test: add Batch 4 mysql-* container tests (binlog-cache, database-metrics, table-indexes, user-security)

markuslf · markuslf · commit 6e42a70dd39c · 2026-04-13T18:57:38.000+02:00
Four happy-path (and intentional-warn-path) container tests for the
mysql-* plugins that need explicit schema, config or privilege
setup beyond a stock MariaDB boot.

- mysql-binlog-cache: boots MariaDB with `--log-bin --server-id=1`
  so the binlog counters are actually exposed and exercises the
  "binlog active" code path.
- mysql-database-metrics: seeds a small user table in the default
  `test` database via the run_mariadb seed= param so
  information_schema has a real user schema to walk; asserts the
  happy-path "Everything is ok." output.
- mysql-table-indexes: seeds one indexed and one intentionally
  unindexed table, then pins STATE_WARN plus the "no_index_tbl"
  string. A freshly booted default MariaDB with a table missing
  an index is the correct monitoring signal and the test exists
  to keep the detection logic in place.
- mysql-user-security: grants the test user SELECT on mysql.* so
  the plugin can read `mysql.user` / `mysql.global_priv`, then
  pins the two legitimate warnings every default MariaDB image
  produces (test user has the username as password; both root
  and test are declared with host `%`).

The grant step works across both image families: sclorg boots
MariaDB as the mysql OS user which lets `mariadb -uroot` connect
without a password via socket auth, while the upstream image
requires the `-p&lt;root-password&gt;` flag. The test tries the
password-less variant first and falls back on failure.

mysql-logfile was considered for this batch but deferred: it
reads a local filesystem error log from the host running the
plugin, which is a cpu-usage-style "plugin runs inside the
container" pattern rather than a "plugin runs from the host
against a service container" pattern.
diff --git a/check-plugins/mysql-binlog-cache/unit-test/run b/check-plugins/mysql-binlog-cache/unit-test/run
@@ -0,0 +1,82 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8; py-indent-offset: 4 -*-
+#
+# Author:  Linuxfabrik GmbH, Zurich, Switzerland
+# Contact: info (at) linuxfabrik (dot) ch
+#          https://www.linuxfabrik.ch/
+# License: The Unlicense, see LICENSE file.
+
+# https://github.com/Linuxfabrik/monitoring-plugins/blob/main/CONTRIBUTING.md
+
+"""Integration tests for the mysql-binlog-cache check plugin.
+
+The plugin opens a real `pymysql` connection and reads
+`Binlog_cache_use` / `Binlog_cache_disk_use` from
+`SHOW GLOBAL STATUS` plus `binlog_cache_size` from `SHOW VARIABLES`,
+so a static fixture cannot drive it. A freshly booted MariaDB with
+the binary log disabled has all binlog counters at zero and the
+variables are still exposed, so the plugin reports OK. To make
+sure the "binlog actually active" code path is exercised too, we
+boot the server with `--log-bin` enabled.
+
+Per CONTRIBUTING's "Combine container tests with fixtures" rule,
+this file holds only the happy-path integration test.
+
+Runs against the current MariaDB LTS releases
+(`lib.lftest.MARIADB_LTS_IMAGES`).
+
+Requirements:
+- podman (or docker) with a reachable socket
+- `pip install testcontainers`
+- `tools/run-unit-tests` auto-sets `CONTAINER_HOST` and
+  `TESTCONTAINERS_RYUK_DISABLED`
+"""
+
+import os
+import subprocess
+import sys
+import unittest
+
+sys.path.insert(0, '..')
+
+import lib.lftest
+from lib.globals import STATE_OK
+
+
+IMAGES = lib.lftest.MARIADB_LTS_IMAGES
+
+
+class TestCheck(unittest.TestCase):
+    pass
+
+
+def _check_image(test, image_pair):
+    image, label = image_pair
+    print(f'\n=== Testing {label} ({image}) ===', flush=True)
+    with lib.lftest.run_mariadb(
+        image,
+        extra_args='--log-bin --server-id=1',
+    ) as (_container, defaults_file):
+        cmd = [
+            'python3', '../mysql-binlog-cache',
+            f'--defaults-file={defaults_file}',
+        ]
+        print(f'Run plugin: {" ".join(cmd)}', flush=True)
+        result = subprocess.run(
+            cmd,
+            cwd=os.path.dirname(os.path.abspath(__file__)),
+            capture_output=True,
+            text=True,
+        )
+        combined = result.stdout + result.stderr
+        print(f'Script output:\n{combined.strip()}', flush=True)
+
+        test.assertEqual(result.returncode, STATE_OK)
+        test.assertIn("|'mysql_", combined)
+
+
+lib.lftest.attach_each(TestCheck, IMAGES, _check_image, id_func=lambda it: it[1])
+
+
+if __name__ == '__main__':
+    unittest.main()
diff --git a/check-plugins/mysql-database-metrics/unit-test/run b/check-plugins/mysql-database-metrics/unit-test/run
@@ -0,0 +1,88 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8; py-indent-offset: 4 -*-
+#
+# Author:  Linuxfabrik GmbH, Zurich, Switzerland
+# Contact: info (at) linuxfabrik (dot) ch
+#          https://www.linuxfabrik.ch/
+# License: The Unlicense, see LICENSE file.
