RONDB-747: Remove hard-coded MySQL user (#93)

* Don't hard-code users in Dockerfile
* Use host uid/gid when creating docker-compose file
* Moved ndbmtd defaults to defaults

Author: olapiv

Dockerfile

@@ -47,7 +47,6 @@ RUN mkdir $DOWNLOADS_CACHE_DIR
 # Copying bare minimum of Hopsworks cloud environment for now
 FROM rondb_runtime_dependencies as cloud_preparation
 ARG RONDB_VERSION=21.04.16
-RUN groupadd mysql && adduser mysql --ingroup mysql
 ENV HOPSWORK_DIR=/srv/hops
 ENV RONDB_BIN_DIR=$HOPSWORK_DIR/mysql-$RONDB_VERSION
 RUN mkdir -p $RONDB_BIN_DIR
@@ -64,8 +63,7 @@ RUN case "$TARGETARCH" in \
 
 RUN --mount=type=bind,source=.,target=/context \
     . /env.sh \
-    && tar xfz /context/${TARBALL_PATH} -C $RONDB_BIN_DIR --strip-components=1 \
-    && chown mysql:mysql -R $RONDB_BIN_DIR
+    && tar xfz /context/${TARBALL_PATH} -C $RONDB_BIN_DIR --strip-components=1
 
 # Get RonDB tarball from remote url & unpack it
 FROM cloud_preparation as remote_tarball
@@ -78,8 +76,7 @@ RUN case "$TARGETARCH" in \
     esac \
     && wget $TARBALL_URL -O ./temp_tarball.tar.gz \
     && tar xfz ./temp_tarball.tar.gz -C $RONDB_BIN_DIR --strip-components=1 \
-    && rm ./temp_tarball.tar.gz \
-    && chown mysql:mysql -R $RONDB_BIN_DIR
+    && rm ./temp_tarball.tar.gz
 
 FROM ${RONDB_TARBALL_LOCAL_REMOTE}_tarball
 
@@ -116,32 +113,35 @@ ENV MYSQL_UNIX_PORT=$RONDB_DATA_DIR/mysql.sock
 
 RUN mkdir -p $LOG_DIR $RONDB_SCRIPTS_DIR $BACKUP_DATA_DIR $DISK_COLUMNS_DIR
 
-COPY --chown=mysql:mysql ./resources/rondb_scripts $RONDB_SCRIPTS_DIR
+COPY ./resources/rondb_scripts $RONDB_SCRIPTS_DIR
 ENV PATH=$RONDB_SCRIPTS_DIR:$PATH
 
-# So the path survives changing user to mysql
-RUN echo "export PATH=$PATH" >> /home/mysql/.profile
-
 RUN touch $MYSQL_UNIX_PORT
 
 # We expect this image to be used as base image to other
 # images with additional files specific to Docker
-COPY --chown=mysql:mysql ./resources/entrypoints ./docker/rondb_standalone/entrypoints
-COPY --chown=mysql:mysql ./resources/healthcheck.sh ./docker/rondb_standalone/healthcheck.sh
+COPY ./resources/entrypoints ./docker/rondb_standalone/entrypoints
+COPY ./resources/healthcheck.sh ./docker/rondb_standalone/healthcheck.sh
 
 # Can be used to mount SQL init scripts
 ENV SQL_INIT_SCRIPTS_DIR=$HOPSWORK_DIR/docker/rondb_standalone/sql_init_scripts
 RUN mkdir $SQL_INIT_SCRIPTS_DIR
 
 # Creating benchmarking files/directories
 # When using load balancers, "sysbench" can be used for both _single and _multi
-ENV BENCHMARKS_DIR=/home/mysql/benchmarks
+ENV BENCHMARKS_DIR=$HOPSWORK_DIR/benchmarks
 RUN mkdir $BENCHMARKS_DIR && cd $BENCHMARKS_DIR \
     && mkdir -p sysbench sysbench_single sysbench_multi dbt2_single dbt2_multi dbt2_data
 
-# Avoid changing files if they are already owned by mysql; otherwise image size doubles
-RUN chown mysql:mysql --from=root:root -R $HOPSWORK_DIR /home/mysql
+# These directories have to have 777 permissions if we want to
+# run RonDB containers with arbitrary users
+RUN chmod 777 -R $RONDB_DATA_DIR \
+    && chmod 777 -R $HOPSWORK_DIR/docker \
+    && chmod 777 -R $BENCHMARKS_DIR
+
+# Remove awkward message when using arbitrary user
+RUN echo "PS1='${debian_chroot:+(\$debian_chroot)}\h:\w\$ '" >> /etc/bash.bashrc
 
