Merge pull request #228 from scicco/master

deitch · web-flow · commit e4a17cd9032b · 2023-06-06T14:14:11.000+03:00
RESTORE_OPTS env variable support added
diff --git a/Makefile b/Makefile
@@ -22,7 +22,10 @@ test_cron:
 test_source_target:
 	cd test && ./test_source_target.sh
 
-test: test_dump test_cron test_source_target
+test_restore:
+	cd test && ./test_restore.sh
+
+test: test_dump test_restore test_cron test_source_target
 
 .PHONY: clean-test-stop clean-test-remove clean-test
 clean-test-stop:
diff --git a/README.md b/README.md
@@ -308,15 +308,17 @@ __You should consider the [use of `--env-file=`](https://docs.docker.com/engine/
 * `DB_NAMES`: name of database to restore to. Required if `SINGLE_DATABASE=true`, otherwise has no effect. Although the name is plural, it must contain exactly one database name.
 * `SINGLE_DATABASE`: If is set to `true`, `DB_NAMES` is required and mysql command will run with `--database=$DB_NAMES` flag. This avoids the need of `USE <database>;` statement, which is useful when restoring from a file saved with `SINGLE_DATABASE` set to `true`.
 * `DB_RESTORE_TARGET`: path to the actual restore file, which should be a compressed dump file. The target can be an absolute path, which should be volume mounted, an smb or S3 URL, similar to the target.
+* `RESTORE_OPTS`: A string of options to pass to  `mysql` restore command, e.g. `--ssl-cert /certs/client-cert.pem --ssl-key /certs/client-key.pem` will run `mysql --ssl-cert /certs/client-cert.pem --ssl-key /certs/client-key.pem -h $DB_SERVER -P $DB_PORT $DBUSER $DBPASS $DBDATABASE`, default is empty ('')
 * `DB_DUMP_DEBUG`: if `true`, dump copious outputs to the container logs while restoring.
 * To use the S3 driver `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_DEFAULT_REGION` will need to be defined.
 
 
 Examples:
 
 1. Restore from a local file: `docker run -e DB_SERVER=gotodb.example.com -e DB_USER=user123 -e DB_PASS=pass123 -e DB_RESTORE_TARGET=/backup/db_backup_201509271627.gz -v /local/path:/backup databack/mysql-backup`
-2. Restore from an SMB file: `docker run -e DB_SERVER=gotodb.example.com -e DB_USER=user123 -e DB_PASS=pass123 -e DB_RESTORE_TARGET=smb://smbserver/share1/backup/db_backup_201509271627.gz databack/mysql-backup`
-3. Restore from an S3 file: `docker run -e DB_SERVER=gotodb.example.com -e AWS_ACCESS_KEY_ID=awskeyid -e AWS_SECRET_ACCESS_KEY=secret -e AWS_DEFAULT_REGION=eu-central-1 -e DB_USER=user123 -e DB_PASS=pass123 -e DB_RESTORE_TARGET=s3://bucket/path/db_backup_201509271627.gz databack/mysql-backup`
+2. Restore from a local file using ssl: `docker run -e DB_SERVER=gotodb.example.com -e DB_USER=user123 -e DB_PASS=pass123 -e DB_RESTORE_TARGET=/backup/db_backup_201509271627.gz -e RESTORE_OPTS="--ssl-cert /certs/client-cert.pem --ssl-key /certs/client-key.pem" -v /local/path:/backup -v /local/certs:/certs databack/mysql-backup`
+3. Restore from an SMB file: `docker run -e DB_SERVER=gotodb.example.com -e DB_USER=user123 -e DB_PASS=pass123 -e DB_RESTORE_TARGET=smb://smbserver/share1/backup/db_backup_201509271627.gz databack/mysql-backup`
+4. Restore from an S3 file: `docker run -e DB_SERVER=gotodb.example.com -e AWS_ACCESS_KEY_ID=awskeyid -e AWS_SECRET_ACCESS_KEY=secret -e AWS_DEFAULT_REGION=eu-central-1 -e DB_USER=user123 -e DB_PASS=pass123 -e DB_RESTORE_TARGET=s3://bucket/path/db_backup_201509271627.gz databack/mysql-backup`
 
 ### Restore when using docker-compose
 `docker-compose` automagically creates a network when started. `docker run` simply attaches to the bridge network. If you are trying to communicate with a mysql container started by docker-compose, you'll need to specify the network in your command arguments. You can use `docker network ls` to see what network is being used, or you can declare a network in your docker-compose.yml.
