Add 10.9

10.9/Dockerfile

@@ -0,0 +1,139 @@
+# vim:set ft=dockerfile:
+FROM ubuntu:focal
+
+# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
+RUN groupadd -r mysql && useradd -r -g mysql mysql
+
+# https://bugs.debian.org/830696 (apt uses gpgv by default in newer releases, rather than gpg)
+RUN set -ex; \
+	apt-get update; \
+	if ! which gpg; then \
+		apt-get install -y --no-install-recommends gnupg; \
+	fi; \
+	if ! gpg --version | grep -q '^gpg (GnuPG) 1\.'; then \
+# Ubuntu includes "gnupg" (not "gnupg2", but still 2.x), but not dirmngr, and gnupg 2.x requires dirmngr
+# so, if we're not running gnupg 1.x, explicitly install dirmngr too
+		apt-get install -y --no-install-recommends dirmngr; \
+	fi; \
+	rm -rf /var/lib/apt/lists/*
+
+# add gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.14
+RUN set -eux; \
+	apt-get update; \
+	DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates; \
+	savedAptMark="$(apt-mark showmanual)"; \
+	apt-get install -y --no-install-recommends wget; \
+	rm -rf /var/lib/apt/lists/*; \
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	apt-mark auto '.*' > /dev/null; \
+	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+	chmod +x /usr/local/bin/gosu; \
+	gosu --version; \
+	gosu nobody true
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+# install "libjemalloc2" as it offers better performance in some cases. Use with LD_PRELOAD
+# install "pwgen" for randomizing passwords
+# install "tzdata" for /usr/share/zoneinfo/
+# install "xz-utils" for .sql.xz docker-entrypoint-initdb.d files
+# install "zstd" for .sql.zst docker-entrypoint-initdb.d files
+RUN set -ex; \
+	apt-get update; \
+	DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+		libjemalloc2 \
+		pwgen \
+		tzdata \
+		xz-utils \
+		zstd \
+	; \
+	rm -rf /var/lib/apt/lists/*
+
+ARG GPG_KEYS=177F4010FE56CA3336300305F1656F24C74CD1D8
+# pub   rsa4096 2016-03-30 [SC]
+#         177F 4010 FE56 CA33 3630  0305 F165 6F24 C74C D1D8
+# uid           [ unknown] MariaDB Signing Key <signing-key@mariadb.org>
+# sub   rsa4096 2016-03-30 [E]
+
+RUN set -ex; \
+	export GNUPGHOME="$(mktemp -d)"; \
+	for key in $GPG_KEYS; do \
+		gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+	done; \
+	gpg --batch --export $GPG_KEYS > /etc/apt/trusted.gpg.d/mariadb.gpg; \
+	command -v gpgconf > /dev/null && gpgconf --kill all || :; \
+	rm -fr "$GNUPGHOME"; \
+	apt-key list
+
+# bashbrew-architectures: amd64 arm64v8 ppc64le s390x
+ARG MARIADB_MAJOR=10.9
+ENV MARIADB_MAJOR $MARIADB_MAJOR
+ARG MARIADB_VERSION=1:10.9.0+maria~focal
+ENV MARIADB_VERSION $MARIADB_VERSION
+# release-status:Alpha
+# (https://downloads.mariadb.org/mariadb/+releases/)
+
+# Allowing overriding of REPOSITORY, a URL that includes suite and component for testing and Enterprise Versions
+ARG REPOSITORY="http://archive.mariadb.org/mariadb-10.9.0/repo/ubuntu/ focal main"
+
+RUN set -e;\
+	echo "deb ${REPOSITORY}" > /etc/apt/sources.list.d/mariadb.list; \
+	{ \
+		echo 'Package: *'; \
+		echo 'Pin: release o=MariaDB'; \
+		echo 'Pin-Priority: 999'; \
+	} > /etc/apt/preferences.d/mariadb
+# add repository pinning to make sure dependencies from this MariaDB repo are preferred over Debian dependencies
+#  libmariadbclient18 : Depends: libmysqlclient18 (= 5.5.42+maria-1~wheezy) but 5.5.43-0+deb7u1 is to be installed
+
+# the "/var/lib/mysql" stuff here is because the mysql-server postinst doesn't have an explicit way to disable the mysql_install_db codepath besides having a database already "configured" (ie, stuff in /var/lib/mysql/mysql)
+# also, we set debconf keys to make APT a little quieter
+RUN set -ex; \
+	{ \
+		echo "mariadb-server-$MARIADB_MAJOR" mysql-server/root_password password 'unused'; \
+		echo "mariadb-server-$MARIADB_MAJOR" mysql-server/root_password_again password 'unused'; \
+	} | debconf-set-selections; \
+	apt-get update; \
+	apt-get install -y \
+		"mariadb-server=$MARIADB_VERSION" \
+# mariadb-backup is installed at the same time so that `mysql-common` is only installed once from just mariadb repos
+		mariadb-backup \
+		socat \
+	; \
+	rm -rf /var/lib/apt/lists/*; \
+# purge and re-create /var/lib/mysql with appropriate ownership
+	rm -rf /var/lib/mysql; \
+	mkdir -p /var/lib/mysql /var/run/mysqld; \
+	chown -R mysql:mysql /var/lib/mysql /var/run/mysqld; \
+# ensure that /var/run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime
