diff --git a/.travis.yml b/.travis.yml index a302985..a9543ad 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,8 +3,8 @@ services: docker env: - VERSION=3.7-rc VARIANT=alpine - - VERSION=3.7 VARIANT=alpine - VERSION=3.7 VARIANT=ubuntu + - VERSION=3.7 VARIANT=alpine install: - git clone https://github.com/docker-library/official-images.git ~/official-images diff --git a/3.7/alpine/Dockerfile b/3.7/alpine/Dockerfile index 55fae64..299aa4b 100644 --- a/3.7/alpine/Dockerfile +++ b/3.7/alpine/Dockerfile @@ -1,92 +1,231 @@ +# Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk! FROM alpine:3.8 -# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added -RUN addgroup -S rabbitmq && adduser -S -h /var/lib/rabbitmq -G rabbitmq rabbitmq - # grab su-exec for easy step-down from root -RUN apk add --no-cache 'su-exec>=0.2' +# bash for docker-entrypoint.sh +RUN apk add --no-cache 'su-exec>=0.2' bash -RUN apk add --no-cache \ -# Bash for docker-entrypoint - bash \ -# Procps for rabbitmqctl - procps \ -# Erlang for RabbitMQ - erlang-asn1 \ - erlang-hipe \ - erlang-crypto \ - erlang-eldap \ - erlang-inets \ - erlang-mnesia \ - erlang \ - erlang-os-mon \ - erlang-public-key \ - erlang-sasl \ - erlang-ssl \ - erlang-syntax-tools \ - erlang-xmerl +# Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally +ARG PGP_KEYSERVER=ha.pool.sks-keyservers.net +# If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, +# run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.7 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.7/ubuntu +# For context, see https://github.com/docker-library/official-images/issues/4252 -# get logs to stdout (thanks @dumbbell for pushing this upstream! :D) -ENV RABBITMQ_LOGS=- RABBITMQ_SASL_LOGS=- -# https://github.com/rabbitmq/rabbitmq-server/commit/53af45bf9a162dec849407d114041aad3d84feaf +# Using the latest OpenSSL LTS release, with support until September 2023 - https://www.openssl.org/source/ +ENV OPENSSL_VERSION="1.1.1a" +ENV OPENSSL_SOURCE_SHA256="fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41" +# https://www.openssl.org/community/omc.html +ENV OPENSSL_PGP_KEY_ID=0x8657ABB260F056B1E5190839D9C4D26D0E604491 -ENV RABBITMQ_HOME /opt/rabbitmq -ENV PATH $RABBITMQ_HOME/sbin:$PATH +# Use the latest stable Erlang/OTP release (https://github.com/erlang/otp/tags) +ENV OTP_VERSION="21.2.3" +# TODO add PGP checking when the feature will be added to Erlang/OTP's build system +# http://erlang.org/pipermail/erlang-questions/2019-January/097067.html +ENV OTP_SOURCE_SHA256="109a5722e398bdcd3aeb4f4833cde90bf441a9c014006439643aab550a770923" -# gpg: key 6026DFCA: public key "RabbitMQ Release Signing Key " imported -ENV RABBITMQ_GPG_KEY 0A9AF2115F4687BD29803A206B73A36E6026DFCA +# Install dependencies required to build Erlang/OTP from source +# http://erlang.org/doc/installation_guide/INSTALL.html +# autoconf: Required to configure Erlang/OTP before compiling +# dpkg-dev: Required to set up host & build type when compiling Erlang/OTP +# gnupg: Required to verify OpenSSL artefacts +# libncurses5-dev: Required for Erlang/OTP new shell & observer_cli - https://github.com/zhongwencool/observer_cli +# m4: Required for Erlang/OTP HiPE support +RUN set -eux; \ + \ + apk add --no-cache --virtual .build-deps \ + autoconf \ + ca-certificates \ + dpkg-dev dpkg \ + gcc \ + gnupg \ + libc-dev \ + linux-headers \ + m4 \ + make \ + ncurses-dev \ + wget \ + ; \ + \ + OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ + OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ + OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + \ +# /usr/local/src doesn't exist in Alpine by default + mkdir /usr/local/src; \ + \ +# Required by the crypto & ssl