Merge pull request #164 from jfrog/openshift-docker-images

Copied Dockerfile of redhat images from jfrog-distroless repo

Openshift4/RedHatImages/Dockerfile.redhat-ubi-jfrog-rabbitmq

@@ -0,0 +1,68 @@
+# BITNAMI DEBIAN-10 DOCKERFILE CAN BE FOUND HERE:
+# https://github.com/bitnami/bitnami-docker-rabbitmq/blob/master/3.8/debian-10/Dockerfile
+# JFROG REDHAT UBI PORT TO WORK IN BITNAMI RABBITMQ HELM CHARTS
+
+
+FROM bitnami/rabbitmq:3.8.9-debian-10-r88 as base
+
+FROM registry.access.redhat.com/ubi8
+
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+LABEL name="JFrog Rabbit MQ" \
+      description="JFrog Rabbit MQ image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Rabbit MQ (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+ARG RABBITMQ_VERSION=3.8.9-debian-10-r88
+
+LABEL io.k8s.description="Lightweight open source message broker" \
+    io.k8s.display-name="RabbitMQ" \
+    io.openshift.expose-services="4369:epmd, 5671:amqp, 5672:amqp, 15672:http" \
+    io.openshift.tags="rabbitmq"
+
+# FIX THE LOCALE ISSUE
+RUN yum install -y --disableplugin=subscription-manager -y openssl curl ca-certificates fontconfig gzip glibc-langpack-en tar \
+    && yum  -y --disableplugin=subscription-manager update; yum --disableplugin=subscription-manager clean all
+
+ENV GPG_KEY="0A9AF2115F4687BD29803A206B73A36E6026DFCA" \
+    HOME=/var/lib/rabbitmq \
+    RABBITMQ_HOME=/opt/rabbitmq \
+    RABBITMQ_LOGS=- \
+    RABBITMQ_SASL_LOGS=- \
+    LANG=en_US.UTF-8 \
+    LANGUAGE=en_US.:en \
+    LC_ALL=en_US.UTF-8
+
+RUN yum install -y --disableplugin=subscription-manager xz
+RUN set -xe && \
+    curl -LO https://github.com/rabbitmq/erlang-rpm/releases/download/v23.0/erlang-23.0-1.el8.x86_64.rpm && \
+    rpm -Uvh ./erlang-23.0-1.el8.x86_64.rpm && \
+    rm *.rpm && \
+    INSTALL_PKGS="wget procps net-tools hostname" && \
+    yum install -y $INSTALL_PKGS && \
+    rm -rf /var/cache/yum
+
+# COPY OVER THE RABBITMQ LICENSES INTO THE FOLDER FOR REDHAT TO SCAN
+COPY --from=base /opt/bitnami /opt/bitnami
+
+RUN mkdir -p /opt/bitnami/rabbitmq/ && chown -R 0777 /opt/bitnami/rabbitmq && chown -R 1000721001:1000721001 /opt/bitnami/rabbitmq
+RUN mkdir -p /var/log/rabbitmq/log/ && chmod -R 0777 /var/log
+RUN mkdir -p /var/lib/rabbitmq					 && chmod -R 0777 /var/lib/rabbitmq				   && chown -R 1000721001:1000721001 	/var/lib/rabbitmq
+RUN mkdir -p /opt/rabbitmq                       && chmod -R 0777 /opt/rabbitmq                    && chown -R 1000721001:1000721001    /opt/rabbitmq
+RUN mkdir -p /opt/bitnami                        && chmod -R 0777 /opt/bitnami                     && chown -R 1000721001:1000721001    /opt/bitnami
+RUN mkdir -p /licenses                           && chmod -R 0777 /licenses                        && chown -R 1000721001:1000721001    /licenses
+RUN mkdir -p /opt/bitnami/rabbitmq/licenses      && chmod -R 0777 /opt/bitnami/rabbitmq/licenses   && chown -R 1000721001:1000721001    /opt/bitnami/rabbitmq/licenses && cp -rf /opt/bitnami/rabbitmq/licenses/* /licenses && chmod 0777 /opt/bitnami/scripts/rabbitmq/setup.sh
+RUN mkdir -p /opt/bitnami/rabbitmq/test          && chmod -R 0777 /opt/bitnami/rabbitmq/test       && chown -R 1000721001:1000721001    /opt/bitnami/rabbitmq/test
+
+ENV BITNAMI_APP_NAME="rabbitmq" \
+    LANG="en_US.UTF-8" \
+    LANGUAGE="en_US:en"
+
+EXPOSE 4369 5672 15672 25672
+
+USER 1000721001
+ENV PATH=/opt/bitnami/rabbitmq/sbin:$PATH
+ENTRYPOINT [ "/opt/bitnami/scripts/rabbitmq/entrypoint.sh" ]
+CMD [ "/opt/bitnami/scripts/rabbitmq/run.sh" ]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-api

@@ -0,0 +1,50 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-api:${PIPELINES_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8/nodejs-10
+
+USER root
+
+LABEL name="JFrog Pipelines API" \
+      description="JFrog Pipelines API image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Pipelines API (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+    PIPELINES_USER_ID=1000721117 \
+    PIPELINES_VERSION=${PIPELINES_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/pipelines \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/pipelines \
+    SERVICE_NAME=api \
+    APP_HOME_DIR=/opt/jfrog/pipelines/app/api \
+    LOG_DIR=/opt/jfrog/pipelines/var/log
+
+ENV LOG_DIR=/opt/jfrog/pipelines/var/log
+ENV NODE_PATH=/opt/jfrog/pipelines/app/node_modules
+ENV API_BIN_DIR /opt/jfrog/pipelines/app/api/bin
+
+# COPY IN PIPELINES FROM BASE IMAGE
+COPY --from=base /opt/jfrog/pipelines/app/api /opt/jfrog/pipelines/app/api
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group pipelines && \
+    chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /opt/jfrog/pipelines /var/opt/jfrog && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname
+
+RUN mkdir -p /opt/jfrog/pipelines/var/tmp
+RUN mkdir -p $LOG_DIR
+USER ${JF_PIPELINES_USER}
+WORKDIR /opt/jfrog/pipelines/app/api
+CMD ["node","api.app.js"]
+EXPOSE 30000

Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-initcontainer

@@ -0,0 +1,30 @@
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+USER root
+
+LABEL name="JFrog Pipelines Init Container" \
+      description="JFrog Pipelines Init Container image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Pipelines Init Container (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# install the necessary programs for the init container
+RUN yum install -y --disableplugin=subscription-manager nc
+RUN yum install -y --disableplugin=subscription-manager libcap libcap-ng
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+    PIPELINES_USER_ID=1000721117
+
+RUN mkdir -p /home/${JF_PIPELINES_USER}
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group ${JF_PIPELINES_USER} && \
+    chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /home/${JF_PIPELINES_USER}
+
+USER ${JF_PIPELINES_USER}
+
+WORKDIR /home/${JF_PIPELINES_USER}
+
+ENTRYPOINT ["bash"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-installer