+	chmod 777 /var/run/mysqld; \
+# comment out a few problematic configuration values
+	find /etc/mysql/ -name '*.cnf' -print0 \
+		| xargs -0 grep -lZE '^(bind-address|log|user\s)' \
+		| xargs -rt -0 sed -Ei 's/^(bind-address|log|user\s)/#&/'; \
+# don't reverse lookup hostnames, they are usually another container
+# Issue #327 Correct order of reading directories /etc/mysql/mariadb.conf.d before /etc/mysql/conf.d (mount-point per documentation)
+	if [ ! -L /etc/mysql/my.cnf ]; then sed -i -e '/includedir/i[mariadb]\nskip-host-cache\nskip-name-resolve\n' /etc/mysql/my.cnf; \
+# 10.5+
+	else sed -i -e '/includedir/ {N;s/\(.*\)\n\(.*\)/[mariadbd]\nskip-host-cache\nskip-name-resolve\n\n\2\n\1/}' \
+                /etc/mysql/mariadb.cnf; fi
+
+
+VOLUME /var/lib/mysql
+
+COPY healthcheck.sh /usr/local/bin/healthcheck.sh
+COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+EXPOSE 3306
+CMD ["mariadbd"]

10.9/docker-entrypoint.sh

@@ -0,0 +1,502 @@
+#!/bin/bash
+set -eo pipefail
+shopt -s nullglob
+
+# logging functions
+mysql_log() {
+	local type="$1"; shift
+	printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*"
+}
+mysql_note() {
+	mysql_log Note "$@"
+}
+mysql_warn() {
+	mysql_log Warn "$@" >&2
+}
+mysql_error() {
+	mysql_log ERROR "$@" >&2
+	exit 1
+}
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		mysql_error "Both $var and $fileVar are set (but are exclusive)"
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+# set MARIADB_xyz from MYSQL_xyz when MARIADB_xyz is unset
+# and make them the same value (so user scripts can use either)
+_mariadb_file_env() {
+	local var="$1"; shift
+	local maria="MARIADB_${var#MYSQL_}"
+	file_env "$var" "$@"
+	file_env "$maria" "${!var}"
+	if [ "${!maria:-}" ]; then
+		export "$var"="${!maria}"
+	fi
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+	# https://unix.stackexchange.com/a/215279
+	[ "${#FUNCNAME[@]}" -ge 2 ] \
+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+		&& [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+#    ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions
+docker_process_init_files() {
+	# mysql here for backwards compatibility "${mysql[@]}"
+	# ShellCheck: mysql appears unused. Verify use (or export if used externally)
+	# shellcheck disable=SC2034
+	mysql=( docker_process_sql )
+
+	echo
+	local f
+	for f; do
+		case "$f" in
+			*.sh)
+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+				# https://github.com/docker-library/postgres/pull/452
+				if [ -x "$f" ]; then
+					mysql_note "$0: running $f"
+					"$f"
+				else
+					mysql_note "$0: sourcing $f"
+					# ShellCheck can't follow non-constant source. Use a directive to specify location.
+					# shellcheck disable=SC1090
+					. "$f"
+				fi
+				;;
+			*.sql)     mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;;
+			*.sql.gz)  mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;;
+			*.sql.xz)  mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;;
+			*.sql.zst) mysql_note "$0: running $f"; zstd -dc "$f" | docker_process_sql; echo ;;
+			*)         mysql_warn "$0: ignoring $f" ;;
+		esac
+		echo
+	done
+}
+
+# arguments necessary to run "mariadbd --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values)
+_verboseHelpArgs=(
+	--verbose --help
+	--log-bin-index="$(mktemp -u)" # https://github.com/docker-library/mysql/issues/136
+)
+
+mysql_check_config() {
+	local toRun=( "$@" "${_verboseHelpArgs[@]}" ) errors
+	if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
+		mysql_error $'mariadbd failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors"
+	fi
+}
+
+# Fetch value from server config
+# We use mariadbd --verbose --help instead of my_print_defaults because the
+# latter only show values present in config files, and not server defaults
+mysql_get_config() {
+	local conf="$1"; shift
+	"$@" "${_verboseHelpArgs[@]}" 2>/dev/null \
+		| awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
+	# match "datadir      /some/path with/spaces in/it here" but not "--xyz=abc\n     datadir (xyz)"
+}
+
+# Do a temporary startup of the MariaDB server, for init purposes
+docker_temp_server_start() {
+	"$@" --skip-networking --default-time-zone=SYSTEM --socket="${SOCKET}" --wsrep_on=OFF --skip-log-bin \
+		--loose-innodb_buffer_pool_load_at_startup=0 &
+	declare -g MARIADB_PID
+	MARIADB_PID=$!
