mariabackup user cannot connect when password is complicated

Open zsoltbalogh opened this issue 2 years ago • 9 comments

Name and Version

bitnami/mariadb-galera:10.4

What steps will reproduce the bug?

  1. Set up a mariadb galera cluster using the recommended configuration
  2. Create a docker secret with a complicated password (should contain special characters, example: p+G?{/`OJ1!,)U=W~5U-vPg4 and configure that for MARIADB_GALERA_MARIABACKUP_PASSWORD_FILE
  3. Start the cluster. When the second node tries to join, the backup fails and the second node stops

What is the expected behavior?

The backup works. :)

What do you see instead?

    db-vm-1    | WSREP_SST: [INFO] Evaluating /opt/bitnami/mariadb//bin/mariabackup --defaults-file='/opt/bitnami/mariadb/conf/my.cnf' --backup --no-version-check --databases-exclude='lost+found' --tmpdir='/opt/bitnami/mariadb/tmp/tmp.5qKCrFrnL0' --innodb-data-home-dir='.' --log-bin='mysql-bin' --user='""mymariabackup' --socket='/opt/bitnami/mariadb/tmp/mysql.sock' --galera-info --stream=mbstream --target-dir='/tmp/tmp.2ExSbI46FC' --datadir='/bitnami/mariadb/data' --mysqld-args '--basedir=/opt/bitnami/mariadb' '--pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid' '--wsrep_provider_options=ist.recv_addr=192.168.0.184:4568;ist.recv_bind=0.0.0.0:4568' '--wsrep_node_incoming_address=192.168.0.184' '--wsrep_sst_receive_address=192.168.0.184' 2> '/bitnami/mariadb/data/mariabackup.backup.log' | socat -u stdio TCP:192.168.0.57:4444; RC=( ${PIPESTATUS[@]} ) (20220624 11:46:31.078)
    db-vm-1    | 2022-06-24 11:46:31 20 [Warning] Access denied for user '""mymariabackup'@'localhost' (using password: YES)

Note the double quote before the username.

Additional information

I think the issue is coming from an escaping problem in the my.cnf:

    I have no name!@db-vm-1:/$ cd /opt/bitnami/mariadb/conf/
    I have no name!@db-vm-1:/opt/bitnami/mariadb/conf$ cat my.cnf
    [..]
    wsrep_sst_auth="""mymariabackup:p+G?{/`OJ1!,)U=W~5U-vPg4"""

zsoltbalogh avatar Jun 24 '22 11:06 zsoltbalogh

Hi @zsoltbalogh, this issue is most likely related to escaping the password in my.cnf as you say. Right now we are using the ini-file tool to set the passwords, and it is possible that it does not support input of special characters.

If you are able to fix the issue, we'd be happy to review and help with the release of those changes. In the meantime, we recommend that you avoid characters that may break the Ini file (i.e. quotes and "`").

marcosbc avatar Jun 27 '22 15:06 marcosbc

Thanks, @marcosbc, I'll attempt to fix. :)

zsoltbalogh avatar Jun 28 '22 07:06 zsoltbalogh

Working on the issue. The """ is clearly not valid, I haven't seen any reference to triple double quote in ini files.

Checked:

  • https://dev.mysql.com/doc/refman/8.0/en/option-files.html#option-file-syntax
  • https://en.wikipedia.org/wiki/INI_file

zsoltbalogh avatar Jul 02 '22 12:07 zsoltbalogh

The ` character causes the problem.

zsoltbalogh avatar Jul 02 '22 12:07 zsoltbalogh

The """-s are generated by https://github.com/go-ini/ini/

It looks like """ is a thing in .ini files but mysql does not really know what to do with those.

So go-ini is correct, mysql is correct (they don't say the level of compatibility with this anywhere in their documentation) so we are stuck in-between.

zsoltbalogh avatar Jul 02 '22 12:07 zsoltbalogh

@zsoltbalogh If so, how are users supposed to escape the "`" character in the MySQL .ini file? Have you checked if replacing all occurrences of """ with " would work? If so, we could add a call to replace_in_file to get it working.

marcosbc avatar Jul 04 '22 14:07 marcosbc

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] avatar Jul 20 '22 01:07 github-actions[bot]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] avatar Aug 06 '22 01:08 github-actions[bot]

@marcosbc, I'm sorry for the late reply, I was afk for some weeks. I've tested and it works with a single double quote (") and without any quotes.

The way I tested was the following: created a my_custom.cnf file and added the following:

    [galera]
    wsrep_sst_auth=mariabackup:ea8`lU3jhRVPhrvMan

Mounted this file to /opt/bitnami/mariadb/conf/my_custom.cnf, then restarted the cluster and waited for the sync to happen and it worked.

Same is true with the double quotes:

    [galera]
    wsrep_sst_auth="mariabackup:ea8`lU3jhRVPhrvMan"

Probably the latter one is safer than the first one.

zsoltbalogh avatar Aug 08 '22 10:08 zsoltbalogh

Thanks for the update @zsoltbalogh, I've created an internal task for looking into this issue. Unfortunately I can't provide any ETA for when this issue will be fixed.

marcosbc avatar Aug 11 '22 09:08 marcosbc

Thank you! There's no urgency, the workaround is simple, just avoid ` in passwords. :)

zsoltbalogh avatar Aug 15 '22 09:08 zsoltbalogh

Hi zsoltbalogh,

The issue is now solved and a fix was released (we are now sanitizing triple quotes produced by ini-file when using special characters like "`"). Thanks for your contribution!

aoterolorenzo avatar Oct 20 '22 11:10 aoterolorenzo
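
The kind of post-processing discussed in this thread, collapsing the `"""` that the ini-file tool writes around a value containing a backtick into one pair of double quotes, shown as an added example that is not Bitnami's released fix. The function names and the sample file are hypothetical; the credential is the example one from the issue report.

```shell
#!/bin/sh
# Added illustration: helper names and the sample file are hypothetical.

# List (as "lineno:line") options whose value is wrapped in """ ... """,
# the form that, per this thread, MariaDB does not read as intended.
find_triple_quoted() {
    grep -n '^[[:space:]]*[^[:space:]#;[][^=]*=[[:space:]]*""".*"""[[:space:]]*$' "$1"
}

# Rewrite key="""value""" to key="value" in place.
# Values that contain a double quote themselves are left untouched, because one
# pair of quotes could not represent them safely. Returns 2 if any remain.
sanitize_triple_quotes() {
    file=$1
    tmp=$(mktemp) || return 1
    sed 's|^\([[:space:]]*[^[:space:]#;[][^=]*=[[:space:]]*\)"""\([^"]*\)"""[[:space:]]*$|\1"\2"|' \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"    # overwrite in place so owner and mode are kept
    rm -f "$tmp"
    if find_triple_quoted "$file" >/dev/null; then
        return 2
    fi
    return 0
}

# Constructed sample: the wsrep_sst_auth line as quoted in the issue report.
demo() {
    cnf=$(mktemp) || return 1
    cat > "$cnf" <<'EOF'
[galera]
wsrep_sst_auth="""mymariabackup:p+G?{/`OJ1!,)U=W~5U-vPg4"""
EOF
    sanitize_triple_quotes "$cnf"
    rc=$?
    cat "$cnf"
    rm -f "$cnf"
    return "$rc"
}

demo
```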

Amazing, thank you, @aoterolorenzo!

zsoltbalogh avatar Oct 24 '22 06:10 zsoltbalogh