utilisateur avec permissions moindre

docker-compose.yaml

@@ -1,13 +1,13 @@
 services:
   mariadb:
-    image: mariadb
+    build:
+      context: images
+      dockerfile: SQL_Dockerfile
     environment:
-      MARIADB_USER: laravel_user
-      MARIADB_PASSWORD: super_strong_password
       MARIADB_ROOT_PASSWORD: super_strong_password_of_root
       MARIADB_DATABASE: laravel_db
     volumes:
-      - ./sqldata:/var/lib/mysql
+      - laravel_db_volume:/var/lib/mysql
 
   laravel:
     image: bitnami/laravel
@@ -20,3 +20,5 @@ services:
     volumes:
       - ./laravel:/app
 
+volumes:
+  laravel_db_volume:

images/SQL_Dockerfile

@@ -0,0 +1,19 @@
+FROM mariadb:latest as builder
+
+COPY db_init.sql /docker-entrypoint-initdb.d/
+
+# That file does the DB initialization but also runs mysql daemon, by removing the last line it will only init
+RUN ["sed", "-i", "s/exec \"$@\"/echo \"not running $@\"/", "/usr/local/bin/docker-entrypoint.sh"]
+
+ENV MARIADB_USER=root
+ENV MARIADB_ROOT_PASSWORD=super_strong_password
+
+# Need to change the datadir to something else that /var/lib/mysql because the parent docker file defines it as a volume.
+# https://docs.docker.com/engine/reference/builder/#volume :
+#       Changing the volume from within the Dockerfile: If any build steps change the data within the volume after
+#       it has been declared, those changes will be discarded.
+RUN ["/usr/local/bin/docker-entrypoint.sh", "mariadbd", "--datadir", "/initialized-db", "--aria-log-dir-path", "/initialized-db"]
+
+FROM mariadb:latest
+
+COPY --from=builder /initialized-db /var/lib/mysql

images/db_init.sql

@@ -0,0 +1,3 @@
+CREATE USER laravel_user IDENTIFIED BY 'super_strong_password';
+
+GRANT CREATE, ALTER, DROP, SELECT, INSERT, UPDATE, DELETE ON laravel_db.* TO laravel_user;