-ENTRYPOINT ["./docker/rondb_standalone/entrypoints/entrypoint.sh"]
+ENTRYPOINT ["./docker/rondb_standalone/entrypoints/main.sh"]
 EXPOSE 3306 33060 11860 1186 4406 5406
 CMD ["mysqld"]

build_run_docker.sh

@@ -379,7 +379,7 @@ if [ "$NUM_MYSQLD_NODES" -gt 0 ]; then
 fi
 
 DATA_DIR="/srv/hops/mysql-cluster"
-BENCH_DIR="/home/mysql/benchmarks"
+BENCH_DIR="/srv/hops/benchmarks"
 
 #######################
 #######################
@@ -433,6 +433,7 @@ service-template() {
     %s:
       image: %s
       container_name: %s
+      user: $(id -u):$(id -g)
 " "$SERVICE_NAME" "$RONDB_IMAGE_ID" "$SERVICE_NAME";
 }
 

resources/config_templates/autobench_dbt2.conf

@@ -56,4 +56,4 @@ NDB_MGMD_NODES="%s"
 
 DBT2_TIME="30"
 DBT2_WAREHOUSES="%s"
-DBT2_DATA_DIR=/home/mysql/benchmarks/dbt2_data
+DBT2_DATA_DIR=/srv/hops/benchmarks/dbt2_data

resources/config_templates/config.ini

@@ -1,4 +1,10 @@
 [NDBD DEFAULT] 
+
+DataDir=/srv/hops/mysql-cluster/log
+FileSystemPath=/srv/hops/mysql-cluster/ndb_data
+FileSystemPathDD=/srv/hops/mysql-cluster/ndb_disk_columns
+BackupDataDir=/srv/hops/mysql-cluster/ndb/backups
+
 # RonDB default configuration is intended for execution in Cloud VMs with
 # around 8 GB per VCPU. In this case it is sufficient to set nothing since
 # AutomaticThreadConfig=true is default and also AutomaticMemoryConfig=true

resources/config_templates/config_ndbd.ini

@@ -5,7 +5,3 @@ NodeActive=%s
 LocationDomainId=0
 HostName=%s
 ServerPort=%s
-DataDir=/srv/hops/mysql-cluster/log
-FileSystemPath=/srv/hops/mysql-cluster/ndb_data
-FileSystemPathDD=/srv/hops/mysql-cluster/ndb_disk_columns
-BackupDataDir=/srv/hops/mysql-cluster/ndb/backups

resources/entrypoints/entrypoint.sh

@@ -16,31 +16,10 @@
 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
 set -e
 
-# Let group members access files created by us. This is to allow the host user
-# (outside the container) to access mounted volumes. The umask will be inherited
-# by child processes, so this is the only place we need to set it.
-umask 0002
-
 # https://stackoverflow.com/a/246128/9068781
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
 if [ "$1" = 'mysqld' ]; then
-
-	# In order to make use of the umask, we need to set the environment
-	# variables that controls the creation file mode for mysqld. These
-	# variables are confusingly named UMASK and UMASK_DIR - despite their
-	# names, they are used as modes, not masks. The default UMASK and
-	# UMASK_DIR values are 0640 and 0750, respectively. We want an effect
-	# similar to `chmod g=u`, so we'll set them to 0660 and 0770. The
-	# prefixed 0 causes mysqld to interpret these as octal numbers. Note
-	# that this configuration does not affect the file creation mode mysqld
-	# uses for files containing cryptographic key (*.pem). This only means
-	# the host user cannot read private keys, which is not a problem. Since
-	# the host user has write permission to all directories, everything can
-	# still be deleted.
-	export UMASK=0660
-	export UMASK_DIR=0770
-
 	"$SCRIPT_DIR/mysqld.sh" "$@"
 else
 	# "set" lets us set the arguments to the current script.
@@ -62,38 +41,6 @@ else
 		echo "[entrypoints/main.sh] Starting ndb_mgmd"
 		set -- "$@" -f "$RONDB_DATA_DIR/config.ini" --configdir="$RONDB_DATA_DIR/log"
 	elif [ "$1" == "ndbmtd" ]; then
-
-		# ndbmtd has several hard-coded file creation modes that cannot
-		# be configured. Permissions can be removed from such hard-coded
-		# modes using umask, but there is no way to add permissions to
-		# them. As a workaround, this is a very hacky background process
-		# that every 5 seconds makes sure that the group's permissions
-		# equal the owner's.
-		ensure-group-permissions() {
-			# Find all files owned by the current user, print their
-			# modestring and path, null-terminated.
-			find /srv/hops/mysql-cluster -user "$USER" -printf '%m %p\0' |
-			# Remove all null-terminated items that begin with two
-			# equal characters (where the group's permissions
-			# already equals the user's) and then remove the
-			# modestring.
-			sed -zr '/^(.)\1/d; s/^... //;' |
-			# xargs: Run chmod with an efficient number of file
-			# arguments to correct the group's permissions.
-			xargs -r0 chmod -f g=u ||
-			# Make sure the process does not exit due to some
-			# failure.
-			true
-		}
-		while true; do
-			ensure-group-permissions
-			sleep 5
-		done &
-
-		# If ndbmtd exits within 5 seconds of creating a file, we need
-		# to make sure to set group permissions correctly.
-		trap ensure-group-permissions EXIT
-
 		echo "[entrypoints/main.sh] Starting ndbmtd"
 		# Command for more verbosity with ndbmtds: `set -- "$@" --verbose=TRUE`
 

