Allow healthcheck@{127.0.0.1,::1,localhost} to exist to facilitate healthcheck --connect

healthcheck@{127.0.0.1,::1,localhost} users are granted USAGE by default, which
is enough for the non-replication healthchecks in healtcheck.sh.

The env variable MARIADB_HEALTHCHECK_GRANTS can replace USAGE with any
comma separated set of grants.

On initialization a generated password is created and saved in
$DATADIR/.my-healthcheck.cnf along with the server port and socket. If the
command args or default configuration file changes this may become out
of date. Because the password is generated in configuration file the
'#', comment, and '=' characters cannot be part of this password.

The healthcheck.cnf configuration file also sets protocol=tcp to
enforce indirectly that --connect being a standard part of the test. This is
required as starts of the service under --skip-networking should
never be considered healthy.

The healthcheck script also has the --defaults-extra-file set to this
.my-healthcheck.cnf file, if it exists (backwards compatible on
previously created datadirs), so that all new healthcheck invokations
use the authentication here by default.

The compatibility with old instances, without the .my-healthcheck.cnf is
preserved by non setting --defaults-extra-file.

The healthcheck --connect will increment the server status variable Aborted_connects
for each check, however now connection_error* counts are changed.

This also prevents any invalid password errors showing up in the
container log.

Closes #430

Author: grooverdan

.test/run.sh

@@ -174,9 +174,8 @@ checkReplication() {
 			-e MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=1 \
 			-e MARIADB_REPLICATION_USER="$mariadb_replication_user" \
 			-e MARIADB_REPLICATION_PASSWORD="$pass" \
-			-e MARIADB_MYSQL_LOCALHOST_USER=1 \
-			-e MARIADB_MYSQL_LOCALHOST_GRANTS="${RPL_MONITOR}" \
-			--health-cmd='healthcheck.sh --su-mysql --replication_io --replication_sql --replication_seconds_behind_master=0 --replication' \
+			-e MARIADB_HEALTHCHECK_GRANTS="${RPL_MONITOR}" \
+			--health-cmd='healthcheck.sh --connect --innodb-initialized --replication_io --replication_sql --replication_seconds_behind_master=0 --replication' \
 			--health-interval=3s \
 			"$image" --server-id=3001 --port "${port}"
 		unset port
@@ -190,7 +189,7 @@ checkReplication() {
 
 		docker exec --user mysql -i \
 			"$cname" \
-			$mariadb \
+			$mariadb --defaults-file=/var/lib/mysql/.my-healthcheck.cnf \
 			-e 'SHOW SLAVE STATUS\G' || die 'error examining replica status'
 
 		mariadbclient_unix -u root replcheck --batch --skip-column-names -e 'show create table t1;' || die 'sample table not replicated'
@@ -226,7 +225,7 @@ mariadbclient -u root -e 'show databases'
 othertables=$(mariadbclient -u root --skip-column-names -Be "select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA where SCHEMA_NAME not in ('mysql', 'information_schema', 'performance_schema', 'sys')")
 [ "${othertables}" != 'NULL' ] && die "unexpected table(s) $othertables"
 
-otherusers=$(mariadbclient -u root --skip-column-names -Be "select user,host from mysql.user where (user,host) not in (('root', 'localhost'), ('root', '%'), ('mariadb.sys', 'localhost'))")
+otherusers=$(mariadbclient -u root --skip-column-names -Be "select user,host from mysql.global_priv where (user,host) not in (('root', 'localhost'), ('root', '%'), ('mariadb.sys', 'localhost'), ('healthcheck', '::1'), ('healthcheck', '127.0.0.1'), ('healthcheck', 'localhost'))")
 [ "$otherusers" != '' ] && die "unexpected users $otherusers"
 
 	echo "Contents of /var/lib/mysql/{mysql,mariadb}_upgrade_info:"
@@ -246,7 +245,7 @@ killoff
 	mariadbclient -u root -pexamplepass -e 'select current_user()'
 	mariadbclient -u root -pwrongpass -e 'select current_user()' || echo 'expected failure'
 
