Closed Dav1dde closed 4 years ago
Hello,
I don't really see the problem. If you want to run the mariadb container as non-root, you have to provide credentials for the mysql user. This is not the case in the provided MariaDB images; to use it, you have to write the right Galera yaml using a secret describing the credentials for the mysql user, and you also have to modify the mariadb image.

The Galera yaml should look like this:

```yaml
kind: Galera
...
spec:
  pod:
    credentialsSecret:
      name: noroit-secret
    ...
    securityContext:
      runAsUser: 999
      fsGroup: 999
```

(values from the standard mariadb image)

```yaml
kind: Secret
stringData:
  user: mysql
  password: ***
```

and finally in docker-entrypoint.sh, replace lines 244 to 253 with this:

```bash
if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then
	mysql_note "Creating user ${MYSQL_USER}"
	docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;"
	docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' ;"
	docker_process_sql --database=mysql <<<"GRANT ALL ON *.* TO '$MYSQL_USER'@'localhost' WITH GRANT OPTION ;"
fi
```
Have a look at https://hub.docker.com/r/sebs42/mariadb/tags, a non-root image is provided.
I am using my own set of images, which are pretty much the official mariadb images with their entrypoint. The only differences are fixed filesystem permissions and the `$CLUSTER_INIT` patch:

```bash
if [ "$1" = 'mysqld' ] && [ -n "$CLUSTER_INIT" ] && ! _mysql_want_help "$@"; then
```
I also built the container with CentOS, RHEL and UBI images as the base image. On CentOS the default mariadb user is `27` (not `999`), from here.

So of course I could use the user id via the security context, but it is not necessary at all: my above patch and removing `user = mysql` from `my.cnf` is all that is necessary to run mariadb with an arbitrary user. The patch also does not affect the default behaviour, as long as `user = mysql` is set in the `my.cnf` (which it is in all your examples).
What I forgot to mention: yes, setting the user via the security context is possible, but on OpenShift this requires special permissions for the service account which I do not want to give (it's also not necessary with the above patch).
I am working on a new version; this change will be incorporated through a flag. If there is no flag, no user will be "forced"; if the flag forcing a user is set, the user will be forced as it is implemented today.
Makes sense, thanks!
Another place where the `mysql` user is used: https://github.com/Orange-OpenSource/galera-operator/blob/master/pkg/backup/backup-method/mariabackup/method.go#L118

```go
// adjust the owner of the data directory to match the user and group for the MariaDB Server
cmd = []string{"chown", "-R", "mysql:mysql", "/var/lib/mysql"}
_, stderr, err = exec.ExecCmd(mb.client, mb.config, mb.backupPod.Namespace, mb.backupPod, cmd)
```

Interestingly enough, this doesn't seem to be a problem on restore on OpenShift. I haven't had time to look into why.
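A constructed companion to the two points raised in this thread (the `user = mysql` directive in `my.cnf`, and the hard-coded `chown -R mysql:mysql` during restore), added here as an example and not code from galera-operator: it extracts the forced user from a my.cnf and derives the chown target from a pod's runAsUser/fsGroup, skipping the chown when no user is forced. The function names and the sample my.cnf are assumptions.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// Constructed sample my.cnf in the shape of the operator's examples (assumption).
var sampleMyCnf = "[client]\nuser = root\n\n[mysqld]\n# pins the account\nuser = mysql\ndatadir = /var/lib/mysql\n"

// forcedUserInMyCnf reports the `user` directive of the [mysqld] section, if set.
// As the thread notes, a fixed `user = mysql` there must be dropped to run the
// server under an arbitrary UID. Comments and other sections are ignored.
func forcedUserInMyCnf(cnf string) (string, bool) {
	inMysqld := false
	sc := bufio.NewScanner(strings.NewReader(cnf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") {
			inMysqld = strings.EqualFold(line, "[mysqld]")
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if inMysqld && len(kv) == 2 && strings.TrimSpace(kv[0]) == "user" {
			return strings.TrimSpace(kv[1]), true
		}
	}
	return "", false
}

// chownCommand builds the ownership fix for the data directory on restore.
// With a forced user (hypothetical: runAsUser/fsGroup copied from the pod's
// securityContext) it targets that numeric uid:gid; with no forced user it
// returns ok=false so the caller skips the hard-coded "mysql:mysql" chown.
func chownCommand(runAsUser, fsGroup *int64, dataDir string) ([]string, bool) {
	if runAsUser == nil {
		return nil, false
	}
	owner := strconv.FormatInt(*runAsUser, 10)
	group := owner
	if fsGroup != nil {
		group = strconv.FormatInt(*fsGroup, 10)
	}
	return []string{"chown", "-R", owner + ":" + group, dataDir}, true
}
```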
The user can still be specified through `my.cnf`; this allows deployment on OpenShift, where the user cannot be predetermined, by not specifying a user in `my.cnf`.