@@ -0,0 +1,60 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-installer:${PIPELINES_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8/nodejs-10
+
+USER root
+
+LABEL name="JFrog Pipelines Installer" \
+      description="JFrog Pipelines Installer image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Pipelines Installer (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+    PIPELINES_USER_ID=1000721117 \
+    PIPELINES_VERSION=${PIPELINES_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/pipelines \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/pipelines
+
+ENV NODE_PATH /usr/local/lib/node_modules
+ENV TMP_DIR /opt/jfrog/pipelines/var/tmp
+ENV SRC_DIR /opt/jfrog/pipelines/installer
+ENV DEPENDENCIES /opt/jfrog/pipelines/dependencies
+
+# COPY IN PIPELINES FROM BASE IMAGE
+COPY --from=base /usr/local/lib /usr/local/lib
+COPY --from=base /opt/jfrog/pipelines/var/tmp /opt/jfrog/pipelines/var/tmp
+COPY --from=base /opt/jfrog/pipelines /opt/jfrog/pipelines
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+RUN mkdir p /opt/jfrog/pipelines/var/etc/ && chmod 0777 /opt/jfrog/pipelines/var/etc/
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group pipelines && \
+    chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /opt/jfrog/pipelines /var/opt/jfrog && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
+    yum install -y --disableplugin=subscription-manager hostname python36 python3-pip nc
+
+RUN yum install -y --disableplugin=subscription-manager http://www6.atomicorp.com/channels/atomic/centos/7/x86_64/RPMS/atomic-release-1.0-21.el7.art.noarch.rpm && \
+    yum install -y --disableplugin=subscription-manager http://www6.atomicorp.com/channels/atomic/centos/7/x86_64/RPMS/oniguruma-5.9.5-3.el7.art.x86_64.rpm && \
+    yum install -y --disableplugin=subscription-manager http://www6.atomicorp.com/channels/atomic/centos/7/x86_64/RPMS/jq-1.5-1.el7.art.x86_64.rpm
+
+RUN wget https://github.com/mikefarah/yq/releases/download/3.4.0/yq_linux_amd64 -O /usr/bin/yq && chmod +x /usr/bin/yq
+
+# install psql
+RUN yum install -y --disableplugin=subscription-manager https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-8-x86_64/postgresql10-libs-10.14-1PGDG.rhel8.x86_64.rpm && \
+    yum install -y --disableplugin=subscription-manager https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-8-x86_64/postgresql10-10.14-1PGDG.rhel8.x86_64.rpm
+
+RUN mkdir -p /usr/local/bin && cp -rf /usr/bin/psql /usr/local/bin/psql
+USER ${JF_PIPELINES_USER}
+WORKDIR /opt/jfrog/pipelines/installer
+ENTRYPOINT ["/bin/bash", "execUtil.sh"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-k8snode

@@ -0,0 +1,89 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-api:${PIPELINES_BASE_VERSION} AS base
+FROM jfrog-docker-reg2.bintray.io/pipelines-node:1.4.2 AS base2
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+USER root
+
+LABEL name="JFrog Pipelines K8s Node" \
+      description="JFrog Pipelines K8s Node image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Pipelines K8s Node (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Set vars
+ENV DOCKER_VERSION=18.09.9
+ENV NODE_VERSION=10.19.0
+
+#RUN apt-get update && \
+#    apt-get install sudo grep jq tar curl python-minimal wget ca-certificates rsync vim -y
+
+
+RUN yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname && \
+    yum install -y --disableplugin=subscription-manager https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
+    yum install -y --disableplugin=subscription-manager sudo grep tar python36 ca-certificates rsync vim
+
+
+
+RUN wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.36.0/install.sh | bash
+ENV NVM_DIR=/root/.nvm
+RUN . "$NVM_DIR/nvm.sh" && nvm install ${NODE_VERSION}
+RUN . "$NVM_DIR/nvm.sh" && nvm use v${NODE_VERSION}
+RUN . "$NVM_DIR/nvm.sh" && nvm alias default v${NODE_VERSION}
+RUN cp /root/.nvm/versions/node/v${NODE_VERSION}/bin/node /usr/bin/
+RUN cp /root/.nvm/versions/node/v${NODE_VERSION}/bin/npm /usr/bin/
+RUN /root/.nvm/versions/node/v${NODE_VERSION}/bin/npm install leasot@latest -g
+
+RUN curl -0 -L https://npmjs.com/install.sh | sh
+
+# Get files needed to run Build Plane node
+COPY --from=base /opt/jfrog/pipelines/app/api/bin/buildPlane-x86_64-RHEL_7.rpm /tmp/buildPlane-x86_64-RHEL_7.rpm
+COPY ./executeAffinityGroup_fix.js /tmp
+
+RUN yum localinstall -y --disableplugin=subscription-manager /tmp/buildPlane-x86_64-RHEL_7.rpm
+RUN mkdir -p /tmp/var/opt/jfrog/pipelines/reqKick/execute/
+RUN mkdir -p /jfrog-init
+RUN cat /tmp/executeAffinityGroup_fix.js >> /tmp/var/opt/jfrog/pipelines/reqKick/execute/executeAffinityGroup.js
+RUN sed -i '/function __restart(bag) {/,$d' /tmp/var/opt/jfrog/pipelines/reqKick/execute/executeAffinityGroup.js
+RUN cp -fr /tmp/var/opt/jfrog/pipelines/ /jfrog-init
+RUN rm -fr /tmp/var && rm -fr /tmp/*
+
+COPY --from=base2 /jfrog-init /jfrog-init
+
+# Install app dependencies
+RUN cd /jfrog-init/reqKick; npm install
+
+# Install docker client
+RUN wget https://download.docker.com/linux/static/stable/x86_64/docker-$DOCKER_VERSION.tgz -P /tmp/docker && \
+    tar -xzf /tmp/docker/docker-$DOCKER_VERSION.tgz --directory /opt && \
+    ln -s /opt/docker/docker /usr/bin/docker && \
+    rm -fr /tmp/docker
+
+
+# Install nodejs pm2 monitoring
+RUN npm install pm2 -g
+
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+    PIPELINES_USER_ID=1000721117 \
+    PIPELINES_VERSION=${PIPELINES_BASE_VERSION}
+
+RUN mkdir -p /home/${JF_PIPELINES_USER}
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group pipelines && \
+    chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /jfrog-init /home/${JF_PIPELINES_USER}
+
+USER ${JF_PIPELINES_USER}
+
+
+WORKDIR /jfrog-init/reqKick
+CMD ["pm2-runtime", "/jfrog-init/reqKick/reqKick.app.js"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-micro

@@ -0,0 +1,53 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-micro:${PIPELINES_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8/nodejs-10
+
+USER root
+
+LABEL name="JFrog Pipelines Micro" \
+      description="JFrog Pipelines Micro image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Pipelines Micro (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+    PIPELINES_USER_ID=1000721117 \
+    PIPELINES_VERSION=${PIPELINES_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/pipelines \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/pipelines \
+    SERVICE_NAME=www \
+    APP_HOME_DIR=/opt/jfrog/pipelines/app/www \
+    LOG_DIR=/opt/jfrog/pipelines/var/log \
+    NODE_PATH=/opt/jfrog/pipelines/app/node_modules \
+    EXEC_TEMPLATES_DIR=/opt/jfrog/pipelines/app/execTemplates \
+    HOME=/home \
+    OLDPWD=/home \
+    SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# COPY IN PIPELINES FROM BASE IMAGE
+COPY --from=base /opt/jfrog/pipelines /opt/jfrog/pipelines
+COPY --from=base /home /home
+COPY --from=base /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group pipelines && \
+    chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /opt/jfrog/pipelines /var/opt/jfrog && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname
+
+RUN mkdir -p /opt/jfrog/pipelines/var/tmp
+RUN mkdir -p $LOG_DIR
+
+USER ${JF_PIPELINES_USER}
+WORKDIR /opt/jfrog/pipelines/app/micro/nexec
+CMD ["node","app.js"]
+EXPOSE 30001

Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-router

@@ -0,0 +1,40 @@
+ARG ROUTER_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/router:${ROUTER_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Pipelines Router" \
+      description="JFrog Pipelines Router image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Pipelines Router (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Router
+ENV JF_ROUTER_USER=router \
+    ROUTER_USER_ID=1000721117 \
+    ROUTER_VERSION=${ROUTER_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/router \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/router \
+    SERVICE_NAME=router
+
+COPY --from=base /opt/jfrog/router /opt/jfrog/router
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/router/app/doc/* /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${ROUTER_USER_ID} --user-group router && \
+    chown -R ${ROUTER_USER_ID}:${ROUTER_USER_ID} /opt/jfrog/router /var/opt/jfrog && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname
+
+USER router
+
+VOLUME /var/opt/jfrog/router
+
+ENTRYPOINT ["/opt/jfrog/router/app/bin/entrypoint-router.sh"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-vault

@@ -0,0 +1,100 @@
+FROM registry.access.redhat.com/ubi8
+
+# This is the release of Vault to pull in.
+ARG VAULT_BASE_VERSION
+
+LABEL name="JFrog Pipelines Vault" \
+      description="JFrog Pipelines Vault image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Pipelines Vault (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+ENV JF_VAULT_USER=vault \
+    JF_VAULT_USER_GROUP=vault \
+    VAULT_USER_ID=1000721117 \
+    VAULT_VERSION=${VAULT_BASE_VERSION}
+
+# Create a vault user and group first so the IDs get set the same way,
+# even as the rest of this may change over time.
+RUN useradd -M -s /usr/sbin/nologin --uid ${VAULT_USER_ID} --user-group ${JF_VAULT_USER_GROUP}
+RUN mkdir -p /home/${JF_VAULT_USER} && \
+    chown -R ${VAULT_USER_ID}:${VAULT_USER_ID} /home/${JF_VAULT_USER}
+
+RUN yum install -y --disableplugin=subscription-manager wget curl unzip ca-certificates gnupg openssl libcap tzdata
+
+# Set up certificates, our base tools, and Vault.
+RUN set -eux; \
+    apkArch="$(uname -a)"; \
+    case "$apkArch" in \
+        armhf) ARCH='arm' ;; \
+        aarch64) ARCH='arm64' ;; \
+        x86_64) x86_64 ;; \
+        x86) ARCH='386' ;; \
+        *) echo >&2 "Supported architecture: $apkArch" ;; \
+    esac && \
+    VAULT_GPGKEY=91A6E7F85D05C65630BEF18951852D87348FFC4C; \
+    found=''; \
+    for server in \
+        hkp://p80.pool.sks-keyservers.net:80 \
+        hkp://keyserver.ubuntu.com:80 \
+        hkp://pgp.mit.edu:80 \
+    ; do \
+        echo "Fetching GPG key $VAULT_GPGKEY from $server"; \
+        gpg --batch --keyserver "$server" --recv-keys "$VAULT_GPGKEY" && found=yes && break; \
+    done; \
+    test -z "$found" && echo >&2 "error: failed to fetch GPG key $VAULT_GPGKEY" && exit 1; \
+    mkdir -p /tmp/build && \
+    cd /tmp/build && \
+    wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
+    wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS && \
+    wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig && \
+    gpg --batch --verify vault_${VAULT_VERSION}_SHA256SUMS.sig vault_${VAULT_VERSION}_SHA256SUMS && \
+    grep vault_${VAULT_VERSION}_linux_amd64.zip vault_${VAULT_VERSION}_SHA256SUMS | sha256sum -c && \
+    unzip -d /bin vault_${VAULT_VERSION}_linux_amd64.zip && \
+    cd /tmp && \
+    rm -rf /tmp/build && \
+    gpgconf --kill dirmngr && \
+    gpgconf --kill gpg-agent && \
+    rm -rf /root/.gnupg
+
+# /vault/logs is made available to use as a location to store audit logs, if
+# desired; /vault/file is made available to use as a location with the file
+# storage backend, if desired; the server will be started with /vault/config as
+# the configuration directory so you can add additional config files in that
+# location.
+RUN mkdir -p /vault/logs && \
+    mkdir -p /vault/file && \
+    mkdir -p /vault/config && \
+    chown -R vault:vault /vault
+
+# Expose the logs directory as a volume since there's potentially long-running
+# state in there
+VOLUME /vault/logs
+
+# Expose the file directory as a volume since there's potentially long-running
+# state in there
+VOLUME /vault/file
+
+# 8200/tcp is the primary interface that applications use to interact with
+# Vault.
+EXPOSE 8200
+
+# The entry point script uses dumb-init as the top-level process to reap any
+# zombie processes created by Vault sub-processes.
+#
+# For production derivatives of this container, you shoud add the IPC_LOCK
+# capability so that Vault can mlock memory.
+COPY vault-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+# SETUP VAULT TO USE MLOCK
+RUN setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
+
+USER ${JF_VAULT_USER}
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# By default you'll get a single-node development server that stores everything
+# in RAM and bootstraps itself. Don't use this configuration for production.
+CMD ["server", "-dev"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-vault-init

@@ -0,0 +1,40 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-vault-init:${PIPELINES_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8/go-toolset
+
+USER root
+
+LABEL name="JFrog Pipelines Vault Init" \
+      description="JFrog Pipelines Vault Init image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Pipelines Vault Init (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=vault \
+    PIPELINES_USER_ID=1000721117 \
+    PIPELINES_VERSION=${PIPELINES_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/pipelines \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/pipelines \
+    SERVICE_NAME=vault-init
+
+# COPY IN PIPELINES FROM BASE IMAGE
+COPY --from=base /vault-init /opt/jfrog/pipelines/vault-init
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group ${JF_PIPELINES_USER} && \
+    chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /opt/jfrog/pipelines /var/opt/jfrog && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname
+
+USER ${JF_PIPELINES_USER}
+WORKDIR /opt/jfrog/pipelines
+ENTRYPOINT ["/opt/jfrog/pipelines/vault-init"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-pipelines-www

@@ -0,0 +1,47 @@
+ARG PIPELINES_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/pipelines-www:${PIPELINES_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8/nodejs-10
+
+USER root
+
+LABEL name="JFrog Pipelines WWW" \
+      description="JFrog Pipelines WWW image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Pipelines WWW (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# Environment needed for Pipelines
+ENV JF_PIPELINES_USER=pipelines \
+    PIPELINES_USER_ID=1000721117 \
+    PIPELINES_VERSION=${PIPELINES_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/pipelines \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/pipelines \
+    SERVICE_NAME=www \
+    APP_HOME_DIR=/opt/jfrog/pipelines/app/www \
+    LOG_DIR=/opt/jfrog/pipelines/var/log
+
+# COPY IN PIPELINES FROM BASE IMAGE
+COPY --from=base /opt/jfrog/pipelines /opt/jfrog/pipelines
+
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${PIPELINES_USER_ID} --user-group pipelines && \
+    chown -R ${PIPELINES_USER_ID}:${PIPELINES_USER_ID} /opt/jfrog/pipelines /var/opt/jfrog && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname
+
+RUN mkdir -p /opt/jfrog/pipelines/var/tmp
+RUN mkdir -p $LOG_DIR
+
+USER ${JF_PIPELINES_USER}
+WORKDIR /opt/jfrog/pipelines/app/www
+CMD ["node","www.app.js"]
+EXPOSE 30001

