diff --git a/Dockerfile.sidecar b/Dockerfile.sidecar
index b3b1c26c7..39d42d244 100644
--- a/Dockerfile.sidecar
+++ b/Dockerfile.sidecar
@@ -32,6 +32,10 @@ RUN wget -nv https://github.com/ncw/rclone/releases/download/v1.46/rclone-v1.46-
 # Copy the mysql-operator-sidecar into it's own image
 FROM debian:stretch-slim as sidecar
+RUN groupadd -g 999 mysql
+RUN useradd -u 999 -r -g 999 -s /sbin/nologin \
+ -c "Default Application User" mysql
+
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
 apt-transport-https ca-certificates wget \
@@ -50,6 +54,8 @@ RUN apt-get update \
 && wget https://github.com/maxbube/mydumper/archive/v0.9.5.tar.gz -O /usr/share/src/mydumper-v0.9.5.tar.gz
+USER mysql
+
 COPY ./hack/docker/sidecar-entrypoint.sh /usr/local/bin/sidecar-entrypoint.sh
 COPY --from=builder /go/src/github.com/presslabs/mysql-operator/mysql-operator-sidecar /usr/local/bin/mysql-operator-sidecar
 COPY --from=rclone /usr/local/bin/rclone /usr/local/bin/rclone
diff --git a/hack/development/Dockerfile.sidecar b/hack/development/Dockerfile.sidecar
index 57e790a20..b8d3511b8 100644
--- a/hack/development/Dockerfile.sidecar
+++ b/hack/development/Dockerfile.sidecar
@@ -1,6 +1,11 @@
 # Copy the mysql-operator-sidecar into it's own image
+# NOTE: this image is for development only
 FROM debian:stretch-slim as sidecar
+RUN groupadd -g 999 mysql
+RUN useradd -u 999 -r -g 999 -s /sbin/nologin \
+ -c "Default Application User" mysql
+
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
 apt-transport-https ca-certificates wget \
@@ -23,6 +28,8 @@ RUN apt-get update \
 && rm -rf rclone-*-linux-amd64 rclone-current-linux-amd64.zip \
 && chmod 755 /usr/local/bin/rclone
+USER mysql
+
 # set expiration time for dev images
 # https://support.coreos.com/hc/en-us/articles/115001384693-Tag-Expiration
 LABEL quay.expires-after=2d
diff --git a/hack/docker/sidecar-entrypoint.sh b/hack/docker/sidecar-entrypoint.sh
index 50c14cd47..1e4c4219f 100755
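Review bot: The uid/gid `999` in the added `groupadd`/`useradd` lines is a bare literal with no comment saying what it has to agree with. The same commit sets `RunAsUser: &fsGroup` in statefullset.go, so the image and the pod spec presumably need the same number, although the value of `fsGroup` is not visible in this diff. I would add a comment above the two `RUN` lines such as `# uid/gid must match the fsGroup/RunAsUser the operator sets on the pod`, and fold them into a single `RUN groupadd ... && useradd ...` layer. The identical hunk in hack/development/Dockerfile.sidecar needs the same comment.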
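Review bot: `USER mysql` names the account instead of giving its uid, and a kubelet enforcing `runAsNonRoot` cannot verify that a non-numeric image user is not root; `USER 999` keeps the image usable where the pod spec does not set `runAsUser` itself. The `COPY` lines that follow still produce root-owned files because they carry no `--chown`, which is fine for read-only binaries but worth a short comment so nobody expects the process to be able to rewrite them. The same applies to the `USER mysql` hunk in hack/development/Dockerfile.sidecar.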
--- a/hack/docker/sidecar-entrypoint.sh
+++ b/hack/docker/sidecar-entrypoint.sh
@@ -2,7 +2,7 @@
 set -e
 echo "Create rclone.conf file."
-cat < /etc/rclone.conf
+cat < /tmp/rclone.conf
 [s3]
 type = s3
 env_auth = false
diff --git a/pkg/controller/mysqlcluster/internal/syncer/statefullset.go b/pkg/controller/mysqlcluster/internal/syncer/statefullset.go
index 1cdfd557e..564ddf85a 100644
--- a/pkg/controller/mysqlcluster/internal/syncer/statefullset.go
+++ b/pkg/controller/mysqlcluster/internal/syncer/statefullset.go
@@ -126,7 +126,8 @@ func (s *sfsSyncer) ensurePodSpec() core.PodSpec {
 ImagePullSecrets: s.cluster.Spec.PodSpec.ImagePullSecrets,
 SecurityContext: &core.PodSecurityContext{
 // mount volumes with mysql gid
- FSGroup: &fsGroup,
+ FSGroup: &fsGroup,
+ RunAsUser: &fsGroup,
 },
 }
 }
diff --git a/pkg/sidecar/server.go b/pkg/sidecar/server.go
index 4f7c607da..9e3cc20e8 100644
--- a/pkg/sidecar/server.go
+++ b/pkg/sidecar/server.go
@@ -91,7 +91,8 @@ func (s *server) backupHandler(w http.ResponseWriter, r *http.Request) {
 xtrabackup := exec.Command("xtrabackup", "--backup", "--slave-info", "--stream=xbstream",
 fmt.Sprintf("--tables-exclude=%s.%s", toolsDbName, toolsInitTableName),
 "--host=127.0.0.1", fmt.Sprintf("--user=%s", s.cfg.ReplicationUser),
- fmt.Sprintf("--password=%s", s.cfg.ReplicationPassword))
+ fmt.Sprintf("--password=%s", s.cfg.ReplicationPassword),
+ "--target-dir=/tmp/xtrabackup_backupfiles/")
 xtrabackup.Stderr = os.Stderr
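Review bot: The rclone config is now created in `/tmp` under the shell's default umask, and `env_auth = false` suggests the rest of the heredoc (outside this hunk) writes the S3 keys into it, so the file should be created private by putting `umask 077` before the `cat`. Nothing visible in this commit changes where rclone looks for its config, so the callers presumably have to pass `--config=/tmp/rclone.conf`. A comment on the new line naming who reads this path would make that dependency explicit.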
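Review bot: `RunAsUser: &fsGroup` reuses the gid variable as the uid, so both fields share one pointer and the name no longer says what the value means; a separate `runAsUser` value would make the intent explicit and keep a later change to one field from altering the other. The comment above still reads only `// mount volumes with mysql gid` and should say that every container in the pod now runs as that uid, since this is the pod-level security context. If none of the containers needs root, `RunAsNonRoot` could be set here as well. ensurePodSpec starts outside the hunk.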
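Review bot: The new `--target-dir=/tmp/xtrabackup_backupfiles/` is one fixed directory for every request, so two backups served at the same time by backupHandler would put their temporary files in the same place, and nothing in the hunk creates or removes it. A per-request directory, for example `dir, err := ioutil.TempDir("", "xtrabackup")` passed as `"--target-dir="+dir` and cleaned up with `defer os.RemoveAll(dir)`, avoids both the collision and the predictable name in a world-writable directory. At minimum the literal should become a named constant with a comment on why xtrabackup needs it, presumably because the process no longer runs as root. backupHandler starts and ends outside the hunk.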