-	otherusers=$(mariadbclient -u root -pexamplepass --skip-column-names -Be "select user,host from mysql.user where (user,host) not in (('root', 'localhost'), ('root', '%'), ('mariadb.sys', 'localhost'), ('mysql','localhost'))")
+	otherusers=$(mariadbclient -u root -pexamplepass --skip-column-names -Be "select user,host from mysql.global_priv where (user,host) not in (('root', 'localhost'), ('root', '%'), ('mariadb.sys', 'localhost'), ('mysql','localhost'), ('healthcheck', '::1'), ('healthcheck', '127.0.0.1'), ('healthcheck', 'localhost'))")
 	[ "$otherusers" != '' ] && die "unexpected users $otherusers"
 
 	createuser=$(docker exec --user mysql -i \
@@ -266,6 +265,22 @@ killoff
 	# shellcheck disable=SC2016
 	[ "${grants//\'/\`}" == 'GRANT USAGE ON *.* TO `mysql`@`localhost` IDENTIFIED VIA unix_socket' ] || die "I wasn't granted what I was expected"
 
+	createuser=$(docker exec --user mysql -i \
+		"$cname" \
+		$mariadb --defaults-file=/var/lib/mysql/.my-healthcheck.cnf \
+		--silent \
+		-e "show create user")
+	# shellcheck disable=SC2016
+	[[ "${createuser//\'/\`}" =~ 'CREATE USER `healthcheck`@`localhost` IDENTIFIED' ]] || die "I wasn't created how I was expected"
+
+	grants="$(docker exec --user mysql -i \
+		$cname \
+		$mariadb --defaults-file=/var/lib/mysql/.my-healthcheck.cnf \
+		--silent \
+		-e show\ grants)"
+
+	# shellcheck disable=SC2016
+	[[ "${grants//\'/\`}" =~ 'GRANT USAGE ON *.* TO `healthcheck`@`localhost`' ]] || die "I wasn't granted what I was expected"
 	killoff
 
 	;&
@@ -458,7 +473,7 @@ mariadbclient -u root -e 'show databases'
 othertables=$(mariadbclient -u root --skip-column-names -Be "select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA where SCHEMA_NAME not in ('mysql', 'information_schema', 'performance_schema', 'sys')")
 [ "${othertables}" != 'NULL' ] && die "unexpected table(s) $othertables"
 
-otherusers=$(mariadbclient -u root --skip-column-names -Be "select user,host from mysql.user where (user,host) not in (('root', 'localhost'), ('root', '%'), ('mariadb.sys', 'localhost'), ('mysql','localhost'))")
+otherusers=$(mariadbclient -u root --skip-column-names -Be "select user,host from mysql.user where (user,host) not in (('root', 'localhost'), ('root', '%'), ('mariadb.sys', 'localhost'), ('mysql','localhost'), ('healthcheck', '::1'), ('healthcheck', '127.0.0.1'), ('healthcheck', 'localhost'))")
 [ "$otherusers" != '' ] && die "unexpected users $otherusers"
 killoff
 

10.10/docker-entrypoint.sh

@@ -226,9 +226,10 @@ docker_init_database_dir() {
 # This should be called after mysql_check_config, but before any other functions
 docker_setup_env() {
 	# Get config
-	declare -g DATADIR SOCKET
+	declare -g DATADIR SOCKET PORT
 	DATADIR="$(mysql_get_config 'datadir' "$@")"
 	SOCKET="$(mysql_get_config 'socket' "$@")"
+	PORT="$(mysql_get_config 'port' "$@")"
 
