#!/bin/bash
set -eo pipefail
shopt -s nullglob

# logging functions
mysql_log() {
    local type="$1"
    shift
    printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*"
}
mysql_note() {
    mysql_log Note "$@"
}
mysql_warn() {
    mysql_log Warn "$@" >&2
}
mysql_error() {
    mysql_log ERROR "$@" >&2
    exit 1
}

# usage: file_env VAR [DEFAULT]
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
    local var="$1"
    local fileVar="${var}_FILE"
    local def="${2:-}"
    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
        mysql_error "Both $var and $fileVar are set (but are exclusive)"
    fi
    local val="$def"
    if [ "${!var:-}" ]; then
        val="${!var}"
    elif [ "${!fileVar:-}" ]; then
        val="$(<"${!fileVar}")"
    fi
    export "$var"="$val"
    unset "$fileVar"
}

# set MARIADB_xyz from MYSQL_xyz when MARIADB_xyz is unset
# and make them the same value (so user scripts can use either)
_mariadb_file_env() {
    local var="$1"
    shift
    local maria="MARIADB_${var#MYSQL_}"
    file_env "$var" "$@"
    file_env "$maria" "${!var}"
    if [ "${!maria:-}" ]; then
        export "$var"="${!maria}"
    fi
}

# check to see if this file is being run or sourced from another script
_is_sourced() {
    # https://unix.stackexchange.com/a/215279
    [ "${#FUNCNAME[@]}" -ge 2 ] &&
        [ "${FUNCNAME[0]}" = '_is_sourced' ] &&
        [ "${FUNCNAME[1]}" = 'source' ]
}

# usage: docker_process_init_files [file [file [...]]]
#    ie: docker_process_init_files /always-initdb.d/*
# process initializer files, based on file extensions
docker_process_init_files() {
    # mysql here for backwards compatibility "${mysql[@]}"
    # ShellCheck: mysql appears unused. Verify use (or export if used externally)
    # shellcheck disable=SC2034
    mysql=(docker_process_sql)

    echo
    local f
    for f; do
        case "$f" in
        *.sh)
            # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
            # https://github.com/docker-library/postgres/pull/452
            if [ -x "$f" ]; then
                mysql_note "$0: running $f"
                "$f"
            else
                mysql_note "$0: sourcing $f"
                # ShellCheck can't follow non-constant source. Use a directive to specify location.
                # shellcheck disable=SC1090
                . "$f"
            fi
            ;;
        *.sql)
            mysql_note "$0: running $f"
            docker_process_sql <"$f"
            echo
            ;;
        *.sql.gz)
            mysql_note "$0: running $f"
            gunzip -c "$f" | docker_process_sql
            echo
            ;;
        *.sql.xz)
            mysql_note "$0: running $f"
            xzcat "$f" | docker_process_sql
            echo
            ;;
        *.sql.zst)
            mysql_note "$0: running $f"
            zstd -dc "$f" | docker_process_sql
            echo
            ;;
        *) mysql_warn "$0: ignoring $f" ;;
        esac
        echo
    done
}

# arguments necessary to run "mariadbd --verbose --help" successfully (used for testing configuration validity and for extracting default/configured values)
_verboseHelpArgs=(
    --verbose --help
)

mysql_check_config() {
    local toRun=("$@" "${_verboseHelpArgs[@]}") errors
    if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
        mysql_error $'mariadbd failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors"
    fi
}

# Fetch value from server config
# We use mariadbd --verbose --help instead of my_print_defaults because the
# latter only show values present in config files, and not server defaults
mysql_get_config() {
    local conf="$1"
    shift
    "$@" "${_verboseHelpArgs[@]}" 2>/dev/null |
        awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
    # match "datadir      /some/path with/spaces in/it here" but not "--xyz=abc\n     datadir (xyz)"
}

