search

sclorg / mysql-container

MySQL container images based on Red Hat Software Collections and intended for OpenShift and general usage. Users can choose between Red Hat Enterprise Linux, Fedora, and CentOS based images.
http://softwarecollections.org
Apache License 2.0
128 stars 201 forks source link

Replace '--initialize-insecure' by '--initialize' #227

Closed caringi closed 6 years ago

caringi commented 6 years ago

This is a proposal, any feedback is welcome.

Description:

When the container starts, there is a test to check if the data directory ($MYSQL_DATADIR) is empty or not. If it is empty, we need to initialize it.

MySQL provides to ways to accomplish this, depending on whether you want the server to generate a random initial password for the 'root'@'localhost' account:

This commit switches from the '--initialize-insecure' to '--initialize' for the data directory setup.

One of the motivations behind it is to allow the utilization of the 'validate_password' plugin. Avoiding a chicken and egg problem, in which this plugin doesn't allow the initial root password to be empty.

Alongside using the '--initialize' option, it works by extracting the auto generated root password from the log file, and then using it to do the initial user setup.

caringi commented 6 years ago

BTW, the tests are failing because this commit doesn't allow the root user to have an empty password (to be compatible with validate_password plugin)...

So, or the password is set through MYSQL_ROOT_PASSWORD environment variable or the root password is the auto generated one.

This is a topic to discuss...

hhorak commented 6 years ago

@caringi What if we would clear the password if it is not specified by MYSQL_ROOT_PASSWORD right after the initialization? I know that wouldn't work for the case validation plugin is used, so in that case MYSQL_ROOT_PASSWORD would be required. Anyway, I don't think making the ROOT password mandatory is a good way forward. Some more comments inline.

caringi commented 6 years ago

@hhorak I agree with you, good ideas... I'll update the PR soon.

caringi commented 6 years ago

Now the tests are failing because we cannot have anymore a 'root'@'localhost' with an empty password IF MYSQL_ROOT_PASSWORD is set.

To allow the utilization of validate_password plugin, the first command after initialization must be:

"ALTER USER 'root'@'localhost' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}';"

Comments?

hhorak commented 6 years ago

LGTM, thanks a lot again, @caringi !