Merge pull request #122 from mendix/DES-3187_upgrade-cf-buildpack

DES-3187 Docker Buildpack improvements

Author: zlogic

Dockerfile

@@ -13,7 +13,7 @@ FROM ${BUILDER_ROOTFS_IMAGE} AS builder
 ARG BUILD_PATH=project
 ARG DD_API_KEY
 # CF buildpack version
-ARG CF_BUILDPACK=v4.15.4
+ARG CF_BUILDPACK=v4.17.1
 # CF buildpack download URL
 ARG CF_BUILDPACK_URL=https://github.com/mendix/cf-mendix-buildpack/releases/download/${CF_BUILDPACK}/cf-mendix-buildpack.zip
 
@@ -24,6 +24,9 @@ ARG EXCLUDE_LOGFILTER=true
 ARG BLOBSTORE
 ARG BUILDPACK_XTRACE
 
+# Set the user ID
+ARG USER_UID=1001
+
 # Each comment corresponds to the script line:
 # 1. Create all directories needed by scripts
 # 2. Download CF buildpack
@@ -36,7 +39,7 @@ RUN mkdir -p /opt/mendix/buildpack /opt/mendix/build &&\
     curl -fsSL ${CF_BUILDPACK_URL} -o /tmp/cf-mendix-buildpack.zip && \
     python3 -m zipfile -e /tmp/cf-mendix-buildpack.zip /opt/mendix/buildpack/ &&\
     rm /tmp/cf-mendix-buildpack.zip &&\
-    chgrp -R 0 /opt/mendix &&\
+    chown -R ${USER_UID}:0 /opt/mendix &&\
     chmod -R g=u /opt/mendix
 
 # Copy python scripts which execute the buildpack (exporting the VCAP variables)
@@ -69,7 +72,7 @@ RUN mkdir -p /tmp/buildcache /var/mendix/build /var/mendix/build/.local &&\
     ./compilation /opt/mendix/build /tmp/buildcache &&\
     rm -fr /tmp/buildcache /tmp/javasdk /tmp/opt /tmp/downloads /opt/mendix/buildpack/compilation /opt/mendix/buildpack/git &&\
     ln -s /opt/mendix/.java /opt/mendix/build &&\
-    chgrp -R 0 /opt/mendix /var/mendix &&\
+    chown -R ${USER_UID}:0 /opt/mendix /var/mendix &&\
     chmod -R g=u /opt/mendix /var/mendix
 
 FROM ${ROOTFS_IMAGE}
@@ -79,8 +82,14 @@ LABEL maintainer="[email protected]"
 # Uninstall build-time dependencies to remove potentially vulnerable libraries
 ARG UNINSTALL_BUILD_DEPENDENCIES=true
 
-# Allow the root group to modify /etc/passwd so that the startup script can update the non-root uid
-RUN chmod g=u /etc/passwd
+# Set the user ID
+ARG USER_UID=1001
+# Set the home path
+ENV HOME=/opt/mendix/build
+
+# Allow the user group to modify /etc/passwd so that OpenShift 3 randomized UIDs are supported by CF Buildpack 
+RUN chmod g=u /etc/passwd &&\
+    chown ${USER_UID}:0 /etc/passwd
 
 # Uninstall Ubuntu packages which are only required during build time
 RUN if [ "$UNINSTALL_BUILD_DEPENDENCIES" = "true" ] && grep -q ubuntu /etc/os-release ; then\
@@ -96,16 +105,20 @@ COPY scripts/startup scripts/vcap_application.json /opt/mendix/build/
 
 # Create vcap home directory for Datadog configuration
 RUN mkdir -p /home/vcap &&\
-    chgrp -R 0 /home/vcap &&\
+    chown -R ${USER_UID}:0 /home/vcap &&\
     chmod -R g=u /home/vcap
 
 # Each comment corresponds to the script line:
 # 1. Make the startup script executable
 # 2. Update ownership of /opt/mendix so that the app can run as a non-root user
 # 3. Update permissions of /opt/mendix so that the app can run as a non-root user
+# 4. Ensure that running Java 8 as root will still be able to load offline licenses
 RUN chmod +rx /opt/mendix/build/startup &&\
-    chgrp -R 0 /opt/mendix &&\
-    chmod -R g=u /opt/mendix
+    chown -R ${USER_UID}:0 /opt/mendix &&\
+    chmod -R g=u /opt/mendix &&\
+    ln -s /opt/mendix/.java /root
+
+USER ${USER_UID}
 
 # Copy jre from build container
 COPY --from=builder /var/mendix/build/.local/usr /opt/mendix/build/.local/usr
@@ -121,10 +134,6 @@ ENV NGINX_CUSTOM_BIN_PATH=/usr/sbin/nginx
 
 WORKDIR /opt/mendix/build
 
-USER 1001
-
-ENV HOME "/opt/mendix/build"
-
 # Expose nginx port
 ENV PORT 8080
 EXPOSE $PORT

Dockerfile.rootfs.bionic

@@ -19,7 +19,7 @@ ENV LC_ALL en_US.UTF-8
 
 # Set nginx permissions
 RUN touch /run/nginx.pid && \
-    chgrp -R 0 /var/log/nginx /var/lib/nginx /run/nginx.pid &&\
+    chown -R 1001:0 /var/log/nginx /var/lib/nginx /run/nginx.pid &&\
     chmod -R g=u /var/log/nginx /var/lib/nginx /run/nginx.pid
 
