build: docker image should support init scripts in docker-entrypoint-initdb.d #48647

rafiss · 2020-05-09T19:37:10Z

The Postgres (and many other databases') docker image supports adding initialization scripts to docker-entrypoint-initdb.d. We should have something similar, since it seems like a nice convention.

The Postgres docker docs: https://hub.docker.com/_/postgres

If you would like to do additional initialization in an image derived from this one, add one or more *.sql, *.sql.gz, or *.sh scripts under /docker-entrypoint-initdb.d (creating the directory if necessary). After the entrypoint calls initdb to create the default postgres user and database, it will run any *.sql files, run any executable *.sh scripts, and source any non-executable *.sh scripts found in that directory to do further initialization before starting the service.

Warning: scripts in /docker-entrypoint-initdb.d are only run if you start the container with a data directory that is empty; any pre-existing database will be left untouched on container startup. One common problem is that if one of your /docker-entrypoint-initdb.d scripts fails (which will cause the entrypoint script to exit) and your orchestrator restarts the container with the already initialized data directory, it will not continue on with your scripts.

For example, to add an additional user and database, add the following to /docker-entrypoint-initdb.d/init-user-db.sh:

#!/bin/bash
set -e

psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
    CREATE USER docker;
    CREATE DATABASE docker;
    GRANT ALL PRIVILEGES ON DATABASE docker TO docker;
EOSQL

These initialization files will be executed in sorted name order as defined by the current locale, which defaults to en_US.utf8. Any *.sql files will be executed by POSTGRES_USER, which defaults to the postgres superuser. It is recommended that any psql commands that are run inside of a *.sh script be executed as POSTGRES_USER by using the --username "$POSTGRES_USER" flag. This user will be able to connect without a password due to the presence of trust authentication for Unix socket connections made inside the container.

Additionally, as of docker-library/postgres#253, these initialization scripts are run as the postgres user (or as the "semi-arbitrary user" specified with the --user flag to docker run; see the section titled "Arbitrary --user Notes" for more details). Also, as of docker-library/postgres#440, the temporary daemon started for these initialization scripts listens only on the Unix socket, so any psql usage should drop the hostname portion (see docker-library/postgres#474 (comment) for example).

Epic CRDB-1424

The text was updated successfully, but these errors were encountered:

knz · 2020-08-24T16:28:33Z

For example, to add an additional user and database, add the following to /docker-entrypoint-initdb.d/init-user-db.sh [...]

I like this solution. However, can you explain which logic ensures that these commands are only run after the cluster has been fully initialized with init?

rafiss · 2020-08-24T21:16:21Z

I hadn't considered that. The solution I just thought of now is to add some stuff to cockroach.sh to check if the subcommand is either init or start-single-node, and if so, to send the SQL queries in the docker-entrypoint-initdb.d directory to the cluster. This means that we have to change Step 4 of the docker instructions to use docker run instead of docker exec, meaning that a new container would get created, run init, and then immediately exit. Maybe that's not a good practice though...

knz · 2020-09-21T12:20:49Z

I have studied this a little bit today.
I have come to believe your issue here is better phrased (and solves a more important problem) than #26722.

So here's our more complete bill of requirements:

make the code so that if there are initialization scripts in some directory (e.g. docker-entrypoint-initdb.d), they are run when the cluster is initialized.

We could achieve that by special logic inside CockroachDB, however given that this entire discussion (and that of cli: extend cockroach init (or 1st start without --join) with SQL initialization #26722) is geared towards Docker and containers, it's much easier to implement it inside the cockroach.sh entry script, like you explain above.
ensure this is only done when the cluster is initialized, not just for any command (e.g. not when start is executed).

So yes, we need to detect the init command and then run the scripts after init has completed, but before control is returned to the caller of the script (I presume that's the docker run command)
be careful about security.

Depending on the crdb network configuration, the servers may not be listening on a TCP port that the command inside the container has access to, or accept to authenticate clients there. We don't want to forbid these network configurations just because we need an init script.

Also if/when crdb evolves to reduce access to the root user (instead, favoring an auto-generated operator user with random credentials), the init script must not reduce in utility.

What to do about this?

I suggest to take inspiration from what the pg docker image is doing: leverage the unix socket and use it for the initialization script.

