There are two ways you can write the script. One is running the script with a here-document.

A here document (aka heredoc) is a special-purpose code block. It uses a form of I/O redirection to feed a command list to an interactive program or a command

Basically, you provide only the answers to the questions the script is going to ask you, and then redirect them as input to the interactive program.

Like so:


# Enter password for user root (${PASS_MYSQL_ROOT})
# Would you like to setup VALIDATE PASSWORD plugin? (y)
## Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1 (1) -- will only see this if answered y to the previous one
# Change the password for root ? (n)
# Remove anonymous users? (y)
# Disallow root login remotely? (y)
# Remove test database and access to it? (y)
# Reload privilege tables now? (y)

# mysql_secure_installation
mysql_secure_installation << EOF
${PASS_MYSQL_ROOT}
y
1
n
y
y
y
y
EOF

The other way of securing the installation is to run individual MySQL commands that achieve the same thing, like so:

# mysql_secure_installation
mysqladmin -u root password "${PASS_MYSQL_ROOT}" # Set the initial root password
# mysql -u root -p"${PASS_MYSQL_ROOT}" -e "UPDATE mysql.user SET Password=PASSWORD('${PASS_MYSQL_ROOT}') WHERE User='root'" # update root password
mysql -u root -p"${PASS_MYSQL_ROOT}" -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '', '::1')" # Disable remote login
mysql -u root -p"${PASS_MYSQL_ROOT}" -e "DELETE FROM mysql.user WHERE User=''" # Remove anonymous users
mysql -u root -p"${PASS_MYSQL_ROOT}" -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'" # Remove access to the test database
mysql -u root -p"${PASS_MYSQL_ROOT}" -e "FLUSH PRIVILEGES" # Reload privileges

The disadvantage of the code above is that it’ll store the MySQL password in bash history. You can alter the code above and combine it with a here document code block, like so:

mysql --user=root --password="${PASS_MYSQL_ROOT}" << EOF
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '', '::1');
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';
FLUSH PRIVILEGES;
EOF

But since heredocs usually can’t provide passwords for programs, you’ll end up leaving your MySQL password in bash history anyway.
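
One way to keep the password off the command line altogether, shown as an added example that is not part of the original page: write it to a private option file and point the client at it with --defaults-extra-file. MYSQL_BIN and the function names write_client_cnf and secure_mysql are assumptions made for this example; the SQL statements are the ones used above.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): give mysql the root password
# through a mode-0600 option file instead of -p/--password in argv.
# MYSQL_BIN, write_client_cnf and secure_mysql are names assumed here.
MYSQL_BIN="${MYSQL_BIN:-mysql}"

# Write a [client] option file only the current user can read; print its path.
# Assumes a single-line password; a double quote is refused rather than guessed at.
write_client_cnf() {
    local pass="$1" cnf esc
    case "$pass" in
        *'"'*) echo "password contains a double quote; not handled here" >&2
               return 1 ;;
    esac
    cnf="$(umask 077 && mktemp)" || return 1
    # Option files treat backslash as an escape character, so double each one.
    esc="$(printf '%s' "$pass" | sed -e 's/\\/\\\\/g')"
    # Double quotes around the value keep a '#' from starting a comment.
    printf '[client]\nuser=root\npassword="%s"\n' "$esc" > "$cnf"
    printf '%s\n' "$cnf"
}

# Run the hardening statements with no password on any command line.
secure_mysql() {
    local cnf rc=0
    cnf="$(write_client_cnf "$1")" || return 1
    # --defaults-extra-file must be the first option given to the client.
    # The quoted 'SQL' delimiter stops the shell from expanding the body.
    "$MYSQL_BIN" --defaults-extra-file="$cnf" <<'SQL' || rc=$?
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '', '::1');
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';
FLUSH PRIVILEGES;
SQL
    rm -f "$cnf"   # remove the credential file whether or not mysql succeeded
    return "$rc"
}

# Usage inside a provisioning script: secure_mysql "${PASS_MYSQL_ROOT}"
```

Because secure_mysql is a shell function and printf is a builtin, the password never appears in another process's argument list; it exists on disk only for the lifetime of the client call.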