# Do a temporary startup of the MariaDB server, for init purposes
docker_temp_server_start() {
    "$@" --skip-networking --default-time-zone=SYSTEM --socket="${SOCKET}" --wsrep_on=OFF \
        --expire-logs-days=0 \
        --loose-innodb_buffer_pool_load_at_startup=0 \
        --skip-ssl --ssl-cert='' --ssl-key='' --ssl-ca='' \
        &
    declare -g MARIADB_PID
    MARIADB_PID=$!
    mysql_note "Waiting for server startup"
    # only use the root password if the database has already been initialized
    # so that it won't try to fill in a password file when it hasn't been set yet
    extraArgs=()
    if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
        extraArgs+=('--dont-use-mysql-root-password')
    fi
    local i
    for i in {30..0}; do
        if docker_process_sql "${extraArgs[@]}" --database=mysql \
            --skip-ssl --skip-ssl-verify-server-cert \
            <<<'SELECT 1' &>/dev/null; then
            break
        fi
        sleep 1
    done
    if [ "$i" = 0 ]; then
        mysql_error "Unable to start server."
    fi
}

# Stop the server. When using a local socket file mariadb-admin will block until
# the shutdown is complete.
docker_temp_server_stop() {
    kill "$MARIADB_PID"
    wait "$MARIADB_PID"
}

# Verify that the minimally required password settings are set for new databases.
docker_verify_minimum_env() {
    # Restoring from backup requires no environment variables
    declare -g DATABASE_INIT_FROM_BACKUP
    for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do
        if [ -f "${file}" ]; then
            DATABASE_INIT_FROM_BACKUP='true'
            return
        fi
    done
    if [ -z "$MARIADB_ROOT_PASSWORD" ] && [ -z "$MARIADB_ROOT_PASSWORD_HASH" ] && [ -z "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] && [ -z "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then
        mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ROOT_PASSWORD_HASH, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD'
    fi
    # More preemptive exclusions of combinations should have been made before *PASSWORD_HASH was added, but for now we don't enforce due to compatibility.
    if [ -n "$MARIADB_ROOT_PASSWORD" ] || [ -n "$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" ] || [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ] && [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then
        mysql_error "Cannot specify MARIADB_ROOT_PASSWORD_HASH and another MARIADB_ROOT_PASSWORD* option."
    fi
    if [ -n "$MARIADB_PASSWORD" ] && [ -n "$MARIADB_PASSWORD_HASH" ]; then
        mysql_error "Cannot specify MARIADB_PASSWORD_HASH and MARIADB_PASSWORD option."
    fi
    if [ -n "$MARIADB_REPLICATION_USER" ]; then
        if [ -z "$MARIADB_MASTER_HOST" ]; then
            # its a master, we're creating a user
            if [ -z "$MARIADB_REPLICATION_PASSWORD" ] && [ -z "$MARIADB_REPLICATION_PASSWORD_HASH" ]; then
                mysql_error "MARIADB_REPLICATION_PASSWORD or MARIADB_REPLICATION_PASSWORD_HASH not found to create replication user for master"
            fi
        else
            # its a replica
            if [ -z "$MARIADB_REPLICATION_PASSWORD" ]; then
                mysql_error "MARIADB_REPLICATION_PASSWORD is mandatory to specify the replication on the replica image."
            fi
            if [ -n "$MARIADB_REPLICATION_PASSWORD_HASH" ]; then
                mysql_warn "MARIADB_REPLICATION_PASSWORD_HASH cannot be specified on a replica"
            fi
        fi
    fi
    if [ -n "$MARIADB_MASTER_HOST" ] && { [ -z "$MARIADB_REPLICATION_USER" ] || [ -z "$MARIADB_REPLICATION_PASSWORD" ]; }; then
        mysql_error "For a replica, MARIADB_REPLICATION_USER and MARIADB_REPLICATION is mandatory."
    fi
}

# creates folders for the database
# also ensures permission for user mysql of run as root
docker_create_db_directories() {
    local user
    user="$(id -u)"

