From 275297af91e85af864e70c70ce2a650ec128db9c Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Thu, 15 Aug 2024 14:07:49 +1000
Subject: [PATCH] Manually hack release status/support status As API unnormalized.
---
 11.5-ubi/Dockerfile | 179 +++++++++++++++++-----------------------
 11.5-ubi/healthcheck.sh | 49 +++++++----
 11.5/Dockerfile | 4 +-
 11.6-ubi/Dockerfile | 4 +-
 11.6-ubi/healthcheck.sh | 49 +++++++----
 11.6/Dockerfile | 4 +-
 11.6/healthcheck.sh | 49 +++++++----
 7 files changed, 177 insertions(+), 161 deletions(-)
diff --git a/11.5-ubi/Dockerfile b/11.5-ubi/Dockerfile
index a7f1aa06..32355e7e 100644
--- a/11.5-ubi/Dockerfile
+++ b/11.5-ubi/Dockerfile
@@ -1,77 +1,52 @@ -# vim:set ft=dockerfile: -FROM ubuntu:noble +FROM redhat/ubi9-minimal -# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added -RUN groupadd -r mysql && useradd -r -g mysql mysql --home-dir /var/lib/mysql && userdel --remove ubuntu +# user 999/ group 999, that we want to use for compatibility with the ubuntu image. +RUN groupadd --gid 999 -r mysql && \ + useradd -r -g mysql mysql --home-dir /var/lib/mysql --uid 999 -# add gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -# gosu key is B42F6819007F00F88E364FD4036A9C25BF357DD4 ENV GOSU_VERSION 1.17 - -ARG GPG_KEYS=177F4010FE56CA3336300305F1656F24C74CD1D8 -# pub rsa4096 2016-03-30 [SC] -# 177F 4010 FE56 CA33 3630 0305 F165 6F24 C74C D1D8 -# uid [ unknown] MariaDB Signing Key -# sub rsa4096 2016-03-30 [E] -# install "libjemalloc2" as it offers better performance in some cases. Use with LD_PRELOAD -# install "pwgen" for randomizing passwords -# install "tzdata" for /usr/share/zoneinfo/ -# install "xz-utils" for .sql.xz docker-entrypoint-initdb.d files -# install "zstd" for .sql.zst docker-entrypoint-initdb.d files -# hadolint ignore=SC2086 RUN set -eux; \ - apt-get update; \ - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ - ca-certificates \ - gpg \ - gpgv \ - libjemalloc2 \ - pwgen \ - tzdata \ - xz-utils \ - zstd ; \ - savedAptMark="$(apt-mark showmanual)"; \ - apt-get install -y --no-install-recommends \ - dirmngr \ - gpg-agent \ - wget; \ - rm -rf /var/lib/apt/lists/*; \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -q -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -q -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + rpmArch="$(rpm --query --queryformat='%{ARCH}' rpm)"; \ + case "$rpmArch" in \ + aarch64) 
dpkgArch='arm64' ;; \ + armv7*) dpkgArch='armhf' ;; \ + i686) dpkgArch='i386' ;; \ + ppc64le) dpkgArch='ppc64el' ;; \ + s390x|riscv64) dpkgArch=$rpmArch ;; \ + x86_64) dpkgArch='amd64' ;; \ + *) echo >&2 "error: unknown/unsupported architecture '$rpmArch'"; exit 1 ;; \ + esac; \ + curl --fail --location --output /usr/local/bin/gosu https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch} ; \ + curl --fail --location --output /usr/local/bin/gosu.asc https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}.asc; \ GNUPGHOME="$(mktemp -d)"; \ export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ - done; \ - gpg --batch --export "$GPG_KEYS" > /etc/apt/trusted.gpg.d/mariadb.gpg; \ - if command -v gpgconf >/dev/null; then \ - gpgconf --kill all; \ - fi; \ + chmod a+x /usr/local/bin/gosu; \ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ gpgconf --kill all; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - apt-mark auto '.*' > /dev/null; \ - [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark >/dev/null; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - chmod +x /usr/local/bin/gosu; \ gosu --version; \ gosu nobody true -RUN mkdir /docker-entrypoint-initdb.d +COPY --chmod=0644 docker.cnf /etc/my.cnf.d/ + +COPY MariaDB.repo /etc/yum.repos.d/ -# Ensure the container exec commands handle range of utf8 characters based of -# default locales in base image (https://github.com/docker-library/docs/blob/135b79cc8093ab02e55debb61fdb079ab2dbce87/ubuntu/README.md#locales) -ENV LANG C.UTF-8 +# HasRequiredLabel requirement from Red Hat OpenShift Software Certification +# 
https://access.redhat.com/documentation/en-us/red_hat_software_certification/2024/html/red_hat_openshift_software_certification_policy_guide/assembly-requirements-for-container-images_openshift-sw-cert-policy-introduction#con-image-metadata-requirements_openshift-sw-cert-policy-container-images +LABEL name="MariaDB Server" \ + vendor="MariaDB Community" \ + version="11.5.2" \ + release="Refer to Annotations org.opencontainers.image.{revision,source}" \ + summary="MariaDB Database" \ + description="MariaDB Database for relational SQL" # OCI annotations to image LABEL org.opencontainers.image.authors="MariaDB Community" \ org.opencontainers.image.title="MariaDB Database" \ org.opencontainers.image.description="MariaDB Database for relational SQL" \ org.opencontainers.image.documentation="https://hub.docker.com/_/mariadb/" \ - org.opencontainers.image.base.name="docker.io/library/ubuntu:noble" \ + org.opencontainers.image.base.name="docker.io/redhat/ubi9-minimal" \ org.opencontainers.image.licenses="GPL-2.0" \ org.opencontainers.image.source="https://github.com/MariaDB/mariadb-docker" \ org.opencontainers.image.vendor="MariaDB Community" \ 
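Review bot: The new `FROM redhat/ubi9-minimal` at the top of 11.5-ubi/Dockerfile carries no tag or digest, so each rebuild takes whatever the default tag resolves to at that moment, whereas the line it replaces named `ubuntu:noble`. The same stage fetches the gosu signing key by full fingerprint and verifies the binary before running it, which leaves the base image as the one unpinned input. I would write `FROM redhat/ubi9-minimal:<tag>@sha256:<digest>` (placeholders, to be taken from the registry) and put the same reference in `org.opencontainers.image.base.name` so the label states what was actually built on.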
@@ -79,64 +54,60 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ org.opencontainers.image.url="https://github.com/MariaDB/mariadb-docker" # bashbrew-architectures: amd64 arm64v8 ppc64le s390x -ARG MARIADB_VERSION=1:11.5.2+maria~ubu2404 -ENV MARIADB_VERSION $MARIADB_VERSION -# release-status:Unknown -# release-support-type:Unknown +ARG MARIADB_VERSION=11.5.2 +ENV MARIADB_VERSION=$MARIADB_VERSION +# release-status:Stable +# release-support-type:Short Term Support # (https://downloads.mariadb.org/rest-api/mariadb/) -# Allowing overriding of REPOSITORY, a URL that includes suite and component for testing and Enterprise Versions -ARG REPOSITORY="http://archive.mariadb.org/mariadb-11.5.2/repo/ubuntu/ noble main main/debug" - -RUN set -e;\ - echo "deb ${REPOSITORY}" > /etc/apt/sources.list.d/mariadb.list; \ - { \ - echo 'Package: *'; \ - echo 'Pin: release o=MariaDB'; \ - echo 'Pin-Priority: 999'; \ - } > /etc/apt/preferences.d/mariadb -# add repository pinning to make sure dependencies from this MariaDB repo are preferred over Debian dependencies -# libmariadbclient18 : Depends: libmysqlclient18 (= 5.5.42+maria-1~wheezy) but 5.5.43-0+deb7u1 is to be installed - -# the "/var/lib/mysql" stuff here is because the mysql-server postinst doesn't have an explicit way to disable the mysql_install_db codepath besides having a database already "configured" (ie, stuff in /var/lib/mysql/mysql) -# also, we set debconf keys to make APT a little quieter -# hadolint ignore=DL3015 -RUN set -ex; \ - { \ - echo "mariadb-server" mysql-server/root_password password 'unused'; \ - echo "mariadb-server" mysql-server/root_password_again password 'unused'; \ - } | debconf-set-selections; \ - apt-get update; \ -# postinst script creates a datadir, so avoid creating it by faking its existance. 
- mkdir -p /var/lib/mysql/mysql ; touch /var/lib/mysql/mysql/user.frm ; \ -# mariadb-backup is installed at the same time so that `mysql-common` is only installed once from just mariadb repos - apt-get install -y --no-install-recommends mariadb-server="$MARIADB_VERSION" mariadb-backup socat \ - ; \ - rm -rf /var/lib/apt/lists/*; \ -# purge and re-create /var/lib/mysql with appropriate ownership - rm -rf /var/lib/mysql; \ - mkdir -p /var/lib/mysql /run/mysqld; \ - chown -R mysql:mysql /var/lib/mysql /run/mysqld; \ -# ensure that /run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime - chmod 1777 /run/mysqld; \ -# comment out a few problematic configuration values - find /etc/mysql/ -name '*.cnf' -print0 \ - | xargs -0 grep -lZE '^(bind-address|log|user\s)' \ - | xargs -rt -0 sed -Ei 's/^(bind-address|log|user\s)/#&/'; \ -# don't reverse lookup hostnames, they are usually another container - printf "[mariadb]\nhost-cache-size=0\nskip-name-resolve\n" > /etc/mysql/mariadb.conf.d/05-skipcache.cnf; \ -# Issue #327 Correct order of reading directories /etc/mysql/mariadb.conf.d before /etc/mysql/conf.d (mount-point per documentation) - if [ -L /etc/mysql/my.cnf ]; then \ -# 10.5+ - sed -i -e '/includedir/ {N;s/\(.*\)\n\(.*\)/\n\2\n\1/}' /etc/mysql/mariadb.cnf; \ - fi - +# missing pwgen(epel), jemalloc(epel) (as entrypoint/user extensions) +# procps, pv(epel) - missing dependencies of galera sst script +# tzdata re-installed as only a fake version is part of the ubi-minimal base image. 
+# FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key +# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key +RUN set -eux ; \ + curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \ + gpg --batch --import /tmp/epelkey.txt ; \ + gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \ + rpmkeys --import /tmp/epelkey.txt ; \ + curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \ + rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \ + rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \ + rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \ + curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \ + gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \ + gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \ + rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \ + rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \ + unset GNUPGHOME ; \ + microdnf update -y ; \ + microdnf reinstall -y tzdata ; \ + microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \ + mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \ + chmod ugo+rwx,o+t /run/mariadb ; \ + microdnf install -y MariaDB-backup-${MARIADB_VERSION} MariaDB-server-${MARIADB_VERSION} ; \ + # compatibility with DEB Galera packaging + ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \ + # compatibility with RPM Galera packaging + ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib64/galera/libgalera_smm.so ; \ + microdnf clean all ; \ + rmdir /var/lib/mysql/mysql ; \ + chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \ + mkdir 
/licenses ; \ + ln -s /usr/share/doc/MariaDB-server-${MARIADB_VERSION}/COPYING /licenses/GPL-2 ; \ + ln -s /usr/share/licenses /licenses/package-licenses ; \ + ln -s Apache-2.0-license /licenses/gosu VOLUME /var/lib/mysql +RUN mkdir /docker-entrypoint-initdb.d + COPY healthcheck.sh /usr/local/bin/healthcheck.sh COPY docker-entrypoint.sh /usr/local/bin/ + ENTRYPOINT ["docker-entrypoint.sh"] +USER mysql EXPOSE 3306 CMD ["mariadbd"] diff --git a/11.5-ubi/healthcheck.sh b/11.5-ubi/healthcheck.sh index c5dcbd38..ad0b17f5 100755 --- a/11.5-ubi/healthcheck.sh +++ b/11.5-ubi/healthcheck.sh 
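Review bot: In the EPEL bootstrap step of 11.5-ubi/Dockerfile, `rpm -K /tmp/epel-release-latest-9.noarch.rpm` is the only gate before `rpm -ivh`, and as far as I know `rpm -K` also exits zero for a package that carries digests but no signature, so it shows the download is intact rather than that the Fedora key imported just above signed it. To make the imported key the real trust anchor I would require a signature at install time, for example `rpm -ivh --define '_pkgverify_level signature' /tmp/epel-release-latest-9.noarch.rpm ; \`, or fail the step unless the `rpm -K` output reports `signatures OK`. The `MariaDB.repo` file copied earlier is not part of this patch, so whether it sets `gpgcheck=1` for the later `microdnf install` of the server packages cannot be confirmed from here and is worth checking alongside.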
@@ -66,25 +66,40 @@ connect() return "$s"; ;; esac - # falling back to this if there wasn't a connection answer. - set +e +o pipefail - # (on second extra_file) - # shellcheck disable=SC2086 - mariadb ${nodefaults:+--no-defaults} \ + # falling back to tcp if there wasn't a connection answer. + s=$(mariadb ${nodefaults:+--no-defaults} \ ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ --skip-ssl --skip-ssl-verify-server-cert \ - -h localhost --protocol tcp -e 'select 1' 2>&1 \ - | grep -qF "Can't connect" - local ret=${PIPESTATUS[1]} - set -eo pipefail - if (( "$ret" == 0 )); then - # grep Matched "Can't connect" so we fail - connect_s=1 - else - connect_s=0 - fi + -h localhost --protocol tcp \ + --skip-column-names --batch --skip-print-query-on-error \ + -e 'select @@skip_networking' 2>&1) + + case "$s" in + 1) # skip-networking=1 (no network) + ;& + ERROR\ 2002\ \(HY000\):*) + # cannot connect + connect_s=1 + ;; + 0) # skip-networking=0 + ;& + ERROR\ 1820\ \(HY000\)*) # password expire + ;& + ERROR\ 4151\ \(HY000\):*) # account locked + ;& + ERROR\ 1226\ \(42000\)*) # resource limit exceeded + ;& + ERROR\ 1[0-9][0-9][0-9]\ \(28000\):*) + # grep access denied and other 28000 client errors - we did connect + connect_s=0 + ;; + *) + >&2 echo "Unknown error $s" + connect_s=1 + ;; + esac return $connect_s } @@ -367,8 +382,8 @@ while [ $# -gt 0 ]; do fi shift done -if [ -z "$connect_s" ]; then - # we didn't do a connnect test, so the current success status is suspicious +if [ "$connect_s" != "0" ]; then + # we didn't pass a connnect test, so the current success status is suspicious # return what connect thinks. connect exit $? diff --git a/11.5/Dockerfile b/11.5/Dockerfile index a7f1aa06..a394eb87 100644 --- a/11.5/Dockerfile +++ b/11.5/Dockerfile 
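Review bot: The new `s=$(mariadb … 2>&1)` in `connect()` of 11.5-ubi/healthcheck.sh runs without the `set +e +o pipefail` / `set -eo pipefail` pair that the removed lines placed around the old pipeline. If the script runs under `set -e`, as those removed lines suggest, an assignment from a command substitution takes the client's exit status, so a refused or access-denied connection would end the script before the `case "$s"` that is meant to classify those errors, wherever `connect` is called as a plain command (the second hunk does so just before `exit $?`). Appending `|| true` to the closing line, `-e 'select @@skip_networking' 2>&1) || true`, keeps the captured text and lets the `case` decide the result. The start of `connect()` lies outside the hunk; the same change appears in 11.6-ubi/healthcheck.sh and 11.6/healthcheck.sh.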
@@ -81,8 +81,8 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ # bashbrew-architectures: amd64 arm64v8 ppc64le s390x ARG MARIADB_VERSION=1:11.5.2+maria~ubu2404 ENV MARIADB_VERSION $MARIADB_VERSION -# release-status:Unknown -# release-support-type:Unknown +# release-status:Stable +# release-support-type:Short Term Support # (https://downloads.mariadb.org/rest-api/mariadb/) # Allowing overriding of REPOSITORY, a URL that includes suite and component for testing and Enterprise Versions diff --git a/11.6-ubi/Dockerfile b/11.6-ubi/Dockerfile index c61eafc9..d205b3f0 100644 --- a/11.6-ubi/Dockerfile +++ b/11.6-ubi/Dockerfile @@ -56,8 +56,8 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ # bashbrew-architectures: amd64 arm64v8 ppc64le s390x ARG MARIADB_VERSION=11.6.1 ENV MARIADB_VERSION=$MARIADB_VERSION -# release-status:Unknown -# release-support-type:Unknown +# release-status:RC +# release-support-type:Short Term Support # (https://downloads.mariadb.org/rest-api/mariadb/) # missing pwgen(epel), jemalloc(epel) (as entrypoint/user extensions) diff --git a/11.6-ubi/healthcheck.sh b/11.6-ubi/healthcheck.sh index c5dcbd38..ad0b17f5 100755 --- a/11.6-ubi/healthcheck.sh +++ b/11.6-ubi/healthcheck.sh 
@@ -66,25 +66,40 @@ connect() return "$s"; ;; esac - # falling back to this if there wasn't a connection answer. - set +e +o pipefail - # (on second extra_file) - # shellcheck disable=SC2086 - mariadb ${nodefaults:+--no-defaults} \ + # falling back to tcp if there wasn't a connection answer. + s=$(mariadb ${nodefaults:+--no-defaults} \ ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ --skip-ssl --skip-ssl-verify-server-cert \ - -h localhost --protocol tcp -e 'select 1' 2>&1 \ - | grep -qF "Can't connect" - local ret=${PIPESTATUS[1]} - set -eo pipefail - if (( "$ret" == 0 )); then - # grep Matched "Can't connect" so we fail - connect_s=1 - else - connect_s=0 - fi + -h localhost --protocol tcp \ + --skip-column-names --batch --skip-print-query-on-error \ + -e 'select @@skip_networking' 2>&1) + + case "$s" in + 1) # skip-networking=1 (no network) + ;& + ERROR\ 2002\ \(HY000\):*) + # cannot connect + connect_s=1 + ;; + 0) # skip-networking=0 + ;& + ERROR\ 1820\ \(HY000\)*) # password expire + ;& + ERROR\ 4151\ \(HY000\):*) # account locked + ;& + ERROR\ 1226\ \(42000\)*) # resource limit exceeded + ;& + ERROR\ 1[0-9][0-9][0-9]\ \(28000\):*) + # grep access denied and other 28000 client errors - we did connect + connect_s=0 + ;; + *) + >&2 echo "Unknown error $s" + connect_s=1 + ;; + esac return $connect_s } @@ -367,8 +382,8 @@ while [ $# -gt 0 ]; do fi shift done -if [ -z "$connect_s" ]; then - # we didn't do a connnect test, so the current success status is suspicious +if [ "$connect_s" != "0" ]; then + # we didn't pass a connnect test, so the current success status is suspicious # return what connect thinks. connect exit $? diff --git a/11.6/Dockerfile b/11.6/Dockerfile index 7fd0ae0a..ffc341a3 100644 --- a/11.6/Dockerfile +++ b/11.6/Dockerfile 
@@ -81,8 +81,8 @@ LABEL org.opencontainers.image.authors="MariaDB Community" \ # bashbrew-architectures: amd64 arm64v8 ppc64le s390x ARG MARIADB_VERSION=1:11.6.1+maria~ubu2404 ENV MARIADB_VERSION $MARIADB_VERSION -# release-status:Unknown -# release-support-type:Unknown +# release-status:RC +# release-support-type:Short Term Support # (https://downloads.mariadb.org/rest-api/mariadb/) # Allowing overriding of REPOSITORY, a URL that includes suite and component for testing and Enterprise Versions diff --git a/11.6/healthcheck.sh b/11.6/healthcheck.sh index c5dcbd38..ad0b17f5 100755 --- a/11.6/healthcheck.sh +++ b/11.6/healthcheck.sh 
@@ -66,25 +66,40 @@ connect() return "$s"; ;; esac - # falling back to this if there wasn't a connection answer. - set +e +o pipefail - # (on second extra_file) - # shellcheck disable=SC2086 - mariadb ${nodefaults:+--no-defaults} \ + # falling back to tcp if there wasn't a connection answer. + s=$(mariadb ${nodefaults:+--no-defaults} \ ${def['file']:+--defaults-file=${def['file']}} \ ${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \ ${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \ --skip-ssl --skip-ssl-verify-server-cert \ - -h localhost --protocol tcp -e 'select 1' 2>&1 \ - | grep -qF "Can't connect" - local ret=${PIPESTATUS[1]} - set -eo pipefail - if (( "$ret" == 0 )); then - # grep Matched "Can't connect" so we fail - connect_s=1 - else - connect_s=0 - fi + -h localhost --protocol tcp \ + --skip-column-names --batch --skip-print-query-on-error \ + -e 'select @@skip_networking' 2>&1) + + case "$s" in + 1) # skip-networking=1 (no network) + ;& + ERROR\ 2002\ \(HY000\):*) + # cannot connect + connect_s=1 + ;; + 0) # skip-networking=0 + ;& + ERROR\ 1820\ \(HY000\)*) # password expire + ;& + ERROR\ 4151\ \(HY000\):*) # account locked + ;& + ERROR\ 1226\ \(42000\)*) # resource limit exceeded + ;& + ERROR\ 1[0-9][0-9][0-9]\ \(28000\):*) + # grep access denied and other 28000 client errors - we did connect + connect_s=0 + ;; + *) + >&2 echo "Unknown error $s" + connect_s=1 + ;; + esac return $connect_s } @@ -367,8 +382,8 @@ while [ $# -gt 0 ]; do fi shift done -if [ -z "$connect_s" ]; then - # we didn't do a connnect test, so the current success status is suspicious +if [ "$connect_s" != "0" ]; then + # we didn't pass a connnect test, so the current success status is suspicious # return what connect thinks. connect exit $?