diff --git a/entrypoint b/entrypoint
@@ -145,7 +145,8 @@ if [[ -n "$DB_RESTORE_TARGET" ]]; then
     rm -rf $workdir
     mkdir -p $workdir
     $UNCOMPRESS < $TMPRESTORE | tar -C $workdir -xvf -
-    cat $workdir/* | mysql -h $DB_SERVER -P $DB_PORT $DBUSER $DBPASS $DBDATABASE
+    RESTORE_OPTS=${RESTORE_OPTS:-}
+    cat $workdir/* | mysql $RESTORE_OPTS -h $DB_SERVER -P $DB_PORT $DBUSER $DBPASS $DBDATABASE
     rm -rf $workdir
     /bin/rm -f $TMPRESTORE
   else
diff --git a/test/_functions.sh b/test/_functions.sh
@@ -11,6 +11,9 @@ BACKUP_IMAGE=mysqlbackup_backup_test:latest
 BACKUP_TESTER_IMAGE=mysqlbackup_backup_test_harness:latest
 SMB_IMAGE=mysqlbackup_smb_test:latest
 BACKUP_VOL=mysqlbackup-test
+CERTS_VOL=mysqlbackup-certs
+MYSQLDUMP_OPTS="--ssl-cert /certs/client-cert.pem --ssl-key /certs/client-key.pem"
+RESTORE_OPTS="--ssl-cert /certs/client-cert.pem --ssl-key /certs/client-key.pem"
 MYSQLUSER=user
 MYSQLPW=abcdefg
 MYSQL_IMAGE=mysql:8.0
@@ -36,7 +39,7 @@ function create_backup_file() {
   tmpdumpfile=backup.sql
   docker exec $mysql_cid mysqldump -hlocalhost --protocol=tcp -u$MYSQLUSER -p$MYSQLPW --compact --databases tester > $tmpdumpdir/$tmpdumpfile
   tar -C $tmpdumpdir -cvf - $tmpdumpfile | gzip > ${target}
-  cat $target | docker run --label mysqltest --name mysqlbackup-data-source -i --rm -v ${BACKUP_VOL}:/backups -e DEBUG=${DEBUG} ${BACKUP_TESTER_IMAGE} save_dump
+  cat $target | docker run --label mysqltest --name mysqlbackup-data-source -i --rm -v ${BACKUP_VOL}:/backups -v ${CERTS_VOL}:/certs -e DEBUG=${DEBUG} -e MYSQLDUMP_OPTS="${MYSQLDUMP_OPTS}" ${BACKUP_TESTER_IMAGE} save_dump
   rm -rf $tmpdumpdir $target
 }
 
@@ -107,6 +110,7 @@ function makevolume() {
 	local EXISTING_VOLS=$(docker volume ls --filter label=mysqltest -q)
 	[ -n "${EXISTING_VOLS}" ] && docker volume rm ${EXISTING_VOLS}
 	docker volume create --label mysqltest $BACKUP_VOL
+	docker volume create --label mysqltest $CERTS_VOL
 }
 function makesmb() {
 	# build the service images we need
@@ -117,11 +121,13 @@ function start_service_containers() {
 	# run the test images we need
 	[[ "$DEBUG" != "0" ]] && echo "Running smb, s3 and mysql containers"
 	smb_cid=$(docker run --label mysqltest --net mysqltest --name=smb  -d -p 445:445 -v ${BACKUP_VOL}:/share/backups -t ${SMB_IMAGE})
-	mysql_cid=$(docker run --label mysqltest --net mysqltest --name mysql -d -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=tester -e MYSQL_USER=$MYSQLUSER -e MYSQL_PASSWORD=$MYSQLPW $MYSQL_IMAGE)
+	mysql_cid=$(docker run --label mysqltest --net mysqltest --name mysql -d -v ${CERTS_VOL}:/certs -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=tester -e MYSQL_USER=$MYSQLUSER -e MYSQL_PASSWORD=$MYSQLPW $MYSQL_IMAGE --require-secure-transport)