Separately we want to ensure that any future project to de-emphasize root would keep the docker init script use case working. This will need some unit testing to be in place, to serve as guardrail for future changes.

knz · 2020-09-21T12:24:31Z

There may be a fly in the "let's detect this in the script" ointment: the init command may be done over the network, in which case the script has nothing to work with. But I have an idea about that.

rafiss · 2020-09-23T15:20:43Z

Tagging #19826 since it seems like a related ask that could/should be solved similarly. cc @apantel

knz · 2020-09-23T16:04:37Z

yep.

FYI I'm currently drafting some pr that goes in this direction. who will be the best folk in sql / appdev to help with review / iterations? I think I'll also ping Bob for the k8s integrability.

rafiss · 2020-09-23T20:39:38Z

Can you work with @apantel on that? He also had discussed with a few others I believe.

54758: server: split server pre-start from accepting clients r=irfansharif,tbg a=knz This will enable the introduction of further cluster initialization using SQL in `start.go`, before clients become able to connect. I found this to be a prerequisite to #48647. Co-authored-by: Raphael 'kena' Poss <[email protected]>

knz · 2021-09-22T13:57:15Z

Discussed with @rafiss and @ZhouXing19 , we can operate using a variation of the following script:

#!/bin/sh

set -eu

case $1 in
    shell)
        shift
        exec /bin/sh "$@"
        ;;
    auto)
        shift
        C=/cockroach/cockroach
        if ! [ -e certs ]; then
            mkdir certs
            $C cert create-ca --certs-dir=certs --ca-key=certs/ca.key
            $C cert create-node --certs-dir=certs --ca-key=certs/ca.key 127.0.0.1
            $C cert create-client --certs-dir=certs --ca-key=certs/ca.key root
        fi
        if ! [ -e cockroach-data ]; then
            # init here
            rm -f server_fifo; mkfifo server_fifo
            $C start-single-node --certs-dir=certs --listen-addr=127.0.0.1 --background \
               --listening-url-file=server_fifo --pid-file=server_pid &
            cat server_fifo>server.url
            $C sql --certs-dir=certs --url=$(cat server.url) \
               -e "CREATE DATABASE $COCKROACH_DATABASE" \
               -e "CREATE USER $COCKROACH_USER WITH PASSWORD $COCKROACH_PASSWORD" \
               -e "GRANT ALL ON DATABASE $COCKROACH_DATABASE TO $COCKROACH_USER" \
               -e "GRANT admin TO $COCKROACH_USER"
            kill $(cat server_pid)
            # wait until server finishes
            while ! kill -0 $(cat server_pid); do
                sleep 1
            done
        fi
        # restart server.
        exec /cockroach/cockroach --certs-dir=certs start-single-node --listen-addr=127.0.0.1 "$@"
        ;;
    *)
        exec /cockroach/cockroach "$@"
        ;;
esac

knz · 2021-09-22T17:47:58Z

Summary of our convo earlier today, to clarify the script above:

the main goal here is to provide a docker image for unit tests in SQL client frameworks. Therefore, we do not need to provision a general-purpose solution that works for multi-node clusters.
the behavior can be triggered by a special argument to the docker container, to have that initialization on a non-default code path in the script.
since we're focusing on a single-node cluster, it's legitimate to start a server a first time, do SQL initialization, then restart the server.
to ensure that the SQL service is not available to client apps until the SQL initialization has completed, we can start the 1st server using another TCP port than 26257, and do the initialization using that secondary port.
the example script above is just a proof of concept, it is missing many aspects, for example:
- better error handling
- reset the setup if something fails
- check with similar scripts in other DBs what is done to protect against quoting errors (what if the names provided by the env var contain special characters?)
- we may want to provision the certs using a docker volume mount. Re-creating the certs every time is expensive.

