docker-library / mysql

Docker Official Image packaging for MySQL Community Server
https://dev.mysql.com/
GNU General Public License v2.0

Root password ending on '\J' causes a crash #571

Open ArthurHNL opened 5 years ago

ArthurHNL commented 5 years ago

When creating an instance of the mysql:5.7 container, with the following variables from an env file (using docker compose):

root@demo01:/conf/docker# cat envfile.env | grep 'MYSQL'
MYSQL_DATABASE=somevalue
MYSQL_USER=sqluser
MYSQL_PASSWORD=(6T+B\`2@`Bf]cqF
MYSQL_ROOT_PASSWORD=;*{q#'Br9+qxh2\J
MYSQL_ROOT_HOST=%

MySQL crashes with the following output in the log:

Initializing database
2019-06-15T15:23:59.415039Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2019-06-15T15:24:00.127942Z 0 [Warning] InnoDB: New log files created, LSN=45790
2019-06-15T15:24:00.250132Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2019-06-15T15:24:00.310568Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 99a9caa4-8f81-11e9-acf7-0242ac140002.
2019-06-15T15:24:00.311781Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2019-06-15T15:24:00.312706Z 1 [Warning] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
Database initialized
Initializing certificates
Generating a RSA private key
.................................................................+++++
.................................................................................+++++
unable to write 'random state'
writing new private key to 'ca-key.pem'
-----
Generating a RSA private key
...........+++++
..........................................+++++
unable to write 'random state'
writing new private key to 'server-key.pem'
-----
Generating a RSA private key
.........................................................................+++++
................+++++
unable to write 'random state'
writing new private key to 'client-key.pem'
-----
Certificates initialized
MySQL init process in progress...
2019-06-15T15:24:06.640728Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2019-06-15T15:24:06.648939Z 0 [Note] mysqld (mysqld 5.7.26) starting as process 89 ...
2019-06-15T15:24:06.674792Z 0 [Note] InnoDB: PUNCH HOLE support available
2019-06-15T15:24:06.674827Z 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2019-06-15T15:24:06.674838Z 0 [Note] InnoDB: Uses event mutexes
2019-06-15T15:24:06.674849Z 0 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
2019-06-15T15:24:06.674859Z 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2019-06-15T15:24:06.674870Z 0 [Note] InnoDB: Using Linux native AIO
2019-06-15T15:24:06.675462Z 0 [Note] InnoDB: Number of pools: 1
2019-06-15T15:24:06.675674Z 0 [Note] InnoDB: Using CPU crc32 instructions
2019-06-15T15:24:06.691483Z 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
2019-06-15T15:24:06.751571Z 0 [Note] InnoDB: Completed initialization of buffer pool
2019-06-15T15:24:06.765430Z 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2019-06-15T15:24:06.779958Z 0 [Note] InnoDB: Highest supported file format is Barracuda.
2019-06-15T15:24:06.813040Z 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2019-06-15T15:24:06.817139Z 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2019-06-15T15:24:06.906716Z 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2019-06-15T15:24:06.909770Z 0 [Note] InnoDB: 96 redo rollback segment(s) found. 96 redo rollback segment(s) are active.
2019-06-15T15:24:06.909789Z 0 [Note] InnoDB: 32 non-redo rollback segment(s) are active.
2019-06-15T15:24:06.910300Z 0 [Note] InnoDB: Waiting for purge to start
2019-06-15T15:24:06.960487Z 0 [Note] InnoDB: 5.7.26 started; log sequence number 2524985
2019-06-15T15:24:06.961302Z 0 [Note] Plugin 'FEDERATED' is disabled.
2019-06-15T15:24:06.967999Z 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
2019-06-15T15:24:06.971097Z 0 [Note] InnoDB: Buffer pool(s) load completed at 190615 15:24:06
2019-06-15T15:24:06.988611Z 0 [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
2019-06-15T15:24:06.990031Z 0 [Warning] CA certificate ca.pem is self signed.
2019-06-15T15:24:07.003237Z 0 [Warning] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2019-06-15T15:24:07.067563Z 0 [Note] Event Scheduler: Loaded 0 events
2019-06-15T15:24:07.068076Z 0 [Note] mysqld: ready for connections.
Version: '5.7.26'  socket: '/var/run/mysqld/mysqld.sock'  port: 0  MySQL Community Server (GPL)
Warning: Unable to load '/usr/share/zoneinfo/iso3166.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone1970.tab' as time zone. Skipping it.
ERROR at line 5: Unknown command '\J'.

ArthurHNL commented 5 years ago

Removing the \J from the password gives the following error:

ERROR 1064 (42000) at line 5: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';*{q#'Br9+qxh2\') 

So I'm guessing input from variables is not escaped and the ; at the beginning of the password is interpreted by mysql.

wglambert commented 5 years ago

https://github.com/docker-library/mariadb/issues/183#issuecomment-405361398

We don't escape any password characters since we didn't want to implement the equivalent of mysql_real_escape_string in bash and didn't want to burden the image with an install of a library/language just for this purpose.

ArthurHNL commented 5 years ago

I see. Can you at least update the documentation of the image on the Docker hub to make this more apparent? It took me over an hour to find out why my stack did not work.

tianon commented 5 years ago

I think it's probably the single quote, not the \J that caused the error (the \J error is just the symptom).

ArthurHNL commented 5 years ago

> I think it's probably the single quote, not the \J that caused the error (the \J error is just the symptom).

I recognized that, however my point is that it is pretty frustrating to spend over an hour of time to find out that certain characters in a password (I obviously randomly generated this one) cause the entire container to crash. Some extra text stating something like "Note that environment variables are not escaped so you cannot use characters like ; and '" would be very welcome on the container page (https://hub.docker.com/_/mysql) under "Caveats" or "Environment variables".

wglambert commented 5 years ago

Interpreted characters should be enclosed as a literal string, it's not relevant to the image's documentation since this formatting requirement affects everything that can interpret characters. And for the characters enclosed in a literal string you wouldn't want an unanticipated termination with an added matching quote inside.

You'll also want to remove the ; as it's also being interpreted, and it doesn't seem like mysql accepts a password in a literal quote.

Initialization:

$ docker run -d --rm --name mysql -e MYSQL_ROOT_PASSWORD='*{q#Br9+qxh2\J' mysql:5.7 
006b5b8fa0177d28f6704eac1939757dcd4b2b1e5663705d6125bc3db3935c26

$ docker logs mysql 2>&1 | tail -n 3
2019-08-07T17:10:59.436099Z 0 [Note] Event Scheduler: Loaded 0 events
2019-08-07T17:10:59.436365Z 0 [Note] mysqld: ready for connections.
Version: '5.7.26'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server (GPL)

$ docker exec -it mysql bash

root@006b5b8fa017:/# echo "$MYSQL_ROOT_PASSWORD"
*{q#Br9+qxh2\J

Giving the password as a literal quote and trying a variable expansion:

root@006b5b8fa017:/# mysql -p'*{q#Br9+qxh2\J'
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
root@006b5b8fa017:/# mysql -p"$MYSQL_ROOT_PASSWORD"
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
root@006b5b8fa017:/# mysql -p$MYSQL_ROOT_PASSWORD 
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

Just passing it directly:

root@006b5b8fa017:/# mysql -p*{q#Br9+qxh2\J 
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

tianon commented 5 years ago

I think we need to follow up with some of the improvements discussed in https://github.com/docker-library/mariadb/issues/183 (especially %q for some basic quoting).
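
The failure discussed in this thread, as an added example that is not code from the image or from any commenter: the reported root password is pasted into a SQL string literal once raw and once escaped, and a small lexer-style decoder shows where the literal actually ends. The function names and the `SET PASSWORD` template (reconstructed from the trailing `')` in the error message) are assumptions, and the escaping assumes the default `sql_mode`, where a backslash is an escape character inside string literals.

```shell
#!/bin/sh
# Added illustration; function names and the statement template are assumptions,
# not code from the image's entrypoint. Assumes the default sql_mode, where a
# backslash is an escape character inside string literals.

# Escape a value for a single-quoted MySQL string literal.
# Backslashes are doubled first so the ones added for quotes stay single.
sql_escape_string_literal() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# Paste a (raw or escaped) value into the statement template.
build_stmt() {
    printf "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('%s');\n" "$1"
}

# Decode the literal inside PASSWORD('...') the way a SQL lexer reads it:
# a backslash takes the next character, a bare quote closes the literal.
# (Only the \\ and \' escapes produced above are decoded faithfully.)
password_literal() {
    rest=${1#*"PASSWORD('"}
    out=
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}
        case $c in
            \\) out=$out${rest%"${rest#?}"}; rest=${rest#?} ;;
            \') break ;;
            *)  out=$out$c ;;
        esac
    done
    printf '%s' "$out"
}

# Root password from the report (the '\'' sequence is one literal quote).
SAMPLE_PW=';*{q#'\''Br9+qxh2\J'

raw_stmt=$(build_stmt "$SAMPLE_PW")
safe_stmt=$(build_stmt "$(sql_escape_string_literal "$SAMPLE_PW")")

printf 'raw:     %s\n  parsed password: %s\n' "$raw_stmt" "$(password_literal "$raw_stmt")"
printf 'escaped: %s\n  parsed password: %s\n' "$safe_stmt" "$(password_literal "$safe_stmt")"
```

In the raw statement the literal closes at the password's own single quote, which leaves `Br9+qxh2\J` outside any string, where the `mysql` client reads `\J` as a command.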