Add 'FLUSH PRIVILEGES;' to avoid creating 'root'@'${MYSQL_ROOT_HOST}' to be failed when MYSQL_ROOT_HOST isn't '%' #549
… to be failed when MYSQL_ROOT_HOST isn't '%'
5.5/docker-entrypoint.sh
@@ -158,6 +158,7 @@ if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then | |||
DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ; | |||
SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ; | |||
GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ; | |||
FLUSH PRIVILEGES ; | |||
${rootCreate} | |||
DROP DATABASE IF EXISTS test ; | |||
FLUSH PRIVILEGES ; |
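Review bot: The `FLUSH PRIVILEGES ;` placed before `${rootCreate}` duplicates the one that closes the block and has no comment saying why it must run at that point. The only statement above it that writes a grant table directly is `DELETE FROM mysql.user ...`, so a single flush straight after that `DELETE`, with a one-line comment naming the direct table edit as the reason, would cover the same case; the trailing flush can then go unless something inside `${rootCreate}` depends on it.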
Why do we need to do this twice?
Because `ERROR 1396 (HY000) at line 8: Operation CREATE USER failed for 'root'@'127.0.0.1'` will be thrown when trying to create `'root'@'127.0.0.1'` if we do not `FLUSH PRIVILEGES;` after `'root'@'localhost'` is created.
I am not sure where the `127.0.0.1` is coming from. Are you setting `MYSQL_ROOT_HOST` to `127.0.0.1`?
That works fine here (but means only `root` connections from within the container's network namespace):
$ docker run -d -e MYSQL_ROOT_HOST=127.0.0.1 -e MYSQL_ROOT_PASSWORD=12345 mysql:8
23d1a83c2da46239b5d3cb08cd24aa0c51ea210b9c5899ace59ce4baa383abff
$ docker logs 23d1a83c2da46239b5d3cb08cd24aa0c51ea210b9c5899ace59ce4baa383abff
Initializing database
2019-03-12T21:43:22.651362Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
2019-03-12T21:43:22.651431Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.0.15) initializing of server in progress as process 29
2019-03-12T21:43:24.578807Z 5 [Warning] [MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
2019-03-12T21:43:25.344101Z 0 [System] [MY-013170] [Server] /usr/sbin/mysqld (mysqld 8.0.15) initializing of server has completed
Database initialized
MySQL init process in progress...
mbind: Operation not permitted
2019-03-12T21:43:26.821818Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
2019-03-12T21:43:26.821888Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.15) starting as process 80
2019-03-12T21:43:27.174191Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2019-03-12T21:43:27.177027Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2019-03-12T21:43:27.209833Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.15' socket: '/var/run/mysqld/mysqld.sock' port: 0 MySQL Community Server - GPL.
2019-03-12T21:43:27.305865Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Socket: '/var/run/mysqld/mysqlx.sock'
Warning: Unable to load '/usr/share/zoneinfo/iso3166.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone1970.tab' as time zone. Skipping it.
2019-03-12T21:43:30.755816Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.15) MySQL Community Server - GPL.
MySQL init process done. Ready for start up.
2019-03-12T21:43:31.061395Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
2019-03-12T21:43:31.061459Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.15) starting as process 1
2019-03-12T21:43:31.418610Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2019-03-12T21:43:31.420085Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2019-03-12T21:43:31.432530Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.15' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.
2019-03-12T21:43:31.552062Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Socket: '/var/run/mysqld/mysqlx.sock' bind-address: '::' port: 33060
$ docker exec -it 23d1a83c2da46239b5d3cb08cd24aa0c51ea210b9c5899ace59ce4baa383abff mysql -uroot -p12345 -h127.0.0.1
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.15 MySQL Community Server - GPL
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select * from mysql.user;
....(contents of the user table)
After a bit more research, it looks like this is limited to 5.5 and 5.6 when using `127.0.0.1` for `MYSQL_ROOT_HOST`.
It seems that the `GRANT` and `SET PASSWORD` are fine, since "If you modify the grant tables indirectly using an account-management statement, the server notices these changes and loads the grant tables into memory again immediately" (mysql docs).
The problem stems from using `DELETE FROM mysql.user` rather than `DROP USER`. So either the `DELETE FROM` needs a `FLUSH` or we switch to `DROP USER` (https://stackoverflow.com/a/12343178).
Ah! Does this not affect 5.7+ because they don't have `mysql_install_db` and the baggage of [email protected] being pre-created?
@yosifkit Yes, that's right. `FLUSH PRIVILEGES` isn't necessary for MySQL 5.7+. I will update the PR.
Instead of adding another flush privileges, it should be enough to just move the existing one up, since as you say the DELETE FROM statement is the only one that needs a flush
@ltangvald Thanks, I have already removed the redundant flush statement.
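The ordering problem worked out in this review thread can be checked mechanically. The following is an added example, not code from the PR or the project: a small linter that flags a `CREATE USER` reached while a direct grant-table edit is still unflushed. The names `lint_grant_flush`, `sample_before` and `sample_after` are hypothetical, the sample SQL is constructed, and the `CREATE USER` line standing in for `${rootCreate}` and the one-statement-per-line layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR): lint an init SQL script, one statement per
# line, for CREATE USER reached while a direct grant-table edit is unflushed.
lint_grant_flush() {
	awk '
	{ s = toupper($0) }
	# Direct DML on a grant table leaves the in-memory ACL cache stale.
	s ~ /^[ \t]*(DELETE[ \t]+FROM|INSERT[ \t]+INTO|UPDATE)[ \t]+MYSQL\.(USER|DB|TABLES_PRIV)/ { dirty = NR; next }
	# FLUSH PRIVILEGES reloads the grant tables from disk.
	s ~ /^[ \t]*FLUSH[ \t]+PRIVILEGES/ { dirty = 0; next }
	# GRANT and SET PASSWORD do not clear the flag: in the thread they did not help.
	s ~ /^[ \t]*CREATE[ \t]+USER/ && dirty {
		printf "line %d: CREATE USER after unflushed grant-table edit on line %d\n", NR, dirty
		bad = 1
	}
	END { exit bad + 0 }
	'
}

# Constructed input: the statement order before the fix, with ${rootCreate}
# expanded for MYSQL_ROOT_HOST=127.0.0.1 (expansion and password are assumed).
sample_before() {
	cat <<'SQL'
DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
SET PASSWORD FOR 'root'@'localhost'=PASSWORD('placeholder') ;
GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
CREATE USER 'root'@'127.0.0.1' IDENTIFIED BY 'placeholder' ;
GRANT ALL ON *.* TO 'root'@'127.0.0.1' WITH GRANT OPTION ;
FLUSH PRIVILEGES ;
SQL
}

# Constructed input: the existing flush moved up to follow the DELETE.
sample_after() {
	cat <<'SQL'
DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
FLUSH PRIVILEGES ;
SET PASSWORD FOR 'root'@'localhost'=PASSWORD('placeholder') ;
GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
CREATE USER 'root'@'127.0.0.1' IDENTIFIED BY 'placeholder' ;
GRANT ALL ON *.* TO 'root'@'127.0.0.1' WITH GRANT OPTION ;
SQL
}

sample_before | lint_grant_flush || true
sample_after | lint_grant_flush && echo "after: no findings"
```

The function exits non-zero when it reports a finding, so it can gate a build that renders the entrypoint's SQL for each supported version.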
…'root'@'localhost'.
…USER' needs a FLUSH.
`docker-entrypoint.sh`:
- update `docker_process_init_files` to take in a list of files
- update `docker_process_sql` to take sql input on stdin to maintain compatibility with `mysql` (and prevent us from loading an entire `.sql` file into memory)
- move any code that was outside a function to `_main` or other functions
- use `local` variables in functions to limit scope
- move current `docker_create_db_directories` logic to `docker_init_database_dir`
- new docker_create_db_directories that just creates and chowns directories
- move `PASSFILE` to be in memory only so that we don't accidentally not clean it up
- move `FLUSH PRIVILEGES` to fix docker-library#549

update.sh:
- add back `DELETE` statement for 5.5 and 5.6
- swap some template strings to single quotes to make it easier to read
- swap `sed` to use ! for delimiter
- use one loop rather than two
`FLUSH PRIVILEGES` needs to be executed after creating or updating any user.