Openshift4/RedHatImages/Dockerfile.redhat-ubi-rt-initcontainer

@@ -0,0 +1,32 @@
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+USER root
+
+LABEL name="JFrog Init Container" \
+      description="JFrog Init Container image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Init Container (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+# install the necessary programs for the init container
+RUN yum install -y --disableplugin=subscription-manager nc
+RUN yum install -y --disableplugin=subscription-manager libcap libcap-ng
+# Add EULA information to meet the Red Hat container image certification requirements
+COPY entplus_EULA.txt /licenses/
+
+# Environment needed for Pipelines
+ENV JF_ART_USER=artifactory \
+    ART_USER_ID=1000721030
+
+RUN mkdir -p /home/${JF_ART_USER}
+RUN useradd -M -s /usr/sbin/nologin --uid ${ART_USER_ID} --user-group ${JF_ART_USER} && \
+    chown -R ${ART_USER_ID}:${ART_USER_ID} /home/${JF_ART_USER}
+
+VOLUME /var/opt/jfrog/artifactory
+
+USER ${JF_ART_USER}
+
+WORKDIR /home/${JF_ART_USER}
+
+ENTRYPOINT ["bash"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-rt7

@@ -0,0 +1,61 @@
+# An example of customising Artifactory using RedHat Univeral Base Image (UBI).
+# Using Docker multi stage build.
+# Taking the Artifactory file system
+ARG ARTIFACTORY_BASE_VERSION
+
+# The Artifactory official Docker image
+FROM docker.bintray.io/jfrog/artifactory-pro:${ARTIFACTORY_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Artifactory Pro" \
+      description="JFrog Artifactory Pro image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Artifactory Pro (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/artifactory/eula/"
+
+# Environment needed for Artifactory
+ENV JF_ARTIFACTORY_USER=artifactory \
+    ARTIFACTORY_USER_ID=1000721030 \
+    ARTIFACTORY_VERSION=${ARTIFACTORY_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/artifactory \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/artifactory \
+    RECOMMENDED_MAX_OPEN_FILES=32000 \
+    MIN_MAX_OPEN_FILES=10000 \
+    RECOMMENDED_MAX_OPEN_PROCESSES=1024 \
+    POSTGRESQL_VERSION=9.4.1212
+
+# Copy needed file system from base (Artifactory image)
+COPY --from=base /opt/jfrog /opt/jfrog
+COPY --from=base /var/opt/jfrog/artifactory /var/opt/jfrog/artifactory
+COPY --from=base /entrypoint-artifactory.sh /entrypoint-artifactory.sh
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/artifactory/app/doc/* /licenses/
+
+# Metadata to let Artifactory know its installation source
+RUN mkdir -p /artifactory_bootstrap/info/
+RUN echo "{\"productId\":\"UBI8_artifactory/1.0.0\",\"features\":[{\"featureId\":\"Partner/ACC-006983\"}]}" > /artifactory_bootstrap/info/installer-info.json
+
+# Create the user, fix file system ownership and install needed tools with Yum
+# NOTE - wget must be installed for Artifactory HA
+# procps must be installed to run Artifactory
+# hostname is needed to generate nodeID
+RUN useradd -M -s /usr/sbin/nologin --uid ${ARTIFACTORY_USER_ID} --user-group ${JF_ARTIFACTORY_USER} && \
+    chown -R ${JF_ARTIFACTORY_USER}:${JF_ARTIFACTORY_USER} ${JF_PRODUCT_HOME} ${JF_PRODUCT_DATA_INTERNAL} && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname
+
+# Add RUN instruction for updating the vulnerability found in openssl-libs package.
+
+RUN yum  update openssl-libs -y 
+
+
+USER $JF_ARTIFACTORY_USER
+
+VOLUME ${JF_PRODUCT_DATA_INTERNAL}
+
+ENTRYPOINT ["/entrypoint-artifactory.sh"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-analysis

@@ -0,0 +1,43 @@
+ARG XRAY_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/xray-analysis:${XRAY_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Analysis" \
+      description="JFrog Xray Analysis image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Xray Analysis (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+# Environment needed for Xray
+ENV JF_XRAY_USER=xray \
+    XRAY_USER_ID=1000721035 \
+    XRAY_VERSION=${XRAY_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/xray \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/xray \
+    SERVICE_NAME=analysis
+
+
+COPY --from=base /opt/jfrog/xray /opt/jfrog/xray
+COPY --from=base /var/opt/jfrog/xray /var/opt/jfrog/xray
+COPY --from=base /postgresql-client /postgresql-client
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/xray/app/doc/* /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${XRAY_USER_ID} --user-group ${JF_XRAY_USER} && \
+    chown -R ${JF_XRAY_USER}:${JF_XRAY_USER} ${JF_PRODUCT_HOME} ${JF_PRODUCT_DATA_INTERNAL} /postgresql-client && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname
+
+USER xray
+
+VOLUME /var/opt/jfrog/xray
+
+ENTRYPOINT ["/opt/jfrog/xray/app/bin/wrapper.sh"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-indexer

@@ -0,0 +1,43 @@
+ARG XRAY_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/xray-indexer:${XRAY_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Indexer" \
+      description="JFrog Xray Indexer image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Xray Indexer (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+# Environment needed for Xray
+ENV JF_XRAY_USER=xray \
+    XRAY_USER_ID=1000721035 \
+    XRAY_VERSION=${XRAY_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/xray \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/xray \
+    SERVICE_NAME=indexer
+
+COPY --from=base /opt/jfrog/xray /opt/jfrog/xray
+COPY --from=base /var/opt/jfrog/xray /var/opt/jfrog/xray
+COPY --from=base /postgresql-client /postgresql-client
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/xray/app/doc/* /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${XRAY_USER_ID} --user-group ${JF_XRAY_USER} && \
+    chown -R ${JF_XRAY_USER}:${JF_XRAY_USER} ${JF_PRODUCT_HOME} ${JF_PRODUCT_DATA_INTERNAL} /postgresql-client && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname
+
+USER xray
+
+VOLUME /var/opt/jfrog/xray
+
+ENTRYPOINT ["/opt/jfrog/xray/app/bin/wrapper.sh"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-persist

@@ -0,0 +1,43 @@
+ARG XRAY_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/xray-persist:${XRAY_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Persist" \
+      description="JFrog Xray Persist image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Xray Persist (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+# Environment needed for Xray
+ENV JF_XRAY_USER=xray \
+    XRAY_USER_ID=1000721035 \
+    XRAY_VERSION=${XRAY_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/xray \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/xray \
+    SERVICE_NAME=persist
+
+COPY --from=base /opt/jfrog/xray /opt/jfrog/xray
+COPY --from=base /var/opt/jfrog/xray /var/opt/jfrog/xray
+COPY --from=base /postgresql-client /postgresql-client
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/xray/app/doc/* /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${XRAY_USER_ID} --user-group ${JF_XRAY_USER} && \
+    chown -R ${JF_XRAY_USER}:${JF_XRAY_USER} ${JF_PRODUCT_HOME} ${JF_PRODUCT_DATA_INTERNAL} /postgresql-client && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname
+
+USER xray
+
+VOLUME /var/opt/jfrog/xray
+
+ENTRYPOINT ["/opt/jfrog/xray/app/bin/wrapper.sh"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-rabbitmq