Erlang/OTP applications + wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ + wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz" "$OPENSSL_SOURCE_URL"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$OPENSSL_PGP_KEY_ID"; \ + gpg --batch --verify "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_PATH.tar.gz"; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + echo "$OPENSSL_SOURCE_SHA256 *$OPENSSL_PATH.tar.gz" | sha256sum -c -; \ + mkdir -p "$OPENSSL_PATH"; \ + tar --extract --file "$OPENSSL_PATH.tar.gz" --directory "$OPENSSL_PATH" --strip-components 1; \ + \ +# Configure OpenSSL for compilation + cd "$OPENSSL_PATH"; \ + ./config --openssldir="$OPENSSL_CONFIG_DIR"; \ +# Compile, install OpenSSL, verify that the command-line works & development headers are present + make -j "$(getconf _NPROCESSORS_ONLN)"; \ + make install_sw install_ssldirs; \ + cd ..; \ + rm -rf "$OPENSSL_PATH"*; \ +# use Alpine's CA certificates + rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \ + ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR"; \ +# smoke test + openssl version; \ + \ + OTP_SOURCE_URL="https://github.com/erlang/otp/archive/OTP-$OTP_VERSION.tar.gz"; \ + OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \ + \ +# Download, verify & extract OTP_SOURCE + mkdir -p "$OTP_PATH"; \ + wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \ + echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum -c -; \ + tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \ + \ +# Configure Erlang/OTP for compilation, disable unused features & applications +# http://erlang.org/doc/applications.html +# ERL_TOP is required for Erlang/OTP makefiles to find the absolute path for the installation + cd "$OTP_PATH"; \ + export ERL_TOP="$OTP_PATH"; \ + ./otp_build autoconf; \ + CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ + hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ + buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ + --host="$hostArch" \ + --build="$buildArch" \ + --disable-dynamic-ssl-lib \ + --disable-sctp \ + --disable-silent-rules \ + --enable-clock-gettime \ + --enable-hipe \ + --enable-hybrid-heap \ + --enable-kernel-poll \ + --enable-shared-zlib \ + --enable-smp-support \ + --enable-threads \ + --with-microstate-accounting=extra \ + --without-common_test \ + --without-debugger \ + --without-dialyzer \ + --without-diameter \ + --without-edoc \ + --without-erl_docgen \ + --without-erl_interface \ + --without-et \ + --without-eunit \ + --without-ftp \ + --without-jinterface \ + --without-megaco \ + --without-observer \ + --without-odbc \ + --without-reltool \ + --without-ssh \ + --without-tftp \ + --without-wx \ + ; \ +# Compile & install Erlang/OTP + make -j "$(getconf _NPROCESSORS_ONLN)" GEN_OPT_FLGS="-O2 -fno-strict-aliasing"; \ + make install; \ + cd ..; \ + rm -rf "$OTP_PATH"* /usr/local/lib/erlang/lib/*/src; \ + \ + runDeps="$( \ + scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + | tr ',' '\n' \ + | sort -u \ + | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ + )"; \ + apk add --no-cache --virtual .otp-run-deps $runDeps; \ + apk del --no-network .build-deps; \ + \ +# Check that OpenSSL still works after purging build dependencies + openssl version; \ +# Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly + erl -noshell -eval 'io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' -ENV RABBITMQ_VERSION 3.7.8 -ENV RABBITMQ_GITHUB_TAG v3.7.8 +# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added +ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +# Create rabbitmq system user & group, fix permissions & allow root user to connect to the RabbitMQ Erlang VM +RUN set -eux; \ + addgroup -g 101 -S rabbitmq; \ + adduser -u 100 -S -h /var/lib/rabbitmq -G rabbitmq rabbitmq; \ + mkdir -p "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chown -fR rabbitmq:rabbitmq "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chmod 777 "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + ln -sf "$RABBITMQ_DATA_DIR/.erlang.cookie" /root/.erlang.cookie -RUN set -ex; \ +# Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) +ENV RABBITMQ_VERSION="3.7.10" +# https://www.rabbitmq.com/signatures.html#importing-gpg +ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" +ENV RABBITMQ_HOME=/opt/rabbitmq + +# Add RabbitMQ to PATH, send all logs to TTY +ENV PATH=$RABBITMQ_HOME/sbin:$PATH \ + RABBITMQ_LOGS=- RABBITMQ_SASL_LOGS=- + +# Install RabbitMQ +RUN set -eux; \ \ apk add --no-cache --virtual .build-deps \ ca-certificates \ gnupg \ - libressl \ wget \ xz \ ; \ \ - wget -O rabbitmq-server.tar.xz.asc "https://github.com/rabbitmq/rabbitmq-server/releases/download/$RABBITMQ_GITHUB_TAG/rabbitmq-server-generic-unix-${RABBITMQ_VERSION}.tar.xz.asc"; \ - wget -O rabbitmq-server.tar.xz "https://github.com/rabbitmq/rabbitmq-server/releases/download/$RABBITMQ_GITHUB_TAG/rabbitmq-server-generic-unix-${RABBITMQ_VERSION}.tar.xz"; \ + RABBITMQ_SOURCE_URL="https://github.com/rabbitmq/rabbitmq-server/releases/download/v$RABBITMQ_VERSION/rabbitmq-server-generic-unix-$RABBITMQ_VERSION.tar.xz"; \ + RABBITMQ_PATH="/usr/local/src/rabbitmq-$RABBITMQ_VERSION"; \ + \ + wget --progress dot:giga --output-document "$RABBITMQ_PATH.tar.xz.asc" "$RABBITMQ_SOURCE_URL.asc"; \ + wget --progress dot:giga --output-document "$RABBITMQ_PATH.tar.xz" "$RABBITMQ_SOURCE_URL"; \ \ export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$RABBITMQ_GPG_KEY"; \ - gpg --batch --verify rabbitmq-server.tar.xz.asc rabbitmq-server.tar.xz; \ - command -v gpgconf && gpgconf --kill all || :; \ + gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$RABBITMQ_PGP_KEY_ID"; \ + gpg --batch --verify "$RABBITMQ_PATH.tar.xz.asc" "$RABBITMQ_PATH.tar.xz"; \ + gpgconf --kill all; \ rm -rf "$GNUPGHOME"; \ \ mkdir -p "$RABBITMQ_HOME"; \ - tar \ - --extract \ - --verbose \ - --file rabbitmq-server.tar.xz \ - --directory "$RABBITMQ_HOME" \ - --strip-components 1 \ - ; \ - rm -f rabbitmq-server.tar.xz*; \ - \ -# update SYS_PREFIX (first making sure it's set to what we expect it to be) + tar --extract --file "$RABBITMQ_PATH.tar.xz" --directory "$RABBITMQ_HOME" --strip-components 1; \ + rm -rf "$RABBITMQ_PATH"*; \ +# Do not default SYS_PREFIX to RABBITMQ_HOME, leave it empty grep -qE '^SYS_PREFIX=\$\{RABBITMQ_HOME\}$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ - sed -ri 's!^(SYS_PREFIX=).*$!\1!g' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ + sed -i 's/^SYS_PREFIX=.*$/SYS_PREFIX=/' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ grep -qE '^SYS_PREFIX=$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ + chown -R rabbitmq:rabbitmq "$RABBITMQ_HOME"; \ \ - apk del .build-deps + apk del .build-deps; \ + \ +# verify assumption of no stale cookies + [ ! -e "$RABBITMQ_DATA_DIR/.erlang.cookie" ]; \ +# Ensure RabbitMQ was installed correctly by running a few commands that do not depend on a running server, as the rabbitmq user +# If they all succeed, it's safe to assume that things have been set up correctly + su-exec rabbitmq rabbitmqctl help; \ + su-exec rabbitmq rabbitmqctl list_ciphers; \ + su-exec rabbitmq rabbitmq-plugins list; \ +# no stale cookies + rm "$RABBITMQ_DATA_DIR/.erlang.cookie" + +# Added for backwards compatibility - users can simply COPY custom plugins to /plugins +RUN ln -sf /opt/rabbitmq/plugins /plugins # set home so that any `--user` knows where to put the