…` command This commit adds support for environment varibales `COCKROACH_DATABASE`, `COCKROACH_USER` and `COCKROACH_PASSWORD`for a default database and/or a default user with password. I.e., a similar feature as POSTGRES_DB,`POSTGRES_USER` and `POSTGRES_PASSWORD` in PostgreSQL's docker image. See also https://hub.docker.com/_/postgres. Also we support additional initialization from init scripts in `docker-entrypoint-initdb.d`. Users need to mount the `docker-entrypoint-initdb.d` using the `-v` flag when running the docker image. The usage is similar to the one in PostgreSQL's docker image. Note: - The new features only affect the `start-single-node` sub-command of cockroach; - All the other cockroach sub-commands function the same as they previously functioned; - Bash is now supported in addition to shell. Usage for environment variables: 1. Start the cockroach server by running ``` docker run -d \ -e COCKROACH_DATABASE=mydb \ -e COCKROACH_USER=bee \ -e COCKROACH_PASSWORD=23333 \ --name=roach1 \ --hostname=roach1 \ --net=roachnet \ -p 26257:26257 -p 8080:8080 \ -v "${PWD}/cockroach-data/roach1:/cockroach/cockroach-data" \ -v "${PWD}/docker-entrypoint-initdb.d/:/docker-entrypoint-initdb.d" \ cockroachdb/cockroach:latest start-single-node \ --listen-addr=127.0.0.1:26257 \ --http-addr=localhost:8080 \ --certs-dir=certs ``` where `-e COCKROACH_DATABASE=mydb` is to set the default database's name, `-e COCKROACH_USER=bee` is to set the default user name, and `-e COCKROACH_PASSWORD=23333` is to set the password for the default user. This `docker run` command gives a container id. Use `docker logs` to check if the initialization is finished. 2. Enter the sql interface by running ``` docker exec -it roach1 ./cockroach sql --certs-dir=certs \ --url="postgresql://bee:[email protected]:26257/defaultdb?sslcert=certs%2Fclient.bee.crt&sslkey=certs%2Fclient.bee.key&sslmode=verify-full&sslrootcert=certs%2Fca.crt" ``` 3. Run `\l` to check the list of databases, run `SHOW ROLES;` to check the list of users. Usage for init scripts: 1. Put `.sql`/`.sql.gz`/`.sql.xz` files under `docker-entrypoint-initdb.d`. 2. Run: ``` docker run -d \ -e COCKROACH_DATABASE=mydb \ --name=roach1 \ --hostname=roach1 \ --net=roachnet \ -p 26257:26257 -p 8080:8080 \ -v "${PWD}/cockroach-data/roach1:/cockroach/cockroach-data" \ cockroachdb/cockroach:latest start-single-node \ --listen-addr=127.0.0.1 \ --http-addr=localhost:8080 \ --certs-dir=certs ``` 3. Enter the sql interface to check if the init scripts are processed. Resolves cockroachdb#48647 Resolves cockroachdb#19826 Release note (docker): Support env variables and init scripts in docker-entrypoint-initdb.d for `start-single-node` command

…` command This commit adds support for environment varibales `COCKROACH_DATABASE`, `COCKROACH_USER` and `COCKROACH_PASSWORD`for a default database and/or a default user with password. I.e., a similar feature as POSTGRES_DB,`POSTGRES_USER` and `POSTGRES_PASSWORD` in PostgreSQL's docker image. See also https://hub.docker.com/_/postgres. Also we support additional initialization from init scripts in `docker-entrypoint-initdb.d`. Users need to mount the `docker-entrypoint-initdb.d` using the `-v` flag when running the docker image. The usage is similar to the one in PostgreSQL's docker image. Note: - The new features only affect the `start-single-node` sub-command of cockroach; - All the other cockroach sub-commands function the same as they previously functioned; - Bash is now supported in addition to shell. Usage for environment variables: 1. Start the cockroach server by running ``` docker run -d \ -e COCKROACH_DATABASE=mydb \ -e COCKROACH_USER=bee \ -e COCKROACH_PASSWORD=23333 \ --name=roach1 \ --hostname=roach1 \ --net=roachnet \ -p 26257:26257 -p 8080:8080 \ -v "${PWD}/cockroach-data/roach1:/cockroach/cockroach-data" \ -v "${PWD}/docker-entrypoint-initdb.d/:/docker-entrypoint-initdb.d" \ cockroachdb/cockroach:latest start-single-node \ --insecure ``` where `-e COCKROACH_DATABASE=mydb` is to set the default database's name, `-e COCKROACH_USER=bee` is to set the default user name, and `-e COCKROACH_PASSWORD=23333` is to set the password for the default user. This `docker run` command gives a container id. Use `docker logs` to check if the initialization is finished. 2. Enter the sql interface by running ``` docker exec -it roach1 ./cockroach sql --certs-dir=certs \ --url="postgresql://bee:[email protected]:26257/defaultdb?sslcert=certs%2Fclient.bee.crt&sslkey=certs%2Fclient.bee.key&sslmode=verify-full&sslrootcert=certs%2Fca.crt" ``` 3. Run `\l` to check the list of databases, run `SHOW ROLES;` to check the list of users. Usage for init scripts: 1. Put `.sql`/`.sql.gz`/`.sql.xz` files under `docker-entrypoint-initdb.d`. 2. Run: ``` docker run -d \ -e COCKROACH_DATABASE=mydb \ --name=roach1 \ --hostname=roach1 \ --net=roachnet \ -p 26257:26257 -p 8080:8080 \ -v "${PWD}/cockroach-data/roach1:/cockroach/cockroach-data" \ cockroachdb/cockroach:latest start-single-node \ --certs-dir=certs ``` 3. Enter the sql interface to check if the init scripts are processed. Resolves cockroachdb#48647 Resolves cockroachdb#19826 Release note (docker): Support env variables and init scripts in docker-entrypoint-initdb.d for `start-single-node` command

