diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml
index c434ab76c0..174acd4440 100644
--- a/docker/services/database/mysql.yaml
+++ b/docker/services/database/mysql.yaml
@@ -127,11 +127,26 @@ outputs:
             command: ['/bin/bash', '-c', 'chown -R mysql:mysql /var/log/mariadb']
         step_2:
           mysql_bootstrap:
+            start_order: 1
             detach: false
             image: *mysql_image
             net: host
+            user: root
             # Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
-            command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start']
+            command:
+              - 'bash'
+              - '-ecx'
+              -
+                list_join:
+                  - "\n"
+                  - - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
+                    - 'echo -e "\n[mysqld]\nwsrep_provider=none" >> /etc/my.cnf'
+                    - 'sudo -u mysql -E kolla_start'
+                    - 'mysqld_safe --skip-networking --wsrep-on=OFF &'
+                    - 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
+                    - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''mysql''@''localhost'';"'
+                    - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "REVOKE ALL PRIVILEGES, GRANT OPTION FROM ''mysql''@''localhost'';"'
+                    - 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown'
             volumes: &mysql_volumes
               list_concat:
               -
@@ -143,7 +158,7 @@ outputs:
                 - /var/log/containers/mysql:/var/log/mariadb
               - if:
                 - internal_tls_enabled
-                - 
+                -
                   - list_join:
                     - ':'
                     - - {get_param: InternalTLSCAFile}
@@ -151,12 +166,13 @@ outputs:
                       - 'ro'
                   - /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
                   - /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
-                - null 
+                - null
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
               - KOLLA_BOOTSTRAP=True
               # NOTE(mandre) skip wsrep cluster status check
               - KOLLA_KUBERNETES=True
+              - DB_MAX_TIMEOUT=60
               -
                 list_join:
                   - '='
@@ -191,7 +207,7 @@ outputs:
               - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf
             - if:
               - internal_tls_enabled
-              - 
+              -
                 - list_join:
                   - ':'
                   - - {get_param: InternalTLSCAFile}
@@ -199,7 +215,7 @@ outputs:
                     - 'ro'
                 - /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
                 - /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
-              - null 
+              - null
       metadata_settings:
         get_attr: [MysqlPuppetBase, role_data, metadata_settings]
       host_prep_tasks: