Removing wordpress and correcting image

96231222 · Joshua Eason · 36a47e7c · 96231222 · 36a47e7c · 36a47e7c
Commit 96231222 authored May 20, 2021 by Joshua Eason
5 changed files
--- a/Dockerfile
+++ b/Dockerfile
 ARG BASE_REGISTRY=registry1.dsop.io
 ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
-ARG BASE_TAG=8.3
+ARG BASE_TAG=8.4

 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

-LABEL name="MariaDB" \
-      maintainer="bhearn@anchore.com" \
-      vendor="Open Source" \
-      version="10.5.8" \
-      release="1" \
-      summary="Image of MariaDB" \
-      description="MariaDB is a community-developed fork of the MySQL relational database management system."
+ENV MARIADB_MAJOR 10.5
+ENV MARIADB_VERSION 10.5.10

 # copy dependencies, GPG keys, and scripts
 COPY mariadb-server.rpm mariadb-client.rpm mariadb-common.rpm mariadb-shared.rpm galera.rpm boost.rpm signatures/RPM-GPG-KEY-MariaDB signatures/RPM-GPG-KEY-CentOS-Official /
@@ -27,18 +22,23 @@ RUN groupadd -r mysql && \
    dnf install -y mariadb-server.rpm mariadb-client.rpm mariadb-common.rpm mariadb-shared.rpm galera.rpm boost.rpm --setopt=tsflags=nodocs && \
    dnf clean all && \
    rm -rf /var/cache/dnf && \
-    rm mariadb-server.rpm mariadb-client.rpm mariadb-common.rpm mariadb-shared.rpm galera.rpm boost.rpm RPM-GPG-KEY-MariaDB RPM-GPG-KEY-CentOS-Official && \
-    rm usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool && \
+    rm -f mariadb-server.rpm mariadb-client.rpm mariadb-common.rpm mariadb-shared.rpm galera.rpm boost.rpm RPM-GPG-KEY-MariaDB RPM-GPG-KEY-CentOS-Official && \
    chmod +x /usr/local/bin/docker-entrypoint.sh && \
-    ln -s usr/local/bin/docker-entrypoint.sh
+
+    # Default installation has preconfigured credentials and sample databases.
+    # We're going to delete all of it and allow the entrypoint to recreate things securely.
+    rm -rf /var/lib/mysql && \
+	mkdir -p /var/lib/mysql /var/run/mysqld && \
+	chown -R mysql:mysql /var/lib/mysql /var/run/mysqld && \
+    # chmod 777 /var/run/mysqld && \
+    mkdir /docker-entrypoint-initdb.d && \
+    chown mysql:mysql /docker-entrypoint-initdb.d

 COPY config/my.cnf /etc/my.cnf
 COPY config/server.cnf /etc/my.cnf.d/server.cnf

 USER mysql

-HEALTHCHECK --interval=5s --timeout=30s CMD mysqladmin ping -h 127.0.0.1 -u mysql || exit 1
-
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

