diff --git a/CHANGELOG b/CHANGELOG
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/Dockerfile b/Dockerfile
index e7ee40f811b520d9728022bb91fbb241ac21fe76..2130cf139641cb650a6a46955258654396066e41 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,42 +1,45 @@
-ARG BASE_REGISTRY=registry1.dsop.io
-ARG BASE_IMAGE=ironbank/redhat/ubi/ubi7
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=redhat/ubi7/ubi
 ARG BASE_TAG=7.9
-FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
-
-LABEL name="MariaDB" \
- maintainer="michael.simmons@anchore.com" \
- vendor="Open Source" \
- version="10.2.36" \
- release="1" \
- summary="Image of MariaDB" \
- description="MariaDB is a community-developed fork of the MySQL relational database management system."
-
-COPY mariadb-server.rpm mariadb-client.rpm mariadb-common.rpm mariadb-shared.rpm mariadb-compat.rpm galera.rpm boost.rpm signatures/RPM-GPG-KEY-MariaDB signatures/RPM-GPG-KEY-CentOS-Official signatures/RPM-GPG-KEY-CentOS-7 /
-COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-
-RUN groupadd -r mysql && useradd -r -g mysql mysql && \
- chmod +x /usr/local/bin/docker-entrypoint.sh && \
- rpm --import RPM-GPG-KEY-MariaDB && \
- rpm --import RPM-GPG-KEY-CentOS-Official && \
- rpm --import RPM-GPG-KEY-CentOS-7 && \
- yum -y update && \
- yum -y install mariadb-server.rpm mariadb-client.rpm mariadb-common.rpm mariadb-shared.rpm mariadb-compat.rpm galera.rpm boost.rpm --setopt=tsflags=nodocs && \
- yum -y update && \
- yum clean all && \
- rm -rf /var/cache/dnf && \
- rm mariadb-server.rpm mariadb-client.rpm mariadb-common.rpm mariadb-shared.rpm mariadb-compat.rpm galera.rpm boost.rpm RPM-GPG-KEY-MariaDB RPM-GPG-KEY-CentOS-Official RPM-GPG-KEY-CentOS-7 && \
- chmod +x /usr/local/bin/docker-entrypoint.sh && \
- ln -s usr/local/bin/docker-entrypoint.sh
-
-COPY config/my.cnf /etc/my.cnf
-COPY config/server.cnf /etc/my.cnf.d/server.cnf
-HEALTHCHECK --interval=5s --timeout=30s CMD mysqladmin ping -h 127.0.0.1 -u mysql || exit 1
-
-USER mysql
-
-ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
-
-EXPOSE 3306
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
-CMD ["mysqld"]
+COPY signatures/* /opt/
+COPY scripts/healthcheck.sh /usr/local/bin/
+COPY *.rpm.tar *.rpm /opt/
+
+RUN cd /opt/ && \
+ tar -xf mariadb.rpm.tar
+
+COPY scripts/setup_repository /opt/mariadb-10.2.37-rhel-7-x86_64-rpms/
+
+RUN yum upgrade -y && \
+ rpm --import /opt/RPM-GPG-KEY-CentOS-7 && \
+ rpm --import /opt/RPM-GPG-KEY-MariaDB && \
+ cd /opt/mariadb-10.2.37-rhel-7-x86_64-rpms && \
+ ./setup_repository && \
+ yum install -y MariaDB-server /opt/boost-program-options.rpm && \
+ rm /opt/RPM-GPG-KEY-CentOS-7 /opt/RPM-GPG-KEY-MariaDB && \
+ yum clean all
+
+# Copy scripts to entrypoint
+COPY ./scripts/mysql_secure_installation_automated.sh /usr/local/bin/mysql_secure_installation_automated
+RUN chmod +x /usr/local/bin/mysql_secure_installation_automated
+COPY ./scripts/entrypoint.sh ./entrypoint.sh
+
+#Create usafadmin user
+RUN groupadd -g 1500 usafadmin && \
+ useradd usafadmin -u 1500 -g 1500 && usermod -a -G mysql usafadmin && \
+ chown -R usafadmin:usafadmin /opt && \
+ chown -R usafadmin:usafadmin /var/lib/mysql && \
+ chown -R usafadmin:usafadmin /usr/local/bin && \
+ chmod +x ./entrypoint.sh && \
+ chmod +x /usr/local/bin/healthcheck.sh
+
+USER usafadmin
+RUN cp -R /var/lib/mysql /tmp/
+#RUN rpm --setugids /usr/local/bin /opt
+
+HEALTHCHECK --interval=10s --timeout=30s --start-period=10s --retries=3 CMD /usr/local/bin/healthcheck.sh
+
+ENTRYPOINT [ "/bin/bash", "entrypoint.sh" ]
diff --git a/Jenkinsfile b/Jenkinsfile
deleted file mode 100644
index 1ea71273a7fa07d38f23b7cd6da335f988963626..0000000000000000000000000000000000000000
--- a/Jenkinsfile
+++ /dev/null
@@ -1,4 +0,0 @@
-@Library('DCCSCR@master') _
-dccscrPipeline(
- version: "10.2.36"
-)
diff --git a/README.md b/README.md
index 4f8a9ba662512de58a6dad92cc49273702e69df8..5205dbfd0f34794424c67295920bc1765e62b80c 100644
--- a/README.md
+++ b/README.md
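Review bot: `chown -R usafadmin:usafadmin /usr/local/bin` and `chown -R usafadmin:usafadmin /opt` in the usafadmin RUN step give the unprivileged runtime user write access to `healthcheck.sh`, `mysql_secure_installation_automated` and the unpacked RPM tree, so any code execution as usafadmin (the `USER` the entrypoint, and presumably mysqld, runs as) can rewrite the script that runs on every HEALTHCHECK and on every container start. Only the data directory needs that ownership; drop those two chowns and keep the scripts root-owned but executable, e.g. `chmod 0755 /usr/local/bin/healthcheck.sh /usr/local/bin/mysql_secure_installation_automated ./entrypoint.sh`, which also makes the commented-out `#RUN rpm --setugids /usr/local/bin /opt` unnecessary. `COPY ./scripts/entrypoint.sh ./entrypoint.sh` and `ENTRYPOINT [ "/bin/bash", "entrypoint.sh" ]` both depend on the working directory while no `WORKDIR` is set; an absolute destination such as `/usr/local/bin/entrypoint.sh` removes that dependency. The old `EXPOSE 3306` was dropped without replacement, so the listening port is no longer declared on the image.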
@@ -1,23 +1,19 @@
 # MariaDB
-Version: 10.2.32
+Version: 10.2.37
 ## Overview
-MariaDB is a community-developed fork of the MySQL relational database management system.
+MariaDB Platform is the complete enterprise open source database solution, with the versatility to handle transactional, analytical or hybrid transactional/analytical workloads as well as relational or document data, and the ability to scale from standalone databases and columnar data warehouses to fully distributed SQL databases executing millions of transactions per second and performing interactive, ad hoc analytics on billions of rows.
-The Helm chart for MariaDB and the recommended secure configuration in values-ironbank.yaml can be found [here](https://repo1.dsop.io/dsop/charts/-/tree/master/bitnami/mariadb)
+## MariaDB Documentation
-The [MariaDB documentation](https://mariadb.org/documentation/) provides an introduction, primer, list of SQL statements, and useful MariaDB queries:
+Documentation on using MariaDB Server.
-## Usage
-
-The values-ironbank.yaml file located [here](https://repo1.dsop.io/dsop/charts/-/tree/master/bitnami/mariadb) provides a recommended secure configuration of MariaDB and can replace the values.yaml in the standard Helm chart (also provided in this repository). Please see the following links for more information regarding configration options for production-ready deployments.
-
-## Volumes
-
-The standard location for the MariaDB volume is `/var/lib/mysql`. Further confiugration details can be specified and additional documentation on Kubernetes volumes can be found [here](https://kubernetes.io/docs/concepts/storage/volumes/) with details about each section in the volume definition that can be specified.
-
-## Configuration
-
-Configuration changes can be made in `/etc/my.cnf` and `/etc/my.cnf.d/`
\ No newline at end of file
+* [Git repo](https://github.com/docker-library/mariadb) of the Docker "Official Image" for mariadb.
+* [MariaDB Server Releases](https://mariadb.com/kb/en/mariadb-server/)
+* [Download MariaDB Products and Tools for Development and Production](https://mariadb.com/downloads/)
+* [Maria DB Server Documentation](https://mariadb.com/kb/en/documentation/)
+* [Training and Tutorials](https://mariadb.com/kb/en/training-tutorials/)
+* [Service and Client software](https://mariadb.com/kb/en/server-client-software/)
+* [Knowledge Base](https://mariadb.com/kb/en/about-the-knowledge-base/)
diff --git a/build-stage/Dockerfile b/build-stage/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..74090545fa0f42b22ee25678bdac4c1e04c4a31c
--- /dev/null
+++ b/build-stage/Dockerfile
@@ -0,0 +1,18 @@
+FROM nexus-docker.52.61.140.4.nip.io/dsop/ubi7:latest
+COPY mariadb.repo /etc/yum.repos.d/mariadb.repo
+
+COPY centos7.repo /etc/yum.repos.d/centos7.repo
+
+RUN rpm --import http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7 && \
+ yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
+ rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi && \
+ yum install -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm && \
+ yum-config-manager --enable remi-php70 && \
+ yum-config-manager --enable mariabdb
+
+
+ENV ROOTDIR=/root/install
+ENV DESTDIR=/root/packages
+
+RUN mkdir -p $ROOTDIR && mkdir -p $DESTDIR && for i in MariaDB-client MariaDB-server boost-devel.x86_64 rpm-build-libs rpm-python; do yum install --downloadonly --installroot=$ROOTDIR --releasever=7 --downloaddir=$DESTDIR -y $i ; done
+RUN cd $DESTDIR && tar cvf mysql.tar .
diff --git a/build-stage/build.sh b/build-stage/build.sh
new file mode 100755
index 0000000000000000000000000000000000000000..a7c1b4a717a6d8ae1f63a0dd406ef233f1c930de
--- /dev/null
+++ b/build-stage/build.sh
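Review bot: `rpm --import http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7` fetches the signing key over plain HTTP, so the `gpgcheck` that later relies on it can be satisfied by whatever key an on-path party substitutes; `yum install -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm` has the same problem. Use the https URLs (`https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7`, `https://rpms.remirepo.net/enterprise/remi-release-7.rpm`) or ship the keys in-repo the way the main Dockerfile does with `signatures/`. `yum-config-manager --enable mariabdb` misspells the repo id declared in mariadb.repo (`[mariadb]`) and so appears to enable nothing; it only works today because that repo file carries no `enabled=0`. `FROM nexus-docker.52.61.140.4.nip.io/dsop/ubi7:latest` pins neither a version tag nor a digest, which makes the downloaded package set unreproducible from one run to the next.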
@@ -0,0 +1,15 @@
+#!/bin/bash
+export NAME=mysql-demo
+export TAG=final
+echo "Building mysql image...."
+docker build . -t mysql:final --label $NAME
+IMAGE_ID=$(docker image ls -f label=$NAME | grep $TAG | awk '{print $3}')
+echo "Running container....."
+docker run -d -i --name $NAME $IMAGE_ID
+CONTAINER_ID=$(docker ps | grep $NAME | awk '{print $1}')
+docker cp $CONTAINER_ID:/root/packages/mysql.tar ../
+docker stop $CONTAINER_ID
+docker rm $CONTAINER_ID
+docker image rm $IMAGE_ID
+unset IMAGE_ID
+unset CONTAINER_ID
diff --git a/build-stage/centos7.repo b/build-stage/centos7.repo
new file mode 100644
index 0000000000000000000000000000000000000000..64f27adf5b11da5bdbff65883d584c120f4610f7
--- /dev/null
+++ b/build-stage/centos7.repo
@@ -0,0 +1,5 @@
+[centos7]
+name = centos 7
+baseurl = http://mirror.centos.org/centos/7/os/x86_64/
+gpgkey = http://mirror.centos.org/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7
+gpgcheck = 1
diff --git a/build-stage/mariadb.repo b/build-stage/mariadb.repo
new file mode 100644
index 0000000000000000000000000000000000000000..665dcd525c704ac900618e6789705a8c069a9305
--- /dev/null
+++ b/build-stage/mariadb.repo
@@ -0,0 +1,5 @@
+[mariadb]
+name = MariaDB
+baseurl = http://yum.mariadb.org/10.3/rhel7-amd64
+gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
+gpgcheck=1
diff --git a/download.yaml b/download.yaml
deleted file mode 100644
index 375ebb1e22e4aedfe6beeb534b2e13ec41c35ae2..0000000000000000000000000000000000000000
--- a/download.yaml
+++ /dev/null
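Review bot: `IMAGE_ID=$(docker image ls -f label=$NAME | grep $TAG | awk '{print $3}')` and `CONTAINER_ID=$(docker ps | grep $NAME | awk '{print $1}')` select by substring, so any other image tagged `final` or any container whose name merely contains `mysql-demo` yields several ids and the later `docker rm` / `docker image rm` act on the wrong objects. Ask docker for exact ids instead: `IMAGE_ID=$(docker image ls -q -f "label=$NAME" "mysql:$TAG")` and `CONTAINER_ID=$(docker ps -q -f "name=^/${NAME}$")`. The script also sets no `set -euo pipefail`, so a failed `docker build` still runs through `docker run` and `docker cp` with empty ids. Since the container exists only to copy `mysql.tar` out, `docker create` followed by `docker cp` avoids starting it at all.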
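Review bot: `gpgkey = http://mirror.centos.org/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7` pulls the verification key over plain HTTP from the same unauthenticated mirror as `baseurl`, so `gpgcheck = 1` only proves that packages and key came from the same on-path party. The repository already ships this key as `signatures/RPM-GPG-KEY-CentOS-7`; copy it next to the repo file in build-stage/Dockerfile and point at it locally, e.g. `gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7`, and use an https mirror for `baseurl`.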
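Review bot: `baseurl = http://yum.mariadb.org/10.3/rhel7-amd64` tracks the 10.3 series while everything else in this change — the `mariadb-10.2.37-rhel-7-x86_64-rpms` tar in the Dockerfile, the README and hardening_manifest.yaml — is 10.2.37, so the build stage downloads a different major version than the image installs. Pin it to the same release the way the removed download.yaml did with its per-version paths, `baseurl = https://yum.mariadb.org/10.2.37/rhel7-amd64`, and use https for the baseurl as the `gpgkey` line already does.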
@@ -1,36 +0,0 @@
-resources:
- - url: "https://yum.mariadb.org/10.2.36/rhel7-amd64/rpms/MariaDB-server-10.2.36-1.el7.centos.x86_64.rpm"
- filename: "mariadb-server.rpm"
- validation:
- type: "sha256"
- value: "66efcfe077199e0338650568331ae87780a29d397b4bda81b664d5d2b9511974"
- - url: "https://yum.mariadb.org/10.2.36/rhel7-amd64/rpms/MariaDB-client-10.2.36-1.el7.centos.x86_64.rpm"
- filename: "mariadb-client.rpm"
- validation:
- type: "sha256"
- value: "70948a763232bf9bd69f719ff7528f5b01dfedfc49baa33708cd949c42b4bef0"
- - url: "https://yum.mariadb.org/10.2.36/rhel7-amd64/rpms/MariaDB-common-10.2.36-1.el7.centos.x86_64.rpm"
- filename: "mariadb-common.rpm"
- validation:
- type: "sha256"
- value: "db4cc11948336fed9e23cdf48d68a5bf7a8cb973d35e1d41fe5db4fcb089ff2a"
- - url: "https://yum.mariadb.org/10.2.36/rhel7-amd64/rpms/MariaDB-shared-10.2.36-1.el7.centos.x86_64.rpm"
- filename: "mariadb-shared.rpm"
- validation:
- type: "sha256"
- value: "e63005ee9d6b3602410250a714e4585b7f87af0e3d31af4cd5fa94dd71e941a6"
- - url: "https://yum.mariadb.org/10.2.36/rhel7-amd64/rpms/MariaDB-compat-10.2.36-1.el7.centos.x86_64.rpm"
- filename: "mariadb-compat.rpm"
- validation:
- type: "sha256"
- value: "38cb7f81c341504497bc046c88da2460693f95b3397ed780ea9a230d4cfdf245"
- - url: "https://yum.mariadb.org/10.2.36/rhel7-amd64/rpms/galera-25.3.29-1.rhel7.el7.centos.x86_64.rpm"
- filename: "galera.rpm"
- validation:
- type: "sha256"
- value: "43ead92608047423d3207f5a896416dd4b164cd8f3b2dfca247cf8f5e8fe0657"
- - url: "http://mirror.centos.org/centos/7/os/x86_64/Packages/boost-program-options-1.53.0-28.el7.x86_64.rpm"
- filename: "boost.rpm"
- validation:
- type: "sha256"
- value: "1aa6d9b776bb246523faa8396bb5d06b50fc7010c112ace3689872b4c22fae23"
\ No newline at end of file
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..94b774ea307b5d73e885bcb2ee069812aa4c1d0c
--- /dev/null
+++ b/hardening_manifest.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "opensource/mariadb/mariadb"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "10.2.37"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_IMAGE: "redhat/ubi/ubi7"
+ BASE_TAG: "7.9"
+
+# Docker image labels
+labels:
+ org.opencontainers.image.title: "mariadb"
+ # Human-readable description of the software packaged in the image
+ org.opencontainers.image.description: "MariaDB is a community-developed, commercially supported fork of the MySQL relational database management system"
+ # License(s) under which contained software is distributed
+ org.opencontainers.image.licenses: "GPLv2"
+ # URL to find more information on the image
+ org.opencontainers.image.url: "https://mariadb.org"
+ # Name of the distributing entity, organization or individual
+ org.opencontainers.image.vendor: "MariaDB Foundation"
+ org.opencontainers.image.version: "10.2.37"
+ # Keywords to help with search (ex. "cicd,gitops,golang")
+ mil.dso.ironbank.image.keywords: "database,mysql,mariadb"
+ # This value can be "opensource" or "commercial"
+ mil.dso.ironbank.image.type: "opensource"
+ # Product the image belongs to for grouping multiple images
+ mil.dso.ironbank.product.name: "opensource"
+
+# List of resources to make available to the offline build context
+resources:
+- filename: mariadb.rpm.tar
+ url: https://downloads.mariadb.com/MariaDB/mariadb-10.2.37/yum/centos/mariadb-10.2.37-rhel-7-x86_64-rpms.tar
+ validation:
+ type: sha256
+ value: 8772cb079026efd59d17cdb99cdf8fddfa2175ff8c2aa5a68fa9d60a2c4da916
+- filename: boost-program-options.rpm
+ url: http://mirror.centos.org/centos/7/os/x86_64/Packages/boost-program-options-1.53.0-28.el7.x86_64.rpm
+ validation:
+ type: sha256
+ value: 1aa6d9b776bb246523faa8396bb5d06b50fc7010c112ace3689872b4c22fae23
+
+# List of project maintainers
+maintainers:
+- email: "josheason@seed-innovations.com"
+ # The name of the current container owner
+ name: "Josh Eason"
+ # The gitlab username of the current container owner
+ username: "josheason"
+ cht_member: true
diff --git a/scripts/centos7.repo b/scripts/centos7.repo
new file mode 100644
index 0000000000000000000000000000000000000000..64f27adf5b11da5bdbff65883d584c120f4610f7
--- /dev/null
+++ b/scripts/centos7.repo
@@ -0,0 +1,5 @@
+[centos7]
+name = centos 7
+baseurl = http://mirror.centos.org/centos/7/os/x86_64/
+gpgkey = http://mirror.centos.org/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7
+gpgcheck = 1
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
new file mode 100755
index 0000000000000000000000000000000000000000..c25ec875867e91986437694e37f36fa3ce3a52b8
--- /dev/null
+++ b/scripts/entrypoint.sh
@@ -0,0 +1,25 @@
+#! /bin/bash
+set -o errexit # abort on nonzero exitstatus
+set -o nounset # abort on unbound variable
+# Ensure vars are defined
+function check_requirements() {
+ [ -z "${MYSQL_ROOT_PASS}" ] && error_exit "MYSQL_ROOT_PASS is a required variable"
+ [ -z "${WORDPRESS_DB_USER}" ] && error_exit "WORDPRESS_DB_USER is a required variable"
+ [ -z "${WORDPRESS_DB_PASS}" ] && error_exit "WORDPRESS_DB_PASS is a required variable"
+ [ -z "${WORDPRESS_DB_NAME}" ] && error_exit "WORDPRESS_DB_NAME is a required variable"
+ echo "All neccesary vars defined"
+}
+
+check_requirements
+
+# Check if mysql dir is empty
+if [ "$(ls -A /var/lib/mysql )" ]; then
+echo "Do nothing /var/lib/mysql is not Empty"
+else
+echo "Take action /var/lib/mysql is Empty"
+cp -R /tmp/mysql /var/lib/
+fi
+
+/etc/init.d/mysql start
+mysql_secure_instalation_automated "${MYSQL_ROOT_PASS}" "${WORDPRESS_DB_USER}" "${WORDPRESS_DB_PASS}" "${WORDPRESS_DB_NAME}"
+tail -f /dev/null
\ No newline at end of file
diff --git a/scripts/healthcheck.sh b/scripts/healthcheck.sh
new file mode 100644
index 0000000000000000000000000000000000000000..eefb613bc50c568b27bd632b7bbb17f6d23bf73f
--- /dev/null
+++ b/scripts/healthcheck.sh
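Review bot: `mysql_secure_instalation_automated "${MYSQL_ROOT_PASS}" …` (single `l`) does not match the binary the Dockerfile installs, `/usr/local/bin/mysql_secure_installation_automated`, so under `set -o errexit` the entrypoint dies with "command not found" right after `/etc/init.d/mysql start`, the container exits, and the data directory is left with root still passwordless; fix the name: `mysql_secure_installation_automated "${MYSQL_ROOT_PASS}" "${WORDPRESS_DB_USER}" "${WORDPRESS_DB_PASS}" "${WORDPRESS_DB_NAME}"`. `error_exit` used in `check_requirements` is never defined, so an empty variable produces exit 127 without the intended message; `error_exit() { echo "$1" >&2; exit 1; }` above the function fixes that. Passing the passwords as positional arguments also exposes them in `/proc/*/cmdline` to every process in the container; exporting them and having the callee read its environment would avoid that. `tail -f /dev/null` as the foreground process means SIGTERM from `docker stop` never reaches mysqld, so shutdown is always the kill-after-timeout path.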
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -eo pipefail
+
+if [ "$MYSQL_RANDOM_ROOT_PASSWORD" ] && [ -z "$MYSQL_USER" ] && [ -z "$MYSQL_PASSWORD" ]; then
+ # there's no way we can guess what the random MySQL password was
+ echo >&2 'healthcheck error: cannot determine random root password (and MYSQL_USER and MYSQL_PASSWORD were not set)'
+ exit 0
+fi
+
+host="$(hostname --ip-address || echo '127.0.0.1')"
+user="${MYSQL_USER:-root}"
+export MYSQL_PWD="${MYSQL_PASSWORD:-$MYSQL_ROOT_PASSWORD}"
+
+args=(
+ # force mysql to not use the local "mysqld.sock" (test "external" connectibility)
+ -h"$host"
+ -u"$user"
+ --silent
+)
+
+if command -v mysqladmin &> /dev/null; then
+ if mysqladmin "${args[@]}" ping > /dev/null; then
+ exit 0
+ fi
+else
+ if select="$(echo 'SELECT 1' | mysql "${args[@]}")" && [ "$select" = '1' ]; then
+ exit 0
+ fi
+fi
+
+exit 1
diff --git a/scripts/mariadb.repo b/scripts/mariadb.repo
new file mode 100644
index 0000000000000000000000000000000000000000..665dcd525c704ac900618e6789705a8c069a9305
--- /dev/null
+++ b/scripts/mariadb.repo
@@ -0,0 +1,5 @@
+[mariadb]
+name = MariaDB
+baseurl = http://yum.mariadb.org/10.3/rhel7-amd64
+gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
+gpgcheck=1
diff --git a/scripts/mysql_secure_installation_automated.sh b/scripts/mysql_secure_installation_automated.sh
new file mode 100644
index 0000000000000000000000000000000000000000..8a8814ff4c8f249d650a15d04a24b4075e5bd657
--- /dev/null
+++ b/scripts/mysql_secure_installation_automated.sh
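Review bot: The script reads `MYSQL_USER`, `MYSQL_PASSWORD` and `MYSQL_ROOT_PASSWORD`, but the entrypoint and Dockerfile in this change only define `MYSQL_ROOT_PASS`, `WORDPRESS_DB_USER` and `WORDPRESS_DB_PASS`, so with none of its own variables set (and no `set -u` to catch that) it logs in as root with an empty `MYSQL_PWD`, which works only until mysql_secure_installation_automated sets the root password and then reports the container unhealthy forever. It also cannot work for root at all: `host="$(hostname --ip-address …)"` connects over TCP to the container's own address, so the connection arrives from that IP rather than 127.0.0.1, while the secure-installation script deletes every root row whose Host is not localhost/127.0.0.1/::1. Use the application credentials the image actually has: `user="${WORDPRESS_DB_USER:-${MYSQL_USER:-root}}"` and `export MYSQL_PWD="${WORDPRESS_DB_PASS:-${MYSQL_PASSWORD:-$MYSQL_ROOT_PASSWORD}}"`. The early `exit 0` in the random-root-password branch reports healthy without probing anything; `exit 1` there is the safer default.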
@@ -0,0 +1,94 @@
+#! /bin/bash
+set -o errexit # abort on nonzero exitstatus
+set -o nounset # abort on unbound variable
+
+
+### Functions ###
+usage() {
+cat << _EOF_
+
+Usage: ${1} "ROOT PASSWORD"
+
+ with "ROOT PASSWORD" the desired password for the database root user.
+
+Use quotes if your password contains spaces or other special characters.
+
+
+Usage: ${2} "WORDPRESS DB USER"
+
+ with "WORDPRESS DB USER" the desired username for the word press database wp user.
+
+Use quotes if your password contains spaces or other special characters.
+
+
+Usage: ${3} "WORDPRESS DB PASS"
+
+ with "WORDPRESS DB PASS" the desired password for the database wp user.
+
+Use quotes if your password contains spaces or other special characters.
+
+Usage: ${4} "WORDPRESS DB NAME"
+
+ with "WORDPRESS DB NAME" the desired name for the wp database.
+
+Use quotes if your password contains spaces or other special characters.
+_EOF_
+}
+
+# Predicate that returns exit status 0 if the database root password
+# is set, a nonzero exit status otherwise.
+is_mysql_root_password_set() {
+ ! mysqladmin --user=root status > /dev/null 2>&1
+}
+
+# Predicate that returns exit status 0 if the mysql(1) command is available,
+# nonzero exit status otherwise.
+is_mysql_command_available() {
+ which mysql > /dev/null 2>&1
+}
+### --- ###
+
+### Command line parsing ###
+if [ "$#" -ne "4" ]; then
+ echo "Expected 4 argument, got $#" >&2
+ usage
+ exit 2
+fi
+### --- ###
+
+### Variables ###
+db_root_password="${1}"
+wordpress_db_user="${2}"
+wordpress_db_pass="${3}"
+wordpress_db_name="${4}"
+### --- ###
+
+### Script proper ###
+if ! is_mysql_command_available; then
+ echo "The MySQL/MariaDB client mysql(1) is not installed."
+ exit 1
+fi
+
+if is_mysql_root_password_set; then
+ echo "Database root password already set"
+ exit 0
+fi
+
+
+mysql --user=root <<_EOF_
+ CREATE DATABASE ${wordpress_db_name};
+ CREATE USER '${wordpress_db_user}' IDENTIFIED BY '${wordpress_db_pass}';
+ GRANT ALL PRIVILEGES ON ${wordpress_db_name}.* TO '${wordpress_db_user}';
+ FLUSH PRIVILEGES;
+_EOF_
+## -- ##
+
+mysql --user=root <<_EOF_
+ UPDATE mysql.user SET Password=PASSWORD('${db_root_password}') WHERE User='root';
+ DELETE FROM mysql.user WHERE User='';
+ DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+ DROP DATABASE IF EXISTS test;
+ DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
+ FLUSH PRIVILEGES;
+_EOF_
+### --- ###
diff --git a/scripts/setup_repository b/scripts/setup_repository
new file mode 100755
index 0000000000000000000000000000000000000000..84ba8780028a5f8120b63a16b5fbc8f96b3ee6ac
--- /dev/null
+++ b/scripts/setup_repository
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+file=/etc/yum.repos.d/mariadb.repo
+install_cmd='yum install MariaDB-server'
+gpgkey=/opt/RPM-GPG-KEY-MariaDB
+
+err() {
+ msg=$1
+ shift
+ printf "[ERROR] $msg\n" "$@" >&2
+ exit 1
+}
+
+for d in "$PWD" "${0%/*}"; do
+ if [[ -d $d/repodata ]] ; then
+ dir=$d
+ if ! [[ $dir = /* ]] ; then
+ dir=$PWD/$dir
+ fi
+ break
+ fi
+done
+
+if ! [[ $dir ]] ; then
+ err 'Could not find a "repodata" directory. Please change to the top level directory of the unpacked archive. and re-run this script.'
+fi
+
+if [[ -e $file ]] ; then
+ err 'File "%s" already exists. Rename it and re-run this script, or manually create a new .repo file.' "$file"
+fi
+
+if ! cat > "$file" <
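Review bot: `${wordpress_db_name}`, `${wordpress_db_user}`, `${wordpress_db_pass}` and `${db_root_password}` are interpolated verbatim into the two `mysql --user=root <<_EOF_` heredocs, so a password containing `'` or `\` breaks the statement and, since the values arrive through environment variables, whoever controls the deployment manifest can run arbitrary SQL as root; validate the identifiers and escape the string literals before they reach the heredoc, as sketched below. `usage` is invoked with no arguments but prints `${1}` … `${4}`, which under `set -o nounset` aborts with "unbound variable" before any help text appears; the text should reference `${0}` once, e.g. `Usage: ${0} "ROOT PASSWORD" "WORDPRESS DB USER" "WORDPRESS DB PASS" "WORDPRESS DB NAME"`. `UPDATE mysql.user SET Password=PASSWORD(...)` works on the 10.2 table layout but not on 10.4+, where `mysql.user` is a view; `ALTER USER` per remaining root@host row is the forward-compatible form. `CREATE USER '${wordpress_db_user}'` with no host part creates `user@'%'`, which is presumably intended for the WordPress container but deserves a comment saying so.
```shell
wordpress_db_name="${4}"
# Identifiers go into SQL unquoted: restrict them to a safe character set.
[[ "$wordpress_db_name" =~ ^[A-Za-z0-9_]+$ ]] || { echo "Invalid database name" >&2; exit 2; }
[[ "$wordpress_db_user" =~ ^[A-Za-z0-9_]+$ ]] || { echo "Invalid database user" >&2; exit 2; }
# Passwords go into '...' literals: escape backslash and single quote (default sql_mode).
wordpress_db_pass_sql="${wordpress_db_pass//\\/\\\\}"
wordpress_db_pass_sql="${wordpress_db_pass_sql//\'/\\\'}"
db_root_password_sql="${db_root_password//\\/\\\\}"
db_root_password_sql="${db_root_password_sql//\'/\\\'}"
### --- ###

# … unchanged: client availability and root-password-already-set checks …

mysql --user=root <<_EOF_
  CREATE DATABASE ${wordpress_db_name};
  CREATE USER '${wordpress_db_user}' IDENTIFIED BY '${wordpress_db_pass_sql}';
  GRANT ALL PRIVILEGES ON ${wordpress_db_name}.* TO '${wordpress_db_user}';
  FLUSH PRIVILEGES;
_EOF_

mysql --user=root <<_EOF_
  UPDATE mysql.user SET Password=PASSWORD('${db_root_password_sql}') WHERE User='root';
  -- … unchanged: anonymous-user, remote-root and test-database cleanup, FLUSH PRIVILEGES …
_EOF_
```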