+
+# https://github.com/Linuxfabrik/monitoring-plugins/blob/main/CONTRIBUTING.md
+
+"""Integration tests for the mysql-database-metrics check plugin.
+
+The plugin opens a real `pymysql` connection and queries
+`information_schema.schemata`, then for every user database it
+walks `information_schema.tables` / `COLUMNS` to collect table
+count, row count, data/index size and charset information. We
+spin up an actual MariaDB server, seed the default `test`
+database with a tiny table so the plugin has something to walk,
+and let it talk to the server over TCP.
+
+Per CONTRIBUTING's "Combine container tests with fixtures" rule,
+this file holds only the happy-path integration test.
+
+Runs against the current MariaDB LTS releases
+(`lib.lftest.MARIADB_LTS_IMAGES`).
+
+Requirements:
+- podman (or docker) with a reachable socket
+- `pip install testcontainers`
+- `tools/run-unit-tests` auto-sets `CONTAINER_HOST` and
+  `TESTCONTAINERS_RYUK_DISABLED`
+"""
+
+import os
+import subprocess
+import sys
+import unittest
+
+sys.path.insert(0, '..')
+
+import lib.lftest
+from lib.globals import STATE_OK
+
+
+IMAGES = lib.lftest.MARIADB_LTS_IMAGES
+
+
+class TestCheck(unittest.TestCase):
+    pass
+
+
+def _check_image(test, image_pair):
+    image, label = image_pair
+    print(f'\n=== Testing {label} ({image}) ===', flush=True)
+    with lib.lftest.run_mariadb(
+        image,
+        seed=(
+            'CREATE TABLE countries ('
+            'code CHAR(3) PRIMARY KEY, '
+            'name VARCHAR(64) NOT NULL'
+            ') ENGINE=InnoDB; '
+            "INSERT INTO countries VALUES "
+            "('CHE', 'Switzerland'), ('DEU', 'Germany'), ('FRA', 'France')"
+        ),
+    ) as (_container, defaults_file):
+        cmd = [
+            'python3', '../mysql-database-metrics',
+            f'--defaults-file={defaults_file}',
+        ]
+        print(f'Run plugin: {" ".join(cmd)}', flush=True)
+        result = subprocess.run(
+            cmd,
+            cwd=os.path.dirname(os.path.abspath(__file__)),
+            capture_output=True,
+            text=True,
+        )
+        combined = result.stdout + result.stderr
+        print(f'Script output:\n{combined.strip()}', flush=True)
+
+        test.assertEqual(result.returncode, STATE_OK)
+        test.assertIn('Everything is ok', combined)
+
+
+lib.lftest.attach_each(TestCheck, IMAGES, _check_image, id_func=lambda it: it[1])
+
+
+if __name__ == '__main__':
+    unittest.main()
diff --git a/check-plugins/mysql-table-indexes/unit-test/run b/check-plugins/mysql-table-indexes/unit-test/run
@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8; py-indent-offset: 4 -*-
+#
+# Author:  Linuxfabrik GmbH, Zurich, Switzerland
+# Contact: info (at) linuxfabrik (dot) ch
+#          https://www.linuxfabrik.ch/
+# License: The Unlicense, see LICENSE file.
+
+# https://github.com/Linuxfabrik/monitoring-plugins/blob/main/CONTRIBUTING.md
+
+"""Integration tests for the mysql-table-indexes check plugin.
+
+The plugin opens a real `pymysql` connection and walks
+`information_schema.tables` / `STATISTICS` for every user
+database to flag tables that have no index at all. We spin up an
+actual MariaDB server and seed the default `test` database with
+two tables - one fully indexed (PK + secondary), one intentionally
+without any index - so the plugin has real schema to walk.
+
+Per CONTRIBUTING's "Combine container tests with fixtures" rule,
+this file holds only the happy-path integration test. A freshly
+booted MariaDB with one indexed and one unindexed table trips the
+"table without index" warning, which is the correct monitoring
+signal on a real server and the behavior the test pins.
+
+Runs against the current MariaDB LTS releases
+(`lib.lftest.MARIADB_LTS_IMAGES`).
+
+Requirements:
+- podman (or docker) with a reachable socket
+- `pip install testcontainers`
+- `tools/run-unit-tests` auto-sets `CONTAINER_HOST` and
+  `TESTCONTAINERS_RYUK_DISABLED`
+"""
+
+import os
+import subprocess
+import sys
+import unittest
+
+sys.path.insert(0, '..')