    # TODO other directories that are used by default? like /var/lib/mysql-files
    # see https://github.com/docker-library/mysql/issues/562
    mkdir -p "$DATADIR"

    if [ "$user" = "0" ]; then
        # this will cause less disk access than `chown -R`
        find "$DATADIR" \! -user mysql \( -exec chown mysql: '{}' + -o -true \)
        # See https://github.com/MariaDB/mariadb-docker/issues/363
        if [ "${SOCKET:0:1}" != '@' ]; then # not abstract sockets
            find "${SOCKET%/*}" -maxdepth 0 \! -user mysql \( -exec chown mysql: '{}' \; -o -true \)
        fi

        # memory.pressure
        local cgroup
        cgroup=$(</proc/self/cgroup)
        local mempressure="/sys/fs/cgroup/${cgroup:3}/memory.pressure"
        if [ -w "$mempressure" ]; then
            chown mysql: "$mempressure" || mysql_warn "unable to change ownership of $mempressure, functionality unavailable to MariaDB"
        else
            mysql_warn "$mempressure not writable, functionality unavailable to MariaDB"
        fi
    fi
}

_mariadb_version() {
    echo -n "11.5.2-MariaDB"
}

# initializes the database directory
docker_init_database_dir() {
    mysql_note "Initializing database files"
    installArgs=(--datadir="$DATADIR" --rpm --auth-root-authentication-method=normal)
    # "Other options are passed to mariadbd." (so we pass all "mariadbd" arguments directly here)

    local mariadbdArgs=()
    for arg in "${@:2}"; do
        # Check if the argument contains whitespace
        if [[ "$arg" =~ [[:space:]] ]]; then
            mysql_warn "Not passing argument \'$arg\' to mariadb-install-db because mariadb-install-db does not support arguments with whitespace."
        else
            mariadbdArgs+=("$arg")
        fi
    done
    mariadb-install-db "${installArgs[@]}" "${mariadbdArgs[@]}" \
        --cross-bootstrap \
        --skip-test-db \
        --old-mode='UTF8_IS_UTF8MB3' \
        --default-time-zone=SYSTEM --enforce-storage-engine= \
        --skip-log-bin \
        --expire-logs-days=0 \
        --loose-innodb_buffer_pool_load_at_startup=0 \
        --loose-innodb_buffer_pool_dump_at_shutdown=0
    mysql_note "Database files initialized"
}

# Loads various settings that are used elsewhere in the script
# This should be called after mysql_check_config, but before any other functions
docker_setup_env() {
    # Get config
    declare -g DATADIR SOCKET PORT
    DATADIR="$(mysql_get_config 'datadir' "$@")"
    SOCKET="$(mysql_get_config 'socket' "$@")"
    PORT="$(mysql_get_config 'port' "$@")"

    # Initialize values that might be stored in a file
    _mariadb_file_env 'MYSQL_ROOT_HOST' '%'
    _mariadb_file_env 'MYSQL_DATABASE'
    _mariadb_file_env 'MYSQL_USER'
    _mariadb_file_env 'MYSQL_PASSWORD'
    _mariadb_file_env 'MYSQL_ROOT_PASSWORD'
    # No MYSQL_ compatibility needed for new variables
    file_env 'MARIADB_PASSWORD_HASH'
    file_env 'MARIADB_ROOT_PASSWORD_HASH'
    # env variables related to replication
    file_env 'MARIADB_REPLICATION_USER'
    file_env 'MARIADB_REPLICATION_PASSWORD'
    file_env 'MARIADB_REPLICATION_PASSWORD_HASH'
    # env variables related to master
    file_env 'MARIADB_MASTER_HOST'
    file_env 'MARIADB_MASTER_PORT' 3306

