From 17259f7373dcb1d5d942e8b11775a06a221cc89f Mon Sep 17 00:00:00 2001
From: Will Holley
Date: Fri, 10 May 2019 17:51:35 +0100
Subject: [PATCH 1/4] Dockerfile based on the RedHat UBI Installs CouchDB 2.3.1 via the official rpm. To build: ``` $ cd 2.3.1 $ docker build . -f ubi7/Dockerfile ```
--- 2.3.1/bintray-apache-couchdb-rpm.repo | 6 ++ 2.3.1/ubi7/Dockerfile | 126 ++++++++++++++++++++++++++ 2 files changed, 132 insertions(+) create mode 100644 2.3.1/bintray-apache-couchdb-rpm.repo create mode 100644 2.3.1/ubi7/Dockerfile
diff --git a/2.3.1/bintray-apache-couchdb-rpm.repo b/2.3.1/bintray-apache-couchdb-rpm.repo
new file mode 100644
index 0000000..18bb9c2
--- /dev/null
+++ b/2.3.1/bintray-apache-couchdb-rpm.repo
@@ -0,0 +1,6 @@
+[bintray-apache-couchdb-rpm]
+name=bintray--apache-couchdb-rpm
+baseurl=http://apache.bintray.com/couchdb-rpm/el7/x86_64
+gpgcheck=0
+repo_gpgcheck=0
+enabled=1
diff --git a/2.3.1/ubi7/Dockerfile b/2.3.1/ubi7/Dockerfile
new file mode 100644
index 0000000..74851ee
--- /dev/null
+++ b/2.3.1/ubi7/Dockerfile
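Review bot: The new repo file points `baseurl` at plain `http://apache.bintray.com/...` and sets both `gpgcheck=0` and `repo_gpgcheck=0`, so the `yum install couchdb` that this series adds later pulls an unverified rpm over an unauthenticated channel and runs its scriptlets as root inside the build — an on-path attacker or a compromised mirror gets arbitrary code in the image. The Dockerfile in this same patch already verifies gosu and tini against pinned fingerprints, and its commented-out block even names the CouchDB signing key `8756C4F765C9AC3CB6B85D62379CE192D401AB61`, so the rpm deserves the same treatment: `baseurl=https://apache.bintray.com/couchdb-rpm/el7/x86_64`, `gpgcheck=1`, and a `gpgkey=` entry pointing at that key copied into the image before the install. If signature checking has to stay off for now, a comment in this file stating that package verification is deliberately disabled would at least make the gap visible to whoever builds from it.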
@@ -0,0 +1,126 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+FROM registry.access.redhat.com/ubi7/ubi
+
+LABEL maintainer="CouchDB Developers dev@couchdb.apache.org"
+
+# Add CouchDB user account to make sure the IDs are assigned consistently
+RUN groupadd -g 5984 -r couchdb && useradd -u 5984 -d /opt/couchdb -g couchdb couchdb
+
+# be sure GPG and apt-transport-https are available and functional
+RUN set -ex; \
+ yum update; \
+ yum install -y \
+ ca-certificates \
+ dirmngr \
+ gnupg \
+ yum clean all; \
+ rm -rf /var/cache/yum
+
+# grab gosu for easy step-down from root and tini for signal handling and zombie reaping
+# see https://github.com/apache/couchdb-docker/pull/28#discussion_r141112407
+ENV GOSU_VERSION 1.11
+ENV TINI_VERSION 0.18.0
+RUN set -ex; \
+ \
+ yum update -y; \
+ yum history new; \
+ yum install -y wget; \
+ \
+# install gosu
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-amd64"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-amd64.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ echo "disable-ipv6" >> ${GNUPGHOME}/dirmngr.conf; \
+ for server in $(shuf -e pgpkeys.mit.edu \
+ ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu) ; do \
+ gpg --batch --keyserver $server --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
+ done; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu nobody true; \
+ \
+# install tini
+ wget -O /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-amd64"; \
+ wget -O /usr/local/bin/tini.asc "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-amd64.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ echo "disable-ipv6" >> ${GNUPGHOME}/dirmngr.conf; \
+ for server in $(shuf -e pgpkeys.mit.edu \
+ ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu) ; do \
+ gpg --batch --keyserver $server --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \
+ done; \
+ gpg --batch --verify /usr/local/bin/tini.asc /usr/local/bin/tini; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/tini.asc; \
+ chmod +x /usr/local/bin/tini; \
+ tini --version; \
+\
+# Enable EPEL repositories
+ wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm; \
+# Remove wget
+ yum -y history undo 1; \
+ yum install -y epel-release-latest-7.noarch.rpm; \
+ rm epel-release-latest-7.noarch.rpm; \
+# Clean up
+ yum clean all; \
+ rm -rf /var/cache/yum
+
+
+# https://docs.couchdb.org/en/stable/install/unix.html
+# ENV GPG_COUCH_KEY \
+# # gpg: key D401AB61: public key "Bintray (by JFrog) imported
+# 8756C4F765C9AC3CB6B85D62379CE192D401AB61
+# RUN set -xe; \
+# export GNUPGHOME="$(mktemp -d)"; \
+# echo "disable-ipv6" >> ${GNUPGHOME}/dirmngr.conf; \
+# for server in $(shuf -e pgpkeys.mit.edu \
+# ha.pool.sks-keyservers.net \
+# hkp://p80.pool.sks-keyservers.net:80 \
+# pgp.mit.edu) ; do \
+# gpg --batch --keyserver $server --recv-keys $GPG_COUCH_KEY && break || : ; \
+# done; \
+# gpg --batch --export $GPG_COUCH_KEY > /etc/apt/trusted.gpg.d/couchdb.gpg; \
+# command -v gpgconf && gpgconf --kill all || :; \
+# rm -rf "$GNUPGHOME"; \
+# apt-key list
+
+COPY bintray-apache-couchdb-rpm.repo /etc/yum.repos.d/bintray-apache-couchdb-rpm.repo
+
+ENV COUCHDB_VERSION 2.3.1
+
+# Install CouchDB
+RUN set -xe; \
+ yum install --enablerepo=bintray-apache-couchdb-rpm -y couchdb; \
+ yum clean all; \
+ rm -rf /var/cache/yum
+
+# Add configuration
+COPY 10-docker-default.ini /opt/couchdb/etc/default.d/
+COPY vm.args /opt/couchdb/etc/
+COPY docker-entrypoint.sh /usr/local/bin
+RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards compat
+ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]
+
+# Setup directories and permissions
+RUN find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +
+VOLUME /opt/couchdb/data
+
+# 5984: Main CouchDB endpoint
+# 4369: Erlang portmap daemon (epmd)
+# 9100: CouchDB cluster communication port
+EXPOSE 5984 4369 9100
+CMD ["/opt/couchdb/bin/couchdb"]
From c86125df5bc10c837a9bdb421d35787d65b08ea3 Mon Sep 17 00:00:00 2001
From: Will Holley
Date: Tue, 14 May 2019 17:47:06 +0100
Subject: [PATCH 2/4] move bintray config under ubi7 directory
--- 2.3.1/ubi7/Dockerfile | 2 +- 2.3.1/{ => ubi7}/bintray-apache-couchdb-rpm.repo | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename 2.3.1/{ => ubi7}/bintray-apache-couchdb-rpm.repo (100%)
diff --git a/2.3.1/ubi7/Dockerfile b/2.3.1/ubi7/Dockerfile
index 74851ee..3cfae95 100644
--- a/2.3.1/ubi7/Dockerfile
+++ b/2.3.1/ubi7/Dockerfile
@@ -98,7 +98,7 @@ RUN set -ex; \
 # rm -rf "$GNUPGHOME"; \
 # apt-key list
 
-COPY bintray-apache-couchdb-rpm.repo /etc/yum.repos.d/bintray-apache-couchdb-rpm.repo
+COPY ubi7/bintray-apache-couchdb-rpm.repo /etc/yum.repos.d/bintray-apache-couchdb-rpm.repo
 
 ENV COUCHDB_VERSION 2.3.1
 
diff --git a/2.3.1/bintray-apache-couchdb-rpm.repo b/2.3.1/ubi7/bintray-apache-couchdb-rpm.repo
similarity index 100%
rename from 2.3.1/bintray-apache-couchdb-rpm.repo
rename to 2.3.1/ubi7/bintray-apache-couchdb-rpm.repo
From c40f9ce430f7f072f34b8e4a0b45567479d4ace2 Mon Sep 17 00:00:00 2001
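Review bot: In the second `RUN`, `epel-release-latest-7.noarch.rpm` is fetched over plain `http://dl.fedoraproject.org/...` and then installed as a local package, and nothing verifies it — yum only signature-checks local rpms when `localpkg_gpgcheck` is enabled, which this Dockerfile never sets — so a substituted rpm gets root-level scriptlet execution during the build and its bundled repo files and keys are trusted by every later `yum install`. Fetch it over `https://`, verify the download (for example `rpm -K` against an EPEL key the build carries, or a pinned checksum), or drop EPEL altogether if the couchdb rpm does not actually need it; the file gives no reason for enabling it. Separately, the first `RUN` is missing a `; \` after `gnupg \`, so the continuation turns `yum clean all` into three extra package names on the `yum install -y` line instead of a separate command — it should read `gnupg; \` followed by `yum clean all; \`. The comment above that block still talks about `apt-transport-https`, a Debian leftover that should describe the yum packages actually installed.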
From: Will Holley
Date: Wed, 15 May 2019 13:43:43 +0100
Subject: [PATCH 3/4] suppress RHEL subscription warnings
--- 2.3.1/ubi7/Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/2.3.1/ubi7/Dockerfile b/2.3.1/ubi7/Dockerfile
index 3cfae95..05cb389 100644
--- a/2.3.1/ubi7/Dockerfile
+++ b/2.3.1/ubi7/Dockerfile
@@ -19,7 +19,7 @@ RUN groupadd -g 5984 -r couchdb && useradd -u 5984 -d /opt/couchdb -g couchdb co
 
 # be sure GPG and apt-transport-https are available and functional
 RUN set -ex; \
- yum update; \
+ yum update --disableplugin=subscription-manager -y && rm -rf /var/cache/yum; \
 yum install -y \
 ca-certificates \
 dirmngr \
@@ -33,7 +33,7 @@ ENV GOSU_VERSION 1.11
 ENV TINI_VERSION 0.18.0
 RUN set -ex; \
 \
- yum update -y; \
+ yum update --disableplugin=subscription-manager -y && rm -rf /var/cache/yum; \
 yum history new; \
 yum install -y wget; \
 \
@@ -104,6 +104,7 @@ ENV COUCHDB_VERSION 2.3.1
 
 # Install CouchDB
 RUN set -xe; \
+ yum update --disableplugin=subscription-manager -y && rm -rf /var/cache/yum; \
 yum install --enablerepo=bintray-apache-couchdb-rpm -y couchdb; \
 yum clean all; \
 rm -rf /var/cache/yum
From 1b54c58f3d07496ed7237477e509238cbbe96224 Mon Sep 17 00:00:00 2001
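Review bot: All three `RUN` layers now run an unconditional `yum update --disableplugin=subscription-manager -y`, and the third one (in the `# Install CouchDB` layer) re-updates the whole base immediately before `yum install couchdb`, so the package set in the image depends on the day it was built rather than on the base image tag, which makes rebuilds non-reproducible and hard to audit. Pinning `FROM registry.access.redhat.com/ubi7/ubi` by digest and bumping that digest to pick up errata, or keeping a single update in the first layer, gives the same patch level without the drift. If re-updating in every layer is deliberate, a comment on the first occurrence such as `# update in every layer so rebuilds always pick up current UBI errata` would stop the next reader from removing it. Note also that `rm -rf /var/cache/yum` right after each update throws away metadata that the `yum install` on the following line fetches again.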
From: Will Holley
Date: Wed, 15 May 2019 13:51:13 +0100
Subject: [PATCH 4/4] ubi as a top-level release variant Move the ubi-based Dockerfile into its own top level folder, similar to the couchperuser variant. This makes integration with existing build scripts/processes simpler though means a bit of duplication of config files between the different base images.
--- .travis.yml | 1 + 2.3.1-ubi7/10-docker-default.ini | 11 +++ {2.3.1/ubi7 => 2.3.1-ubi7}/Dockerfile | 2 +- .../bintray-apache-couchdb-rpm.repo | 0 2.3.1-ubi7/docker-entrypoint.sh | 95 +++++++++++++++++++ 2.3.1-ubi7/vm.args | 28 ++++++ 6 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 2.3.1-ubi7/10-docker-default.ini rename {2.3.1/ubi7 => 2.3.1-ubi7}/Dockerfile (98%) rename {2.3.1/ubi7 => 2.3.1-ubi7}/bintray-apache-couchdb-rpm.repo (100%) create mode 100755 2.3.1-ubi7/docker-entrypoint.sh create mode 100644 2.3.1-ubi7/vm.args
diff --git a/.travis.yml b/.travis.yml
index cebe9ef..680928b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,6 +13,7 @@ services: env: - RELEASES=2.3.0 - RELEASES=2.3.1 + - RELEASES=2.3.1-ubi7 - RELEASES=dev - RELEASES=dev-cluster
diff --git a/2.3.1-ubi7/10-docker-default.ini b/2.3.1-ubi7/10-docker-default.ini
new file mode 100644
index 0000000..c1bac9e
--- /dev/null
+++ b/2.3.1-ubi7/10-docker-default.ini
@@ -0,0 +1,11 @@
+; CouchDB Configuration Settings
+
+; Custom settings should be made in this file. They will override settings
+; in default.ini, but unlike changes made to default.ini, this file won't be
+; overwritten on server upgrade.
+
+[chttpd]
+bind_address = any
+
+[httpd]
+bind_address = any
diff --git a/2.3.1/ubi7/Dockerfile b/2.3.1-ubi7/Dockerfile
similarity index 98%
rename from 2.3.1/ubi7/Dockerfile
rename to 2.3.1-ubi7/Dockerfile
index 05cb389..f264993 100644
--- a/2.3.1/ubi7/Dockerfile
+++ b/2.3.1-ubi7/Dockerfile
@@ -98,7 +98,7 @@ RUN set -ex; \
 # rm -rf "$GNUPGHOME"; \
 # apt-key list
 
-COPY ubi7/bintray-apache-couchdb-rpm.repo /etc/yum.repos.d/bintray-apache-couchdb-rpm.repo
+COPY bintray-apache-couchdb-rpm.repo /etc/yum.repos.d/bintray-apache-couchdb-rpm.repo
 
 ENV COUCHDB_VERSION 2.3.1
 
diff --git a/2.3.1/ubi7/bintray-apache-couchdb-rpm.repo b/2.3.1-ubi7/bintray-apache-couchdb-rpm.repo
similarity index 100%
rename from 2.3.1/ubi7/bintray-apache-couchdb-rpm.repo
rename to 2.3.1-ubi7/bintray-apache-couchdb-rpm.repo
diff --git a/2.3.1-ubi7/docker-entrypoint.sh b/2.3.1-ubi7/docker-entrypoint.sh
new file mode 100755
index 0000000..7fdb04b
--- /dev/null
+++ b/2.3.1-ubi7/docker-entrypoint.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+set -e
+
+# first arg is `-something` or `+something`
+if [ "${1#-}" != "$1" ] || [ "${1#+}" != "$1" ]; then
+ set -- /opt/couchdb/bin/couchdb "$@"
+fi
+
+# first arg is the bare word `couchdb`
+if [ "$1" = 'couchdb' ]; then
+ shift
+ set -- /opt/couchdb/bin/couchdb "$@"
+fi
+
+if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
+ # Check that we own everything in /opt/couchdb and fix if necessary. We also
+ # add the `-f` flag in all the following invocations because there may be
+ # cases where some of these ownership and permissions issues are non-fatal
+ # (e.g. a config file owned by root with o+r is actually fine), and we don't
+ # to be too aggressive about crashing here ...
+ find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +
+
+ # Ensure that data files have the correct permissions. We were previously
+ # preventing any access to these files outside of couchdb:couchdb, but it
+ # turns out that CouchDB itself does not set such restrictive permissions
+ # when it creates the files. The approach taken here ensures that the
+ # contents of the datadir have the same permissions as they had when they
+ # were initially created. This should minimize any startup delay.
+ find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
+ find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
+
+ # Do the same thing for configuration files and directories. Technically
+ # CouchDB only needs read access to the configuration files as all online
+ # changes will be applied to the "docker.ini" file below, but we set 644
+ # for the sake of consistency.
+ find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
+ find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
+
+ if [ ! -z "$NODENAME" ] && ! grep "couchdb@" /opt/couchdb/etc/vm.args; then
+ echo "-name couchdb@$NODENAME" >> /opt/couchdb/etc/vm.args
+ fi
+
+ # Ensure that CouchDB will write custom settings in this file
+ touch /opt/couchdb/etc/local.d/docker.ini
+
+ if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then
+ # Create admin only if not already present
+ if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini; then
+ printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini
+ fi
+ fi
+
+ if [ "$COUCHDB_SECRET" ]; then
+ # Set secret only if not already present
+ if ! grep -Pzoqr "\[couch_httpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini; then
+ printf "\n[couch_httpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini
+ fi
+ fi
+
+ chown -f couchdb:couchdb /opt/couchdb/etc/local.d/docker.ini || true
+
+ # if we don't find an [admins] section followed by a non-comment, display a warning
+ if ! grep -Pzoqr '\[admins\]\n[^;]\w+' /opt/couchdb/etc/default.d/*.ini /opt/couchdb/etc/local.d/*.ini; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOWARN'
+ ****************************************************
+ WARNING: CouchDB is running in Admin Party mode.
+ This will allow anyone with access to the
+ CouchDB port to access your database. In
+ Docker's default configuration, this is
+ effectively any other container on the same
+ system.
+ Use "-e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password"
+ to set it in "docker run".
+ ****************************************************
+ EOWARN
+ fi
+
+
+ exec gosu couchdb "$@"
+fi
+
+exec "$@"
diff --git a/2.3.1-ubi7/vm.args b/2.3.1-ubi7/vm.args
new file mode 100644
index 0000000..0425756
--- /dev/null
+++ b/2.3.1-ubi7/vm.args
@@ -0,0 +1,28 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+# Ensure that the Erlang VM listens on a known port
+-kernel inet_dist_listen_min 9100
+-kernel inet_dist_listen_max 9100
+
+# Tell kernel and SASL not to log anything
+-kernel error_logger silent
+-sasl sasl_error_logger false
+
+# Use kernel poll functionality if supported by emulator
++K true
+
+# Start a pool of asynchronous IO threads
++A 16
+
+# Comment this line out to enable the interactive Erlang shell on startup
++Bd -noinput
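Review bot: The `find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644` line runs on every start and makes `local.d/docker.ini` world-readable inside the container, yet that is exactly the file the script then appends `COUCHDB_PASSWORD` and `secret = $COUCHDB_SECRET` to, so any other account in the container (for instance whatever runs as `nobody`) can read the cookie-signing secret and, at least until CouchDB replaces it with a hash, the admin password. Since the file is already chowned to `couchdb:couchdb`, tighten it right after that line with `chmod -f 0640 /opt/couchdb/etc/local.d/docker.ini || true`, or leave `local.d` out of the blanket chmod. A second issue on the `grep -Pzoqr "\[admins\]\n$COUCHDB_USER ="` line is that the username is interpolated into a PCRE unescaped, so a name containing `.`, `+` or `(` either matches the wrong text or makes grep exit with an error, and because that error is inside `if !`, the script then appends a fresh `[admins]` entry on every restart; escape the regex metacharacters in `$COUCHDB_USER` before building the pattern.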
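Review bot: This vm.args pins the distribution listener to port 9100 but contains no `-setcookie`, so the Erlang cookie is taken from somewhere outside this file — presumably the couchdb user's `~/.erlang.cookie` under `/opt/couchdb`, generated on first start; worth confirming. The Dockerfile earlier in this series `EXPOSE`s 4369 and 9100 and the entrypoint names the node with `-name couchdb@$NODENAME`, so that cookie is the only authentication on the distribution port, and anyone who knows it can run arbitrary code as the `couchdb` user. The file should say so next to the port lines, e.g. `# No -setcookie here: the node cookie comes from the couchdb user's ~/.erlang.cookie. Anyone holding it has code execution over 4369/9100, so never publish those ports outside the cluster network.`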