Run a prefilled MySQL docker container as random (non-root) Linux user?
I am trying to create an OpenShift compliant prefilled MySQL container image.

Running the container with a specified user is (sadly) not an option for us.

This is a problem since OpenShift simply creates some random UID without a username so setting a username at runtime with a script before starting the MySQL service is not an option.

Is there any way to get MySQL to run with any random UID in a docker container?

edit: The idea behind this question is being able to start a MySQL container like this.

Dockerfile for randomusermysql:example:

FROM mysql:5.7.22

#IMPORTANT: MySQL Container runs init in alphanumerical order!
COPY src/some.sql /docker-entrypoint-initdb.d/

ENV MYSQL_ROOT_PASSWORD='somepw'

RUN mkdir -p /var/lib/mysql2 && \
    chown -R mysql:mysql /var/lib/mysql2 && \
    chmod -R 777 /var/lib/mysql2 && \
    sed -i 's|/var/lib/mysql|/var/lib/mysql2|g' /etc/mysql/mysql.conf.d/mysqld.cnf && \
    sed -i 's|exec "$@"||g' /entrypoint.sh && \
    /entrypoint.sh mysqld && \
    chmod -R 777 /var/lib/mysql2/ && \
    chown -R mysql:mysql /var/lib/mysql2 && \
    find /var/lib/mysql2/ -name "*.cnf" -exec chmod 775 {} \; && \
    echo 'exec "$@"' >> /entrypoint.sh

Then starting it like this

docker run -u 123456789 randomusermysql:example

Results in the following error when starting the container

2018-05-22T11:39:35.084034Z 0 [ERROR] Fatal error: Can't open and lock privilege tables: Table storage engine for 'user' doesn't have this option
2018-05-22T11:39:35.084235Z 0 [ERROR] Aborting

There is no possibility of passing the user as docker ENV when starting the container.

edit2: Bounty text is incorrect.
Corrected bounty statement:
A solution is needed with a prefilled MySQL database without just copying the dump files into /docker-entrypoint-initdb.d directory!

Awesome answered 17/5, 2018 at 18:10 Comment(7)
Why not use github.com/sclorg/mysql-container? – Scratchboard
Can you not use the upstream/official mysql docker image hub.docker.com/_/mysql? It already supports creating a user at runtime using environment variable MYSQL_USER. – Triley
@Triley the problem is not creating a MySQL database user at runtime. – Awesome
@Scratchboard I already have my container and everything else finished and working; switching to a new image would be very troublesome. I will consider it for the future. – Awesome
What does the statement in the bounty description have to do with the original question? "Run MySQL docker container as random (non-root) linux user?" versus "A solution is needed to prefill a MySQL database without just copying the dump files into /docker-entrypoint-initdb.d directory!" – Pompey
@Pompey I cannot edit the bounty statement, please look at the updated question. – Awesome
@Thodi, I don't think it is possible as such. The reason is clear if you check the Dockerfile: it has VOLUME /var/lib/mysql. Once a volume is declared, it cannot have any content in the upcoming layers. So even if you initialise a file it won't be there. – Bailey
C
3

The problem is that if you pre-create the database files as part of the image in the required location, they will be owned by the same user that created them in the Dockerfile. You will not know in advance what the user is and so can't match what the database may be started as, causing MySQL to fail on startup because the owner of the directory holding the database files is not the same as what it is being started as.

The only solution I have seen to this is to add the database files into the image in a tar file at some location. In the startup command for the database, create the directory for the database and unpack the tar file into it. This way the directory and the files will be owned by the user that MySQL runs as.

Note that you will want to make the parent directory of where the database directory is to be created group root and writable by group, so you can create the database directory when the image is run as an arbitrary user ID for which there is no passwd file entry. In that case, the group ID will fall back to being the root group and so that will allow the database directory to be created.

Custombuilt answered 22/5, 2018 at 23:21 Comment(0)
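The tar-and-unpack startup step described in the answer above, as an added example that is not part of the original answer or of the official image. The paths `/opt/seed/mysql-seed.tar` and `/var/lib/dbparent` and the function name `unpack_seed` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Entrypoint sketch: unpack a prebuilt MySQL datadir as whatever UID the
# platform assigned, so every file ends up owned by the running user.
# SEED and DATADIR are assumed paths, not taken from the official image.
SEED="${SEED:-/opt/seed/mysql-seed.tar}"
DATADIR="${DATADIR:-/var/lib/dbparent/mysql}"

# Build-time counterpart (Dockerfile RUN steps, executed as root):
#   tar -C /var/lib/mysql2 -cf /opt/seed/mysql-seed.tar .
#   mkdir -p /var/lib/dbparent && chgrp 0 /var/lib/dbparent && chmod 770 /var/lib/dbparent

unpack_seed() {
    seed="$1"; datadir="$2"
    [ -r "$seed" ] || { echo "seed archive not readable: $seed" >&2; return 1; }
    # Never overwrite an initialised datadir (restart, persistent volume).
    if [ -d "$datadir" ] && [ -n "$(ls -A "$datadir" 2>/dev/null)" ]; then
        echo "datadir already populated, keeping it: $datadir" >&2
        return 0
    fi
    # As non-root, tar applies the umask: no group/world access, no chmod 777.
    umask 077
    mkdir -p "$datadir" || { echo "cannot create $datadir (parent needs group 0, g+w)" >&2; return 1; }
    # --no-same-owner: extracted files belong to the current UID.
    tar --no-same-owner -xf "$seed" -C "$datadir" || return 1
    # Fail closed if anything ended up owned by a different UID.
    foreign="$(find "$datadir" ! -user "$(id -u)" | head -n 1)"
    [ -z "$foreign" ] || { echo "unexpected owner on $foreign" >&2; return 1; }
}

# Only act when invoked as the container command, e.g. `entrypoint.sh mysqld`.
if [ "${1:-}" = "mysqld" ]; then
    unpack_seed "$SEED" "$DATADIR" || exit 1
    exec "$@" --datadir="$DATADIR"
fi
```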
A
0

The problem is that the random uid is not present in the passwd file nor in the group file.

I posted a solution for that on the GitHub page of mssql: https://github.com/Microsoft/mssql-docker/issues/121#issuecomment-347766828

Summary of the solution: I created a wrapper with lib-nss-wrapper so that the process is able to look up the random uid.

Let me know if you need further instructions.

Alienable answered 6/6, 2018 at 7:18 Comment(0)