 EXPOSE 3306

--- a/Jenkinsfile
+++ b/Jenkinsfile
-@Library('DCCSCR@master') _
-dccscrPipeline(version: "10.5.8")
--- a/download.yaml
+++ b/download.yaml
---
-resources:
-  - url: "https://yum.mariadb.org/10.5.8/rhel8-amd64/rpms/MariaDB-server-10.5.8-1.el8.x86_64.rpm"
-    filename: "mariadb-server.rpm"
-    validation:
-      type: "sha256"
-      value: "14fcda323b749aec9c85d66df3bca92f827124644e312e97c29fc850b3c5515e"
-  - url: "https://yum.mariadb.org/10.5.8/rhel8-amd64/rpms/MariaDB-client-10.5.8-1.el8.x86_64.rpm"
-    filename: "mariadb-client.rpm"
-    validation:
-      type: "sha256"
-      value: "daccd783ab8adedf3d5515de3f413643028dd946b6def017170f501ac2a0c9f2"
-  - url: "https://yum.mariadb.org/10.5.8/rhel8-amd64/rpms/MariaDB-common-10.5.8-1.el8.x86_64.rpm"
-    filename: "mariadb-common.rpm"
-    validation:
-      type: "sha256"
-      value: "368ded82a22dcc45ac41841110542a4a7d3969314e04d2847018b17a9d4223df"
-  - url: "https://yum.mariadb.org/10.5.8/rhel8-amd64/rpms/MariaDB-shared-10.5.8-1.el8.x86_64.rpm"
-    filename: "mariadb-shared.rpm"
-    validation:
-      type: "sha256"
-      value: "abf5cc16105ec787c143afe02f66d93b095db8b894f1df29970d743ff3b33345"
-  - url: "https://yum.mariadb.org/10.5.8/rhel8-amd64/rpms/galera-4-26.4.5-1.el8.x86_64.rpm"
-    filename: "galera.rpm"
-    validation:
-      type: "sha256"
-      value: "7d3bf4f2920a5cc73a32bccc1a21c989845998e52b9c1c8865990ed93c331908"
-  - url: "http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/boost-program-options-1.66.0-7.el8.x86_64.rpm"
-    filename: "boost.rpm"
-    validation:
-      type: "sha256"
-      value: "a0514f24c2bbc8ea14a13703acb5f35b1b5ba1dfb97397e6776d522c8ea60331"
\ No newline at end of file
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "opensource/mariadb/mariadb105"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "10.5.10"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "redhat/ubi/ubi8"
+  BASE_TAG: "8.4"
+
+# Docker image labels
+labels:
+  org.opencontainers.image.title: "mariadb105"
+  # Human-readable description of the software packaged in the image
+  org.opencontainers.image.description: "MariaDB Server is one of the most popular open source relational databases."
+  # License(s) under which contained software is distributed
+  org.opencontainers.image.licenses: "GPL-2.0"
+  # URL to find more information on the image
+  org.opencontainers.image.url: "https://mariadb.org"
+  # Name of the distributing entity, organization or individual
+  org.opencontainers.image.vendor: "Maria DB Foundation"
+  org.opencontainers.image.version: "10.5.10"
+  # Keywords to help with search (ex. "cicd,gitops,golang")
+  mil.dso.ironbank.image.keywords: "opensource,database,relational"
+  # This value can be "opensource" or "commercial"
+  mil.dso.ironbank.image.type: "opensource"
+  # Product the image belongs to for grouping multiple images
+  mil.dso.ironbank.product.name: "opensource"
+
+# List of resources to make available to the offline build context
+resources:
+- filename: mariadb-server.rpm
+  url: http://yum.mariadb.org/10.5.10/centos/8/x86_64/rpms/MariaDB-server-10.5.10-1.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: e24dec019f8516b668fff0a062be3d9e9b9e3b274848c6b10c75c6fa8b14d200
+- filename: mariadb-client.rpm
+  url: http://yum.mariadb.org/10.5.10/centos/8/x86_64/rpms/MariaDB-client-10.5.10-1.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: e340d3a97bc6faab5cb094eed8181099e63347e51d95f687ab5ea786f45e1267
+- filename: mariadb-common.rpm
+  url: http://yum.mariadb.org/10.5.10/centos/8/x86_64/rpms/MariaDB-common-10.5.10-1.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: 3d9bad2e7b1bc553b3ba28642e0f527a9bf816cf049fd54edaf06ca1a3e04a75
+- filename: mariadb-shared.rpm
+  url: http://yum.mariadb.org/10.5.10/centos/8/x86_64/rpms/MariaDB-shared-10.5.10-1.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: ab96f0581a84485c01c8832ae94a5cff25f35db397c792bcea2258af23df82c7
+- filename: galera.rpm
+  url: http://yum.mariadb.org/10.5.10/centos/8/x86_64/rpms/galera-4-26.4.8-1.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: 4157ca5f63c10f043ea48a0b4b781b3d2c123b00601305c6b654deb6eac169d4
+- filename: boost.rpm
+  url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/boost-program-options-1.66.0-10.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: da68048ba572927abac063a05a271297ff80e8c997df88a3c914e69cb5fbaf04
--- a/scripts/docker-entrypoint.sh
+++ b/scripts/docker-entrypoint.sh
@@ -39,6 +39,18 @@ file_env() {
 	unset "$fileVar"
 }

+# set MARIADB_xyz from MYSQL_xyz when MARIADB_xyz is unset
+# and make them the same value (so user scripts can use either)
+_mariadb_file_env() {
+	local var="$1"; shift
+	local maria="MARIADB_${var#MYSQL_}"
+	file_env "$var" "$@"
+	file_env "$maria" "${!var}"
+	if [ "${!maria:-}" ]; then
+		export "$var"="${!maria}"
+	fi
+}
+
 # check to see if this file is being run or sourced from another script
 _is_sourced() {
 	# https://unix.stackexchange.com/a/215279
@@ -78,8 +90,14 @@ docker_process_init_files() {
 	done
 }