@@ -0,0 +1,73 @@
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Rabbit MQ" \
+      description="JFrog Rabbit MQ image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Rabbit MQ (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+
+ARG RABBITMQ_AUTOCLUSTER_VERSION=0.10.0
+ARG RABBITMQ_VERSION=3.8.8
+
+LABEL io.k8s.description="Lightweight open source message broker" \
+    io.k8s.display-name="RabbitMQ" \
+    io.openshift.expose-services="4369:epmd, 5671:amqp, 5672:amqp, 15672:http" \
+    io.openshift.tags="rabbitmq"
+
+ENV GPG_KEY="0A9AF2115F4687BD29803A206B73A36E6026DFCA" \
+    HOME=/var/lib/rabbitmq \
+    RABBITMQ_HOME=/opt/rabbitmq \
+    RABBITMQ_LOGS=- \
+    RABBITMQ_SASL_LOGS=- \
+    LANG=en_US.UTF-8 \
+    LANGUAGE=en_US.:en \
+    LC_ALL=en_US.UTF-8
+
+
+# FIX THE LOCALE ISSUE
+RUN yum install -y --disableplugin=subscription-manager -y openssl curl ca-certificates fontconfig gzip glibc-langpack-en tar xz \
+    && yum  -y --disableplugin=subscription-manager update; yum --disableplugin=subscription-manager clean all
+
+RUN set -xe && \
+    curl -LO https://github.com/rabbitmq/erlang-rpm/releases/download/v23.0/erlang-23.0-1.el8.x86_64.rpm && \
+    rpm -Uvh ./erlang-23.0-1.el8.x86_64.rpm && \
+    rm *.rpm && \
+    curl -Lo rabbitmq-server.tar.xz https://github.com/rabbitmq/rabbitmq-server/releases/download/v${RABBITMQ_VERSION}/rabbitmq-server-generic-unix-${RABBITMQ_VERSION}.tar.xz && \
+    curl -Lo rabbitmq-server.tar.xz.asc https://github.com/rabbitmq/rabbitmq-server/releases/download/v${RABBITMQ_VERSION}/rabbitmq-server-generic-unix-${RABBITMQ_VERSION}.tar.xz.asc && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    env | grep GNUPG && \
+    gpg --keyserver hkp://ha.pool.sks-keyservers.net:80 --recv-keys "$GPG_KEY" && \
+    gpg --batch --verify rabbitmq-server.tar.xz.asc rabbitmq-server.tar.xz && \
+    rm -rf "$GNUPGHOME" && \
+    mkdir -p "$RABBITMQ_HOME" && \
+    tar \
+      --extract \
+      --verbose \
+      --file rabbitmq-server.tar.xz \
+      --directory "$RABBITMQ_HOME" \
+      --strip-components 1 && \
+    rm rabbitmq-server.tar.xz* && \
+    grep -qE '^SYS_PREFIX=\$\{RABBITMQ_HOME\}$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults" && \
+    sed -ri 's!^(SYS_PREFIX=).*$!\1!' "$RABBITMQ_HOME/sbin/rabbitmq-defaults" && \
+    grep -qE '^SYS_PREFIX=$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults" && \
+    groupadd --system rabbitmq && \
+    adduser -u 1000721001 -r -c "RabbitMQ User" -d /var/lib/rabbitmq -g rabbitmq rabbitmq && \
+    mkdir -p /var/lib/rabbitmq /etc/rabbitmq && \
+    chown -R 1000721001:1000721001 /var/lib/rabbitmq /etc/rabbitmq ${RABBITMQ_HOME}/plugins && \
+    chmod -R g=u /var/lib/rabbitmq /etc/rabbitmq && \
+    rm -rf /var/lib/rabbitmq/.erlang.cookie && \
+    ln -sf "$RABBITMQ_HOME/plugins" /plugins && \
+    INSTALL_PKGS="wget procps net-tools hostname" && \
+    yum install -y $INSTALL_PKGS && \
+    rm -rf /var/cache/yum
+
+COPY xray-rabbitmq-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN mkdir -p /licenses && chmod 0777 /licenses && cp -rf /opt/rabbitmq/LICENSE /licenses/LICENSE
+
+USER 1000721001
+ENV PATH=$RABBITMQ_HOME/sbin:$PATH
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+EXPOSE 4369 5672 15672
+CMD ["rabbitmq-server"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-router

@@ -0,0 +1,41 @@
+ARG ROUTER_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/router:${ROUTER_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Router" \
+      description="JFrog Xray Router image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Xray Router (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+# Environment needed for Router
+ENV JF_ROUTER_USER=router \
+    ROUTER_USER_ID=1000721035 \
+    ROUTER_VERSION=${ROUTER_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/router \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/router \
+    SERVICE_NAME=router
+
+COPY --from=base /opt/jfrog/router /opt/jfrog/router
+COPY --from=base /var/opt/jfrog/router /var/opt/jfrog/router
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/router/app/doc/* /licenses/
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${ROUTER_USER_ID} --user-group router && \
+    chown -R ${ROUTER_USER_ID}:${ROUTER_USER_ID} /opt/jfrog/router /var/opt/jfrog && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname
+
+USER router
+
+VOLUME /var/opt/jfrog/router
+
+ENTRYPOINT ["/opt/jfrog/router/app/bin/entrypoint-router.sh"]

Openshift4/RedHatImages/Dockerfile.redhat-ubi-xray-server

@@ -0,0 +1,46 @@
+ARG XRAY_BASE_VERSION
+
+FROM docker.bintray.io/jfrog/xray-server:${XRAY_BASE_VERSION} AS base
+
+# The new image based on registry.access.redhat.com/ubi
+FROM registry.access.redhat.com/ubi8
+
+LABEL name="JFrog Xray Server" \
+      description="JFrog Xray Server image based on the Red Hat Universal Base Image." \
+      vendor="JFrog" \
+      summary="JFrog Xray Server (Red Hat UBI)" \
+      com.jfrog.license_terms="https://jfrog.com/xray/eula/"
+
+# Environment needed for Xray
+ENV JF_XRAY_USER=xray \
+    XRAY_USER_ID=1000721035 \
+    XRAY_VERSION=${XRAY_BASE_VERSION} \
+    JF_PRODUCT_HOME=/opt/jfrog/xray \
+    JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/xray \
+    SERVICE_NAME=server
+
+COPY --from=base /opt/jfrog/xray /opt/jfrog/xray
+COPY --from=base /var/opt/jfrog/xray /var/opt/jfrog/xray
+COPY --from=base /postgresql-client /postgresql-client
+
+# Add license information to meet the Red Hat container image certification requirements
+COPY --from=base /opt/jfrog/xray/app/doc/* /licenses/
+
+# Add call home
+COPY xray.default /opt/jfrog/xray/app/bin
+
+RUN mkdir -p /var/opt/jfrog && chmod 0777 /var/opt/jfrog
+
+
+RUN useradd -M -s /usr/sbin/nologin --uid ${XRAY_USER_ID} --user-group ${JF_XRAY_USER} && \
+    chown -R ${JF_XRAY_USER}:${JF_XRAY_USER} ${JF_PRODUCT_HOME} ${JF_PRODUCT_DATA_INTERNAL} /postgresql-client && \
+    yum install -y --disableplugin=subscription-manager wget && \
+    yum install -y --disableplugin=subscription-manager procps && \
+    yum install -y --disableplugin=subscription-manager net-tools && \
+    yum install -y --disableplugin=subscription-manager hostname
+
+USER xray
+
+VOLUME /var/opt/jfrog/xray
+
+ENTRYPOINT ["/opt/jfrog/xray/app/bin/wrapper.sh"]