+	mysql_note "Waiting for server startup"
+	# only use the root password if the database has already been initializaed
+	# so that it won't try to fill in a password file when it hasn't been set yet
+	extraArgs=()
+	if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+		extraArgs+=( '--dont-use-mysql-root-password' )
+	fi
+	local i
+	for i in {30..0}; do
+		if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
+			break
+		fi
+		sleep 1
+	done
+	if [ "$i" = 0 ]; then
+		mysql_error "Unable to start server."
+	fi
+}
+
+# Stop the server. When using a local socket file mariadb-admin will block until
+# the shutdown is complete.
+docker_temp_server_stop() {
+	if ! MYSQL_PWD=$MARIADB_ROOT_PASSWORD mariadb-admin shutdown -uroot --socket="${SOCKET}"; then
+		mysql_error "Unable to shut down server."
+	fi
+}
+
+# Verify that the minimally required password settings are set for new databases.
+docker_verify_minimum_env() {
+	if [ -z "$MARIADB_ROOT_PASSWORD" ] && [ -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] && [ -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then
+		mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD'
+	fi
+}
+
+# creates folders for the database
+# also ensures permission for user mysql of run as root
+docker_create_db_directories() {
+	local user; user="$(id -u)"
+
+	# TODO other directories that are used by default? like /var/lib/mysql-files
+	# see https://github.com/docker-library/mysql/issues/562
+	mkdir -p "$DATADIR"
+
+	if [ "$user" = "0" ]; then
+		# this will cause less disk access than `chown -R`
+		find "$DATADIR" \! -user mysql -exec chown mysql: '{}' +
+		# See https://github.com/MariaDB/mariadb-docker/issues/363
+		find "${SOCKET%/*}" -maxdepth 0 \! -user mysql -exec chown mysql: '{}' \;
+	fi
+}
+
+_mariadb_version() {
+        local mariaVersion="${MARIADB_VERSION##*:}"
+        mariaVersion="${mariaVersion%%[-+~]*}"
+	echo -n "${mariaVersion}-MariaDB"
+}
+
+# initializes the database directory
+docker_init_database_dir() {
+	mysql_note "Initializing database files"
+	installArgs=( --datadir="$DATADIR" --rpm --auth-root-authentication-method=normal )
+	if { mariadb-install-db --help || :; } | grep -q -- '--skip-test-db'; then
+		# 10.3+
+		installArgs+=( --skip-test-db )
+	else
+		# 10.2 only
+		installArgs+=( --skip-auth-anonymous-user )
+	fi
+	# "Other options are passed to mariadbd." (so we pass all "mysqld" arguments directly here)
+	mariadb-install-db "${installArgs[@]}" "${@:2}" \
+		--default-time-zone=SYSTEM --enforce-storage-engine= --skip-log-bin \
+		--loose-innodb_buffer_pool_load_at_startup=0 \
+		--loose-innodb_buffer_pool_dump_at_shutdown=0
+	mysql_note "Database files initialized"
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called after mysql_check_config, but before any other functions
+docker_setup_env() {
+	# Get config
+	declare -g DATADIR SOCKET
+	DATADIR="$(mysql_get_config 'datadir' "$@")"
+	SOCKET="$(mysql_get_config 'socket' "$@")"
+
+
+	# Initialize values that might be stored in a file
+	_mariadb_file_env 'MYSQL_ROOT_HOST' '%'
+	_mariadb_file_env 'MYSQL_DATABASE'
+	_mariadb_file_env 'MYSQL_USER'
+	_mariadb_file_env 'MYSQL_PASSWORD'
+	_mariadb_file_env 'MYSQL_ROOT_PASSWORD'
+
+	# set MARIADB_ from MYSQL_ when it is unset and then make them the same value
+	: "${MARIADB_ALLOW_EMPTY_ROOT_PASSWORD:=${MYSQL_ALLOW_EMPTY_PASSWORD:-}}"
+	export MYSQL_ALLOW_EMPTY_PASSWORD="$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" MARIADB_ALLOW_EMPTY_ROOT_PASSWORD
+	: "${MARIADB_RANDOM_ROOT_PASSWORD:=${MYSQL_RANDOM_ROOT_PASSWORD:-}}"
+	export MYSQL_RANDOM_ROOT_PASSWORD="$MARIADB_RANDOM_ROOT_PASSWORD" MARIADB_RANDOM_ROOT_PASSWORD
+	: "${MARIADB_INITDB_SKIP_TZINFO:=${MYSQL_INITDB_SKIP_TZINFO:-}}"
+	export MYSQL_INITDB_SKIP_TZINFO="$MARIADB_INITDB_SKIP_TZINFO" MARIADB_INITDB_SKIP_TZINFO
+
+	declare -g DATABASE_ALREADY_EXISTS
+	if [ -d "$DATADIR/mysql" ]; then
+		DATABASE_ALREADY_EXISTS='true'
+	fi
+}
+
+# Execute the client, use via docker_process_sql to handle root password
+docker_exec_client() {
+	# args sent in can override this db, since they will be later in the command
+	if [ -n "$MYSQL_DATABASE" ]; then
+		set -- --database="$MYSQL_DATABASE" "$@"
+	fi
+	mariadb --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
+}
+
+# Execute sql script, passed via stdin
+# usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args]
+#    ie: docker_process_sql --database=mydb <<<'INSERT ...'