resources/entrypoints/main.sh

@@ -25,23 +25,10 @@ _get_config() {
     "$@" --verbose --help 2>/dev/null | grep "^$conf" | awk '$1 == "'"$conf"'" { print $2; exit }'
 }
 
-# Check if entrypoint (and the container) is running as root
-# Important: Distinguish between MYSQLD_USER and MYSQL_BENCH_USER
-if [ "$(id --user)" = "0" ]; then
-    echo "[entrypoints/mysqld_configure.sh] We are running as root; setting MYSQLD_USER to 'mysql'"
-    is_root=1
-    install_devnull="install /dev/null -m0600 -omysql -gmysql"
-    MYSQLD_USER=mysql
-else
-    echo "[entrypoints/mysqld_configure.sh] Setting MYSQLD_USER to current non-root user"
-    install_devnull="install /dev/null -m0600"
-    MYSQLD_USER=$(id --user --name)
-fi
-
 # Make sure that "--defaults-file" is always run as second argument
 # Otherwise there is a risk that it might not be read
 shift
-set -- mysqld --defaults-file="$RONDB_DATA_DIR/my.cnf" --user="$MYSQLD_USER" "$@"
+set -- mysqld --defaults-file="$RONDB_DATA_DIR/my.cnf" "$@"
 echo "[entrypoints/mysqld_configure.sh] \$@: $*"
 
 # Test that the server can start. We redirect stdout to /dev/null so

resources/entrypoints/mysqld_configure.sh

@@ -193,7 +193,7 @@ services:
       image: rondb:22.10.4-dev
       container_name: bench_1
       command: >
-          bash -c "sleep 5 && bench_run.sh --verbose --default-directory /home/mysql/benchmarks/sysbench_multi "
+          bash -c "sleep 5 && bench_run.sh --verbose --default-directory /srv/hops/benchmarks/sysbench_multi "
       deploy:
         resources:
           limits:
@@ -204,16 +204,16 @@ services:
       volumes:
       - type: bind
         source: <path-to-repo>/autogenerated_files/v22104_m1_g1_r2_my2_ra1_bn1/volumes/sysbench_single
-        target: /home/mysql/benchmarks/sysbench_single
+        target: /srv/hops/benchmarks/sysbench_single
       - type: bind
         source: <path-to-repo>/autogenerated_files/v22104_m1_g1_r2_my2_ra1_bn1/volumes/dbt2_single
-        target: /home/mysql/benchmarks/dbt2_single
+        target: /srv/hops/benchmarks/dbt2_single
       - type: bind
         source: <path-to-repo>/autogenerated_files/v22104_m1_g1_r2_my2_ra1_bn1/volumes/sysbench_multi
-        target: /home/mysql/benchmarks/sysbench_multi
+        target: /srv/hops/benchmarks/sysbench_multi
       - type: bind
         source: <path-to-repo>/autogenerated_files/v22104_m1_g1_r2_my2_ra1_bn1/volumes/dbt2_multi
-        target: /home/mysql/benchmarks/dbt2_multi
+        target: /srv/hops/benchmarks/dbt2_multi
       environment:
       - HOST_GROUP_ID=20
       - MYSQL_BENCH_PASSWORD=Abc123?e

sample_files/docker_compose.yml

@@ -5,7 +5,6 @@
 default-character-set = utf8
 
 [mysqld]
-user            = mysql
 basedir         = /srv/hops/mysql
 datadir         = /srv/hops/mysql-cluster/mysql
 port            = 3306