Upgrade GeoServer to 2.27.2 to fix vulnerabilities

CHANGES.md

@@ -15,7 +15,31 @@
 [Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest)
 ------------------------------------------------------------------------------------------------------------------
 
-[//]: # (list changes here, using '-' for each new entry, remove this when items are added)
+## Changes
+
+- GeoServer: upgrade to 2.27.2 to fix vulnerabilities
+
+  See:
+  * https://github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2
+  * https://github.com/geoserver/geoserver/security/advisories/GHSA-jm79-7xhw-6f6f
+  * https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
+
+  As for the docker image changes, unfortunately there was no github tag for our
+  existing `2.25.2--v2024.06.25` so this is the best approximate diff we can have
+  https://github.com/kartoza/docker-geoserver/compare/v2.25.4--2024.11.17--e7732f7...v2.27.2--2025.08.05--f411524
+
+  `fix-geoserver-data-dir-perm` is not required anymore, it has been disabled
+  but kept for backward compatibility if we ever need to rollback to older
+  versions of GeoServer.  If you need to rollback to any versions before 2.25.2
+  you might need to run `fix-geoserver-data-dir-perm` manually, only if it is
+  required.  Do not run it if not required. It takes lots of time if you have
+  lots of data.
+
+  Please **backup** your GeoServer data before the upgrade.  If the upgrade
+  fails, you won't be able to rollback.  If you have upgrade problem, please
+  look at
+  [kartoza/docker-geoserver#760](https://github.com/kartoza/docker-geoserver/issues/760).
+
 
 [2.18.7](https://github.com/bird-house/birdhouse-deploy/tree/2.18.7) (2025-10-17)
 ------------------------------------------------------------------------------------------------------------------

birdhouse/components/geoserver/default.env

@@ -9,23 +9,26 @@
 # See https://github.com/kartoza/docker-geoserver/issues/232#issuecomment-808754831
 # The version is used for representation in CanarieAPI, while the full tag is used to reference the image.
 export GEOSERVER_DOCKER="pavics/geoserver"
-export GEOSERVER_VERSION="2.25.2"
-export GEOSERVER_TAGGED="2.25.2--v2024.06.25-kartoza"
+export GEOSERVER_VERSION="2.27.2"
+export GEOSERVER_TAGGED="2.27.2--v2025.08.05-kartoza"
 export GEOSERVER_IMAGE='${GEOSERVER_DOCKER}:${GEOSERVER_TAGGED}'
 export GEOSERVER_IMAGE_URI='registry.hub.docker.com/${GEOSERVER_IMAGE}'
 
 export GEOSERVER_ADMIN_USER="admin"
 
 # # Install the stable plugin specified in
-# https://github.com/kartoza/docker-geoserver/blob/master/build_data/stable_plugins.txt
+# https://github.com/kartoza/docker-geoserver/blob/develop/build_data/stable_plugins.txt
 export GEOSERVER_STABLE_EXTENSIONS="grib-plugin,\
+ogcapi-features-plugin,\
 netcdf-plugin,\
 netcdf-out-plugin,\
 csw-iso-plugin,\
 metadata-plugin"
 
 # Install the community edition plugins specified in
-# https://github.com/kartoza/docker-geoserver/blob/master/build_data/community_plugins.txt
+# https://github.com/kartoza/docker-geoserver/blob/develop/build_data/community_plugins.txt
+# ogcapi-features-plugin moved to stable_plugins in 2.27.0 but kept here for
+# back-compat with older version of GeoServer image.
 export GEOSERVER_COMMUNITY_EXTENSIONS="geopkg-plugin,\
 ogcapi-coverages-plugin,\
 ogcapi-dggs-plugin,\

birdhouse/components/geoserver/docker-compose-extra.yml

@@ -24,6 +24,7 @@ services:
     volumes:
       # run deployment/fix-geoserver-data-dir-perm on existing
       # GEOSERVER_DATA_DIR to match user geoserveruser inside docker image
+      # only needed for versions before pavics/geoserver:2.25.2--v2024.06.25-kartoza
       - ${GEOSERVER_DATA_DIR}:/opt/geoserver/data_dir
     links:
       - postgis