+#    ie: docker_process_sql --dont-use-mysql-root-password --database=mydb <my-file.sql
+docker_process_sql() {
+	if [ '--dont-use-mysql-root-password' = "$1" ]; then
+		shift
+		MYSQL_PWD='' docker_exec_client "$@"
+	else
+		MYSQL_PWD=$MARIADB_ROOT_PASSWORD docker_exec_client "$@"
+	fi
+}
+
+# SQL escape the string $1 to be placed in a string literal.
+# escape, \ followed by '
+docker_sql_escape_string_literal() {
+	local newline=$'\n'
+	local escaped=${1//\\/\\\\}
+	escaped="${escaped//$newline/\\n}"
+	echo "${escaped//\'/\\\'}"
+}
+
+# Initializes database with timezone info and root password, plus optional extra db/user
+docker_setup_db() {
+	# Load timezone info into database
+	if [ -z "$MARIADB_INITDB_SKIP_TZINFO" ]; then
+		mariadb-tzinfo-to-sql --skip-write-binlog /usr/share/zoneinfo \
+			| docker_process_sql --dont-use-mysql-root-password --database=mysql
+		# tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet
+	fi
+	# Generate random root password
+	if [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then
+		MARIADB_ROOT_PASSWORD="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
+		export MARIADB_ROOT_PASSWORD MYSQL_ROOT_PASSWORD=$MARIADB_ROOT_PASSWORD
+		mysql_note "GENERATED ROOT PASSWORD: $MARIADB_ROOT_PASSWORD"
+	fi
+	# Sets root password and creates root users for non-localhost hosts
+	local rootCreate=
+	local rootPasswordEscaped
+	rootPasswordEscaped=$( docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}" )
+
+	# default root to listen for connections from anywhere
+	if [ -n "$MARIADB_ROOT_HOST" ] && [ "$MARIADB_ROOT_HOST" != 'localhost' ]; then
+		# no, we don't care if read finds a terminating character in this heredoc
+		# https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
+		read -r -d '' rootCreate <<-EOSQL || true
+			CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY '${rootPasswordEscaped}' ;
+			GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ;
+		EOSQL
+	fi
+
+	local mysqlAtLocalhost=
+	local mysqlAtLocalhostGrants=
+	# Install mysql@localhost user
+	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then
+		local pw=
+		pw="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
+		# MDEV-24111 before MariaDB-10.4 cannot create unix_socket user directly auth with simple_password_check
+		# It wasn't until 10.4 that the unix_socket auth was built in to the server.
+		read -r -d '' mysqlAtLocalhost <<-EOSQL || true
+		EXECUTE IMMEDIATE IF(VERSION() RLIKE '^10\.[23]\.',
+			"INSTALL PLUGIN /*M10401 IF NOT EXISTS */ unix_socket SONAME 'auth_socket'",
+			"SELECT 'already there'");
+		CREATE USER mysql@localhost IDENTIFIED BY '$pw';
+		ALTER USER mysql@localhost IDENTIFIED VIA unix_socket;
+		EOSQL
+		if [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then
+			if [ "$MARIADB_MYSQL_LOCALHOST_GRANTS" != USAGE ]; then
+				mysql_warn "Excessive privileges ON *.* TO mysql@localhost facilitates risks to the confidentiality, integrity and availability of data stored"
+			fi
+			mysqlAtLocalhostGrants="GRANT ${MARIADB_MYSQL_LOCALHOST_GRANTS} ON *.* TO mysql@localhost;";
+		fi
+	fi
+
+	mysql_note "Securing system users (equivalent to running mysql_secure_installation)"
+	# tell docker_process_sql to not use MARIADB_ROOT_PASSWORD since it is just now being set
+	# --binary-mode to save us from the semi-mad users go out of their way to confuse the encoding.