 
 	# Initialize values that might be stored in a file
@@ -364,6 +365,29 @@ docker_setup_db() {
 		fi
 	fi
 
+	local healthCheckUser
+	local healthCheckGrant=USAGE
+	local healthCheckConnectPass
+	local healthCheckConnectPassEscaped
+	healthCheckConnectPass="$(pwgen --numerals --capitalize --symbols --remove-chars="=#'\\" -1 32)"
+	healthCheckConnectPassEscaped=$( docker_sql_escape_string_literal "${healthCheckConnectPass}" )
+	if [ -n "$MARIADB_HEALTHCHECK_GRANTS" ]; then
+		healthCheckGrant="$MARIADB_HEALTHCHECK_GRANTS"
+	fi
+	read -r -d '' healthCheckUser <<-EOSQL || true
+	CREATE USER healthcheck@'127.0.0.1' IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	CREATE USER healthcheck@'::1' IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	CREATE USER healthcheck@localhost IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@'127.0.0.1';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@'::1';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@localhost;
+	EOSQL
+	local maskPreserve
+	maskPreserve=$(umask -p)
+	umask 0077
+	echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf
+	$maskPreserve
+
 	local rootLocalhostPass=
 	if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then
 		# handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d
@@ -433,6 +457,7 @@ docker_setup_db() {
 		${rootCreate}
 		${mysqlAtLocalhost}
 		${mysqlAtLocalhostGrants}
+		${healthCheckUser}
 		-- end of securing system users, rest of init now...
 		SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin;
 		-- create users/databases

10.10/healthcheck.sh

@@ -55,6 +55,8 @@ _process_sql()
 connect()
 {
 	set +e +o pipefail
+	# (on second extra_file)
+	# shellcheck disable=SC2086
 	mariadb ${nodefaults:+--no-defaults} \
 		${def['file']:+--defaults-file=${def['file']}} \
 		${def['extra_file']:+--defaults-extra-file=${def['extra_file']}}  \
@@ -210,6 +212,9 @@ declare -A repl
 declare -A def
 nodefaults=
 datadir=/var/lib/mysql
+if [ -f $datadir/.my-healthcheck.cnf ]; then
+	def['extra_file']=$datadir/.my-healthcheck.cnf
+fi
 
 _repl_param_check()
 {

10.11/docker-entrypoint.sh

@@ -226,9 +226,10 @@ docker_init_database_dir() {
 # This should be called after mysql_check_config, but before any other functions
 docker_setup_env() {
 	# Get config
-	declare -g DATADIR SOCKET
+	declare -g DATADIR SOCKET PORT
 	DATADIR="$(mysql_get_config 'datadir' "$@")"
 	SOCKET="$(mysql_get_config 'socket' "$@")"
+	PORT="$(mysql_get_config 'port' "$@")"
 
 
 	# Initialize values that might be stored in a file
@@ -364,6 +365,29 @@ docker_setup_db() {
 		fi
 	fi
 
+	local healthCheckUser
+	local healthCheckGrant=USAGE
+	local healthCheckConnectPass
+	local healthCheckConnectPassEscaped
+	healthCheckConnectPass="$(pwgen --numerals --capitalize --symbols --remove-chars="=#'\\" -1 32)"
+	healthCheckConnectPassEscaped=$( docker_sql_escape_string_literal "${healthCheckConnectPass}" )
+	if [ -n "$MARIADB_HEALTHCHECK_GRANTS" ]; then
+		healthCheckGrant="$MARIADB_HEALTHCHECK_GRANTS"
+	fi
+	read -r -d '' healthCheckUser <<-EOSQL || true
+	CREATE USER healthcheck@'127.0.0.1' IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	CREATE USER healthcheck@'::1' IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	CREATE USER healthcheck@localhost IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@'127.0.0.1';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@'::1';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@localhost;
+	EOSQL
+	local maskPreserve
+	maskPreserve=$(umask -p)
+	umask 0077
+	echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf
+	$maskPreserve
+
 	local rootLocalhostPass=
 	if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then
 		# handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d
@@ -433,6 +457,7 @@ docker_setup_db() {
 		${rootCreate}
 		${mysqlAtLocalhost}
 		${mysqlAtLocalhostGrants}
+		${healthCheckUser}
 		-- end of securing system users, rest of init now...
 		SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin;
 		-- create users/databases

10.11/healthcheck.sh

@@ -55,6 +55,8 @@ _process_sql()
 connect()
 {
 	set +e +o pipefail
+	# (on second extra_file)
+	# shellcheck disable=SC2086
 	mariadb ${nodefaults:+--no-defaults} \
 		${def['file']:+--defaults-file=${def['file']}} \
 		${def['extra_file']:+--defaults-extra-file=${def['extra_file']}}  \
@@ -210,6 +212,9 @@ declare -A repl
 declare -A def
 nodefaults=
 datadir=/var/lib/mysql
+if [ -f $datadir/.my-healthcheck.cnf ]; then
+	def['extra_file']=$datadir/.my-healthcheck.cnf
+fi
 