+# arguments necessary to run "mysqld --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values)
+_verboseHelpArgs=(
+	--verbose --help
+	--log-bin-index="$(mktemp -u)" # https://github.com/docker-library/mysql/issues/136
+)
+
 mysql_check_config() {
-	local toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) errors
+	local toRun=( "$@" "${_verboseHelpArgs[@]}" ) errors
 	if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
 		mysql_error $'mysqld failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors"
 	fi
@@ -90,23 +108,23 @@ mysql_check_config() {
 # latter only show values present in config files, and not server defaults
 mysql_get_config() {
 	local conf="$1"; shift
-	"$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \
+	"$@" "${_verboseHelpArgs[@]}" 2>/dev/null \
 		| awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
 	# match "datadir      /some/path with/spaces in/it here" but not "--xyz=abc\n     datadir (xyz)"
 }

-# Do a temporary startup of the MySQL server, for init purposes
+# Do a temporary startup of the MariaDB server, for init purposes
 docker_temp_server_start() {
-	"$@" --skip-networking --socket="${SOCKET}" &
+	"$@" --skip-networking --socket="${SOCKET}" --wsrep_on=OFF &
 	mysql_note "Waiting for server startup"
+	# only use the root password if the database has already been initializaed
+	# so that it won't try to fill in a password file when it hasn't been set yet
+	extraArgs=()
+	if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+		extraArgs+=( '--dont-use-mysql-root-password' )
+	fi
 	local i
 	for i in {30..0}; do
-		# only use the root password if the database has already been initializaed
-		# so that it won't try to fill in a password file when it hasn't been set yet
-		extraArgs=()
-		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-			extraArgs+=( '--dont-use-mysql-root-password' )
-		fi
 		if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
 			break
 		fi
@@ -120,15 +138,15 @@ docker_temp_server_start() {
 # Stop the server. When using a local socket file mysqladmin will block until
 # the shutdown is complete.
 docker_temp_server_stop() {
-	if ! mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then
+	if ! MYSQL_PWD=$MARIADB_ROOT_PASSWORD mysqladmin shutdown -uroot --socket="${SOCKET}"; then
 		mysql_error "Unable to shut down server."
 	fi
 }

 # Verify that the minimally required password settings are set for new databases.
 docker_verify_minimum_env() {
-	if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
-		mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD'
+	if [ -z "$MARIADB_ROOT_PASSWORD" -a -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" -a -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then
+		mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD'
 	fi
 }

@@ -144,18 +162,18 @@ docker_create_db_directories() {
 	if [ "$user" = "0" ]; then
 		# this will cause less disk access than `chown -R`
 		find "$DATADIR" \! -user mysql -exec chown mysql '{}' +
+		# See https://github.com/MariaDB/mariadb-docker/issues/363
+		find "${SOCKET%/*}" -maxdepth 0 \! -user mysql -exec chown mysql '{}' \;
 	fi
 }

 # initializes the database directory
 docker_init_database_dir() {
 	mysql_note "Initializing database files"
-	installArgs=( --datadir="$DATADIR" --rpm )
-	if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then
-		# beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password
-		# see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3
-		# (this flag doesn't exist in 10.0 and below)
-		installArgs+=( --auth-root-authentication-method=normal )
+	installArgs=( --datadir="$DATADIR" --rpm --auth-root-authentication-method=normal )
+	if { mysql_install_db --help || :; } | grep -q -- '--skip-test-db'; then
+		# 10.3+
+		installArgs+=( --skip-test-db )
 	fi
 	# "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here)
 	mysql_install_db "${installArgs[@]}" "${@:2}"
@@ -170,12 +188,21 @@ docker_setup_env() {
 	DATADIR="$(mysql_get_config 'datadir' "$@")"
 	SOCKET="$(mysql_get_config 'socket' "$@")"

+
 	# Initialize values that might be stored in a file
-	file_env 'MYSQL_ROOT_HOST' '%'
-	file_env 'MYSQL_DATABASE'
-	file_env 'MYSQL_USER'
-	file_env 'MYSQL_PASSWORD'
-	file_env 'MYSQL_ROOT_PASSWORD'
+	_mariadb_file_env 'MYSQL_ROOT_HOST' '%'
+	_mariadb_file_env 'MYSQL_DATABASE'
+	_mariadb_file_env 'MYSQL_USER'
+	_mariadb_file_env 'MYSQL_PASSWORD'
+	_mariadb_file_env 'MYSQL_ROOT_PASSWORD'
+
+	# set MARIADB_ from MYSQL_ when it is unset and then make them the same value
+	: "${MARIADB_ALLOW_EMPTY_ROOT_PASSWORD:=${MYSQL_ALLOW_EMPTY_PASSWORD:-}}"
+	export MYSQL_ALLOW_EMPTY_PASSWORD="$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" MARIADB_ALLOW_EMPTY_ROOT_PASSWORD
+	: "${MARIADB_RANDOM_ROOT_PASSWORD:=${MYSQL_RANDOM_ROOT_PASSWORD:-}}"
+	export MYSQL_RANDOM_ROOT_PASSWORD="$MARIADB_RANDOM_ROOT_PASSWORD" MARIADB_RANDOM_ROOT_PASSWORD
+	: "${MARIADB_INITDB_SKIP_TZINFO:=${MYSQL_INITDB_SKIP_TZINFO:-}}"
+	export MYSQL_INITDB_SKIP_TZINFO="$MARIADB_INITDB_SKIP_TZINFO" MARIADB_INITDB_SKIP_TZINFO

