From a274fcfd4ace756a19d13d18cbc0589867f513a5 Mon Sep 17 00:00:00 2001 From: Joshua Eason Date: Thu, 20 May 2021 19:40:25 -0600 Subject: [PATCH] Removing wordpress --- CHANGELOG | 0 Dockerfile | 82 +++---- README.md | 2 +- build-stage/Dockerfile | 18 -- build-stage/build.sh | 15 -- build-stage/centos7.repo | 5 - build-stage/mariadb.repo | 5 - hardening_manifest.yaml | 37 +++- scripts/centos7.repo | 5 - scripts/docker-entrypoint.sh | 200 +++++++++++------- scripts/entrypoint.sh | 25 --- scripts/healthcheck.sh | 31 --- scripts/mariadb.repo | 5 - .../mysql_secure_installation_automated.sh | 94 -------- scripts/setup_repository | 42 ---- 15 files changed, 199 insertions(+), 367 deletions(-) delete mode 100644 CHANGELOG delete mode 100644 build-stage/Dockerfile delete mode 100755 build-stage/build.sh delete mode 100644 build-stage/centos7.repo delete mode 100644 build-stage/mariadb.repo delete mode 100644 scripts/centos7.repo delete mode 100755 scripts/entrypoint.sh delete mode 100644 scripts/healthcheck.sh delete mode 100644 scripts/mariadb.repo delete mode 100644 scripts/mysql_secure_installation_automated.sh delete mode 100755 scripts/setup_repository diff --git a/CHANGELOG b/CHANGELOG deleted file mode 100644 index e69de29..0000000 diff --git a/Dockerfile b/Dockerfile index 2130cf1..88a0bba 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,45 +1,45 @@ -ARG BASE_REGISTRY=registry1.dso.mil -ARG BASE_IMAGE=redhat/ubi7/ubi +ARG BASE_REGISTRY=registry1.dsop.io +ARG BASE_IMAGE=ironbank/redhat/ubi/ubi7 ARG BASE_TAG=7.9 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -COPY signatures/* /opt/ -COPY scripts/healthcheck.sh /usr/local/bin/ -COPY *.rpm.tar *.rpm /opt/ - -RUN cd /opt/ && \ - tar -xf mariadb.rpm.tar - -COPY scripts/setup_repository /opt/mariadb-10.2.37-rhel-7-x86_64-rpms/ - -RUN yum upgrade -y && \ - rpm --import /opt/RPM-GPG-KEY-CentOS-7 && \ - rpm --import /opt/RPM-GPG-KEY-MariaDB && \ - cd /opt/mariadb-10.2.37-rhel-7-x86_64-rpms && \ - ./setup_repository && \ - yum install -y MariaDB-server /opt/boost-program-options.rpm && \ - rm /opt/RPM-GPG-KEY-CentOS-7 /opt/RPM-GPG-KEY-MariaDB && \ - yum clean all - -# Copy scripts to entrypoint -COPY ./scripts/mysql_secure_installation_automated.sh /usr/local/bin/mysql_secure_installation_automated -RUN chmod +x /usr/local/bin/mysql_secure_installation_automated -COPY ./scripts/entrypoint.sh ./entrypoint.sh - -#Create usafadmin user -RUN groupadd -g 1500 usafadmin && \ - useradd usafadmin -u 1500 -g 1500 && usermod -a -G mysql usafadmin && \ - chown -R usafadmin:usafadmin /opt && \ - chown -R usafadmin:usafadmin /var/lib/mysql && \ - chown -R usafadmin:usafadmin /usr/local/bin && \ - chmod +x ./entrypoint.sh && \ - chmod +x /usr/local/bin/healthcheck.sh - -USER usafadmin -RUN cp -R /var/lib/mysql /tmp/ -#RUN rpm --setugids /usr/local/bin /opt - -HEALTHCHECK --interval=10s --timeout=30s --start-period=10s --retries=3 CMD /usr/local/bin/healthcheck.sh - -ENTRYPOINT [ "/bin/bash", "entrypoint.sh" ] +ENV MARIADB_MAJOR 10.2 +ENV MARIADB_VERSION 10.2.38 + +# copy dependencies, GPG keys, and scripts +COPY mariadb-server.rpm mariadb-client.rpm mariadb-common.rpm mariadb-shared.rpm mariadb-compat.rpm galera.rpm boost.rpm signatures/RPM-GPG-KEY-MariaDB signatures/RPM-GPG-KEY-CentOS-7 / +COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh + +# 
add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added +# import GPG keys, update, install dependencies, and clean +# remove rpms/keys and allow exec permissions on entrypoint +RUN groupadd -r mysql && \ + useradd -r -g mysql mysql && \ + rpm --import RPM-GPG-KEY-MariaDB && \ + rpm --import RPM-GPG-KEY-CentOS-7 && \ + yum update -y && \ + yum install -y hostname mariadb-server.rpm mariadb-client.rpm mariadb-common.rpm mariadb-shared.rpm mariadb-compat.rpm galera.rpm boost.rpm --setopt=tsflags=nodocs && \ + yum clean all && \ + rm -rf /var/cache/yum && \ + rm -f mariadb-server.rpm mariadb-client.rpm mariadb-common.rpm mariadb-shared.rpm mariadb-compat.rpm galera.rpm boost.rpm RPM-GPG-KEY-MariaDB RPM-GPG-KEY-CentOS-7 && \ + chmod +x /usr/local/bin/docker-entrypoint.sh && \ + + # Default installation has preconfigured credentials and sample databases. + # We're going to delete all of it and allow the entrypoint to recreate things securely. + rm -rf /var/lib/mysql && \ + mkdir -p /var/lib/mysql /var/run/mysqld && \ + chown -R mysql:mysql /var/lib/mysql /var/run/mysqld && \ + mkdir /docker-entrypoint-initdb.d && \ + chown mysql:mysql /docker-entrypoint-initdb.d + +COPY config/my.cnf /etc/my.cnf +COPY config/server.cnf /etc/my.cnf.d/server.cnf + +USER mysql + +ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"] + +EXPOSE 3306 + +CMD ["mysqld"] diff --git a/README.md b/README.md index 5205dbf..b160f41 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # MariaDB -Version: 10.2.37 +Version: 10.2.x ## Overview diff --git a/build-stage/Dockerfile b/build-stage/Dockerfile deleted file mode 100644 index 7409054..0000000 --- a/build-stage/Dockerfile +++ /dev/null 
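Review bot: Importing RPM-GPG-KEY-MariaDB and RPM-GPG-KEY-CentOS-7 ahead of `yum install -y hostname mariadb-server.rpm ...` does not make yum verify the signatures of those local .rpm files; on RHEL 7 yum that is governed by the `localpkg_gpgcheck` option, which is off by default, so as far as this RUN shows the keys are imported and never consulted. Adding `--setopt=localpkg_gpgcheck=1` to the install line makes the build fail on an unsigned or wrongly-signed package instead of relying solely on the sha256 values in hardening_manifest.yaml. The `&& \` after `chmod +x /usr/local/bin/docker-entrypoint.sh` is followed by a blank line, which BuildKit treats as a deprecated empty continuation line and warns about; moving the two comments above the RUN and dropping the blank line avoids that. `ENV MARIADB_MAJOR 10.2` and `ENV MARIADB_VERSION 10.2.38` use the legacy space-separated form; `ENV MARIADB_MAJOR=10.2 MARIADB_VERSION=10.2.38` is the supported syntax. The previous HEALTHCHECK and scripts/healthcheck.sh are removed with no replacement, so orchestrators lose the readiness signal for the server.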
@@ -1,18 +0,0 @@ -FROM nexus-docker.52.61.140.4.nip.io/dsop/ubi7:latest -COPY mariadb.repo /etc/yum.repos.d/mariadb.repo - -COPY centos7.repo /etc/yum.repos.d/centos7.repo - -RUN rpm --import http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7 && \ - yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \ - rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi && \ - yum install -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm && \ - yum-config-manager --enable remi-php70 && \ - yum-config-manager --enable mariabdb - - -ENV ROOTDIR=/root/install -ENV DESTDIR=/root/packages - -RUN mkdir -p $ROOTDIR && mkdir -p $DESTDIR && for i in MariaDB-client MariaDB-server boost-devel.x86_64 rpm-build-libs rpm-python; do yum install --downloadonly --installroot=$ROOTDIR --releasever=7 --downloaddir=$DESTDIR -y $i ; done -RUN cd $DESTDIR && tar cvf mysql.tar . diff --git a/build-stage/build.sh b/build-stage/build.sh deleted file mode 100755 index a7c1b4a..0000000 --- a/build-stage/build.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -export NAME=mysql-demo -export TAG=final -echo "Building mysql image...." -docker build . -t mysql:final --label $NAME -IMAGE_ID=$(docker image ls -f label=$NAME | grep $TAG | awk '{print $3}') -echo "Running container....." -docker run -d -i --name $NAME $IMAGE_ID -CONTAINER_ID=$(docker ps | grep $NAME | awk '{print $1}') -docker cp $CONTAINER_ID:/root/packages/mysql.tar ../ -docker stop $CONTAINER_ID -docker rm $CONTAINER_ID -docker image rm $IMAGE_ID -unset IMAGE_ID -unset CONTAINER_ID diff --git a/build-stage/centos7.repo b/build-stage/centos7.repo deleted file mode 100644 index 64f27ad..0000000 --- a/build-stage/centos7.repo +++ /dev/null @@ -1,5 +0,0 @@ -[centos7] -name = centos 7 -baseurl = http://mirror.centos.org/centos/7/os/x86_64/ -gpgkey = http://mirror.centos.org/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7 -gpgcheck = 1 
diff --git a/build-stage/mariadb.repo b/build-stage/mariadb.repo deleted file mode 100644 index 665dcd5..0000000 --- a/build-stage/mariadb.repo +++ /dev/null @@ -1,5 +0,0 @@ -[mariadb] -name = MariaDB -baseurl = http://yum.mariadb.org/10.3/rhel7-amd64 -gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB -gpgcheck=1 diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 94b774e..e202693 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "opensource/mariadb/mariadb" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "10.2.37" +- "10.2.38" - "latest" # Build args passed to Dockerfile ARGs @@ -27,7 +27,7 @@ labels: org.opencontainers.image.url: "https://mariadb.org" # Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "MariaDB Foundation" - org.opencontainers.image.version: "10.2.37" + org.opencontainers.image.version: "10.2.38" # Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "database,mysql,mariadb" # This value can be "opensource" or "commercial" 
@@ -37,12 +37,37 @@ labels: # List of resources to make available to the offline build context resources: -- filename: mariadb.rpm.tar - url: https://downloads.mariadb.com/MariaDB/mariadb-10.2.37/yum/centos/mariadb-10.2.37-rhel-7-x86_64-rpms.tar +- filename: mariadb-server.rpm + url: http://yum.mariadb.org/10.2.38/centos/7/x86_64/rpms/MariaDB-server-10.2.38-1.el7.centos.x86_64.rpm validation: type: sha256 - value: 8772cb079026efd59d17cdb99cdf8fddfa2175ff8c2aa5a68fa9d60a2c4da916 -- filename: boost-program-options.rpm + value: 5852c23f8a606fc3cd064216ebc20cb4452f3ce7306ef473dbed6f8d503bdf9b +- filename: mariadb-client.rpm + url: http://yum.mariadb.org/10.2.38/centos/7/x86_64/rpms/MariaDB-client-10.2.38-1.el7.centos.x86_64.rpm + validation: + type: sha256 + value: 4f235711d5337c6ee7e276e669aaaa07763c53bb82a32ace9077488a7efe6157 +- filename: mariadb-common.rpm + url: http://yum.mariadb.org/10.2.38/centos/7/x86_64/rpms/MariaDB-common-10.2.38-1.el7.centos.x86_64.rpm + validation: + type: sha256 + value: c0460eafcdffc84757ce1847462e44c59b424b9186dbca49b813dad3b23d5aa3 +- filename: mariadb-shared.rpm + url: http://yum.mariadb.org/10.2.38/centos/7/x86_64/rpms/MariaDB-shared-10.2.38-1.el7.centos.x86_64.rpm + validation: + type: sha256 + value: 65c058edbc0d5f7925c6edc2ca9a761a1d7a9d30f0e3dc2ff82ccc3fadc5a84f +- filename: galera.rpm + url: http://yum.mariadb.org/10.2.38/centos/7/x86_64/rpms/galera-25.3.33-1.el7.centos.x86_64.rpm + validation: + type: sha256 + value: 6eed358dc8e8fcde8dead76cbac519e8320a4c189fb9e526d6fcb4582d801155 +- filename: mariadb-compat.rpm + url: http://yum.mariadb.org/10.2.38/centos/7/x86_64/rpms/MariaDB-compat-10.2.38-1.el7.centos.x86_64.rpm + validation: + type: sha256 + value: 1b951e4b56a45e5b290f4035c44c827ac39dcc161e662b99f8024f22ca64e026 +- filename: boost.rpm url: http://mirror.centos.org/centos/7/os/x86_64/Packages/boost-program-options-1.53.0-28.el7.x86_64.rpm validation: type: sha256 
diff --git a/scripts/centos7.repo b/scripts/centos7.repo deleted file mode 100644 index 64f27ad..0000000 --- a/scripts/centos7.repo +++ /dev/null @@ -1,5 +0,0 @@ -[centos7] -name = centos 7 -baseurl = http://mirror.centos.org/centos/7/os/x86_64/ -gpgkey = http://mirror.centos.org/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7 -gpgcheck = 1 diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh index 8e5fd13..77cd416 100644 --- a/scripts/docker-entrypoint.sh +++ b/scripts/docker-entrypoint.sh @@ -39,6 +39,18 @@ file_env() { unset "$fileVar" } +# set MARIADB_xyz from MYSQL_xyz when MARIADB_xyz is unset +# and make them the same value (so user scripts can use either) +_mariadb_file_env() { + local var="$1"; shift + local maria="MARIADB_${var#MYSQL_}" + file_env "$var" "$@" + file_env "$maria" "${!var}" + if [ "${!maria:-}" ]; then + export "$var"="${!maria}" + fi +} + # check to see if this file is being run or sourced from another script _is_sourced() { # https://unix.stackexchange.com/a/215279 @@ -78,8 +90,14 @@ docker_process_init_files() { done } +# arguments necessary to run "mysqld --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values) +_verboseHelpArgs=( + --verbose --help + --log-bin-index="$(mktemp -u)" # https://github.com/docker-library/mysql/issues/136 +) + mysql_check_config() { - local toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) errors + local toRun=( "$@" "${_verboseHelpArgs[@]}" ) errors if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then mysql_error $'mysqld failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors" fi 
@@ -90,23 +108,23 @@ mysql_check_config() { # latter only show values present in config files, and not server defaults mysql_get_config() { local conf="$1"; shift - "$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \ + "$@" "${_verboseHelpArgs[@]}" 2>/dev/null \ | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" } -# Do a temporary startup of the MySQL server, for init purposes +# Do a temporary startup of the MariaDB server, for init purposes docker_temp_server_start() { - "$@" --skip-networking --socket="${SOCKET}" & + "$@" --skip-networking --socket="${SOCKET}" --wsrep_on=OFF & mysql_note "Waiting for server startup" + # only use the root password if the database has already been initializaed + # so that it won't try to fill in a password file when it hasn't been set yet + extraArgs=() + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + extraArgs+=( '--dont-use-mysql-root-password' ) + fi local i for i in {30..0}; do - # only use the root password if the database has already been initializaed - # so that it won't try to fill in a password file when it hasn't been set yet - extraArgs=() - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - extraArgs+=( '--dont-use-mysql-root-password' ) - fi if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then break fi 
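Review bot: `extraArgs=()` in docker_temp_server_start is still assigned as a global even though it was hoisted out of the retry loop, while `i` directly below it is declared `local`; the array is consumed only inside this function, so `local extraArgs=()` keeps it from leaking into the caller's shell state. The hoist itself looks safe because `DATABASE_ALREADY_EXISTS` does not appear to change while the loop runs, though its setter is outside this hunk. The function's wait loop continues past the end of the hunk.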
@@ -120,15 +138,15 @@ docker_temp_server_start() { # Stop the server. When using a local socket file mysqladmin will block until # the shutdown is complete. docker_temp_server_stop() { - if ! mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then + if ! MYSQL_PWD=$MARIADB_ROOT_PASSWORD mysqladmin shutdown -uroot --socket="${SOCKET}"; then mysql_error "Unable to shut down server." fi } # Verify that the minimally required password settings are set for new databases. docker_verify_minimum_env() { - if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then - mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD' + if [ -z "$MARIADB_ROOT_PASSWORD" -a -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" -a -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then + mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD' fi } 
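Review bot: `MYSQL_PWD=$MARIADB_ROOT_PASSWORD mysqladmin shutdown -uroot --socket="${SOCKET}"` in docker_temp_server_stop moves the root password from a process-substituted defaults file into the environment of the client process, where it is readable via /proc by other processes running as the same uid inside the container; that is a smaller surface than a file on disk, but the trade-off deserves a comment so the next maintainer does not read it as an accident. Proposed: `# MYSQL_PWD is scoped to this single command; exposure is limited to same-uid processes in the container`. In docker_verify_minimum_env the rewritten condition still chains with `-a`; `if [ -z "$MARIADB_ROOT_PASSWORD" ] && [ -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] && [ -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then` is the form ShellCheck recommends and behaves identically.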
@@ -144,18 +162,18 @@ docker_create_db_directories() { if [ "$user" = "0" ]; then # this will cause less disk access than `chown -R` find "$DATADIR" \! -user mysql -exec chown mysql '{}' + + # See https://github.com/MariaDB/mariadb-docker/issues/363 + find "${SOCKET%/*}" -maxdepth 0 \! -user mysql -exec chown mysql '{}' \; fi } # initializes the database directory docker_init_database_dir() { mysql_note "Initializing database files" - installArgs=( --datadir="$DATADIR" --rpm ) - if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then - # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password - # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3 - # (this flag doesn't exist in 10.0 and below) - installArgs+=( --auth-root-authentication-method=normal ) + installArgs=( --datadir="$DATADIR" --rpm --auth-root-authentication-method=normal ) + if { mysql_install_db --help || :; } | grep -q -- '--skip-test-db'; then + # 10.3+ + installArgs+=( --skip-test-db ) fi # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here) mysql_install_db "${installArgs[@]}" "${@:2}" 
@@ -170,12 +188,21 @@ docker_setup_env() { DATADIR="$(mysql_get_config 'datadir' "$@")" SOCKET="$(mysql_get_config 'socket' "$@")" + # Initialize values that might be stored in a file - file_env 'MYSQL_ROOT_HOST' '%' - file_env 'MYSQL_DATABASE' - file_env 'MYSQL_USER' - file_env 'MYSQL_PASSWORD' - file_env 'MYSQL_ROOT_PASSWORD' + _mariadb_file_env 'MYSQL_ROOT_HOST' '%' + _mariadb_file_env 'MYSQL_DATABASE' + _mariadb_file_env 'MYSQL_USER' + _mariadb_file_env 'MYSQL_PASSWORD' + _mariadb_file_env 'MYSQL_ROOT_PASSWORD' + + # set MARIADB_ from MYSQL_ when it is unset and then make them the same value + : "${MARIADB_ALLOW_EMPTY_ROOT_PASSWORD:=${MYSQL_ALLOW_EMPTY_PASSWORD:-}}" + export MYSQL_ALLOW_EMPTY_PASSWORD="$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" MARIADB_ALLOW_EMPTY_ROOT_PASSWORD + : "${MARIADB_RANDOM_ROOT_PASSWORD:=${MYSQL_RANDOM_ROOT_PASSWORD:-}}" + export MYSQL_RANDOM_ROOT_PASSWORD="$MARIADB_RANDOM_ROOT_PASSWORD" MARIADB_RANDOM_ROOT_PASSWORD + : "${MARIADB_INITDB_SKIP_TZINFO:=${MYSQL_INITDB_SKIP_TZINFO:-}}" + export MYSQL_INITDB_SKIP_TZINFO="$MARIADB_INITDB_SKIP_TZINFO" MARIADB_INITDB_SKIP_TZINFO declare -g DATABASE_ALREADY_EXISTS if [ -d "$DATADIR/mysql" ]; then @@ -183,6 +210,15 @@ docker_setup_env() { fi } +# Execute the client, use via docker_process_sql to handle root password +docker_exec_client() { + # args sent in can override this db, since they will be later in the command + if [ -n "$MYSQL_DATABASE" ]; then + set -- --database="$MYSQL_DATABASE" "$@" + fi + mysql --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@" +} + # Execute sql script, passed via stdin # usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args] # ie: docker_process_sql --database=mydb <<<'INSERT ...' 
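Review bot: docker_exec_client's contract with docker_process_sql is implicit: it authenticates with whatever `MYSQL_PWD` the caller exported, and `mysql --protocol=socket -uroot -hlocalhost ...` simply attempts a passwordless login if the function is called with the variable unset, so the header comment should state the requirement. Proposed: `# Run the client as root over the socket; the caller must set MYSQL_PWD (explicitly empty before the root password exists), see docker_process_sql`. It also reads `MYSQL_DATABASE` rather than `MARIADB_DATABASE`, which only works because docker_setup_env keeps the two names in sync; a one-line note on that dependency would save the next reader a detour.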
@@ -190,56 +226,79 @@ docker_setup_env() { docker_process_sql() { passfileArgs=() if [ '--dont-use-mysql-root-password' = "$1" ]; then - passfileArgs+=( "$1" ) shift + MYSQL_PWD= docker_exec_client "$@" + else + MYSQL_PWD=$MARIADB_ROOT_PASSWORD docker_exec_client "$@" fi - # args sent in can override this db, since they will be later in the command - if [ -n "$MYSQL_DATABASE" ]; then - set -- --database="$MYSQL_DATABASE" "$@" - fi +} - mysql --defaults-extra-file=<( _mysql_passfile "${passfileArgs[@]}") --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@" +# SQL escape the string $1 to be placed in a string literal. +# escape, \ followed by ' +docker_sql_escape_string_literal() { + local escaped=${1//\\/\\\\} + echo "${escaped//\'/\\\'}" } # Initializes database with timezone info and root password, plus optional extra db/user docker_setup_db() { # Load timezone info into database - if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then - # sed is for https://bugs.mysql.com/bug.php?id=20545 - mysql_tzinfo_to_sql /usr/share/zoneinfo \ - | sed 's/Local time zone must be set--see zic manual page/FCTY/' \ - | docker_process_sql --dont-use-mysql-root-password --database=mysql - # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet + if [ -z "$MARIADB_INITDB_SKIP_TZINFO" ]; then + { + # Aria in 10.4+ is slow due to "transactional" (crash safety) + # https://jira.mariadb.org/browse/MDEV-23326 + # https://github.com/docker-library/mariadb/issues/262 + local tztables=( time_zone time_zone_leap_second time_zone_name time_zone_transition time_zone_transition_type ) + for table in "${tztables[@]}"; do + echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=0 */;" + done + + # sed on "Local time zone" is for https://bugs.mysql.com/bug.php?id=20545 + # Offset quoting is because of MDEV-25556 (10.6) + mysql_tzinfo_to_sql /usr/share/zoneinfo \ + | sed -e 's/Local time zone must be set--see zic manual page/FCTY/' \ + -e 's/Offset/`Offset`/' + + for table in 
"${tztables[@]}"; do + echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=1 */;" + done + } | docker_process_sql --dont-use-mysql-root-password --database=mysql + # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet fi # Generate random root password - if [ -n "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then - export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)" - mysql_note "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD" + if [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then + MARIADB_ROOT_PASSWORD="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)" + export MARIADB_ROOT_PASSWORD MYSQL_ROOT_PASSWORD=$MARIADB_ROOT_PASSWORD + mysql_note "GENERATED ROOT PASSWORD: $MARIADB_ROOT_PASSWORD" fi # Sets root password and creates root users for non-localhost hosts local rootCreate= + local rootPasswordEscaped + rootPasswordEscaped=$( docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}" ) + # default root to listen for connections from anywhere - if [ -n "$MYSQL_ROOT_HOST" ] && [ "$MYSQL_ROOT_HOST" != 'localhost' ]; then + if [ -n "$MARIADB_ROOT_HOST" ] && [ "$MARIADB_ROOT_HOST" != 'localhost' ]; then # no, we don't care if read finds a terminating character in this heredoc # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151 read -r -d '' rootCreate <<-EOSQL || true - CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ; - GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ; + CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY '${rootPasswordEscaped}' ; + GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ; EOSQL fi - # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is just now being set - docker_process_sql --dont-use-mysql-root-password --database=mysql <<-EOSQL + # tell docker_process_sql to not use MARIADB_ROOT_PASSWORD since it is just now being set + # --binary-mode to save us from the 
semi-mad users go out of their way to confuse the encoding. + docker_process_sql --dont-use-mysql-root-password --database=mysql --binary-mode <<-EOSQL -- What's done in this file shouldn't be replicated -- or products like mysql-fabric won't work SET @@SESSION.SQL_LOG_BIN=0; - + -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set + SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mariadb.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ; - SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ; + SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${rootPasswordEscaped}') ; -- 10.1: https://github.com/MariaDB/server/blob/d925aec1c10cebf6c34825a7de50afe4e630aff4/scripts/mysql_secure_installation.sh#L347-L365 -- 10.5: https://github.com/MariaDB/server/blob/00c3a28820c67c37ebbca72691f4897b57f2eed5/scripts/mysql_secure_installation.sh#L351-L369 DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%' ; - GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ; FLUSH PRIVILEGES ; ${rootCreate} 
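Review bot: `passfileArgs=()` at the top of docker_process_sql is now dead: the only line that appended to it was removed and nothing reads it after `_mysql_passfile` went away, so delete it. In docker_sql_escape_string_literal, `echo "${escaped//\'/\\\'}"` goes through bash's builtin echo, which consumes an argument made up solely of option letters such as `-n` or `-e`, so a password of exactly that form would be emitted empty; `printf '%s\n' "${escaped//\'/\\\'}"` prints any value verbatim. The `table` loop variable in docker_setup_db's tzinfo block is not declared `local` while `tztables` next to it is. docker_setup_db continues beyond the end of this hunk.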
@@ -247,33 +306,25 @@ docker_setup_db() { EOSQL # Creates a custom database and user if specified - if [ -n "$MYSQL_DATABASE" ]; then - mysql_note "Creating database ${MYSQL_DATABASE}" - docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" + if [ -n "$MARIADB_DATABASE" ]; then + mysql_note "Creating database ${MARIADB_DATABASE}" + docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MARIADB_DATABASE\` ;" fi - if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then - mysql_note "Creating user ${MYSQL_USER}" - docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" - - if [ -n "$MYSQL_DATABASE" ]; then - mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}" - docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" + if [ -n "$MARIADB_USER" ] && [ -n "$MARIADB_PASSWORD" ]; then + mysql_note "Creating user ${MARIADB_USER}" + # SQL escape the user password, \ followed by ' + local userPasswordEscaped + userPasswordEscaped=$( docker_sql_escape_string_literal "${MARIADB_PASSWORD}" ) + docker_process_sql --database=mysql --binary-mode <<-EOSQL_USER + SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', ''); + CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY '$userPasswordEscaped'; + EOSQL_USER + + if [ -n "$MARIADB_DATABASE" ]; then + mysql_note "Giving user ${MARIADB_USER} access to schema ${MARIADB_DATABASE}" + docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MARIADB_DATABASE//_/\\_}\`.* TO '$MARIADB_USER'@'%' ;" fi - - docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;" - fi -} - -_mysql_passfile() { - # echo the password to the "file" the client uses - # the client command will use process substitution to create a file on the fly - # ie: --defaults-extra-file=<( _mysql_passfile ) - if [ '--dont-use-mysql-root-password' != "$1" ] && [ -n 
"$MYSQL_ROOT_PASSWORD" ]; then - cat <<-EOF - [client] - password="${MYSQL_ROOT_PASSWORD}" - EOF fi } @@ -298,8 +349,8 @@ _main() { fi # skip setup if they aren't running mysqld or want an option that stops mysqld - if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then - mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started." + if [ "$1" == 'mysqld' ] && ! _mysql_want_help "$@"; then + mysql_note "Entrypoint script for MariaDB Server ${MARIADB_VERSION} started." mysql_check_config "$@" # Load various environment variables @@ -333,10 +384,11 @@ _main() { mysql_note "Temporary server stopped" echo - mysql_note "MySQL init process done. Ready for start up." + mysql_note "MariaDB init process done. Ready for start up." echo fi fi + exec "$@" } diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh deleted file mode 100755 index c25ec87..0000000 --- a/scripts/entrypoint.sh +++ /dev/null @@ -1,25 +0,0 @@ -#! /bin/bash -set -o errexit # abort on nonzero exitstatus -set -o nounset # abort on unbound variable -# Ensure vars are defined -function check_requirements() { - [ -z "${MYSQL_ROOT_PASS}" ] && error_exit "MYSQL_ROOT_PASS is a required variable" - [ -z "${WORDPRESS_DB_USER}" ] && error_exit "WORDPRESS_DB_USER is a required variable" - [ -z "${WORDPRESS_DB_PASS}" ] && error_exit "WORDPRESS_DB_PASS is a required variable" - [ -z "${WORDPRESS_DB_NAME}" ] && error_exit "WORDPRESS_DB_NAME is a required variable" - echo "All neccesary vars defined" -} - -check_requirements - -# Check if mysql dir is empty -if [ "$(ls -A /var/lib/mysql )" ]; then -echo "Do nothing /var/lib/mysql is not Empty" -else -echo "Take action /var/lib/mysql is Empty" -cp -R /tmp/mysql /var/lib/ -fi - -/etc/init.d/mysql start -mysql_secure_instalation_automated "${MYSQL_ROOT_PASS}" "${WORDPRESS_DB_USER}" "${WORDPRESS_DB_PASS}" "${WORDPRESS_DB_NAME}" -tail -f /dev/null \ No newline at end of file 
diff --git a/scripts/healthcheck.sh b/scripts/healthcheck.sh deleted file mode 100644 index eefb613..0000000 --- a/scripts/healthcheck.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash -set -eo pipefail - -if [ "$MYSQL_RANDOM_ROOT_PASSWORD" ] && [ -z "$MYSQL_USER" ] && [ -z "$MYSQL_PASSWORD" ]; then - # there's no way we can guess what the random MySQL password was - echo >&2 'healthcheck error: cannot determine random root password (and MYSQL_USER and MYSQL_PASSWORD were not set)' - exit 0 -fi - -host="$(hostname --ip-address || echo '127.0.0.1')" -user="${MYSQL_USER:-root}" -export MYSQL_PWD="${MYSQL_PASSWORD:-$MYSQL_ROOT_PASSWORD}" - -args=( - # force mysql to not use the local "mysqld.sock" (test "external" connectibility) - -h"$host" - -u"$user" - --silent -) - -if command -v mysqladmin &> /dev/null; then - if mysqladmin "${args[@]}" ping > /dev/null; then - exit 0 - fi -else - if select="$(echo 'SELECT 1' | mysql "${args[@]}")" && [ "$select" = '1' ]; then - exit 0 - fi -fi - -exit 1 diff --git a/scripts/mariadb.repo b/scripts/mariadb.repo deleted file mode 100644 index 665dcd5..0000000 --- a/scripts/mariadb.repo +++ /dev/null @@ -1,5 +0,0 @@ -[mariadb] -name = MariaDB -baseurl = http://yum.mariadb.org/10.3/rhel7-amd64 -gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB -gpgcheck=1 diff --git a/scripts/mysql_secure_installation_automated.sh b/scripts/mysql_secure_installation_automated.sh deleted file mode 100644 index 8a8814f..0000000 --- a/scripts/mysql_secure_installation_automated.sh +++ /dev/null 
@@ -1,94 +0,0 @@ -#! /bin/bash -set -o errexit # abort on nonzero exitstatus -set -o nounset # abort on unbound variable - - -### Functions ### -usage() { -cat << _EOF_ - -Usage: ${1} "ROOT PASSWORD" - - with "ROOT PASSWORD" the desired password for the database root user. - -Use quotes if your password contains spaces or other special characters. - - -Usage: ${2} "WORDPRESS DB USER" - - with "WORDPRESS DB USER" the desired username for the word press database wp user. - -Use quotes if your password contains spaces or other special characters. - - -Usage: ${3} "WORDPRESS DB PASS" - - with "WORDPRESS DB PASS" the desired password for the database wp user. - -Use quotes if your password contains spaces or other special characters. - -Usage: ${4} "WORDPRESS DB NAME" - - with "WORDPRESS DB NAME" the desired name for the wp database. - -Use quotes if your password contains spaces or other special characters. -_EOF_ -} - -# Predicate that returns exit status 0 if the database root password -# is set, a nonzero exit status otherwise. -is_mysql_root_password_set() { - ! mysqladmin --user=root status > /dev/null 2>&1 -} - -# Predicate that returns exit status 0 if the mysql(1) command is available, -# nonzero exit status otherwise. -is_mysql_command_available() { - which mysql > /dev/null 2>&1 -} -### --- ### - -### Command line parsing ### -if [ "$#" -ne "4" ]; then - echo "Expected 4 argument, got $#" >&2 - usage - exit 2 -fi -### --- ### - -### Variables ### -db_root_password="${1}" -wordpress_db_user="${2}" -wordpress_db_pass="${3}" -wordpress_db_name="${4}" -### --- ### - -### Script proper ### -if ! is_mysql_command_available; then - echo "The MySQL/MariaDB client mysql(1) is not installed." 
- exit 1 -fi - -if is_mysql_root_password_set; then - echo "Database root password already set" - exit 0 -fi - - -mysql --user=root <<_EOF_ - CREATE DATABASE ${wordpress_db_name}; - CREATE USER '${wordpress_db_user}' IDENTIFIED BY '${wordpress_db_pass}'; - GRANT ALL PRIVILEGES ON ${wordpress_db_name}.* TO '${wordpress_db_user}'; - FLUSH PRIVILEGES; -_EOF_ -## -- ## - -mysql --user=root <<_EOF_ - UPDATE mysql.user SET Password=PASSWORD('${db_root_password}') WHERE User='root'; - DELETE FROM mysql.user WHERE User=''; - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); - DROP DATABASE IF EXISTS test; - DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'; - FLUSH PRIVILEGES; -_EOF_ -### --- ### diff --git a/scripts/setup_repository b/scripts/setup_repository deleted file mode 100755 index 84ba878..0000000 --- a/scripts/setup_repository +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/env bash - -file=/etc/yum.repos.d/mariadb.repo -install_cmd='yum install MariaDB-server' -gpgkey=/opt/RPM-GPG-KEY-MariaDB - -err() { - msg=$1 - shift - printf "[ERROR] $msg\n" "$@" >&2 - exit 1 -} - -for d in "$PWD" "${0%/*}"; do - if [[ -d $d/repodata ]] ; then - dir=$d - if ! [[ $dir = /* ]] ; then - dir=$PWD/$dir - fi - break - fi -done - -if ! [[ $dir ]] ; then - err 'Could not find a "repodata" directory. Please change to the top level directory of the unpacked archive. and re-run this script.' -fi - -if [[ -e $file ]] ; then - err 'File "%s" already exists. Rename it and re-run this script, or manually create a new .repo file.' "$file" -fi - -if ! cat > "$file" <