 'MARIADB_ROOT_PASSWORD_HASH'
+ # env variables related to replication
+ file_env 'MARIADB_REPLICATION_USER'
+ file_env 'MARIADB_REPLICATION_PASSWORD'
+ file_env 'MARIADB_REPLICATION_PASSWORD_HASH'
+ # env variables related to master
+ file_env 'MARIADB_MASTER_HOST'
+ file_env 'MARIADB_MASTER_PORT' 3306
 
 # set MARIADB_ from MYSQL_ when it is unset and then make them the same value
 : "${MARIADB_ALLOW_EMPTY_ROOT_PASSWORD:=${MYSQL_ALLOW_EMPTY_PASSWORD:-}}"
@@ -267,6 +311,42 @@ docker_sql_escape_string_literal() { echo "${escaped//\'/\\\'}" } +# Creates replication user +create_replica_user() { + if [ -n "$MARIADB_REPLICATION_PASSWORD_HASH" ]; then + echo "CREATE USER '$MARIADB_REPLICATION_USER'@'%' IDENTIFIED BY PASSWORD '$MARIADB_REPLICATION_PASSWORD_HASH';" + else + # SQL escape the user password, \ followed by ' + local userPasswordEscaped + userPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_REPLICATION_PASSWORD}") + echo "CREATE USER '$MARIADB_REPLICATION_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';" + fi + echo "GRANT REPLICATION REPLICA ON *.* TO '$MARIADB_REPLICATION_USER'@'%';" +} + +# Create healthcheck users +create_healthcheck_users() { + local healthCheckGrant=USAGE + local healthCheckConnectPass + local healthCheckConnectPassEscaped + healthCheckConnectPass="$(pwgen --numerals --capitalize --symbols --remove-chars="=#'\\" -1 32)" + healthCheckConnectPassEscaped=$(docker_sql_escape_string_literal "${healthCheckConnectPass}") + if [ -n "$MARIADB_HEALTHCHECK_GRANTS" ]; then + healthCheckGrant="$MARIADB_HEALTHCHECK_GRANTS" + fi + for host in 127.0.0.1 ::1 localhost; do + echo "CREATE USER IF NOT EXISTS healthcheck@'$host' IDENTIFIED BY '$healthCheckConnectPassEscaped';" + # doing this so if the users exists, we're just setting the password, and not replacing the existing grants + echo "SET PASSWORD FOR healthcheck@'$host' = PASSWORD('$healthCheckConnectPassEscaped');" + echo "GRANT $healthCheckGrant ON *.* TO healthcheck@'$host';" + done + local maskPreserve + maskPreserve=$(umask -p) + umask 0077 + echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf + $maskPreserve +} + # Initializes database with timezone info and root password, plus optional extra db/user docker_setup_db() { # Load timezone info into database 
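Review bot: `create_healthcheck_users` writes `$DATADIR/.my-healthcheck.cnf` as a side effect while its stdout is being captured by `$(create_healthcheck_users)`, i.e. before the `CREATE USER`/`SET PASSWORD` statements it emits have been executed. If that SQL then fails, the file is left behind, and the later `docker_mariadb_upgrade` and `_check_if_upgrade_is_needed` hunks use the file's existence as proof that the users exist, so the account would never be (re)created and every subsequent healthcheck would fail authentication. Consider having the caller write the cnf file only after `docker_process_sql` succeeds, or removing it on the failure path. Smaller points: `MARIADB_REPLICATION_USER` and `MARIADB_HEALTHCHECK_GRANTS` are interpolated into SQL without `docker_sql_escape_string_literal` (consistent with the existing `MARIADB_USER` handling, so not a regression, but worth a comment), and the replication user is created at `'%'`, which is the expected scope for a replica but should be stated next to the `CREATE USER`.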
@@ -290,7 +370,7 @@ docker_setup_db() { local rootPasswordEscaped= if [ -n "$MARIADB_ROOT_PASSWORD" ]; then # Sets root password and creates root users for non-localhost hosts - rootPasswordEscaped=$( docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}" ) + rootPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}") fi # default root to listen for connections from anywhere @@ -301,11 +381,13 @@ docker_setup_db() { read -r -d '' rootCreate <<-EOSQL || true CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY PASSWORD '${MARIADB_ROOT_PASSWORD_HASH}' ; GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; + GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; EOSQL else read -r -d '' rootCreate <<-EOSQL || true CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY '${rootPasswordEscaped}' ; GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; + GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION; EOSQL fi fi @@ -314,16 +396,8 @@ docker_setup_db() { local mysqlAtLocalhostGrants= # Install mysql@localhost user if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then - local pw= - pw="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)" - # MDEV-24111 before MariaDB-10.4 cannot create unix_socket user directly auth with simple_password_check - # It wasn't until 10.4 that the unix_socket auth was built in to the server. read -r -d '' mysqlAtLocalhost <<-EOSQL || true - EXECUTE IMMEDIATE IF(VERSION() RLIKE '^10\.3\.', - "INSTALL PLUGIN /*M10401 IF NOT EXISTS */ unix_socket SONAME 'auth_socket'", - "SELECT 'already there'"); - CREATE USER mysql@localhost IDENTIFIED BY '$pw'; - ALTER USER mysql@localhost IDENTIFIED VIA unix_socket; + CREATE USER mysql@localhost IDENTIFIED VIA unix_socket; EOSQL if [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then if [ "$MARIADB_MYSQL_LOCALHOST_GRANTS" != USAGE ]; then 
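Review bot: The two new `GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION;` lines in `docker_setup_db` carry no explanation of why the remote root needs the anonymous proxy privilege; presumably it mirrors what mariadb-install-db grants root@localhost, but a reader cannot tell from here. Suggest a comment above the first one such as `-- same PROXY grant mariadb-install-db gives root@localhost, so remote root can manage proxy users` (reworded to the real reason). Since `MARIADB_ROOT_HOST` defaults to `%` per the context comment, this extends proxying to a root reachable from any host, which is why the rationale belongs in the file. `docker_setup_db` continues outside these hunks.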
@@ -333,6 +407,9 @@ docker_setup_db() { fi fi + local createHealthCheckUsers + createHealthCheckUsers=$(create_healthcheck_users) + local rootLocalhostPass= if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then # handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d @@ -355,7 +432,7 @@ docker_setup_db() { else # SQL escape the user password, \ followed by ' local userPasswordEscaped - userPasswordEscaped=$( docker_sql_escape_string_literal "${MARIADB_PASSWORD}" ) + userPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_PASSWORD}") createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';" fi @@ -365,6 +442,26 @@ docker_setup_db() { fi fi + # To create replica user + local createReplicaUser= + local changeMasterTo= + local startReplica= + if [ -n "$MARIADB_REPLICATION_USER" ] ; then + if [ -z "$MARIADB_MASTER_HOST" ]; then + # on master + mysql_note "Creating user ${MARIADB_REPLICATION_USER}" + createReplicaUser=$(create_replica_user) + else + # on replica + local rplPasswordEscaped + rplPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_REPLICATION_PASSWORD}") + # SC cannot follow how MARIADB_MASTER_PORT is assigned a default value. + # shellcheck disable=SC2153 + changeMasterTo="CHANGE MASTER TO MASTER_HOST='$MARIADB_MASTER_HOST', MASTER_USER='$MARIADB_REPLICATION_USER', MASTER_PASSWORD='$rplPasswordEscaped', MASTER_PORT=$MARIADB_MASTER_PORT, MASTER_CONNECT_RETRY=10;" + startReplica="START REPLICA;" + fi + fi + mysql_note "Securing system users (equivalent to running mysql_secure_installation)" # tell docker_process_sql to not use MARIADB_ROOT_PASSWORD since it is just now being set # --binary-mode to save us from the semi-mad users go out of their way to confuse the encoding. 
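Review bot: In the replica branch added to `docker_setup_db`, `MARIADB_MASTER_HOST` and `MARIADB_MASTER_PORT` go into the `CHANGE MASTER TO` statement unescaped while only the password is passed through `docker_sql_escape_string_literal`; a non-numeric port becomes a SQL syntax error during init and a host value containing `'` breaks the statement. A cheap guard before building `changeMasterTo`: `if ! [[ "$MARIADB_MASTER_PORT" =~ ^[0-9]+$ ]]; then mysql_error "MARIADB_MASTER_PORT must be numeric"; fi`, and `MARIADB_MASTER_HOST` can be escaped the same way as the password. The statement sets no `MASTER_SSL`, so the replication credentials and stream are sent in clear unless the network between replica and primary is otherwise protected; acceptable as a default, but it deserves a comment or an opt-in variable. The function continues outside the hunk.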
@@ -382,17 +479,78 @@ docker_setup_db() { ${rootCreate} ${mysqlAtLocalhost} ${mysqlAtLocalhostGrants} - -- pre-10.3 only - DROP DATABASE IF EXISTS test ; + ${createHealthCheckUsers} -- end of securing system users, rest of init now... SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin; -- create users/databases ${createDatabase} ${createUser} + ${createReplicaUser} ${userGrants} + + ${changeMasterTo} + ${startReplica} EOSQL } +# create a new installation +docker_mariadb_init() +{ + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + if [ -n "$DATABASE_INIT_FROM_BACKUP" ]; then + shopt -s dotglob + for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do + mkdir -p "$DATADIR"/.init + tar --auto-compress --extract --file "$file" --directory="$DATADIR"/.init + mariadb-backup --target-dir="$DATADIR"/.init --datadir="$DATADIR"/.restore --move-back + + mv "$DATADIR"/.restore/** "$DATADIR"/ + if [ -f "$DATADIR/.init/backup-my.cnf" ]; then + mv "$DATADIR/.init/backup-my.cnf" "$DATADIR/.my.cnf" + mysql_note "Adding startup configuration:" + my_print_defaults --defaults-file="$DATADIR/.my.cnf" --mysqld + fi + rm -rf "$DATADIR"/.init "$DATADIR"/.restore + if [ "$(id -u)" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql -exec chown mysql: '{}' + + fi + done + if _check_if_upgrade_is_needed; then + docker_mariadb_upgrade "$@" + fi + return + fi + docker_init_database_dir "$@" + + mysql_note "Starting temporary server" + docker_temp_server_start "$@" + mysql_note "Temporary server started." + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + # Wait until after /docker-entrypoint-initdb.d is performed before setting + # root@localhost password to a hash we don't know the password for. 
+ if [ -n "${MARIADB_ROOT_PASSWORD_HASH}" ]; then + mysql_note "Setting root@localhost password hash" + docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL + SET @@SESSION.SQL_LOG_BIN=0; + SET PASSWORD FOR 'root'@'localhost'= '${MARIADB_ROOT_PASSWORD_HASH}'; + EOSQL + fi + + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + echo + mysql_note "MariaDB init process done. Ready for start up." + echo +} + # backup the mysql database docker_mariadb_backup_system() { @@ -422,7 +580,7 @@ docker_mariadb_backup_system() docker_mariadb_upgrade() { if [ -z "$MARIADB_AUTO_UPGRADE" ] \ || [ "$MARIADB_AUTO_UPGRADE" = 0 ]; then - mysql_note "MariaDB upgrade (mariadb-upgrade) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting" + mysql_note "MariaDB upgrade (mariadb-upgrade or creating healthcheck users) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting" return fi mysql_note "Starting temporary server" 
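Review bot: In the new `docker_mariadb_init`, `shopt -s dotglob` is enabled before the restore loop and never disabled, so it stays in effect for whatever `_main` globs after the function returns; add `shopt -u dotglob` after `done` (or run the loop in a subshell) so the option is scoped to the restore. `mv "$DATADIR"/.restore/** "$DATADIR"/` relies on that dotglob, and `**` without `globstar` is just `*`, so plain `*` reads less misleadingly. The `tar --extract` runs as root on an operator-supplied archive with ownership and mode bits preserved under `$DATADIR/.init`; the `find … chown mysql:` afterwards repairs ownership, but `--no-same-owner --no-same-permissions` would avoid materialising foreign ownership and setuid bits in the first place. When more than one archive matches, each iteration restores over the same `$DATADIR`, which is probably not intended; documenting "exactly one archive" or erroring on several would make the contract explicit.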
@@ -433,6 +591,33 @@ docker_mariadb_upgrade() { docker_mariadb_backup_system + if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then + mysql_note "Creating healthcheck users" + local createHealthCheckUsers + createHealthCheckUsers=$(create_healthcheck_users) + docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL + -- Healthcheck users shouldn't be replicated + SET @@SESSION.SQL_LOG_BIN=0; + -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set + SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); + FLUSH PRIVILEGES; + $createHealthCheckUsers +EOSQL + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + if _check_if_upgrade_is_needed; then + # need a restart as FLUSH PRIVILEGES isn't reversable + mysql_note "Restarting temporary server for upgrade" + docker_temp_server_start "$@" --skip-grant-tables \ + --loose-innodb_buffer_pool_dump_at_shutdown=0 \ + --skip-slave-start + else + return 0 + fi + fi + mysql_note "Starting mariadb-upgrade" mariadb-upgrade --upgrade-system-tables mysql_note "Finished mariadb-upgrade" @@ -458,6 +643,10 @@ _check_if_upgrade_is_needed() { || [[ ${oldversion[0]} -eq ${newversion[0]} && ${oldversion[1]} -lt ${newversion[1]} ]]; then return 0 fi + if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then + mysql_note "MariaDB heathcheck configation file missing, assuming desirable" + return 0 + fi mysql_note "MariaDB upgrade not required" return 1 } 
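Review bot: In the `docker_mariadb_upgrade` hunk the healthcheck users are created while the temporary server is running without grant checks (the later `--skip-grant-tables` restart and the `FLUSH PRIVILEGES` imply the first start was the same), and nothing in the hunk says what limits that window; if `docker_temp_server_start` uses `--skip-networking` (I cannot see it from here), a comment such as `# temp server runs with --skip-grant-tables; relies on it also being --skip-networking` would document the assumption. The comment `FLUSH PRIVILEGES isn't reversable` should read `reversible`. The function continues outside the hunk.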
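Review bot: The new `mysql_note` in `_check_if_upgrade_is_needed` has two typos in a user-visible string and "assuming desirable" does not tell the operator what will happen next; suggest `mysql_note "MariaDB healthcheck configuration file missing, healthcheck users will be created"`. Because this branch now returns 0 ("upgrade needed") purely on a missing file, a comment that the upgrade path is being reused to create the healthcheck users would also help the next reader.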
@@ -502,34 +691,7 @@ _main() { if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir "$@" - - mysql_note "Starting temporary server" - docker_temp_server_start "$@" - mysql_note "Temporary server started." - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - # Wait until after /docker-entrypoint-initdb.d is performed before setting - # root@localhost password to a hash we don't know the password for. - if [ -n "${MARIADB_ROOT_PASSWORD_HASH}" ]; then - mysql_note "Setting root@localhost password hash" - docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL - SET @@SESSION.SQL_LOG_BIN=0; - SET PASSWORD FOR 'root'@'localhost'= '${MARIADB_ROOT_PASSWORD_HASH}'; - EOSQL - fi - - mysql_note "Stopping temporary server" - docker_temp_server_stop - mysql_note "Temporary server stopped" - - echo - mysql_note "MariaDB init process done. Ready for start up." - echo + docker_mariadb_init "$@" # MDEV-27636 mariadb_upgrade --check-if-upgrade-is-needed cannot be run offline #elif mariadb-upgrade --check-if-upgrade-is-needed; then elif _check_if_upgrade_is_needed; then diff --git a/10.6-ubi/docker.cnf b/10.6-ubi/docker.cnf index 9f48d82d..61c4e86c 100644 --- a/10.6-ubi/docker.cnf +++ b/10.6-ubi/docker.cnf @@ -1,3 +1,10 @@ # Ubuntu container compatibility +[mariadb] +host-cache-size=0 +skip-name-resolve + +[client-server] +socket=/run/mysqld/mariadb.sock + !includedir /etc/mysql/conf.d diff --git a/10.6-ubi/healthcheck.sh b/10.6-ubi/healthcheck.sh index 60c84ed5..5aea4e8e 100755 --- a/10.6-ubi/healthcheck.sh +++ b/10.6-ubi/healthcheck.sh 
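Review bot: The new `[mariadb]` section in docker.cnf turns on `skip-name-resolve` and `host-cache-size=0` with only the file-level "Ubuntu container compatibility" comment; `skip-name-resolve` means accounts are matched by IP address only, so any existing grants keyed to a DNS hostname stop matching once a datadir is started under this image (the entrypoint's own `%`, `127.0.0.1`, `::1` and `localhost` accounts should be unaffected). Suggest `# skip-name-resolve: accounts are matched by IP only; hostname-based grants will not match` next to the option. The `[client-server]` socket `/run/mysqld/mariadb.sock` differs from the `/var/run/mysqld` the Dockerfile creates; on UBI9 `/var/run` is a symlink to `/run`, so this works, but a comment would save the next reader the check.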
@@ -22,6 +22,7 @@ # innodb_initialized USAGE # innodb_buffer_pool_loaded USAGE # galera_online USAGE +# galera_ready USAGE # replication REPLICATION_CLIENT (<10.5)or REPLICA MONITOR (10.5+) # mariadbupgrade none, however unix user permissions on datadir # @@ -55,6 +56,8 @@ _process_sql() connect() { set +e +o pipefail + # (on second extra_file) + # shellcheck disable=SC2086 mariadb ${nodefaults:+--no-defaults} \ ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ @@ -80,7 +83,7 @@ connect() innodb_initialized() { local s - s=$(_process_sql --skip-column-names -e 'select 1 from information_schema.ENGINES WHERE engine="innodb" AND support in ("YES", "DEFAULT", "ENABLED")') + s=$(_process_sql --skip-column-names -e "select 1 from information_schema.ENGINES WHERE engine='innodb' AND support in ('YES', 'DEFAULT', 'ENABLED')") [ "$s" == 1 ] } @@ -92,7 +95,7 @@ innodb_initialized() innodb_buffer_pool_loaded() { local s - s=$(_process_sql --skip-column-names -e 'select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME="Innodb_buffer_pool_load_status"') + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='Innodb_buffer_pool_load_status'") if [[ $s =~ 'load completed' ]]; then return 0 fi @@ -105,7 +108,7 @@ innodb_buffer_pool_loaded() galera_online() { local s - s=$(_process_sql --skip-column-names -e 'select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME="WSREP_LOCAL_STATE"') + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_LOCAL_STATE'") # 4 from https://galeracluster.com/library/documentation/node-states.html#node-state-changes # not https://xkcd.com/221/ if [[ $s -eq 4 ]]; then 
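Review bot: The new comment `# (on second extra_file)` above `# shellcheck disable=SC2086` in `connect()` does not say what it refers to; the disable is justified because a quoted empty `"${def['file']:+…}"` still passes one empty argument to `mariadb` while the unquoted form expands to nothing, so suggest replacing it with `# unquoted on purpose: a quoted empty ${x:+…} would pass "" as an argument`. The trade-off — a `--defaults-file` path containing whitespace is word-split — is worth stating in the same comment; `connect()` continues outside this hunk. The quote swap from `"innodb"` to `'innodb'` in the three SQL hunks (`innodb_initialized`, `innodb_buffer_pool_loaded`, `galera_online`) is presumably for `ANSI_QUOTES` sql_mode compatibility and deserves a one-line comment on the first of them.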
@@ -114,6 +117,19 @@ galera_online() return 1 } +# GALERA_READY +# +# Tests that the Galera provider is ready. +galera_ready() +{ + local s + s=$(_process_sql --skip-column-names -e "select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME='WSREP_READY'") + if [ "$s" = "ON" ]; then + return 0 + fi + return 1 +} + # REPLICATION # # Tests the replication has the required set of functions: @@ -129,7 +145,7 @@ replication() # SHOW REPLICA available 10.5+ # https://github.com/koalaman/shellcheck/issues/2383 # shellcheck disable=SC2016,SC2026 - _process_sql -e "show ${repl['all']:+all} slave${repl['all']:+s} ${repl['name']:+'${repl['name']}'} status\G" | \ + _process_sql -e "SHOW ${repl['all']:+all} REPLICA${repl['all']:+S} ${repl['name']:+'${repl['name']}'} STATUS\G" | \ { # required for trim of leading space. shopt -s extglob @@ -176,12 +192,14 @@ replication() [ $? -gt 128 ] && return 1 return 0 } + # reachable in command not found(?) + # shellcheck disable=SC2317 return $? } # mariadbupgrade # -# Test the lock on the file /var/lib/mysql_upgrade_info +# Test the lock on the file $datadir/mysql_upgrade_info # https://jira.mariadb.org/browse/MDEV-27068 mariadbupgrade() { @@ -201,13 +219,16 @@ if [ $# -eq 0 ]; then exit 1 fi -# Marks the end of mariadb -> mariadb name changes in 10.6+ #ENDOFSUBSTITUTIONS +# Marks the end of mysql -> mariadb name changes in 10.6+ # Global variables used by tests declare -A repl declare -A def nodefaults= datadir=/var/lib/mysql +if [ -f $datadir/.my-healthcheck.cnf ]; then + def['extra_file']=$datadir/.my-healthcheck.cnf +fi _repl_param_check() { @@ -288,7 +309,7 @@ while [ $# -gt 0 ]; do datadir=${1} ;; --no-defaults) - unset def + def=() nodefaults=1 ;; --defaults-file=*|--defaults-extra-file=*|--defaults-group-suffix=*) diff --git a/versions.json b/versions.json index df1e6119..9a79ffec 100644 --- a/versions.json +++ b/versions.json 
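Review bot: In the `-201,13 +219,16` hunk the default `def['extra_file']=$datadir/.my-healthcheck.cnf` is evaluated before the option loop (the `while` loop in the `-288` hunk) runs, so a later `--datadir=…` changes `$datadir` but the already-stored extra-file path still points at `/var/lib/mysql`; moving the `[ -f … ]` check after the loop, or recomputing it when `--datadir` is parsed, would make the two agree. Both `$datadir` uses in that `if` are unquoted and should be `"$datadir"`. The new `galera_ready` is fine as written; its header could say it checks `WSREP_READY` is `ON`, matching the detail the `galera_online` comment gives.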
@@ -137,5 +137,33 @@ "ppc64le", "s390x" ] + }, + "10.11-ubi": { + "milestone": "10.11-ubi", + "version": "10.11.8", + "fullVersion": "10.11.8", + "releaseStatus": "Stable", + "supportType": "Long Term Support", + "base": "ubi9", + "arches": [ + "amd64", + "arm64v8", + "ppc64le", + "s390x" + ] + }, + "11.4-ubi": { + "milestone": "11.4-ubi", + "version": "11.4.1", + "fullVersion": "11.4.1", + "releaseStatus": "RC", + "supportType": "Long Term Support", + "base": "ubi9", + "arches": [ + "amd64", + "arm64v8", + "ppc64le", + "s390x" + ] } }
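Review bot: The new `11.4-ubi` entry in versions.json lists an image for which this commit does not appear to add a `11.4-ubi/` directory (only `10.6-ubi` and `10.11-ubi` files are touched elsewhere in the patch); unless that directory already exists upstream, the manifest now advertises an image with no Dockerfile behind it. Either drop the `11.4-ubi` block from this commit or add its directory alongside, and if this file is produced by an update script, a note saying so would explain the extra entry.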