Fix DB backup/restore scripts to avoid host process-list secret exposure

Author: borisolver

platform_blueprint/ops/db_backup/backup.sh

@@ -55,6 +55,18 @@ if ! sudo docker ps --format '{{.Names}}' | grep -qx cleanapp_db; then
   exit 1
 fi
 
+# Never pass secrets via `docker exec -e ...` (those end up visible in host `ps` output).
+# Instead, write the secret into a short-lived file inside the container and reference it
+# from inside the container process.
+pwfile="/tmp/cleanapp_mysql_backup_pw.$$.$RANDOM"
+cleanup_pwfile() {
+  sudo docker exec cleanapp_db sh -lc "rm -f '${pwfile}'" >/dev/null 2>&1 || true
+}
+trap cleanup_pwfile EXIT
+
+printf '%s' "${MYSQL_ROOT_PASSWORD}" | sudo docker exec -i cleanapp_db sh -lc \
+  "cat > '${pwfile}' && chmod 600 '${pwfile}'" >/dev/null
+
 if command -v pigz >/dev/null 2>&1; then
   COMPRESS=(pigz -1)
 else
@@ -65,15 +77,15 @@ started_ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
 started_epoch="$(date +%s)"
 
 log "INFO mysqldump stream start"
-sudo docker exec -e MYSQL_PWD="${MYSQL_ROOT_PASSWORD}" -i cleanapp_db sh -lc \
-  'exec mysqldump -uroot \
+sudo docker exec -i cleanapp_db sh -lc \
+  "MYSQL_PWD=\"\$(cat '${pwfile}')\" exec mysqldump -uroot \
     --all-databases \
     --single-transaction \
     --quick \
     --lock-tables=false \
     --routines --events --triggers \
     --hex-blob \
-    --set-gtid-purged=OFF' \
+    --set-gtid-purged=OFF" \
   | "${COMPRESS[@]}" \
   | gsutil -q -o GSUtil:parallel_composite_upload_threshold=150M cp - "${CURRENT_KEY}"
 
@@ -85,8 +97,8 @@ size_bytes="$(gsutil ls -l "${CURRENT_KEY}" | awk 'NR==1{print $1}')"
 size_bytes="${size_bytes:-0}"
 
 log "INFO capturing row counts"
-reports_count="$(sudo docker exec -e MYSQL_PWD="${MYSQL_ROOT_PASSWORD}" -i cleanapp_db sh -lc 'mysql -uroot -N -e "SELECT COUNT(*) FROM cleanapp.reports" 2>/dev/null' | tr -d '\r' | tail -n 1 || true)"
-analysis_count="$(sudo docker exec -e MYSQL_PWD="${MYSQL_ROOT_PASSWORD}" -i cleanapp_db sh -lc 'mysql -uroot -N -e "SELECT COUNT(*) FROM cleanapp.report_analysis" 2>/dev/null' | tr -d '\r' | tail -n 1 || true)"
+reports_count="$(sudo docker exec -i cleanapp_db sh -lc "MYSQL_PWD=\"\$(cat '${pwfile}')\" mysql -uroot -N -e \"SELECT COUNT(*) FROM cleanapp.reports\" 2>/dev/null" | tr -d '\r' | tail -n 1 || true)"
+analysis_count="$(sudo docker exec -i cleanapp_db sh -lc "MYSQL_PWD=\"\$(cat '${pwfile}')\" mysql -uroot -N -e \"SELECT COUNT(*) FROM cleanapp.report_analysis\" 2>/dev/null" | tr -d '\r' | tail -n 1 || true)"
 reports_count="${reports_count:-0}"
 analysis_count="${analysis_count:-0}"
 counts_json="{\"reports\":${reports_count},\"report_analysis\":${analysis_count}}"
@@ -120,4 +132,3 @@ if [[ "$(date -u +%u)" == "7" ]]; then
 fi
 
 log "INFO backup complete env=${ENV}"
-

platform_blueprint/ops/db_backup/restore_drill_prod_vm.sh

@@ -56,11 +56,14 @@ name="cleanapp_db_restore_drill_${ts}"
 vol="eko_mysql_restore_drill_${ts}"
 
 root_pw="$(python3 -c 'import secrets; print(secrets.token_hex(16))')"
+envfile="/tmp/${name}.env"
 
 echo "== create scratch mysql container =="
 sudo docker volume create "${vol}" >/dev/null
-sudo docker run -d --name "${name}" \
-  -e MYSQL_ROOT_PASSWORD="${root_pw}" \
+umask 077
+printf 'MYSQL_ROOT_PASSWORD=%s\n' "${root_pw}" >"${envfile}"
+
+sudo docker run -d --name "${name}" --env-file "${envfile}" \
   -p 127.0.0.1:3307:3306 \
   -v "${vol}":/var/lib/mysql \
   mysql:8.0 \
@@ -72,12 +75,14 @@ cleanup() {
   echo "== cleanup =="
   sudo docker rm -f "${name}" >/dev/null 2>&1 || true
   sudo docker volume rm "${vol}" >/dev/null 2>&1 || true
+  rm -f "${envfile}" >/dev/null 2>&1 || true
 }
 trap cleanup EXIT
 
 echo "== wait for mysql ready =="
 for i in $(seq 1 120); do
-  if sudo docker exec -e MYSQL_PWD="${root_pw}" "${name}" mysql -uroot -e "SELECT 1" >/dev/null 2>&1; then
+  # Use container env var to avoid putting secrets in host-visible process args.
+  if sudo docker exec "${name}" sh -lc 'mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -e "SELECT 1" >/dev/null 2>&1'; then
     break
   fi
   sleep 2
@@ -88,11 +93,11 @@ for i in $(seq 1 120); do
 done
 
 echo "== stream restore (this can take a long time) =="
-gsutil cat "${obj_sql}" | gunzip -c | sudo docker exec -i -e MYSQL_PWD="${root_pw}" "${name}" mysql -uroot
+gsutil cat "${obj_sql}" | gunzip -c | sudo docker exec -i "${name}" sh -lc 'mysql -uroot -p"$MYSQL_ROOT_PASSWORD"'
 
 echo "== verify counts =="
-got_reports="$(sudo docker exec -e MYSQL_PWD="${root_pw}" "${name}" mysql -uroot -N -e 'SELECT COUNT(*) FROM cleanapp.reports' 2>/dev/null | tr -d '\r' | tail -n 1)"
-got_analysis="$(sudo docker exec -e MYSQL_PWD="${root_pw}" "${name}" mysql -uroot -N -e 'SELECT COUNT(*) FROM cleanapp.report_analysis' 2>/dev/null | tr -d '\r' | tail -n 1)"
+got_reports="$(sudo docker exec "${name}" sh -lc 'mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -N -e \"SELECT COUNT(*) FROM cleanapp.reports\" 2>/dev/null' | tr -d '\r' | tail -n 1)"
+got_analysis="$(sudo docker exec "${name}" sh -lc 'mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -N -e \"SELECT COUNT(*) FROM cleanapp.report_analysis\" 2>/dev/null' | tr -d '\r' | tail -n 1)"
 
 echo "restored counts: reports=${got_reports} report_analysis=${got_analysis}"
 
@@ -103,4 +108,3 @@ fi
 
 echo "OK restore drill: counts match metadata"
 REMOTE
-