…` command This commit adds support for environment varibales `COCKROACH_DATABASE`, `COCKROACH_USER` and `COCKROACH_PASSWORD`for a default database and/or a default user with password. I.e., a similar feature as POSTGRES_DB,`POSTGRES_USER` and `POSTGRES_PASSWORD` in PostgreSQL's docker image. See also https://hub.docker.com/_/postgres. Also we support additional initialization from init scripts in `docker-entrypoint-initdb.d`. Users need to mount the `docker-entrypoint-initdb.d` using the `-v` flag when running the docker image. The usage is similar to the one in PostgreSQL's docker image. Note: - The new features only affect the `start-single-node` sub-command of cockroach; - Bash commands are now supported in addition to shell commands; - All the other cockroach sub-commands function the same as they previously functioned. Usage for environment variables: 1. Start the cockroach server by running ``` docker run -d \ -e COCKROACH_DATABASE=mydb \ -e COCKROACH_USER=bee \ -e COCKROACH_PASSWORD=23333 \ --name=roach1 \ --hostname=roach1 \ --net=roachnet \ -p 26257:26257 -p 8080:8080 \ -v "${PWD}/cockroach-data/roach1:/cockroach/cockroach-data" \ -v "${PWD}/docker-entrypoint-initdb.d/:/docker-entrypoint-initdb.d" \ cockroachdb/cockroach:latest start-single-node \ --insecure ``` where `-e COCKROACH_DATABASE=mydb` is to set the default database's name, `-e COCKROACH_USER=bee` is to set the default user name, and `-e COCKROACH_PASSWORD=23333` is to set the password for the default user. This `docker run` command gives a container id. Use `docker logs` to check if the initialization is finished. 2. Enter the sql interface by running ``` docker exec -it roach1 ./cockroach sql --certs-dir=certs \ --url="postgresql://bee:[email protected]:26257/mydb?sslcert=certs%2Fclient.bee.crt&sslkey=certs%2Fclient.bee.key&sslmode=verify-full&sslrootcert=certs%2Fca.crt" ``` 3. Run `\l` to check the list of databases, run `SHOW ROLES;` to check the list of users. Usage for init scripts: 1. Put `.sql`/`.sql.gz`/`.sql.xz` files under `docker-entrypoint-initdb.d`. 2. Run: ``` docker run -d \ -e COCKROACH_DATABASE=mydb \ --name=roach1 \ --hostname=roach1 \ --net=roachnet \ -p 26257:26257 -p 8080:8080 \ -v "${PWD}/cockroach-data/roach1:/cockroach/cockroach-data" \ cockroachdb/cockroach:latest start-single-node \ --certs-dir=certs ``` 3. Enter the sql interface to check if the init scripts are processed. Resolves cockroachdb#48647 Resolves cockroachdb#19826 Release note (docker): Support env variables and init scripts in docker-entrypoint-initdb.d for `start-single-node` command

