Merge pull request #39 from movabletype/mysql-9

usualoma · web-flow · commit bd0dd7609e63 · 2024-11-14T10:20:00.000+09:00
feat: support MySQL 9 with caching_sha2_password
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+### Added
+
+* Added support for mysql:9.x docker images.
+* Enable to use SSL connection to MySQL.
+
 ### Changed
 
 * Update default image version.
diff --git a/Makefile b/Makefile
@@ -42,6 +42,7 @@ export DOCKER_HTTPD_BUILD_CONTEXT
 export DOCKER_HTTPD_DOCKERFILE
 export DOCKER_HTTPD_IMAGE
 export DOCKER_MYSQL_IMAGE
+export DOCKER_MYSQL_COMMAND
 export DOCKER_MEMCACHED_IMAGE
 export DOCKER_LDAP_IMAGE
 export DOCKER_FTPD_IMAGE
@@ -94,15 +95,20 @@ fixup:
 
 setup-mysql-volume:
 	$(eval export DOCKER_MYSQL_VOLUME=$(shell echo ${DOCKER_MYSQL_IMAGE} | sed -e 's/\..*//; s/[^a-zA-Z0-9]//g'))
-
+ifeq (${DOCKER_MYSQL_COMMAND},)
+	$(eval export DOCKER_MYSQL_COMMAND=$(shell if echo ${DOCKER_MYSQL_IMAGE} | egrep -q '^mysql:(9|[1-9][0-9]+)$$'; then echo ''; else echo '--default-authentication-plugin=mysql_native_password'; fi))
+endif
 
 ifneq (${SQL},)
 MYSQL_COMMAND_ARGS=-e '${SQL}'
 endif
 
+update-ssl:
+	${DOCKER} run --rm -v ${MAKEFILE_DIR}/ssl:/ssl -w /ssl --entrypoint /bin/sh alpine/openssl:latest generate-certs.sh
+
 exec-mysql:
 	opt=""; if ! [ -t 0 ] ; then opt="-T" ; fi; \
-		${_DC} exec $$opt db mysql -uroot -ppassword -h127.0.0.1 ${MYSQL_COMMAND_ARGS}
+		${_DC} exec $$opt db mysql -uroot -ppassword -hlocalhost ${MYSQL_COMMAND_ARGS}
 
 # FIXME:
 exec-ldappasswd:
@@ -122,7 +128,7 @@ else
 ARCHIVE_FOR_SETUP=${ARCHIVE}
 endif
 
-up-common: down fixup
+up-common: down fixup update-ssl
 	${MAKE} down-mt-home-volume
 	${DOCKER} volume create --label mt-dev-mt-home-tmp mt-dev-mt-home-tmp
 
diff --git a/mt/mysql.yml b/mt/mysql.yml
@@ -3,12 +3,16 @@ services:
     image: ${DOCKER_MYSQL_IMAGE:-mysql:8.0.32}
     environment:
       MYSQL_ROOT_PASSWORD: password
-    command: --default-authentication-plugin=mysql_native_password
+    command: ${DOCKER_MYSQL_COMMAND}
     volumes:
+      - "..:/mt-dev"
+      - "./mysql/conf.d:/etc/mysql/conf.d"
       - "${DOCKER_MYSQL_VOLUME:-mysql8}:/var/lib/mysql"
 volumes:
   mariadb10:
     driver: local
+  mysql9:
+    driver: local
   mysql8:
     driver: local
   mysql5:
diff --git a/mt/mysql/conf.d/mt.cnf b/mt/mysql/conf.d/mt.cnf
@@ -0,0 +1,9 @@
+[mysqld]
+ssl-ca=/mt-dev/ssl/certs/ca-cert.pem
+ssl-cert=/mt-dev/ssl/certs/server-cert.pem
+ssl-key=/mt-dev/ssl/certs/server-key.pem
+
+[client]
+ssl-ca=/mt-dev/ssl/certs/ca-cert.pem
+ssl-cert=/mt-dev/ssl/certs/client-cert.pem
+ssl-key=/mt-dev/ssl/certs/client-key.pem
diff --git a/ssl/.gitignore b/ssl/.gitignore
@@ -0,0 +1,3 @@
+certs/
+index.txt
+serial
diff --git a/ssl/generate-certs.sh b/ssl/generate-certs.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+mkdir -p certs
+touch index.txt
+echo 1000 > serial
+
+openssl genrsa -out certs/ca-key.pem 2048
+openssl req -new -x509 -nodes -days 3650 -key certs/ca-key.pem -out certs/ca-cert.pem \
+    -subj "/C=JP/ST=Tokyo/L=Tokyo/O=MyOrganization/CN=MyCA"
+
+openssl genrsa -out certs/server-key.pem 2048
+openssl req -new -key certs/server-key.pem -out certs/server-req.pem \
+    -subj "/C=JP/ST=Tokyo/L=Tokyo/O=MyOrganization/CN=db"
+openssl x509 -req -in certs/server-req.pem -days 3650 \
+    -CA certs/ca-cert.pem -CAkey certs/ca-key.pem -CAcreateserial \
+    -out certs/server-cert.pem
+
+openssl genrsa -out certs/client-key.pem 2048
+openssl req -new -key certs/client-key.pem -out certs/client-req.pem \
+    -subj "/C=JP/ST=Tokyo/L=Tokyo/O=MyOrganization/CN=mysqlclient"
+openssl x509 -req -in certs/client-req.pem -days 3650 \
+    -CA certs/ca-cert.pem -CAkey certs/ca-key.pem -CAcreateserial \
+    -out certs/client-cert.pem
diff --git a/ssl/openssl.cnf b/ssl/openssl.cnf
@@ -0,0 +1,59 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir               = .
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+private_key       = $dir/private/ca-key.pem
+certificate       = $dir/certs/ca-cert.pem
+
+default_days      = 3650
+default_crl_days  = 30
+default_md        = sha256
+preserve          = no
+
+policy            = policy_match
+
+[ policy_match ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress           = optional
+
+[ req ]
+default_bits            = 2048
+default_md              = sha256
+default_keyfile         = privkey.pem
+distinguished_name      = req_distinguished_name
+x509_extensions        = v3_ca
+req_extensions         = v3_req
+
+[ req_distinguished_name ]
+countryName                    = Country Name (2 letter code)
+countryName_default            = JP
+stateOrProvinceName            = State or Province Name (full name)
+stateOrProvinceName_default    = Tokyo
+localityName                   = Locality Name (eg, city)
+localityName_default           = Tokyo
+organizationName               = Organization Name (eg, company)
+organizationName_default       = MyOrganization
+commonName                     = Common Name (eg, YOUR name)
+commonName_max                 = 64
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth 
