docker-library / mysql

Docker Official Image packaging for MySQL Community Server
https://dev.mysql.com/
GNU General Public License v2.0

"Running as an arbitrary user" broken in 8.0.37 #1074

Closed mhutter closed 2 months ago

mhutter commented 3 months ago

As of 8.0.37-debian, the entrypoint script tries to create the /var/lib/mysql-files directory on startup. This does not work when running as a non-root user, as /var/lib (correctly) is not writable by arbitrary user IDs.

Steps to reproduce

Expected outcome

Actual outcome

Workaround

Possible Fixes

LaurentGoderre commented 3 months ago

autocommit was already implicitly enabled by default, so I am not sure that this is the cause. However, as per https://github.com/docker-library/mysql/blob/master/8.0/Dockerfile.debian#L87-L91, /var/lib/mysql-files is not the standard location for the data, so maybe there are some permission issues with your image.

yosifkit commented 3 months ago

I'm fairly certain this is caused by the issue in https://github.com/docker-library/mysql/issues/1069; in other words, newer buildkit changed permissions on the COPYd config files, so MySQL refuses to use them.

Edit: we are looking into a fix for the Official Images build system to fix the images.
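Both conditions raised in this thread (a non-root user being unable to create /var/lib/mysql-files, and MySQL refusing config files whose permissions changed) can be checked before start-up. The script below is an added example, not part of the thread or of the image's entrypoint. It assumes the refused files are world-writable `*.cnf` option files, which is the condition under which MySQL on Unix ignores an option file. The function names and the config directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight audit before running mysqld as an arbitrary UID.
# Function names and the <conf_dir> argument are hypothetical.

# List option files under $1 that are world-writable.
# MySQL on Unix ignores such files instead of loading them.
world_writable_cnf() {
    find "$1" -type f -name '*.cnf' -perm -0002 2>/dev/null
}

# Succeed if directory $1 already exists, or if its parent exists and is
# writable by the current user (so a start-up script could create it).
dir_usable() {
    [ -d "$1" ] && return 0
    [ -w "$(dirname "$1")" ]
}

# audit <conf_dir> <files_dir>
# Returns 0 when both checks pass, 1 otherwise, and prints each finding.
audit() {
    rc=0
    bad=$(world_writable_cnf "$1")
    if [ -n "$bad" ]; then
        echo "world-writable option files (mysqld will ignore them):"
        echo "$bad"
        rc=1
    fi
    if ! dir_usable "$2"; then
        echo "uid $(id -u) cannot use or create $2"
        rc=1
    fi
    return $rc
}

# Usage inside the container, with the directory named in this issue:
#   audit <conf_dir> /var/lib/mysql-files
```

Run it with the same `--user` value the container will use, since the directory check depends on the effective UID.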

mhutter commented 3 months ago

Ah, I checked what changed between 8.0.36 and 8.0.37, and autocommit was the only change that stood out to me, so I just assumed it was that. I updated the issue description to not make any assumptions.

tianon commented 2 months ago

This should be fixed in the latest builds :+1:

tianon commented 2 months ago

Confirmed: :metal:

```console
$ docker run --user 12345:12345 -it --rm --pull=always --env MYSQL_ROOT_PASSWORD=nonononononono mysql:8.0-debian
8.0-debian: Pulling from library/mysql
Digest: sha256:04805c6af59d7b087d464da1ccf359fd1e0a6d60513df2362219b1289fa8d172
Status: Image is up to date for mysql:8.0-debian
2024-07-26 20:00:39+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.39-1debian12 started.
2024-07-26 20:00:39+00:00 [Note] [Entrypoint]: Initializing database files
2024-07-26T20:00:39.151906Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.0.39) initializing of server in progress as process 41
2024-07-26T20:00:39.160909Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2024-07-26T20:00:39.802100Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2024-07-26T20:00:41.596800Z 6 [Warning] [MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
2024-07-26 20:00:44+00:00 [Note] [Entrypoint]: Database files initialized
2024-07-26 20:00:44+00:00 [Note] [Entrypoint]: Starting temporary server
mysqld will log errors to /var/lib/mysql/cf64d00106c0.err
mysqld is running as pid 87
2024-07-26 20:00:45+00:00 [Note] [Entrypoint]: Temporary server started.
Warning: Unable to load '/usr/share/zoneinfo/iso3166.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/leapseconds' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/tzdata.zi' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone1970.tab' as time zone. Skipping it.

2024-07-26 20:00:46+00:00 [Note] [Entrypoint]: Stopping temporary server
2024-07-26 20:00:48+00:00 [Note] [Entrypoint]: Temporary server stopped

2024-07-26 20:00:48+00:00 [Note] [Entrypoint]: MySQL init process done. Ready for start up.

2024-07-26T20:00:48.791661Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.39) starting as process 1
2024-07-26T20:00:48.800248Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2024-07-26T20:00:48.999573Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2024-07-26T20:00:49.229408Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2024-07-26T20:00:49.229438Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2024-07-26T20:00:49.234999Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2024-07-26T20:00:49.254127Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.39'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
2024-07-26T20:00:49.254168Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
```