 	declare -g DATABASE_ALREADY_EXISTS
 	if [ -d "$DATADIR/mysql" ]; then
@@ -183,6 +210,15 @@ docker_setup_env() {
 	fi
 }

+# Execute the client, use via docker_process_sql to handle root password
+docker_exec_client() {
+	# args sent in can override this db, since they will be later in the command
+	if [ -n "$MYSQL_DATABASE" ]; then
+		set -- --database="$MYSQL_DATABASE" "$@"
+	fi
+	mysql --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
+}
+
 # Execute sql script, passed via stdin
 # usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args]
 #    ie: docker_process_sql --database=mydb <<<'INSERT ...'
@@ -190,56 +226,79 @@ docker_setup_env() {
 docker_process_sql() {
 	passfileArgs=()
 	if [ '--dont-use-mysql-root-password' = "$1" ]; then
-		passfileArgs+=( "$1" )
 		shift
+		MYSQL_PWD= docker_exec_client "$@"
+	else
+		MYSQL_PWD=$MARIADB_ROOT_PASSWORD docker_exec_client "$@"
 	fi
-	# args sent in can override this db, since they will be later in the command
-	if [ -n "$MYSQL_DATABASE" ]; then
-		set -- --database="$MYSQL_DATABASE" "$@"
-	fi
+}

-	mysql --defaults-extra-file=<( _mysql_passfile "${passfileArgs[@]}") --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
+# SQL escape the string $1 to be placed in a string literal.
+# escape, \ followed by '
+docker_sql_escape_string_literal() {
+	local escaped=${1//\\/\\\\}
+	echo "${escaped//\'/\\\'}"
 }

 # Initializes database with timezone info and root password, plus optional extra db/user
 docker_setup_db() {
 	# Load timezone info into database
-	if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then
-		# sed is for https://bugs.mysql.com/bug.php?id=20545
-		mysql_tzinfo_to_sql /usr/share/zoneinfo \
-			| sed 's/Local time zone must be set--see zic manual page/FCTY/' \
-			| docker_process_sql --dont-use-mysql-root-password --database=mysql
-			# tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet
+	if [ -z "$MARIADB_INITDB_SKIP_TZINFO" ]; then
+		{
+			# Aria in 10.4+ is slow due to "transactional" (crash safety)
+			# https://jira.mariadb.org/browse/MDEV-23326
+			# https://github.com/docker-library/mariadb/issues/262
+			local tztables=( time_zone time_zone_leap_second time_zone_name time_zone_transition time_zone_transition_type )
+			for table in "${tztables[@]}"; do
+				echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=0 */;"
+			done
+
+			# sed on "Local time zone" is for https://bugs.mysql.com/bug.php?id=20545
+			# Offset quoting is because of MDEV-25556 (10.6)
+			mysql_tzinfo_to_sql /usr/share/zoneinfo \
+				| sed -e 's/Local time zone must be set--see zic manual page/FCTY/' \
+				      -e 's/Offset/`Offset`/'
+
+			for table in "${tztables[@]}"; do
+				echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=1 */;"
+			done
+		} | docker_process_sql --dont-use-mysql-root-password --database=mysql
+		# tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet
 	fi
 	# Generate random root password
-	if [ -n "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
-		export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)"
-		mysql_note "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD"
+	if [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then
+		MARIADB_ROOT_PASSWORD="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
+		export MARIADB_ROOT_PASSWORD MYSQL_ROOT_PASSWORD=$MARIADB_ROOT_PASSWORD
+		mysql_note "GENERATED ROOT PASSWORD: $MARIADB_ROOT_PASSWORD"
 	fi
 	# Sets root password and creates root users for non-localhost hosts
 	local rootCreate=
+	local rootPasswordEscaped
+	rootPasswordEscaped=$( docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}" )
+
 	# default root to listen for connections from anywhere
-	if [ -n "$MYSQL_ROOT_HOST" ] && [ "$MYSQL_ROOT_HOST" != 'localhost' ]; then
+	if [ -n "$MARIADB_ROOT_HOST" ] && [ "$MARIADB_ROOT_HOST" != 'localhost' ]; then
 		# no, we don't care if read finds a terminating character in this heredoc
 		# https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
 		read -r -d '' rootCreate <<-EOSQL || true
-			CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
-			GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ;
+			CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY '${rootPasswordEscaped}' ;
+			GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ;
 		EOSQL
 	fi

