Mysql: Skip SSL certificate generation

Created on 22 Feb 2018  路  8Comments  路  Source: docker-library/mysql

I use MySQL for local test, on each startup MySQL take some time to generate a random SSL certificate.

Is it possible to skip the SSL certificate generation?

Request question
Source
picture fvasco
👍3

All 8 comments

Hmm, this is an interesting point -- we don't have a way to skip the mysql_ssl_rsa_setup line easily.

We _do_ check whether the command exists, so you could use that to work around the issue:

FROM mysql:5.7
RUN rm -v "$(which mysql_ssl_rsa_setup)"

Or even hackier:

$ docker run ... -v /dev/null:/usr/bin/mysql_ssl_rsa_setup ... mysql:5.7
tianon picture tianon on 23 Feb 2018
👍1

Just to be clear, the section of code under discussion is the following:

https://github.com/docker-library/mysql/blob/30bf2b7ff3010d1f2ee89967dd1303d6a7230c51/5.7/docker-entrypoint.sh#L93-L100

tianon picture tianon on 23 Feb 2018

I seen that, your solution should work well, but maintain a MySQL image only for testing purpose is an extra cost.

Is it possible to add an environment variable like MYSQL_INITDB_SKIP_TZINFO?

Another interesting solution is the variable MYSQL_SERVER_KEY_PEM, so it is possible declare the certificate to use or -optionally- turn off SSL.

fvasco picture fvasco on 23 Feb 2018
👍1

Hello,
my +1 to an _env var_ approach (whatever), keeping care to disable any mounted certificate by explicitly passing --ssl=0 too (https://github.com/docker-library/mysql/issues/256), just in case.

In the mean time I'm playing w/ the 1st work around described above.

TIA,
Matteo

scara picture scara on 15 May 2018

Took a different approach over in https://github.com/docker-library/mysql/pull/428 -- basically, if SSL is disabled, we skip the certificate generation (which is exactly what 8.0's initialization scripts seem to do as well).

tianon picture tianon on 16 May 2018
👍1

@tianon

I propose https://github.com/docker-library/mysql/pull/428 is a less than ideal solution.

The use case is: The user has their own certificates/credentials they wan't to supply to mysql AND they don't want to spend time generating new credentials which will never be used. So the user wants to turn off automatic generation of credentials BUT they do not want to turn off SSL.

inieves picture inieves on 26 Aug 2018

If the user supplies their own certificates in the appropriate place, MySQL should transparently pick them up and should not create new ones. If that behavior is not working, then we should look at fixing that separately.

tianon picture tianon on 12 Sep 2018

With the solution in #428, I'm considering this closed and fixed.

If you wish to not have the image generate SSL certificates, you have two choices:

  1. supply --ssl=0 (this disables SSL in MySQL entirely, which may or may not be what you want)

  2. supply /var/lib/mysql/server-key.pem (which will disable the invocation of mysql_ssl_rsa_setup, thus not generating new keys)

tianon picture tianon on 28 Sep 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

kjaltana picture kjaltana  路  3Comments
chlch picture chlch  路  3Comments
perfeyhe picture perfeyhe  路  4Comments
jdoose picture jdoose  路  5Comments
UpCoder picture UpCoder  路  3Comments