Improving mysql container config
Hi,
just playing a little with the docker-compose. I’ve tried mapping the container’s folders to the host’s ones, instead of using volumes. Just doing this, some errors happen; working on them, I asked myself if there is a better config. My idea is to replace the mysql container config with an easier and more general one, based on the linuxserver.io container. At the same time I would like to remove some elements, such as:
    cap_add:
      - dac_override
      - setuid
      - setgid
which are not very good from a security point of view https://www.redhat.com/en/blog/secure-your-containers-one-weird-trick
This is the typical config of this linuxserver.io mysql container (STILL HAS TO BE TESTED!):
    mysql:
      image: lscr.io/linuxserver/mariadb
      container_name: mysql
      environment:
        PUID: 1000
        PGID: 100
        MYSQL_ROOT_PASSWORD: gg%&ujhft7r57()8
        TZ:
        MYSQL_DATABASE: piler
        MYSQL_USER: piler
        MYSQL_PASSWORD: piler123
      volumes:
        - mailpiler/mysql/config:/config
      restart: unless-stopped
The PUID and PGID refer to the user and group numbers of the host, usually the owner of the volumes: this makes it easy to manage the authorization. You create a piler user and obtain the number with the id command, while users is used for the group. So you have a user for each container. The piler user is the owner of the mailpiler/ folder.
I don't know if the healthcheck and command sections are mandatory for mailpiler and if they can be used with the linuxserver.io container.
    mysql:
      image: mariadb:10.5
      restart: unless-stopped
      cap_drop:
        - ALL
      cap_add:
        - dac_override
        - setuid
        - setgid
      environment:
        - MYSQL_DATABASE=piler
        - MYSQL_USER=piler
        - MYSQL_PASSWORD=piler123
        - MYSQL_RANDOM_ROOT_PASSWORD=yes
      command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
      healthcheck:
        test: mysql --user=piler --password=piler123 piler --execute "show tables"
        interval: "60s"
        timeout: "5s"
        start_period: "15s"
        retries: 3
      volumes:
        - db_data:/var/lib/mysql
If you have experiences or suggestions, you are welcome!
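An added example, not part of the original post or the project's docker-compose.yaml: the official mariadb image started directly as an unprivileged host user on a bind-mounted folder, so that no capabilities have to be added back after `cap_drop: ALL`. Assumptions: the uid:gid 1000:100 from the post, and a hypothetical host directory ./mailpiler/mysql/data that already exists and is owned by that user.

```yaml
# Added example; values mirror the two configs in the post.
# Assumption: the host directory is prepared before the first start, e.g.
#   mkdir -p ./mailpiler/mysql/data
#   chown 1000:100 ./mailpiler/mysql/data
services:
  mysql:
    image: mariadb:10.5
    restart: unless-stopped
    # Run the entrypoint and the server as the host user that owns the
    # data folder. Started as non-root, the official entrypoint does not
    # chown the data directory or switch users, which is what the
    # dac_override, setuid and setgid capabilities were there for.
    user: "1000:100"
    cap_drop:
      - ALL
    # Intentionally no cap_add section.
    environment:
      - MYSQL_DATABASE=piler
      - MYSQL_USER=piler
      - MYSQL_PASSWORD=piler123
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
    healthcheck:
      test: mysql --user=piler --password=piler123 piler --execute "show tables"
      interval: "60s"
      timeout: "5s"
      start_period: "15s"
      retries: 3
    volumes:
      # Bind mount instead of the db_data named volume. The leading ./
      # makes Compose treat the left side as a host path.
      - ./mailpiler/mysql/data:/var/lib/mysql
```

If the folder is not writable by 1000:100 the server exits during initialization, which shows up in `docker compose logs mysql`.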
Comments (5)
-
reporter -
repo owner Thanks for experimenting. However, what’s the value of using something else instead of the official mysql or mariadb docker images?
-
reporter I’m not really an expert, but every time I had problems with volume mapping or user/group authorizations, the linuxserver.io one solved them. It is made by a great team that releases updated and easy-to-use versions, well known in the communities. Just this.
-
repo owner - changed status to closed
Well, I'm not sure what volume mapping or authorization issues you faced using the official mariadb image. Anyway, if the linuxserver.io replacement works for you, then go ahead, I'll keep the current docker-compose.yaml as it is.
ok, it seems to work (just made a first test): volume mapped on folder, and authorizations. In the next days I will test the healthcheck and command and post it.