Skip certificate generation if SSL is disabled #428

tianon · 2018-05-16T18:25:13Z

Closes #379

tianon · 2018-05-16T18:26:07Z

8.0/docker-entrypoint.sh

@@ -111,7 +111,8 @@ if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
 		"$@" --initialize-insecure
 		echo 'Database initialized'

-		if command -v mysql_ssl_rsa_setup > /dev/null && [ ! -e "$DATADIR/server-key.pem" ]; then
+		sslEnabled="$(_get_config 'ssl' "$@")"
+		if [ "$sslEnabled" = 'TRUE' ] && command -v mysql_ssl_rsa_setup > /dev/null && [ ! -e "$DATADIR/server-key.pem" ]; then


@ltangvald I was testing this and found that in 8.0, it appears that --initalize-insecure is creating a certificate itself if SSL is enabled -- should we remove this bit of code entirely from 8.0? (or are there cases where SSL is enabled and --initalize-insecure doesn't create a server-key.pem file?)

Friendly ping @ltangvald ❤️

Friendly ping @ltangvald 😉

I was testing this and found that in 8.0, it appears that --initalize-insecure is creating a certificate itself if SSL is enabled -- should we remove this bit of code entirely from 8.0? (or are there cases where SSL is enabled and --initalize-insecure doesn't create a server-key.pem file?)

inieves · 2018-08-26T15:19:12Z

I propose this is a less than ideal solution.

The use case is: The user has their own certificates/credentials they wan't to supply to mysql AND they don't want to spend time generating new credentials which will never be used. So the user wants to turn off automatic generation of credentials BUT they do not want to turn off SSL.

tianon · 2018-09-12T19:44:30Z

#379 (comment)

If the user supplies their own certificates in the appropriate place, MySQL should transparently pick them up and should not create new ones. If that behavior is not working, then we should look at fixing that separately.

tianon · 2020-06-19T21:16:21Z

Rebased/updated to the new docker-entrypoint.sh structure

ltangvald · 2020-07-18T10:51:47Z

I think the separate mysql_ssl_rsa_setup utility was mostly just relevant before we started linking openssl (for licensing issues), so this may no longer be needed for any versions? Also, this behavior can be controlled with the auto_generate_certs and sha256_password_auto_generate_rsa_keys settings. So by virtue of me being over 2 years late cough, I think this probably isn't needed any more :)

tianon · 2020-07-20T19:11:29Z

So if I'm understanding correctly, this change should be updated to the following, even on MySQL 5.6?

diff --git a/.template.Debian/docker-entrypoint.sh b/.template.Debian/docker-entrypoint.sh
index 6845ee4..6024a90 100755
--- a/.template.Debian/docker-entrypoint.sh
+++ b/.template.Debian/docker-entrypoint.sh
@@ -163,13 +163,6 @@ docker_init_database_dir() {
 		"$@" --initialize-insecure
 	fi
 	mysql_note "Database files initialized"
-
-	if command -v mysql_ssl_rsa_setup > /dev/null && [ ! -e "$DATADIR/server-key.pem" ]; then
-		# https://github.com/mysql/mysql-server/blob/23032807537d8dd8ee4ec1c4d40f0633cd4e12f9/packaging/deb-in/extra/mysql-systemd-start#L81-L84
-		mysql_note "Initializing certificates"
-		mysql_ssl_rsa_setup --datadir="$DATADIR"
-		mysql_note "Certificates initialized"
-	fi
 }
 
 # Loads various settings that are used elsewhere in the script

ltangvald · 2020-07-22T07:38:52Z

Right. Just need to verify that the resulting datadir is the same. For 5.6 I don't think that block does anything, since it doesn't have this functionality or mysql_ssl_rsa_setup.

tianon · 2020-11-20T22:23:18Z

Updated with the removal of the mysql_ssl_rsa_setup code, and verified on 8.0 and 5.7 that certificates are still generated into /var/lib/mysql.

