Chainguard Container for mysql

MySQL is a widely used open-source relational database management system.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/mysql:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility Notes

Chainguard's MySQL image is comparable to the official mysql image from Docker Hub. Chainguard images are designed with minimalism and security in mind, and thus the MySQL image has a few key differences from the upstream image:

• Chainguard's MySQL image only has the minimum set of dependencies needed to function. This means it does not come with certain tools or utilities, such as a package manager.
  • Unlike most of Chainguard's container images, though, the MySQL image does come with a shell.
• Chainguard's MySQL image does not ship with a default configuration file (such as /etc/my.cnf). However, you can run the image with a custom configuration, or extend it with environment variables. Refer to the Initializing the database using environment variables and Running MySQL with a custom options file sections for more information.

Getting Started

The default MySQL port is 3306. To run a quick test MySQL server container with an empty root password, use the following command:

docker run -p 3306:3306 --rm -e MYSQL_ALLOW_EMPTY_PASSWORD=1 cgr.dev/ORGANIZATION/mysql

Don't forget to replace ORGANIZATION with your organization's designated private repository.

Thu Sep 12 13:42:59 UTC 2024 [Note] [Entrypoint]: Entrypoint script for MySQL Server  started.
Thu Sep 12 13:42:59 UTC 2024 [Note] [Entrypoint]: Initializing database files
2024-09-12T13:42:59.828911Z 0 [System] [MY-015017] [Server] MySQL Server Initialization - start.
2024-09-12T13:42:59.829672Z 0 [System] [MY-013169] [Server] /usr/bin/mysqld (mysqld 8.4.2) initializing of server in progress as process 41
2024-09-12T13:42:59.837924Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2024-09-12T13:43:00.401495Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2024-09-12T13:43:02.507476Z 6 [Warning] [MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
2024-09-12T13:43:05.547743Z 0 [System] [MY-015018] [Server] MySQL Server Initialization - end.
Thu Sep 12 13:43:05 UTC 2024 [Note] [Entrypoint]: Database files initialized
Thu Sep 12 13:43:05 UTC 2024 [Note] [Entrypoint]: Starting temporary server

(...)

2024-09-12T13:43:09.669017Z 0 [System] [MY-015015] [Server] MySQL Server - start.
2024-09-12T13:43:09.876146Z 0 [System] [MY-010116] [Server] /usr/bin/mysqld (mysqld 8.4.2) starting as process 1
2024-09-12T13:43:09.889947Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2024-09-12T13:43:10.365620Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2024-09-12T13:43:10.656614Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2024-09-12T13:43:10.656633Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2024-09-12T13:43:10.665823Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/lib/mysql' in the path is accessible to all OS users. Consider choosing a different directory.
2024-09-12T13:43:10.696239Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /run/mysqld/mysqlx.sock
2024-09-12T13:43:10.696283Z 0 [System] [MY-010931] [Server] /usr/bin/mysqld: ready for connections. Version: '8.4.2'  socket: '/run/mysqld/mysqld.sock'  port: 3306  Source distribution.

After the server is up and running, you can connect to it using the mysql client. This is available for most Linux-based systems in a package called mysql-client, in case you don't have it installed yet. To connect to the server as root and without a password, use the following command:

mysql -h 127.0.0.1 -uroot

Please note this only works because the server was initialized with the option MYSQL_ALLOW_EMPTY_PASSWORD, which should never be used on production environments.

Following that, you will be able to manage the database using the MySQL prompt:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 9.1.0 Source distribution

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

You can now create databases, users, and tables as you would with a regular MySQL server. To exit the client, run the exit command on the MySQL prompt. To stop the server, press CTRL + C in the terminal where Docker is running. The container will stop and be removed automatically.

