Update mariadb container, so it will run from non-root user
Plus small re-structure. Change-Id: Ie7eaee8877ff5d39316695ac9e3b6f94204e33c6
parent
0dcb361e7c
commit
9c2bea461e
|
@ -10,10 +10,9 @@ RUN apt-get install -y --no-install-recommends \
|
|||
&& rm -rf /var/lib/mysql/*
|
||||
|
||||
COPY mariadb_sudoers /etc/sudoers.d/mariadb_sudoers
|
||||
COPY bootstrap.sh /usr/local/bin/bootstrap.sh
|
||||
COPY security_reset.expect /usr/local/bin/mysql_security_reset
|
||||
RUN chmod 755 /usr/local/bin/bootstrap.sh \
|
||||
&& chmod 755 /usr/local/bin/mysql_security_reset \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
RUN chmod 750 /etc/sudoers.d \
|
||||
&& chmod 440 /etc/sudoers.d/mariadb_sudoers \
|
||||
&& usermod -a -G microservices mysql
|
||||
&& usermod -a -G microservices mysql \
|
||||
&& chown -R mysql: /etc/mysql /var/lib/mysql
|
||||
|
||||
USER mysql
|
||||
|
|
|
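Review bot: The `chown -R mysql: /etc/mysql /var/lib/mysql` step gives the runtime account ownership of the server's configuration directory as well as its data directory, so a compromised mysqld could rewrite its own configuration. If the chown on /etc/mysql exists only so that my.cnf can be written at deploy time (the page does not show who writes it), keeping the directory root-owned and chowning only the data directory would be tighter, for example `&& chown -R mysql: /var/lib/mysql`. The image also keeps the `mariadb_sudoers` rule while switching to `USER mysql`, so the non-root guarantee is only as strong as the commands that rule allows. The +/- markers are lost in this rendering, so which of the duplicated lines belong to the new side is inferred.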
@ -1 +1 @@
|
|||
%microservices ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /usr/local/bin/mysql_security_reset
|
||||
%microservices ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /opt/ccp/bin/mariadb-security-reset.expect
|
||||
|
|
|
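Review bot: The NOPASSWD entry now points at `/opt/ccp/bin/mariadb-security-reset.expect`, a file that appears to be rendered into the container at deploy time rather than baked into the image, and any member of `microservices` (which includes mysql) may run it as root with arbitrary arguments. Unless that file and `/opt/ccp/bin` are owned by root and not writable by the group, the rule amounts to unrestricted root for the service account; their ownership is not visible here and should be confirmed. It is also worth checking whether the reset needs root at all, since it seems to talk to the server with the database root password rather than touch root-owned files; if it does not, the last command can be dropped from the rule.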
@ -2,26 +2,29 @@
|
|||
|
||||
function bootstrap_db {
|
||||
mysqld_safe --wsrep-new-cluster &
|
||||
# Wait for the mariadb server to be "Ready" before starting the security reset with a max timeout
|
||||
echo "Wait for the mariadb server to be ready before starting the security reset"
|
||||
TIMEOUT=${DB_MAX_TIMEOUT:-60}
|
||||
while [[ ! -f /var/lib/mysql/mariadb.pid ]]; do
|
||||
if [[ ${TIMEOUT} -gt 0 ]]; then
|
||||
let TIMEOUT-=1
|
||||
sleep 1
|
||||
else
|
||||
echo "Mariadb failed to start. Waited for $DB_MAX_TIMEOUT seconds."
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
echo "mysql_security_reset"
|
||||
sudo -E mysql_security_reset ${DB_ROOT_PASSWORD}
|
||||
echo "Running a mysql_security_reset"
|
||||
sudo -E /opt/ccp/bin/mariadb-security-reset.expect ${DB_ROOT_PASSWORD}
|
||||
echo "Running mysql grant privileges commands"
|
||||
mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
|
||||
mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
|
||||
echo "Shuting down mariadb"
|
||||
mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown
|
||||
wait $(jobs -p)
|
||||
}
|
||||
|
||||
DB_ROOT_PASSWORD="$1"
|
||||
DB_MAX_TIMEOUT="$2"
|
||||
DB_ROOT_PASSWORD="{{ db_root_password }}"
|
||||
DB_MAX_TIMEOUT="{{ db_max_timeout }}"
|
||||
|
||||
# Only update permissions if permissions need to be updated
|
||||
if [[ $(stat -c %U:%G /var/lib/mysql) != "mysql:mysql" ]]; then
|
|
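Review bot: In bootstrap_db the call `sudo -E /opt/ccp/bin/mariadb-security-reset.expect ${DB_ROOT_PASSWORD}` passes the root password unquoted on the command line, so it is subject to word splitting and globbing and is readable in the process list while the script runs. At minimum quote it as `"${DB_ROOT_PASSWORD}"`, and preferably hand it over through a protected file or the environment instead of argv. The templated assignment `DB_ROOT_PASSWORD="{{ db_root_password }}"` has a related problem: a value containing `"`, `$` or a backtick is interpreted by the shell when the rendered script runs, so the template should emit a shell-escaped, single-quoted value. The `if` that opens on the hunk's last line continues outside the hunk.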
@ -8,24 +8,32 @@ service:
|
|||
- name: mariadb
|
||||
image: mariadb
|
||||
probes:
|
||||
readiness: mariadb-readiness.sh
|
||||
readiness: /opt/ccp/bin/mariadb-readiness.sh
|
||||
liveness: "true"
|
||||
pre:
|
||||
- name: mariadb-bootstrap
|
||||
command: bootstrap.sh {{ db_root_password }} {{ db_max_timeout }}
|
||||
user: mysql
|
||||
command: /opt/ccp/bin/mariadb-bootstrap.sh
|
||||
daemon:
|
||||
command: mysqld
|
||||
files:
|
||||
- mariadb-my-cnf
|
||||
- mariadb-readiness
|
||||
user: mysql
|
||||
- mariadb-bootstrap
|
||||
- mariadb-security-reset.expect
|
||||
|
||||
files:
|
||||
mariadb-my-cnf:
|
||||
path: /etc/mysql/my.cnf
|
||||
content: my.cnf.j2
|
||||
mariadb-readiness:
|
||||
path: /usr/local/bin/mariadb-readiness.sh
|
||||
path: /opt/ccp/bin/mariadb-readiness.sh
|
||||
content: readiness.sh.j2
|
||||
perm: "755"
|
||||
mariadb-bootstrap:
|
||||
path: /opt/ccp/bin/mariadb-bootstrap.sh
|
||||
content: mariadb-bootstrap.sh.j2
|
||||
perm: "755"
|
||||
mariadb-security-reset.expect:
|
||||
path: /opt/ccp/bin/mariadb-security-reset.expect
|
||||
content: mariadb-security-reset.expect
|
||||
perm: "755"
|
||||
|
|
|
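Review bot: `mariadb-bootstrap` is installed with `perm: "755"`, but the rendered script embeds the database root password (its template assigns `DB_ROOT_PASSWORD="{{ db_root_password }}"`), so every account in the container can read the secret. A mode without world bits fits better, for example `perm: "750"` or `perm: "700"`, depending on which owner and group the deployer assigns to rendered files (not shown on this page). The `mariadb-security-reset.expect` entry deserves the same care, because the sudoers rule in this commit lets that path run as root.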
@ -1,4 +0,0 @@
|
|||
docker-py
|
||||
docker-compose
|
||||
requests==2.7.0 # dirty hack for CI
|
||||
pytest
|
|
@ -1,5 +0,0 @@
|
|||
mariadb:
|
||||
image: mariadbbuild/mariadb:latest
|
||||
ports:
|
||||
- 33306:3306
|
||||
command: "bootstrap.sh r00tme 60 && mysqld"
|
|
@ -1,45 +0,0 @@
|
|||
from subprocess import check_call
|
||||
import time
|
||||
import docker
|
||||
import pytest
|
||||
|
||||
|
||||
@pytest.fixture(scope='module')
|
||||
def cli(request):
|
||||
return docker.Client()
|
||||
|
||||
|
||||
@pytest.fixture(scope='module')
|
||||
def container(cli):
|
||||
return cli.containers(
|
||||
filters={"label": "com.docker.compose.service=mariadb"})[0]
|
||||
|
||||
|
||||
def setup_module(module):
|
||||
check_call(['docker-compose', 'up', '-d'])
|
||||
time.sleep(30)
|
||||
|
||||
|
||||
def teardown_module(module):
|
||||
check_call(['docker-compose', 'down'])
|
||||
|
||||
|
||||
def test_mysql_check_mysqld(cli, container):
|
||||
res = cli.exec_create(container['Id'], "pgrep mysql")
|
||||
cli.exec_start(res)
|
||||
assert cli.exec_inspect(res)['ExitCode'] == 0
|
||||
|
||||
|
||||
def test_mysql_is_running():
|
||||
cmd = ['nc', '-z', '-v', '-w5', '127.0.0.1', '33306']
|
||||
check_call(cmd)
|
||||
|
||||
|
||||
def test_mysql_is_accessible(cli, container):
|
||||
cmd = ("bash -c 'mysql -Ns -h127.0.0.1 -uroot -e \"SHOW DATABASES\"'")
|
||||
res = cli.exec_create(container['Id'], cmd)
|
||||
out = cli.exec_start(res)
|
||||
assert cli.exec_inspect(res)['ExitCode'] == 0
|
||||
out = filter(bool, out.split('\n'))
|
||||
assert set(out) == \
|
||||
set(['information_schema', 'mysql', 'performance_schema'])
|
9
tox.ini
9
tox.ini
|
@ -1,16 +1,9 @@
|
|||
[tox]
|
||||
minversion = 1.6
|
||||
envlist = linters,py27
|
||||
envlist = linters
|
||||
skipsdist = True
|
||||
|
||||
[testenv:linters]
|
||||
deps = yamllint
|
||||
commands =
|
||||
{toxinidir}/tools/run-check-yaml-syntax.sh
|
||||
|
||||
[testenv:py27]
|
||||
deps =
|
||||
-r{toxinidir}/test-requirements.txt
|
||||
changedir={toxinidir}/tests
|
||||
commands =
|
||||
py.test -vv {posargs}
|
||||
|
|