Skip to content

Commit

Permalink
Add --dont-use-mysql-root-password flag for docker_process_sql
Browse files Browse the repository at this point in the history 
- also remove bash generating bash
  • Loading branch information
@yosifkit
yosifkit committed Sep 18, 2019
1 parent 8d01eea commit 91785a5
Show file tree
Hide file tree
Showing 5 changed files with 251 additions and 135 deletions.
79 changes: 54 additions & 25 deletions .template.Debian/docker-entrypoint.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,27 +84,30 @@ mysql_get_config() {

# Do a temporary startup of the MySQL server, for init purposes
docker_temp_server_start() {
local result=0
%%SERVERSTARTUP%%
if [ "$result" != "0" ];then
mysql_error "Unable to start server. Status code $result."
fi

# For 5.7+ the server is ready for use as soon as startup command unblocks
if [ "${MYSQL_MAJOR}" = "5.6" ]; then
if [ "${MYSQL_MAJOR}" = '5.6' ]; then
"$@" --skip-networking --socket="${SOCKET}" &
mysql_note "Waiting for server startup"
local i
for i in {30..0}; do
# unset MYSQL_ROOT_PASSWORD for just docker_process_sql
# only use the root password if the database has already been initializaed
# so that it won't try to fill in a password file when it hasn't been set yet
if MYSQL_ROOT_PASSWORD= docker_process_sql --database=mysql <<<'SELECT 1' &> /dev/null; then
extraArgs=()
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
extraArgs+=( '--dont-use-mysql-root-password' )
fi
if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
break
fi
sleep 1
done
if [ "$i" = 0 ]; then
mysql_error "Unable to start server."
fi
else
# For 5.7+ the server is ready for use as soon as startup command unblocks
if ! "$@" --daemonize --skip-networking --socket="${SOCKET}"; then
mysql_error "Unable to start server."
fi
fi
}

Expand Down Expand Up @@ -143,7 +146,11 @@ docker_create_db_directories() {
# initializes the database directory
docker_init_database_dir() {
mysql_note "Initializing database files"
%%DATABASEINIT%%
if [ "$MYSQL_MAJOR" = '5.6' ]; then
mysql_install_db --datadir="$DATADIR" --rpm --keep-my-cnf "${@:2}"
else
"$@" --initialize-insecure
fi
mysql_note "Database files initialized"

if command -v mysql_ssl_rsa_setup > /dev/null && [ ! -e "$DATADIR/server-key.pem" ]; then
Expand All @@ -168,19 +175,29 @@ docker_setup_env() {
file_env 'MYSQL_USER'
file_env 'MYSQL_PASSWORD'
file_env 'MYSQL_ROOT_PASSWORD'

declare -g DATABASE_ALREADY_EXISTS
if [ -d "$DATADIR/mysql" ]; then
DATABASE_ALREADY_EXISTS='true'
fi
}

# Execute sql script, passed via stdin
# usage: docker_process_sql [mysql-cli-args]
# usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args]
# ie: docker_process_sql --database=mydb <<<'INSERT ...'
# ie: docker_process_sql --database=mydb <my-file.sql
# ie: docker_process_sql --dont-use-mysql-root-password --database=mydb <my-file.sql
docker_process_sql() {
passfileArgs=()
if [ '--dont-use-mysql-root-password' = "$1" ]; then
passfileArgs+=( "$1" )
shift
fi
# args sent in can override this db, since they will be later in the command
if [ -n "$MYSQL_DATABASE" ]; then
set -- --database="$MYSQL_DATABASE" "$@"
fi

mysql --defaults-file=<( _mysql_passfile ) --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
mysql --defaults-file=<( _mysql_passfile "${passfileArgs[@]}") --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
}

# Initializes database with timezone info and root password, plus optional extra db/user
Expand All @@ -190,17 +207,16 @@ docker_setup_db() {
# sed is for https://bugs.mysql.com/bug.php?id=20545
mysql_tzinfo_to_sql /usr/share/zoneinfo \
| sed 's/Local time zone must be set--see zic manual page/FCTY/' \
| MYSQL_ROOT_PASSWORD= docker_process_sql --database=mysql
# unset MYSQL_ROOT_PASSWORD for just docker_process_sql
# so that it won't try to fill in a password file when it hasn't been set yet
| docker_process_sql --dont-use-mysql-root-password --database=mysql
# tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet
fi
# Generate random root password
if [ -n "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)"
mysql_note "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD"
fi
# Sets root password and creates root users for non-localhost hosts
rootCreate=
local rootCreate=
# default root to listen for connections from anywhere
if [ -n "$MYSQL_ROOT_HOST" ] && [ "$MYSQL_ROOT_HOST" != 'localhost' ]; then
# no, we don't care if read finds a terminating character in this heredoc
Expand All @@ -211,14 +227,27 @@ docker_setup_db() {
EOSQL
fi