-	# tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is just now being set
-	docker_process_sql --dont-use-mysql-root-password --database=mysql <<-EOSQL
+	# tell docker_process_sql to not use MARIADB_ROOT_PASSWORD since it is just now being set
+	# --binary-mode to save us from the semi-mad users go out of their way to confuse the encoding.
+	docker_process_sql --dont-use-mysql-root-password --database=mysql --binary-mode <<-EOSQL
 		-- What's done in this file shouldn't be replicated
 		--  or products like mysql-fabric won't work
 		SET @@SESSION.SQL_LOG_BIN=0;
-
+                -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set
+		SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');
 		DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mariadb.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
-		SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
+		SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${rootPasswordEscaped}') ;
 		-- 10.1: https://github.com/MariaDB/server/blob/d925aec1c10cebf6c34825a7de50afe4e630aff4/scripts/mysql_secure_installation.sh#L347-L365
 		-- 10.5: https://github.com/MariaDB/server/blob/00c3a28820c67c37ebbca72691f4897b57f2eed5/scripts/mysql_secure_installation.sh#L351-L369
 		DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%' ;
-
 		GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
 		FLUSH PRIVILEGES ;
 		${rootCreate}
@@ -247,33 +306,25 @@ docker_setup_db() {
 	EOSQL

 	# Creates a custom database and user if specified
-	if [ -n "$MYSQL_DATABASE" ]; then
-		mysql_note "Creating database ${MYSQL_DATABASE}"
-		docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;"
+	if [ -n "$MARIADB_DATABASE" ]; then
+		mysql_note "Creating database ${MARIADB_DATABASE}"
+		docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MARIADB_DATABASE\` ;"
 	fi

-	if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then
-		mysql_note "Creating user ${MYSQL_USER}"
-		docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;"
-
-		if [ -n "$MYSQL_DATABASE" ]; then
-			mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}"
-			docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;"
+	if [ -n "$MARIADB_USER" ] && [ -n "$MARIADB_PASSWORD" ]; then
+		mysql_note "Creating user ${MARIADB_USER}"
+		# SQL escape the user password, \ followed by '
+		local userPasswordEscaped
+		userPasswordEscaped=$( docker_sql_escape_string_literal "${MARIADB_PASSWORD}" )
+		docker_process_sql --database=mysql --binary-mode <<-EOSQL_USER
+			SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');
+			CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';
+		EOSQL_USER
+
+		if [ -n "$MARIADB_DATABASE" ]; then
+			mysql_note "Giving user ${MARIADB_USER} access to schema ${MARIADB_DATABASE}"
+			docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MARIADB_DATABASE//_/\\_}\`.* TO '$MARIADB_USER'@'%' ;"
 		fi
-
-		docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;"
-	fi
-}
-
-_mysql_passfile() {
-	# echo the password to the "file" the client uses
-	# the client command will use process substitution to create a file on the fly
-	# ie: --defaults-extra-file=<( _mysql_passfile )
-	if [ '--dont-use-mysql-root-password' != "$1" ] && [ -n "$MYSQL_ROOT_PASSWORD" ]; then
-		cat <<-EOF
-			[client]
-			password="${MYSQL_ROOT_PASSWORD}"
-		EOF
 	fi
 }

@@ -298,8 +349,8 @@ _main() {
 	fi

 	# skip setup if they aren't running mysqld or want an option that stops mysqld
-	if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then
-		mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started."
+	if [ "$1" == 'mysqld' ] && ! _mysql_want_help "$@"; then
+		mysql_note "Entrypoint script for MariaDB Server ${MARIADB_VERSION} started."

 		mysql_check_config "$@"
 		# Load various environment variables
@@ -333,10 +384,12 @@ _main() {
 			mysql_note "Temporary server stopped"

 			echo
-			mysql_note "MySQL init process done. Ready for start up."
+			mysql_note "MariaDB init process done. Ready for start up."
 			echo
 		fi
 	fi
+
+	env
 	exec "$@"
 }