Openshift4/RedHatImages/vault-docker-entrypoint.sh

@@ -0,0 +1,104 @@
+#!/bin/sh
+set -e
+
+# Note above that we run dumb-init as PID 1 in order to reap zombie processes
+# as well as forward signals to all processes in its session. Normally, sh
+# wouldn't do either of these functions so we'd leak zombies as well as do
+# unclean termination of all our sub-processes.
+
+# Prevent core dumps
+ulimit -c 0
+
+# Allow setting VAULT_REDIRECT_ADDR and VAULT_CLUSTER_ADDR using an interface
+# name instead of an IP address. The interface name is specified using
+# VAULT_REDIRECT_INTERFACE and VAULT_CLUSTER_INTERFACE environment variables. If
+# VAULT_*_ADDR is also set, the resulting URI will combine the protocol and port
+# number with the IP of the named interface.
+get_addr () {
+    local if_name=$1
+    local uri_template=$2
+    ip addr show dev $if_name | awk -v uri=$uri_template '/\s*inet\s/ { \
+      ip=gensub(/(.+)\/.+/, "\\1", "g", $2); \
+      print gensub(/^(.+:\/\/).+(:.+)$/, "\\1" ip "\\2", "g", uri); \
+      exit}'
+}
+
+if [ -n "$VAULT_REDIRECT_INTERFACE" ]; then
+    export VAULT_REDIRECT_ADDR=$(get_addr $VAULT_REDIRECT_INTERFACE ${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"})
+    echo "Using $VAULT_REDIRECT_INTERFACE for VAULT_REDIRECT_ADDR: $VAULT_REDIRECT_ADDR"
+fi
+if [ -n "$VAULT_CLUSTER_INTERFACE" ]; then
+    export VAULT_CLUSTER_ADDR=$(get_addr $VAULT_CLUSTER_INTERFACE ${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"})
+    echo "Using $VAULT_CLUSTER_INTERFACE for VAULT_CLUSTER_ADDR: $VAULT_CLUSTER_ADDR"
+fi
+
+# VAULT_CONFIG_DIR isn't exposed as a volume but you can compose additional
+# config files in there if you use this image as a base, or use
+# VAULT_LOCAL_CONFIG below.
+VAULT_CONFIG_DIR=/vault/config
+
+# You can also set the VAULT_LOCAL_CONFIG environment variable to pass some
+# Vault configuration JSON without having to bind any volumes.
+if [ -n "$VAULT_LOCAL_CONFIG" ]; then
+    echo "$VAULT_LOCAL_CONFIG" > "$VAULT_CONFIG_DIR/local.json"
+fi
+
+# If the user is trying to run Vault directly with some arguments, then
+# pass them to Vault.
+if [ "${1:0:1}" = '-' ]; then
+    set -- vault "$@"
+fi
+
+# Look for Vault subcommands.
+if [ "$1" = 'server' ]; then
+    shift
+    set -- vault server \
+        -config="$VAULT_CONFIG_DIR" \
+        -dev-root-token-id="$VAULT_DEV_ROOT_TOKEN_ID" \
+        -dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}" \
+        "$@"
+elif [ "$1" = 'version' ]; then
+    # This needs a special case because there's no help output.
+    set -- vault "$@"
+elif vault --help "$1" 2>&1 | grep -q "vault $1"; then
+    # We can't use the return code to check for the existence of a subcommand, so
+    # we have to use grep to look for a pattern in the help output.
+    set -- vault "$@"
+fi
+
+# If we are running Vault, make sure it executes as the proper user.
+if [ "$1" = 'vault' ]; then
+    if [ -z "$SKIP_CHOWN" ]; then
+        # If the config dir is bind mounted then chown it
+        if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then
+            chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)"
+        fi
+
+        # If the logs dir is bind mounted then chown it
+        if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then
+            chown -R vault:vault /vault/logs
+        fi
+
+        # If the file dir is bind mounted then chown it
+        if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then
+            chown -R vault:vault /vault/file
+        fi
+    fi
+
+    if [ -z "$SKIP_SETCAP" ]; then
+        # Allow mlock to avoid swapping Vault memory to disk
+        #sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
+
+        # In the case vault has been started in a container without IPC_LOCK privileges
+        if ! vault -version 1>/dev/null 2>/dev/null; then
+            >&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK"
+            #sudo setcap cap_ipc_lock=-ep $(readlink -f $(which vault))
+        fi
+    fi
+
+    if [ "$(id -u)" = '0' ]; then
+      set -- exec vault "$@"
+    fi
+fi
+
+exec "$@"