# unset MYSQL_ROOT_PASSWORD for just docker_process_sql
# so that it won't try to fill in a password file when it is just now being set
MYSQL_ROOT_PASSWORD= docker_process_sql --database=mysql <<-EOSQL
local passwordSet=
if [ "$MYSQL_MAJOR" = '5.6' ]; then
# no, we don't care if read finds a terminating character in this heredoc (see above)
read -r -d '' passwordSet <<-EOSQL || true
DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
EOSQL
else
# no, we don't care if read finds a terminating character in this heredoc (see above)
read -r -d '' passwordSet <<-EOSQL || true
ALTER USER 'root'@'localhost' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
EOSQL
fi

# tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is just now being set
docker_process_sql --dont-use-mysql-root-password --database=mysql <<-EOSQL
-- What's done in this file shouldn't be replicated
-- or products like mysql-fabric won't work
SET @@SESSION.SQL_LOG_BIN=0;
%%PASSWORDSET%%
${passwordSet}
GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
FLUSH PRIVILEGES ;
${rootCreate}
Expand Down Expand Up @@ -248,7 +277,7 @@ _mysql_passfile() {
# echo the password to the "file" the client uses
# the client command will use process substitution to create a file on the fly
# ie: --defaults-file=<( _mysql_passfile )
if [ -n "$MYSQL_ROOT_PASSWORD" ]; then
if [ '--dont-use-mysql-root-password' != "$1" ] && [ -n "$MYSQL_ROOT_PASSWORD" ]; then
cat <<-EOF
[client]
password="${MYSQL_ROOT_PASSWORD}"
Expand Down Expand Up @@ -301,8 +330,8 @@ _main() {
exec gosu mysql "$BASH_SOURCE" "$@"
fi

# If this is true then there's no database, and it needs to be initialized
if [ ! -d "$DATADIR/mysql" ]; then
# there's no database, so it needs to be initialized
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
docker_verify_minimum_env
docker_init_database_dir "$@"

Expand Down
96 changes: 65 additions & 31 deletions 5.6/docker-entrypoint.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,12 @@ file_env() {
unset "$fileVar"
}

# check to see if this file is being run or sourced from another script
_is_sourced() {
# https://unix.stackexchange.com/a/215279
[ "${FUNCNAME[${#FUNCNAME[@]} - 1]}" == 'source' ]
}

# usage: docker_process_init_files [file [file [...]]]
# ie: docker_process_init_files /always-initdb.d/*
# process initializer files, based on file extensions
Expand Down Expand Up @@ -78,27 +84,30 @@ mysql_get_config() {

# Do a temporary startup of the MySQL server, for init purposes
docker_temp_server_start() {
local result=0
"$@" --skip-networking --socket="${SOCKET}" &
if [ "$result" != "0" ];then
mysql_error "Unable to start server. Status code $result."
fi

# For 5.7+ the server is ready for use as soon as startup command unblocks
if [ "${MYSQL_MAJOR}" = "5.6" ]; then
if [ "${MYSQL_MAJOR}" = '5.6' ]; then
"$@" --skip-networking --socket="${SOCKET}" &
mysql_note "Waiting for server startup"
local i
for i in {30..0}; do
# unset MYSQL_ROOT_PASSWORD for just docker_process_sql
# only use the root password if the database has already been initializaed
# so that it won't try to fill in a password file when it hasn't been set yet
if MYSQL_ROOT_PASSWORD= docker_process_sql --database=mysql <<<'SELECT 1' &> /dev/null; then
extraArgs=()
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
extraArgs+=( '--dont-use-mysql-root-password' )
fi
if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
break
fi
sleep 1
done
if [ "$i" = 0 ]; then
mysql_error "Unable to start server."
fi
else
# For 5.7+ the server is ready for use as soon as startup command unblocks
if ! "$@" --daemonize --skip-networking --socket="${SOCKET}"; then
mysql_error "Unable to start server."
fi
fi
}

Expand Down Expand Up @@ -137,7 +146,11 @@ docker_create_db_directories() {
# initializes the database directory
docker_init_database_dir() {
mysql_note "Initializing database files"
mysql_install_db --datadir="$DATADIR" --rpm --keep-my-cnf "${@:2}"
if [ "$MYSQL_MAJOR" = '5.6' ]; then
mysql_install_db --datadir="$DATADIR" --rpm --keep-my-cnf "${@:2}"
else
"$@" --initialize-insecure
fi
mysql_note "Database files initialized"

if command -v mysql_ssl_rsa_setup > /dev/null && [ ! -e "$DATADIR/server-key.pem" ]; then
Expand All @@ -149,8 +162,10 @@ docker_init_database_dir() {
}

# Loads various settings that are used elsewhere in the script
# This should be called after mysql_check_config, but before any other functions
docker_setup_env() {
# Get config
declare -g DATADIR SOCKET
DATADIR="$(mysql_get_config 'datadir' "$@")"
SOCKET="$(mysql_get_config 'socket' "$@")"