 # Set python alias to python3 (required for Datadog)

Dockerfile.rootfs.ubi8

@@ -18,7 +18,7 @@ RUN dnf update -y && \
 
 # Set nginx permissions
 RUN touch /run/nginx.pid && \
-    chgrp -R 0 /run/nginx.pid &&\
+    chown -R 1001:0 /run/nginx.pid &&\
     chmod -R g=u /run/nginx.pid
 
 # Set python alias to python3 (required for Datadog)

README.md

@@ -57,7 +57,7 @@ For build you can provide next arguments:
 - **BUILD_PATH** indicates where the application model is located. It is a root directory of an unzipped .MDA or .MPK file. In the latter case, this is the directory where your .MPR file is located. Must be within [build context](https://docs.docker.com/engine/reference/commandline/build/#extended-description). Defaults to `./project`.
 - **ROOTFS_IMAGE** is a type of rootfs image. Defaults to `mendix/rootfs:ubi8` (Red Hat Universal Base Image 8). To use Ubuntu 18.04, change this to `mendix/rootfs:bionic`. It's also possible to use a custom rootfs image as described in [Advanced feature: full-build](#advanced-feature-full-build).
 - **BUILDER_ROOTFS_IMAGE** is a type of rootfs image used for downloading the Mendix app dependencies and compiling the Mendix app from source. Defaults to `mendix/rootfs:bionic`. It's also possible to use a custom rootfs image as described in [Advanced feature: full-build](#advanced-feature-full-build).
-- **CF_BUILDPACK** is a version of CloudFoundry buildpack. Defaults to `v4.15.4`. For stable pipelines, it's recommended to use a fixed version from **v4.15.4** and later. CloudFoundry buildpack versions below **v4.15.4** are not supported.
+- **CF_BUILDPACK** is a version of CloudFoundry buildpack. Defaults to `v4.17.1`. For stable pipelines, it's recommended to use a fixed version from **v4.17.1** and later. CloudFoundry buildpack versions below **v4.17.1** are not supported.
 - **EXCLUDE_LOGFILTER** will exclude the `mendix-logfilter` binary from the resulting Docker image if set to `true`. Defaults to `true`. Excluding `mendix-logfilter` will reduce the image size and remove a component that's not commonly used; the `LOG_RATELIMIT` environment variable option will be disabled.
 - **UNINSTALL_BUILD_DEPENDENCIES** will uninstall packages which are not needed to launch an app, and are only used during the build phase. Defaults to `true`. This option will remove several libraries which are known to have unpatched CVE vulnerabilities.
 - **CF_BUILDPACK_URL** specifies the URL where the CF buildpack should be downloaded from (for example, a local mirror). Defaults to `https://github.com/mendix/cf-mendix-buildpack/releases/download/${CF_BUILDPACK}/cf-mendix-buildpack.zip`. Specifying **CF_BUILDPACK_URL** will override the version from **CF_BUILDPACK**.

cf-buildpack.version

@@ -1 +1 @@
-v4.15.4
+v4.17.1

scripts/cleanupjdk

@@ -36,15 +36,6 @@ def call_buildpack_compilation():
     logging.debug("Executing call_buildpack_compilation...")
     return subprocess.check_call(["/opt/mendix/buildpack/buildpack/stage.py", BUILD_PATH, CACHE_PATH])
 
-def remove_jdk():
-    logging.info("Removing JDK...")
-    runtime.get_version(BUILD_PATH)
-    
-    jdk = java.determine_jdk(runtime.get_java_version(runtime.get_version(BUILD_PATH)), 'jdk')
-    jdk_path = os.path.join(DOT_LOCAL_LOCATION, java.compose_jvm_target_dir(jdk))
-    if os.path.exists(jdk_path):
-        shutil.rmtree(jdk_path, ignore_errors=False)
-
 def fix_logfilter():
     exclude_logfilter = os.getenv("EXCLUDE_LOGFILTER", "true").lower() == "true"
     if exclude_logfilter:
@@ -74,7 +65,5 @@ if __name__ == '__main__':
     exit_code = call_buildpack_compilation()
     if exit_code != 0:
         sys.exit(exit_code)
-    remove_jdk()
     fix_logfilter()
     make_dependencies_reusable()
-

scripts/compilation

@@ -2,7 +2,6 @@
 import json
 import logging
 import os
-import pwd
 import re
 import subprocess
 import signal
@@ -106,12 +105,15 @@ def call_buildpack_startup():
 
     signal.signal(signal.SIGTERM, sig_forwarder)
 
-    proc.wait()
+    try:
+        proc.wait()
+    except KeyboardInterrupt:
+        logging.debug("Interrupted by keyboard")
 
 def add_uid():
     logging.info("Adding uid to /etc/passwd")
     with open('/etc/passwd','a') as passwd_file:
-        passwd_file.write('mendix:x:{uid}:0:mendix user:/opt/mendix/build:/sbin/nologin\n'.format(uid=os.getuid()))
+        passwd_file.write('mendix:x:{uid}:{gid}:mendix user:/opt/mendix/build:/sbin/nologin\n'.format(uid=os.getuid(),gid=os.getgid()))
 
 def get_welcome_header():
     welcome_ascii_header = '''