gitlab-ci-pipeline-php icon indicating copy to clipboard operation
gitlab-ci-pipeline-php copied to clipboard

Published 20 hours ago verified publisher icon edbizarro

MySQL 8 support broken

Open Synchro opened this issue 3 years ago • 3 comments

The image uses mariadb-client instead of mysql-client. This means that anything trying to connect to MySQL 8.0 server will fail by default because the mariaDB client does not include support for the caching_sha2_password plugin. This is a fatal error that can't easily be fixed from outside because MariaDB does not support this authentication mechanism, so in a testing scenario like this, it is not an appropriate substitution. This is how it is configured in CI:

db-seeding:
  stage: build
  services:
    - mysql:8.0

and here's an example of how it fails in a pipeline:

The command "mysql --user="${:LARAVEL_LOAD_USER}" --password="${:LARAVEL_LOAD_PASSWORD}" --host="${:LARAVEL_LOAD_HOST}" --port="${:LARAVEL_LOAD_PORT}" --database="${:LARAVEL_LOAD_DATABASE}" < "${:LARAVEL_LOAD_PATH}"" failed.
Exit Code: 1(General error)
Working directory: /builds/myapp
Output:
================
Error Output:
================
ERROR 1045 (28000): Plugin caching_sha2_password could not be loaded: /usr/lib/x86_64-linux-gnu/mariadb19/plugin/caching_sha2_password.so: cannot open shared object file: No such file or directory

This was fixed once before in a PR, but that was never merged.

A possible workaround would be to manually install the mysql client package prior to running the pipeline, but that should not be something we need to do in a default config.

Synchro avatar Feb 03 '21 10:02 Synchro

I remember back in the time that there's a reason to this change to mariadb-client, but was a long time ago and i don't remember why anymore, so, i think we can change back to mysql-client again and see

edbizarro avatar Feb 03 '21 13:02 edbizarro

I found that reference. I checked, and it's correct – Debian buster does not provide a MySQL package (which I'm a bit surprised by). MySQL's policy on this is that they provide a repo for Debian packages that you should use instead. Unfortunately this implies a certain amount of inconvenience as per this guide, though the problem here is with the client; we don't need the server. I'll have a go at scripting that in my PR, which won't work in its current state.

Synchro avatar Feb 03 '21 16:02 Synchro

I have found a workaround for this. In the gitlab.ci.yml file, instead of saying:

services: mysql:8.0

say:

services:
    - name: mysql:8.0
      command: [ "--default-authentication-plugin=mysql_native_password" ]

which makes the client use old-style authentication. Bear in mind that this is very much a workaround as it involves a security downgrade.

Synchro avatar Mar 05 '21 10:03 Synchro