    # set MARIADB_ from MYSQL_ when it is unset and then make them the same value
    : "${MARIADB_ALLOW_EMPTY_ROOT_PASSWORD:=${MYSQL_ALLOW_EMPTY_PASSWORD:-}}"
    export MYSQL_ALLOW_EMPTY_PASSWORD="$MARIADB_ALLOW_EMPTY_ROOT_PASSWORD" MARIADB_ALLOW_EMPTY_ROOT_PASSWORD
    : "${MARIADB_RANDOM_ROOT_PASSWORD:=${MYSQL_RANDOM_ROOT_PASSWORD:-}}"
    export MYSQL_RANDOM_ROOT_PASSWORD="$MARIADB_RANDOM_ROOT_PASSWORD" MARIADB_RANDOM_ROOT_PASSWORD
    : "${MARIADB_INITDB_SKIP_TZINFO:=${MYSQL_INITDB_SKIP_TZINFO:-}}"
    export MYSQL_INITDB_SKIP_TZINFO="$MARIADB_INITDB_SKIP_TZINFO" MARIADB_INITDB_SKIP_TZINFO

    declare -g DATABASE_ALREADY_EXISTS
    if [ -d "$DATADIR/mysql" ]; then
        DATABASE_ALREADY_EXISTS='true'
    fi
}

# Execute the client, use via docker_process_sql to handle root password
docker_exec_client() {
    # args sent in can override this db, since they will be later in the command
    if [ -n "$MYSQL_DATABASE" ]; then
        set -- --database="$MYSQL_DATABASE" "$@"
    fi
    mariadb --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
}

# Execute sql script, passed via stdin
# usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args]
#    ie: docker_process_sql --database=mydb <<<'INSERT ...'
#    ie: docker_process_sql --dont-use-mysql-root-password --database=mydb <my-file.sql
docker_process_sql() {
    if [ '--dont-use-mysql-root-password' = "$1" ]; then
        shift
        MYSQL_PWD='' docker_exec_client "$@"
    else
        MYSQL_PWD=$MARIADB_ROOT_PASSWORD docker_exec_client "$@"
    fi
}

# SQL escape the string $1 to be placed in a string literal.
# escape, \ followed by '
docker_sql_escape_string_literal() {
    local newline=$'\n'
    local escaped=${1//\\/\\\\}
    escaped="${escaped//$newline/\\n}"
    echo "${escaped//\'/\\\'}"
}

# Creates replication user
create_replica_user() {
    if [ -n "$MARIADB_REPLICATION_PASSWORD_HASH" ]; then
        echo "CREATE USER '$MARIADB_REPLICATION_USER'@'%' IDENTIFIED BY PASSWORD '$MARIADB_REPLICATION_PASSWORD_HASH';"
    else
        # SQL escape the user password, \ followed by '
        local userPasswordEscaped
        userPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_REPLICATION_PASSWORD}")
        echo "CREATE USER '$MARIADB_REPLICATION_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';"
    fi
    echo "GRANT REPLICATION REPLICA ON *.* TO '$MARIADB_REPLICATION_USER'@'%';"
}

# Create healthcheck users
create_healthcheck_users() {
    local healthCheckGrant=USAGE
    local healthCheckConnectPass
    local healthCheckConnectPassEscaped
    healthCheckConnectPass="$(pwgen --numerals --capitalize --symbols --remove-chars="=#'\\" -1 32)"
    healthCheckConnectPassEscaped=$(docker_sql_escape_string_literal "${healthCheckConnectPass}")
    if [ -n "$MARIADB_HEALTHCHECK_GRANTS" ]; then
        healthCheckGrant="$MARIADB_HEALTHCHECK_GRANTS"
    fi
    for host in 127.0.0.1 ::1 localhost; do
        echo "CREATE USER IF NOT EXISTS healthcheck@'$host' IDENTIFIED BY '$healthCheckConnectPassEscaped';"
        # doing this so if the users exists, we're just setting the password, and not replacing the existing grants
        echo "SET PASSWORD FOR healthcheck@'$host' = PASSWORD('$healthCheckConnectPassEscaped');"
        echo "GRANT $healthCheckGrant ON *.* TO healthcheck@'$host';"
    done
    local maskPreserve
    maskPreserve=$(umask -p)
    umask 0077
    echo -e "[mariadb-client]\\nport=$PORT\\nsocket=$SOCKET\\nuser=healthcheck\\npassword=$healthCheckConnectPass\\n" >"$DATADIR"/.my-healthcheck.cnf
    $maskPreserve
}