Openshift4/RedHatImages/xray-rabbitmq-docker-entrypoint.sh

@@ -0,0 +1,407 @@
+#!/bin/bash
+set -eu
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+# backwards compatibility for old environment variables
+: "${RABBITMQ_SSL_CERTFILE:=${RABBITMQ_SSL_CERT_FILE:-}}"
+: "${RABBITMQ_SSL_KEYFILE:=${RABBITMQ_SSL_KEY_FILE:-}}"
+: "${RABBITMQ_SSL_CACERTFILE:=${RABBITMQ_SSL_CA_FILE:-}}"
+
+# "management" SSL config should default to using the same certs
+: "${RABBITMQ_MANAGEMENT_SSL_CACERTFILE:=$RABBITMQ_SSL_CACERTFILE}"
+: "${RABBITMQ_MANAGEMENT_SSL_CERTFILE:=$RABBITMQ_SSL_CERTFILE}"
+: "${RABBITMQ_MANAGEMENT_SSL_KEYFILE:=$RABBITMQ_SSL_KEYFILE}"
+
+# Allowed env vars that will be read from mounted files (i.e. Docker Secrets):
+fileEnvKeys=(
+	default_user
+	default_pass
+)
+
+# https://www.rabbitmq.com/configure.html
+sslConfigKeys=(
+	cacertfile
+	certfile
+	depth
+	fail_if_no_peer_cert
+	keyfile
+	verify
+)
+managementConfigKeys=(
+	"${sslConfigKeys[@]/#/ssl_}"
+)
+rabbitConfigKeys=(
+	default_pass
+	default_user
+	default_vhost
+	vm_memory_high_watermark
+)
+fileConfigKeys=(
+	management_ssl_cacertfile
+	management_ssl_certfile
+	management_ssl_keyfile
+	ssl_cacertfile
+	ssl_certfile
+	ssl_keyfile
+)
+allConfigKeys=(
+	"${managementConfigKeys[@]/#/management_}"
+	"${rabbitConfigKeys[@]}"
+	"${sslConfigKeys[@]/#/ssl_}"
+)
+
+declare -A configDefaults=(
+	[management_ssl_fail_if_no_peer_cert]='false'
+	[management_ssl_verify]='verify_none'
+
+	[ssl_fail_if_no_peer_cert]='true'
+	[ssl_verify]='verify_peer'
+)
+
+# allow the container to be started with `--user`
+if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then
+	# this needs to happen late enough that we have the SSL config
+	# https://github.com/docker-library/rabbitmq/issues/283
+	for conf in "${allConfigKeys[@]}"; do
+		var="RABBITMQ_${conf^^}"
+		val="${!var:-}"
+		[ -n "$val" ] || continue
+		case "$conf" in
+			*_ssl_*file | ssl_*file )
+				if [ -f "$val" ] && ! gosu rabbitmq test -r "$val"; then
+					newFile="/tmp/rabbitmq-ssl/$conf.pem"
+					echo >&2
+					echo >&2 "WARNING: '$val' ($var) is not readable by rabbitmq ($(id rabbitmq)); copying to '$newFile'"
+					echo >&2
+					cat "$val" > "$newFile"
+					chown rabbitmq "$newFile"
+					chmod 0400 "$newFile"
+					eval 'export '$var'="$newFile"'
+				fi
+				;;
+		esac
+	done
+
+	if [ "$1" = 'rabbitmq-server' ]; then
+		find /var/lib/rabbitmq \! -user rabbitmq -exec chown rabbitmq '{}' +
+	fi
+
+	exec gosu rabbitmq "$BASH_SOURCE" "$@"
+fi
+
+haveConfig=
+haveSslConfig=
+haveManagementSslConfig=
+for fileEnvKey in "${fileEnvKeys[@]}"; do file_env "RABBITMQ_${fileEnvKey^^}"; done
+for conf in "${allConfigKeys[@]}"; do
+	var="RABBITMQ_${conf^^}"
+	val="${!var:-}"
+	if [ "$val" ]; then
+		if [ "${configDefaults[$conf]:-}" ] && [ "${configDefaults[$conf]}" = "$val" ]; then
+			# if the value set is the same as the default, treat it as if it isn't set
+			continue
+		fi
+		haveConfig=1
+		case "$conf" in
+			ssl_*) haveSslConfig=1 ;;
+			management_ssl_*) haveManagementSslConfig=1 ;;
+		esac
+	fi
+done
+if [ "$haveSslConfig" ]; then
+	missing=()
+	for sslConf in cacertfile certfile keyfile; do
+		var="RABBITMQ_SSL_${sslConf^^}"
+		val="${!var}"
+		if [ -z "$val" ]; then
+			missing+=( "$var" )
+		fi
+	done
+	if [ "${#missing[@]}" -gt 0 ]; then
+		{
+			echo
+			echo 'error: SSL requested, but missing required configuration'
+			for miss in "${missing[@]}"; do
+				echo "  - $miss"
+			done
+			echo
+		} >&2
+		exit 1
+	fi
+fi
+missingFiles=()
+for conf in "${fileConfigKeys[@]}"; do
+	var="RABBITMQ_${conf^^}"
+	val="${!var}"
+	if [ "$val" ] && [ ! -f "$val" ]; then
+		missingFiles+=( "$val ($var)" )
+	fi
+done
+if [ "${#missingFiles[@]}" -gt 0 ]; then
+	{
+		echo
+		echo 'error: files specified, but missing'
+		for miss in "${missingFiles[@]}"; do
+			echo "  - $miss"
+		done
+		echo
+	} >&2
+	exit 1
+fi
+
+# set defaults for missing values (but only after we're done with all our checking so we don't throw any of that off)
+for conf in "${!configDefaults[@]}"; do
+	default="${configDefaults[$conf]}"
+	var="RABBITMQ_${conf^^}"
+	[ -z "${!var:-}" ] || continue
+	eval "export $var=\"\$default\""
+done
+
+# if long and short hostnames are not the same, use long hostnames
+if [ "$(hostname)" != "$(hostname -s)" ]; then
+	: "${RABBITMQ_USE_LONGNAME:=true}"
+fi
+
+if [ "${RABBITMQ_ERLANG_COOKIE:-}" ]; then
+	cookieFile='/var/lib/rabbitmq/.erlang.cookie'
+	if [ -e "$cookieFile" ]; then
+		if [ "$(cat "$cookieFile" 2>/dev/null)" != "$RABBITMQ_ERLANG_COOKIE" ]; then
+			echo >&2
+			echo >&2 "warning: $cookieFile contents do not match RABBITMQ_ERLANG_COOKIE"
+			echo >&2
+		fi
+	else
+		echo "$RABBITMQ_ERLANG_COOKIE" > "$cookieFile"
+	fi
+	chmod 600 "$cookieFile"
+fi
+
+configBase="${RABBITMQ_CONFIG_FILE:-/etc/rabbitmq/rabbitmq}"
+oldConfigFile="$configBase.config"
+newConfigFile="$configBase.conf"
+
+shouldWriteConfig="$haveConfig"
+if [ -n "$shouldWriteConfig" ] && [ -f "$oldConfigFile" ]; then
+	{
+		echo "error: Docker configuration environment variables specified, but old-style (Erlang syntax) configuration file '$oldConfigFile' exists"
+		echo "  Suggested fixes: (choose one)"
+		echo "   - remove '$oldConfigFile'"
+		echo "   - remove any Docker-specific 'RABBITMQ_...' environment variables"
+		echo "   - convert '$oldConfigFile' to the newer sysctl format ('$newConfigFile'); see https://www.rabbitmq.com/configure.html#config-file"
+	} >&2
+	exit 1
+fi
+if [ -z "$shouldWriteConfig" ] && [ ! -f "$oldConfigFile" ] && [ ! -f "$newConfigFile" ]; then
+	# no config files, we should write one
+	shouldWriteConfig=1
+fi
+
+# http://stackoverflow.com/a/2705678/433558
+sed_escape_lhs() {
+	echo "$@" | sed -e 's/[]\/$*.^|[]/\\&/g'
+}
+sed_escape_rhs() {
+	echo "$@" | sed -e 's/[\/&]/\\&/g'
+}
+rabbit_set_config() {
+	local key="$1"; shift
+	local val="$1"; shift
+
+	[ -e "$newConfigFile" ] || touch "$newConfigFile"
+
+	local sedKey="$(sed_escape_lhs "$key")"
+	local sedVal="$(sed_escape_rhs "$val")"
+	sed -ri \
