Merge pull request #340 from marklogic/release-2.1.2

Release 2.1.2

Author: vitalykorolev

Jenkinsfile

@@ -354,7 +354,7 @@ pipeline {
 
     parameters {
         string(name: 'emailList', defaultValue: emailList, description: 'List of email for build notification', trim: true)
-        string(name: 'dockerVersion', defaultValue: '2.1.1', description: 'ML Docker version. This version along with ML rpm package version will be the image tag as {ML_Version}_{dockerVersion}', trim: true)
+        string(name: 'dockerVersion', defaultValue: '2.1.2', description: 'ML Docker version. This version along with ML rpm package version will be the image tag as {ML_Version}_{dockerVersion}', trim: true)
         choice(name: 'dockerImageType', choices: 'ubi-rootless\nubi\nubi9-rootless\nubi9', description: 'Platform type for Docker image. Will be made part of the docker image tag')
         string(name: 'upgradeDockerImage', defaultValue: '', description: 'Docker image for testing upgrades. Defaults to ubi image if left blank.\n Currently upgrading to ubi-rotless is not supported hence the test is skipped when ubi-rootless image is provided.', trim: true)
         choice(name: 'marklogicVersion', choices: '11\n12\n10', description: 'MarkLogic Server Branch. used to pick appropriate rpm')

LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright © 2023 MarkLogic Corporation. 
+Copyright © 2018-2024 MarkLogic Corporation. 
 
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
 

NOTICE.txt

@@ -1,6 +1,6 @@
-MarkLogic® Docker Container Image v2.1.1
+MarkLogic® Docker Container Image v2
 
-Copyright © 2022-2024 MarkLogic Corporation. MarkLogic and MarkLogic logo are trademarks or registered trademarks of MarkLogic Corporation in the United States and other countries.  All other trademarks are the property of their respective owners.
+Copyright © 2018-2025 MarkLogic Corporation. MarkLogic and MarkLogic logo are trademarks or registered trademarks of MarkLogic Corporation in the United States and other countries.  All other trademarks are the property of their respective owners.
 
 This project is licensed under the Apache License, Version 2.0 (the "License"); you may not use this project except in compliance with the License. You may obtain a copy of the License at
 
@@ -21,11 +21,11 @@ Licensee is responsible for obtaining, at its own expense, any required licenses
 Third Party Components
 
        RedHat UBI Docker Base Image 8 (Commercial)
-RedHat UBI Docker Base Image 9 (Commercial)
-robotframework 7.0 (Apache-2.0)
-  	robotframework-requests 0.9.7 (MIT)
-   	test (MIT)
-   	Tini 0.19.0 (MIT)
+       RedHat UBI Docker Base Image 9 (Commercial)
+       robotframework 7.0 (Apache-2.0)
+       robotframework-requests 0.9.7 (MIT)
+       test (MIT)
+       Tini 0.19.0 (MIT)
 
 Common Licenses
 
@@ -85,6 +85,7 @@ Permission is hereby granted, free of charge, to any person obtaining a copy of
 The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+-------------------------------------------------------------------------
 
 Common License Appendix
 
@@ -139,3 +140,4 @@ You may add Your own copyright statement to Your modifications and may provide a
 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
 
 END OF TERMS AND CONDITIONS
+

README.md

@@ -46,10 +46,21 @@ Docker images are maintained by MarkLogic. Send feedback to the MarkLogic Docker
 
 Supported Docker architectures: x86_64
 
-Base OS: UBI8 and UBI9 with rootless variants.
+Base OS: UBI8 and UBI9 with `rootless` variants.
 
 Published image artifact details: https://github.com/marklogic/marklogic-docker, https://hub.docker.com/r/progressofficial/marklogic-db
 
+## Docker image hardening
+
+Docker images with `rootless` variants are hardened using Openscap (<https://github.com/OpenSCAP/openscap>).
+
+Scoring : 96.67%
+See [Known Issues and Limitations](#known-issues-and-limitations)
+
+## FIPS Enabled
+
+Only Docker images under Base OS UBI8 with `rootless` variants are FIPS enabled following RedHat (<https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#enabling-fips-mode-in-a-container_using-the-system-wide-cryptographic-policies>)
+
 # MarkLogic
 
 [MarkLogic Server](http://www.marklogic.com/) is a multi-model database that has both NoSQL and trusted enterprise data management capabilities. It is the most secure multi-model database, and it’s deployable in any environment.
@@ -853,6 +864,14 @@ The /space mounted on the Docker volume can now be used as backup directory for
 
