Add MariaDB 12.3 the new LTS

Adding a db/mariadb-12.3/ container for the new MariaDB 12.3 LTS series (GA 12.3.2, May 2026, supported through June 2029). Templated off the existing mariadb-10.11 container, pinned to docker.io/mariadb:12.3.2. While doing this I had to address a few 12.x deprecations/removals, and there are some worthwhile CI performance wins. Notes below for review before I push.

Deprecations / removals to respect (12.x)

These aren't optional cosmetics — several are fatal on MariaDB 12:

• mysql* CLI symlinks → canonical mariadb*. startup.sh currently calls mysql_install_db, mysqld_safe, and mysql -e .... On 11.x+ these emit "Deprecated program name … use mariadb… instead", which is treated as a fatal error in several contexts. Switching to:
  • mysql_install_db → mariadb-install-db
  • mysqld_safe → mariadbd-safe
  • mysql -e ... → mariadb -e ...

  (The pgrep -x mariadbd in the SIGTERM trap is already correct.)

• Drop default_authentication_plugin=mysql_native_password from my.cnf. It's a MySQL-only option; MariaDB loads the mysql_native_password plugin by default, and the line risks an "unknown variable" abort.
• utf8 → utf8mb3 (explicit). character_set_server = utf8 / collation_server = utf8_general_ci use the deprecated utf8 alias; writing them as utf8mb3 / utf8mb3_general_ci keeps identical behavior and silences the deprecation notice.
• Query cache + big_tables + large_page_size are removed in 12.x. Our my.cnf doesn't set any of them, so nothing to delete — just flagging so we don't reintroduce them.
• Behavioral change: innodb_snapshot_isolation now defaults ON in 12.3 (changes REPEATABLE READ semantics). Since this container pins transaction-isolation = READ-COMMITTED the impact is minimal, but I'd set it explicitly OFF for parity with the older MariaDB CI containers and to avoid surprising tests.

Performance improvements

Free, just by being on 12.3 (no config needed):

• Optimizer gains — Rowid Filtering and Index Condition Pushdown now apply to reverse-ordered scans, and Loose Index Scan (GROUP BY) can use DESC key parts.
• The headline "4× write performance" (binlog moved into InnoDB) does not apply here because the container runs with skip-log-bin — which is the right call for CI, so we keep binlog off.

Config tuning we can apply, given the DB is a throwaway CI instance (data discarded after each run, so durability can be traded for speed — these are CI-only, never for production):

Related: security patch bumps for other DB containers

Separate from 12.3, the maintained DB images are a few patch releases behind and have RCE/takeover-class CVEs (June 2026). Suggest bumping in the same effort:

• PostgreSQL 18.3→18.4, 17.9→17.10, 16.13→16.14, 15.17→15.18 — May 2026 set incl. CVE-2026-6637 (refint stack overflow → RCE) and CVE-2026-6475 (arbitrary file overwrite).
• MongoDB 7-jammy → 7.0.34-jammy — CVE-2026-8053 (time-series → server takeover) and MongoBleed (CVE-2025-14847, active exploitation).
• MariaDB 10.11.16→10.11.18 (Galera high-sev + 2026 CVEs); pin 10.6→10.6.27 (note 10.6 reaches EOL 2026-07-06).
• Lower priority / deferred: MySQL 9.6 & 8.4 (only CVE-2026-22015, CVSS 4.3); MySQL 8.0 is EOL (April 2026).

I'll build and validate mariadb-12.3 locally (warning-free init, user/grants, graceful shutdown) before pushing.

all images are pushed and tested