-
Notifications
You must be signed in to change notification settings - Fork 31
/
Dockerfile.rh
136 lines (117 loc) · 5.66 KB
/
Dockerfile.rh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
# Copyright (c) 2017-present Sonatype, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# hadolint ignore=DL3026
FROM registry.access.redhat.com/ubi9/openjdk-17:1.20-2
# Build parameters
ARG IQ_SERVER_VERSION=1.165.0-01
ARG IQ_SERVER_SHA256=582376f426406cc3e361fd8eed79e87d62adf0f33395e11c1f7ab31d9df1786d
ARG IQ_RELEASE="1.165.0"
ARG TEMP="/tmp/work"
ARG IQ_HOME="/opt/sonatype/nexus-iq-server"
ARG SONATYPE_WORK="/sonatype-work"
ARG CONFIG_HOME="/etc/nexus-iq-server"
ARG LOGS_HOME="/var/log/nexus-iq-server"
ARG GID=1000
ARG UID=1000
ARG TIMEOUT=600
LABEL name="Nexus IQ Server image" \
maintainer="Sonatype <[email protected]>" \
vendor=Sonatype \
version="${IQ_SERVER_VERSION}" \
release="${IQ_RELEASE}" \
url="https://www.sonatype.com" \
summary="The Nexus IQ Server" \
description="Nexus IQ Server is a policy engine powered by precise intelligence on open source components. \
It provides a number of tools to improve component usage in your software supply chain, allowing you to \
automate your processes and achieve accelerated speed to delivery while also increasing product quality" \
com.sonatype.license="Apache License, Version 2.0" \
com.sonatype.name="Nexus IQ Server image" \
run="docker run -d -p 8070:8070 -p 8071:8071 IMAGE" \
io.k8s.description="Nexus IQ Server is a policy engine powered by precise intelligence on open source components. \
It provides a number of tools to improve component usage in your software supply chain, allowing you to \
automate your processes and achieve accelerated speed to delivery while also increasing product quality" \
io.k8s.display-name="Nexus IQ Server" \
io.openshift.expose-services="8071:8071" \
io.openshift.tags="Sonatype,Nexus,IQ Server"
USER root
# For testing
# hadolint ignore=DL3041
RUN microdnf update -y \
&& microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y procps gzip unzip tar shadow-utils findutils util-linux less rsync git which\
&& microdnf clean all
# Create folders & set permissions
RUN mkdir -p ${TEMP} \
&& mkdir -p ${IQ_HOME} \
&& mkdir -p ${SONATYPE_WORK} \
&& mkdir -p ${CONFIG_HOME} \
&& mkdir -p ${LOGS_HOME} \
&& chmod 0755 ${TEMP} \
&& chmod 0755 "/opt/sonatype" ${IQ_HOME} \
&& chmod 0755 ${CONFIG_HOME} \
&& chmod 0755 ${LOGS_HOME}
# Copy config.yml and set sonatypeWork to the correct value
COPY config.yml ${TEMP}
# hadolint ignore=DL4006,SC3060
RUN cat ${TEMP}/config.yml | sed -r "s/\s*sonatypeWork\s*:\s*\"?[-0-9a-zA-Z_/\\]+\"?/sonatypeWork: ${SONATYPE_WORK//\//\\/}/" > ${CONFIG_HOME}/config.yml \
&& chmod 0644 ${CONFIG_HOME}/config.yml
# Create start script
RUN echo "trap 'kill -TERM \`cut -f1 -d@ ${SONATYPE_WORK}/lock\`; timeout ${TIMEOUT} tail --pid=\`cut -f1 -d@ ${SONATYPE_WORK}/lock\` -f /dev/null' SIGTERM" > ${IQ_HOME}/start.sh \
&& echo "/usr/bin/java \${JAVA_OPTS} -jar nexus-iq-server-${IQ_SERVER_VERSION}.jar server ${CONFIG_HOME}/config.yml 2> ${LOGS_HOME}/stderr.log & " >> ${IQ_HOME}/start.sh \
&& echo "wait" >> ${IQ_HOME}/start.sh \
&& chmod 0755 ${IQ_HOME}/start.sh
# Download the server bundle, verify its checksum, and extract the server jar to the install directory
WORKDIR ${TEMP}
RUN curl -L https://download.sonatype.com/clm/server/nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz --output nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz \
&& echo "${IQ_SERVER_SHA256} nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz" > nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz.sha256 \
&& sha256sum -c nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz.sha256 \
&& tar -xvf nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz \
&& mv nexus-iq-server-${IQ_SERVER_VERSION}.jar ${IQ_HOME}
WORKDIR ${IQ_HOME}
RUN rm -rf ${TEMP} \
\
# Add group and user
&& groupadd -g ${GID} nexus \
&& adduser -u ${UID} -d ${IQ_HOME} -c "Nexus IQ user" -g nexus -s /bin/false nexus \
\
# Change owner to nexus user
&& chown -R nexus:nexus ${IQ_HOME} \
&& chown -R nexus:nexus ${SONATYPE_WORK} \
&& chown -R nexus:nexus ${CONFIG_HOME} \
&& chown -R nexus:nexus ${LOGS_HOME}
# Red Hat Certified Container commands
COPY rh-docker /
RUN usermod -a -G root nexus \
&& chmod -R 0755 /licenses \
&& chmod 0755 /help.1 \
&& chmod 0755 /uid_entrypoint.sh \
&& chmod 0755 /uid_template.sh \
&& bash /uid_template.sh \
&& chmod 0664 /etc/passwd
# enabling back support for SHA1 signed certificates
RUN update-crypto-policies --set DEFAULT:SHA1
# This is where we will store persistent data
VOLUME ${SONATYPE_WORK}
VOLUME ${LOGS_HOME}
# Expose the ports
EXPOSE 8070
EXPOSE 8071
# Wire up health check
HEALTHCHECK CMD curl --fail --silent --show-error http://localhost:8071/healthcheck || exit 1
# Change to nexus user
USER nexus
ENV JAVA_OPTS="--add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/sun.security.rsa=ALL-UNNAMED --add-opens=java.base/sun.security.x509=ALL-UNNAMED --add-opens=java.base/sun.security.util=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xerces.internal.jaxp.datatype=ALL-UNNAMED -Djava.util.prefs.userRoot=${SONATYPE_WORK}/javaprefs"
ENV SONATYPE_INTERNAL_HOST_SYSTEM=Docker-RedHat
WORKDIR ${IQ_HOME}
ENTRYPOINT ["/uid_entrypoint.sh"]
CMD [ "sh", "./start.sh" ]