 _repl_param_check()
 {

10.4/docker-entrypoint.sh

@@ -225,9 +225,10 @@ docker_init_database_dir() {
 # This should be called after mysql_check_config, but before any other functions
 docker_setup_env() {
 	# Get config
-	declare -g DATADIR SOCKET
+	declare -g DATADIR SOCKET PORT
 	DATADIR="$(mysql_get_config 'datadir' "$@")"
 	SOCKET="$(mysql_get_config 'socket' "$@")"
+	PORT="$(mysql_get_config 'port' "$@")"
 
 
 	# Initialize values that might be stored in a file
@@ -363,6 +364,29 @@ docker_setup_db() {
 		fi
 	fi
 
+	local healthCheckUser
+	local healthCheckGrant=USAGE
+	local healthCheckConnectPass
+	local healthCheckConnectPassEscaped
+	healthCheckConnectPass="$(pwgen --numerals --capitalize --symbols --remove-chars="=#'\\" -1 32)"
+	healthCheckConnectPassEscaped=$( docker_sql_escape_string_literal "${healthCheckConnectPass}" )
+	if [ -n "$MARIADB_HEALTHCHECK_GRANTS" ]; then
+		healthCheckGrant="$MARIADB_HEALTHCHECK_GRANTS"
+	fi
+	read -r -d '' healthCheckUser <<-EOSQL || true
+	CREATE USER healthcheck@'127.0.0.1' IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	CREATE USER healthcheck@'::1' IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	CREATE USER healthcheck@localhost IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@'127.0.0.1';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@'::1';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@localhost;
+	EOSQL
+	local maskPreserve
+	maskPreserve=$(umask -p)
+	umask 0077
+	echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf
+	$maskPreserve
+
 	local rootLocalhostPass=
 	if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then
 		# handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d
@@ -432,6 +456,7 @@ docker_setup_db() {
 		${rootCreate}
 		${mysqlAtLocalhost}
 		${mysqlAtLocalhostGrants}
+		${healthCheckUser}
 		-- end of securing system users, rest of init now...
 		SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin;
 		-- create users/databases

10.4/healthcheck.sh

@@ -55,6 +55,8 @@ _process_sql()
 connect()
 {
 	set +e +o pipefail
+	# (on second extra_file)
+	# shellcheck disable=SC2086
 	mysql ${nodefaults:+--no-defaults} \
 		${def['file']:+--defaults-file=${def['file']}} \
 		${def['extra_file']:+--defaults-extra-file=${def['extra_file']}}  \
@@ -210,6 +212,9 @@ declare -A repl
 declare -A def
 nodefaults=
 datadir=/var/lib/mysql
+if [ -f $datadir/.my-healthcheck.cnf ]; then
+	def['extra_file']=$datadir/.my-healthcheck.cnf
+fi
 
 _repl_param_check()
 {

10.5/docker-entrypoint.sh

@@ -225,9 +225,10 @@ docker_init_database_dir() {
 # This should be called after mysql_check_config, but before any other functions
 docker_setup_env() {
 	# Get config
-	declare -g DATADIR SOCKET
+	declare -g DATADIR SOCKET PORT
 	DATADIR="$(mysql_get_config 'datadir' "$@")"
 	SOCKET="$(mysql_get_config 'socket' "$@")"
+	PORT="$(mysql_get_config 'port' "$@")"
 