+	docker exec -i mysql bash -c "until [[ -f /var/lib/mysql/client-cert.pem ]]; do sleep 5; done; cp /var/lib/mysql/client-cert.pem /certs"
+	docker exec -i mysql bash -c "until [[ -f /var/lib/mysql/client-key.pem ]]; do sleep 5; done; cp /var/lib/mysql/client-key.pem /certs"
 	# need process privilege, set it up after waiting for the mysql to be ready
-	s3_cid=$(docker run --label mysqltest --net mysqltest --name s3 -d -v ${BACKUP_VOL}:/fakes3_root/s3/mybucket lphoward/fake-s3 -r /fakes3_root -p 443)
+	s3_cid=$(docker run --label mysqltest --net mysqltest --name s3 -d -v ${CERTS_VOL}:/certs -v ${BACKUP_VOL}:/fakes3_root/s3/mybucket lphoward/fake-s3 -r /fakes3_root -p 443)
 	# Allow up to 20 seconds for the database to be ready
-	db_connect="docker exec -i $mysql_cid mysql -u$MYSQLUSER -p$MYSQLPW --protocol=tcp -h127.0.0.1 --wait --connect_timeout=20 tester"
+	db_connect="docker exec -i $mysql_cid mysql ${MYSQLDUMP_OPTS} -u$MYSQLUSER -p$MYSQLPW --protocol=tcp -h127.0.0.1 --wait --connect_timeout=20 tester"
 	retry_count=0
 	retryMax=20
 	retrySleep=1
@@ -140,7 +146,7 @@ function start_service_containers() {
 		return 1
 	fi
 	# ensure the user has the right privileges
-	docker exec -i mysql mysql -uroot -proot --protocol=tcp -h127.0.0.1 -e "grant process on *.* to user;"
+  docker exec -i mysql mysql ${MYSQLDUMP_OPTS} -uroot -proot --protocol=tcp -h127.0.0.1 -e "grant process on *.* to user;"
 }
 function rm_service_containers() {
 	local smb_cid="$1"
@@ -176,6 +182,7 @@ function rm_network() {
 function rm_volume() {
 	[[ "$DEBUG" != "0" ]] && echo "Removing docker volume"
 	docker volume rm ${BACKUP_VOL}
+	docker volume rm ${CERTS_VOL}
 }
 function run_dump_test() {
 	local t=$1
@@ -205,7 +212,14 @@ function run_dump_test() {
 	# change our target
         # ensure that we remove leading whitespace from targets
         allTargets=$(echo $allTargets | awk '{$1=$1;print}')
-        cid=$(docker container create --label mysqltest --name mysqlbackup-${sequence} --net mysqltest -v ${BACKUP_VOL}:/backups --link ${s3_cid}:mybucket.s3.amazonaws.com ${DBDEBUG} -e DB_USER=$MYSQLUSER -e DB_PASS=$MYSQLPW -e DB_DUMP_FREQ=60 -e DB_DUMP_BEGIN=+0 -e DB_DUMP_TARGET="${allTargets}" -e AWS_ACCESS_KEY_ID=abcdefg -e AWS_SECRET_ACCESS_KEY=1234567 -e AWS_ENDPOINT_URL=http://s3:443/ -e DB_SERVER=mysql -e MYSQLDUMP_OPTS="--compact" ${BACKUP_IMAGE})
+        if [[ "$sequence" -lt 1 ]]; then
+          # on first run we need to fix /certs/*.pem permissions and assign it to appuser otherwise mysqldump command fails