Importing Data From an SQL File Upon Initialization

Another feature from the MySQL initialization script allows you to import an SQL file via a volume mounted to /docker-entrypoint-initdb.d. For example, if you have a my-data.sql file in your current folder, you can run the following command to have this data automatically imported to your database:

docker run -v ${PWD}/my-data.sql:/docker-entrypoint-initdb.d/my-data.sql cgr.dev/ORGANIZATION/mysql

Initializing the database using environment variables

You can use environment variables to set up your database upon initialization. The following variables are available for this purpose:

• MYSQL_ROOT_HOST: This variable allows you to specify the host from which the root user can connect. The default value is localhost.
• MYSQL_ROOT_PASSWORD: Sets the password for MySQL's root superuser account.
• MYSQL_RANDOM_ROOT_PASSWORD: When this variable is set, a random password is generated for the root superuser account. This password is printed to stdout at the end of the container initialization process.
• MYSQL_ALLOW_EMPTY_PASSWORD: This variable allows you to run the MySQL container with an empty root password. This is insecure and should only be used for tests and local development.
• MYSQL_DATABASE: Creates a new database upon initialization.
• MYSQL_USER: Together with MYSQL_PASSWORD, this environment variable can be used to create a new database user and grant them full access to the database defined by MYSQL_DATABASE.
• MYSQL_PASSWORD: This should be used in conjunction with the MYSQL_USER environment variable to set up the database user's password.

To facilitate testing the various environment variables and options when initializing your MySQL server, you can use a Docker Compose setup like the following. Again, remember to replace ORGANIZATION with your organization's designated private repository.

services:
  mysql:
    image: cgr.dev/ORGANIZATION/mysql
    restart: unless-stopped
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: 1
      MYSQL_USER: user
      MYSQL_PASSWORD: password
      MYSQL_DATABASE: test
    ports:
      - 3306:3306

Save this file as docker-compose.yaml. Then, from the same directory, start the container:

docker-compose up

Once the server is up and running, you can connect via the mysql client with the following command:

mysql -h 127.0.0.1 -uuser -ppassword

This docker-compose.yaml sets up a MySQL database with a default database and user. You can add other services to create a local multi-node environment for development and tests. You can iterate on this setup to test different configurations and scenarios.

_FILE variables

Chainguard's MySQL image also supports appending _FILE to several of the environment variables mentioned previously, allowing you to instruct the initialization script to load variable values from files. This is useful in cases where you want to avoid passing sensitive information — such as passwords — with environment variables.

Chainguard's MySQL image currently supports this for the MYSQL_ROOT_PASSWORD, MYSQL_ROOT_HOST, MYSQL_DATABASE, MYSQL_USER, and MYSQL_PASSWORD variables.

Running MySQL with a custom options file

You can also run Chainguard's MySQL image with a custom options file. To illustrate, create a configuration file named my.cnf with the following command:

cat > my.cnf <<EOF
[mysqld]
thread_cache_size=8
EOF

This command creates an options file with a single option (thread_cache_size) and changes its value to 8 from the default 9.

Then create and run a new MySQL container with the following command, which also mounts the my.cnf file to the container's /etc/ directory:

docker run --name custom-mysql -d --rm -e MYSQL_ALLOW_EMPTY_PASSWORD=1 -v $PWD/my.cnf:/etc/my.cnf cgr.dev/chainguard-private/mysql

This command includes the -d option to detach the container and run it in the background.

Next, run a docker exec command to access the container's shell:

docker exec -it custom-mysql sh

From there, you can confirm that the MySQL server is using the custom configuration using the mysqld command:

mysqld --verbose --help | grep thread-cache

  --thread-cache-size=#
thread-cache-size                                        	8

As this output shows, the MySQL server is using the thread-cache-size option value defined in the custom options file.

MySQL will read options files in the following order: /etc/mysql/my.cnf, /etc/my.cnf, and finally ~/.my.cnf. Be aware that it's recommended that you don't place your custom options file in the ~/ directory, as you will then have to consider which user is going to run the mysqld process when you run the image.

Documentation and Resources

• MySQL Documentation
• Upstream MySQL Image Overview
• Basic Steps for MySQL Server Deployment with Docker
• More Topics on Deploying MySQL Server with Docker

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.