mariadb base images are doomed

.drone.jsonnet

@@ -1,45 +0,0 @@
-local Pipeline(mariadb_version) = {
-  kind: "pipeline",
-  type: "docker",
-  name: "maria-" + mariadb_version,
-  steps: [
-    {
-      name: "build_and_publish_" + mariadb_version,
-      image: "plugins/docker:linux-amd64",
-      pull: "always",
-      settings: {
-        dockerfile: "Dockerfile",
-        build_args: [
-          "MARIA_VERSION=" + mariadb_version,
-        ],
-        registry: "docker.asperti.com",
-        repo: "docker.asperti.com/paspo/mariadb-backup-slave",
-        username: {
-          from_secret: "docker_username",
-        },
-        password: {
-          from_secret: "docker_password",
-        },
-        tags: [ "latest-" + mariadb_version, "maria-" + mariadb_version ],
-        auto_tag: false,
-        force_tag: true,
-        daemon_off: false,
-      }
-    }
-  ],
-  trigger: {
-    event: ['tag'],
-  }
-};
-
-[
-  Pipeline("11.4"),
-  Pipeline("11.3"),
-  Pipeline("11.2"),
-  Pipeline("11.1"),
-  Pipeline("11.0"),
-  Pipeline("10.11"),
-  Pipeline("10.6"),
-  Pipeline("10.5"),
-  Pipeline("10.4"),
-]

.gitea/workflows/build_and_publish.yaml

@@ -7,10 +7,8 @@ env:
 
 on:
   push:
-    tags:
-      - '*'
   schedule:
-    - cron: "0 12 3 * *"
+    - cron: "0 12 * * 3"
   workflow_dispatch:
   workflow_call:
   workflow_run:

.gitea/workflows/vulnscan.yaml

@@ -0,0 +1,65 @@
+---
+name: Vulnerability Scan
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/mariadb-backup-slave
+
+on:
+  # schedule:
+  #   - cron: "0 14 * * *"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [build_and_publish.yaml]
+    types: [completed]
+
+jobs:
+  scan:
+    name: Daily Vulnerability Scan
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+        version: ["10.6", "10.11", "11.4", "11.8"]
+
+    steps:
+      - name: Pull docker image
+        run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.version }}-${{ matrix.arch }}
+
+      - name: Setup trivy
+        run: |
+          echo "Installing Trivy for arch: $(uname -m)"
+          case $(uname -m) in
+            x86_64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+            aarch64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+            *) exit 1 ;;
+          esac
+          dpkg -i /tmp/trivy.deb
+
+      - name: Run Trivy vulnerability scanner
+        id: scan
+        run: |
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.version }}-${{ matrix.arch }} > trivy-results.json
+
+      # if some vulnerability is found, we fail
+      - name: check output
+        id: vulncount
+        run: |
+          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+
+      - name: send telegram notification
+        if: failure()
+        uses: appleboy/telegram-action@master
+        with:
+          to: ${{ secrets.TELEGRAM_TO }}
+          token: ${{ secrets.TELEGRAM_TOKEN }}
+          format: markdown
+          message: |
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`

Dockerfile

@@ -2,16 +2,12 @@ ARG MARIA_VERSION
 FROM mariadb:${MARIA_VERSION}
 
 RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \
     DEBIAN_FRONTEND=noninteractive apt-get install -q -y cron sudo automysqlbackup
 
-COPY mysql.cnf /etc/mysql/mariadb.conf.d/settings.cnf
-COPY maria-include.cnf /etc/mysql/conf.d/maria-include.cnf
-COPY custom.cnf /etc/mysql/mariadb.conf.d/custom.cnf
+COPY rootfs /
+
 RUN chown mysql:mysql /etc/mysql/mariadb.conf.d/custom.cnf
-COPY docker-entrypoint-new.sh /usr/local/bin/
-COPY healthcheck.sh /usr/local/bin/
-COPY automysqlbackup /etc/default
-COPY sudoers /etc/sudoers.d/mysudoers
 
 HEALTHCHECK --interval=30s --start-period=30s --timeout=3s \
   CMD /usr/local/bin/healthcheck.sh

README.md

@@ -79,7 +79,7 @@ docker-compose up -d
 Create the database:
 
 ```bash
-docker exec my-container sh -c 'echo "create database aWordpressDatabase;" | exec mysql -uroot -p"$MYSQL_ROOT_PASSWORD"'
+docker-compose exec backup-slave sh -c 'echo "create database aWordpressDatabase;" | exec mysql -uroot -p"$MYSQL_ROOT_PASSWORD"'
 ```
 
 ### Freeze the master
@@ -109,7 +109,7 @@ The classic way is preferred when you have a big database because it locks the d
 Now, we need to import the backup from the master, so as we started the slave as readwrite, we can now do this on the slave:
 
 ```bash
-docker exec my-container sh -c 'mysqldump -C --lock-tables=false --quick -u repluser -h master.host --password="aRandomPassword" aWordpressDatabase | mysql -u root -p"$MYSQL_ROOT_PASSWORD" aWordpressDatabase'
+docker-compose exec backup-slave sh -c 'mysqldump -C --lock-tables=false --quick -u repluser -h master.host --password="aRandomPassword" aWordpressDatabase | mysql -u root -p"$MYSQL_ROOT_PASSWORD" aWordpressDatabase'
 ```
 
 Replace **my-container**, **repluser**, **master.host**, **aRandomPassword**, **aWordpressDatabase** with the correct values.
@@ -141,10 +141,10 @@ On the slave, copy the dump file in the running container, like this:
 docker cp thedump.sql.gz my-container:/thedump.sql.gz
 ```
 
-Then we import it:
+Then we import it: 
 
 ```bash
-docker exec my-container sh -c 'zcat /thedump.sql.gz | mysql -u root -p"$MYSQL_ROOT_PASSWORD" aWordpressDatabase'
+docker-compose exec backup-slave sh -c 'zcat /thedump.sql.gz | mysql -u root -p"$MYSQL_ROOT_PASSWORD" aWordpressDatabase'
 docker exec my-container sh -c 'rm /thedump.sql.gz'
 ```