+          c_with_wrong_permission=$(docker container create --label mysqltest --name mysqltest-fix-certs-permissions -v ${BACKUP_VOL}:/backups -v ${CERTS_VOL}:/certs ${DBDEBUG} -e DB_USER=$MYSQLUSER -e DB_PASS=$MYSQLPW -e DB_DUMP_FREQ=60 -e DB_DUMP_BEGIN=+0 -e DB_DUMP_TARGET="${allTargets}" -e DB_SERVER=mysql -e MYSQLDUMP_OPTS="--compact ${MYSQLDUMP_OPTS}" ${BACKUP_IMAGE})
+          docker container start ${c_with_wrong_permission} >/dev/null
+          docker exec -u 0 ${c_with_wrong_permission} chown -R appuser /certs>/dev/null
+          rm_containers $c_with_wrong_permission
+        fi
+        cid=$(docker container create --label mysqltest --name mysqlbackup-${sequence} --net mysqltest -v ${BACKUP_VOL}:/backups -v ${CERTS_VOL}:/certs --link ${s3_cid}:mybucket.s3.amazonaws.com ${DBDEBUG} -e DB_USER=$MYSQLUSER -e DB_PASS=$MYSQLPW -e DB_DUMP_FREQ=60 -e DB_DUMP_BEGIN=+0 -e DB_DUMP_TARGET="${allTargets}" -e AWS_ACCESS_KEY_ID=abcdefg -e AWS_SECRET_ACCESS_KEY=1234567 -e AWS_ENDPOINT_URL=http://s3:443/ -e DB_SERVER=mysql -e MYSQLDUMP_OPTS="--compact ${MYSQLDUMP_OPTS}" ${BACKUP_IMAGE})
         linkfile=/tmp/link.$$
         ln -s /backups/$sequence ${linkfile}
         docker cp ${linkfile} $cid:/scripts.d
diff --git a/test/ctr/entrypoint_test.sh b/test/ctr/entrypoint_test.sh
@@ -218,6 +218,10 @@ save_dump)
 cron)
 	/cron_test.sh
 	;;
+*)
+  echo "unrecognized command: ${cmd}"
+  exit 2
+  ;;
 esac
 
 
diff --git a/test/test_dump.sh b/test/test_dump.sh
@@ -55,8 +55,8 @@ seq=0
 [[ "$DEBUG" != "0" ]] && echo "Populating volume for each target"
 for ((i=0; i< ${#targets[@]}; i++)); do
         t=${targets[$i]}
-        docker run --label mysqltest --name mysqlbackup-data-populate --rm -v ${BACKUP_VOL}:/backups -e DEBUG=${DEBUG} ${BACKUP_TESTER_IMAGE} populate "$t" $seq
-        docker run --label mysqltest --name mysqlbackup-data-populate --rm -v ${BACKUP_VOL}:/backups -e DEBUG=${DEBUG} ${BACKUP_TESTER_IMAGE} prepare_pre_post "$t" $seq
+        docker run --label mysqltest --name mysqlbackup-data-populate --rm -v ${BACKUP_VOL}:/backups -v ${CERTS_VOL}:/certs -e MYSQLDUMP_OPTS="${MYSQLDUMP_OPTS}" -e DEBUG=${DEBUG} ${BACKUP_TESTER_IMAGE} populate "$t" $seq
+        docker run --label mysqltest --name mysqlbackup-data-populate --rm -v ${BACKUP_VOL}:/backups -v ${CERTS_VOL}:/certs -e MYSQLDUMP_OPTS="${MYSQLDUMP_OPTS}" -e DEBUG=${DEBUG} ${BACKUP_TESTER_IMAGE} prepare_pre_post "$t" $seq
         # increment our counter
         ((seq++)) || true
 done
@@ -89,7 +89,7 @@ declare -a pass
 seq=0
 for ((i=0; i< ${#targets[@]}; i++)); do
         t=${targets[$i]}