erlang cookie -ENV HOME /var/lib/rabbitmq +ENV HOME $RABBITMQ_DATA_DIR +# Hint that the data (a.k.a. home dir) dir should be separate volume +VOLUME $RABBITMQ_DATA_DIR -RUN mkdir -p /var/lib/rabbitmq /etc/rabbitmq /var/log/rabbitmq /tmp/rabbitmq-ssl \ - && chown -R rabbitmq:rabbitmq /var/lib/rabbitmq /etc/rabbitmq /var/log/rabbitmq /tmp/rabbitmq-ssl \ - && chmod -R 777 /var/lib/rabbitmq /etc/rabbitmq /var/log/rabbitmq /tmp/rabbitmq-ssl -VOLUME /var/lib/rabbitmq - -# add a symlink to the .erlang.cookie in /root so we can "docker exec rabbitmqctl ..." without gosu -RUN ln -sf /var/lib/rabbitmq/.erlang.cookie /root/ - -RUN ln -sf "$RABBITMQ_HOME/plugins" /plugins +# warning: the VM is running with native name encoding of latin1 which may cause Elixir to malfunction as it expects utf8. Please ensure your locale is set to UTF-8 (which can be verified by running "locale" in your shell) +# Setting all environment variables that control language preferences, behaviour differs - https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html#The-LANGUAGE-variable +# https://docs.docker.com/samples/library/ubuntu/#locales +ENV LANG=C.UTF-8 LANGUAGE=C.UTF-8 LC_ALL=C.UTF-8 COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] diff --git a/3.7/docker-entrypoint.sh b/3.7/docker-entrypoint.sh deleted file mode 100755 index a1bdb3d..0000000 --- a/3.7/docker-entrypoint.sh +++ /dev/null @@ -1,404 +0,0 @@ -#!/bin/bash -set -eu - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - echo >&2 "error: both $var and $fileVar are set (but are exclusive)" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# backwards compatibility for old environment variables -: "${RABBITMQ_SSL_CERTFILE:=${RABBITMQ_SSL_CERT_FILE:-}}" -: "${RABBITMQ_SSL_KEYFILE:=${RABBITMQ_SSL_KEY_FILE:-}}" -: "${RABBITMQ_SSL_CACERTFILE:=${RABBITMQ_SSL_CA_FILE:-}}" - -# "management" SSL config should default to using the same certs -: "${RABBITMQ_MANAGEMENT_SSL_CACERTFILE:=$RABBITMQ_SSL_CACERTFILE}" -: "${RABBITMQ_MANAGEMENT_SSL_CERTFILE:=$RABBITMQ_SSL_CERTFILE}" -: "${RABBITMQ_MANAGEMENT_SSL_KEYFILE:=$RABBITMQ_SSL_KEYFILE}" - -# Allowed env vars that will be read from mounted files (i.e. Docker Secrets): -fileEnvKeys=( - default_user - default_pass -) - -# https://www.rabbitmq.com/configure.html -sslConfigKeys=( - cacertfile - certfile - depth - fail_if_no_peer_cert - keyfile - verify -) -managementConfigKeys=( - "${sslConfigKeys[@]/#/ssl_}" -) -rabbitConfigKeys=( - default_pass - default_user - default_vhost - hipe_compile - vm_memory_high_watermark -) -fileConfigKeys=( - management_ssl_cacertfile - management_ssl_certfile - management_ssl_keyfile - ssl_cacertfile - ssl_certfile - ssl_keyfile -) -allConfigKeys=( - "${managementConfigKeys[@]/#/management_}" - "${rabbitConfigKeys[@]}" - "${sslConfigKeys[@]/#/ssl_}" -) - -declare -A configDefaults=( - [management_ssl_fail_if_no_peer_cert]='false' - [management_ssl_verify]='verify_none' - - [ssl_fail_if_no_peer_cert]='true' - [ssl_verify]='verify_peer' -) - -# allow the container to be started with `--user` -if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then - # this needs to happen late enough that we have the SSL config - # https://github.com/docker-library/rabbitmq/issues/283 - for conf in "${allConfigKeys[@]}"; do - var="RABBITMQ_${conf^^}" - val="${!var:-}" - [ -n "$val" ] || continue - case "$conf" in - *_ssl_*file | ssl_*file ) - if [ -f "$val" ] && ! gosu rabbitmq test -r "$val"; then - newFile="/tmp/rabbitmq-ssl/$conf.pem" - echo >&2 - echo >&2 "WARNING: '$val' ($var) is not readable by rabbitmq ($(id rabbitmq)); copying to '$newFile'" - echo >&2 - cat "$val" > "$newFile" - chown rabbitmq "$newFile" - chmod 0400 "$newFile" - eval 