…` command This commit adds support for environment varibales `COCKROACH_DATABASE`, `COCKROACH_USER` and `COCKROACH_PASSWORD`for a default database and/or a default user with password. I.e., a similar feature as POSTGRES_DB,`POSTGRES_USER` and `POSTGRES_PASSWORD` in PostgreSQL's docker image. See also https://hub.docker.com/_/postgres. Also, we now support additional initialization from init scripts in `docker-entrypoint-initdb.d`. Users need to mount the `docker-entrypoint-initdb.d` using the `-v` flag when running the docker image. The usage is similar to the one in PostgreSQL's docker image. Note: - The new features only affect the `start-single-node` sub-command of cockroach; - Bash commands are now supported in addition to shell commands; - All the other cockroach sub-commands function the same as they previously functioned. Usage: 1. Create a bridge network with `docker network create -d bridge --subnet=172.18.0.0/16 roachnet`. 2. Start the cockroach server. If you want to explicitly set the advertise address, set the `--ip` flag for the docker container, and the `--advertise-address` for the cockroach node with the same address within the range of the docker network's subnet. If it's not specified, the default ip for the node is 127.0.0.1 (localhost). ``` docker run -d \ -e COCKROACH_DATABASE=mydb \ -e COCKROACH_USER=myuser \ -e COCKROACH_PASSWORD=12345 \ --name=roach1 \ --ip=172.18.0.3 \ --hostname=roach1 \ --net=roachnet \ -p 26257:26257 -p 8080:8080 \ -v "${PWD}/cockroach-data/roach1:/cockroach/cockroach-data" \ -v "${PWD}/docker-entrypoint-initdb.d/:/docker-entrypoint-initdb.d" \ cockroachdb/jane_cockroach:latest start-single-node \ --advertise-addr=172.18.0.3 \ --certs-dir=certs ``` where `-e COCKROACH_DATABASE=mydb` is to set the default database's name, `-e COCKROACH_USER=myuser` is to set the default user name, and `-e COCKROACH_PASSWORD=12345` is to set the password for the default user. Initialization scripts (`.sql`/`.sql.gz`/`.sql.xz`) are expected to be placed in a dir `docker-entrypoint-initdb.d` under the current path. Use `docker logs roach1 --follow` to check if the initialization is finished. 3. Enter the sql interface. ``` docker exec -it roach1 ./cockroach sql --certs-dir=certs \ --url="postgresql://myuser:[email protected]:26257/mydb?sslcert=certs%2Fclient.myuser.crt&sslkey=certs%2Fclient.myuser.key&sslmode=verify-full&sslrootcert=certs%2Fca.crt" ``` 4. Run `\l` to check the list of databases, run `SHOW ROLES;` to check the list of users. Resolves cockroachdb#48647 Resolves cockroachdb#19826 Release note (docker): Support env variables and init scripts in docker-entrypoint-initdb.d for `start-single-node` command