# Initializes database with timezone info and root password, plus optional extra db/user
docker_setup_db() {
    # Load timezone info into database
    if [ -z "$MARIADB_INITDB_SKIP_TZINFO" ]; then
        # --skip-write-binlog usefully disables binary logging
        # but also outputs LOCK TABLES to improve the IO of
        # Aria (MDEV-23326) for 10.4+.
        mariadb-tzinfo-to-sql --skip-write-binlog /usr/share/zoneinfo |
            docker_process_sql --dont-use-mysql-root-password --database=mysql
        # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet
    fi
    # Generate random root password
    if [ -n "$MARIADB_RANDOM_ROOT_PASSWORD" ]; then
        MARIADB_ROOT_PASSWORD="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
        export MARIADB_ROOT_PASSWORD MYSQL_ROOT_PASSWORD=$MARIADB_ROOT_PASSWORD
        mysql_note "GENERATED ROOT PASSWORD: $MARIADB_ROOT_PASSWORD"
    fi

    # Creates root users for non-localhost hosts
    local rootCreate=
    local rootPasswordEscaped=
    if [ -n "$MARIADB_ROOT_PASSWORD" ]; then
        # Sets root password and creates root users for non-localhost hosts
        rootPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}")
    fi

    # default root to listen for connections from anywhere
    if [ -n "$MARIADB_ROOT_HOST" ] && [ "$MARIADB_ROOT_HOST" != 'localhost' ]; then
        # ref "read -d ''", no, we don't care if read finds a terminating character in this heredoc
        # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
        if [ -n "$MARIADB_ROOT_PASSWORD_HASH" ]; then
            read -r -d '' rootCreate <<-EOSQL || true
				CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY PASSWORD '${MARIADB_ROOT_PASSWORD_HASH}' ;
				GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ;
				GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION;
			EOSQL
        else
            read -r -d '' rootCreate <<-EOSQL || true
				CREATE USER 'root'@'${MARIADB_ROOT_HOST}' IDENTIFIED BY '${rootPasswordEscaped}' ;
				GRANT ALL ON *.* TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION ;
				GRANT PROXY ON ''@'%' TO 'root'@'${MARIADB_ROOT_HOST}' WITH GRANT OPTION;
			EOSQL
        fi
    fi

    local mysqlAtLocalhost=
    local mysqlAtLocalhostGrants=
    # Install mysql@localhost user
    if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then
        read -r -d '' mysqlAtLocalhost <<-EOSQL || true
		CREATE USER mysql@localhost IDENTIFIED VIA unix_socket;
		EOSQL
        if [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then
            if [ "$MARIADB_MYSQL_LOCALHOST_GRANTS" != USAGE ]; then
                mysql_warn "Excessive privileges ON *.* TO mysql@localhost facilitates risks to the confidentiality, integrity and availability of data stored"
            fi
            mysqlAtLocalhostGrants="GRANT ${MARIADB_MYSQL_LOCALHOST_GRANTS} ON *.* TO mysql@localhost;"
        fi
    fi

    local createHealthCheckUsers
    createHealthCheckUsers=$(create_healthcheck_users)

    local rootLocalhostPass=
    if [ -z "$MARIADB_ROOT_PASSWORD_HASH" ]; then
        # handle MARIADB_ROOT_PASSWORD_HASH for root@localhost after /docker-entrypoint-initdb.d
        rootLocalhostPass="SET PASSWORD FOR 'root'@'localhost'= PASSWORD('${rootPasswordEscaped}');"
    fi

