
Commit ceaa1cd

Authored Apr 9, 2025
Fix: zookeeper reduce image size (#1043)

* remove log4shell scan
* reduce image size
* adapted changelog
* consolidation
* linter
* remove duplicate
1 parent 6bc9b97 commit ceaa1cd

File tree

2 files changed

+68
-62
lines changed


Diff for: CHANGELOG.md (+5 -1)
@@ -27,6 +27,8 @@ All notable changes to this project will be documented in this file.
2727
`check-permissions-ownership.sh` provided in stackable-base image ([#1053]).
2828
- trino: check for correct permissions and ownerships in /stackable folder via
2929
`check-permissions-ownership.sh` provided in stackable-base image ([#1025]).
30+
- zookeeper: check for correct permissions and ownerships in /stackable folder via
31+
`check-permissions-ownership.sh` provided in stackable-base image ([#1043]).
3032

3133
### Changed
3234

@@ -40,11 +42,12 @@ All notable changes to this project will be documented in this file.
4042
- hbase: reduce docker image size by removing the recursive chown/chmods in the final image ([#1028]).
4143
- hive: reduce docker image size by removing the recursive chown/chmods in the final image ([#1040]).
4244
- kafka: reduce docker image size by removing the recursive chown/chmods in the final image ([#1041]).
45+
- Add `--locked` flag to `cargo install` commands for reproducible builds ([#1044]).
4346
- nifi: reduce docker image size by removing the recursive chown/chmods in the final image ([#1027]).
4447
- opa: reduce docker image size by removing the recursive chown/chmods in the final image ([#1038]).
4548
- spark-k8s: reduce docker image size by removing the recursive chown/chmods in the final image ([#1042]).
4649
- trino: reduce docker image size by removing the recursive chown/chmods in the final image ([#1025]).
47-
- Add `--locked` flag to `cargo install` commands for reproducible builds ([#1044]).
50+
- zookeeper: reduce docker image size by removing the recursive chown/chmods in the final image ([#1043]).
4851

4952
[#1025]: https://github.com/stackabletech/docker-images/pull/1025
5053
[#1027]: https://github.com/stackabletech/docker-images/pull/1027
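Review bot: moving the `Add `--locked` flag to `cargo install` commands for reproducible builds ([#1044])` entry from the end of the list (old line 47) to new line 45 places it between the `kafka:` and `nifi:` entries and interrupts the otherwise alphabetical, product-prefixed ordering of this section. Since the entry has no product prefix, keep it at the end of the list or put it first, so the per-product `reduce docker image size` lines stay contiguous.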
@@ -56,6 +59,7 @@ All notable changes to this project will be documented in this file.
5659
[#1040]: https://github.com/stackabletech/docker-images/pull/1040
5760
[#1041]: https://github.com/stackabletech/docker-images/pull/1041
5861
[#1042]: https://github.com/stackabletech/docker-images/pull/1042
62+
[#1043]: https://github.com/stackabletech/docker-images/pull/1043
5963
[#1044]: https://github.com/stackabletech/docker-images/pull/1044
6064
[#1050]: https://github.com/stackabletech/docker-images/pull/1050
6165
[#1053]: https://github.com/stackabletech/docker-images/pull/1053

Diff for: zookeeper/Dockerfile (+63 -61)
@@ -17,44 +17,35 @@ USER ${STACKABLE_USER_UID}
1717
WORKDIR /stackable
1818

1919
# Download ZooKeeper sources from our own repo
20-
RUN curl "https://repo.stackable.tech/repository/packages/zookeeper/apache-zookeeper-${PRODUCT}.tar.gz" | tar -xzC . && \
21-
# Apply any required patches
22-
patches/apply_patches.sh ${PRODUCT} && \
23-
cd /stackable/apache-zookeeper-${PRODUCT}/ && \
24-
# Exclude the `zookeeper-client` submodule, this is not needed and has c parts
25-
# that created all kinds of issues for the build container
26-
mvn --batch-mode --no-transfer-progress -pl "!zookeeper-client/zookeeper-client-c" clean install checkstyle:check spotbugs:check -DskipTests -Pfull-build && \
27-
mv zookeeper-assembly/target/apache-zookeeper-${PRODUCT}-bin.tar.gz /stackable && \
28-
cd /stackable && \
29-
# Unpack the archive which contains the build artifacts from above. Remove some
30-
# unused files to shrink the final image size.
31-
tar xvzf /stackable/apache-zookeeper-${PRODUCT}-bin.tar.gz && \
32-
mv /stackable/apache-zookeeper-${PRODUCT}/zookeeper-assembly/target/bom.json /stackable/apache-zookeeper-${PRODUCT}-bin/apache-zookeeper-${PRODUCT}.cdx.json && \
33-
rm -rf /stackable/apache-zookeeper-${PRODUCT}-bin/docs && \
34-
rm /stackable/apache-zookeeper-${PRODUCT}-bin/README_packaging.md && \
35-
# Download the JMX exporter jar from our own repo
36-
curl "https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" \
37-
-o "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" && \
38-
chmod +x "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" && \
39-
ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" /stackable/jmx/jmx_prometheus_javaagent.jar
40-
41-
# ===
42-
# For earlier versions this script removes the .class file that contains the
43-
# vulnerable code.
44-
# TODO: This can be restricted to target only versions which do not honor the environment
45-
# varible that has been set above but this has not currently been implemented
46-
COPY shared/log4shell.sh /bin
47-
RUN /bin/log4shell.sh /stackable/apache-zookeeper-${PRODUCT}-bin
48-
49-
# Ensure no vulnerable files are left over
50-
# This will currently report vulnerable files being present, as it also alerts
51-
# on SocketNode.class, which we do not remove with our scripts. Further
52-
# investigation will be needed whether this should also be removed.
53-
COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
54-
COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
55-
COPY shared/log4shell_scanner /bin/log4shell_scanner
56-
RUN /bin/log4shell_scanner s /stackable/apache-zookeeper-${PRODUCT}-bin
57-
# ===
20+
RUN <<EOF
21+
curl --fail "https://repo.stackable.tech/repository/packages/zookeeper/apache-zookeeper-${PRODUCT}.tar.gz" | tar -xzC .
22+
23+
# Apply any required patches
24+
patches/apply_patches.sh ${PRODUCT}
25+
cd /stackable/apache-zookeeper-${PRODUCT}/
26+
27+
# Exclude the `zookeeper-client` submodule, this is not needed and has c parts
28+
# that created all kinds of issues for the build container
29+
mvn --batch-mode --no-transfer-progress -pl "!zookeeper-client/zookeeper-client-c" clean install checkstyle:check spotbugs:check -DskipTests -Pfull-build
30+
mv zookeeper-assembly/target/apache-zookeeper-${PRODUCT}-bin.tar.gz /stackable
31+
32+
cd /stackable
33+
# Unpack the archive which contains the build artifacts from above. Remove some
34+
# unused files to shrink the final image size.
35+
tar xvzf /stackable/apache-zookeeper-${PRODUCT}-bin.tar.gz
36+
mv /stackable/apache-zookeeper-${PRODUCT}/zookeeper-assembly/target/bom.json /stackable/apache-zookeeper-${PRODUCT}-bin/apache-zookeeper-${PRODUCT}.cdx.json
37+
rm -rf /stackable/apache-zookeeper-${PRODUCT}-bin/docs
38+
rm /stackable/apache-zookeeper-${PRODUCT}-bin/README_packaging.md
39+
40+
# Download the JMX exporter jar from our own repo
41+
curl "https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" \
42+
-o "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar"
43+
chmod +x "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar"
44+
ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" /stackable/jmx/jmx_prometheus_javaagent.jar
45+
46+
# set correct groups
47+
chmod -R g=u /stackable
48+
EOF
5849

5950
# END ZOOKEEPER BUILDER
6051
# ==============================================================================
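Review bot: the new `RUN <<EOF` heredoc (new lines 20-48) drops the fail-fast behaviour of the `&&` chain it replaces: without `set -euo pipefail` (or a `#!/usr/bin/env bash -e` style shebang) at the top of the heredoc, a non-zero exit from `patches/apply_patches.sh`, `mvn` or `tar` does not stop the build, and only the final `chmod -R g=u /stackable` decides the step's exit status. Add `set -euo pipefail` as the first line of the heredoc. Related: `--fail` was added to the ZooKeeper download on new line 21 but not to the JMX exporter download on new line 41, so an HTTP error there would still be written to `jmx_prometheus_javaagent-${JMX_EXPORTER}.jar` and then `chmod +x`-ed; and without `pipefail` the first curl's status is masked by the pipe into `tar` anyway. Finally, the removal of `shared/log4shell.sh` and the `log4shell_scanner` step (old lines 41-57) is a behavioural change that the CHANGELOG hunks in this commit do not record (they only list the permission check and the image-size reduction for [#1043]); add a `Changed` or `Removed` entry for it.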
@@ -68,42 +59,53 @@ ARG PRODUCT
6859
ARG RELEASE
6960
ARG STACKABLE_USER_UID
7061

71-
LABEL name="Apache ZooKeeper" \
72-
maintainer="info@stackable.tech" \
73-
vendor="Stackable GmbH" \
74-
version="${PRODUCT}" \
75-
release="${RELEASE}" \
76-
summary="The Stackable image for Apache ZooKeeper." \
77-
description="This image is deployed by the Stackable Operator for Apache ZooKeeper."
78-
79-
RUN microdnf update && \
80-
microdnf clean all && \
81-
rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt && \
82-
rm -rf /var/cache/yum
83-
84-
WORKDIR /stackable
62+
LABEL \
63+
name="Apache ZooKeeper" \
64+
maintainer="info@stackable.tech" \
65+
vendor="Stackable GmbH" \
66+
version="${PRODUCT}" \
67+
release="${RELEASE}" \
68+
summary="The Stackable image for Apache ZooKeeper." \
69+
description="This image is deployed by the Stackable Operator for Apache ZooKeeper."
8570

8671
# Copy over the ZooKeeper binary folder
8772
COPY --chown=${STACKABLE_USER_UID}:0 --from=builder /stackable/apache-zookeeper-${PRODUCT}-bin /stackable/apache-zookeeper-${PRODUCT}-bin/
8873
COPY --chown=${STACKABLE_USER_UID}:0 --from=builder /stackable/jmx /stackable/jmx/
8974
COPY zookeeper/licenses /licenses
9075

76+
RUN <<EOF
77+
microdnf update
78+
microdnf clean all
79+
rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt
80+
chown ${STACKABLE_USER_UID}:0 /stackable/package_manifest.txt
81+
chmod g=u /stackable/package_manifest.txt
82+
rm -rf /var/cache/yum
83+
9184
# Add link pointing from /stackable/zookeeper to /stackable/apache-zookeeper-${PRODUCT}-bin/
9285
# to preserve the folder name with the version.
93-
RUN <<EOF
9486
ln -s /stackable/apache-zookeeper-${PRODUCT}-bin/ /stackable/zookeeper
87+
chown -h ${STACKABLE_USER_UID}:0 /stackable/zookeeper
9588

96-
# All files and folders owned by root group to support running as arbitrary users.
97-
# This is best practice as all container users will belong to the root group (0).
98-
chown -R ${STACKABLE_USER_UID}:0 /stackable
99-
chmod -R g=u /stackable
89+
# fix missing permissions
90+
chmod g=u /stackable/jmx
91+
chmod g=u /stackable/apache-zookeeper-${PRODUCT}-bin/
92+
EOF
93+
94+
# ----------------------------------------
95+
# Checks
96+
# This section is to run final checks to ensure the created final images
97+
# adhere to several minimal requirements like:
98+
# - check file permissions and ownerships
99+
# ----------------------------------------
100+
101+
# Check that permissions and ownership in /stackable are set correctly
102+
# This will fail and stop the build if any mismatches are found.
103+
RUN <<EOF
104+
/bin/check-permissions-ownership.sh /stackable ${STACKABLE_USER_UID} 0
100105
EOF
101106

102107
# ----------------------------------------
103-
# Attention: We are changing the group of all files in /stackable directly above
104-
# If you do any file based actions (copying / creating etc.) below this comment you
105-
# absolutely need to make sure that the correct permissions are applied!
106-
# chown ${STACKABLE_USER_UID}:0
108+
# Attention: Do not perform any file based actions (copying/creating etc.) below this comment because the permissions would not be checked.
107109
# ----------------------------------------
108110

109111
ENV ZOOKEEPER_HOME=/stackable/zookeeper
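Review bot: `WORKDIR /stackable` in the final stage (old line 84) is removed and nothing in this hunk restores it, so the image's default working directory changes unless a `WORKDIR` exists below line 111; confirm that is intentional or re-add it before the `COPY` lines. The two new heredocs (new lines 76-83 and 103-105) have the same fail-fast gap as the builder stage: without `set -euo pipefail` a failing `microdnf update` or `rpm -qa` would not abort the build, and only the last command's status counts. The `# fix missing permissions` comment on new line 89 should say which permissions are missing and why; presumably the `g=u` mode on the destination directories `/stackable/jmx` and `/stackable/apache-zookeeper-${PRODUCT}-bin/` that `COPY --chown` creates, which the builder's `chmod -R g=u` on the source tree does not cover, so that the reason survives once the recursive chmod is gone. The replaced `Attention` comment (new line 108) correctly ties the rule to the `check-permissions-ownership.sh` run; note that `COPY zookeeper/licenses /licenses` (line 74) sits outside `/stackable` and is therefore not covered by that check.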

0 commit comments