-        results=$(docker run --label mysqltest --name mysqlbackup-data-check --rm -v ${BACKUP_VOL}:/backups -e DEBUG=${DEBUG} ${BACKUP_TESTER_IMAGE} check "$t" $seq)
+        results=$(docker run --label mysqltest --name mysqlbackup-data-check --rm -v ${BACKUP_VOL}:/backups -v ${CERTS_VOL}:/certs -e MYSQLDUMP_OPTS="${MYSQLDUMP_OPTS}" -e DEBUG=${DEBUG} ${BACKUP_TESTER_IMAGE} check "$t" $seq)
 	# save the passes and fails
 	#   | cat  - so that it doesn't return an error on no-match
 	passes=$(echo "$results" | grep '^PASS:' | cat)
diff --git a/test/test_restore.sh b/test/test_restore.sh
@@ -0,0 +1,106 @@
+#!/bin/bash
+set -ex
+
+source ./_functions.sh
+
+#cleanup all temporary folders
+mkdir -p backups
+rm -rf backups/*.tgz
+mkdir -p certs
+rm -rf certs/*.pem
+
+makevolume
+
+makenetwork
+
+make_test_images
+
+makesmb
+
+start_service_containers
+
+#temporary use original certificate location
+MYSQLDUMP_OPTS="--ssl-cert /var/lib/mysql/client-cert.pem --ssl-key /var/lib/mysql/client-key.pem"
+db_connect="docker exec -i $mysql_cid mysql ${MYSQLDUMP_OPTS} -u$MYSQLUSER -p$MYSQLPW --protocol=tcp -h127.0.0.1 --wait --connect_timeout=20 tester"
+$db_connect -e 'select 1;'
+echo 'use tester; create table t1 (id INT, name VARCHAR(20)); INSERT INTO t1 (id,name) VALUES (1, "John"), (2, "Jill"), (3, "Sam"), (4, "Sarah");' | $db_connect
+
+
+#fix /certs/*.pem files permissions
+c_with_wrong_permission=$(docker container create --label mysqltest --net mysqltest --name mysqltest-fix-certs-permissions -v ${BACKUP_VOL}:/backups -v ${CERTS_VOL}:/certs ${DBDEBUG} -e DB_USER=$MYSQLUSER -e DB_PASS=$MYSQLPW -e DB_DUMP_FREQ=60 -e DB_DUMP_BEGIN=+0 -e DB_SERVER=mysql -e MYSQLDUMP_OPTS="--compact ${MYSQLDUMP_OPTS}" ${BACKUP_IMAGE})
+docker container start ${c_with_wrong_permission} >/dev/null
+docker exec -u 0 ${c_with_wrong_permission} chown -R appuser /certs>/dev/null
+rm_containers $c_with_wrong_permission
+
+# now we can reset to /certs
+MYSQLDUMP_OPTS="--ssl-cert /certs/client-cert.pem --ssl-key /certs/client-key.pem"
+
+# copy our certificates locally
+docker cp mysql:/certs/client-key.pem $PWD/certs/client-key.pem
+docker cp mysql:/certs/client-cert.pem $PWD/certs/client-cert.pem
+
+cid_dump=$( \
+docker container create \
+-u 0 \
+--label mysqltest \
+--name mysqldump \
+--net mysqltest \
+-v $PWD/backups/:/backups \
+-v $PWD/certs/client-key.pem:/certs/client-key.pem \
+-v $PWD/certs/client-cert.pem:/certs/client-cert.pem \
+-e DB_DUMP_TARGET=/backups \
+-e DB_DUMP_DEBUG=0 \
+-e DB_SERVER=mysql \
+-e DB_USER=$MYSQLUSER \
+-e DB_PASS=$MYSQLPW \
+-e RUN_ONCE=1 \
+-e MYSQLDUMP_OPTS="${MYSQLDUMP_OPTS}" \
+${BACKUP_IMAGE})
+docker container start $cid_dump
+
+sleepwait 5
+