    local createDatabase=
    # Creates a custom database and user if specified
    if [ -n "$MARIADB_DATABASE" ]; then
        mysql_note "Creating database ${MARIADB_DATABASE}"
        createDatabase="CREATE DATABASE IF NOT EXISTS \`$MARIADB_DATABASE\`;"
    fi

    local createUser=
    local userGrants=
    if [ -n "$MARIADB_PASSWORD" ] || [ -n "$MARIADB_PASSWORD_HASH" ] && [ -n "$MARIADB_USER" ]; then
        mysql_note "Creating user ${MARIADB_USER}"
        if [ -n "$MARIADB_PASSWORD_HASH" ]; then
            createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY PASSWORD '$MARIADB_PASSWORD_HASH';"
        else
            # SQL escape the user password, \ followed by '
            local userPasswordEscaped
            userPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_PASSWORD}")
            createUser="CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY '$userPasswordEscaped';"
        fi

        if [ -n "$MARIADB_DATABASE" ]; then
            mysql_note "Giving user ${MARIADB_USER} access to schema ${MARIADB_DATABASE}"
            userGrants="GRANT ALL ON \`${MARIADB_DATABASE//_/\\_}\`.* TO '$MARIADB_USER'@'%';"
        fi
    fi

    # To create replica user
    local createReplicaUser=
    local changeMasterTo=
    local startReplica=
    if [ -n "$MARIADB_REPLICATION_USER" ]; then
        if [ -z "$MARIADB_MASTER_HOST" ]; then
            # on master
            mysql_note "Creating user ${MARIADB_REPLICATION_USER}"
            createReplicaUser=$(create_replica_user)
        else
            # on replica
            local rplPasswordEscaped
            rplPasswordEscaped=$(docker_sql_escape_string_literal "${MARIADB_REPLICATION_PASSWORD}")
            # SC cannot follow how MARIADB_MASTER_PORT is assigned a default value.
            # shellcheck disable=SC2153
            changeMasterTo="CHANGE MASTER TO MASTER_HOST='$MARIADB_MASTER_HOST', MASTER_USER='$MARIADB_REPLICATION_USER', MASTER_PASSWORD='$rplPasswordEscaped', MASTER_PORT=$MARIADB_MASTER_PORT, MASTER_CONNECT_RETRY=10;"
            startReplica="START REPLICA;"
        fi
    fi

    mysql_note "Securing system users (equivalent to running mysql_secure_installation)"
    # tell docker_process_sql to not use MARIADB_ROOT_PASSWORD since it is just now being set
    # --binary-mode to save us from the semi-mad users go out of their way to confuse the encoding.
    docker_process_sql --dont-use-mysql-root-password --database=mysql --binary-mode <<-EOSQL
		-- Securing system users shouldn't be replicated
		SET @orig_sql_log_bin= @@SESSION.SQL_LOG_BIN;
		SET @@SESSION.SQL_LOG_BIN=0;
                -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set
		SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');

		DROP USER IF EXISTS root@'127.0.0.1', root@'::1';
		EXECUTE IMMEDIATE CONCAT('DROP USER IF EXISTS root@\'', @@hostname,'\'');

		${rootLocalhostPass}
		${rootCreate}
		${mysqlAtLocalhost}
		${mysqlAtLocalhostGrants}
		${createHealthCheckUsers}
		-- end of securing system users, rest of init now...
		SET @@SESSION.SQL_LOG_BIN=@orig_sql_log_bin;
		-- create users/databases
		${createDatabase}
		${createUser}
		${createReplicaUser}
		${userGrants}