8.0:

$ docker exec -it test sh -c 'ls -l /var/lib/mysql/*.pem'
-rw------- 1 mysql mysql 1676 Nov 20 22:21 /var/lib/mysql/ca-key.pem
-rw-r--r-- 1 mysql mysql 1112 Nov 20 22:21 /var/lib/mysql/ca.pem
-rw-r--r-- 1 mysql mysql 1112 Nov 20 22:21 /var/lib/mysql/client-cert.pem
-rw------- 1 mysql mysql 1680 Nov 20 22:21 /var/lib/mysql/client-key.pem
-rw------- 1 mysql mysql 1680 Nov 20 22:21 /var/lib/mysql/private_key.pem
-rw-r--r-- 1 mysql mysql  452 Nov 20 22:21 /var/lib/mysql/public_key.pem
-rw-r--r-- 1 mysql mysql 1112 Nov 20 22:21 /var/lib/mysql/server-cert.pem
-rw------- 1 mysql mysql 1676 Nov 20 22:21 /var/lib/mysql/server-key.pem

5.7:

$ docker exec -it test sh -c 'ls -l /var/lib/mysql/*.pem'
-rw------- 1 mysql mysql 1676 Nov 20 22:22 /var/lib/mysql/ca-key.pem
-rw-r--r-- 1 mysql mysql 1112 Nov 20 22:22 /var/lib/mysql/ca.pem
-rw-r--r-- 1 mysql mysql 1112 Nov 20 22:22 /var/lib/mysql/client-cert.pem
-rw------- 1 mysql mysql 1680 Nov 20 22:22 /var/lib/mysql/client-key.pem
-rw------- 1 mysql mysql 1680 Nov 20 22:22 /var/lib/mysql/private_key.pem
-rw-r--r-- 1 mysql mysql  452 Nov 20 22:22 /var/lib/mysql/public_key.pem
-rw-r--r-- 1 mysql mysql 1112 Nov 20 22:22 /var/lib/mysql/server-cert.pem
-rw------- 1 mysql mysql 1676 Nov 20 22:22 /var/lib/mysql/server-key.pem

tianon · 2020-11-20T22:24:35Z

I also verified with --ssl=0.

8.0:

$ docker exec -it test sh -c 'ls -l /var/lib/mysql/*.pem'
-rw------- 1 mysql mysql 1680 Nov 20 22:23 /var/lib/mysql/private_key.pem
-rw-r--r-- 1 mysql mysql  452 Nov 20 22:23 /var/lib/mysql/public_key.pem

5.7:

$ docker exec -it test sh -c 'ls -l /var/lib/mysql/*.pem'
-rw------- 1 mysql mysql 1680 Nov 20 22:23 /var/lib/mysql/private_key.pem
-rw-r--r-- 1 mysql mysql  452 Nov 20 22:23 /var/lib/mysql/public_key.pem

yosifkit

This seems fine. Is it safe to merge?

> I _think_ the separate mysql_ssl_rsa_setup utility was mostly just relevant before we started linking openssl (for licensing issues), so this may no longer be needed for any versions? Also, this behavior can be controlled with the auto_generate_certs and sha256_password_auto_generate_rsa_keys settings. So by virtue of me being over 2 years late *cough*, I think this probably isn't needed any more :)

Changes: - docker-library/mysql@6a2fb1d: Merge pull request docker-library/mysql#428 from infosiftr/ssl=0 - docker-library/mysql@2d86ed2: Drop explicit "mysql_ssl_rsa_setup" invocation - docker-library/mysql@b06a707: Merge pull request docker-library/mysql#821 from infosiftr/signed-by - docker-library/mysql@4afbe06: Switch from apt-key/trusted.gpg(.d) to signed-by - docker-library/mysql@0bd6d4c: Fix .gitattributes

