Solving the ownership-change problem after starting the MySQL image in a Docker environment


Problem:

Docker provides an official MySQL image. This article takes mysql:5.7.24 as the reference version and explains why, whenever a container is started from this image, the bind-mounted database directory always ends up with a different owner and permissions.

1. Problem review

As the screenshot above shows, the system uses docker-compose.yml to mount the db directory on the host (dev00) into /var/lib/mysql of the mysql:5.7.24 container. But ls shows that on the host the db directory is owned by user and group polkitd:input. This is puzzling at first: neither of those users was created and no permissions were granted, so why did the owner turn into this? The specific reason is explained below.

2. Problem analysis

As mentioned above, to find out why the directory owner changes we ultimately have to focus on entrypoint.sh. When a Docker image becomes a running container it needs a command to start it, and that startup command is entrypoint.sh. The reason is analysed below:

As the screenshot above shows, inside the container there is an entrypoint.sh in the root directory, symlinked to docker-entrypoint.sh. In other words, this startup file must be what alters the original directory. Let us look at the file in detail:

#!/bin/bash
set -eo pipefail
shopt -s nullglob

# if command starts with an option, prepend mysqld
if [ "${1:0:1}" = '-' ]; then
        set -- mysqld "$@"
fi

# skip setup if they want an option that stops mysqld
wantHelp=
for arg; do
        case "$arg" in
                -'?'|--help|--print-defaults|-V|--version)
                        wantHelp=1
                        break
                        ;;
        esac
done

# usage: file_env VAR [DEFAULT]
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
        local var="$1"
        local fileVar="${var}_FILE"
        local def="${2:-}"
        if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
                echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
                exit 1
        fi
        local val="$def"
        if [ "${!var:-}" ]; then
                val="${!var}"
        elif [ "${!fileVar:-}" ]; then
                val="$(< "${!fileVar}")"
        fi
        export "$var"="$val"
        unset "$fileVar"
}

# usage: process_init_file FILENAME MYSQLCOMMAND...
#    ie: process_init_file foo.sh mysql -uroot
# (process a single initializer file, based on its extension. we define this
# function here, so that initializer scripts (*.sh) can use the same logic,
# potentially recursively, or override the logic used in subsequent calls)
process_init_file() {
        local f="$1"; shift
        local mysql=( "$@" )

        case "$f" in
                *.sh)     echo "$0: running $f"; . "$f" ;;
                *.sql)    echo "$0: running $f"; "${mysql[@]}" < "$f"; echo ;;
                *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${mysql[@]}"; echo ;;
                *)        echo "$0: ignoring $f" ;;
        esac
        echo
}

_check_config() {
        toRun=( "$@" --verbose --help )
        if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
                cat >&2 <<-EOM

                        ERROR: mysqld failed while attempting to check config
                        command was: "${toRun[*]}"

                        $errors
                EOM
                exit 1
        fi
}

# Fetch value from server config
# We use mysqld --verbose --help instead of my_print_defaults because the
# latter only show values present in config files, and not server defaults
_get_config() {
        local conf="$1"; shift
        "$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null | awk '$1 == "'"$conf"'" { print $2; exit }'
}

# allow the container to be started with `--user`
if [ "$1" = 'mysqld' -a -z "$wantHelp" -a "$(id -u)" = '0' ]; then
        _check_config "$@"
        DATADIR="$(_get_config 'datadir' "$@")"
        mkdir -p "$DATADIR"
        chown -R mysql:mysql "$DATADIR"
        exec gosu mysql "$BASH_SOURCE" "$@"
fi

if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
        # still need to check config, container may have started with --user
        _check_config "$@"
        # Get config
        DATADIR="$(_get_config 'datadir' "$@")"

        if [ ! -d "$DATADIR/mysql" ]; then
                file_env 'MYSQL_ROOT_PASSWORD'
                if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
                        echo >&2 'error: database is uninitialized and password option is not specified '
                        echo >&2 '  You need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD'
                        exit 1
                fi

                mkdir -p "$DATADIR"

                echo 'Initializing database'
                "$@" --initialize-insecure
                echo 'Database initialized'

                if command -v mysql_ssl_rsa_setup > /dev/null && [ ! -e "$DATADIR/server-key.pem" ]; then
                        # https://github.com/mysql/mysql-server/blob/23032807537d8dd8ee4ec1c4d40f0633cd4e12f9/packaging/deb-in/extra/mysql-systemd-start#L81-L84
                        echo 'Initializing certificates'
                        mysql_ssl_rsa_setup --datadir="$DATADIR"
                        echo 'Certificates initialized'
                fi

                SOCKET="$(_get_config 'socket' "$@")"
                "$@" --skip-networking --socket="${SOCKET}" &
                pid="$!"

                mysql=( mysql --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" )

                for i in {30..0}; do
                        if echo 'SELECT 1' | "${mysql[@]}" &> /dev/null; then
                                break
                        fi
                        echo 'MySQL init process in progress...'
                        sleep 1
                done
                if [ "$i" = 0 ]; then
                        echo >&2 'MySQL init process failed.'
                        exit 1
                fi

                if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then
                        # sed is for https://bugs.mysql.com/bug.php?id=20545
                        mysql_tzinfo_to_sql /usr/share/zoneinfo | sed 's/Local time zone must be set--see zic manual page/FCTY/' | "${mysql[@]}" mysql
                fi

                if [ ! -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
                        export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)"
                        echo "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD"
                fi

                rootCreate=
                # default root to listen for connections from anywhere
                file_env 'MYSQL_ROOT_HOST' '%'
                if [ ! -z "$MYSQL_ROOT_HOST" -a "$MYSQL_ROOT_HOST" != 'localhost' ]; then
                        # no, we don't care if read finds a terminating character in this heredoc
                        # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
                        read -r -d '' rootCreate <<-EOSQL || true
                                CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
                                GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ;
                        EOSQL
                fi

                "${mysql[@]}" <<-EOSQL
                        -- What's done in this file shouldn't be replicated
                        --  or products like mysql-fabric won't work
                        SET @@SESSION.SQL_LOG_BIN=0;

                        SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
                        GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
                        ${rootCreate}
                        DROP DATABASE IF EXISTS test ;
                        FLUSH PRIVILEGES ;
                EOSQL

                if [ ! -z "$MYSQL_ROOT_PASSWORD" ]; then
                        mysql+=( -p"${MYSQL_ROOT_PASSWORD}" )
                fi

                file_env 'MYSQL_DATABASE'
                if [ "$MYSQL_DATABASE" ]; then
                        echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" | "${mysql[@]}"
                        mysql+=( "$MYSQL_DATABASE" )
                fi

                file_env 'MYSQL_USER'
                file_env 'MYSQL_PASSWORD'
                if [ "$MYSQL_USER" -a "$MYSQL_PASSWORD" ]; then
                        echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" | "${mysql[@]}"

                        if [ "$MYSQL_DATABASE" ]; then
                                echo "GRANT ALL ON \`$MYSQL_DATABASE\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"
                        fi

                        echo 'FLUSH PRIVILEGES ;' | "${mysql[@]}"
                fi

                echo
                ls /docker-entrypoint-initdb.d/ > /dev/null
                for f in /docker-entrypoint-initdb.d/*; do
                        process_init_file "$f" "${mysql[@]}"
                done

                if [ ! -z "$MYSQL_ONETIME_PASSWORD" ]; then
                        "${mysql[@]}" <<-EOSQL
                                ALTER USER 'root'@'%' PASSWORD EXPIRE;
                        EOSQL
                fi
                if ! kill -s TERM "$pid" || ! wait "$pid"; then
                        echo >&2 'MySQL init process failed.'
                        exit 1
                fi

                echo
                echo 'MySQL init process done. Ready for start up.'
                echo
        fi
fi

exec "$@"

The following block is actually the key part. It means the script starts mysqld as the specified user; if you do not specify a user, it defaults to the mysql user, chowns DATADIR to mysql and then re-executes the script as mysql, so the owner really does become mysql. But why does it show up as polkitd on the host?

# allow the container to be started with `--user`
if [ "$1" = 'mysqld' -a -z "$wantHelp" -a "$(id -u)" = '0' ]; then
        _check_config "$@"
        DATADIR="$(_get_config 'datadir' "$@")"
        mkdir -p "$DATADIR"
        chown -R mysql:mysql "$DATADIR"
        exec gosu mysql "$BASH_SOURCE" "$@"
fi

Continuing below:

As the screenshot above shows, inside the container the user is mysql with user ID 999. After leaving the container, on the host the user with ID 999 turns out to be polkitd. So now it is clear: the container and the host actually share the same set of user IDs; the names may differ, but the ID is the same. As a result the IDs match but the users do not, and the permissions therefore differ. To solve this and keep the ownership consistent, entrypoint.sh has to be modified.

3. Solution

Solving this problem takes the following steps:

(1) Modify docker-compose.yml to map the user into the container. Be sure to map /etc/passwd in as well, otherwise the user will not be found!

(2) Modify entrypoint.sh to map the user in. As you can see, after chown -R I substituted the user from the environment variable, i.e. MySQL is initialised as the host user.

# allow the container to be started with `--user`
# _USER comes from docker-compose.yml and must name a user that exists in the
# container's /etc/passwd (hence the bind-mounted /etc/passwd); fail early
# instead of silently falling back to root when it is unset.
if [ "$1" = 'mysqld' -a -z "$wantHelp" -a "$(id -u)" = '0' ]; then
        : "${_USER:?_USER must be set to the host user that owns the data directory}"
        _check_config "$@"
        DATADIR="$(_get_config 'datadir' "$@")"
        mkdir -p "$DATADIR"
        chown -R "${_USER}:${_USER}" "$DATADIR"
        exec gosu "${_USER}" "$BASH_SOURCE" "$@"
fi

(3) Restart the container with docker-compose up -d. From now on, whether the container is restarted or shut down, the directory stays owned by the current user and the problem no longer occurs.
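As an added example (not part of the original post), the script below reproduces the UID-to-name mismatch from section 2 with two constructed /etc/passwd snippets, and implements the pre-flight check that step (2) relies on: the name in _USER must resolve in the container's /etc/passwd before it is handed to chown and gosu. The passwd entries, the dev00 host user and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed /etc/passwd snippets:
# UID 999 is "mysql" inside the mysql:5.7.24 image but "polkitd" on the host,
# which is exactly the mismatch seen in the screenshots.
set -eu

CONTAINER_PASSWD="$(printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'mysql:x:999:999::/var/lib/mysql:/bin/false')"
HOST_PASSWD="$(printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'polkitd:x:999:998:User for polkitd:/:/sbin/nologin' \
    'dev00:x:1000:1000::/home/dev00:/bin/bash')"   # dev00: assumed host user

# uid_to_name UID PASSWD_CONTENT -> prints the login name owning UID, or "?"
uid_to_name() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $3 == u { print $1; found = 1; exit }
        END { if (!found) print "?" }'
}

# name_to_uid NAME PASSWD_CONTENT -> prints the UID; returns 1 if NAME is absent
name_to_uid() {
    uid="$(printf '%s\n' "$2" | awk -F: -v n="$1" '$1 == n { print $3; exit }')"
    [ -n "$uid" ] && printf '%s\n' "$uid"
}

# check_entrypoint_user NAME PASSWD_CONTENT
# Both "chown -R ${_USER}:${_USER}" and "gosu ${_USER}" resolve NAME through the
# container's /etc/passwd, so this is the check to run before either of them.
# Fails when /etc/passwd was not bind-mounted and NAME only exists on the host.
check_entrypoint_user() {
    name_to_uid "$1" "$2" >/dev/null
}

# Demonstration: same UID, different name on each side of the bind mount.
echo "UID 999 in container: $(uid_to_name 999 "$CONTAINER_PASSWD")"
echo "UID 999 on host     : $(uid_to_name 999 "$HOST_PASSWD")"
for passwd in "$CONTAINER_PASSWD" "$HOST_PASSWD"; do
    if check_entrypoint_user dev00 "$passwd"; then
        echo "dev00 resolves (uid $(name_to_uid dev00 "$passwd"))"
    else
        echo "dev00 not found: chown/gosu would fail, bind-mount /etc/passwd"
    fi
done
```

In a real entrypoint the same check would be `check_entrypoint_user "$_USER" "$(cat /etc/passwd)"`, placed just before the chown line.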