The problem
When using k8s-backup 1.3.1, which runs on Alpine and installs mysql-client via apk, the mysqldump binary in Alpine is actually MariaDB’s client source
Recent MariaDB (≥10.5.25 / 10.6.18 / 11.x) injects this line at the top of SQL dumps:
/*!999999\- enable the sandbox mode */
This "sandbox mode" directive was added on May 17, 2024 to address CVE‑2024‑21096 by disabling shell commands in the dump client source. However, MySQL clients (and older MariaDB ones) do not recognize it and throw:
ERROR at line 1: Unknown command '\-'
The solutions
A) Remove the line at backup time.
In backup_mysql() replace
mysqldump … > /tmp/db-backup.sql
with
mysqldump … | tail -n +2 > /tmp/db-backup.sql
Pros: Compatible with mysql and old mariadb clients 💓 Cons:: It disables the the CVE protection for mysql versions prior to 8.0.40 (later versions fix it) ⚠
B) Remove the line at import time
Something like tail +2 | mysql ....
dbagent+mysql users should customize running make db.restore. I've tested and it works.
C) Install the proper mysqlclient.
GPT proposes adding these stages to the Dockerfile:
# Build the official mysql client
FROM alpine:3.21 AS mysqlclient
RUN apk update \
&& apk add --no-cache bash build-base cmake openssl-dev ncurses-dev wget \
&& wget https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-8.0.34.tar.gz \
&& tar xzf mysql-8.0.34.tar.gz \
&& cd mysql-8.0.34 \
&& cmake . -DWITHOUT_SERVER=ON \
&& make -j"$(nproc)" && make install
FROM alpine:3.21
# Get the mysql client from their built stage
COPY --from=mysqlclient /usr/local/bin/mysql* /usr/local/bin/
COPY --from=mysqlclient /usr/local/bin/mysqldump /usr/local/bin/
COPY --from=mysqlclient /usr/local/libexec /usr/local/libexec
COPY --from=mysqlclient /usr/local/share/mysql /usr/local/share/mysql
COPY --from=mysqlclient /usr/local/lib /usr/local/lib
# Rest of the code
RUN apk update \
&& apk add --update \
postgresql-client \
mysql-client \ # REMOVE THIS
gnupg \
D) Implement something really flexible
We could install both mariadb and mysql clients, and decide which to use by an environment variable.
Meanwhile I would add it to the README.md.
The problem
When using k8s-backup 1.3.1, which runs on Alpine and installs mysql-client via apk, the mysqldump binary in Alpine is actually MariaDB’s client source
Recent MariaDB (≥10.5.25 / 10.6.18 / 11.x) injects this line at the top of SQL dumps:
/*!999999\- enable the sandbox mode */This "sandbox mode" directive was added on May 17, 2024 to address CVE‑2024‑21096 by disabling shell commands in the dump client source. However, MySQL clients (and older MariaDB ones) do not recognize it and throw:
The solutions
A) Remove the line at backup time.
In backup_mysql() replace
with
Pros: Compatible with mysql and old mariadb clients 💓 Cons:: It disables the the CVE protection for mysql versions prior to 8.0.40 (later versions fix it) ⚠
B) Remove the line at import time
Something like
tail +2 | mysql ....dbagent+mysql users should customize running
make db.restore. I've tested and it works.C) Install the proper mysqlclient.
GPT proposes adding these stages to the Dockerfile:
D) Implement something really flexible
We could install both mariadb and mysql clients, and decide which to use by an environment variable.
Meanwhile I would add it to the README.md.