 
 	# Initialize values that might be stored in a file
@@ -363,6 +364,29 @@ docker_setup_db() {
 		fi
 	fi
 
+	local healthCheckUser
+	local healthCheckGrant=USAGE
+	local healthCheckConnectPass
+	local healthCheckConnectPassEscaped
+	healthCheckConnectPass="$(pwgen --numerals --capitalize --symbols --remove-chars="=#'\\" -1 32)"
+	healthCheckConnectPassEscaped=$( docker_sql_escape_string_literal "${healthCheckConnectPass}" )
+	if [ -n "$MARIADB_HEALTHCHECK_GRANTS" ]; then
+		healthCheckGrant="$MARIADB_HEALTHCHECK_GRANTS"
+	fi
+	read -r -d '' healthCheckUser <<-EOSQL || true
+	CREATE USER healthcheck@'127.0.0.1' IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	CREATE USER healthcheck@'::1' IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	CREATE USER healthcheck@localhost IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@'127.0.0.1';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@'::1';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@localhost;
+	EOSQL
+	local maskPreserve
+	maskPreserve=$(umask -p)
+	umask 0077
+	echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf
+	$maskPreserve
+
 	local rootLocalhostPass=
 	if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then
 		# handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d
@@ -432,6 +456,7 @@ docker_setup_db() {
 		${rootCreate}
 		${mysqlAtLocalhost}
 		${mysqlAtLocalhostGrants}
+		${healthCheckUser}
 		-- end of securing system users, rest of init now...
 		SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin;
 		-- create users/databases

10.5/healthcheck.sh

@@ -55,6 +55,8 @@ _process_sql()
 connect()
 {
 	set +e +o pipefail
+	# (on second extra_file)
+	# shellcheck disable=SC2086
 	mysql ${nodefaults:+--no-defaults} \
 		${def['file']:+--defaults-file=${def['file']}} \
 		${def['extra_file']:+--defaults-extra-file=${def['extra_file']}}  \
@@ -210,6 +212,9 @@ declare -A repl
 declare -A def
 nodefaults=
 datadir=/var/lib/mysql
+if [ -f $datadir/.my-healthcheck.cnf ]; then
+	def['extra_file']=$datadir/.my-healthcheck.cnf
+fi
 
 _repl_param_check()
 {

10.6/docker-entrypoint.sh

@@ -226,9 +226,10 @@ docker_init_database_dir() {
 # This should be called after mysql_check_config, but before any other functions
 docker_setup_env() {
 	# Get config
-	declare -g DATADIR SOCKET
+	declare -g DATADIR SOCKET PORT
 	DATADIR="$(mysql_get_config 'datadir' "$@")"
 	SOCKET="$(mysql_get_config 'socket' "$@")"
+	PORT="$(mysql_get_config 'port' "$@")"
 
 
 	# Initialize values that might be stored in a file
@@ -364,6 +365,29 @@ docker_setup_db() {
 		fi
 	fi
 
+	local healthCheckUser
+	local healthCheckGrant=USAGE
+	local healthCheckConnectPass
+	local healthCheckConnectPassEscaped
+	healthCheckConnectPass="$(pwgen --numerals --capitalize --symbols --remove-chars="=#'\\" -1 32)"
+	healthCheckConnectPassEscaped=$( docker_sql_escape_string_literal "${healthCheckConnectPass}" )
+	if [ -n "$MARIADB_HEALTHCHECK_GRANTS" ]; then
+		healthCheckGrant="$MARIADB_HEALTHCHECK_GRANTS"
+	fi
+	read -r -d '' healthCheckUser <<-EOSQL || true
+	CREATE USER healthcheck@'127.0.0.1' IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	CREATE USER healthcheck@'::1' IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	CREATE USER healthcheck@localhost IDENTIFIED BY '$healthCheckConnectPassEscaped';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@'127.0.0.1';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@'::1';
+	GRANT $healthCheckGrant ON *.* TO healthcheck@localhost;
+	EOSQL
+	local maskPreserve
+	maskPreserve=$(umask -p)
+	umask 0077
+	echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\nprotocol=tcp\\n" > "$DATADIR"/.my-healthcheck.cnf
+	$maskPreserve
+
 	local rootLocalhostPass=
 	if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then
 		# handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d
@@ -433,6 +457,7 @@ docker_setup_db() {
 		${rootCreate}
 		${mysqlAtLocalhost}
 		${mysqlAtLocalhostGrants}
+		${healthCheckUser}
 		-- end of securing system users, rest of init now...
 		SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin;
 		-- create users/databases