diff --git a/docker/base/sudoers b/docker/base/sudoers
index 0205b920f8..76baefcb07 100644
--- a/docker/base/sudoers
+++ b/docker/base/sudoers
@@ -14,3 +14,5 @@ root ALL=(ALL) ALL
 # anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
 # root user via sudo without password confirmation
 %kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
+
+#includedir /etc/sudoers.d
diff --git a/docker/mariadb/Dockerfile.j2 b/docker/mariadb/Dockerfile.j2
index a840d9b8da..d365048943 100644
--- a/docker/mariadb/Dockerfile.j2
+++ b/docker/mariadb/Dockerfile.j2
@@ -28,9 +28,16 @@ RUN apt-get install -y --no-install-recommends \
 {% endif %}
+COPY mariadb_sudoers /etc/sudoers.d/mariadb_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 COPY security_reset.expect /usr/local/bin/kolla_security_reset
 RUN chmod 755 /usr/local/bin/kolla_extend_start \
- && chmod 755 /usr/local/bin/kolla_security_reset
+ && chmod 755 /usr/local/bin/kolla_security_reset \
+ && chmod 750 /etc/sudoers.d \
+ && chmod 440 /etc/sudoers.d/mariadb_sudoers \
+ && usermod -a -G kolla mysql
+
+
+USER mysql
 {{ include_footer }}
diff --git a/docker/mariadb/extend_start.sh b/docker/mariadb/extend_start.sh
index 8a8699b886..2ff24b73bf 100644
--- a/docker/mariadb/extend_start.sh
+++ b/docker/mariadb/extend_start.sh
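Review bot: The new `#includedir /etc/sudoers.d` line reads like a commented-out path, but sudo parses it as a directive, and the only comment in this file describes the `%kolla` rule above it, so a future cleanup could strip the line without noticing. A comment on the line before it would prevent that: `# Not a comment: sudo parses "#includedir" as a directive. Per-image rules are dropped into /etc/sudoers.d; each file must be root-owned, mode 0440, and must not contain '.' in its name or sudo silently skips it.` Stating the ownership and mode rules here is useful because the drop-in files are created in other Dockerfiles that do not see this one.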
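Review bot: `usermod -a -G kolla mysql` grants the mysql account every `%kolla` sudo rule, not only the three commands in mariadb_sudoers — the base image's sudoers (visible in the first hunk) already lets `%kolla` run `kolla_set_configs` as root without a password — so the unprivileged mariadb user ends up with a wider root surface than the new drop-in file suggests. If that is intended, say so where the membership is granted: `# kolla membership also grants the base-image %kolla rule (kolla_set_configs as root); mariadb_sudoers only adds chown/security_reset`. `USER mysql` is also placed before `{{ include_footer }}`; if that footer can expand to `RUN` instructions (not visible here) they will now run unprivileged, so either move `USER mysql` after the footer or note the constraint. Ownership of `/etc/sudoers.d/mariadb_sudoers` relies on COPY's root:root default, which sudo requires; an explicit `chown root:root` next to the `chmod 440` would make that requirement visible rather than incidental.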
@@ -5,19 +5,19 @@ function bootstrap_db {
 # Waiting for deamon
 sleep 10
- kolla_security_reset
+ sudo -E kolla_security_reset
 mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
 mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
- mysqladmin -p"${DB_ROOT_PASSWORD}" shutdown
+ mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown
 }
-chown mysql: /var/lib/mysql
+sudo chown mysql: /var/lib/mysql
 # This catches all cases of the BOOTSTRAP variable being set, including empty
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]] && [[ ! -e /var/lib/mysql/cluster.exists ]]; then
 ARGS="--wsrep-new-cluster"
 touch /var/lib/mysql/cluster.exists
- mysql_install_db --user=mysql
+ mysql_install_db
 bootstrap_db
 fi
diff --git a/docker/mariadb/mariadb_sudoers b/docker/mariadb/mariadb_sudoers
new file mode 100644
index 0000000000..c95b1e2ad5
--- /dev/null
+++ b/docker/mariadb/mariadb_sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /usr/local/bin/kolla_security_reset
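Review bot: `sudo -E kolla_security_reset` will be refused under the default sudoers policy: `-E` is only honoured when the matching rule carries the `SETENV` tag (or `setenv`/`!env_reset` is set), the new mariadb_sudoers entry has neither, and sudo then exits with "sorry, you are not allowed to preserve the environment", so bootstrap_db aborts before the GRANT statements run. Passing the variable inline (`sudo DB_ROOT_PASSWORD=... kolla_security_reset`) is subject to the same check, so the fix belongs in the sudoers rule — either `NOPASSWD:SETENV:` on that entry or, narrower, `Defaults!/usr/local/bin/kolla_security_reset env_keep += "DB_ROOT_PASSWORD"` with `-E` dropped here — assuming the expect script reads the password from that variable, which is not visible in this hunk. Separately, `mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown` (and the two `--password=` lines) keep the root password on the command line, readable through /proc by any process in the container; exporting `MYSQL_PWD` for these calls or using a `--defaults-extra-file` avoids that. The `function bootstrap_db {` line that opens this function lies just outside the hunk.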
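Review bot: The `/usr/local/bin/kolla_security_reset` entry is granted without `SETENV`, yet the caller in extend_start.sh runs it as `sudo -E`, and sudo rejects `-E` for a rule that does not permit environment preservation, so this policy makes the bootstrap call fail rather than succeed. If the expect script needs `DB_ROOT_PASSWORD` from the caller's environment (not visible here), whitelist just that variable instead of granting a blanket `SETENV:`, which would let a kolla member pass arbitrary environment to a root process: `Defaults!/usr/local/bin/kolla_security_reset env_keep += "DB_ROOT_PASSWORD"`. The two chown entries are well scoped — path and ownership argument are both pinned, so a kolla member cannot chown anything else — and a leading comment should say so, plus why `mysql\:` is escaped, e.g. `# Fixed arguments on purpose: only /var/lib/mysql may be chowned, only to mysql. ':' is a sudoers separator, hence the backslash.`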