+	docker_process_sql --dont-use-mysql-root-password --database=mysql --binary-mode <<-EOSQL
+		-- What's done in this file shouldn't be replicated
+		--  or products like mysql-fabric won't work
+		SET @@SESSION.SQL_LOG_BIN=0;
+                -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set
+		SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');
+
+		DROP USER IF EXISTS root@'127.0.0.1', root@'::1';
+		EXECUTE IMMEDIATE CONCAT('DROP USER IF EXISTS root@\'', @@hostname,'\'');
+
+		SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${rootPasswordEscaped}') ;
+		${rootCreate}
+		${mysqlAtLocalhost}
+		${mysqlAtLocalhostGrants}
+		-- pre-10.3
+		DROP DATABASE IF EXISTS test ;
+	EOSQL
+
+	# Creates a custom database and user if specified
+	if [ -n "$MARIADB_DATABASE" ]; then
+		mysql_note "Creating database ${MARIADB_DATABASE}"
+		docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MARIADB_DATABASE\` ;"
+	fi
+
+	if [ -n "$MARIADB_USER" ] && [ -n "$MARIADB_PASSWORD" ]; then
+		mysql_note "Creating user ${MARIADB_USER}"
+		# SQL escape the user password, \ followed by '
+		local userPasswordEscaped
+		userPasswordEscaped=$( docker_sql_escape_string_literal "${MARIADB_PASSWORD}" )
+		docker_process_sql --database=mysql --binary-mode <<-EOSQL_USER
+			SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');
+			CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';
+		EOSQL_USER
+
+		if [ -n "$MARIADB_DATABASE" ]; then
+			mysql_note "Giving user ${MARIADB_USER} access to schema ${MARIADB_DATABASE}"
+			docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MARIADB_DATABASE//_/\\_}\`.* TO '$MARIADB_USER'@'%' ;"
+		fi
+	fi
+}
+
+# backup the mysql database
+docker_mariadb_backup_system()
+{
+	if [ -n "$MARIADB_DISABLE_UPGRADE_BACKUP" ] \
+		&& [ "$MARIADB_DISABLE_UPGRADE_BACKUP" = 1 ]; then
+		mysql_note "MariaDB upgrade backup disabled due to \$MARIADB_DISABLE_UPGRADE_BACKUP=1 setting"
+		return
+	fi
+	local backup_db="system_mysql_backup_unknown_version.sql.zst"
+	local oldfullversion="unknown_version"
+	if [ -r "$DATADIR"/mysql_upgrade_info ]; then
+		read -r -d '' oldfullversion < "$DATADIR"/mysql_upgrade_info || true
+		if [ -n "$oldfullversion" ]; then
+			backup_db="system_mysql_backup_${oldfullversion}.sql.zst"
+		fi
+	fi
+
+	mysql_note "Backing up system database to $backup_db"
+	if ! mariadb-dump --skip-lock-tables --replace --databases mysql --socket="${SOCKET}" | zstd > "${DATADIR}/${backup_db}"; then
+		mysql_error "Unable backup system database for upgrade from $oldfullversion."
+	fi
+	mysql_note "Backing up complete"
+}
+
+# perform mariadb-upgrade
+# backup the mysql database if this is a major upgrade
+docker_mariadb_upgrade() {
+	if [ -z "$MARIADB_AUTO_UPGRADE" ] \
+		|| [ "$MARIADB_AUTO_UPGRADE" = 0 ]; then
+		mysql_note "MariaDB upgrade (mariadb-upgrade) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting"
+		return
+	fi
+	mysql_note "Starting temporary server"
+	docker_temp_server_start "$@" --skip-grant-tables \
+		--loose-innodb_buffer_pool_dump_at_shutdown=0
+	mysql_note "Temporary server started."
+
+	docker_mariadb_backup_system
+
+	mysql_note "Starting mariadb-upgrade"
+	mariadb-upgrade --upgrade-system-tables
+	mysql_note "Finished mariadb-upgrade"
+
+	# docker_temp_server_stop needs authentication since
+	# upgrade ended in FLUSH PRIVILEGES
+	mysql_note "Stopping temporary server"
+	kill "$MARIADB_PID"
+	wait "$MARIADB_PID"
+	mysql_note "Temporary server stopped"
+}
+
+
+_check_if_upgrade_is_needed() {
+	if [ ! -f "$DATADIR"/mysql_upgrade_info ]; then
+		mysql_note "MariaDB upgrade information missing, assuming required"
+		return 0
+	fi
+	local mariadbVersion
+	mariadbVersion="$(_mariadb_version)"
+	IFS='.-' read -ra newversion <<<"$mariadbVersion"
+	IFS='.-' read -ra oldversion < "$DATADIR"/mysql_upgrade_info || true
+
+	if [[ ${#newversion[@]} -lt 2 ]] || [[ ${#oldversion[@]} -lt 2 ]] \
+		|| [[ ${oldversion[0]} -lt ${newversion[0]} ]] \
+		|| [[ ${oldversion[0]} -eq ${newversion[0]} && ${oldversion[1]} -lt ${newversion[1]} ]]; then
+		return 0
+	fi
+	mysql_note "MariaDB upgrade not required"
+	return 1
+}
+
+# check arguments for an option that would cause mariadbd to stop
+# return true if there is one
+_mysql_want_help() {
+	local arg
+	for arg; do
+		case "$arg" in
+			-'?'|--help|--print-defaults|-V|--version)
+				return 0
+				;;
+		esac
+	done
+	return 1
+}
+
+_main() {
+	# if command starts with an option, prepend mariadbd
+	if [ "${1:0:1}" = '-' ]; then
+		set -- mariadbd "$@"
+	fi
+
+	#ENDOFSUBSTITIONS
+	# skip setup if they aren't running mysqld or want an option that stops mysqld
+	if [ "$1" = 'mariadbd' ] || [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then
+		mysql_note "Entrypoint script for MariaDB Server ${MARIADB_VERSION} started."
+
+		mysql_check_config "$@"
+		# Load various environment variables
+		docker_setup_env "$@"
+		docker_create_db_directories
+
+		# If container is started as root user, restart as dedicated mysql user
+		if [ "$(id -u)" = "0" ]; then
+			mysql_note "Switching to dedicated user 'mysql'"
+			exec gosu mysql "${BASH_SOURCE[0]}" "$@"
+		fi
+
+		# there's no database, so it needs to be initialized
+		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+			docker_verify_minimum_env
+
+			# check dir permissions to reduce likelihood of half-initialized database
+			ls /docker-entrypoint-initdb.d/ > /dev/null
+
+			docker_init_database_dir "$@"
+
+			mysql_note "Starting temporary server"
+			docker_temp_server_start "$@"
+			mysql_note "Temporary server started."
+
+			docker_setup_db
+			docker_process_init_files /docker-entrypoint-initdb.d/*
+
+			mysql_note "Stopping temporary server"
+			docker_temp_server_stop
+			mysql_note "Temporary server stopped"
+
+			echo
+			mysql_note "MariaDB init process done. Ready for start up."
+			echo
+		# MDEV-27636 mariadb_upgrade --check-if-upgrade-is-needed cannot be run offline
+		#elif mariadb-upgrade --check-if-upgrade-is-needed; then
+		elif _check_if_upgrade_is_needed; then
+			docker_mariadb_upgrade "$@"
+		fi
+	fi
+	exec "$@"
+}
+
+# If we are sourced from elsewhere, don't perform any further actions
+if ! _is_sourced; then
+	_main "$@"
+fi

10.9/healthcheck.sh

@@ -0,0 +1,321 @@
+#!/bin/bash
+#
+# Healthcheck script for MariaDB
+#
+# Runs various tests on the MariaDB server to check its health. Pass the tests
+# to run as arguments. If all tests succeed, the server is considered healthy,
+# otherwise it's not.
+#
+# Arguments are processed in strict order. Set replication_* options before
+# the --replication option. This allows a different set of replication checks
+# on different connections.
+#
+# --su{=|-mariadb} is option to run the healthcheck as a different unix user.
+# Useful if mariadb@localhost user exists with unix socket authentication
+# Using this option disregards previous options set, so should usually be the
+# first option.
+#
+# Some tests require SQL privileges.
+#
+# TEST                      GRANTS REQUIRED
+# connect                   none*
+# innodb_initialized        USAGE
+# innodb_buffer_pool_loaded USAGE
+# galera_online             USAGE
+# replication               SUPER or REPLICATION_CLIENT or REPLICA MONITOR (10.5+)
+# mariadbupgrade            none, however unix user permissions on datadir
+#
+# The SQL user used is the default for the mariadb client. This can be the unix user
+# if no user(or password) is set in the [mariadb-client] section of a configuration
+# file. --defaults-{file,extra-file,group-suffix} can specify a file/configuration
+# different from elsewhere.
