Comments - How to change root to native-password plugin with dockerhub image

3 years, 6 months ago James Stewart Miller

Many thanks for your help. I discovered the issue. When a pod is created, a network namespace is created for it automatically. This has the following name, 'ceramic_isles_dev_pod', in my case. So, if I run:

podman exec -it maria_cont2 bash -c "mysql -uroot -h'ceramic_isles_dev_pod' -p"

I am able to successfully enter the password with no issue.

....you said....

Note I recommend leaving it to the container entrypoint to create the non-root user and its password. It handles the escaping of passwords in shell and SQL significantly better than the scripting you have written.

.....

There are two reasons that I don't use the container entrypoint with environment variables. The first and principal reason is that I intend to start/restart the container with a systemd script that generates a new container each time the host starts. This container will then connect to an existing database, as although the container will be new and fresh, the database will still exist at the bind mount to /var/lib/mysql. This will allow me to run/create the containers under a system (<999 id) user, for extra security. Since the podman generate-systemd command uses the initial run command to start the new container each time, I don't want to have a new database and user recreated each time, as I want to reuse the existing database. I will be using the --files and --new flags of the podman generate systemd command...

http://docs.podman.io/en/latest/markdown/podman-generate-systemd.1.html

The second reason is that in the past, when I tried to use the initial database creation environment variables, it didn't work, as I remember. The container failed to run, quitting immediately, and on restarting it, I seem to recall that either the database wasn't created or I couldn't see it because of my current issues.

So, I have just tried it again, and counter-intuitively, the new user and database are created, but on the host of 'ceramic_isles_dev_pod' - the pod name - while root is created on localhost. I am able to log in successfully in both cases. So, if I don't create a database initially, then root is pod_name, but if I do then root is 'localhost'.

My bash scripting is not particularly good, you are quite right. I had changed the printf in the read command from echo, to remove a newline character, and must have deleted the $ sign in front of the variable 'token' then. I will use your syntax provided, many thanks. And many thanks overall, not just for your help, but for your work in supporting the community with your maintenance of this image.

 
3 years, 6 months ago James Stewart Miller

Just in case anyone reads the post, the secret creation command is correct except for a hyphen at the end -

read -p "Enter variable for MARIADB_ROOT_PASSWORD : " token && echo -n "$token" | podman secret create "MARIADB_ROOT_PASSWORD" -

 
3 years, 6 months ago James Stewart Miller

So, I finally got it to work. I was having another issue which is that once I had created the container using podman run, I had to wait an unspecified amount of time before the database in the container would accept commands. I ended up running a podman exec command to delete root@% as a do, done loop, like so...

until podman exec -e ROOT_PASSWORD="$mysql_root_password" -it "${MARIA_CONT_NAME}" bash -c "mysql -uroot -p\"\${ROOT_PASSWORD}\" -h'localhost' -e \"delete from mysql.global_priv where user='root' and host='%'; flush privileges;\"" > /dev/null 2>&1
do
    echo -n "."
done

Note, I added the redirection to null after I last tested it, but it should be ok, I guess.

Then I ran the podman exec command to create the database, and it worked fine.

 
3 years, 6 months ago Daniel Black

Thanks for explaining your use and fixing my missing -.

Using MARIADB_ROOT_HOST=localhost will prevent a root@% creation. There will still be a root@localhost user which is unix socket only, so only a podman exec can use it.

If you do need to remove a user please use drop user. The entrypoint that does similar hackery needs to be cleaned up and is obviously a bad example.

Waiting until it starts is something I plan to fix with a healthcheck script (MDEV-25434).

In the meantime, your loop should be using mysql --protocol=tcp as there can be a few temporary starts which could get your command executed early.

Happy to take issues/feature requests on GitHub or JIRA.
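
The advice in the reply above, as an added example that is not part of the thread or of the image's own scripts: probe readiness over TCP with a bounded retry, then remove root@% with DROP USER. The function names, the retry defaults and the use of a ROOT_PASSWORD shell variable on the host are assumptions.

```bash
# Added example; function names and defaults are illustrative assumptions.
# ROOT_PASSWORD must be set by the caller to the MariaDB root password.

# Return 0 once the server in container $1 answers an authenticated query over
# TCP, or 1 after $2 attempts spaced $3 seconds apart. Per the reply above,
# temporary starts during initialisation can let a command run too early;
# --protocol=tcp is the probe it recommends.
wait_for_mariadb() {
    local cont="$1" tries="${2:-60}" interval="${3:-1}" i=1
    while [ "$i" -le "$tries" ]; do
        # MYSQL_PWD is read by the client, so no nested quoting of -p is needed.
        if podman exec -e "MYSQL_PWD=${ROOT_PASSWORD}" "$cont" \
            mysql --protocol=tcp -uroot -e 'SELECT 1' >/dev/null 2>&1; then
            return 0
        fi
        sleep "$interval"
        i=$((i + 1))
    done
    return 1
}

# Remove the network-reachable root account with DROP USER instead of deleting
# rows from mysql.global_priv. Runs over the container's local socket.
drop_remote_root() {
    local cont="$1"
    podman exec -e "MYSQL_PWD=${ROOT_PASSWORD}" "$cont" \
        mysql -uroot -e "DROP USER IF EXISTS 'root'@'%';"
}

# Wait, then drop once; report a timeout instead of looping forever.
harden_root() {
    local cont="$1" tries="${2:-60}" interval="${3:-1}"
    if ! wait_for_mariadb "$cont" "$tries" "$interval"; then
        echo "MariaDB in ${cont} not ready after ${tries} attempts" >&2
        return 1
    fi
    drop_remote_root "$cont"
}

# Usage (container name is a placeholder): harden_root "$MARIA_CONT_NAME" 60 1
```

The probe needs root to be reachable over TCP, which holds here because root@% still exists until the final step drops it.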

 
3 years, 6 months ago James Stewart Miller

Many thanks for all your help.

 