 # Debugging
 
+## Platform warnings on Apple Silicon
+
+When running the MarkLogic Docker image on Apple Silicon, you may see the following warning message:
+`WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested`
+
+Add the `--platform linux/amd64` flag to the `docker run` command to avoid this warning message.
+
+
 ## View MarkLogic Server Startup Status
 To check the MarkLogic Server startup status, run the below command to tail the MarkLogic log file
 ```
@@ -901,7 +920,7 @@ $ docker exec -it f484a784d998 /bin/bash
 4. To verify that MarkLogic is running, use this command:
 
 ```
-$ sudo service MarkLogic status
+$ service MarkLogic status
 ```
 
 Example output:  
@@ -915,7 +934,7 @@ MarkLogic (pid  34) is running...
 For example, you can list the 8001 error logs, and view them with a single command:
 
 ```
-$ sudo cd /var/opt/MarkLogic/Logs && ls && vi ./8001_ErrorLog.txt
+$ cd /var/opt/MarkLogic/Logs && ls && cat ./8001_ErrorLog.txt
 ```
 
 6. To exit the container when you are through debugging, use the exit command:
@@ -1049,8 +1068,13 @@ Where is calculated as described in the [Configuring HugePages](https://github.c
 3. Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
 4. MarkLogic Server will default to the UTC timezone.
 5. The latest released version of RedHat UBI images have known security vulnerabilities.
-    - CVE-2024-6602, CVE-2024-34397, CVE-2024-2236, CVE-2023-7207, CVE-2023-51764, CVE-2023-37920, CVE-2023-32636, CVE-2023-29499, CVE-2023-2650, CVE-2022-4899, CVE-2021-42694, CVE-2021-3997, CVE-2020-35512, CVE-2020-15945, CVE-2019-9937, CVE-2019-9936, CVE-2019-9705, CVE-2019-19244, CVE-2019-17543, CVE-2019-12904, CVE-2019-12900, CVE-2018-20839, CVE-2024-6602, CVE-2024-6119, CVE-2024-26462, CVE-2024-2236, CVE-2023-7207, CVE-2023-37920, CVE-2023-2953, CVE-2022-4899, CVE-2021-3997, CVE-2024-10041
+    - CVE-2024-6602, CVE-2024-34397, CVE-2024-2236, CVE-2023-7207, CVE-2023-51764, CVE-2023-37920, CVE-2023-32636, CVE-2023-29499, CVE-2023-2650, CVE-2022-4899, CVE-2021-42694, CVE-2021-3997, CVE-2020-35512, CVE-2020-15945, CVE-2019-9937, CVE-2019-9936, CVE-2019-9705, CVE-2019-19244, CVE-2019-17543, CVE-2019-12904, CVE-2019-12900, CVE-2018-20839, CVE-2024-6119, CVE-2024-26462, CVE-2024-2236, CVE-2023-7207, CVE-2023-2953, CVE-2022-4899, CVE-2024-10041, CVE-2022-49043
 
 These libraries are included in the RedHat UBI base images but, to-date, no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.
 
 6. As part of the hardening process, the following packages are removed from the image: `vim-minimal`, `cups-client`, `cups-libs`, `tar`, `python3-pip-wheel`, `platform-python`, `python3-libs`, `platform-python-setuptools`, `avahi-libs`, `binutils`, `expat`, `libarchive`, `python3`, `python3-libs`, `python-unversioned-command`. These packages are not required for the operation of MarkLogic Server and are removed to reduce the attack surface of the image. If you require any of these packages, you can install them in your own Dockerfile.
+
+7. The scoring of the hardening process is 96.67% that because `authselect is not used but files from the 'pam' package have been altered, so the authselect configuration won't be forced.`
+
+It is a medium severity and not applicable in container environment there is not authentication required when login into a container.
+8. The cryptographic modules of RHEL 9 are not yet certified for the FIPS 140-3 requirements.

dockerFiles/marklogic-deps-ubi9:base

@@ -1,18 +1,18 @@
 ###############################################################
 #
-#   Copyright (c) 2023 MarkLogic Corporation
+#   Copyright © 2018-2025 MarkLogic Corporation
 #
 ###############################################################
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5-1733767867
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5-1741850109
 LABEL "com.marklogic.maintainer"="[email protected]"
 
 ###############################################################
 # install libnsl rpm package
 ###############################################################
 