Expand All @@ -160,19 +175,29 @@ docker_setup_env() {
file_env 'MYSQL_USER'
file_env 'MYSQL_PASSWORD'
file_env 'MYSQL_ROOT_PASSWORD'

declare -g DATABASE_ALREADY_EXISTS
if [ -d "$DATADIR/mysql" ]; then
DATABASE_ALREADY_EXISTS='true'
fi
}

# Execute sql script, passed via stdin
# usage: docker_process_sql [mysql-cli-args]
# usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args]
# ie: docker_process_sql --database=mydb <<<'INSERT ...'
# ie: docker_process_sql --database=mydb <my-file.sql
# ie: docker_process_sql --dont-use-mysql-root-password --database=mydb <my-file.sql
docker_process_sql() {
passfileArgs=()
if [ '--dont-use-mysql-root-password' = "$1" ]; then
passfileArgs+=( "$1" )
shift
fi
# args sent in can override this db, since they will be later in the command
if [ -n "$MYSQL_DATABASE" ]; then
set -- --database="$MYSQL_DATABASE" "$@"
fi

mysql --defaults-file=<( _mysql_passfile ) --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
mysql --defaults-file=<( _mysql_passfile "${passfileArgs[@]}") --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
}

# Initializes database with timezone info and root password, plus optional extra db/user
Expand All @@ -182,17 +207,16 @@ docker_setup_db() {
# sed is for https://bugs.mysql.com/bug.php?id=20545
mysql_tzinfo_to_sql /usr/share/zoneinfo \
| sed 's/Local time zone must be set--see zic manual page/FCTY/' \
| MYSQL_ROOT_PASSWORD= docker_process_sql --database=mysql
# unset MYSQL_ROOT_PASSWORD for just docker_process_sql
# so that it won't try to fill in a password file when it hasn't been set yet
| docker_process_sql --dont-use-mysql-root-password --database=mysql
# tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet
fi
# Generate random root password
if [ -n "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)"
mysql_note "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD"
fi
# Sets root password and creates root users for non-localhost hosts
rootCreate=
local rootCreate=
# default root to listen for connections from anywhere
if [ -n "$MYSQL_ROOT_HOST" ] && [ "$MYSQL_ROOT_HOST" != 'localhost' ]; then
# no, we don't care if read finds a terminating character in this heredoc
Expand All @@ -203,15 +227,27 @@ docker_setup_db() {
EOSQL
fi

# unset MYSQL_ROOT_PASSWORD for just docker_process_sql
# so that it won't try to fill in a password file when it is just now being set
MYSQL_ROOT_PASSWORD= docker_process_sql --database=mysql <<-EOSQL
local passwordSet=
if [ "$MYSQL_MAJOR" = '5.6' ]; then
# no, we don't care if read finds a terminating character in this heredoc (see above)
read -r -d '' passwordSet <<-EOSQL || true
DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
EOSQL
else
# no, we don't care if read finds a terminating character in this heredoc (see above)
read -r -d '' passwordSet <<-EOSQL || true
ALTER USER 'root'@'localhost' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
EOSQL
fi

# tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is just now being set
docker_process_sql --dont-use-mysql-root-password --database=mysql <<-EOSQL
-- What's done in this file shouldn't be replicated
-- or products like mysql-fabric won't work
SET @@SESSION.SQL_LOG_BIN=0;
DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}');
${passwordSet}
GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
FLUSH PRIVILEGES ;
${rootCreate}
Expand Down Expand Up @@ -241,7 +277,7 @@ _mysql_passfile() {
# echo the password to the "file" the client uses
# the client command will use process substitution to create a file on the fly
# ie: --defaults-file=<( _mysql_passfile )
if [ -n "$MYSQL_ROOT_PASSWORD" ]; then
if [ '--dont-use-mysql-root-password' != "$1" ] && [ -n "$MYSQL_ROOT_PASSWORD" ]; then
cat <<-EOF
[client]
password="${MYSQL_ROOT_PASSWORD}"
Expand Down Expand Up @@ -283,9 +319,9 @@ _main() {
if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then
mysql_note "Entrypoint script for MySQL Server ${MYSQL_VERSION} started."

mysql_check_config "$@"
# Load various environment variables
docker_setup_env "$@"
mysql_check_config "$@"
docker_create_db_directories

# If container is started as root user, restart as dedicated mysql user
Expand All @@ -294,8 +330,8 @@ _main() {
exec gosu mysql "$BASH_SOURCE" "$@"
fi

# If this is true then there's no database, and it needs to be initialized
if [ ! -d "$DATADIR/mysql" ]; then
# there's no database, so it needs to be initialized
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
docker_verify_minimum_env
docker_init_database_dir "$@"

Expand All @@ -320,9 +356,7 @@ _main() {
exec "$@"
}

# This checks if the script has been sourced from elsewhere.
# If so we don't perform any further actions
# https://unix.stackexchange.com/a/215279
if [ "${FUNCNAME[${#FUNCNAME[@]} - 1]}" != 'source' ]; then
# If we are sourced from elsewhere, don't perform any further actions
if ! _is_sourced; then
_main "$@"
fi
Loading

0 comments on commit 91785a5

Please sign in to comment.