From 98097ce5c61c66a167fd6203feebf63ca0844657 Mon Sep 17 00:00:00 2001
From: Josh Sokol
Date: Sun, 7 Jun 2026 15:07:20 -0500
Subject: [PATCH 1/3] Use a fixed bootstrap password instead of a random one in stack.yml generation

---
 .../update_stack_and_workflows.sh | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/simplerisk-minimal/update_stack_and_workflows.sh b/simplerisk-minimal/update_stack_and_workflows.sh
index 7fc4ff0..b94e4e3 100755
--- a/simplerisk-minimal/update_stack_and_workflows.sh
+++ b/simplerisk-minimal/update_stack_and_workflows.sh
@@ -5,12 +5,15 @@ set -euo pipefail
 SCRIPT_LOCATION="$(dirname "$(readlink -f "$0")")"
 readonly SCRIPT_LOCATION
 
-generate_random_password() {
- echo $(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-21})
-}
-
 [ -z "${1:-}" ] && echo "No release version provided. Aborting." && exit 1 || release=$1
-pass=$(generate_random_password)
+
+# Fixed bootstrap password for the bundled MySQL. It is the root password used
+# ONLY for first-run schema setup; mysql is not exposed outside the stack
+# network, and SimpleRisk generates its own random application DB password at
+# first run. Override DB_SETUP_PASS + MYSQL_ROOT_PASSWORD below for any
+# non-trial deployment. Kept literal (not randomized) so the committed
+# stack.yml is deterministic across releases.
+readonly bootstrap_pass="simplerisk_setup"
 
 cat << EOF > "$SCRIPT_LOCATION/stack.yml"
 # Compose file generated automatically
@@ -21,7 +24,7 @@ services:
 simplerisk:
 environment:
 - DB_SETUP=automatic
- - DB_SETUP_PASS=$pass
+ - DB_SETUP_PASS=$bootstrap_pass
 - SIMPLERISK_DB_HOSTNAME=mysql
 image: simplerisk/simplerisk-minimal:$release
 ports:
@@ -31,7 +34,7 @@ services:
 mysql:
 command: mysqld --sql_mode="NO_ENGINE_SUBSTITUTION"
 environment:
- - MYSQL_ROOT_PASSWORD=$pass
+ - MYSQL_ROOT_PASSWORD=$bootstrap_pass
 image: mysql:8.0
 smtp:

From 3a07cf2acd5d71f4b28e8cf9f0bc005a3d707fb8 Mon Sep 17 00:00:00 2001
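Review bot: `readonly bootstrap_pass="simplerisk_setup"` turns the bundled MySQL root password into a published constant, and the comment's safety argument ("mysql is not exposed outside the stack network") is asserted rather than enforced here — the `mysql` service's port mapping is outside this hunk, and any process that reaches the stack network (including the `simplerisk` web container itself) can authenticate as root with a value that is now also in the README. The earlier random value was committed too, so the hunk does not change that the credential lives in git; it changes that every deployment now shares one well-known value. A way to keep the committed stack.yml deterministic without shipping a working credential is Compose variable substitution in the heredoc: `- DB_SETUP_PASS=\${DB_SETUP_PASS:-simplerisk_setup}` and `- MYSQL_ROOT_PASSWORD=\${MYSQL_ROOT_PASSWORD:-simplerisk_setup}` (the backslash stops the unquoted-EOF heredoc from expanding them at generation time), so deployers override through the environment or a `.env` file instead of editing the generated file; the same applies to the two `$bootstrap_pass` hunks below. If the trial default stays, the comment should also state that the value is visible in the committed stack.yml and in `docker inspect` of both containers, so readers do not take "not exposed" as a statement about the secret itself.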
From: Josh Sokol
Date: Sun, 7 Jun 2026 15:07:52 -0500
Subject: [PATCH 2/3] Regenerate stack.yml with the fixed bootstrap password

---
 simplerisk-minimal/stack.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/simplerisk-minimal/stack.yml b/simplerisk-minimal/stack.yml
index 6f43a7b..d3ea61e 100644
--- a/simplerisk-minimal/stack.yml
+++ b/simplerisk-minimal/stack.yml
@@ -6,7 +6,7 @@ services:
 simplerisk:
 environment:
 - DB_SETUP=automatic
- - DB_SETUP_PASS=Q29xIQhisPq8rDzjbzZKd
+ - DB_SETUP_PASS=simplerisk_setup
 - SIMPLERISK_DB_HOSTNAME=mysql
 image: simplerisk/simplerisk-minimal:20260519-001
 ports:
@@ -16,7 +16,7 @@ services:
 mysql:
 command: mysqld --sql_mode="NO_ENGINE_SUBSTITUTION"
 environment:
- - MYSQL_ROOT_PASSWORD=Q29xIQhisPq8rDzjbzZKd
+ - MYSQL_ROOT_PASSWORD=simplerisk_setup
 image: mysql:8.0
 smtp:

From 55890d6f1bb76e5414af8ea344bb45c1599f6d7b Mon Sep 17 00:00:00 2001
From: Josh Sokol
Date: Sun, 7 Jun 2026 15:08:48 -0500
Subject: [PATCH 3/3] Clarify the bootstrap vs application database passwords

---
 simplerisk-minimal/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/simplerisk-minimal/README.md b/simplerisk-minimal/README.md
index 9ba6eaf..a8961c1 100644
--- a/simplerisk-minimal/README.md
+++ b/simplerisk-minimal/README.md
@@ -4,6 +4,8 @@ This image is intended to run SimpleRisk in a 'microservices' approach (database is not included). It uses PHP 8.X with Apache as a base image. Also has the capability of setting properties of the `config.php` file through environment variables. +> **Two passwords, two roles.** `DB_SETUP_PASS` / `MYSQL_ROOT_PASSWORD` is the *bootstrap* credential the entrypoint uses to create the database and the application's DB user during first-run setup — in the bundled `stack.yml` it defaults to `simplerisk_setup` and guards a MySQL that is only reachable inside the stack network. `SIMPLERISK_DB_PASSWORD` is the *application* credential SimpleRisk uses at runtime; if you do not supply one it is randomly generated per deployment and printed to the container log. Set both explicitly for production use. + For any of the executions, it is recommended to map the 80 and 443 ports to be able to access the application. ## Build 
@@ -60,7 +62,7 @@ docker run -d --name simplerisk -e SIMPLERISK_DB_PASSWORD=pass -e SIMPLERISK_DB_
 |:-------------:|:-------------:|:--------|
 | `DB_SETUP` | `null` (Accepts any value) | The container will start as if the database has not been set up. The valid options here are `automatic` (in case you want the container to configure the database), `automatic-only` (the same as `automatic`, but stops the container after finishing the setup), `delete` (removes the SimpleRisk database and user from MySQL) or `manual` (allows the user to run the manual installation) |
 | `DB_SETUP_USER` | `root` | Used when `DB_SETUP=automatic\|automatic-only\|delete`. User name of database privileged user to install SimpleRisk schema and other components |
-| `DB_SETUP_PASS` | `root` | Used when `DB_SETUP=automatic\|automatic-only\|delete`. Password for database privileged user to install SimpleRisk schema and other components |
+| `DB_SETUP_PASS` | `root` (the bundled `stack.yml` ships `simplerisk_setup`) | Used when `DB_SETUP=automatic\|automatic-only\|delete`. Password of the privileged MySQL user used **only** to install the SimpleRisk schema and create the app DB user. In `stack.yml` it is also the bundled MySQL root password; since that MySQL is not exposed outside the stack network, a documented default is used for the zero-config trial. Override it (and `MYSQL_ROOT_PASSWORD` in `stack.yml`) for any non-trial deployment. |
 | `DB_SETUP_WAIT` | 20 | Used when `DB_SETUP=automatic\|automatic-only`. Time, in seconds, the application is going to wait to set up the database. Useful if you are deploying the database and SimpleRisk at the same time |
 | `SIMPLERISK_DB_HOSTNAME` | `localhost` | Hostname of the database server |
 | `SIMPLERISK_DB_PORT` | 3306 | Port to contact the database |