@tekante tekante commented Feb 9, 2026

Last week Docksal switched from bookworm to trixie as their base. See docksal/service-cli@63e34db

Bookworm was using MariaDB 10.11 for the client package while Trixie uses MariaDB 11.8 for it. MariaDB at version 11.4 started defaulting to requiring SSL for remote database connections.

See https://mariadb.com/docs/server/security/securing-mariadb/encryption/data-in-transit-encryption/securing-connections-for-client-and-server

With the db in a docker container, even local development considers the db to be remote, thus requiring at least a self-signed certificate for local development as well as configuration to either ignore validation or to treat the self-signed certificate as valid.

Drush doesn't honor flags disabling SSL in ~/.my.cnf or /etc/mysql/my.cnf as far as I can tell, and drush-ops/drush#6355 seems to validate this. So this seems to be the best way to disable requiring SSL.

Summary by CodeRabbit

  • Chores
    • Docker image build updated to include a Drush configuration directory and ensure vendor binaries are available on the image PATH.
    • Added Drush configuration entries to set database- and site-install command options to disable SSL during those operations.

@tekante tekante requested a review from mike-potter February 9, 2026 22:45
coderabbitai bot commented Feb 9, 2026

Walkthrough

Dockerfile now creates a Drush config directory, copies a new drush.yml into the image, updates PATH to include /var/www/vendor/bin, and sets the final USER to root. A new Drush configuration file sets --disable-ssl for several sql and site.install commands.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dockerfile changes: src/Dockerfile | Creates /home/docker/.drush/config, copies drush.yml into that directory during image build, updates PATH to include /var/www/vendor/bin, and switches the final USER to root. |
| Drush config: src/home/docker/.drush/config/drush.yml | New Drush YAML that adds --disable-ssl to sql (cli, query, dump, drop, create) and site.install command options. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@src/home/docker/.drush/config/drush.yml`:
- Around line 1-7: The Drush YAML config uses the wrong schema and isn't in a
discoverable location: update the drush.yml content to nest sql under the
required top-level command key (i.e., make the root key "command:" with "sql:"
beneath it and preserve the cli/query options), and ensure the drush.yml file is
placed where Drush will load it or add an explicit config path entry in an
already-discovered drush.yml so Drush reads this configuration.
🧹 Nitpick comments (1)
src/Dockerfile (1)

76-78: Make the Drush config writable by the docker user.

COPY creates root-owned files by default, which prevents the docker user from editing them at runtime. Use COPY --chown=docker:docker to keep ownership consistent if runtime customization is expected. This flag is supported in Docker Engine 17.09+ (available since 2017).

🔧 Suggested change
-RUN mkdir -p /home/docker/.drush/config
-COPY ./home/docker/.drush/config/drush.yml /home/docker/.drush/config
+RUN mkdir -p /home/docker/.drush/config
+COPY --chown=docker:docker ./home/docker/.drush/config/drush.yml /home/docker/.drush/config
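
Review bot: on the `COPY --chown=docker:docker` line, the flag changes ownership of the copied drush.yml only; the directories created by the preceding `RUN mkdir -p /home/docker/.drush/config` keep the owner of whichever user the build is running as at that step. If that user is root, the docker user can edit drush.yml in place but cannot add or replace files under /home/docker/.drush/config. Create the directory while the build runs as docker, or chown the directory in the same RUN step.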

Comment on lines 1 to 7
sql:
  cli:
    options:
      extra: '--skip-ssl'
  query:
    options:
      extra: '--skip-ssl'

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

find . -name "Dockerfile*" -type f | head -20

Repository: phase2/docker-cli

Length of output: 77


🏁 Script executed:

cat -n ./src/Dockerfile

Repository: phase2/docker-cli

Length of output: 4257


🏁 Script executed:

find . -name "*.env*" -o -name "*.yml" -o -name "Makefile" -o -name "docker-compose*" | grep -v node_modules | head -20

Repository: phase2/docker-cli

Length of output: 150


🏁 Script executed:

cat -n ./.github/workflows/default.yml

Repository: phase2/docker-cli

Length of output: 3407


🌐 Web query:

Drush config search paths site directory

💡 Result:

Drush’s own configuration files (drush.yml) are discovered in this order (highest precedence first):

  1. Drupal site folder: sites/<site>/drush.yml (e.g. sites/default/drush.yml)
  2. sites/all/drush, WEBROOT/drush, or PROJECTROOT/drush
  3. Anywhere you point to with --config
  4. User config: ~/.drush/drush.yml
  5. System-wide: /etc/drush/drush.yml (or C:\ProgramData\Drush\drush.yml) [1]

To add extra config search paths, put this in a discovered drush.yml (e.g. sites/default/drush.yml):

drush:
  paths:
    config:
      - ${env.HOME}/.drush/config/drush.yml

(Entries may be a file path or a directory containing drush.yml.) [2]

To see exactly what Drush loaded, run:

  • drush status --fields=drush-conf [1]
  • drush status --fields=drush-conf --format=yaml [2]

If you meant Drupal config sync import/export paths (used by drush cim/cex), those come from the site’s $config_directories['sync'] in sites/<site>/settings.php, or you can override per command with drush cim --source=/path and drush cex --destination=/path. [3] [4]


🌐 Web query:

Drush sql command options extra configuration key schema

💡 Result:

In Drush, --extra is a common option on the sql:* commands that lets you append raw flags to the underlying DB client “connect string” (e.g., mysql / psql invocation). For example: drush sql:cli --extra=--skip-column-names. [1]

Command-line options (examples)

  • drush sql:cli --extra=EXTRA (open SQL CLI) [1]
  • drush sql:connect --extra=EXTRA (print a connection command) [2]
  • drush sql:query --extra=EXTRA (run a query) [3]
  • drush sql:drop --extra=EXTRA (drop all tables) [4]

Related: sql:sync also has --extra-dump (passes options to mysqldump or equivalent), plus table-selection options like --structure-tables-key, --skip-tables-key, etc. [5]

Drush YAML configuration “schema” (key path) for extra

To persist the same option via config (e.g., drush.yml or an alias file), set it under command-specific options like this: [6]

command:
  sql:
    cli:
      options:
        extra: "--auto-rehash"

Similarly, you can preconfigure other sql command options (example shown for sql:dump): [6]

command:
  sql:
    dump:
      options:
        structure-tables-key: common

Where the table-key lists live (non-options)

If you use --structure-tables-key=common, --skip-tables-key=common, etc., the actual lists are configured under the top-level sql: section (not under command:), e.g. sql: structure-tables: common: ... and sql: skip-tables: common: .... [6]

Sources: Drush command docs and configuration docs. [1][2][3][4][5][6]


🏁 Script executed:

cat -n ./src/home/docker/.drush/config/drush.yml

Repository: phase2/docker-cli

Length of output: 222


Fix Drush config path and schema: file won't be loaded and keys are incorrect.

The config file at /home/docker/.drush/config/drush.yml is not discoverable by Drush's default search paths (which include ~/.drush/drush.yml, /etc/drush/drush.yml, and project-root paths, but not ~/.drush/config/). Additionally, the YAML structure is missing the required command: prefix—it should be under command: sql: not just sql:.

Either move the file to ~/.drush/drush.yml and fix the schema:

command:
  sql:
    cli:
      options:
        extra: '--skip-ssl'
    query:
      options:
        extra: '--skip-ssl'

or add an explicit config path reference in a discovered drush.yml.


Picked up this config from lagoon images.
https://github.com/uselagoon/lagoon-images/pull/1276/changes
https://github.com/uselagoon/lagoon-images/blob/main/images/php-cli-drupal/drush.yml

Testing seems to show that older versions of Drush ignore the options
they aren't familiar with. At least 12.5.3.0 does.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@src/home/docker/.drush/config/drush.yml`:
- Around line 2-22: Update the mysqldump-related Drush config: change
sql.dump.options.extra (and any sql.dump.options.extra-dump) values from
'--disable-ssl' to '--skip-ssl' so mysqldump disables SSL correctly; keep
site.install.options.extra as-is; also verify whether the
sql.dump.options.extra-dump key is supported by your Drush version and remove or
consolidate it into sql.dump.options.extra if it’s not supported (referencing
the sql.dump.options.extra, sql.dump.options.extra-dump, and
site.install.options.extra entries).

Comment on lines +2 to +22
  sql:
    cli:
      options:
        extra: '--disable-ssl'
    query:
      options:
        extra: '--disable-ssl'
    dump:
      options:
        extra: '--disable-ssl'
        extra-dump: '--disable-ssl'
    drop:
      options:
        extra: '--disable-ssl'
    create:
      options:
        extra: '--disable-ssl'
  site:
    install:
      options:
        extra: '--disable-ssl'

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

MariaDB 11.4 mysql client --disable-ssl flag

💡 Result:

For the MariaDB 11.4 command-line client (mariadb, and often the mysql symlink on MariaDB installs), the way to disable TLS/SSL is:

  • Disable SSL entirely: --disable-ssl (synonym: --skip-ssl) [1][2]
    Example:

    mariadb -h <host> -u <user> -p --skip-ssl
    # or
    mysql -h <host> -u <user> -p --disable-ssl
  • If you only meant “don’t verify the server cert” (but still use TLS): --disable-ssl-verify-server-cert [1]

If you’re coming from Oracle MySQL docs: --ssl-mode=DISABLED is the MySQL-style flag, but the MariaDB client historically did not support --ssl-mode (see MariaDB issue discussion) [3].

Make it permanent (no flag each time):

# ~/.my.cnf
[client]
skip-ssl=true

[2]

Sources: MariaDB client option docs [1], MariaDB docs mirror [1], Stack Overflow discussion of MariaDB 11 client SSL defaults and --skip-ssl/config file [2], MariaDB Jira about missing --ssl-mode and equivalence to --skip-ssl/--disable-ssl [3].


🌐 Web query:

mysqldump disable SSL flag MariaDB

💡 Result:

To disable TLS/SSL for mysqldump when using MariaDB’s client, use:

mysqldump --skip-ssl -h HOST -u USER -p DBNAME > dump.sql

--ssl enables TLS, and the way to disable it is --skip-ssl. [1]

Notes:

  • On newer MariaDB versions the tool may be named mariadb-dump (with mysqldump as a legacy name/symlink), and the same flag works: mariadb-dump --skip-ssl .... [2]
  • If you’re looking at MySQL examples like --ssl-mode=DISABLED, MariaDB commonly uses --skip-ssl instead. [3]

Sources:
[1] https://manpages.debian.org/experimental/mariadb-client-10.6/mysqldump.1.en.html
[2] https://mariadb.com/kb/en/mysqldump/
[3] https://stackoverflow.com/questions/61649764/mysql-error-2026-ssl-connection-error-ubuntu-20-04


🌐 Web query:

Drush site:install options.extra configuration support

💡 Result:

Yes—site:install supports an --extra option, and you can configure it in drush.yml as a command-specific option.

CLI option

drush site:install includes --extra=EXTRA (“Add custom options to the SQL connect string”). [1]

drush.yml configuration

In drush.yml, command-specific options go under command.<namespace>.<command>.options, so for site:install:

command:
  site:
    install:
      options:
        extra: "--skip-column-names"
        # examples of other supported options:
        # account-name: "alice"
        # account-pass: "secret"
        # existing-config: true

Drush’s config docs show this exact structure for site:install options (e.g., account-name, account-pass). [2]

Note: the config key is extra, not options.extra; options: is the YAML section name Drush uses for “command options.” [2]

Sources: [1] [2]


Update sql.dump.options.extra to use --skip-ssl instead of --disable-ssl for mysqldump compatibility.

The --disable-ssl flag is valid for the MariaDB mysql client but mysqldump requires --skip-ssl to disable SSL. Update the dump configuration:

Diff
  sql:
    dump:
      options:
-       extra: '--disable-ssl'
+       extra: '--skip-ssl'
        extra-dump: '--disable-ssl'
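
Review bot: the unchanged context line `extra-dump: '--disable-ssl'` contradicts the rationale for this change. The accompanying instruction asks for both sql.dump.options.extra and sql.dump.options.extra-dump to move to '--skip-ssl', and the search result quoted earlier in this comment thread describes --extra-dump as the option passed to mysqldump, so if mysqldump really needs '--skip-ssl' that is the line that matters. Change both lines, or confirm against the client shipped in the image that the two spellings are synonyms (as the MariaDB client result quoted above states) and drop the change.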

The site:install options.extra configuration is valid. Verify that extra-dump under sql.dump.options is a supported Drush configuration key for your version.

Suggested change

Current:

  sql:
    cli:
      options:
        extra: '--disable-ssl'
    query:
      options:
        extra: '--disable-ssl'
    dump:
      options:
        extra: '--disable-ssl'
        extra-dump: '--disable-ssl'
    drop:
      options:
        extra: '--disable-ssl'
    create:
      options:
        extra: '--disable-ssl'
  site:
    install:
      options:
        extra: '--disable-ssl'

Suggested:

  sql:
    cli:
      options:
        extra: '--disable-ssl'
    query:
      options:
        extra: '--disable-ssl'
    dump:
      options:
        extra: '--skip-ssl'
        extra-dump: '--disable-ssl'
    drop:
      options:
        extra: '--disable-ssl'
    create:
      options:
        extra: '--disable-ssl'
  site:
    install:
      options:
        extra: '--disable-ssl'


@mike-potter

I wonder if putting this into our base container is the right place for it. This only applies to Drupal projects and the drush.yml file can be placed within the /projects/drush folder within Octane Drupal projects with the same effect.
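
The schema and scope points raised in this thread, as an added example that is not part of the pull request or of Drush: a small audit that flattens a drush.yml and reports TLS-weakening client flags passed through `extra` / `extra-dump`, separating entries nested under `command:` from ones that would not load. The function names, status labels and both sample documents are constructed for illustration, and the parser assumes plain nested mappings only.

```python
# Added example (not from this PR or from Drush). Flags are those named in the thread.
TLS_OFF = {"--skip-ssl", "--disable-ssl"}          # no TLS at all
VERIFY_OFF = {"--disable-ssl-verify-server-cert"}  # TLS kept, server cert unchecked


def flatten(text):
    """Flatten nested YAML mappings with scalar leaves into {"a.b.c": "value"}.
    Assumption: no lists, anchors or inline comments (enough for these snippets)."""
    flat, stack = {}, []  # stack: (indent, key) of the currently open parents
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close siblings and deeper levels
        stack.append((indent, key.strip()))
        value = value.strip().strip("'\"")
        if value:
            flat[".".join(k for _, k in stack)] = value
    return flat


def audit(text):
    """Return sorted (status, command, key, flag) findings for one drush.yml."""
    findings = []
    for path, value in flatten(text).items():
        parts = path.split(".")
        if len(parts) < 3 or parts[-2] != "options" or not parts[-1].startswith("extra"):
            continue
        # Per the review above, command options load only beneath "command:".
        loaded = parts[0] == "command"
        command = ":".join(parts[1:-2] if loaded else parts[:-2])
        for flag in value.split():
            status = ("tls-disabled" if flag in TLS_OFF
                      else "tls-unverified" if flag in VERIFY_OFF else None)
            if status:
                findings.append((status if loaded else "not-loaded", command, parts[-1], flag))
    return sorted(findings)


# Constructed samples: the first revision's layout, then a nested layout.
FIRST_REVISION = "sql:\n  cli:\n    options:\n      extra: '--skip-ssl'\n"
NESTED = ("command:\n  sql:\n    dump:\n      options:\n"
          "        extra: '--disable-ssl'\n        extra-dump: '--skip-ssl'\n"
          "  site:\n    install:\n      options:\n"
          "        extra: '--disable-ssl-verify-server-cert'\n")

if __name__ == "__main__":
    print(audit(FIRST_REVISION), audit(NESTED), sep="\n")
```

Run over the drush.yml files baked into an image or committed to a project, a `tls-disabled` finding shows where plaintext database connections have been configured, which matters once the same image or file is used outside local development.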