…` command This commit adds support for environment varibales `COCKROACH_DATABASE`, `COCKROACH_USER` and `COCKROACH_PASSWORD`for a default database and/or a default user with password. I.e., a similar feature as POSTGRES_DB,`POSTGRES_USER` and `POSTGRES_PASSWORD` in PostgreSQL's docker image. See also https://hub.docker.com/_/postgres. Also, we now support additional initialization from init scripts in `docker-entrypoint-initdb.d`. Users need to mount the `docker-entrypoint-initdb.d` using the `-v` flag when running the docker image. The usage is similar to the one in PostgreSQL's docker image. Note: - The new features only affect the `start-single-node` sub-command of cockroach; - Bash commands are now supported in addition to shell commands; - All the other cockroach sub-commands function the same as they previously functioned. Usage: 1. Create a bridge network with `docker network create -d bridge --subnet=172.18.0.0/16 roachnet`. 2. Start the cockroach server. If you want to explicitly set the advertise address, set the `--ip` flag for the docker container, and the `--advertise-address` for the cockroach node with the same address within the range of the docker network's subnet. If it's not specified, the default ip for the node is 127.0.0.1 (localhost). Note that in this commit we only support the port mapping for default cockroach port (`26257`). Hence users have to sepcify `-p 26257:26257`, and are not encouraged to specify other ports with the `--advertise-addr` flag. We leave the compatibility for other ports for the future work. ``` docker run -d \ -e COCKROACH_DATABASE=mydb \ -e COCKROACH_USER=myuser \ -e COCKROACH_PASSWORD=12345 \ --name=roach1 \ --ip=172.18.0.3 \ --hostname=roach1 \ --net=roachnet \ -p 26257:26257 -p 8080:8080 \ -v "${PWD}/cockroach-data/roach1:/cockroach/cockroach-data" \ -v "${PWD}/docker-entrypoint-initdb.d/:/docker-entrypoint-initdb.d" \ cockroachdb/jane_cockroach:latest start-single-node \ --advertise-addr=172.18.0.3 \ ``` where `-e COCKROACH_DATABASE=mydb` is to set the default database's name, `-e COCKROACH_USER=myuser` is to set the default user name, and `-e COCKROACH_PASSWORD=12345` is to set the password for the default user. Initialization scripts (`.sql`/`.sql.gz`/`.sql.xz`) are expected to be placed in a dir `docker-entrypoint-initdb.d` under the current path. Use `docker logs roach1 --follow` to check if the initialization is finished. By default we implicitly create a `certs` dir and start the server in secure mode. Users can also use `--insecure` mode when start the single-node server. 3. Enter the sql interface. ``` docker exec -it roach1 ./cockroach sql --certs-dir=certs \ --url="postgresql://myuser:[email protected]:26257/mydb?sslcert=certs%2Fclient.myuser.crt&sslkey=certs%2Fclient.myuser.key&sslmode=verify-full&sslrootcert=certs%2Fca.crt" ``` Users can also use `--insecure` for sql query if the server was created in insecure mode. 4. Run `\l` to check the list of databases, run `SHOW ROLES;` to check the list of users. Unsolved Problems: 1. Support ports other than the default `26257`; 2. If the single-node-server is started in `--insecure` mode, when trying to enter the sql console with `docker exec ... ./cockroach sql --user=myuser --insecure`, the `--user` flag would be ignore, and users will always enter as `root`. (Though they can do `set role myuser` in the sql console.) Resolves cockroachdb#48647 Resolves cockroachdb#19826 Release note (docker): Support env variables and init scripts in docker-entrypoint-initdb.d for `start-single-node` command

…` command This commit adds support for environment varibales `COCKROACH_DATABASE`, `COCKROACH_USER` and `COCKROACH_PASSWORD`for a default database and/or a default user with password. I.e., a similar feature as POSTGRES_DB,`POSTGRES_USER` and `POSTGRES_PASSWORD` in PostgreSQL's docker image. See also https://hub.docker.com/_/postgres. Also, we now support additional initialization from init scripts in `docker-entrypoint-initdb.d`. Users need to mount the `docker-entrypoint-initdb.d` using the `-v` flag when running the docker image. The usage is similar to the one in PostgreSQL's docker image. Note: - The new features only affect the `start-single-node` sub-command of cockroach; - Bash commands are now supported in addition to shell commands; - All the other cockroach sub-commands function the same as they previously functioned. Usage: 1. Create a bridge network with `docker network create -d bridge --subnet=172.18.0.0/16 roachnet`. 2. Start the cockroach server. If you want to explicitly set the advertise address, set the `--ip` flag for the docker container, and the `--advertise-address` for the cockroach node with the same address within the range of the docker network's subnet. If it's not specified, the default ip for the node is 127.0.0.1 (localhost). Note that in this commit we only support the port mapping for default cockroach port (`26257`). Hence users have to sepcify `-p 26257:26257`, and are not encouraged to specify other ports with the `--advertise-addr` flag. We leave the compatibility for other ports for the future work. ``` docker run -d \ -e COCKROACH_DATABASE=mydb \ -e COCKROACH_USER=myuser \ -e COCKROACH_PASSWORD=12345 \ --name=roach1 \ --ip=172.18.0.3 \ --hostname=roach1 \ --net=roachnet \ -p 26257:26257 -p 8080:8080 \ -v "${PWD}/cockroach-data/roach1:/cockroach/cockroach-data" \ -v "${PWD}/docker-entrypoint-initdb.d/:/docker-entrypoint-initdb.d" \ cockroachdb/jane_cockroach:latest start-single-node \ --advertise-addr=172.18.0.3 \ ``` where `-e COCKROACH_DATABASE=mydb` is to set the default database's name, `-e COCKROACH_USER=myuser` is to set the default user name, and `-e COCKROACH_PASSWORD=12345` is to set the password for the default user. Initialization scripts (`.sql`/`.sql.gz`/`.sql.xz`) are expected to be placed in a dir `docker-entrypoint-initdb.d` under the current path. Use `docker logs roach1 --follow` to check if the initialization is finished. By default we implicitly create a `certs` dir and start the server in secure mode. Users can also use `--insecure` mode when start the single-node server. 3. Enter the sql interface. ``` docker exec -it roach1 ./cockroach sql --certs-dir=certs \ --url="postgresql://myuser:[email protected]:26257/mydb?sslcert=certs%2Fclient.myuser.crt&sslkey=certs%2Fclient.myuser.key&sslmode=verify-full&sslrootcert=certs%2Fca.crt" ``` Users can also use `--insecure` for sql query if the server was created in insecure mode. 4. Run `\l` to check the list of databases, run `SHOW ROLES;` to check the list of users. Unsolved Problems: 1. Support ports other than the default `26257`; 2. If the single-node-server is started in `--insecure` mode, when trying to enter the sql console with `docker exec ... ./cockroach sql --user=myuser --insecure`, the `--user` flag would be ignore, and users will always enter as `root`. (Though they can do `set role myuser` in the sql console.) Note that this commit doesn't include tests yet because the [related test infra](cockroachdb#72586) is not finished. Related tests will be added after this commit get merged. Resolves cockroachdb#48647 Resolves cockroachdb#19826 Release note (docker): Support env variables and init scripts in docker-entrypoint-initdb.d for `start-single-node` command