+#
+# Note * though denied error message will result in error log without
+#      any permissions.
+
+set -eo pipefail
+
+_process_sql()
+{
+	mariadb ${nodefaults:+--no-defaults} \
+		${def['file']:+--defaults-file=${def['file']}} \
+		${def['extra_file']:+--defaults-extra-file=${def['extra_file']}} \
+		${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}} \
+		-B "$@"
+}
+
+# TESTS
+
+
+# CONNECT
+#
+# Tests that a connection can be made over TCP, the final state
+# of the entrypoint and is listening. The authentication used
+# isn't tested.
+connect()
+{
+	set +e +o pipefail
+	mariadb ${nodefaults:+--no-defaults} \
+		${def['file']:+--defaults-file=${def['file']}} \
+		${def['extra_file']:+--defaults-extra-file=${def['extra_file']}}  \
+		${def['group_suffix']:+--defaults-group-suffix=${def['group_suffix']}}  \
+		-h localhost --protocol tcp -e 'select 1' 2>&1 \
+		| grep -qF "Can't connect"
+	local ret=${PIPESTATUS[1]}
+	set -eo pipefail
+	if (( "$ret" == 0 )); then
+		# grep Matched "Can't connect" so we fail
+		return 1
+	fi
+	return 0
+}
+
+# INNODB_INITIALIZED
+#
+# This tests that the crash recovery of InnoDB has completed
+# along with all the other things required to make it to a healthy
+# operational state. Note this may return true in the early
+# states of initialization. Use with a connect test to avoid
+# these false positives.
+innodb_initialized()
+{
+	local s
+	s=$(_process_sql --skip-column-names -e 'select 1 from information_schema.ENGINES WHERE engine="innodb" AND support in ("YES", "DEFAULT", "ENABLED")')
+	[ "$s" == 1 ]
+}
+
+# INNODB_BUFFER_POOL_LOADED
+#
+# Tests the load of the innodb buffer pool as been complete
+# implies innodb_buffer_pool_load_at_startup=1 (default), or if
+# manually SET innodb_buffer_pool_load_now=1
+innodb_buffer_pool_loaded()
+{
+	local s
+	s=$(_process_sql --skip-column-names -e 'select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME="Innodb_buffer_pool_load_status"')
+	if [[ $s =~ 'load completed' ]]; then
+		return 0
+	fi
+	return 1
+}
+
+# GALERA_ONLINE
+#
+# Tests that the galera node is in the SYNCed state
+galera_online()
+{
+	local s
+	s=$(_process_sql --skip-column-names -e 'select VARIABLE_VALUE from information_schema.GLOBAL_STATUS WHERE VARIABLE_NAME="WSREP_LOCAL_STATE"')
+	# 4 from https://galeracluster.com/library/documentation/node-states.html#node-state-changes
+	# not https://xkcd.com/221/
+	if [[ $s -eq 4 ]]; then
+		return 0
+	fi
+	return 1
+}
+
+# REPLICATION
+#
+# Tests the replication has the required set of functions:
+# --replication_all -> Checks all replication sources
+# --replication_name=n -> sets the multisource connection name tested
+# --replication_io -> IO thread is running
+# --replication_sql -> SQL thread is running
+# --replication_seconds_behind_master=n -> less than or equal this seconds of delay
+# --replication_sql_remaining_delay=n -> less than or equal this seconds of remaining delay
+#  (ref: https://mariadb.com/kb/en/delayed-replication/)
+replication()
+{
+	# SHOW REPLICA available 10.5+
+	# https://github.com/koalaman/shellcheck/issues/2383
+	# shellcheck disable=SC2016,SC2026
+	_process_sql -e "show ${repl['all']:+all} slave${repl['all']:+s} ${repl['name']:+'${repl['name']}'} status\G" | \
+		{
+		# required for trim of leading space.
+		shopt -s extglob
+		# Row header
+		read -t 5 -r
+		# read timeout
+		[ $? -gt 128 ] && return 1
+		while IFS=":" read -t 1 -r n v; do
+			# Trim leading space
+			n=${n##+([[:space:]])}
+			# Leading space on all values by the \G format needs to be trimmed.
