From 09e9b1be33b0f0b3ee75f9545e6430877b6e0264 Mon Sep 17 00:00:00 2001
From: Steven Dake
Date: Tue, 10 Nov 2015 04:15:34 -0500
Subject: [PATCH] Move the mariadb expect code to a script

Atleast in a script, sudo can be made to only allow the script to run from the mysql process in the future, versus all the proceesses being able to be executed as root presently.

Change-Id: I030b57086e37e4dc8f668f98c04335d94ab9d2b0
Partially-Implements: blueprint drop-root
---
 docker/mariadb/Dockerfile.j2 | 4 +++-
 docker/mariadb/extend_start.sh | 21 +--------------------
 docker/mariadb/security_reset.expect | 21 +++++++++++++++++++++
 3 files changed, 25 insertions(+), 21 deletions(-)
 create mode 100644 docker/mariadb/security_reset.expect

diff --git a/docker/mariadb/Dockerfile.j2 b/docker/mariadb/Dockerfile.j2
index fbc699290e..a840d9b8da 100644
--- a/docker/mariadb/Dockerfile.j2
+++ b/docker/mariadb/Dockerfile.j2
@@ -29,6 +29,8 @@ RUN apt-get install -y --no-install-recommends \
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start
+COPY security_reset.expect /usr/local/bin/kolla_security_reset
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
+ && chmod 755 /usr/local/bin/kolla_security_reset
 {{ include_footer }}
diff --git a/docker/mariadb/extend_start.sh b/docker/mariadb/extend_start.sh
index 6fa4506758..8a8699b886 100644
--- a/docker/mariadb/extend_start.sh
+++ b/docker/mariadb/extend_start.sh
@@ -5,26 +5,7 @@ function bootstrap_db {
 # Waiting for deamon
 sleep 10
- expect -c '
- set timeout 10
- spawn mysql_secure_installation
- expect "Enter current password for root (enter for none):"
- send "\r"
- expect "Set root password?"
- send "y\r"
- expect "New password:"
- send "'"${DB_ROOT_PASSWORD}"'\r"
- expect "Re-enter new password:"
- send "'"${DB_ROOT_PASSWORD}"'\r"
- expect "Remove anonymous users?"
- send "y\r"
- expect "Disallow root login remotely?"
- send "n\r"
- expect "Remove test database and access to it?"
- send "y\r"
- expect "Reload privilege tables now?"
- send "y\r"
- expect eof'
+ kolla_security_reset
 mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
 mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
diff --git a/docker/mariadb/security_reset.expect b/docker/mariadb/security_reset.expect
new file mode 100644
index 0000000000..7c720136ff
--- /dev/null
+++ b/docker/mariadb/security_reset.expect
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn mysql_secure_installation
+expect "Enter current password for root (enter for none):"
+send "\r"
+expect "Set root password?"
+send "y\r"
+expect "New password:"
+send "$env(DB_ROOT_PASSWORD)\r"
+expect "Re-enter new password:"
+send "$env(DB_ROOT_PASSWORD)\r"
+expect "Remove anonymous users?"
+send "y\r"
+expect "Disallow root login remotely?"
+send "n\r"
+expect "Remove test database and access to it?"
+send "y\r"
+expect "Reload privilege tables now?"
+send "y\r"
+expect eof
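Review bot: The result of the new `kolla_security_reset` call in the extend_start.sh hunk is never checked, so bootstrap_db carries on to the two GRANT statements even if the expect script failed; `kolla_security_reset || exit 1` (or `return 1`, depending on how the caller treats a failed bootstrap) would stop there. The password now reaches the script through `$env(DB_ROOT_PASSWORD)` rather than being spliced in by the shell, so the variable has to be exported to child processes. If the call is later wrapped in sudo as the commit message plans, sudo's default `env_reset` will presumably drop it unless the sudoers rule lists it in `env_keep`. A comment above the call such as `# kolla_security_reset reads DB_ROOT_PASSWORD from the environment` would record that dependency. bootstrap_db begins and ends outside this hunk.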
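Review bot: None of the `expect` commands in security_reset.expect handles a timeout, so after `set timeout 10` a prompt that never arrives is skipped silently, the remaining answers are still sent, and the script exits 0. Adding `expect_after timeout { exit 1 }` directly after `set timeout 10` would make a stalled or reworded dialogue fail visibly instead. The exit code of mysql_secure_installation is also discarded after `expect eof`; a final `exit [lindex [wait] 3]` would pass it on to the caller. A short header comment should state that the script reads DB_ROOT_PASSWORD from the environment and that answering "n" to "Disallow root login remotely?" is deliberate (it appears to match the 'root'@'%' grant in extend_start.sh), since this file is what a future sudoers rule will point at.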