+
+import lib.lftest
+from lib.globals import STATE_WARN
+
+
+IMAGES = lib.lftest.MARIADB_LTS_IMAGES
+
+
+class TestCheck(unittest.TestCase):
+    pass
+
+
+def _check_image(test, image_pair):
+    image, label = image_pair
+    print(f'\n=== Testing {label} ({image}) ===', flush=True)
+    with lib.lftest.run_mariadb(
+        image,
+        seed=(
+            'CREATE TABLE indexed_tbl ('
+            'id INT PRIMARY KEY, '
+            'name VARCHAR(64), '
+            'INDEX idx_name (name)'
+            ') ENGINE=InnoDB; '
+            'CREATE TABLE no_index_tbl ('
+            'col1 VARCHAR(16), '
+            'col2 VARCHAR(16)'
+            ') ENGINE=InnoDB'
+        ),
+    ) as (_container, defaults_file):
+        cmd = [
+            'python3', '../mysql-table-indexes',
+            f'--defaults-file={defaults_file}',
+        ]
+        print(f'Run plugin: {" ".join(cmd)}', flush=True)
+        result = subprocess.run(
+            cmd,
+            cwd=os.path.dirname(os.path.abspath(__file__)),
+            capture_output=True,
+            text=True,
+        )
+        combined = result.stdout + result.stderr
+        print(f'Script output:\n{combined.strip()}', flush=True)
+
+        test.assertEqual(result.returncode, STATE_WARN)
+        test.assertIn('no_index_tbl', combined)
+
+
+lib.lftest.attach_each(TestCheck, IMAGES, _check_image, id_func=lambda it: it[1])
+
+
+if __name__ == '__main__':
+    unittest.main()
diff --git a/check-plugins/mysql-user-security/unit-test/run b/check-plugins/mysql-user-security/unit-test/run
@@ -0,0 +1,99 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8; py-indent-offset: 4 -*-
+#
+# Author:  Linuxfabrik GmbH, Zurich, Switzerland
+# Contact: info (at) linuxfabrik (dot) ch
+#          https://www.linuxfabrik.ch/
+# License: The Unlicense, see LICENSE file.
+
+# https://github.com/Linuxfabrik/monitoring-plugins/blob/main/CONTRIBUTING.md
+
+"""Integration tests for the mysql-user-security check plugin.
+
+The plugin opens a real `pymysql` connection and queries
+`mysql.user` / `mysql.global_priv` for anonymous accounts,
+passwordless accounts and hosts granted wildcard access. Reading
+the `mysql` system database requires elevated privileges, so the
+test grants the regular `test` user SELECT on `mysql.*` via
+`container.exec` as root before running the plugin.
+
+On a default-configured MariaDB image, the plugin legitimately
+flags two security issues: the `test` user has its username as
+its password ("user with username as password"), and both root
+and test are defined as `@'%'` ("accounts without hostname
+restriction"). Both are real findings worth monitoring; the test
+pins the WARN state so the plugin's detection logic stays in
+place and a future refactor cannot silently mask either signal.
+
+Runs against the current MariaDB LTS releases
+(`lib.lftest.MARIADB_LTS_IMAGES`).
+
+Requirements:
+- podman (or docker) with a reachable socket
+- `pip install testcontainers`
+- `tools/run-unit-tests` auto-sets `CONTAINER_HOST` and
+  `TESTCONTAINERS_RYUK_DISABLED`
+"""
+
+import os
+import subprocess
+import sys
+import unittest
+
+sys.path.insert(0, '..')
+
+import lib.lftest
+from lib.globals import STATE_WARN
+
+
+IMAGES = lib.lftest.MARIADB_LTS_IMAGES
+
+
+class TestCheck(unittest.TestCase):
+    pass
+
+
+def _check_image(test, image_pair):
+    image, label = image_pair
+    print(f'\n=== Testing {label} ({image}) ===', flush=True)
+    with lib.lftest.run_mariadb(image) as (container, defaults_file):
+        # Grant the `test` user read access to the `mysql` system
+        # database so it can query `mysql.user` / `mysql.global_priv`.
+        # sclorg images accept root via socket auth (no password
+        # because the container runs as the mysql OS user); upstream
+        # images require the `-p` password. Try without password
+        # first, fall back to the password-auth variant.
+        container.exec([
+            'sh', '-c',
+            'if command -v mariadb >/dev/null 2>&1; then C=mariadb; '
+            'else C=mysql; fi; '
+            'GRANT_SQL="GRANT SELECT ON mysql.* TO '
+            "'test'@'%'"
+            '"; '
+            '"$C" -uroot -e "$GRANT_SQL" 2>/dev/null '
+            '|| "$C" -uroot -ptest -e "$GRANT_SQL"',
+        ])
+
+        cmd = [
+            'python3', '../mysql-user-security',
+            f'--defaults-file={defaults_file}',
+        ]
+        print(f'Run plugin: {" ".join(cmd)}', flush=True)
+        result = subprocess.run(
+            cmd,
+            cwd=os.path.dirname(os.path.abspath(__file__)),
+            capture_output=True,
+            text=True,
+        )
+        combined = result.stdout + result.stderr
+        print(f'Script output:\n{combined.strip()}', flush=True)
+
+        test.assertEqual(result.returncode, STATE_WARN)
+        test.assertIn('without hostname restriction', combined)
+
+
+lib.lftest.attach_each(TestCheck, IMAGES, _check_image, id_func=lambda it: it[1])
+
+
+if __name__ == '__main__':
+    unittest.main()