+			v=${v:1}
+			case "$n" in
+				Slave_IO_Running)
+					if [ -n "${repl['io']}" ] && [ "$v" = 'No' ]; then
+						return 1
+					fi
+					;;
+				Slave_SQL_Running)
+					if [ -n "${repl['sql']}" ] && [ "$v" = 'No' ]; then
+						return 1
+					fi
+					;;
+				Seconds_Behind_Master)
+					# A NULL value is the IO thread not running:
+					if [ -n "${repl['seconds_behind_master']}" ] &&
+						{ [ "$v" = NULL ] ||
+							(( "${repl['seconds_behind_master']}" < "$v" )); }; then
+						return 1
+					fi
+					;;
+				SQL_Remaining_Delay)
+					# Unlike Seconds_Behind_Master, sql_remaining_delay will hit NULL
+					# once replication is caught up - https://mariadb.com/kb/en/delayed-replication/
+					if [ -n "${repl['sql_remaining_delay']}" ] &&
+						[ "$v" != NULL ] &&
+						(( "${repl['sql_remaining_delay']}" < "$v" )); then
+						return 1
+					fi
+					;;
+			esac
+		done
+		# read timeout
+		[ $? -gt 128 ] && return 1
+		return 0
+       }
+       return $?
+}
+
+# mariadbupgrade
+#
+# Test the lock on the file /var/lib/mysql_upgrade_info
+# https://jira.mariadb.org/browse/MDEV-27068
+mariadbupgrade()
+{
+	local f="$datadir/mysql_upgrade_info"
+	if [ -r "$f" ]; then
+		flock --exclusive --nonblock -n 9 9<"$f"
+		return $?
+	fi
+	return 0
+}
+
+
+# MAIN
+
+if [ $# -eq 0 ]; then
+	echo "At least one argument required" >&2
+	exit 1
+fi
+
+# Global variables used by tests
+declare -A repl
+declare -A def
+nodefaults=
+datadir=/var/lib/mariadb
+
+_repl_param_check()
+{
+	case "$1" in
+		seconds_behind_master) ;&
+		sql_remaining_delay)
+			if [ -z "${repl['io']}" ]; then
+				repl['io']=1
+				echo "Forcing --replication_io=1, $1 requires IO thread to be running" >&2
+			fi
+			;;
+		all)
+			if [ -n "${repl['name']}" ]; then
+				unset 'repl[name]'
+				echo "Option --replication_all incompatible with specied source --replication_name, clearing replication_name" >&2
+			fi
+			;;
+		name)
+			if [ -n "${repl['all']}" ]; then
+				unset 'repl[all]'
+				echo "Option --replication_name incompatible with --replication_all, clearing replication_all" >&2
+			fi
+			;;
+	esac
+}
+
+_test_exists() {
+    declare -F "$1"
+    return $?
+}
+
+# Marks the end of mariadb -> mariadb name changes in 10.6+
+#ENDOFSUBSTITUTIONS
+while [ $# -gt 0 ]; do
+	case "$1" in
+		--su=*)
+			u="${1#*=}"
+			shift
+			exec gosu "${u}" "${BASH_SOURCE[0]}" "$@"
+			;;
+		--su-mariadb)
+			shift
+			exec gosu mariadb "${BASH_SOURCE[0]}" "$@"
+			;;
+		--replication_*=*)
+			# Change the n to what is between _ and = and make lower case
+			n=${1#*_}
+			n=${n%%=*}
+			n=${n,,*}
+			# v is after the =
+			v=${1#*=}
+			repl[$n]=$v
+			_repl_param_check "$n"
+			;;
+		--replication_*)
+			# Without =, look for a non --option next as the value,
+			# otherwise treat it as an "enable", just equate to 1.
+			# Clearing option is possible with "--replication_X="
+			n=${1#*_}
+			n=${n,,*}
+			if [ "${2:0:2}" == '--' ]; then
+				repl[$n]=1
+			else
+				repl[$n]=$2
+				shift
+			fi
+			_repl_param_check "$n"
+			;;
+		--datadir=*)
+			datadir=${1#*=}
+			;;
+		--no-defaults)
+			unset def
+			nodefaults=1
+			;;
+		--defaults-file=*|--defaults-extra-file=*|--defaults-group-suffix=*)
+			n=${1:11} # length --defaults-
+			n=${n%%=*}
+			n=${n//-/_}
+			# v is after the =
+			v=${1#*=}
+			def[$n]=$v
+			nodefaults=
+			;;
+		--defaults-file|--defaults-extra-file|--defaults-group-suffix)
+			n=${1:11} # length --defaults-
+			n=${n//-/_}
+			if [ "${2:0:2}" == '--' ]; then
+				def[$n]=""
+			else
+				def[$n]=$2
+				shift
+			fi
+			nodefaults=
+			;;
+		--*)
+			test=${1#--}
+			;;
+		*)
+			echo "Unknown healthcheck option $1" >&2
+			exit 1
+	esac
+	if [ -n "$test" ]; then
+		if ! _test_exists "$test" ; then
+			echo "healthcheck unknown test '$test'" >&2
+			exit 1
+		elif ! "$test"; then
+			echo "healthcheck $test failed" >&2
+			exit 1
+		fi
+	fi
+	shift
+done