+		"s/^[[:space:]]*(${sedKey}[[:space:]]*=[[:space:]]*)\S.*\$/\1${sedVal}/" \
+		"$newConfigFile"
+	if ! grep -qE "^${sedKey}[[:space:]]*=" "$newConfigFile"; then
+		echo "$key = $val" >> "$newConfigFile"
+	fi
+}
+rabbit_comment_config() {
+	local key="$1"; shift
+
+	[ -e "$newConfigFile" ] || touch "$newConfigFile"
+
+	local sedKey="$(sed_escape_lhs "$key")"
+	sed -ri \
+		"s/^[[:space:]]*#?[[:space:]]*(${sedKey}[[:space:]]*=[[:space:]]*\S.*)\$/# \1/" \
+		"$newConfigFile"
+}
+rabbit_env_config() {
+	local prefix="$1"; shift
+
+	local conf
+	for conf; do
+		local var="rabbitmq${prefix:+_$prefix}_$conf"
+		var="${var^^}"
+
+		local key="$conf"
+		case "$prefix" in
+			ssl) key="ssl_options.$key" ;;
+			management_ssl) key="management.ssl.$key" ;;
+		esac
+
+		local val="${!var:-}"
+		local rawVal="$val"
+		case "$conf" in
+			fail_if_no_peer_cert)
+				case "${val,,}" in
+					false|no|0|'') rawVal='false' ;;
+					true|yes|1|*) rawVal='true' ;;
+				esac
+				;;
+
+			vm_memory_high_watermark) continue ;; # handled separately
+		esac
+
+		if [ -n "$rawVal" ]; then
+			rabbit_set_config "$key" "$rawVal"
+		else
+			rabbit_comment_config "$key"
+		fi
+	done
+}
+
+if [ "$1" = 'rabbitmq-server' ] && [ "$shouldWriteConfig" ]; then
+	rabbit_set_config 'loopback_users.guest' 'false'
+
+	# determine whether to set "vm_memory_high_watermark" (based on cgroups)
+	memTotalKb=
+	if [ -r /proc/meminfo ]; then
+		memTotalKb="$(awk -F ':? +' '$1 == "MemTotal" { print $2; exit }' /proc/meminfo)"
+	fi
+	memLimitB=
+	if [ -r /sys/fs/cgroup/memory/memory.limit_in_bytes ]; then
+		# "18446744073709551615" is a valid value for "memory.limit_in_bytes", which is too big for Bash math to handle
+		# "$(( 18446744073709551615 / 1024 ))" = 0; "$(( 18446744073709551615 * 40 / 100 ))" = 0
+		memLimitB="$(awk -v totKb="$memTotalKb" '{
+			limB = $0;
+			limKb = limB / 1024;
+			if (!totKb || limKb < totKb) {
+				printf "%.0f\n", limB;
+			}
+		}' /sys/fs/cgroup/memory/memory.limit_in_bytes)"
+	fi
+	if [ -n "$memLimitB" ]; then
+		# if we have a cgroup memory limit, let's inform RabbitMQ of what it is (so it can calculate vm_memory_high_watermark properly)
+		# https://github.com/rabbitmq/rabbitmq-server/pull/1234
+		rabbit_set_config 'total_memory_available_override_value' "$memLimitB"
+	fi
+	# https://www.rabbitmq.com/memory.html#memsup-usage
+	if [ "${RABBITMQ_VM_MEMORY_HIGH_WATERMARK:-}" ]; then
+		# https://github.com/docker-library/rabbitmq/pull/105#issuecomment-242165822
+		vmMemoryHighWatermark="$(
+			echo "$RABBITMQ_VM_MEMORY_HIGH_WATERMARK" | awk '
+				/^[0-9]*[.][0-9]+$|^[0-9]+([.][0-9]+)?%$/ {
+					perc = $0;
+					if (perc ~ /%$/) {
+						gsub(/%$/, "", perc);
+						perc = perc / 100;
+					}
+					if (perc > 1.0 || perc < 0.0) {
+						printf "error: invalid percentage for vm_memory_high_watermark: %s (must be >= 0%%, <= 100%%)\n", $0 > "/dev/stderr";
+						exit 1;
+					}
+					printf "vm_memory_high_watermark.relative %0.03f\n", perc;
+					next;
+				}
+				/^[0-9]+$/ {
+					printf "vm_memory_high_watermark.absolute %s\n", $0;
+					next;
+				}
+				/^[0-9]+([.][0-9]+)?[a-zA-Z]+$/ {
+					printf "vm_memory_high_watermark.absolute %s\n", $0;
+					next;
+				}
+				{
+					printf "error: unexpected input for vm_memory_high_watermark: %s\n", $0;
+					exit 1;
+				}
+			'
+		)"
+		if [ "$vmMemoryHighWatermark" ]; then
+			vmMemoryHighWatermarkKey="${vmMemoryHighWatermark%% *}"
+			vmMemoryHighWatermarkVal="${vmMemoryHighWatermark#$vmMemoryHighWatermarkKey }"
+			rabbit_set_config "$vmMemoryHighWatermarkKey" "$vmMemoryHighWatermarkVal"
+			case "$vmMemoryHighWatermarkKey" in
+				# make sure we only set one or the other
+				'vm_memory_high_watermark.absolute') rabbit_comment_config 'vm_memory_high_watermark.relative' ;;
+				'vm_memory_high_watermark.relative') rabbit_comment_config 'vm_memory_high_watermark.absolute' ;;
+			esac
+		fi
+	fi
+
+	if [ "$haveSslConfig" ]; then
+		rabbit_set_config 'listeners.ssl.default' 5671
+		rabbit_env_config 'ssl' "${sslConfigKeys[@]}"
+	else
+		rabbit_set_config 'listeners.tcp.default' 5672
+	fi
+
+	rabbit_env_config '' "${rabbitConfigKeys[@]}"
+
+	# if management plugin is installed, generate config for it
+	# https://www.rabbitmq.com/management.html#configuration
+	if [ "$(rabbitmq-plugins list -q -m -e rabbitmq_management)" ]; then
+		if [ "$haveManagementSslConfig" ]; then
+			rabbit_set_config 'management.ssl.port' 15671
+			rabbit_env_config 'management_ssl' "${sslConfigKeys[@]}"
+		else
+			rabbit_set_config 'management.tcp.port' 15672
+		fi
+
+		# if definitions file exists, then load it
+		# https://www.rabbitmq.com/management.html#load-definitions
+		managementDefinitionsFile='/etc/rabbitmq/definitions.json'
+		if [ -f "$managementDefinitionsFile" ]; then
+			# see also https://github.com/docker-library/rabbitmq/pull/112#issuecomment-271485550
+			rabbit_set_config 'management.load_definitions' "$managementDefinitionsFile"
+		fi
+	fi
+fi
+
+rabbitmq-plugins enable rabbitmq_management
+
+combinedSsl='/tmp/rabbitmq-ssl/combined.pem'
+if [ "$haveSslConfig" ] && [[ "$1" == rabbitmq* ]] && [ ! -f "$combinedSsl" ]; then
+	# Create combined cert
+	{
+		cat "$RABBITMQ_SSL_CERTFILE"
+		echo # https://github.com/docker-library/rabbitmq/issues/357#issuecomment-517755647
+		cat "$RABBITMQ_SSL_KEYFILE"
+	} > "$combinedSsl"
+	chmod 0400 "$combinedSsl"
+fi
+if [ "$haveSslConfig" ] && [ -f "$combinedSsl" ]; then
+	# More ENV vars for make clustering happiness
+	# we don't handle clustering in this script, but these args should ensure
+	# clustered SSL-enabled members will talk nicely
+	export ERL_SSL_PATH="$(erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell)"
+	sslErlArgs="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_opt server_certfile $combinedSsl -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true"
+	export RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="${RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS:-} $sslErlArgs"
+	export RABBITMQ_CTL_ERL_ARGS="${RABBITMQ_CTL_ERL_ARGS:-} $sslErlArgs"
+fi
+
+exec "$@"