 RUN microdnf -y update \
-    && curl -Lso libnsl.rpm https://bed-artifactory.bedford.progress.com:443/artifactory/ml-rpm-release-tierpoint/devdependencies/libnsl-2.34-125.el9_5.1.x86_64.rpm \
+    && curl -Lso libnsl.rpm https://bed-artifactory.bedford.progress.com:443/artifactory/ml-rpm-release-tierpoint/devdependencies/libnsl-2.34-125.el9_5.3.x86_64.rpm \
     && rpm -i libnsl.rpm \
     && rm -f libnsl.rpm
 
@@ -21,7 +21,7 @@ RUN microdnf -y update \
 ###############################################################
 # hadolint ignore=DL3006
 RUN echo "NETWORKING=yes" > /etc/sysconfig/network \
-    && microdnf -y install --setopt install_weak_deps=0 gdb nss libtool-ltdl cpio tzdata util-linux \
+    && microdnf -y install --setopt install_weak_deps=0 gdb nss libtool-ltdl cpio tzdata util-linux hostname \
     && microdnf clean all
 
 

dockerFiles/marklogic-deps-ubi:base

@@ -1,18 +1,18 @@
 ###############################################################
 #
-#   Copyright (c) 2023 MarkLogic Corporation
+#   Copyright © 2018-2025 MarkLogic Corporation
 #
 ###############################################################
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10-1130
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10-1179.1741795396
 LABEL "com.marklogic.maintainer"="[email protected]"
 
 ###############################################################
 # install libnsl rpm package
 ###############################################################
 
 RUN microdnf -y update \
-    && curl -Lso libnsl.rpm https://bed-artifactory.bedford.progress.com:443/artifactory/ml-rpm-release-tierpoint/devdependencies/libnsl-2.28-251.el8_10.5.x86_64.rpm \
+    && curl -Lso libnsl.rpm https://bed-artifactory.bedford.progress.com:443/artifactory/ml-rpm-release-tierpoint/devdependencies/libnsl-2.28-251.el8_10.14.x86_64.rpm \
     && rpm -i libnsl.rpm \
     && rm -f libnsl.rpm
 
@@ -21,7 +21,7 @@ RUN microdnf -y update \
 ###############################################################
 # hadolint ignore=DL3006
 RUN echo "NETWORKING=yes" > /etc/sysconfig/network \
-    && microdnf -y install --setopt install_weak_deps=0 gdb redhat-lsb-core initscripts tzdata glibc libstdc++.i686 \
+    && microdnf -y install --setopt install_weak_deps=0 gdb redhat-lsb-core initscripts tzdata glibc libstdc++.i686 hostname \
     && microdnf clean all
 
 

dockerFiles/marklogic-server-ubi-rootless:base

@@ -1,6 +1,6 @@
 ###############################################################
 #
-#   Copyright (c) 2023 MarkLogic Corporation
+#   Copyright © 2018-2025 MarkLogic Corporation
 #
 ###############################################################
 
@@ -71,7 +71,7 @@ FROM ${BASE_IMAGE}
 COPY --from=builder / /
 
 ARG ML_USER="marklogic_user"
-ARG ML_VERSION=10-internal
+ARG ML_VERSION=11-internal
 ARG ML_DOCKER_VERSION=local
 ARG BUILD_BRANCH=local
 ARG ML_DOCKER_TYPE=ubi

dockerFiles/marklogic-server-ubi:base

@@ -1,6 +1,6 @@
 ###############################################################
 #
-#   Copyright (c) 2023 MarkLogic Corporation
+#   Copyright © 2018-2025 MarkLogic Corporation
 #
 ###############################################################
 
@@ -59,7 +59,7 @@ FROM ${BASE_IMAGE}
 COPY --from=builder / /
 
 ARG ML_USER="marklogic_user"
-ARG ML_VERSION=10-internal
+ARG ML_VERSION=11-internal
 ARG ML_DOCKER_VERSION=local
 ARG BUILD_BRANCH=local
 ARG ML_DOCKER_TYPE=ubi

src/scripts/start-marklogic-rootless.sh

@@ -1,7 +1,7 @@
 #! /bin/bash
 ###############################################################
 #
-#   Copyright 2023 MarkLogic Corporation.  All Rights Reserved.
+#   Copyright © 2018-2025 MarkLogic Corporation.  All Rights Reserved.
 #
 ###############################################################
 #   Initialise and start MarkLogic server
@@ -32,11 +32,6 @@ log () {
   echo "${TIMESTAMP} ${LOG_LEVEL}: $*"
 }
 
-###############################################################
-# removing MarkLogic ready file and create it when 8001 is accessible on node