		${changeMasterTo}
		${startReplica}
	EOSQL
}

# create a new installation
docker_mariadb_init() {

    # check dir permissions to reduce likelihood of half-initialized database
    ls /docker-entrypoint-initdb.d/ >/dev/null

    if [ -n "$DATABASE_INIT_FROM_BACKUP" ]; then
        shopt -s dotglob
        for file in /docker-entrypoint-initdb.d/*.tar{.gz,.xz,.zst}; do
            mkdir -p "$DATADIR"/.init
            tar --auto-compress --extract --file "$file" --directory="$DATADIR"/.init
            mariadb-backup --target-dir="$DATADIR"/.init --datadir="$DATADIR"/.restore --move-back

            mv "$DATADIR"/.restore/** "$DATADIR"/
            if [ -f "$DATADIR/.init/backup-my.cnf" ]; then
                mv "$DATADIR/.init/backup-my.cnf" "$DATADIR/.my.cnf"
                mysql_note "Adding startup configuration:"
                my_print_defaults --defaults-file="$DATADIR/.my.cnf" --mariadbd
            fi
            rm -rf "$DATADIR"/.init "$DATADIR"/.restore
            if [ "$(id -u)" = "0" ]; then
                # this will cause less disk access than `chown -R`
                find "$DATADIR" \! -user mysql \( -exec chown mysql: '{}' + -o -true \)
            fi
        done
        if _check_if_upgrade_is_needed; then
            docker_mariadb_upgrade "$@"
        fi
        return
    fi
    docker_init_database_dir "$@"

    mysql_note "Starting temporary server"
    docker_temp_server_start "$@"
    mysql_note "Temporary server started."

    docker_setup_db
    docker_process_init_files /docker-entrypoint-initdb.d/*
    # Wait until after /docker-entrypoint-initdb.d is performed before setting
    # root@localhost password to a hash we don't know the password for.
    if [ -n "${MARIADB_ROOT_PASSWORD_HASH}" ]; then
        mysql_note "Setting root@localhost password hash"
        docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL
			SET @@SESSION.SQL_LOG_BIN=0;
			SET PASSWORD FOR 'root'@'localhost'= '${MARIADB_ROOT_PASSWORD_HASH}';
		EOSQL
    fi

    mysql_note "Stopping temporary server"
    docker_temp_server_stop
    mysql_note "Temporary server stopped"

    echo
    mysql_note "MariaDB init process done. Ready for start up."
    echo
}

# backup the mysql database
docker_mariadb_backup_system() {
    if [ -n "$MARIADB_DISABLE_UPGRADE_BACKUP" ] &&
        [ "$MARIADB_DISABLE_UPGRADE_BACKUP" = 1 ]; then
        mysql_note "MariaDB upgrade backup disabled due to \$MARIADB_DISABLE_UPGRADE_BACKUP=1 setting"
        return
    fi
    local backup_db="system_mysql_backup_unknown_version.sql.zst"
    local oldfullversion="unknown_version"
    if [ -r "$DATADIR"/mariadb_upgrade_info ]; then
        read -r -d '' oldfullversion <"$DATADIR"/mariadb_upgrade_info || true
        if [ -n "$oldfullversion" ]; then
            backup_db="system_mysql_backup_${oldfullversion}.sql.zst"
        fi
    fi

    mysql_note "Backing up system database to $backup_db"
    if ! mariadb-dump --skip-lock-tables --replace --databases mysql --socket="${SOCKET}" | zstd >"${DATADIR}/${backup_db}"; then
        mysql_error "Unable backup system database for upgrade from $oldfullversion."
    fi
    mysql_note "Backing up complete"
}

# perform mariadb-upgrade
# backup the mysql database if this is a major upgrade
docker_mariadb_upgrade() {
    if [ -z "$MARIADB_AUTO_UPGRADE" ] ||
        [ "$MARIADB_AUTO_UPGRADE" = 0 ]; then
        mysql_note "MariaDB upgrade (mariadb-upgrade or creating healthcheck users) required, but skipped due to \$MARIADB_AUTO_UPGRADE setting"
        return
    fi
    mysql_note "Starting temporary server"
    docker_temp_server_start "$@" --skip-grant-tables \
        --loose-innodb_buffer_pool_dump_at_shutdown=0 \
        --skip-slave-start
    mysql_note "Temporary server started."