'export '$var'="$newFile"' - fi - ;; - esac - done - - if [ "$1" = 'rabbitmq-server' ]; then - find /var/lib/rabbitmq \! -user rabbitmq -exec chown rabbitmq '{}' + - fi - - exec gosu rabbitmq "$BASH_SOURCE" "$@" -fi - -haveConfig= -haveSslConfig= -haveManagementSslConfig= -for fileEnvKey in "${fileEnvKeys[@]}"; do file_env "RABBITMQ_${fileEnvKey^^}"; done -for conf in "${allConfigKeys[@]}"; do - var="RABBITMQ_${conf^^}" - val="${!var:-}" - if [ "$val" ]; then - if [ "${configDefaults[$conf]:-}" ] && [ "${configDefaults[$conf]}" = "$val" ]; then - # if the value set is the same as the default, treat it as if it isn't set - continue - fi - haveConfig=1 - case "$conf" in - ssl_*) haveSslConfig=1 ;; - management_ssl_*) haveManagementSslConfig=1 ;; - esac - fi -done -if [ "$haveSslConfig" ]; then - missing=() - for sslConf in cacertfile certfile keyfile; do - var="RABBITMQ_SSL_${sslConf^^}" - val="${!var}" - if [ -z "$val" ]; then - missing+=( "$var" ) - fi - done - if [ "${#missing[@]}" -gt 0 ]; then - { - echo - echo 'error: SSL requested, but missing required configuration' - for miss in "${missing[@]}"; do - echo " - $miss" - done - echo - } >&2 - exit 1 - fi -fi -missingFiles=() -for conf in "${fileConfigKeys[@]}"; do - var="RABBITMQ_${conf^^}" - val="${!var}" - if [ "$val" ] && [ ! -f "$val" ]; then - missingFiles+=( "$val ($var)" ) - fi -done -if [ "${#missingFiles[@]}" -gt 0 ]; then - { - echo - echo 'error: files specified, but missing' - for miss in "${missingFiles[@]}"; do - echo " - $miss" - done - echo - } >&2 - exit 1 -fi - -# set defaults for missing values (but only after we're done with all our checking so we don't throw any of that off) -for conf in "${!configDefaults[@]}"; do - default="${configDefaults[$conf]}" - var="RABBITMQ_${conf^^}" - [ -z "${!var:-}" ] || continue - eval "export $var=\"\$default\"" -done - -# if long and short hostnames are not the same, use long hostnames -if [ "$(hostname)" != "$(hostname -s)" ]; then - : "${RABBITMQ_USE_LONGNAME:=true}" -fi - -if [ "${RABBITMQ_ERLANG_COOKIE:-}" ]; then - cookieFile='/var/lib/rabbitmq/.erlang.cookie' - if [ -e "$cookieFile" ]; then - if [ "$(cat "$cookieFile" 2>/dev/null)" != "$RABBITMQ_ERLANG_COOKIE" ]; then - echo >&2 - echo >&2 "warning: $cookieFile contents do not match RABBITMQ_ERLANG_COOKIE" - echo >&2 - fi - else - echo "$RABBITMQ_ERLANG_COOKIE" > "$cookieFile" - fi - chmod 600 "$cookieFile" -fi - -configBase="${RABBITMQ_CONFIG_FILE:-/etc/rabbitmq/rabbitmq}" -oldConfigFile="$configBase.config" -newConfigFile="$configBase.conf" - -shouldWriteConfig="$haveConfig" -if [ -n "$shouldWriteConfig" ] && [ -f "$oldConfigFile" ]; then - { - echo "error: Docker configuration environment variables specified, but old-style (Erlang syntax) configuration file '$oldConfigFile' exists" - echo " Suggested fixes: (choose one)" - echo " - remove '$oldConfigFile'" - echo " - remove any Docker-specific 'RABBITMQ_...' environment variables" - echo " - convert '$oldConfigFile' to the newer sysctl format ('$newConfigFile'); see https://www.rabbitmq.com/configure.html#config-file" - } >&2 - exit 1 -fi -if [ -z "$shouldWriteConfig" ] && [ ! -f "$oldConfigFile" ] && [ ! -f "$newConfigFile" ]; then - # no config files, we should write one - shouldWriteConfig=1 -fi - -# http://stackoverflow.com/a/2705678/433558 -sed_escape_lhs() { - echo "$@" | sed -e 's/[]\/$*.^|[]/\\&/g' -} -sed_escape_rhs() { - echo "$@" | sed -e 's/[\/&]/\\&/g' -} -rabbit_set_config() { - local key="$1"; shift - local val="$1"; shift - - [ -e "$newConfigFile" ] || touch "$newConfigFile" - - local sedKey="$(sed_escape_lhs "$key")" - local sedVal="$(sed_escape_rhs "$val")" - sed -ri \ - "s/^[[:space:]]*(${sedKey}[[:space:]]*=[[:space:]]*)\S.