Update mariadb container, so it will run from non-root user

Plus small re-structure.

Change-Id: Ie7eaee8877ff5d39316695ac9e3b6f94204e33c6

docker/mariadb/Dockerfile.j2

@@ -10,10 +10,9 @@ RUN apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/mysql/*
 
 COPY mariadb_sudoers /etc/sudoers.d/mariadb_sudoers
-COPY bootstrap.sh /usr/local/bin/bootstrap.sh
-COPY security_reset.expect /usr/local/bin/mysql_security_reset
-RUN chmod 755 /usr/local/bin/bootstrap.sh \
-    && chmod 755 /usr/local/bin/mysql_security_reset \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/mariadb_sudoers \
-    && usermod -a -G microservices mysql
+    && usermod -a -G microservices mysql \
+    && chown -R mysql: /etc/mysql /var/lib/mysql
+
+USER mysql

docker/mariadb/mariadb_sudoers

@@ -1 +1 @@
-%microservices ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /usr/local/bin/mysql_security_reset
+%microservices ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /opt/ccp/bin/mariadb-security-reset.expect

service/files/mariadb-bootstrap.sh.j2

@@ -2,26 +2,29 @@
 
 function bootstrap_db {
     mysqld_safe --wsrep-new-cluster &
-    # Wait for the mariadb server to be "Ready" before starting the security reset with a max timeout
+    echo "Wait for the mariadb server to be ready before starting the security reset"
     TIMEOUT=${DB_MAX_TIMEOUT:-60}
     while [[ ! -f /var/lib/mysql/mariadb.pid ]]; do
         if [[ ${TIMEOUT} -gt 0 ]]; then
             let TIMEOUT-=1
             sleep 1
         else
+            echo "Mariadb failed to start. Waited for $DB_MAX_TIMEOUT seconds."
             exit 1
         fi
     done
-    echo "mysql_security_reset"
-    sudo -E mysql_security_reset ${DB_ROOT_PASSWORD}
+    echo "Running a mysql_security_reset"
+    sudo -E /opt/ccp/bin/mariadb-security-reset.expect ${DB_ROOT_PASSWORD}
+    echo "Running mysql grant privileges commands"
     mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
     mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
+    echo "Shuting down mariadb"
     mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown
     wait $(jobs -p)
 }
 
-DB_ROOT_PASSWORD="$1"
-DB_MAX_TIMEOUT="$2"
+DB_ROOT_PASSWORD="{{ db_root_password }}"
+DB_MAX_TIMEOUT="{{ db_max_timeout }}"
 
 # Only update permissions if permissions need to be updated
 if [[ $(stat -c %U:%G /var/lib/mysql) != "mysql:mysql" ]]; then

service/mariadb.yaml

@@ -8,24 +8,32 @@ service:
     - name: mariadb
       image: mariadb
       probes:
-        readiness: mariadb-readiness.sh
+        readiness: /opt/ccp/bin/mariadb-readiness.sh
         liveness: "true"
       pre:
         - name: mariadb-bootstrap
-          command: bootstrap.sh {{ db_root_password }} {{ db_max_timeout }}
-          user: mysql
+          command: /opt/ccp/bin/mariadb-bootstrap.sh
       daemon:
         command: mysqld
         files:
             - mariadb-my-cnf
             - mariadb-readiness
-        user: mysql
+            - mariadb-bootstrap
+            - mariadb-security-reset.expect
 
 files:
   mariadb-my-cnf:
     path: /etc/mysql/my.cnf
     content: my.cnf.j2
   mariadb-readiness:
-    path: /usr/local/bin/mariadb-readiness.sh
+    path: /opt/ccp/bin/mariadb-readiness.sh
     content: readiness.sh.j2
     perm: "755"
+  mariadb-bootstrap:
+    path: /opt/ccp/bin/mariadb-bootstrap.sh
+    content: mariadb-bootstrap.sh.j2
+    perm: "755"
+  mariadb-security-reset.expect:
+    path: /opt/ccp/bin/mariadb-security-reset.expect
+    content: mariadb-security-reset.expect
+    perm: "755"

test-requirements.txt

@@ -1,4 +0,0 @@
-docker-py
-docker-compose
-requests==2.7.0  # dirty hack for CI
-pytest

tests/docker-compose.yml

@@ -1,5 +0,0 @@
-mariadb:
-    image: mariadbbuild/mariadb:latest
-    ports:
-      - 33306:3306
-    command: "bootstrap.sh r00tme 60 && mysqld"

tests/test_mariadb.py

@@ -1,45 +0,0 @@
-from subprocess import check_call
-import time
-import docker
-import pytest
-
-
-@pytest.fixture(scope='module')
-def cli(request):
-    return docker.Client()
-
-
-@pytest.fixture(scope='module')
-def container(cli):
-    return cli.containers(
-        filters={"label": "com.docker.compose.service=mariadb"})[0]
-
-
-def setup_module(module):
-    check_call(['docker-compose', 'up', '-d'])
-    time.sleep(30)
-
-
-def teardown_module(module):
-    check_call(['docker-compose', 'down'])
-
-
-def test_mysql_check_mysqld(cli, container):
-    res = cli.exec_create(container['Id'], "pgrep mysql")
-    cli.exec_start(res)
-    assert cli.exec_inspect(res)['ExitCode'] == 0
-
-
-def test_mysql_is_running():
-    cmd = ['nc', '-z', '-v', '-w5', '127.0.0.1', '33306']
-    check_call(cmd)
-
-
-def test_mysql_is_accessible(cli, container):
-    cmd = ("bash -c 'mysql -Ns -h127.0.0.1 -uroot -e \"SHOW DATABASES\"'")
-    res = cli.exec_create(container['Id'], cmd)
-    out = cli.exec_start(res)
-    assert cli.exec_inspect(res)['ExitCode'] == 0
-    out = filter(bool, out.split('\n'))
-    assert set(out) == \
-        set(['information_schema', 'mysql', 'performance_schema'])

tox.ini

@@ -1,16 +1,9 @@
 [tox]
 minversion = 1.6
-envlist = linters,py27
+envlist = linters
 skipsdist = True
 
 [testenv:linters]
 deps = yamllint
 commands =
     {toxinidir}/tools/run-check-yaml-syntax.sh
-
-[testenv:py27]
-deps =
-    -r{toxinidir}/test-requirements.txt
-changedir={toxinidir}/tests
-commands =
-    py.test -vv {posargs}