From 6f833e53a94439be6fd1cb55df102acb8dea9cf9 Mon Sep 17 00:00:00 2001 
From: anupteal Date: Wed, 6 Oct 2021 21:22:43 +0530 Subject: [PATCH] Copied Dockerfile of redhat images from jfrog-distroless repo --- .../Dockerfile.redhat-ubi-jfrog-rabbitmq | 68 +++ .../Dockerfile.redhat-ubi-pipelines-api | 50 +++ ...kerfile.redhat-ubi-pipelines-initcontainer | 30 ++ .../Dockerfile.redhat-ubi-pipelines-installer | 60 +++ .../Dockerfile.redhat-ubi-pipelines-k8snode | 89 ++++ .../Dockerfile.redhat-ubi-pipelines-micro | 53 +++ .../Dockerfile.redhat-ubi-pipelines-router | 40 ++ .../Dockerfile.redhat-ubi-pipelines-vault | 100 +++++ ...Dockerfile.redhat-ubi-pipelines-vault-init | 40 ++ .../Dockerfile.redhat-ubi-pipelines-www | 47 ++ .../Dockerfile.redhat-ubi-rt-initcontainer | 32 ++ .../RedHatImages/Dockerfile.redhat-ubi-rt7 | 61 +++ .../Dockerfile.redhat-ubi-xray-analysis | 43 ++ .../Dockerfile.redhat-ubi-xray-indexer | 43 ++ .../Dockerfile.redhat-ubi-xray-persist | 43 ++ .../Dockerfile.redhat-ubi-xray-rabbitmq | 73 ++++ .../Dockerfile.redhat-ubi-xray-router | 41 ++ .../Dockerfile.redhat-ubi-xray-server | 46 ++ .../RedHatImages/vault-docker-entrypoint.sh | 104 +++++ .../xray-rabbitmq-docker-entrypoint.sh | 407 ++++++++++++++++++ 20 files changed, 1470 insertions(+) create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-jfrog-rabbitmq create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-api create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-initcontainer create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-installer create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-k8snode create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-micro create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-router create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-vault create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-vault-init create mode 100644 
Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-www create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-rt-initcontainer create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-rt7 create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-analysis create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-indexer create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-persist create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-rabbitmq create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-router create mode 100644 Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-server create mode 100644 Openshift4/RedHatImages/vault-docker-entrypoint.sh create mode 100644 Openshift4/RedHatImages/xray-rabbitmq-docker-entrypoint.sh diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-jfrog-rabbitmq b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-jfrog-rabbitmq new file mode 100644 index 0000000..5a820a1 --- /dev/null +++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-jfrog-rabbitmq 
@@ -0,0 +1,68 @@
+# BITNAMI DEBIAN-10 DOCKERFILE CAN BE FOUND HERE:
+# https://github.com/bitnami/bitnami-docker-rabbitmq/blob/master/3.8/debian-10/Dockerfile
+# JFROG REDHAT UBI PORT TO WORK IN BITNAMI RABBITMQ HELM CHARTS
+
+
+FROM bitnami/rabbitmq:3.8.9-debian-10-r88 as base
+
+FROM registry.access.redhat.com/ubi8
+
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+LABEL name="JFrog Rabbit MQ" \
+ description="JFrog Rabbit MQ image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Rabbit MQ (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+ARG RABBITMQ_VERSION=3.8.9-debian-10-r88
+
+LABEL io.k8s.description="Lightweight open source message broker" \
+ io.k8s.display-name="RabbitMQ" \
+ io.openshift.expose-services="4369:epmd, 5671:amqp, 5672:amqp, 15672:http" \
+ io.openshift.tags="rabbitmq"
+
+# FIX THE LOCALE ISSUE
+RUN yum install -y --disableplugin=subscription-manager -y openssl curl ca-certificates fontconfig gzip glibc-langpack-en tar \
+ && yum -y --disableplugin=subscription-manager update; yum --disableplugin=subscription-manager clean all
+
+ENV GPG_KEY="0A9AF2115F4687BD29803A206B73A36E6026DFCA" \
+ HOME=/var/lib/rabbitmq \
+ RABBITMQ_HOME=/opt/rabbitmq \
+ RABBITMQ_LOGS=- \
+ RABBITMQ_SASL_LOGS=- \
+ LANG=en_US.UTF-8 \
+ LANGUAGE=en_US.:en \
+ LC_ALL=en_US.UTF-8
+
+RUN yum install -y --disableplugin=subscription-manager xz
+RUN set -xe && \
+ curl -LO https://github.com/rabbitmq/erlang-rpm/releases/download/v23.0/erlang-23.0-1.el8.x86_64.rpm && \
+ rpm -Uvh ./erlang-23.0-1.el8.x86_64.rpm && \
+ rm *.rpm && \
+ INSTALL_PKGS="wget procps net-tools hostname" && \
+ yum install -y $INSTALL_PKGS && \
+ rm -rf /var/cache/yum
+
+# COPY OVER THE RABBITMQ LICENSES INTO THE FOLDER FOR REDHAT TO SCAN
+COPY --from=base /opt/bitnami /opt/bitnami
+
+RUN mkdir -p /opt/bitnami/rabbitmq/ && chown -R 0777 /opt/bitnami/rabbitmq && chown -R 1000721001:1000721001 /opt/bitnami/rabbitmq
+RUN mkdir -p /var/log/rabbitmq/log/ && chmod -R 0777 /var/log
+RUN mkdir -p /var/lib/rabbitmq && chmod -R 0777 /var/lib/rabbitmq && chown -R 1000721001:1000721001 /var/lib/rabbitmq
+RUN mkdir -p /opt/rabbitmq && chmod -R 0777 /opt/rabbitmq && chown -R 1000721001:1000721001 /opt/rabbitmq
+RUN mkdir -p /opt/bitnami && chmod -R 0777 /opt/bitnami && chown -R 1000721001:1000721001 /opt/bitnami
+RUN mkdir -p /licenses && chmod -R 0777 /licenses && chown -R 1000721001:1000721001 /licenses
+RUN mkdir -p /opt/bitnami/rabbitmq/licenses && chmod -R 0777 /opt/bitnami/rabbitmq/licenses && chown -R 1000721001:1000721001 /opt/bitnami/rabbitmq/licenses && cp -rf /opt/bitnami/rabbitmq/licenses/* /licenses && chmod 0777 /opt/bitnami/scripts/rabbitmq/setup.sh
+RUN mkdir -p /opt/bitnami/rabbitmq/test && chmod -R 0777 /opt/bitnami/rabbitmq/test && chown -R 1000721001:1000721001 /opt/bitnami/rabbitmq/test
+
+ENV BITNAMI_APP_NAME="rabbitmq" \
+ LANG="en_US.UTF-8" \
+ LANGUAGE="en_US:en"
+
+EXPOSE 4369 5672 15672 25672
+
+USER 1000721001
+ENV PATH=/opt/bitnami/rabbitmq/sbin:$PATH
+ENTRYPOINT [ "/opt/bitnami/scripts/rabbitmq/entrypoint.sh" ]
+CMD [ "/opt/bitnami/scripts/rabbitmq/run.sh" ]
\ No newline at end of file
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-api b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-api
new file mode 100644
index 0000000..58df7e6
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-api
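Review bot: `chown -R 0777 /opt/bitnami/rabbitmq` in the first `RUN mkdir` line passes a mode to `chown`, so it assigns owner UID 777 instead of setting permissions; it reads like a typo for `chmod`. The following lines then make `/var/log`, `/opt/bitnami`, `/var/lib/rabbitmq` and `setup.sh` world-writable with `chmod -R 0777`, which leaves the scripts run by `ENTRYPOINT` and `CMD` replaceable by any UID in the container. Since ownership is already given to 1000721001, consider the usual OpenShift arbitrary-UID pattern instead, e.g. `chgrp -R 0 /opt/bitnami && chmod -R g=u /opt/bitnami`. The `chmod 0777 /var/opt/jfrog` lines in the pipelines-api, -installer, -micro, -router, -vault-init and -www Dockerfiles are the same pattern. Separately, `FROM registry.access.redhat.com/ubi8` has no tag or digest here or in the other Dockerfiles of this patch, so rebuilds are not reproducible.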
@@ -0,0 +1,50 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-api:${PIPELINES_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8/nodejs-10
+
+USER root
+
+LABEL name="JFrog Pipelines API" \
+ description="JFrog Pipelines API image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Pipelines API (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+ PIPELINES_USER_ID=1000721117 \
+ PIPELINES_VERSION=${PIPELINES_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/pipelines \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/pipelines \
+ SERVICE_NAME=api \
+ APP_HOME_DIR=/opt/jfrog/pipelines/app/api \
+ LOG_DIR=/opt/jfrog/pipelines/var/log
+
+ENV LOG_DIR=/opt/jfrog/pipelines/var/log
+ENV NODE_PATH=/opt/jfrog/pipelines/app/node_modules
+ENV API_BIN_DIR /opt/jfrog/pipelines/app/api/bin
+
+# COPY IN PIPELINES FROM BASE IMAGE
+COPY --from=base /opt/jfrog/pipelines/app/api /opt/jfrog/pipelines/app/api
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group pipelines && \
+ chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /opt/jfrog/pipelines /var/opt/jfrog && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname
+
+RUN mkdir -p /opt/jfrog/pipelines/var/tmp
+RUN mkdir -p $LOG_DIR
+USER ${JF_PIPELINES_USER}
+WORKDIR /opt/jfrog/pipelines/app/api
+CMD ["node","api.app.js"]
+EXPOSE 30000
\ No newline at end of file
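Review bot: `PIPELINES_VERSION=${PIPELINES_BASE_VERSION}` in the `ENV` block will expand to an empty string, because an `ARG` declared before the first `FROM` is only in scope for `FROM` lines. Redeclare it inside the final stage, `ARG PIPELINES_BASE_VERSION` directly after `FROM registry.access.redhat.com/ubi8/nodejs-10`, before the `ENV` that uses it. The same applies to the pipelines-installer, -k8snode, -micro, -router (`ROUTER_VERSION`), -vault-init, -www and rt7 (`ARTIFACTORY_VERSION`) Dockerfiles in this patch. Also in this file, `mkdir -p /opt/jfrog/pipelines/var/tmp` and `mkdir -p $LOG_DIR` run after the `chown -R`, so those directories stay root-owned and the `pipelines` user probably cannot write logs there; moving the two `mkdir` calls ahead of the `chown` would fix it.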
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-initcontainer b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-initcontainer
new file mode 100644
index 0000000..1cc8e43
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-initcontainer
@@ -0,0 +1,30 @@
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+USER root
+
+LABEL name="JFrog Pipelines Init Container" \
+ description="JFrog Pipelines Init Container image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Pipelines Init Container (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# install the necessary programs for the init container
+RUN yum install -y --disableplugin=subscription-manager nc
+RUN yum install -y --disableplugin=subscription-manager libcap libcap-ng
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+ PIPELINES_USER_ID=1000721117
+
+RUN mkdir -p /home/${JF_PIPELINES_USER}
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group ${JF_PIPELINES_USER} && \
+ chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /home/${JF_PIPELINES_USER}
+
+USER ${JF_PIPELINES_USER}
+
+WORKDIR /home/${JF_PIPELINES_USER}
+
+ENTRYPOINT ["bash"]
\ No newline at end of file
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-installer b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-installer
new file mode 100644
index 0000000..cd0ef5c
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-installer
@@ -0,0 +1,60 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-installer:${PIPELINES_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8/nodejs-10
+
+USER root
+
+LABEL name="JFrog Pipelines Installer" \
+ description="JFrog Pipelines Installer image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Pipelines Installer (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+ PIPELINES_USER_ID=1000721117 \
+ PIPELINES_VERSION=${PIPELINES_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/pipelines \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/pipelines
+
+ENV NODE_PATH /usr/local/lib/node_modules
+ENV TMP_DIR /opt/jfrog/pipelines/var/tmp
+ENV SRC_DIR /opt/jfrog/pipelines/installer
+ENV DEPENDENCIES /opt/jfrog/pipelines/dependencies
+
+# COPY IN PIPELINES FROM BASE IMAGE
+COPY --from=base /usr/local/lib /usr/local/lib
+COPY --from=base /opt/jfrog/pipelines/var/tmp /opt/jfrog/pipelines/var/tmp
+COPY --from=base /opt/jfrog/pipelines /opt/jfrog/pipelines
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+RUN mkdir p /opt/jfrog/pipelines/var/etc/ && chmod 0777 /opt/jfrog/pipelines/var/etc/
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group pipelines && \
+ chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /opt/jfrog/pipelines /var/opt/jfrog && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
+ yum install -y --disableplugin=subscription-manager hostname python36 python3-pip nc
+
+RUN yum install -y --disableplugin=subscription-manager http://www6.atomicorp.com/channels/atomic/centos/7/x86_64/RPMS/atomic-release-1.0-21.el7.art.noarch.rpm && \
+ yum install -y --disableplugin=subscription-manager http://www6.atomicorp.com/channels/atomic/centos/7/x86_64/RPMS/oniguruma-5.9.5-3.el7.art.x86_64.rpm && \
+ yum install -y --disableplugin=subscription-manager http://www6.atomicorp.com/channels/atomic/centos/7/x86_64/RPMS/jq-1.5-1.el7.art.x86_64.rpm
+
+RUN wget https://github.com/mikefarah/yq/releases/download/3.4.0/yq_linux_amd64 -O /usr/bin/yq && chmod +x /usr/bin/yq
+
+# install psql
+RUN yum install -y --disableplugin=subscription-manager https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-8-x86_64/postgresql10-libs-10.14-1PGDG.rhel8.x86_64.rpm && \
+ yum install -y --disableplugin=subscription-manager https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-8-x86_64/postgresql10-10.14-1PGDG.rhel8.x86_64.rpm
+
+RUN mkdir -p /usr/local/bin && cp -rf /usr/bin/psql /usr/local/bin/psql
+USER ${JF_PIPELINES_USER}
+WORKDIR /opt/jfrog/pipelines/installer
+ENTRYPOINT ["/bin/bash", "execUtil.sh"]
\ No newline at end of file
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-k8snode b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-k8snode
new file mode 100644
index 0000000..3036737
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-k8snode
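Review bot: The three `http://www6.atomicorp.com/...` RPMs are fetched over plain HTTP and installed as root, and as far as this hunk shows no signature or digest is checked for them, so the image contents depend on whatever answers that request at build time. They are also el7 builds (as is `epel-release-latest-7`) going into a UBI 8 image. Prefer packages from the UBI 8 repositories where they exist, or download over HTTPS and verify with `sha256sum -c` against a digest recorded in the Dockerfile, as the pipelines-vault Dockerfile in this patch already does for Vault; the `yq` binary written to `/usr/bin/yq` needs the same check. Separately, `RUN mkdir p /opt/jfrog/pipelines/var/etc/` is missing the dash of `mkdir -p`, so as written it creates a directory named `p` and does not create missing parents.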
@@ -0,0 +1,89 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-api:${PIPELINES_BASE_VERSION} AS base
+FROM jfrog-docker-reg2.bintray.io/pipelines-node:1.4.2 AS base2
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+USER root
+
+LABEL name="JFrog Pipelines K8s Node" \
+ description="JFrog Pipelines K8s Node image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Pipelines K8s Node (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Set vars
+ENV DOCKER_VERSION=18.09.9
+ENV NODE_VERSION=10.19.0
+
+#RUN apt-get update && \
+# apt-get install sudo grep jq tar curl python-minimal wget ca-certificates rsync vim -y
+
+
+RUN yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname && \
+ yum install -y --disableplugin=subscription-manager https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
+ yum install -y --disableplugin=subscription-manager sudo grep tar python36 ca-certificates rsync vim
+
+
+
+RUN wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.36.0/install.sh | bash
+ENV NVM_DIR=/root/.nvm
+RUN . "$NVM_DIR/nvm.sh" && nvm install ${NODE_VERSION}
+RUN . "$NVM_DIR/nvm.sh" && nvm use v${NODE_VERSION}
+RUN . "$NVM_DIR/nvm.sh" && nvm alias default v${NODE_VERSION}
+RUN cp /root/.nvm/versions/node/v${NODE_VERSION}/bin/node /usr/bin/
+RUN cp /root/.nvm/versions/node/v${NODE_VERSION}/bin/npm /usr/bin/
+RUN /root/.nvm/versions/node/v${NODE_VERSION}/bin/npm install leasot@latest -g
+
+RUN curl -0 -L https://npmjs.com/install.sh | sh
+
+# Get files needed to run Build Plane node
+COPY --from=base /opt/jfrog/pipelines/app/api/bin/buildPlane-x86_64-RHEL_7.rpm /tmp/buildPlane-x86_64-RHEL_7.rpm
+COPY ./executeAffinityGroup_fix.js /tmp
+
+RUN yum localinstall -y --disableplugin=subscription-manager /tmp/buildPlane-x86_64-RHEL_7.rpm
+RUN mkdir -p /tmp/var/opt/jfrog/pipelines/reqKick/execute/
+RUN mkdir -p /jfrog-init
+RUN cat /tmp/executeAffinityGroup_fix.js >> /tmp/var/opt/jfrog/pipelines/reqKick/execute/executeAffinityGroup.js
+RUN sed -i '/function __restart(bag) {/,$d' /tmp/var/opt/jfrog/pipelines/reqKick/execute/executeAffinityGroup.js
+RUN cp -fr /tmp/var/opt/jfrog/pipelines/ /jfrog-init
+RUN rm -fr /tmp/var && rm -fr /tmp/*
+
+COPY --from=base2 /jfrog-init /jfrog-init
+
+# Install app dependencies
+RUN cd /jfrog-init/reqKick; npm install
+
+# Install docker client
+RUN wget https://download.docker.com/linux/static/stable/x86_64/docker-$DOCKER_VERSION.tgz -P /tmp/docker && \
+ tar -xzf /tmp/docker/docker-$DOCKER_VERSION.tgz --directory /opt && \
+ ln -s /opt/docker/docker /usr/bin/docker && \
+ rm -fr /tmp/docker
+
+
+# Install nodejs pm2 monitoring
+RUN npm install pm2 -g
+
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+ PIPELINES_USER_ID=1000721117 \
+ PIPELINES_VERSION=${PIPELINES_BASE_VERSION}
+
+RUN mkdir -p /home/${JF_PIPELINES_USER}
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group pipelines && \
+ chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /jfrog-init /home/${JF_PIPELINES_USER}
+
+USER ${JF_PIPELINES_USER}
+
+
+WORKDIR /jfrog-init/reqKick
+CMD ["pm2-runtime", "/jfrog-init/reqKick/reqKick.app.js"]
\ No newline at end of file
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-micro b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-micro
new file mode 100644
index 0000000..92dad60
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-micro
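Review bot: `RUN wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.36.0/install.sh | bash` and `RUN curl -0 -L https://npmjs.com/install.sh | sh` pipe remote scripts straight into a root shell with no digest check, and without `pipefail` a failed download still lets the step succeed. The npmjs.com script is not versioned at all, and `leasot@latest` and `pm2` are installed unpinned, so two builds of the same commit can contain different code. Download each script to a file, verify it with `sha256sum -c` against a digest kept in the Dockerfile, and pin the npm packages to exact versions; the Docker client tarball fetched with `wget` deserves the same digest check. `sudo` and `vim` in the `yum install` list also look unnecessary for a runtime image that ends in `USER ${JF_PIPELINES_USER}`.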
@@ -0,0 +1,53 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-micro:${PIPELINES_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8/nodejs-10
+
+USER root
+
+LABEL name="JFrog Pipelines Micro" \
+ description="JFrog Pipelines Micro image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Pipelines Micro (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+ PIPELINES_USER_ID=1000721117 \
+ PIPELINES_VERSION=${PIPELINES_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/pipelines \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/pipelines \
+ SERVICE_NAME=www \
+ APP_HOME_DIR=/opt/jfrog/pipelines/app/www \
+ LOG_DIR=/opt/jfrog/pipelines/var/log \
+ NODE_PATH=/opt/jfrog/pipelines/app/node_modules \
+ EXEC_TEMPLATES_DIR=/opt/jfrog/pipelines/app/execTemplates \
+ HOME=/home \
+ OLDPWD=/home \
+ SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# COPY IN PIPELINES FROM BASE IMAGE
+COPY --from=base /opt/jfrog/pipelines /opt/jfrog/pipelines
+COPY --from=base /home /home
+COPY --from=base /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group pipelines && \
+ chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /opt/jfrog/pipelines /var/opt/jfrog && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname
+
+RUN mkdir -p /opt/jfrog/pipelines/var/tmp
+RUN mkdir -p $LOG_DIR
+
+USER ${JF_PIPELINES_USER}
+WORKDIR /opt/jfrog/pipelines/app/micro/nexec
+CMD ["node","app.js"]
+EXPOSE 30001
\ No newline at end of file
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-router b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-router
new file mode 100644
index 0000000..a3855a1
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-router
@@ -0,0 +1,40 @@
+ARG ROUTER_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/router:${ROUTER_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Pipelines Router" \
+ description="JFrog Pipelines Router image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Pipelines Router (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Router
+ENV JF_ROUTER_USER=router \
+ ROUTER_USER_ID=1000721117 \
+ ROUTER_VERSION=${ROUTER_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/router \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/router \
+ SERVICE_NAME=router
+
+COPY --from=base /opt/jfrog/router /opt/jfrog/router
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/router/app/doc/* /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${ROUTER_USER_ID} --user-group router && \
+ chown -R ${ROUTER_USER_ID}:${ROUTER_USER_ID} /opt/jfrog/router /var/opt/jfrog && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname
+
+USER router
+
+VOLUME /var/opt/jfrog/router
+
+ENTRYPOINT ["/opt/jfrog/router/app/bin/entrypoint-router.sh"]
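Review bot: `COPY --from=base /etc/ssl/certs/ca-certificates.crt ...` together with `SSL_CERT_FILE` makes the service trust the CA bundle frozen in the upstream image rather than the one UBI maintains, so removed or newly added roots will not follow base-image updates. If the copy exists only because the path differs, pointing `SSL_CERT_FILE` at the UBI bundle would avoid that (on RHEL-family images this is normally `/etc/pki/tls/certs/ca-bundle.crt`, to be confirmed for this base). `SERVICE_NAME=www`, `APP_HOME_DIR=/opt/jfrog/pipelines/app/www` and `EXPOSE 30001` look copied from the www Dockerfile while `WORKDIR` is `app/micro/nexec`; please confirm they are intended. `COPY --from=base /home /home` also brings over whatever the upstream image left in home directories, which is worth narrowing to the files actually needed.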
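Review bot: `VOLUME /var/opt/jfrog/router` names a directory that no earlier instruction creates, since the `chown -R` only covers `/opt/jfrog/router` and `/var/opt/jfrog`. Under plain Docker the mount point is then created root-owned at container start, and the `router` user may be unable to write to it. Creating it first, `mkdir -p /var/opt/jfrog/router` before the `chown -R`, avoids that; the rt-initcontainer Dockerfile has the same issue with `VOLUME /var/opt/jfrog/artifactory`. `USER router` could also be the numeric `USER ${ROUTER_USER_ID}` so that a Kubernetes `runAsNonRoot` check can verify it.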
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-vault b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-vault
new file mode 100644
index 0000000..1cadd5f
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-vault
@@ -0,0 +1,100 @@
+FROM registry.access.redhat.com/ubi8
+
+# This is the release of Vault to pull in.
+ARG VAULT_BASE_VERSION
+
+LABEL name="JFrog Pipelines Vault" \
+ description="JFrog Pipelines Vault image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Pipelines Vault (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+ENV JF_VAULT_USER=vault \
+ JF_VAULT_USER_GROUP=vault \
+ VAULT_USER_ID=1000721117 \
+ VAULT_VERSION=${VAULT_BASE_VERSION}
+
+# Create a vault user and group first so the IDs get set the same way,
+# even as the rest of this may change over time.
+RUN useradd -M -s /usr/sbin/nologin --uid ${VAULT_USER_ID} --user-group ${JF_VAULT_USER_GROUP}
+RUN mkdir -p /home/${JF_VAULT_USER} && \
+ chown -R ${VAULT_USER_ID}:${VAULT_USER_ID} /home/${JF_VAULT_USER}
+
+RUN yum install -y --disableplugin=subscription-manager wget curl unzip ca-certificates gnupg openssl libcap tzdata
+
+# Set up certificates, our base tools, and Vault.
+RUN set -eux; \
+ apkArch="$(uname -a)"; \
+ case "$apkArch" in \
+ armhf) ARCH='arm' ;; \
+ aarch64) ARCH='arm64' ;; \
+ x86_64) x86_64 ;; \
+ x86) ARCH='386' ;; \
+ *) echo >&2 "Supported architecture: $apkArch" ;; \
+ esac && \
+ VAULT_GPGKEY=91A6E7F85D05C65630BEF18951852D87348FFC4C; \
+ found=''; \
+ for server in \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ hkp://keyserver.ubuntu.com:80 \
+ hkp://pgp.mit.edu:80 \
+ ; do \
+ echo "Fetching GPG key $VAULT_GPGKEY from $server"; \
+ gpg --batch --keyserver "$server" --recv-keys "$VAULT_GPGKEY" && found=yes && break; \
+ done; \
+ test -z "$found" && echo >&2 "error: failed to fetch GPG key $VAULT_GPGKEY" && exit 1; \
+ mkdir -p /tmp/build && \
+ cd /tmp/build && \
+ wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
+ wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS && \
+ wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig && \
+ gpg --batch --verify vault_${VAULT_VERSION}_SHA256SUMS.sig vault_${VAULT_VERSION}_SHA256SUMS && \
+ grep vault_${VAULT_VERSION}_linux_amd64.zip vault_${VAULT_VERSION}_SHA256SUMS | sha256sum -c && \
+ unzip -d /bin vault_${VAULT_VERSION}_linux_amd64.zip && \
+ cd /tmp && \
+ rm -rf /tmp/build && \
+ gpgconf --kill dirmngr && \
+ gpgconf --kill gpg-agent && \
+ rm -rf /root/.gnupg
+
+# /vault/logs is made available to use as a location to store audit logs, if
+# desired; /vault/file is made available to use as a location with the file
+# storage backend, if desired; the server will be started with /vault/config as
+# the configuration directory so you can add additional config files in that
+# location.
+RUN mkdir -p /vault/logs && \
+ mkdir -p /vault/file && \
+ mkdir -p /vault/config && \
+ chown -R vault:vault /vault
+
+# Expose the logs directory as a volume since there's potentially long-running
+# state in there
+VOLUME /vault/logs
+
+# Expose the file directory as a volume since there's potentially long-running
+# state in there
+VOLUME /vault/file
+
+# 8200/tcp is the primary interface that applications use to interact with
+# Vault.
+EXPOSE 8200
+
+# The entry point script uses dumb-init as the top-level process to reap any
+# zombie processes created by Vault sub-processes.
+#
+# For production derivatives of this container, you shoud add the IPC_LOCK
+# capability so that Vault can mlock memory.
+COPY vault-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+# SETUP VAULT TO USE MLOCK
+RUN setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
+
+USER ${JF_VAULT_USER}
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# By default you'll get a single-node development server that stores everything
+# in RAM and bootstraps itself. Don't use this configuration for production.
+CMD ["server", "-dev"]
\ No newline at end of file
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-vault-init b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-vault-init
new file mode 100644
index 0000000..8828abb
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-vault-init
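Review bot: The architecture `case` in the large `RUN` does nothing useful: `uname -a` returns the full kernel string so no pattern matches, `x86_64) x86_64 ;;` would try to run a command called `x86_64`, the fallback prints "Supported architecture" without exiting, and `ARCH` is never used because the download hard-codes `linux_amd64`. Either drop the block or make it real with `apkArch="$(uname -m)"`, `x86_64) ARCH='amd64' ;;` and `*) echo >&2 "Unsupported architecture: $apkArch"; exit 1 ;;`, then use `${ARCH}` in the zip name. The comment above `COPY vault-docker-entrypoint.sh` mentions dumb-init, but this Dockerfile does not install it; whether the script needs it cannot be seen from this hunk. Finally, `CMD ["server", "-dev"]` makes the in-memory development server the default for a certified image even though the comment above it warns against production use, so a non-dev default that reads `/vault/config` would be safer.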
@@ -0,0 +1,40 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-vault-init:${PIPELINES_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8/go-toolset
+
+USER root
+
+LABEL name="JFrog Pipelines Vault Init" \
+ description="JFrog Pipelines Vault Init image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Pipelines Vault Init (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=vault \
+ PIPELINES_USER_ID=1000721117 \
+ PIPELINES_VERSION=${PIPELINES_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/pipelines \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/pipelines \
+ SERVICE_NAME=vault-init
+
+# COPY IN PIPELINES FROM BASE IMAGE
+COPY --from=base /vault-init /opt/jfrog/pipelines/vault-init
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group ${JF_PIPELINES_USER} && \
+ chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /opt/jfrog/pipelines /var/opt/jfrog && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname
+
+USER ${JF_PIPELINES_USER}
+WORKDIR /opt/jfrog/pipelines
+ENTRYPOINT ["/opt/jfrog/pipelines/vault-init"]
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-www b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-www
new file mode 100644
index 0000000..a61c00e
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-www
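Review bot: The final stage is `registry.access.redhat.com/ubi8/go-toolset`, which ships the Go compiler and build tools, yet the only payload is `/vault-init` copied from `base`, which looks like a prebuilt binary. A runtime image does not need the toolchain; plain `registry.access.redhat.com/ubi8`, as the other Dockerfiles in this patch use, would cut the installed package set and the CVE surface, assuming the binary has no dependency on the toolset image. The four `yum install` calls (`wget`, `procps`, `net-tools`, `hostname`) could likewise be reduced to what the entrypoint actually uses and combined into one call followed by `yum clean all`.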
@@ -0,0 +1,47 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-www:${PIPELINES_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8/nodejs-10
+
+USER root
+
+LABEL name="JFrog Pipelines WWW" \
+ description="JFrog Pipelines WWW image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Pipelines WWW (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+ PIPELINES_USER_ID=1000721117 \
+ PIPELINES_VERSION=${PIPELINES_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/pipelines \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/pipelines \
+ SERVICE_NAME=www \
+ APP_HOME_DIR=/opt/jfrog/pipelines/app/www \
+ LOG_DIR=/opt/jfrog/pipelines/var/log
+
+# COPY IN PIPELINES FROM BASE IMAGE
+COPY --from=base /opt/jfrog/pipelines /opt/jfrog/pipelines
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group pipelines && \
+ chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /opt/jfrog/pipelines /var/opt/jfrog && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname
+
+RUN mkdir -p /opt/jfrog/pipelines/var/tmp
+RUN mkdir -p $LOG_DIR
+
+USER ${JF_PIPELINES_USER}
+WORKDIR /opt/jfrog/pipelines/app/www
+CMD ["node","www.app.js"]
+EXPOSE 30001
\ No newline at end of file
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-rt-initcontainer b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-rt-initcontainer
new file mode 100644
index 0000000..75a5207
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-rt-initcontainer
@@ -0,0 +1,32 @@
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+USER root
+
+LABEL name="JFrog Init Container" \
+ description="JFrog Init Container image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Init Container (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# install the necessary programs for the init container
+RUN yum install -y --disableplugin=subscription-manager nc
+RUN yum install -y --disableplugin=subscription-manager libcap libcap-ng
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+# Environment needed for Pipelines
+ENV JF_ART_USER=artifactory \
+ ART_USER_ID=1000721030
+
+RUN mkdir -p /home/${JF_ART_USER}
+RUN useradd -M -s /usr/sbin/nologin --uid ${ART_USER_ID} --user-group ${JF_ART_USER} && \
+ chown -R ${ART_USER_ID}:${ART_USER_ID} /home/${JF_ART_USER}
+
+VOLUME /var/opt/jfrog/artifactory
+
+USER ${JF_ART_USER}
+
+WORKDIR /home/${JF_ART_USER}
+
+ENTRYPOINT ["bash"]
\ No newline at end of file
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-rt7 b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-rt7
new file mode 100644
index 0000000..36809ef
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-rt7
@@ -0,0 +1,61 @@
+# An example of customising Artifactory using RedHat Univeral Base Image (UBI).
+# Using Docker multi stage build.
+# Taking the Artifactory file system
+ARG ARTIFACTORY_BASE_VERSION
+
+# The Artifactory official Docker image
+FROM docker.bintray.io/jfrog/artifactory-pro:${ARTIFACTORY_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Artifactory Pro" \
+ description="JFrog Artifactory Pro image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Artifactory Pro (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/artifactory/eula/"
+
+# Environment needed for Artifactory
+ENV JF_ARTIFACTORY_USER=artifactory \
+ ARTIFACTORY_USER_ID=1000721030 \
+ ARTIFACTORY_VERSION=${ARTIFACTORY_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/artifactory \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/artifactory \
+ RECOMMENDED_MAX_OPEN_FILES=32000 \
+ MIN_MAX_OPEN_FILES=10000 \
+ RECOMMENDED_MAX_OPEN_PROCESSES=1024 \
+ POSTGRESQL_VERSION=9.4.1212
+
+# Copy needed file system from base (Artifactory image)
+COPY --from=base /opt/jfrog /opt/jfrog
+COPY --from=base /var/opt/jfrog/artifactory /var/opt/jfrog/artifactory
+COPY --from=base /entrypoint-artifactory.sh /entrypoint-artifactory.sh
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/artifactory/app/doc/* /licenses/
+
+# Metadata to let Artifactory know its installation source
+RUN mkdir -p /artifactory_bootstrap/info/
+RUN echo "{\"productId\":\"UBI8_artifactory/1.0.0\",\"features\":[{\"featureId\":\"Partner/ACC-006983\"}]}" > /artifactory_bootstrap/info/installer-info.json
+
+# Create the user, fix file system ownership and install needed tools with Yum
+# NOTE - wget must be installed for Artifactory HA
+# procps must be installed to run Artifactory
+# hostname is needed to generate nodeID
+RUN useradd -M -s /usr/sbin/nologin --uid ${ARTIFACTORY_USER_ID} --user-group ${JF_ARTIFACTORY_USER} && \
+ chown -R ${JF_ARTIFACTORY_USER}:${JF_ARTIFACTORY_USER} ${JF_PRODUCT_HOME} ${JF_PRODUCT_DATA_INTERNAL} && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname
+
+# Add RUN instruction for updating the vulnerability found in openssl-libs package.
+
+RUN yum update openssl-libs -y
+
+
+USER $JF_ARTIFACTORY_USER
+
+VOLUME ${JF_PRODUCT_DATA_INTERNAL}
+
+ENTRYPOINT ["/entrypoint-artifactory.sh"]
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-analysis b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-analysis
new file mode 100644
index 0000000..6c2f911
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-analysis
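Review bot: `RUN yum update openssl-libs -y` is the only yum call in this file without `--disableplugin=subscription-manager`, and its comment does not say which advisory it addresses, so nobody can tell later when the line may be removed. Suggest `RUN yum update -y --disableplugin=subscription-manager openssl-libs && yum clean all`, with a comment naming the advisory, e.g. `# openssl-libs: fixes <ADVISORY-ID>; drop once the pinned ubi8 base includes it`. A one-package update only helps at the moment of the build; rebuilding on a newer pinned base is the more durable fix.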
@@ -0,0 +1,43 @@
+ARG XRAY_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/xray-analysis:${XRAY_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Analysis" \
+ description="JFrog Xray Analysis image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Xray Analysis (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+# Environment needed for Xray
+ENV JF_XRAY_USER=xray \
+ XRAY_USER_ID=1000721035 \
+ XRAY_VERSION=${XRAY_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/xray \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/xray \
+ SERVICE_NAME=analysis
+
+
+COPY --from=base /opt/jfrog/xray /opt/jfrog/xray
+COPY --from=base /var/opt/jfrog/xray /var/opt/jfrog/xray
+COPY --from=base /postgresql-client /postgresql-client
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/xray/app/doc/* /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${XRAY_USER_ID} --user-group ${JF_XRAY_USER} && \
+ chown -R ${JF_XRAY_USER}:${JF_XRAY_USER} ${JF_PRODUCT_HOME} ${JF_PRODUCT_DATA_INTERNAL} /postgresql-client && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname
+
+USER xray
+
+VOLUME /var/opt/jfrog/xray
+
+ENTRYPOINT ["/opt/jfrog/xray/app/bin/wrapper.sh"]
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-indexer b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-indexer
new file mode 100644
index 0000000..8a42ff8
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-indexer
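Review bot: `RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog` leaves a root-owned, world-writable directory with no sticky bit as the parent of the data volume, so any UID in the container can rename or replace entries under it. If the goal is OpenShift's arbitrary-UID, group-0 model (an assumption; the commit does not say), `chgrp 0 /var/opt/jfrog && chmod g=u /var/opt/jfrog` grants the needed access without opening the directory to everyone, and matches the `chmod -R g=u` already used in the xray-rabbitmq Dockerfile. The same line appears in the pipelines-www, xray-indexer, xray-persist, xray-server and router Dockerfiles.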
@@ -0,0 +1,43 @@
+ARG XRAY_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/xray-indexer:${XRAY_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Indexer" \
+ description="JFrog Xray Indexer image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Xray Indexer (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+# Environment needed for Xray
+ENV JF_XRAY_USER=xray \
+ XRAY_USER_ID=1000721035 \
+ XRAY_VERSION=${XRAY_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/xray \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/xray \
+ SERVICE_NAME=indexer
+
+COPY --from=base /opt/jfrog/xray /opt/jfrog/xray
+COPY --from=base /var/opt/jfrog/xray /var/opt/jfrog/xray
+COPY --from=base /postgresql-client /postgresql-client
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/xray/app/doc/* /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${XRAY_USER_ID} --user-group ${JF_XRAY_USER} && \
+ chown -R ${JF_XRAY_USER}:${JF_XRAY_USER} ${JF_PRODUCT_HOME} ${JF_PRODUCT_DATA_INTERNAL} /postgresql-client && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname
+
+USER xray
+
+VOLUME /var/opt/jfrog/xray
+
+ENTRYPOINT ["/opt/jfrog/xray/app/bin/wrapper.sh"]
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-persist b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-persist
new file mode 100644
index 0000000..cf9bd8e
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-persist
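Review bot: `USER xray` switches by name, which a Kubernetes `runAsNonRoot` check cannot verify, because it needs a numeric UID in the image configuration. Use `USER ${XRAY_USER_ID}`, as the xray-rabbitmq Dockerfile already does with the numeric `USER 1000721001`. That also removes the hard-coded name that duplicates `JF_XRAY_USER`. The same applies to the `USER` lines in the xray-analysis, xray-persist, xray-server, router, rt7, rt-initcontainer and pipelines-www Dockerfiles.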
@@ -0,0 +1,43 @@
+ARG XRAY_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/xray-persist:${XRAY_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Persist" \
+ description="JFrog Xray Persist image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Xray Persist (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+# Environment needed for Xray
+ENV JF_XRAY_USER=xray \
+ XRAY_USER_ID=1000721035 \
+ XRAY_VERSION=${XRAY_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/xray \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/xray \
+ SERVICE_NAME=persist
+
+COPY --from=base /opt/jfrog/xray /opt/jfrog/xray
+COPY --from=base /var/opt/jfrog/xray /var/opt/jfrog/xray
+COPY --from=base /postgresql-client /postgresql-client
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/xray/app/doc/* /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${XRAY_USER_ID} --user-group ${JF_XRAY_USER} && \
+ chown -R ${JF_XRAY_USER}:${JF_XRAY_USER} ${JF_PRODUCT_HOME} ${JF_PRODUCT_DATA_INTERNAL} /postgresql-client && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname
+
+USER xray
+
+VOLUME /var/opt/jfrog/xray
+
+ENTRYPOINT ["/opt/jfrog/xray/app/bin/wrapper.sh"]
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-rabbitmq b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-rabbitmq
new file mode 100644
index 0000000..ee9348c
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-rabbitmq
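Review bot: the four `yum install` calls in the `RUN useradd …` step each run their own transaction, and the yum cache and metadata are never removed, so they stay in the layer. A single call, `yum install -y --disableplugin=subscription-manager hostname net-tools procps wget && yum clean all && rm -rf /var/cache/yum`, is smaller and quicker to build. It is also worth confirming that `wget` and `net-tools` are needed at runtime; the rt7 Dockerfile explains why it installs its tools, but this file does not, and tools that are not needed are better left out of a production image. The same block is repeated in the other xray, router, rt7 and pipelines-www Dockerfiles.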
@@ -0,0 +1,73 @@
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Rabbit MQ" \
+ description="JFrog Rabbit MQ image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Rabbit MQ (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+
+ARG RABBITMQ_AUTOCLUSTER_VERSION=0.10.0
+ARG RABBITMQ_VERSION=3.8.8
+
+LABEL io.k8s.description="Lightweight open source message broker" \
+ io.k8s.display-name="RabbitMQ" \
+ io.openshift.expose-services="4369:epmd, 5671:amqp, 5672:amqp, 15672:http" \
+ io.openshift.tags="rabbitmq"
+
+ENV GPG_KEY="0A9AF2115F4687BD29803A206B73A36E6026DFCA" \
+ HOME=/var/lib/rabbitmq \
+ RABBITMQ_HOME=/opt/rabbitmq \
+ RABBITMQ_LOGS=- \
+ RABBITMQ_SASL_LOGS=- \
+ LANG=en_US.UTF-8 \
+ LANGUAGE=en_US.:en \
+ LC_ALL=en_US.UTF-8
+
+
+# FIX THE LOCALE ISSUE
+RUN yum install -y --disableplugin=subscription-manager -y openssl curl ca-certificates fontconfig gzip glibc-langpack-en tar xz \
+ && yum -y --disableplugin=subscription-manager update; yum --disableplugin=subscription-manager clean all
+
+RUN set -xe && \
+ curl -LO https://github.com/rabbitmq/erlang-rpm/releases/download/v23.0/erlang-23.0-1.el8.x86_64.rpm && \
+ rpm -Uvh ./erlang-23.0-1.el8.x86_64.rpm && \
+ rm *.rpm && \
+ curl -Lo rabbitmq-server.tar.xz https://github.com/rabbitmq/rabbitmq-server/releases/download/v${RABBITMQ_VERSION}/rabbitmq-server-generic-unix-${RABBITMQ_VERSION}.tar.xz && \
+ curl -Lo rabbitmq-server.tar.xz.asc https://github.com/rabbitmq/rabbitmq-server/releases/download/v${RABBITMQ_VERSION}/rabbitmq-server-generic-unix-${RABBITMQ_VERSION}.tar.xz.asc && \
+ export GNUPGHOME="$(mktemp -d)" && \
+ env | grep GNUPG && \
+ gpg --keyserver hkp://ha.pool.sks-keyservers.net:80 --recv-keys "$GPG_KEY" && \
+ gpg --batch --verify rabbitmq-server.tar.xz.asc rabbitmq-server.tar.xz && \
+ rm -rf "$GNUPGHOME" && \
+ mkdir -p "$RABBITMQ_HOME" && \
+ tar \
+ --extract \
+ --verbose \
+ --file rabbitmq-server.tar.xz \
+ --directory "$RABBITMQ_HOME" \
+ --strip-components 1 && \
+ rm rabbitmq-server.tar.xz* && \
+ grep -qE '^SYS_PREFIX=\$\{RABBITMQ_HOME\}$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults" && \
+ sed -ri 's!^(SYS_PREFIX=).*$!\1!' "$RABBITMQ_HOME/sbin/rabbitmq-defaults" && \
+ grep -qE '^SYS_PREFIX=$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults" && \
+ groupadd --system rabbitmq && \
+ adduser -u 1000721001 -r -c "RabbitMQ User" -d /var/lib/rabbitmq -g rabbitmq rabbitmq && \
+ mkdir -p /var/lib/rabbitmq /etc/rabbitmq && \
+ chown -R 1000721001:1000721001 /var/lib/rabbitmq /etc/rabbitmq ${RABBITMQ_HOME}/plugins && \
+ chmod -R g=u /var/lib/rabbitmq /etc/rabbitmq && \
+ rm -rf /var/lib/rabbitmq/.erlang.cookie && \
+ ln -sf "$RABBITMQ_HOME/plugins" /plugins && \
+ INSTALL_PKGS="wget procps net-tools hostname" && \
+ yum install -y $INSTALL_PKGS && \
+ rm -rf /var/cache/yum
+
+COPY xray-rabbitmq-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN mkdir -p /licenses && chmod 0777 /licenses && cp -rf /opt/rabbitmq/LICENSE /licenses/LICENSE
+
+USER 1000721001
+ENV PATH=$RABBITMQ_HOME/sbin:$PATH
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+EXPOSE 4369 5672 15672
+CMD ["rabbitmq-server"]
\ No newline at end of file
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-router b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-router
new file mode 100644
index 0000000..68bf7bc
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-router
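Review bot: the Erlang package is fetched with `curl -LO …/erlang-23.0-1.el8.x86_64.rpm` and installed as root with `rpm -Uvh`, and nothing in this step pins or verifies its content, while the RabbitMQ tarball a few lines later is GPG-verified. Check a pinned digest before installing, e.g. `echo "<ERLANG_RPM_SHA256>  erlang-23.0-1.el8.x86_64.rpm" | sha256sum -c - && \` (placeholder digest), and add `-f` to the three `curl` calls so an HTTP error page is never saved as the artifact. The key is fetched over plain HTTP from `hkp://ha.pool.sks-keyservers.net:80`, a pool that, as far as I know, has been retired; the full fingerprint in `GPG_KEY` keeps this safe, but committing the public key or using a maintained `hkps://` keyserver would keep the build working. In the first `RUN`, `update; yum … clean all` uses `;`, which hides a failed `yum update`; `&&` is presumably what was meant.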
@@ -0,0 +1,41 @@
+ARG ROUTER_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/router:${ROUTER_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Router" \
+ description="JFrog Xray Router image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Xray Router (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+# Environment needed for Router
+ENV JF_ROUTER_USER=router \
+ ROUTER_USER_ID=1000721035 \
+ ROUTER_VERSION=${ROUTER_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/router \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/router \
+ SERVICE_NAME=router
+
+COPY --from=base /opt/jfrog/router /opt/jfrog/router
+COPY --from=base /var/opt/jfrog/router /var/opt/jfrog/router
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/router/app/doc/* /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${ROUTER_USER_ID} --user-group router && \
+ chown -R ${ROUTER_USER_ID}:${ROUTER_USER_ID} /opt/jfrog/router /var/opt/jfrog && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname
+
+USER router
+
+VOLUME /var/opt/jfrog/router
+
+ENTRYPOINT ["/opt/jfrog/router/app/bin/entrypoint-router.sh"]
diff --git a/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-server b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-server
new file mode 100644
index 0000000..540838d
--- /dev/null
+++ b/Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-server
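Review bot: `chown -R ${ROUTER_USER_ID}:${ROUTER_USER_ID} /opt/jfrog/router /var/opt/jfrog` makes the runtime user the owner of the whole application tree, including `app/bin/entrypoint-router.sh`, so the service process can rewrite the code it runs. Unless the router is known to write under `/opt/jfrog/router` (not visible here), leave the product home root-owned and hand over only the data directory: `chown -R ${ROUTER_USER_ID}:${ROUTER_USER_ID} /var/opt/jfrog/router`. That also avoids duplicating the copied application files in a second layer. The xray, rt7 and pipelines-www Dockerfiles chown their product home the same way.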
@@ -0,0 +1,46 @@
+ARG XRAY_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/xray-server:${XRAY_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Server" \
+ description="JFrog Xray Server image based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Xray Server (Red Hat UBI)" \
+ com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+# Environment needed for Xray
+ENV JF_XRAY_USER=xray \
+ XRAY_USER_ID=1000721035 \
+ XRAY_VERSION=${XRAY_BASE_VERSION} \
+ JF_PRODUCT_HOME=/opt/jfrog/xray \
+ JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/xray \
+ SERVICE_NAME=server
+
+COPY --from=base /opt/jfrog/xray /opt/jfrog/xray
+COPY --from=base /var/opt/jfrog/xray /var/opt/jfrog/xray
+COPY --from=base /postgresql-client /postgresql-client
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/xray/app/doc/* /licenses/
+
+# Add call home
+COPY xray.default /opt/jfrog/xray/app/bin
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${XRAY_USER_ID} --user-group ${JF_XRAY_USER} && \
+ chown -R ${JF_XRAY_USER}:${JF_XRAY_USER} ${JF_PRODUCT_HOME} ${JF_PRODUCT_DATA_INTERNAL} /postgresql-client && \
+ yum install -y --disableplugin=subscription-manager wget && \
+ yum install -y --disableplugin=subscription-manager procps && \
+ yum install -y --disableplugin=subscription-manager net-tools && \
+ yum install -y --disableplugin=subscription-manager hostname
+
+USER xray
+
+VOLUME /var/opt/jfrog/xray
+
+ENTRYPOINT ["/opt/jfrog/xray/app/bin/wrapper.sh"]
diff --git a/Openshift4/RedHatImages/vault-docker-entrypoint.sh b/Openshift4/RedHatImages/vault-docker-entrypoint.sh
new file mode 100644
index 0000000..49dd6d4
--- /dev/null
+++ b/Openshift4/RedHatImages/vault-docker-entrypoint.sh
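Review bot: `COPY xray.default /opt/jfrog/xray/app/bin` places a file into the application's bin directory under the bare comment `# Add call home`, and `xray.default` is not among the 20 files this commit adds, so a reviewer cannot see what it changes. If the file is not already in the repository the build fails at this step; if it is, the comment should say what it configures and what the call-home reports, e.g. `# xray.default: <what it sets>; enables call-home reporting of <what is sent> to <endpoint>`. A trailing slash on the destination (`/opt/jfrog/xray/app/bin/`) makes it explicit that a directory is meant.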
@@ -0,0 +1,104 @@ +#!/bin/sh +set -e + +# Note above that we run dumb-init as PID 1 in order to reap zombie processes +# as well as forward signals to all processes in its session. Normally, sh +# wouldn't do either of these functions so we'd leak zombies as well as do +# unclean termination of all our sub-processes. + +# Prevent core dumps +ulimit -c 0 + +# Allow setting VAULT_REDIRECT_ADDR and VAULT_CLUSTER_ADDR using an interface +# name instead of an IP address. The interface name is specified using +# VAULT_REDIRECT_INTERFACE and VAULT_CLUSTER_INTERFACE environment variables. If +# VAULT_*_ADDR is also set, the resulting URI will combine the protocol and port +# number with the IP of the named interface. +get_addr () { + local if_name=$1 + local uri_template=$2 + ip addr show dev $if_name | awk -v uri=$uri_template '/\s*inet\s/ { \ + ip=gensub(/(.+)\/.+/, "\\1", "g", $2); \ + print gensub(/^(.+:\/\/).+(:.+)$/, "\\1" ip "\\2", "g", uri); \ + exit}' +} + +if [ -n "$VAULT_REDIRECT_INTERFACE" ]; then + export VAULT_REDIRECT_ADDR=$(get_addr $VAULT_REDIRECT_INTERFACE ${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"}) + echo "Using $VAULT_REDIRECT_INTERFACE for VAULT_REDIRECT_ADDR: $VAULT_REDIRECT_ADDR" +fi +if [ -n "$VAULT_CLUSTER_INTERFACE" ]; then + export VAULT_CLUSTER_ADDR=$(get_addr $VAULT_CLUSTER_INTERFACE ${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"}) + echo "Using $VAULT_CLUSTER_INTERFACE for VAULT_CLUSTER_ADDR: $VAULT_CLUSTER_ADDR" +fi + +# VAULT_CONFIG_DIR isn't exposed as a volume but you can compose additional +# config files in there if you use this image as a base, or use +# VAULT_LOCAL_CONFIG below. +VAULT_CONFIG_DIR=/vault/config + +# You can also set the VAULT_LOCAL_CONFIG environment variable to pass some +# Vault configuration JSON without having to bind any volumes. 
+if [ -n "$VAULT_LOCAL_CONFIG" ]; then + echo "$VAULT_LOCAL_CONFIG" > "$VAULT_CONFIG_DIR/local.json" +fi + +# If the user is trying to run Vault directly with some arguments, then +# pass them to Vault. +if [ "${1:0:1}" = '-' ]; then + set -- vault "$@" +fi + +# Look for Vault subcommands. +if [ "$1" = 'server' ]; then + shift + set -- vault server \ + -config="$VAULT_CONFIG_DIR" \ + -dev-root-token-id="$VAULT_DEV_ROOT_TOKEN_ID" \ + -dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}" \ + "$@" +elif [ "$1" = 'version' ]; then + # This needs a special case because there's no help output. + set -- vault "$@" +elif vault --help "$1" 2>&1 | grep -q "vault $1"; then + # We can't use the return code to check for the existence of a subcommand, so + # we have to use grep to look for a pattern in the help output. + set -- vault "$@" +fi + +# If we are running Vault, make sure it executes as the proper user. +if [ "$1" = 'vault' ]; then + if [ -z "$SKIP_CHOWN" ]; then + # If the config dir is bind mounted then chown it + if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then + chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)" + fi + + # If the logs dir is bind mounted then chown it + if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then + chown -R vault:vault /vault/logs + fi + + # If the file dir is bind mounted then chown it + if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then + chown -R vault:vault /vault/file + fi + fi + + if [ -z "$SKIP_SETCAP" ]; then + # Allow mlock to avoid swapping Vault memory to disk + #sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault)) + + # In the case vault has been started in a container without IPC_LOCK privileges + if ! vault -version 1>/dev/null 2>/dev/null; then + >&2 echo "Couldn't start vault with IPC_LOCK. 
Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK" + #sudo setcap cap_ipc_lock=-ep $(readlink -f $(which vault)) + fi + fi + + if [ "$(id -u)" = '0' ]; then + set -- exec vault "$@" + fi +fi + +exec "$@" diff --git a/Openshift4/RedHatImages/xray-rabbitmq-docker-entrypoint.sh b/Openshift4/RedHatImages/xray-rabbitmq-docker-entrypoint.sh new file mode 100644 index 0000000..6d33d3d --- /dev/null +++ b/Openshift4/RedHatImages/xray-rabbitmq-docker-entrypoint.sh 
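Review bot: in the final root check, `set -- exec vault "$@"` cannot work: `$1` is already `vault` at that point, so the arguments become `exec vault vault …`, and the closing `exec "$@"` then looks for an external command named `exec` and fails. This looks like a leftover from removing a privilege-dropping helper; as written, starting the container as UID 0 neither drops privileges nor starts Vault. Either fail explicitly with `echo >&2 'refusing to run vault as root'; exit 1`, or switch to the `vault` user with a tool that is actually installed in the image. The opening comment also refers to dumb-init "above", which this file never mentions, and the `#!/bin/sh` script relies on `local` and `${1:0:1}`, which are not POSIX.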
@@ -0,0 +1,407 @@ +#!/bin/bash +set -eu + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# backwards compatibility for old environment variables +: "${RABBITMQ_SSL_CERTFILE:=${RABBITMQ_SSL_CERT_FILE:-}}" +: "${RABBITMQ_SSL_KEYFILE:=${RABBITMQ_SSL_KEY_FILE:-}}" +: "${RABBITMQ_SSL_CACERTFILE:=${RABBITMQ_SSL_CA_FILE:-}}" + +# "management" SSL config should default to using the same certs +: "${RABBITMQ_MANAGEMENT_SSL_CACERTFILE:=$RABBITMQ_SSL_CACERTFILE}" +: "${RABBITMQ_MANAGEMENT_SSL_CERTFILE:=$RABBITMQ_SSL_CERTFILE}" +: "${RABBITMQ_MANAGEMENT_SSL_KEYFILE:=$RABBITMQ_SSL_KEYFILE}" + +# Allowed env vars that will be read from mounted files (i.e. 
Docker Secrets): +fileEnvKeys=( + default_user + default_pass +) + +# https://www.rabbitmq.com/configure.html +sslConfigKeys=( + cacertfile + certfile + depth + fail_if_no_peer_cert + keyfile + verify +) +managementConfigKeys=( + "${sslConfigKeys[@]/#/ssl_}" +) +rabbitConfigKeys=( + default_pass + default_user + default_vhost + vm_memory_high_watermark +) +fileConfigKeys=( + management_ssl_cacertfile + management_ssl_certfile + management_ssl_keyfile + ssl_cacertfile + ssl_certfile + ssl_keyfile +) +allConfigKeys=( + "${managementConfigKeys[@]/#/management_}" + "${rabbitConfigKeys[@]}" + "${sslConfigKeys[@]/#/ssl_}" +) + +declare -A configDefaults=( + [management_ssl_fail_if_no_peer_cert]='false' + [management_ssl_verify]='verify_none' + + [ssl_fail_if_no_peer_cert]='true' + [ssl_verify]='verify_peer' +) + +# allow the container to be started with `--user` +if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then + # this needs to happen late enough that we have the SSL config + # https://github.com/docker-library/rabbitmq/issues/283 + for conf in "${allConfigKeys[@]}"; do + var="RABBITMQ_${conf^^}" + val="${!var:-}" + [ -n "$val" ] || continue + case "$conf" in + *_ssl_*file | ssl_*file ) + if [ -f "$val" ] && ! gosu rabbitmq test -r "$val"; then + newFile="/tmp/rabbitmq-ssl/$conf.pem" + echo >&2 + echo >&2 "WARNING: '$val' ($var) is not readable by rabbitmq ($(id rabbitmq)); copying to '$newFile'" + echo >&2 + cat "$val" > "$newFile" + chown rabbitmq "$newFile" + chmod 0400 "$newFile" + eval 'export '$var'="$newFile"' + fi + ;; + esac + done + + if [ "$1" = 'rabbitmq-server' ]; then + find /var/lib/rabbitmq \! 
-user rabbitmq -exec chown rabbitmq '{}' + + fi + + exec gosu rabbitmq "$BASH_SOURCE" "$@" +fi + +haveConfig= +haveSslConfig= +haveManagementSslConfig= +for fileEnvKey in "${fileEnvKeys[@]}"; do file_env "RABBITMQ_${fileEnvKey^^}"; done +for conf in "${allConfigKeys[@]}"; do + var="RABBITMQ_${conf^^}" + val="${!var:-}" + if [ "$val" ]; then + if [ "${configDefaults[$conf]:-}" ] && [ "${configDefaults[$conf]}" = "$val" ]; then + # if the value set is the same as the default, treat it as if it isn't set + continue + fi + haveConfig=1 + case "$conf" in + ssl_*) haveSslConfig=1 ;; + management_ssl_*) haveManagementSslConfig=1 ;; + esac + fi +done +if [ "$haveSslConfig" ]; then + missing=() + for sslConf in cacertfile certfile keyfile; do + var="RABBITMQ_SSL_${sslConf^^}" + val="${!var}" + if [ -z "$val" ]; then + missing+=( "$var" ) + fi + done + if [ "${#missing[@]}" -gt 0 ]; then + { + echo + echo 'error: SSL requested, but missing required configuration' + for miss in "${missing[@]}"; do + echo " - $miss" + done + echo + } >&2 + exit 1 + fi +fi +missingFiles=() +for conf in "${fileConfigKeys[@]}"; do + var="RABBITMQ_${conf^^}" + val="${!var}" + if [ "$val" ] && [ ! 
-f "$val" ]; then + missingFiles+=( "$val ($var)" ) + fi +done +if [ "${#missingFiles[@]}" -gt 0 ]; then + { + echo + echo 'error: files specified, but missing' + for miss in "${missingFiles[@]}"; do + echo " - $miss" + done + echo + } >&2 + exit 1 +fi + +# set defaults for missing values (but only after we're done with all our checking so we don't throw any of that off) +for conf in "${!configDefaults[@]}"; do + default="${configDefaults[$conf]}" + var="RABBITMQ_${conf^^}" + [ -z "${!var:-}" ] || continue + eval "export $var=\"\$default\"" +done + +# if long and short hostnames are not the same, use long hostnames +if [ "$(hostname)" != "$(hostname -s)" ]; then + : "${RABBITMQ_USE_LONGNAME:=true}" +fi + +if [ "${RABBITMQ_ERLANG_COOKIE:-}" ]; then + cookieFile='/var/lib/rabbitmq/.erlang.cookie' + if [ -e "$cookieFile" ]; then + if [ "$(cat "$cookieFile" 2>/dev/null)" != "$RABBITMQ_ERLANG_COOKIE" ]; then + echo >&2 + echo >&2 "warning: $cookieFile contents do not match RABBITMQ_ERLANG_COOKIE" + echo >&2 + fi + else + echo "$RABBITMQ_ERLANG_COOKIE" > "$cookieFile" + fi + chmod 600 "$cookieFile" +fi + +configBase="${RABBITMQ_CONFIG_FILE:-/etc/rabbitmq/rabbitmq}" +oldConfigFile="$configBase.config" +newConfigFile="$configBase.conf" + +shouldWriteConfig="$haveConfig" +if [ -n "$shouldWriteConfig" ] && [ -f "$oldConfigFile" ]; then + { + echo "error: Docker configuration environment variables specified, but old-style (Erlang syntax) configuration file '$oldConfigFile' exists" + echo " Suggested fixes: (choose one)" + echo " - remove '$oldConfigFile'" + echo " - remove any Docker-specific 'RABBITMQ_...' environment variables" + echo " - convert '$oldConfigFile' to the newer sysctl format ('$newConfigFile'); see https://www.rabbitmq.com/configure.html#config-file" + } >&2 + exit 1 +fi +if [ -z "$shouldWriteConfig" ] && [ ! -f "$oldConfigFile" ] && [ ! 
-f "$newConfigFile" ]; then + # no config files, we should write one + shouldWriteConfig=1 +fi + +# http://stackoverflow.com/a/2705678/433558 +sed_escape_lhs() { + echo "$@" | sed -e 's/[]\/$*.^|[]/\\&/g' +} +sed_escape_rhs() { + echo "$@" | sed -e 's/[\/&]/\\&/g' +} +rabbit_set_config() { + local key="$1"; shift + local val="$1"; shift + + [ -e "$newConfigFile" ] || touch "$newConfigFile" + + local sedKey="$(sed_escape_lhs "$key")" + local sedVal="$(sed_escape_rhs "$val")" + sed -ri \ + "s/^[[:space:]]*(${sedKey}[[:space:]]*=[[:space:]]*)\S.*\$/\1${sedVal}/" \ + "$newConfigFile" + if ! grep -qE "^${sedKey}[[:space:]]*=" "$newConfigFile"; then + echo "$key = $val" >> "$newConfigFile" + fi +} +rabbit_comment_config() { + local key="$1"; shift + + [ -e "$newConfigFile" ] || touch "$newConfigFile" + + local sedKey="$(sed_escape_lhs "$key")" + sed -ri \ + "s/^[[:space:]]*#?[[:space:]]*(${sedKey}[[:space:]]*=[[:space:]]*\S.*)\$/# \1/" \ + "$newConfigFile" +} +rabbit_env_config() { + local prefix="$1"; shift + + local conf + for conf; do + local var="rabbitmq${prefix:+_$prefix}_$conf" + var="${var^^}" + + local key="$conf" + case "$prefix" in + ssl) key="ssl_options.$key" ;; + management_ssl) key="management.ssl.$key" ;; + esac + + local val="${!var:-}" + local rawVal="$val" + case "$conf" in + fail_if_no_peer_cert) + case "${val,,}" in + false|no|0|'') rawVal='false' ;; + true|yes|1|*) rawVal='true' ;; + esac + ;; + + vm_memory_high_watermark) continue ;; # handled separately + esac + + if [ -n "$rawVal" ]; then + rabbit_set_config "$key" "$rawVal" + else + rabbit_comment_config "$key" + fi + done +} + +if [ "$1" = 'rabbitmq-server' ] && [ "$shouldWriteConfig" ]; then + rabbit_set_config 'loopback_users.guest' 'false' + + # determine whether to set "vm_memory_high_watermark" (based on cgroups) + memTotalKb= + if [ -r /proc/meminfo ]; then + memTotalKb="$(awk -F ':? 
+' '$1 == "MemTotal" { print $2; exit }' /proc/meminfo)" + fi + memLimitB= + if [ -r /sys/fs/cgroup/memory/memory.limit_in_bytes ]; then + # "18446744073709551615" is a valid value for "memory.limit_in_bytes", which is too big for Bash math to handle + # "$(( 18446744073709551615 / 1024 ))" = 0; "$(( 18446744073709551615 * 40 / 100 ))" = 0 + memLimitB="$(awk -v totKb="$memTotalKb" '{ + limB = $0; + limKb = limB / 1024; + if (!totKb || limKb < totKb) { + printf "%.0f\n", limB; + } + }' /sys/fs/cgroup/memory/memory.limit_in_bytes)" + fi + if [ -n "$memLimitB" ]; then + # if we have a cgroup memory limit, let's inform RabbitMQ of what it is (so it can calculate vm_memory_high_watermark properly) + # https://github.com/rabbitmq/rabbitmq-server/pull/1234 + rabbit_set_config 'total_memory_available_override_value' "$memLimitB" + fi + # https://www.rabbitmq.com/memory.html#memsup-usage + if [ "${RABBITMQ_VM_MEMORY_HIGH_WATERMARK:-}" ]; then + # https://github.com/docker-library/rabbitmq/pull/105#issuecomment-242165822 + vmMemoryHighWatermark="$( + echo "$RABBITMQ_VM_MEMORY_HIGH_WATERMARK" | awk ' + /^[0-9]*[.][0-9]+$|^[0-9]+([.][0-9]+)?%$/ { + perc = $0; + if (perc ~ /%$/) { + gsub(/%$/, "", perc); + perc = perc / 100; + } + if (perc > 1.0 || perc < 0.0) { + printf "error: invalid percentage for vm_memory_high_watermark: %s (must be >= 0%%, <= 100%%)\n", $0 > "/dev/stderr"; + exit 1; + } + printf "vm_memory_high_watermark.relative %0.03f\n", perc; + next; + } + /^[0-9]+$/ { + printf "vm_memory_high_watermark.absolute %s\n", $0; + next; + } + /^[0-9]+([.][0-9]+)?[a-zA-Z]+$/ { + printf "vm_memory_high_watermark.absolute %s\n", $0; + next; + } + { + printf "error: unexpected input for vm_memory_high_watermark: %s\n", $0; + exit 1; + } + ' + )" + if [ "$vmMemoryHighWatermark" ]; then + vmMemoryHighWatermarkKey="${vmMemoryHighWatermark%% *}" + vmMemoryHighWatermarkVal="${vmMemoryHighWatermark#$vmMemoryHighWatermarkKey }" + rabbit_set_config "$vmMemoryHighWatermarkKey" 
"$vmMemoryHighWatermarkVal" + case "$vmMemoryHighWatermarkKey" in + # make sure we only set one or the other + 'vm_memory_high_watermark.absolute') rabbit_comment_config 'vm_memory_high_watermark.relative' ;; + 'vm_memory_high_watermark.relative') rabbit_comment_config 'vm_memory_high_watermark.absolute' ;; + esac + fi + fi + + if [ "$haveSslConfig" ]; then + rabbit_set_config 'listeners.ssl.default' 5671 + rabbit_env_config 'ssl' "${sslConfigKeys[@]}" + else + rabbit_set_config 'listeners.tcp.default' 5672 + fi + + rabbit_env_config '' "${rabbitConfigKeys[@]}" + + # if management plugin is installed, generate config for it + # https://www.rabbitmq.com/management.html#configuration + if [ "$(rabbitmq-plugins list -q -m -e rabbitmq_management)" ]; then + if [ "$haveManagementSslConfig" ]; then + rabbit_set_config 'management.ssl.port' 15671 + rabbit_env_config 'management_ssl' "${sslConfigKeys[@]}" + else + rabbit_set_config 'management.tcp.port' 15672 + fi + + # if definitions file exists, then load it + # https://www.rabbitmq.com/management.html#load-definitions + managementDefinitionsFile='/etc/rabbitmq/definitions.json' + if [ -f "$managementDefinitionsFile" ]; then + # see also https://github.com/docker-library/rabbitmq/pull/112#issuecomment-271485550 + rabbit_set_config 'management.load_definitions' "$managementDefinitionsFile" + fi + fi +fi + +rabbitmq-plugins enable rabbitmq_management + +combinedSsl='/tmp/rabbitmq-ssl/combined.pem' +if [ "$haveSslConfig" ] && [[ "$1" == rabbitmq* ]] && [ ! 
-f "$combinedSsl" ]; then + # Create combined cert + { + cat "$RABBITMQ_SSL_CERTFILE" + echo # https://github.com/docker-library/rabbitmq/issues/357#issuecomment-517755647 + cat "$RABBITMQ_SSL_KEYFILE" + } > "$combinedSsl" + chmod 0400 "$combinedSsl" +fi +if [ "$haveSslConfig" ] && [ -f "$combinedSsl" ]; then + # More ENV vars for make clustering happiness + # we don't handle clustering in this script, but these args should ensure + # clustered SSL-enabled members will talk nicely + export ERL_SSL_PATH="$(erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell)" + sslErlArgs="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_opt server_certfile $combinedSsl -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true" + export RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="${RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS:-} $sslErlArgs" + export RABBITMQ_CTL_ERL_ARGS="${RABBITMQ_CTL_ERL_ARGS:-} $sslErlArgs" +fi + +exec "$@"
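Review bot: `rabbit_set_config 'loopback_users.guest' 'false'` is written into every generated config, which lifts RabbitMQ's loopback-only restriction on the built-in `guest` account even when `RABBITMQ_DEFAULT_USER` and `RABBITMQ_DEFAULT_PASS` are not supplied. Make it conditional on credentials being set, or refuse to start without them, e.g. `[ "${RABBITMQ_DEFAULT_PASS:-}" ] || { echo >&2 'error: RABBITMQ_DEFAULT_PASS (or _FILE) must be set'; exit 1; }` placed after the `file_env` loop. The root branch calls `gosu` and both SSL paths write under `/tmp/rabbitmq-ssl/`, neither of which the xray-rabbitmq Dockerfile in this commit appears to install or create, so those paths would fail under `set -eu`. `combined.pem` holds the private key but is created with the default umask and only afterwards set to `chmod 0400`; a `umask 077` before the redirect closes that window.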