birdhouse/components/raven/default.env

@@ -1,10 +1,14 @@
 # The Geoserver that Raven will connect to.
 # Same default value as
-# https://github.com/CSHS-CWRA/RavenPy/blob/2e56041b605e83ab28ffdc5d817e645481dcc5fc/ravenpy/utilities/geoserver.py#L51
+# https://github.com/CSHS-CWRA/RavenPy/blob/1dc534cd3b7faed2ff18a90a915d448b2fca6bf7/src/ravenpy/utilities/geoserver.py#L50-L52
+# https://github.com/Ouranosinc/raven/blob/dc5a3750c551c3d2aa5b5a8c9d61190ed4f4c3ba/src/raven/utilities/geoserver.py#L43-L45
 # This is the production Geoserver that is always available with appropriate data.
 # For site that want to run your own Geoserver with your own data, please
 # override this variable with your own Geoserver instance.
 # Ex: RAVEN_GEO_URL="${BIRDHOUSE_PROXY_SCHEME}://${BIRDHOUSE_FQDN}/geoserver/"
+# The mapping to GEO_URL, RAVEN_GEOSERVER_URL, RAVENPY_GEOSERVER_URL
+# are done in components/raven/docker-compose-extra.yml.
+# RAVEN_GEO_URL will be our "stable" interface in birdhouse-deploy.
 __DEFAULT__RAVEN_GEO_URL="https://pavics.ouranos.ca/geoserver/"
 export RAVEN_GEO_URL='${__DEFAULT__RAVEN_GEO_URL}'
 

birdhouse/components/raven/docker-compose-extra.yml

@@ -12,7 +12,11 @@ services:
     container_name: raven
     environment:
       PYWPS_CFG: /wps.cfg
+      # Keep for backward-compat with older RavenWPS.
       GEO_URL: "${RAVEN_GEO_URL}"
+      # Forward-compat with newer RavenWPS not yet in this stack.
+      RAVEN_GEOSERVER_URL: "${RAVEN_GEO_URL}"
+      RAVENPY_GEOSERVER_URL: "${RAVEN_GEO_URL}"
     volumes:
       - ./components/raven/wps.cfg:/wps.cfg
       - /tmp

birdhouse/deployment/fix-geoserver-data-dir-perm

@@ -3,6 +3,12 @@
 #
 # Geoserver container runs with hardcoded uid 1000 and gid 10001.
 #
+# NOT needed since version `pavics/geoserver:2.25.2--v2024.06.25-kartoza`.
+# It will auto chown if wrong ownership detected.
+#
+# Keep here only for backward compatibility if we ever need to revert to older
+# image of GeoServer (older than 2.25.2--v2024.06.25-kartoza) from kartoza.
+#
 # Set env var FIRST_RUN_ONLY to only execute this script once, before first
 # startup of Geoserver.  If Geoserver has already run at least once, file
 # global.xml will exist and this script will not execute.  Without

birdhouse/scripts/sync-data

@@ -58,10 +58,9 @@ for item in ${GEOSERVER_DATA_DIR}/ ${JUPYTERHUB_USER_DATA_DIR}/ ${MAGPIE_PERSIST
 done
 
 if [ ! x"$FORCE_MODE" = xforce ]; then
-    log INFO "Dry-run mode, not executing '${COMPOSE_DIR}/deployment/fix-geoserver-data-dir-perm' and other permission fixup"
+    log INFO "Dry-run mode, not executing various permission fixup"
 else
-    log INFO "Executing '${COMPOSE_DIR}/deployment/fix-geoserver-data-dir-perm' and other permission fixup"
-    "${COMPOSE_DIR}/deployment/fix-geoserver-data-dir-perm"
+    log INFO "Executing various permission fixup"
 
     docker run --rm --name fix-jupyter-data-dir-perm \
         --volume "${JUPYTERHUB_USER_DATA_DIR}":/datadir \