The CleanStart Mysql image provides a production-ready, security-hardened database server optimized for enterprise environments. Built on a minimal base OS with comprehensive security hardening, this image delivers reliable data storage with advanced security features.
📌 Base Foundation: Security-hardened, minimal base OS designed for enterprise containerized environments.
Image Path: ghcr.io/cleanstart-containers/mysql
Registry: cleanstart
Core capabilities and strengths of this container
- High-performance data storage and retrieval
- ACID compliance and transaction support
- Advanced indexing and query optimization
- Enterprise-grade security and access control
Typical scenarios where this container excels
- Primary database for web applications
- Data warehousing and analytics workloads
- High-availability database clusters
- Development and testing environments
Download the container image from the registry
docker pull ghcr.io/cleanstart-containers/mysql:latestdocker pull ghcr.io/cleanstart-containers/mysql:latest-devRun the container with basic configuration
docker run -it --name mysql -e MYSQL_ALLOW_EMPTY_PASSWORD=yes ghcr.io/cleanstart-containers/mysql:latestDeploy with production security settings
docker run -d --name mysql-prod \
--security-opt=no-new-privileges \
--restart unless-stopped \
-e MYSQL_ROOT_PASSWORD=yourpassword \
ghcr.io/cleanstart-containers/mysql:latestVolume Mount Mount local directory for persistent data
docker run -d \
--name mysql-app \
-p 3306:3306 \
-v mysql-data:/var/lib/mysql \
-e MYSQL_ALLOW_EMPTY_PASSWORD=yes \
ghcr.io/cleanstart-containers/mysql:latestPort Forwarding Run with custom port mappings
docker run -p 8080:8080 -e MYSQL_ALLOW_EMPTY_PASSWORD=yes ghcr.io/cleanstart-containers/mysql:latestConfiguration options available through environment variables
| Variable | Default | Description |
|---|---|---|
| PATH | /var/lib/mysql | System PATH configuration |
| MYSQL_ROOT_PASSWORD | Password for the mysql superuser | |
| MYSQL_ALLOW_EMPTY_PASSWORD | no password | |
| MYSQL_RANDOM_ROOT_PASSWORD | your password |
Recommended security configurations and practices
- Use specific image tags for production (avoid latest)
- Configure resource limits: memory and CPU constraints
- Enable read-only root filesystem when possible
- Run containers with non-root user (--user 1000:1000)
- Use --security-opt=no-new-privileges flag
- Regularly update container images for security patches
- Implement proper network segmentation
- Monitor container metrics for anomalies
Recommended security context for Kubernetes deployments
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALLEssential links and resources for further information
- Container Registry: https://www.cleanstart.com/
- CleanStart Website: https://www.cleanstart.com
- CleanStart Community Images: https://hub.docker.com/u/cleanstart
- How-to-Run CleanStart images & sample projects: https://github.com/cleanstart-dev/cleanstart-containers
- How to run sample projects using Dockerfile
- How to deploy via Kubernetes YAML
- How to migrate from public images to CleanStart images
Vulnerability Disclaimer
CleanStart offers Docker images that include third-party open-source libraries and packages maintained by independent contributors. While CleanStart maintains these images and applies industry-standard security practices, it cannot guarantee the security or integrity of upstream components beyond its control.
Users acknowledge and agree that open-source software may contain undiscovered vulnerabilities or introduce new risks through updates. CleanStart shall not be liable for security issues originating from third-party libraries, including but not limited to zero-day exploits, supply chain attacks, or contributor-introduced risks.
Security remains a shared responsibility: CleanStart provides updated images and guidance where possible, while users are responsible for evaluating deployments and implementing appropriate controls.