From 37a840010341a1c3a58c2bf7ce979f9e615ebd78 Mon Sep 17 00:00:00 2001
From: Skimpax <2030318-skimpax@users.noreply.gitlab.com>
Date: Sat, 15 Oct 2022 07:49:01 +0200
Subject: [PATCH 1/4] Add ability to use secrets for mysql access
---
 backup.sh | 12 ++++++++++--
 restore.sh | 12 ++++++++----
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/backup.sh b/backup.sh
index d251ed7..450bb41 100755
--- a/backup.sh
+++ b/backup.sh
@@ -1,10 +1,18 @@
 #!/bin/bash
+# Get hostname: try read from file, else get from env
+[ -z "${MYSQL_HOST_FILE}" ] || { MYSQL_USER=$(head -1 "${MYSQL_HOST_FILE}"); }
+[ -z "${MYSQL_HOST}" ] && { echo "=> MYSQL_HOST cannot be empty" && exit 1; }
+# Get username: try read from file, else get from env
+[ -z "${MYSQL_USER_FILE}" ] || { MYSQL_USER=$(head -1 "${MYSQL_USER_FILE}"); }
 [ -z "${MYSQL_USER}" ] && { echo "=> MYSQL_USER cannot be empty" && exit 1; }
-# If provided, take password from file
+# Get password: try read from file, else get from env, else get from MYSQL_PASSWORD env
 [ -z "${MYSQL_PASS_FILE}" ] || { MYSQL_PASS=$(head -1 "${MYSQL_PASS_FILE}"); }
-# Alternatively, take it from env var
 [ -z "${MYSQL_PASS:=$MYSQL_PASSWORD}" ] && { echo "=> MYSQL_PASS cannot be empty" && exit 1; }
+# Get database name(s): try read from file, else get from env
+# Note: when from file, there can be one database name per line in that file
+[ -z "${MYSQL_DATABASE_FILE}" ] || { MYSQL_DATABASE=$(cat "${MYSQL_DATABASE_FILE}"); }
+# Get level from env, else use 6
 [ -z "${GZIP_LEVEL}" ] && { GZIP_LEVEL=6; }
 DATE=$(date +%Y%m%d%H%M)
diff --git a/restore.sh b/restore.sh
index 15d6b81..e17b61c 100755
--- a/restore.sh
+++ b/restore.sh
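Review bot: A `*_FILE` path that is set but missing or unreadable is not handled on the new lines: `head -1` prints its own error, the variable stays empty, and the script then dies with the misleading `=> MYSQL_HOST cannot be empty` message, while for `MYSQL_DATABASE_FILE` there is no emptiness check at all, so a failed `cat` silently leaves `MYSQL_DATABASE` empty. A readability guard before each read makes the failure explicit, e.g. `[ -z "${MYSQL_HOST_FILE}" ] || [ -r "${MYSQL_HOST_FILE}" ] || { echo "=> cannot read MYSQL_HOST_FILE" >&2; exit 1; }`, repeated for `MYSQL_USER_FILE`, `MYSQL_PASS_FILE` and `MYSQL_DATABASE_FILE`. The added `echo` diagnostics also go to stdout like the existing one; `>&2` would keep them off stdout. The identical prologue is added to restore.sh in the next hunk and needs the same guard. How the newline-separated `MYSQL_DATABASE` value is consumed later is outside this hunk, so whether a multi-line database file works depends on the quoting at that call site.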
@@ -1,10 +1,14 @@
 #!/bin/bash
+# Get hostname: try read from file, else get from env
+[ -z "${MYSQL_HOST_FILE}" ] || { MYSQL_USER=$(head -1 "${MYSQL_HOST_FILE}"); }
+[ -z "${MYSQL_HOST}" ] && { echo "=> MYSQL_HOST cannot be empty" && exit 1; }
+# Get username: try read from file, else get from env
+[ -z "${MYSQL_USER_FILE}" ] || { MYSQL_USER=$(head -1 "${MYSQL_USER_FILE}"); }
 [ -z "${MYSQL_USER}" ] && { echo "=> MYSQL_USER cannot be empty" && exit 1; }
-# If provided, take password from file
+# Get password: try read from file, else get from env, else get from MYSQL_PASSWORD env
 [ -z "${MYSQL_PASS_FILE}" ] || { MYSQL_PASS=$(head -1 "${MYSQL_PASS_FILE}"); }
-# Alternatively, take it from env var
-[ -z "${MYSQL_PASS}" ] && { echo "=> MYSQL_PASS cannot be empty" && exit 1; }
+[ -z "${MYSQL_PASS:=$MYSQL_PASSWORD}" ] && { echo "=> MYSQL_PASS cannot be empty" && exit 1; }
 if [ "$#" -ne 1 ]
 then
@@ -14,7 +18,7 @@ fi
 set -o pipefail
 if [ -z "${USE_PLAIN_SQL}" ]
-then
+then
 SQL=$(gunzip -c "$1")
 else
 SQL=$(cat "$1")
From 4abf8c5d9d379052c36d5c4759efe67ee4ddd8b4 Mon Sep 17 00:00:00 2001
From: Skimpax <2030318-skimpax@users.noreply.gitlab.com>
Date: Sat, 15 Oct 2022 07:55:10 +0200
Subject: [PATCH 2/4] Update Readme for secrets use
---
 README.md | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index bcd60ff..8dc88b9 100644
--- a/README.md
+++ b/README.md
@@ -18,9 +18,11 @@ docker container run -d \
 - `MYSQL_HOST`: The host/ip of your mysql database.
 - `MYSQL_PORT`: The port number of your mysql database.
 - `MYSQL_USER`: The username of your mysql database.
+- `MYSQL_USER_FILE`: The file in container where to find the user of your mysql database (cf. docker secrets). You should use either MYSQL_USER_FILE or MYSQL_USER (see examples below).
 - `MYSQL_PASS`: The password of your mysql database.
 - `MYSQL_PASS_FILE`: The file in container where to find the password of your mysql database (cf. docker secrets). You should use either MYSQL_PASS_FILE or MYSQL_PASS (see examples below).
 - `MYSQL_DATABASE`: The database name to dump. Default: `--all-databases`.
+- `MYSQL_DATABASE_FILE`: The file in container where to find the database name in your mysql database (cf. docker secrets). You should use either MYSQL_DATABASE or MYSQL_DATABASE_FILE (see examples below).
 - `MYSQLDUMP_OPTS`: Command line arguments to pass to mysqldump (see [mysqldump documentation](https://dev.mysql.com/doc/refman/8.0/en/mysqldump.html)).
 - `MYSQL_SSL_OPTS`: Command line arguments to use [SSL](https://dev.mysql.com/doc/refman/5.6/en/using-encrypted-connections.html).
 - `CRON_TIME`: The interval of cron job to run mysqldump. `0 3 * * sun` by default, which is every Sunday at 03:00. It uses UTC timezone.
@@ -79,17 +81,23 @@ volumes:
 The database root password passed to docker container by using [docker secrets](https://docs.docker.com/engine/swarm/).
-In example below, docker is in classic 'docker engine mode' (iow. not swarm mode) and secret source is a local file on host filesystem.
+In example below, docker is in classic 'docker engine mode' (iow. not swarm mode) and secret sources are local files on host filesystem.
-Alternatively, secret can be stored in docker secrets engine (iow. not in host filesystem).
+Alternatively, secrets can be stored in docker secrets engine (iow. not in host filesystem).
 ```yaml
 version: "3.7"
 secrets:
+ # Place your secret file somewhere on your host filesystem, with your password inside
 mysql_root_password:
- # Place your secret file somewhere on your host filesystem, with your password inside
 file: ./secrets/mysql_root_password
+ mysql_user:
+ file: ./secrets/mysql_user
+ mysql_password:
+ file: ./secrets/mysql_password
+ mysql_database:
+ file: ./secrets/mysql_database
 services:
 mariadb:
@@ -101,10 +109,15 @@ services:
 - data:/var/lib/mysql
 - ${VOLUME_PATH}/backup:/backup
 environment:
- - MYSQL_DATABASE=${DATABASE_NAME}
 - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
+ - MYSQL_USER_FILE=/run/secrets/mysql_user
+ - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
+ - MYSQL_DATABASE_FILE=/run/secrets/mysql_database
 secrets:
 - mysql_root_password
+ - mysql_user
+ - mysql_password
+ - mysql_database
 restart: unless-stopped
 backup:
@@ -116,13 +129,18 @@ services:
 - ${VOLUME_PATH}/backup:/backup
 environment:
 - MYSQL_HOST=my_mariadb
- - MYSQL_USER=root
- - MYSQL_PASS_FILE=/run/secrets/mysql_root_password
+ # Alternatively to MYSQL_USER_FILE, we can use MYSQL_USER=root to use root user instead
+ - MYSQL_USER_FILE=/run/secrets/mysql_user
+ # Alternatively, we can use /run/secrets/mysql_root_password when using root user
+ - MYSQL_PASS_FILE=/run/secrets/mysql_password
+ - MYSQL_DATABASE_FILE=/run/secrets/mysql_database
 - MAX_BACKUPS=10
 - INIT_BACKUP=1
 - CRON_TIME=0 0 * * *
 secrets:
- - mysql_root_password
+ - mysql_user
+ - mysql_password
+ - mysql_database
 restart: unless-stopped
 volumes:
From 7bc94755f21625d210a4c0ac23e45e91b5310a5c Mon Sep 17 00:00:00 2001
From: Skimpax <2030318-skimpax@users.noreply.gitlab.com>
Date: Sun, 16 Oct 2022 21:46:12 +0200
Subject: [PATCH 3/4] Fix copy/paste errors
---
 backup.sh | 2 +-
 restore.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/backup.sh b/backup.sh
index 450bb41..33ff1b1 100755
--- a/backup.sh
+++ b/backup.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Get hostname: try read from file, else get from env
-[ -z "${MYSQL_HOST_FILE}" ] || { MYSQL_USER=$(head -1 "${MYSQL_HOST_FILE}"); }
+[ -z "${MYSQL_HOST_FILE}" ] || { MYSQL_HOST=$(head -1 "${MYSQL_HOST_FILE}"); }
 [ -z "${MYSQL_HOST}" ] && { echo "=> MYSQL_HOST cannot be empty" && exit 1; }
 # Get username: try read from file, else get from env
 [ -z "${MYSQL_USER_FILE}" ] || { MYSQL_USER=$(head -1 "${MYSQL_USER_FILE}"); }
diff --git a/restore.sh b/restore.sh
index e17b61c..0607d6f 100755
--- a/restore.sh
+++ b/restore.sh
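Review bot: The corrected `MYSQL_HOST=` line has a byte-identical twin in restore.sh (the next hunk), and this series has now patched the same prologue in both scripts twice, which is how the `MYSQL_USER=` slip reached both files in the first place. Moving the `*_FILE`-or-env resolution into one small file that both scripts source would leave a single place to fix next time. Independently, when both `MYSQL_HOST_FILE` and `MYSQL_HOST` are set the file value silently overwrites the env value, which the README's "use either" wording does not say; a comment such as `# A *_FILE value takes precedence over the plain env var` above the hostname block would make that explicit.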
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Get hostname: try read from file, else get from env
-[ -z "${MYSQL_HOST_FILE}" ] || { MYSQL_USER=$(head -1 "${MYSQL_HOST_FILE}"); }
+[ -z "${MYSQL_HOST_FILE}" ] || { MYSQL_HOST=$(head -1 "${MYSQL_HOST_FILE}"); }
 [ -z "${MYSQL_HOST}" ] && { echo "=> MYSQL_HOST cannot be empty" && exit 1; }
 # Get username: try read from file, else get from env
 [ -z "${MYSQL_USER_FILE}" ] || { MYSQL_USER=$(head -1 "${MYSQL_USER_FILE}"); }
From d1f887f83c4567665e32dbbf4e0b246be6db4260 Mon Sep 17 00:00:00 2001
From: Skimpax <2030318-skimpax@users.noreply.gitlab.com>
Date: Sun, 16 Oct 2022 21:46:32 +0200
Subject: [PATCH 4/4] Add details in README
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8dc88b9..923ec5e 100644
--- a/README.md
+++ b/README.md
@@ -15,14 +15,16 @@ docker container run -d \
 ## Variables
+
 - `MYSQL_HOST`: The host/ip of your mysql database.
+- `MYSQL_HOST_FILE`: The file in container where to find the host of your mysql database (cf. docker secrets). You should use either MYSQL_HOST_FILE or MYSQL_HOST (see examples below).
 - `MYSQL_PORT`: The port number of your mysql database.
 - `MYSQL_USER`: The username of your mysql database.
 - `MYSQL_USER_FILE`: The file in container where to find the user of your mysql database (cf. docker secrets). You should use either MYSQL_USER_FILE or MYSQL_USER (see examples below).
 - `MYSQL_PASS`: The password of your mysql database.
 - `MYSQL_PASS_FILE`: The file in container where to find the password of your mysql database (cf. docker secrets). You should use either MYSQL_PASS_FILE or MYSQL_PASS (see examples below).
 - `MYSQL_DATABASE`: The database name to dump. Default: `--all-databases`.
-- `MYSQL_DATABASE_FILE`: The file in container where to find the database name in your mysql database (cf. docker secrets). You should use either MYSQL_DATABASE or MYSQL_DATABASE_FILE (see examples below).
+- `MYSQL_DATABASE_FILE`: The file in container where to find the database name(s) in your mysql database (cf. docker secrets). In that file, there can be several database names: one per line. You should use either MYSQL_DATABASE or MYSQL_DATABASE_FILE (see examples below).
 - `MYSQLDUMP_OPTS`: Command line arguments to pass to mysqldump (see [mysqldump documentation](https://dev.mysql.com/doc/refman/8.0/en/mysqldump.html)).
 - `MYSQL_SSL_OPTS`: Command line arguments to use [SSL](https://dev.mysql.com/doc/refman/5.6/en/using-encrypted-connections.html).
 - `CRON_TIME`: The interval of cron job to run mysqldump. `0 3 * * sun` by default, which is every Sunday at 03:00. It uses UTC timezone.