Changes: - docker-library/mysql@4d243fc: Merge pull request docker-library/mysql#680 from infosiftr/oracle - docker-library/mysql@6a2fb1d: Merge pull request docker-library/mysql#428 from infosiftr/ssl=0 - docker-library/mysql@c77f720: Add Oracle Linux image variants - docker-library/mysql@2d86ed2: Drop explicit "mysql_ssl_rsa_setup" invocation - docker-library/mysql@b06a707: Merge pull request docker-library/mysql#821 from infosiftr/signed-by - docker-library/mysql@4afbe06: Switch from apt-key/trusted.gpg(.d) to signed-by - docker-library/mysql@0bd6d4c: Fix .gitattributes

Changes: - docker-library/mysql@131ffdd: Merge pull request docker-library/mysql#825 from infosiftr/oracle-gosu - docker-library/mysql@4e7d396: Update Oracle "gosu" to 1.14 - docker-library/mysql@4d243fc: Merge pull request docker-library/mysql#680 from infosiftr/oracle - docker-library/mysql@6a2fb1d: Merge pull request docker-library/mysql#428 from infosiftr/ssl=0 - docker-library/mysql@c77f720: Add Oracle Linux image variants - docker-library/mysql@2d86ed2: Drop explicit "mysql_ssl_rsa_setup" invocation - docker-library/mysql@b06a707: Merge pull request docker-library/mysql#821 from infosiftr/signed-by - docker-library/mysql@4afbe06: Switch from apt-key/trusted.gpg(.d) to signed-by - docker-library/mysql@0bd6d4c: Fix .gitattributes

tianon commented May 16, 2018

View reviewed changes

tianon mentioned this pull request May 16, 2018

Skip SSL certificate generation #379

Closed

tianon requested a review from ltangvald May 17, 2018 17:25

tianon force-pushed the ssl=0 branch from 533539a to 2790344 Compare June 19, 2020 21:15

tianon force-pushed the ssl=0 branch from 2790344 to 87f89d5 Compare November 20, 2020 22:16

yosifkit approved these changes Mar 22, 2021

View reviewed changes

tianon force-pushed the ssl=0 branch from 87f89d5 to 2d86ed2 Compare February 15, 2022 17:44

tianon merged commit 6a2fb1d into docker-library:master Feb 16, 2022

tianon deleted the ssl=0 branch February 16, 2022 22:56

tianon mentioned this pull request Feb 17, 2022

Update mysql docker-library/official-images#11888

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Skip certificate generation if SSL is disabled #428

Skip certificate generation if SSL is disabled #428

Uh oh!

tianon commented May 16, 2018

Uh oh!

tianon May 16, 2018

Uh oh!

tianon Jul 25, 2018

Uh oh!

tianon Nov 1, 2018

Uh oh!

inieves commented Aug 26, 2018 •

edited

Loading

Uh oh!

tianon commented Sep 12, 2018

Uh oh!

tianon commented Jun 19, 2020

Uh oh!

ltangvald commented Jul 18, 2020

Uh oh!

tianon commented Jul 20, 2020

Uh oh!

ltangvald commented Jul 22, 2020

Uh oh!

tianon commented Nov 20, 2020

Uh oh!

tianon commented Nov 20, 2020

Uh oh!

yosifkit left a comment

Uh oh!

Uh oh!

Skip certificate generation if SSL is disabled #428

Skip certificate generation if SSL is disabled #428

Uh oh!

Conversation

tianon commented May 16, 2018

Uh oh!

tianon May 16, 2018

Choose a reason for hiding this comment

Uh oh!

tianon Jul 25, 2018

Choose a reason for hiding this comment

Uh oh!

tianon Nov 1, 2018

Choose a reason for hiding this comment

Uh oh!

inieves commented Aug 26, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tianon commented Sep 12, 2018

Uh oh!

tianon commented Jun 19, 2020

Uh oh!

ltangvald commented Jul 18, 2020

Uh oh!

tianon commented Jul 20, 2020

Uh oh!

ltangvald commented Jul 22, 2020

Uh oh!

tianon commented Nov 20, 2020

Uh oh!

tianon commented Nov 20, 2020

Uh oh!

yosifkit left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

inieves commented Aug 26, 2018 •

edited

Loading