70238: docker: support env variables and init scripts for `start-single-node` r=[knz,jlinder,rafiss] a=ZhouXing19 This commit adds support for environment varibales `COCKROACH_DATABASE`, `COCKROACH_USER` and `COCKROACH_PASSWORD`for a default database and/or a default user with password. I.e., a similar feature as POSTGRES_DB,`POSTGRES_USER` and `POSTGRES_PASSWORD` in PostgreSQL's docker image. See also https://hub.docker.com/_/postgres. Also, we now support additional initialization from init scripts in `docker-entrypoint-initdb.d`. Users need to mount the `docker-entrypoint-initdb.d` using the `-v` flag when running the docker image. The usage is similar to the one in PostgreSQL's docker image. Note: - The new features only affect the `start-single-node` sub-command of cockroach; - Bash commands are now supported in addition to shell commands; - All the other cockroach sub-commands function the same as they previously functioned. Usage: 1. Create a bridge network with `docker network create -d bridge --subnet=172.18.0.0/16 roachnet`. 2. Start the cockroach server. If you want to explicitly set the advertise address, set the `--ip` flag for the docker container, and the `--advertise-address` for the cockroach node with the same address within the range of the docker network's subnet. If it's not specified, the default ip for the node is 127.0.0.1 (localhost). Note that in this commit we only support the port mapping for default cockroach port (`26257`). Hence users have to sepcify `-p 26257:26257`, and are not encouraged to specify other ports with the `--advertise-addr` flag. We leave the compatibility for other ports for the future work. ``` docker run -d \ -e COCKROACH_DATABASE=mydb \ -e COCKROACH_USER=myuser \ -e COCKROACH_PASSWORD=12345 \ --name=roach1 \ --ip=172.18.0.3 \ --hostname=roach1 \ --net=roachnet \ -p 26257:26257 -p 8080:8080 \ -v "${PWD}/cockroach-data/roach1:/cockroach/cockroach-data" \ -v "${PWD}/docker-entrypoint-initdb.d/:/docker-entrypoint-initdb.d" \ cockroachdb/jane_cockroach:latest start-single-node \ --advertise-addr=172.18.0.3 \ ``` where `-e COCKROACH_DATABASE=mydb` is to set the default database's name, `-e COCKROACH_USER=myuser` is to set the default user name, and `-e COCKROACH_PASSWORD=12345` is to set the password for the default user. Initialization scripts (`.sql`/`.sql.gz`/`.sql.xz`) are expected to be placed in a dir `docker-entrypoint-initdb.d` under the current path. Use `docker logs roach1 --follow` to check if the initialization is finished. By default we implicitly create a `certs` dir and start the server in secure mode. Users can also use `--insecure` mode when start the single-node server. 3. Enter the sql interface. ``` docker exec -it roach1 ./cockroach sql --certs-dir=certs \ --url="postgresql://myuser:[email protected]:26257/mydb?sslcert=certs%2Fclient.myuser.crt&sslkey=certs%2Fclient.myuser.key&sslmode=verify-full&sslrootcert=certs%2Fca.crt" ``` Users can also use `--insecure` for sql query if the server was created in insecure mode. 4. Run `\l` to check the list of databases, run `SHOW ROLES;` to check the list of users. Unsolved Problems: 1. Support ports other than the default `26257`; 2. If the single-node-server is started in `--insecure` mode, when trying to enter the sql console with `docker exec ... ./cockroach sql --user=myuser --insecure`, the `--user` flag would be ignore, and users will always enter as `root`. (Though they can do `set role myuser` in the sql console.) Note that this commit doesn't include tests yet because the [related test infra](#72586) is not yet finished. Related tests will be added after this commit get merged. Resolves #48647 Resolves #19826 Release note (docker): Support env variables and init scripts in docker-entrypoint-initdb.d for `start-single-node` command Co-authored-by: Jane Xing <[email protected]>