+# remove tester database so we can be sure that restore actually works restoring tester database
+docker exec -i mysql mysql ${MYSQLDUMP_OPTS} -uroot -proot --protocol=tcp -h127.0.0.1 -e "drop database tester;"
+
+ls -l $PWD/backups
+backup_name=$(ls $PWD/backups)
+if [[ "$backup_name" == "" ]]; then
+  echo "***********************************"
+  echo "backup file was not created, see container log output:"
+  docker logs $cid_dump
+  echo "***********************************"
+  exit 1
+fi
+
+cid_restore=$( \
+docker container create \
+-u 0 \
+--label mysqltest \
+--name mysqlrestore \
+--net mysqltest \
+-v $PWD/certs/client-key.pem:/certs/client-key.pem \
+-v $PWD/certs/client-cert.pem:/certs/client-cert.pem \
+-v $PWD/backups/:/backups \
+-e DB_DUMP_DEBUG=0 \
+-e DB_SERVER=mysql \
+-e DB_USER=$MYSQLUSER \
+-e DB_PASS=$MYSQLPW \
+-e DB_RESTORE_TARGET=/backups/${backup_name} \
+-e RESTORE_OPTS="${RESTORE_OPTS}" \
+${BACKUP_IMAGE})
+docker container start $cid_restore
+
+sleepwait 5
+
+db_command="docker exec -i $mysql_cid mysql ${MYSQLDUMP_OPTS} -u$MYSQLUSER -p$MYSQLPW --protocol=tcp -h127.0.0.1 tester"
+echo 'use tester; select * from t1' | $db_command
+
+rm_service_containers $smb_cid $mysql_cid $s3_cid
+docker rm $cid_dump $cid_restore
+
+rm -rf backups/*.tgz
+rmdir backups
+rm -rf certs/*.pem
+rmdir certs
+
diff --git a/test/test_source_target.sh b/test/test_source_target.sh
@@ -57,7 +57,7 @@ seq=0
 [[ "$DEBUG" != "0" ]] && echo "Populating volume for each target"
 for ((i=0; i< ${#targets[@]}; i++)); do
         t=${targets[$i]}
-        docker run --label mysqltest --name mysqlbackup-data-populate --rm -v ${BACKUP_VOL}:/backups -e DEBUG=${DEBUG} ${BACKUP_TESTER_IMAGE} populate "$t" $seq
+        docker run --label mysqltest --name mysqlbackup-data-populate --rm -v ${BACKUP_VOL}:/backups -v ${CERTS_VOL}:/certs -e DEBUG=${DEBUG} ${BACKUP_TESTER_IMAGE} populate "$t" $seq
         # increment our counter
         ((seq++)) || true
 done
@@ -92,7 +92,7 @@ declare -a pass
 seq=0
 for ((i=0; i< ${#targets[@]}; i++)); do
 	t=${targets[$i]}
-        results=$(docker run --label mysqltest --name mysqlbackup-data-check --rm -v ${BACKUP_VOL}:/backups -e DEBUG=${DEBUG} ${BACKUP_TESTER_IMAGE} check_source_target "$t" $seq $(get_default_source))
+        results=$(docker run --label mysqltest --name mysqlbackup-data-check --rm -v ${BACKUP_VOL}:/backups -v ${CERTS_VOL}:/certs -e DEBUG=${DEBUG} ${BACKUP_TESTER_IMAGE} check_source_target "$t" $seq $(get_default_source))
         # save the passes and fails
         #   | cat  - so that it doesn't return an error on no-match
         passes=$(echo "$results" | grep '^PASS:' | cat)