    docker_mariadb_backup_system

    if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then
        mysql_note "Creating healthcheck users"
        local createHealthCheckUsers
        createHealthCheckUsers=$(create_healthcheck_users)
        docker_process_sql --dont-use-mysql-root-password --binary-mode <<-EOSQL
		-- Healthcheck users shouldn't be replicated
		SET @@SESSION.SQL_LOG_BIN=0;
                -- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set
		SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');
		FLUSH PRIVILEGES;
		$createHealthCheckUsers
EOSQL
        mysql_note "Stopping temporary server"
        docker_temp_server_stop
        mysql_note "Temporary server stopped"

        if _check_if_upgrade_is_needed; then
            # need a restart as FLUSH PRIVILEGES isn't reversable
            mysql_note "Restarting temporary server for upgrade"
            docker_temp_server_start "$@" --skip-grant-tables \
                --loose-innodb_buffer_pool_dump_at_shutdown=0 \
                --skip-slave-start
        else
            return 0
        fi
    fi

    mysql_note "Starting mariadb-upgrade"
    mariadb-upgrade --upgrade-system-tables
    mysql_note "Finished mariadb-upgrade"

    mysql_note "Stopping temporary server"
    docker_temp_server_stop
    mysql_note "Temporary server stopped"
}

_check_if_upgrade_is_needed() {
    if [ ! -f "$DATADIR"/mariadb_upgrade_info ]; then
        mysql_note "MariaDB upgrade information missing, assuming required"
        return 0
    fi
    local mariadbVersion
    mariadbVersion="$(_mariadb_version)"
    IFS='.-' read -ra newversion <<<"$mariadbVersion"
    IFS='.-' read -ra oldversion <"$DATADIR"/mariadb_upgrade_info || true

    if [[ ${#newversion[@]} -lt 2 ]] || [[ ${#oldversion[@]} -lt 2 ]] ||
        [[ ${oldversion[0]} -lt ${newversion[0]} ]] ||
        [[ ${oldversion[0]} -eq ${newversion[0]} && ${oldversion[1]} -lt ${newversion[1]} ]]; then
        return 0
    fi
    if [ ! -f "$DATADIR"/.my-healthcheck.cnf ]; then
        mysql_note "MariaDB heathcheck configation file missing, assuming desirable"
        return 0
    fi
    mysql_note "MariaDB upgrade not required"
    return 1
}

# check arguments for an option that would cause mariadbd to stop
# return true if there is one
_mysql_want_help() {
    local arg
    for arg; do
        case "$arg" in
        -'?' | --help | --print-defaults | -V | --version)
            return 0
            ;;
        esac
    done
    return 1
}

_main() {
    # if command starts with an option, prepend mariadbd
    if [ "${1:0:1}" = '-' ]; then
        set -- mariadbd "$@"
    fi

    #ENDOFSUBSTITUTIONS
    # skip setup if they aren't running mysqld or want an option that stops mysqld
    if [ "$1" = 'mariadbd' ] || [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then
        mysql_note "Entrypoint script for MariaDB Server ${MARIADB_VERSION} started."

        mysql_check_config "$@"
        # Load various environment variables
        docker_setup_env "$@"
        docker_create_db_directories

        # If container is started as root user, restart as dedicated mysql user
        if [ "$(id -u)" = "0" ]; then
            mysql_note "Switching to dedicated user 'mysql'"
            exec gosu mysql "${BASH_SOURCE[0]}" "$@"
        fi

        # there's no database, so it needs to be initialized
        if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
            docker_verify_minimum_env

            docker_mariadb_init "$@"
        # MDEV-27636 mariadb_upgrade --check-if-upgrade-is-needed cannot be run offline
        #elif mariadb-upgrade --check-if-upgrade-is-needed; then
        elif _check_if_upgrade_is_needed; then
            docker_mariadb_upgrade "$@"
        fi
    fi
    exec "$@"
}

# If we are sourced from elsewhere, don't perform any further actions
if ! _is_sourced; then
    _main "$@"
fi