mirror of
https://github.com/kevinveenbirkenbach/docker-volume-backup.git
synced 2026-05-31 00:52:04 +00:00
Kevin Veen-Birkenbach
ad5d8fcda3
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
144 lines
5.9 KiB
Python
144 lines
5.9 KiB
Python
"""
|
|
Bug-repro for: mariadb-dump fails with `ERROR 1045 Access denied for user
|
|
'<u>'@'localhost' (using password: YES)` when only '<u>'@'%' is granted and a
|
|
preempting ''@'localhost' user is present.
|
|
|
|
The fix forces TCP loopback in baudolo.backup.db so the dump matches the
|
|
'<u>'@'%' grant instead of the socket->localhost auth row.
|
|
|
|
This file:
|
|
- builds the exact preconditions that triggered the production failure,
|
|
- as a NEGATIVE control, runs a socket-based mariadb-dump (== the old code path)
|
|
and asserts that it fails with the literal 1045 / @'localhost' error,
|
|
- as a POSITIVE proof, calls backup_database() (where the fix lives) against
|
|
the same DB container and asserts the dump file is produced and contains the
|
|
seed data.
|
|
|
|
Note: the volume-rsync stage of baudolo is intentionally NOT exercised here.
|
|
That stage needs root on /var/lib/docker/volumes, which is provided by the
|
|
DinD wrapper in `make test-e2e` but not by an on-host invocation. The bug we
|
|
are verifying is in the DB-dump stage, so testing backup_database() directly
|
|
keeps the assertion focused and the test runnable both on-host and in DinD.
|
|
"""
|
|
|
|
import os
|
|
import tempfile
|
|
import unittest
|
|
|
|
import pandas
|
|
|
|
from baudolo.backup import db as db_mod
|
|
|
|
from .helpers import (
|
|
cleanup_docker,
|
|
require_docker,
|
|
run,
|
|
unique,
|
|
wait_for_mariadb,
|
|
wait_for_mariadb_sql,
|
|
)
|
|
|
|
|
|
class TestE2EMariaDBAnonymousPreemption(unittest.TestCase):
|
|
@classmethod
|
|
def setUpClass(cls) -> None:
|
|
require_docker()
|
|
cls.prefix = unique("baudolo-e2e-mariadb-anon")
|
|
cls.db_container = f"{cls.prefix}-mariadb"
|
|
cls.db_volume = f"{cls.prefix}-mariadb-vol"
|
|
cls.containers = [cls.db_container]
|
|
cls.volumes = [cls.db_volume]
|
|
|
|
cls.db_name = "appdb"
|
|
cls.db_user = "tcponly"
|
|
cls.db_password = "tcponlypw"
|
|
cls.root_password = "rootpw"
|
|
|
|
run(["docker", "volume", "create", cls.db_volume])
|
|
|
|
# Boot WITHOUT MARIADB_USER/MARIADB_PASSWORD/MARIADB_DATABASE so the
|
|
# entrypoint does not auto-create '<u>'@'%'. We provision the user
|
|
# explicitly below to mirror the SQL path used by svc-db-mariadb.
|
|
run([
|
|
"docker", "run", "-d",
|
|
"--name", cls.db_container,
|
|
"-e", f"MARIADB_ROOT_PASSWORD={cls.root_password}",
|
|
"-v", f"{cls.db_volume}:/var/lib/mysql",
|
|
"mariadb:12.2",
|
|
])
|
|
|
|
wait_for_mariadb(cls.db_container, root_password=cls.root_password, timeout_s=120)
|
|
|
|
# Provision: '<u>'@'%' (the app/backup grant) + anonymous ''@'localhost'
|
|
# (the preemption trigger). Mirrors the production state that produced
|
|
# `ERROR 1045 ... '<u>'@'localhost' (using password: YES)`.
|
|
bootstrap_sql = (
|
|
f"CREATE DATABASE {cls.db_name};"
|
|
f"CREATE USER '{cls.db_user}'@'%' IDENTIFIED BY '{cls.db_password}';"
|
|
f"GRANT ALL PRIVILEGES ON {cls.db_name}.* TO '{cls.db_user}'@'%';"
|
|
f"CREATE USER ''@'localhost' IDENTIFIED BY 'anonpw-not-{cls.db_password}';"
|
|
"FLUSH PRIVILEGES;"
|
|
f"CREATE TABLE {cls.db_name}.t (id INT PRIMARY KEY, v VARCHAR(50));"
|
|
f"INSERT INTO {cls.db_name}.t VALUES (1,'ok');"
|
|
)
|
|
run([
|
|
"docker", "exec", cls.db_container, "sh", "-lc",
|
|
f'mariadb -uroot --protocol=socket -e "{bootstrap_sql}"',
|
|
])
|
|
|
|
# Sanity: '<u>' can log in over TCP (matches '%'). If THIS fails,
|
|
# the precondition for the fix to even apply is broken.
|
|
wait_for_mariadb_sql(
|
|
cls.db_container, user=cls.db_user, password=cls.db_password, timeout_s=60
|
|
)
|
|
|
|
@classmethod
|
|
def tearDownClass(cls) -> None:
|
|
cleanup_docker(containers=cls.containers, volumes=cls.volumes)
|
|
|
|
def test_negative_control_socket_dump_fails_with_1045(self) -> None:
|
|
# Reproduces the OLD code path (no -h/--protocol). MUST fail with 1045
|
|
# under the configured preemption. If this ever starts passing, either
|
|
# the MariaDB auth semantics changed or the anonymous-user setup did
|
|
# not take effect — in both cases the positive test below loses its
|
|
# ability to discriminate "fix works" vs "bug never reproduced".
|
|
p = run(
|
|
[
|
|
"docker", "exec", self.db_container, "sh", "-lc",
|
|
f"mariadb-dump -u{self.db_user} -p{self.db_password} {self.db_name}",
|
|
],
|
|
capture=True,
|
|
check=False,
|
|
)
|
|
self.assertNotEqual(p.returncode, 0, "socket-based dump unexpectedly succeeded")
|
|
self.assertIn("1045", (p.stderr or "") + (p.stdout or ""))
|
|
self.assertIn("@'localhost'", (p.stderr or "") + (p.stdout or ""))
|
|
|
|
def test_backup_database_succeeds_with_tcp_fix(self) -> None:
|
|
# Drives the function where the fix lives. No rsync, no privileged
|
|
# paths — just the dump that the negative-control proved is failing
|
|
# under the same preemption setup.
|
|
with tempfile.TemporaryDirectory() as volume_dir:
|
|
df = pandas.DataFrame(
|
|
[(self.db_container, self.db_name, self.db_user, self.db_password)],
|
|
columns=["instance", "database", "username", "password"],
|
|
)
|
|
produced = db_mod.backup_database(
|
|
container=self.db_container,
|
|
volume_dir=volume_dir,
|
|
db_type="mariadb",
|
|
databases_df=df,
|
|
database_containers=[self.db_container],
|
|
)
|
|
self.assertTrue(produced, "backup_database did not produce a dump")
|
|
dump_path = os.path.join(volume_dir, "sql", f"{self.db_name}.backup.sql")
|
|
self.assertTrue(os.path.isfile(dump_path), f"expected dump at {dump_path}")
|
|
with open(dump_path, "r", encoding="utf-8", errors="replace") as f:
|
|
content = f.read()
|
|
self.assertIn("INSERT INTO", content)
|
|
self.assertIn("'ok'", content)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main(verbosity=2)
|