From 55cde0de6da7ad9300af13e1d766c6033840ac73 Mon Sep 17 00:00:00 2001 From: John Wyles Date: Thu, 7 Feb 2019 01:21:19 -0800 Subject: [PATCH 1/2] Issue #329: Initialization of a user defined database, username, and password using environment variables --- 3.4/docker-entrypoint.sh | 27 +++++++++++++++++++++++++++ 3.6/docker-entrypoint.sh | 27 +++++++++++++++++++++++++++ 4.0/docker-entrypoint.sh | 27 +++++++++++++++++++++++++++ 4.1/docker-entrypoint.sh | 27 +++++++++++++++++++++++++++ docker-entrypoint.sh | 27 +++++++++++++++++++++++++++ 5 files changed, 135 insertions(+) diff --git a/3.4/docker-entrypoint.sh b/3.4/docker-entrypoint.sh index d340570997..437f87f938 100755 --- a/3.4/docker-entrypoint.sh +++ b/3.4/docker-entrypoint.sh @@ -180,6 +180,8 @@ _dbPath() { if [ "$originalArgOne" = 'mongod' ]; then file_env 'MONGO_INITDB_ROOT_USERNAME' file_env 'MONGO_INITDB_ROOT_PASSWORD' + file_env 'MONGO_NON_ROOT_USERNAME' + file_env 'MONGO_NON_ROOT_PASSWORD' # pre-check a few factors to see if it's even worth bothering with initdb shouldPerformInitdb= if [ "$MONGO_INITDB_ROOT_USERNAME" ] && [ "$MONGO_INITDB_ROOT_PASSWORD" ]; then @@ -207,6 +209,11 @@ if [ "$originalArgOne" = 'mongod' ]; then ;; esac done + + # we should also initdb if we have set a non-root username and password + if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then + shouldPerformInitdb="$f" + fi fi # check for a few known paths (to determine whether we've already initialized and should thus skip our initdb scripts) 
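Review bot: The two `file_env` lines added in the @@ -180 hunk bring a second password into the entrypoint's environment, and nothing in this series clears it once `db.createUser` has run. Unless cleanup elsewhere in the script covers these names (not visible here; they do not share the `MONGO_INITDB_` prefix of the existing variables), the value would stay readable in the environment of whatever the entrypoint starts afterwards. Consider adding `unset MONGO_NON_ROOT_USERNAME MONGO_NON_ROOT_PASSWORD` once the user has been created, with a comment such as `# drop the credential from the environment before the server is started`. The same two lines are added in the 3.6, 4.0, 4.1 and top-level copies.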
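Review bot: In the @@ -207 hunk, `shouldPerformInitdb="$f"` takes its value from `$f`, which looks like the variable of the loop that ends at the `done` just above (the loop header is outside the hunk). At this point `$f` holds whatever the loop last saw, possibly an unrelated file name or the unexpanded glob, so the flag's value has nothing to do with why initdb was requested. An explicit marker is clearer and does not depend on leftover state: `shouldPerformInitdb='non-root-user'`. The enclosing `if` starts outside the hunk, and the same line appears in the 3.6, 4.0, 4.1 and top-level copies.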
@@ -300,8 +307,28 @@ if [ "$originalArgOne" = 'mongod' ]; then EOJS fi + # we use the test database if one was not set and this will be used + # if we have specified scripts or a non-root username and password export MONGO_INITDB_DATABASE="${MONGO_INITDB_DATABASE:-test}" + # we set a default non-root role of readWrite if one is not supplied + export MONGO_NON_ROOT_ROLE="${MONGO_NON_ROOT_ROLE:-readWrite}" + + if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then + "${mongo[@]}" "$MONGO_INITDB_DATABASE" <<-EOJS + db.createUser({ + user: $(_js_escape "$MONGO_NON_ROOT_USERNAME"), + pwd: $(_js_escape "$MONGO_NON_ROOT_PASSWORD"), + roles: [ { role: $(_js_escape "$MONGO_NON_ROOT_ROLE"), db: $(_js_escape "$MONGO_INITDB_DATABASE") } ] + }) + EOJS + + # we don't need an else here because we checked for a non-root + # username and password above and set shouldPerformInitdb so we + # are already under the condition where they are set + # or /docker-entrypoint-initdb.d/* scripts have been found + fi + echo for f in /docker-entrypoint-initdb.d/*; do case "$f" in diff --git a/3.6/docker-entrypoint.sh b/3.6/docker-entrypoint.sh index d340570997..437f87f938 100755 --- a/3.6/docker-entrypoint.sh +++ b/3.6/docker-entrypoint.sh @@ -180,6 +180,8 @@ _dbPath() { if [ "$originalArgOne" = 'mongod' ]; then file_env 'MONGO_INITDB_ROOT_USERNAME' file_env 'MONGO_INITDB_ROOT_PASSWORD' + file_env 'MONGO_NON_ROOT_USERNAME' + file_env 'MONGO_NON_ROOT_PASSWORD' # pre-check a few factors to see if it's even worth bothering with initdb shouldPerformInitdb= if [ "$MONGO_INITDB_ROOT_USERNAME" ] && [ "$MONGO_INITDB_ROOT_PASSWORD" ]; then 
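Review bot: The `db.createUser` block in the 3.4 @@ -300 hunk runs whenever `MONGO_NON_ROOT_USERNAME` and `MONGO_NON_ROOT_PASSWORD` are set, whether or not the root pair is set. If the script enables access control only when root credentials are supplied (that logic is outside the hunk), this account ends up on a server that does not enforce authentication, and the operator has no sign of it. The second patch in the series gates the block in the top-level `docker-entrypoint.sh` only; the 3.4, 3.6, 4.0 and 4.1 copies keep this ungated form unless they are regenerated. Independently, a comment above the role default would help, e.g. `# MONGO_NON_ROOT_ROLE is passed through as given; the role is granted on MONGO_INITDB_DATABASE only`.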
@@ -207,6 +209,11 @@ if [ "$originalArgOne" = 'mongod' ]; then ;; esac done + + # we should also initdb if we have set a non-root username and password + if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then + shouldPerformInitdb="$f" + fi fi # check for a few known paths (to determine whether we've already initialized and should thus skip our initdb scripts) @@ -300,8 +307,28 @@ if [ "$originalArgOne" = 'mongod' ]; then EOJS fi + # we use the test database if one was not set and this will be used + # if we have specified scripts or a non-root username and password export MONGO_INITDB_DATABASE="${MONGO_INITDB_DATABASE:-test}" + # we set a default non-root role of readWrite if one is not supplied + export MONGO_NON_ROOT_ROLE="${MONGO_NON_ROOT_ROLE:-readWrite}" + + if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then + "${mongo[@]}" "$MONGO_INITDB_DATABASE" <<-EOJS + db.createUser({ + user: $(_js_escape "$MONGO_NON_ROOT_USERNAME"), + pwd: $(_js_escape "$MONGO_NON_ROOT_PASSWORD"), + roles: [ { role: $(_js_escape "$MONGO_NON_ROOT_ROLE"), db: $(_js_escape "$MONGO_INITDB_DATABASE") } ] + }) + EOJS + + # we don't need an else here because we checked for a non-root + # username and password above and set shouldPerformInitdb so we + # are already under the condition where they are set + # or /docker-entrypoint-initdb.d/* scripts have been found + fi + echo for f in /docker-entrypoint-initdb.d/*; do case "$f" in diff --git a/4.0/docker-entrypoint.sh b/4.0/docker-entrypoint.sh index d340570997..437f87f938 100755 --- a/4.0/docker-entrypoint.sh +++ b/4.0/docker-entrypoint.sh 
@@ -180,6 +180,8 @@ _dbPath() { if [ "$originalArgOne" = 'mongod' ]; then file_env 'MONGO_INITDB_ROOT_USERNAME' file_env 'MONGO_INITDB_ROOT_PASSWORD' + file_env 'MONGO_NON_ROOT_USERNAME' + file_env 'MONGO_NON_ROOT_PASSWORD' # pre-check a few factors to see if it's even worth bothering with initdb shouldPerformInitdb= if [ "$MONGO_INITDB_ROOT_USERNAME" ] && [ "$MONGO_INITDB_ROOT_PASSWORD" ]; then @@ -207,6 +209,11 @@ if [ "$originalArgOne" = 'mongod' ]; then ;; esac done + + # we should also initdb if we have set a non-root username and password + if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then + shouldPerformInitdb="$f" + fi fi # check for a few known paths (to determine whether we've already initialized and should thus skip our initdb scripts) @@ -300,8 +307,28 @@ if [ "$originalArgOne" = 'mongod' ]; then EOJS fi + # we use the test database if one was not set and this will be used + # if we have specified scripts or a non-root username and password export MONGO_INITDB_DATABASE="${MONGO_INITDB_DATABASE:-test}" + # we set a default non-root role of readWrite if one is not supplied + export MONGO_NON_ROOT_ROLE="${MONGO_NON_ROOT_ROLE:-readWrite}" + + if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then + "${mongo[@]}" "$MONGO_INITDB_DATABASE" <<-EOJS + db.createUser({ + user: $(_js_escape "$MONGO_NON_ROOT_USERNAME"), + pwd: $(_js_escape "$MONGO_NON_ROOT_PASSWORD"), + roles: [ { role: $(_js_escape "$MONGO_NON_ROOT_ROLE"), db: $(_js_escape "$MONGO_INITDB_DATABASE") } ] + }) + EOJS + + # we don't need an else here because we checked for a non-root + # username and password above and set shouldPerformInitdb so we + # are already under the condition where they are set + # or /docker-entrypoint-initdb.d/* scripts have been found + fi + echo for f in /docker-entrypoint-initdb.d/*; do case "$f" in diff --git a/4.1/docker-entrypoint.sh b/4.1/docker-entrypoint.sh index d340570997..437f87f938 100755 
--- a/4.1/docker-entrypoint.sh +++ b/4.1/docker-entrypoint.sh @@ -180,6 +180,8 @@ _dbPath() { if [ "$originalArgOne" = 'mongod' ]; then file_env 'MONGO_INITDB_ROOT_USERNAME' file_env 'MONGO_INITDB_ROOT_PASSWORD' + file_env 'MONGO_NON_ROOT_USERNAME' + file_env 'MONGO_NON_ROOT_PASSWORD' # pre-check a few factors to see if it's even worth bothering with initdb shouldPerformInitdb= if [ "$MONGO_INITDB_ROOT_USERNAME" ] && [ "$MONGO_INITDB_ROOT_PASSWORD" ]; then @@ -207,6 +209,11 @@ if [ "$originalArgOne" = 'mongod' ]; then ;; esac done + + # we should also initdb if we have set a non-root username and password + if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then + shouldPerformInitdb="$f" + fi fi # check for a few known paths (to determine whether we've already initialized and should thus skip our initdb scripts) @@ -300,8 +307,28 @@ if [ "$originalArgOne" = 'mongod' ]; then EOJS fi + # we use the test database if one was not set and this will be used + # if we have specified scripts or a non-root username and password export MONGO_INITDB_DATABASE="${MONGO_INITDB_DATABASE:-test}" + # we set a default non-root role of readWrite if one is not supplied + export MONGO_NON_ROOT_ROLE="${MONGO_NON_ROOT_ROLE:-readWrite}" + + if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then + "${mongo[@]}" "$MONGO_INITDB_DATABASE" <<-EOJS + db.createUser({ + user: $(_js_escape "$MONGO_NON_ROOT_USERNAME"), + pwd: $(_js_escape "$MONGO_NON_ROOT_PASSWORD"), + roles: [ { role: $(_js_escape "$MONGO_NON_ROOT_ROLE"), db: $(_js_escape "$MONGO_INITDB_DATABASE") } ] + }) + EOJS + + # we don't need an else here because we checked for a non-root + # username and password above and set shouldPerformInitdb so we + # are already under the condition where they are set + # or /docker-entrypoint-initdb.d/* scripts have been found + fi + echo for f in /docker-entrypoint-initdb.d/*; do case "$f" in 
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index d340570997..437f87f938 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -180,6 +180,8 @@ _dbPath() { if [ "$originalArgOne" = 'mongod' ]; then file_env 'MONGO_INITDB_ROOT_USERNAME' file_env 'MONGO_INITDB_ROOT_PASSWORD' + file_env 'MONGO_NON_ROOT_USERNAME' + file_env 'MONGO_NON_ROOT_PASSWORD' # pre-check a few factors to see if it's even worth bothering with initdb shouldPerformInitdb= if [ "$MONGO_INITDB_ROOT_USERNAME" ] && [ "$MONGO_INITDB_ROOT_PASSWORD" ]; then @@ -207,6 +209,11 @@ if [ "$originalArgOne" = 'mongod' ]; then ;; esac done + + # we should also initdb if we have set a non-root username and password + if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then + shouldPerformInitdb="$f" + fi fi # check for a few known paths (to determine whether we've already initialized and should thus skip our initdb scripts) 
@@ -300,8 +307,28 @@ if [ "$originalArgOne" = 'mongod' ]; then EOJS fi + # we use the test database if one was not set and this will be used + # if we have specified scripts or a non-root username and password export MONGO_INITDB_DATABASE="${MONGO_INITDB_DATABASE:-test}" + # we set a default non-root role of readWrite if one is not supplied + export MONGO_NON_ROOT_ROLE="${MONGO_NON_ROOT_ROLE:-readWrite}" + + if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then + "${mongo[@]}" "$MONGO_INITDB_DATABASE" <<-EOJS + db.createUser({ + user: $(_js_escape "$MONGO_NON_ROOT_USERNAME"), + pwd: $(_js_escape "$MONGO_NON_ROOT_PASSWORD"), + roles: [ { role: $(_js_escape "$MONGO_NON_ROOT_ROLE"), db: $(_js_escape "$MONGO_INITDB_DATABASE") } ] + }) + EOJS + + # we don't need an else here because we checked for a non-root + # username and password above and set shouldPerformInitdb so we + # are already under the condition where they are set + # or /docker-entrypoint-initdb.d/* scripts have been found + fi + echo for f in /docker-entrypoint-initdb.d/*; do case "$f" in From a18fe185c83453a83bb1568918ef774ca1efdd8e Mon Sep 17 00:00:00 2001 From: John Wyles Date: Mon, 4 Mar 2019 14:08:13 -0800 Subject: [PATCH 2/2] Gating the non-root username/password based on the presence of root username/password and rearranging ordering to suit this --- docker-entrypoint.sh | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 437f87f938..361da333a2 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
@@ -295,6 +295,10 @@ if [ "$originalArgOne" = 'mongod' ]; then sleep 1 done + # we use the test database if one was not set and this will be used + # if we have specified scripts or a non-root username and password + export MONGO_INITDB_DATABASE="${MONGO_INITDB_DATABASE:-test}" + if [ "$MONGO_INITDB_ROOT_USERNAME" ] && [ "$MONGO_INITDB_ROOT_PASSWORD" ]; then rootAuthDatabase='admin' 
@@ -305,28 +309,24 @@ if [ "$originalArgOne" = 'mongod' ]; then roles: [ { role: 'root', db: $(_js_escape "$rootAuthDatabase") } ] }) EOJS - fi - # we use the test database if one was not set and this will be used - # if we have specified scripts or a non-root username and password - export MONGO_INITDB_DATABASE="${MONGO_INITDB_DATABASE:-test}" - - # we set a default non-root role of readWrite if one is not supplied - export MONGO_NON_ROOT_ROLE="${MONGO_NON_ROOT_ROLE:-readWrite}" - - if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then - "${mongo[@]}" "$MONGO_INITDB_DATABASE" <<-EOJS - db.createUser({ - user: $(_js_escape "$MONGO_NON_ROOT_USERNAME"), - pwd: $(_js_escape "$MONGO_NON_ROOT_PASSWORD"), - roles: [ { role: $(_js_escape "$MONGO_NON_ROOT_ROLE"), db: $(_js_escape "$MONGO_INITDB_DATABASE") } ] - }) - EOJS - - # we don't need an else here because we checked for a non-root - # username and password above and set shouldPerformInitdb so we - # are already under the condition where they are set - # or /docker-entrypoint-initdb.d/* scripts have been found + if [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] && [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then + # we set a default non-root role of readWrite if one is not supplied + export MONGO_NON_ROOT_ROLE="${MONGO_NON_ROOT_ROLE:-readWrite}" + + "${mongo[@]}" "$MONGO_INITDB_DATABASE" <<-EOJS + db.createUser({ + user: $(_js_escape "$MONGO_NON_ROOT_USERNAME"), + pwd: $(_js_escape "$MONGO_NON_ROOT_PASSWORD"), + roles: [ { role: $(_js_escape "$MONGO_NON_ROOT_ROLE"), db: $(_js_escape "$MONGO_INITDB_DATABASE") } ] + }) + EOJS + + # we don't need an else here because we checked for a non-root + # username and password above and set shouldPerformInitdb so we + # are already under the condition where they are set + # or /docker-entrypoint-initdb.d/* scripts have been found + fi fi echo
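Review bot: With the non-root block now nested under the root-credential check, setting only `MONGO_NON_ROOT_USERNAME`/`MONGO_NON_ROOT_PASSWORD` is skipped silently. The first patch's @@ -207 hunk still sets `shouldPerformInitdb`, so initdb runs and no user is created. An operator who expects that account to exist gets no signal, so the outer `if` should get a branch such as `elif [ -n "${MONGO_NON_ROOT_USERNAME:-}" ] || [ -n "${MONGO_NON_ROOT_PASSWORD:-}" ]; then` followed by `echo >&2 'warning: MONGO_NON_ROOT_* ignored: MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD are required'`. The retained comment "we don't need an else here ..." no longer describes this structure and could be replaced with `# the non-root user is only created when root credentials are also set`. The enclosing `if [ "$originalArgOne" = 'mongod' ]` block starts and ends outside the hunk.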