rafiss added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) A-build-system labels May 9, 2020

This was referenced Aug 14, 2020

cli: extend cockroach init (or 1st start without --join) with SQL initialization #26722

Closed

docker: Create default database #19826

Closed

knz added A-cli A-orchestration Relating to orchestration systems like Kubernetes and removed A-build-system labels Sep 21, 2020

This was referenced Sep 24, 2020

server: split server pre-start from accepting clients #54758

Merged

cli: support executing "initial SQL" from a directory #54771

Closed

jseldess mentioned this issue Mar 1, 2021

docker: document default database creation in docker hub cockroachdb/docs#4687

Closed

knz added A-cli-admin CLI commands that pertain to controlling and configuring nodes and removed A-cli labels Mar 20, 2021

rafiss added the T-sql-foundations SQL Foundations Team (formerly SQL Schema + SQL Sessions) label May 7, 2021

jlinder added T-dev-inf T-server-and-security DB Server & Security labels Jun 16, 2021

rafiss added the A-tools-testcontainers label Jul 29, 2021

ZhouXing19 mentioned this issue Sep 27, 2021

docker: support env variables and init scripts for start-single-node #70238

Merged

craig bot closed this as completed in 2862374 Jan 7, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

build: docker image should support init scripts in docker-entrypoint-initdb.d #48647

build: docker image should support init scripts in docker-entrypoint-initdb.d #48647

rafiss commented May 9, 2020 •

edited

Loading

knz commented Aug 24, 2020

Uh oh!

rafiss commented Aug 24, 2020 •

edited

Loading

Uh oh!

knz commented Sep 21, 2020

Uh oh!

knz commented Sep 21, 2020

Uh oh!

rafiss commented Sep 23, 2020

Uh oh!

knz commented Sep 23, 2020

Uh oh!

rafiss commented Sep 23, 2020

Uh oh!

knz commented Sep 22, 2021

Uh oh!

knz commented Sep 22, 2021 •

edited

Loading

Uh oh!

build: docker image should support init scripts in docker-entrypoint-initdb.d #48647

build: docker image should support init scripts in docker-entrypoint-initdb.d #48647

Comments

rafiss commented May 9, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

knz commented Aug 24, 2020

Uh oh!

rafiss commented Aug 24, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

knz commented Sep 21, 2020

Uh oh!

knz commented Sep 21, 2020

Uh oh!

rafiss commented Sep 23, 2020

Uh oh!

knz commented Sep 23, 2020

Uh oh!

rafiss commented Sep 23, 2020

Uh oh!

knz commented Sep 22, 2021

Uh oh!

knz commented Sep 22, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rafiss commented May 9, 2020 •

edited

Loading

rafiss commented Aug 24, 2020 •

edited

Loading

knz commented Sep 22, 2021 •

edited

Loading