Unable to set password for 'root' using Docker image memsql/cluster-in-a-box

Hello! I have been using MemSQL’s cluster-in-a-box Docker image for some local automated testing and it’s been working great. I use the init.sql file to load up a schema and a small sample of real data at startup time.

My question is: is there a way to set the password for the ‘root’ user at startup so that it’s not blank? The reason I wanted to do this is because (I believe) it slightly improves our security in the case an attacker were to get access to this container. (Please correct me if I am wrong in thinking.)

My Dockerfile looks like the following:

FROM memsql/cluster-in-a-box:6.7.14-fa416b0a53-1.5.5-1.0.6

# This line does not work as I expected it to...
RUN memsql-admin change-root-password --all --yes --password test

# Add our schema and data files to load at container init time
ADD ./init.sql /init.sql
ADD ./data /data/

I had thought running the change-root-password would work, but it does not.

Because the data may be stored on a Volume (which doesn’t exist as the image is built), the MemSQL cluster is built as the container starts. This is why it doesn’t work.

SET PASSWORD FOR 'root'@'%' = PASSWORD('password') in init.sql could work since this is a single-node box. https://docs.memsql.com/v7.1/reference/sql-reference/security-management-commands/set-password/ notes that it only changes the password on this node, so it’s a fragile statement.

The other option is to take over CMD and run your own cluster initialization. It’s quite hairy though because the Docker container disables hardware minimum limits, and doing that by hand is a lot of commands. If you can live with a minimum of 4 gigs for the container, a regular memsql-deploy cluster-in-a-box ... will get the cluster setup. Wrap it in a check to see if the cluster already exists (because you’re restarting the container) and run memsql-admin start-node --all -y instead.

Thanks for the explanation. I think your answers are effective for protecting a running Docker container, but I was hoping to improve protection against someone who gained access to the Docker image.

SET PASSWORD FOR 'root'@'%' = PASSWORD('password') in init.sql could work

This approach doesn’t seem to improve security for our use case because we’re only running these containers on local laptops. Anyone who has access to the container would simply be able to inspect the init script to get the password:

docker run -it --rm --entrypoint cat <image> init.sql

The other option is to take over CMD and run your own cluster initialization.

It would seem that overriding the CMD would be too late in the container building process to set a password. Anyone with access to the Docker image would be able to override the command, preventing the password being set.

I appreciate the thought put into how we could get around this. From what it seems this is a difficult path to set the password, so we will leave it blank for now.

Ideally it would be nice during the image building process to set the root password, such as through a Docker environment variable.