Docker Image needs root access to database
The start script explicitly checks the root access to the mysql database. But I think this isn’t necessary.
In case of docker-compose the mysql-service can be defined with a user MYSQL_USER and MYSQL_PASSWORD that has full access to the database MYSQL_DATABASE.
The only thing to do here is to rely on those environment vars instead of using root to create and init the database. So replace all root and hardcoded “piler” user and “piler” database with those vars.
In case of security both methods are not “completely” nice. A special user without CREATE/DROP rights is good at runtime, but most docker images ignore that. Your approach with a separate root-access has disadvantages - e.g. when you try to use a central / infrastructure database cluster. In that case, the root-access would be “horrible” for any database admin.
I’d like to help here (I’ve already started to build that for 1.3.9 but today I saw you already pushed 1.3.10). So, maybe we can work together on that (I only know the processes in github).
Comments (7)
-
reporter -
repo owner You have a valid point. The “init” script can be improved. At the time I wrote it, I assumed that the user wants the simplest possible solution. To have such you need the mysql root account, otherwise you just can’t create a new database and add a new mysql user. However, your use case having a central mysql cluster is more advanced, however, it can be solved provided that you create the piler mysql user and database before starting the containers.
How about if we introduce a SKIP_DB_INIT variable? If set, then we’ll use the mysql piler user (whatever we call it) to try connecting to the mysql daemon. Otherwise go with the current logic.
Btw. I think it makes sense to use piler for both unix and mysql account name. But I listen to your argument, if there’s any on the matter.
-
reporter Ok, “the simplest possible solution”
- let the docker image for Maria/Mysql DB do the job. If you have a look into https://hub.docker.com/_/mariadb in the section Environment variable to MYSQL_DATABASE you see that Maria (and MySQL too) can automatically create a database for you. The MYSQL_ROOT_PASSWORD is in that case a random password - that you never need, because you always use MYSQL_USER and MYSQL_PASSWORD to connect to the database.
- The SKIP_DB_INIT would not work - the vars MYSQL_USER and MYSQL_DATABASE must be set too (you’re using hardcoded “piler”).
- Of course - you need to define MYSQL_USER and MYSQL_DATABASE (as a user of docker-compose or whatever), but you could make defaults for it, that could be overwritten by the user.
I think, the only changes are in the start.sh script above. Of course some minor README and docker-compose changes.
-
repo owner Well, there are several use cases:
- using mariadb running docker. In this case the auto creating of the database and mysql account may work
- using an external cluster. In this case you should create the mysql database and user for piler, and provide their values to the docker compose file
-
repo owner Check out this commit: https://bitbucket.org/jsuto/piler/commits/5aa8d62701a01d8d8457667e32553a1bc55160f3 and let me know if you think there’s something else to fix.
I’ve also rebuilt the docker image and pushed to docker hub.
-
repo owner - changed status to closed
The issue has been fixed on the latest master branch.
-
reporter Good morning - sorry for the late response. Our own software bothered me the last days.
After removing all old config (incl. .my.cnf) the image works as expected with
- a local docker-compose database
- a remote preconfigured database
- different username, password than default
- without mysql-root user
Thanks a lot.
If I’m right, these changes to the start script should be enough
line 25-33
line 79-84
line 100-111
line 131-133
line 144-147
maybe the complete /root/my.cnf is not necessary, because we use the same SQL user
also - do not mix the unix PILER_USER with the MYSQL_USER
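
The credential handling discussed in this thread, as an added example that is not piler's start.sh or the referenced commit: the container defaults to the unprivileged MYSQL_USER account and touches root only when root credentials are supplied and SKIP_DB_INIT is unset. MYSQL_HOSTNAME, the function names and the exact semantics of SKIP_DB_INIT are assumptions made for illustration.

```shell
# Added example (not piler's start.sh). MYSQL_HOSTNAME and all function
# names are assumptions; the other variables are the ones named in the thread.

# Overridable defaults, so "piler" is a fallback rather than hardcoded.
db_defaults() {
    : "${MYSQL_HOSTNAME:=mysql}"
    : "${MYSQL_DATABASE:=piler}"
    : "${MYSQL_USER:=piler}"
}

# Print how the container should reach the database:
#   app-user  - connect as MYSQL_USER only (pre-provisioned or auto-created DB)
#   root-init - root credentials were given and init was not skipped
# Fails when no application password is available at all.
db_mode() {
    db_defaults
    if [ -z "${MYSQL_PASSWORD:-}" ]; then
        echo "error: MYSQL_PASSWORD is not set" >&2
        return 1
    fi
    if [ -n "${MYSQL_ROOT_PASSWORD:-}" ] && [ -z "${SKIP_DB_INIT:-}" ]; then
        echo "root-init"
    else
        echo "app-user"
    fi
}

# Write a client defaults file for the application account with mode 0600,
# so the password never appears on a command line or in the process list.
write_client_cnf() {
    cnf=$1
    db_defaults
    rm -f "$cnf"                      # a stale file could keep looser permissions
    ( umask 077
      printf '[client]\nhost=%s\nuser=%s\npassword="%s"\n' \
          "$MYSQL_HOSTNAME" "$MYSQL_USER" "$MYSQL_PASSWORD" > "$cnf" )
}
```

The resulting file can be passed to the client with `mysql --defaults-extra-file=<path> "$MYSQL_DATABASE"`.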