From 3292d0df098ade1f18e5f84b841ca2cba2098d7a Mon Sep 17 00:00:00 2001
From: Alexey Pustovalov
Date: Fri, 19 Jan 2024 01:13:10 +0900
Subject: [PATCH] Removed MySQL root secret for server and proxy containers
---
 compose_databases.yaml | 7 +++++--
 compose_zabbix_components.yaml | 4 ----
 env_vars/.env_db_mysql | 2 +-
 env_vars/.env_db_mysql_proxy | 1 -
 env_vars/mysql_init/init_proxy_db.sql | 2 ++
 5 files changed, 8 insertions(+), 8 deletions(-)
 create mode 100644 env_vars/mysql_init/init_proxy_db.sql
diff --git a/compose_databases.yaml b/compose_databases.yaml
index b04e384a2..50f5368dd 100644
--- a/compose_databases.yaml
+++ b/compose_databases.yaml
@@ -6,8 +6,8 @@ services:
 - mysqld
 - --character-set-server=utf8mb4
 - --collation-server=utf8mb4_bin
-# Only during upgrade from versions prior 6.4
-# - --log_bin_trust_function_creators=1
+# Only during upgrade from versions prior 6.4 and new installations (schema deployment)
+ - --log_bin_trust_function_creators=1
 # Use TLS encryption for connections to database
 # - --require-secure-transport
 # - --ssl-ca=/run/secrets/root-ca.pem
@@ -16,9 +16,12 @@ services:
 restart: "${RESTART_POLICY}"
 volumes:
 - ${DATA_DIRECTORY}/var/lib/mysql:/var/lib/mysql:rw
+ - ${ENV_VARS_DIRECTORY}/mysql_init/init_proxy_db.sql:/docker-entrypoint-initdb.d/mysql_init_proxy.sql:ro
 # - dbsocket:/var/run/mysqld/
 env_file:
 - ${ENV_VARS_DIRECTORY}/.env_db_mysql
+ environment:
+ - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/MYSQL_ROOT_PASSWORD
 secrets:
 - MYSQL_USER
 - MYSQL_PASSWORD
diff --git a/compose_zabbix_components.yaml b/compose_zabbix_components.yaml
index fde74c977..0a06f2cfc 100644
--- a/compose_zabbix_components.yaml
+++ b/compose_zabbix_components.yaml
@@ -65,8 +65,6 @@ services:
 secrets:
 - MYSQL_USER
 - MYSQL_PASSWORD
- - MYSQL_ROOT_USER
- - MYSQL_ROOT_PASSWORD
 # - client-key.pem
 # - client-cert.pem
 # - root-ca.pem
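Review bot: In the first compose_databases.yaml hunk, `--log_bin_trust_function_creators=1` is now passed on every start, although the comment above it still describes it as needed only during upgrades and schema deployment. The option relaxes MySQL's check on who may create stored functions and triggers while binary logging is on, so leaving it enabled permanently widens what a non-privileged database account can do. I would make the temporary nature explicit in the comment, e.g. `# Needed only while the schema is deployed or upgraded; comment out again afterwards`. The service definition starts and ends outside this hunk.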
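Review bot: In the second compose_databases.yaml hunk, the new `MYSQL_ROOT_PASSWORD_FILE=/run/secrets/MYSQL_ROOT_PASSWORD` entry only resolves if `MYSQL_ROOT_PASSWORD` is still listed under this service's `secrets:`; the hunk ends after `MYSQL_USER` and `MYSQL_PASSWORD`, so that should be confirmed against the rest of the file. Separately, the MySQL image processes files under `/docker-entrypoint-initdb.d` only when the data directory is initialised for the first time, so a deployment with an existing `${DATA_DIRECTORY}/var/lib/mysql` will not get the `zabbix_proxy` database from the mounted script. A comment beside the mount such as `# executed only on first initialisation of an empty data directory` would make that visible to operators.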
@@ -171,8 +169,6 @@ services:
 secrets:
 - MYSQL_USER
 - MYSQL_PASSWORD
- - MYSQL_ROOT_USER
- - MYSQL_ROOT_PASSWORD
 # - client-key.pem
 # - client-cert.pem
 # - root-ca.pem
diff --git a/env_vars/.env_db_mysql b/env_vars/.env_db_mysql
index a11e1b391..9d5be3dee 100644
--- a/env_vars/.env_db_mysql
+++ b/env_vars/.env_db_mysql
@@ -6,7 +6,7 @@ MYSQL_USER_FILE=/run/secrets/MYSQL_USER
 # MYSQL_PASSWORD=zabbix
 MYSQL_PASSWORD_FILE=/run/secrets/MYSQL_PASSWORD
 # MYSQL_ROOT_PASSWORD=
-MYSQL_ROOT_PASSWORD_FILE=/run/secrets/MYSQL_ROOT_PASSWORD
+# MYSQL_ROOT_PASSWORD_FILE=/run/secrets/MYSQL_ROOT_PASSWORD
 # MYSQL_ALLOW_EMPTY_PASSWORD=false
 # MYSQL_DATABASE=zabbix
 MYSQL_DATABASE=zabbix
diff --git a/env_vars/.env_db_mysql_proxy b/env_vars/.env_db_mysql_proxy
index 5efa465ca..f79f9679c 100644
--- a/env_vars/.env_db_mysql_proxy
+++ b/env_vars/.env_db_mysql_proxy
@@ -8,7 +8,6 @@ MYSQL_USER=zabbix
 MYSQL_PASSWORD=zabbix
 # MYSQL_PASSWORD_FILE=/run/secrets/MYSQL_PASSWORD
 # MYSQL_ROOT_PASSWORD=
-MYSQL_ROOT_PASSWORD=root_pwd
 # MYSQL_ROOT_PASSWORD_FILE=/run/secrets/MYSQL_ROOT_PASSWORD
 # MYSQL_ALLOW_EMPTY_PASSWORD=false
 # MYSQL_DATABASE=zabbix_proxy
diff --git a/env_vars/mysql_init/init_proxy_db.sql b/env_vars/mysql_init/init_proxy_db.sql
new file mode 100644
index 000000000..ca8c6e4c8
--- /dev/null
+++ b/env_vars/mysql_init/init_proxy_db.sql
@@ -0,0 +1,2 @@
+CREATE DATABASE IF NOT EXISTS `zabbix_proxy`;
+GRANT ALL ON `zabbix_proxy`.* TO 'zabbix'@'%';
\ No newline at end of file
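Review bot: The `GRANT` in init_proxy_db.sql hard-codes the account as `'zabbix'@'%'`, while the database container reads its user name from `/run/secrets/MYSQL_USER`; if that secret holds a different name, the statement targets an account that may not exist and the grant presumably fails or goes to the wrong principal. `GRANT ALL` to a `%` host is also broader than an application schema owner usually needs once the schema is deployed. A header comment should state the assumption, e.g. `-- assumes MYSQL_USER is 'zabbix'; adjust the account and narrow the privileges if your deployment differs`. The file also lacks a trailing newline.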