-###############################################################
-rm -f /var/opt/MarkLogic/ready
-
 ###############################################################
 # Prepare script
 ###############################################################
@@ -92,8 +87,6 @@ else
     error "INSTALL_CONVERTERS must be true or false." exit
 fi
 
-
-# Values taken directy from documentation: https://docs.marklogic.com/guide/admin-api/cluster#id_10889
 N_RETRY=5
 RETRY_INTERVAL=10
 
@@ -113,7 +106,7 @@ function restart_check {
     local retry_count LAST_START
     LAST_START=$(curl -s --anyauth --user "${ML_ADMIN_USERNAME}":"${ML_ADMIN_PASSWORD}" "http://$1:8001/admin/v1/timestamp")
     for ((retry_count = 0; retry_count < N_RETRY; retry_count = retry_count + 1)); do
-        if [ "$2" == "${LAST_START}" ] || [ -z "${LAST_START}" ]; then
+        if [[ "$2" == "${LAST_START}" ]] || [[ -z "${LAST_START}" ]]; then
             sleep ${RETRY_INTERVAL}
             LAST_START=$(curl -s --anyauth --user "${ML_ADMIN_USERNAME}":"${ML_ADMIN_PASSWORD}" "http://$1:8001/admin/v1/timestamp")
         else
@@ -174,7 +167,7 @@ function validate_cert {
     local curl_output
     curl_output=$(curl -s -S -L --cacert "${cacertfile}" --ssl "${ML_BOOTSTRAP_PROTOCOL}"://"${MARKLOGIC_BOOTSTRAP_HOST}":8001 --anyauth --user "${ML_ADMIN_USERNAME}":"${ML_ADMIN_PASSWORD}")
     return_code=$?
-    if [ $return_code -ne 0 ]; then
+    if [[ $return_code != 0 ]]; then
         info "$curl_output"
         error "MARKLOGIC_JOIN_CACERT_FILE is not valid, please check above error for details. Node shutting down." exit
     fi
@@ -214,10 +207,10 @@ function curl_retry_validate {
 
         sleep ${RETRY_INTERVAL}
     done
-    if [[ "${return_error}" = "false" ]] ; then
+    if [[ "${return_error}" == "false" ]] ; then
         return "${response_code}"
     fi
-    [ -f "start-marklogic_curl_retry_validate.log" ] && cat start-marklogic_curl_retry_validate.log
+    [[ -f "start-marklogic_curl_retry_validate.log" ]] && cat start-marklogic_curl_retry_validate.log
     error "Expected response code ${expected_response_code}, got ${response_code} from ${endpoint}." exit
 }
 
@@ -470,31 +463,29 @@ fi
 # use latest health check only for version 11 and up
 if [[ "${MARKLOGIC_VERSION}" =~ "10" ]] || [[ "${MARKLOGIC_VERSION}" =~ "9" ]]; then
     HEALTH_CHECK="7997"
-else 
+else
      HEALTH_CHECK="7997/LATEST/healthcheck"
+     OLD_HEALTH_CHECK="7997"
 fi
 ML_HOST_PROTOCOL=$(get_host_protocol "localhost" "7997")
 
 while true
 do
     HOST_RESP_CODE=$(curl "${ML_HOST_PROTOCOL}"://"${HOSTNAME}":"${HEALTH_CHECK}" -X GET -o host_health.xml -s -w "%{http_code}\n" --cacert "${ML_CACERT_FILE}")
-    if [[ "${MARKLOGIC_INIT}" == "true" ]] && [ "${HOST_RESP_CODE}" -eq 200 ]; then
-        touch /var/opt/MarkLogic/ready
-        info "Cluster config complete, marking this container as ready."
-        break
-    elif [[ "${MARKLOGIC_INIT}" != "true" ]]; then
-        touch /var/opt/MarkLogic/ready
-        info "Cluster config complete, marking this container as ready."
-        rm -f host_health.xml
-        break
-    elif [[ -f /var/opt/MarkLogic/DOCKER_INIT ]] && [ "${HOST_RESP_CODE}" -eq 200 ]; then
-        touch /var/opt/MarkLogic/ready
+    if [[ "${HOST_RESP_CODE}" == "200" ]] || [[ "${MARKLOGIC_INIT}" != "true" ]]; then
         info "Cluster config complete, marking this container as ready."
         break
+    elif [[ "${HOST_RESP_CODE}" == "404" ]]; then
+        # check old healthcheck in case of upgrade
+        HOST_RESP_CODE=$(curl "${ML_HOST_PROTOCOL}"://"${HOSTNAME}":"${OLD_HEALTH_CHECK}" -X GET -o host_health.xml -s -w "%{http_code}\n" --cacert "${ML_CACERT_FILE}")
+        if [[ "${HOST_RESP_CODE}" == "200" ]]; then
+            info "Cluster config complete, marking this container as ready."
+            break
+        fi
     else
         info "MarkLogic not ready yet, retrying."
-        sleep 5
     fi
+    sleep 5
 done
 
 ################################################################