*\$/\1${sedVal}/" \ - "$newConfigFile" - if ! grep -qE "^${sedKey}[[:space:]]*=" "$newConfigFile"; then - echo "$key = $val" >> "$newConfigFile" - fi -} -rabbit_comment_config() { - local key="$1"; shift - - [ -e "$newConfigFile" ] || touch "$newConfigFile" - - local sedKey="$(sed_escape_lhs "$key")" - sed -ri \ - "s/^[[:space:]]*#?[[:space:]]*(${sedKey}[[:space:]]*=[[:space:]]*\S.*)\$/# \1/" \ - "$newConfigFile" -} -rabbit_env_config() { - local prefix="$1"; shift - - local conf - for conf; do - local var="rabbitmq${prefix:+_$prefix}_$conf" - var="${var^^}" - - local key="$conf" - case "$prefix" in - ssl) key="ssl_options.$key" ;; - management_ssl) key="management.listener.ssl_opts.$key" ;; - esac - - local val="${!var:-}" - local rawVal="$val" - case "$conf" in - fail_if_no_peer_cert|hipe_compile) - case "${val,,}" in - false|no|0|'') rawVal='false' ;; - true|yes|1|*) rawVal='true' ;; - esac - ;; - - vm_memory_high_watermark) continue ;; # handled separately - esac - - if [ -n "$rawVal" ]; then - rabbit_set_config "$key" "$rawVal" - else - rabbit_comment_config "$key" - fi - done -} - -if [ "$1" = 'rabbitmq-server' ] && [ "$shouldWriteConfig" ]; then - rabbit_set_config 'loopback_users.guest' 'false' - - # determine whether to set "vm_memory_high_watermark" (based on cgroups) - memTotalKb= - if [ -r /proc/meminfo ]; then - memTotalKb="$(awk -F ':? +' '$1 == "MemTotal" { print $2; exit }' /proc/meminfo)" - fi - memLimitB= - if [ -r /sys/fs/cgroup/memory/memory.limit_in_bytes ]; then - # "18446744073709551615" is a valid value for "memory.limit_in_bytes", which is too big for Bash math to handle - # "$(( 18446744073709551615 / 1024 ))" = 0; "$(( 18446744073709551615 * 40 / 100 ))" = 0 - memLimitB="$(awk -v totKb="$memTotalKb" '{ - limB = $0; - limKb = limB / 1024; - if (!totKb || limKb < totKb) { - printf "%.0f\n", limB; - } - }' /sys/fs/cgroup/memory/memory.limit_in_bytes)" - fi - if [ -n "$memLimitB" ]; then - # if we have a cgroup memory limit, let's inform RabbitMQ of what it is (so it can calculate vm_memory_high_watermark properly) - # https://github.com/rabbitmq/rabbitmq-server/pull/1234 - rabbit_set_config 'total_memory_available_override_value' "$memLimitB" - fi - # https://www.rabbitmq.com/memory.html#memsup-usage - if [ "${RABBITMQ_VM_MEMORY_HIGH_WATERMARK:-}" ]; then - # https://github.com/docker-library/rabbitmq/pull/105#issuecomment-242165822 - vmMemoryHighWatermark="$( - echo "$RABBITMQ_VM_MEMORY_HIGH_WATERMARK" | awk ' - /^[0-9]*[.][0-9]+$|^[0-9]+([.][0-9]+)?%$/ { - perc = $0; - if (perc ~ /%$/) { - gsub(/%$/, "", perc); - perc = perc / 100; - } - if (perc > 1.0 || perc <= 0.0) { - printf "error: invalid percentage for vm_memory_high_watermark: %s (must be > 0%%, <= 100%%)\n", $0 > "/dev/stderr"; - exit 1; - } - printf "vm_memory_high_watermark.relative %0.03f\n", perc; - next; - } - /^[0-9]+$/ { - printf "vm_memory_high_watermark.absolute %s\n", $0; - next; - } - /^[0-9]+([.][0-9]+)?[a-zA-Z]+$/ { - printf "vm_memory_high_watermark.absolute %s\n", $0; - next; - } - { - printf "error: unexpected input for vm_memory_high_watermark: %s\n", $0; - exit 1; - } - ' - )" - if [ "$vmMemoryHighWatermark" ]; then - vmMemoryHighWatermarkKey="${vmMemoryHighWatermark%% *}" - vmMemoryHighWatermarkVal="${vmMemoryHighWatermark#$vmMemoryHighWatermarkKey }" - rabbit_set_config "$vmMemoryHighWatermarkKey" "$vmMemoryHighWatermarkVal" - case "$vmMemoryHighWatermarkKey" in - # make sure we only set one or the other - 'vm_memory_high_watermark.absolute') rabbit_comment_config 'vm_memory_high_watermark.relative' ;; - 'vm_memory_high_watermark.relative') rabbit_comment_config 'vm_memory_high_watermark.absolute' ;; - esac - fi - fi - - if [ "$haveSslConfig" ]; then - rabbit_set_config 'listeners.ssl.default' 5671 - rabbit_env_config 'ssl' "${sslConfigKeys[@]}" - else - rabbit_set_config 'listeners.tcp.default' 5672 - fi - - rabbit_env_config '' "${rabbitConfigKeys[@]}" - - # if management plugin is installed, generate config for it - # https://www.rabbitmq.com/management.html#configuration - if [ "$(rabbitmq-plugins list -q -m -e rabbitmq_management)" ]; then - if [ "$haveManagementSslConfig" ]; then - rabbit_set_config 'management.listener.port' 15671 - rabbit_set_config 'management.listener.ssl' 'true' - rabbit_env_config 'management_ssl' "${sslConfigKeys[@]}" - else - rabbit_set_config 'management.listener.port' 15672 - rabbit_set_config 'management.listener.ssl' 'false' - fi - - # if definitions file exists, then load it - # https://www.rabbitmq.com/management.html#load-definitions - managementDefinitionsFile='/etc/rabbitmq/definitions.json' - if [ -f "$managementDefinitionsFile" ]; then - # see also https://github.com/docker-library/rabbitmq/pull/112#issuecomment-271485550 - rabbit_set_config 'management.load_definitions' "$managementDefinitionsFile" - fi - fi -fi - -combinedSsl='/tmp/rabbitmq-ssl/combined.pem' -if [ "$haveSslConfig" ] && [[ "$1" == rabbitmq* ]] && [ ! -f "$combinedSsl" ]; then - # Create combined cert - cat "$RABBITMQ_SSL_CERTFILE" "$RABBITMQ_SSL_KEYFILE" > "$combinedSsl" - chmod 0400 "$combinedSsl" -fi -if [ "$haveSslConfig" ] && [ -f "$combinedSsl" ]; then - # More ENV vars for make clustering happiness - # we don't handle clustering in this script, but these args should ensure - # clustered SSL-enabled members will talk nicely - export ERL_SSL_PATH="$(erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell)" - sslErlArgs="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_opt server_certfile $combinedSsl -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true" - export RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="${RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS:-} $sslErlArgs" - export RABBITMQ_CTL_ERL_ARGS="${RABBITMQ_CTL_ERL_ARGS:-} $sslErlArgs" -fi - -exec "$@" diff --git a/3.7/ubuntu/Dockerfile b/3.7/ubuntu/Dockerfile index 266d641..4d10418 100644 --- a/3.7/ubuntu/Dockerfile +++ b/3.7/ubuntu/Dockerfile @@ -1,255 +1,245 @@ # The official Canonical Ubuntu Bionic image is ideal from a security perspective, # especially for the enterprises that we, the RabbitMQ team, have to deal with -FROM ubuntu:18.04 AS release +FROM ubuntu:18.04 -# Start a new builder image so that the release image remains unmodified -FROM release AS builder +# grab gosu for easy step-down from root +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends gosu; \ + rm -rf /var/lib/apt/lists/*; \ +# verify that the binary works + gosu nobody true -# Install curl & CA certificates -# Verify that CA certificates work correctly - https://github.com HTTP request succeeds -# I believe in progressive checks: run the simplest checks to ensure that the installed dependency works -RUN apt-get update && \ - apt-get install --yes --no-install-recommends curl ca-certificates && \ - curl --version && \ - curl --verbose --head --fail --fail-early --silent https://github.com +# Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally +ARG PGP_KEYSERVER=ha.pool.sks-keyservers.net +# If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, +# run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.7 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.7/ubuntu +# For context, see https://github.com/docker-library/official-images/issues/4252 + +# Using the latest OpenSSL LTS release, with support until September 2023 - https://www.openssl.org/source/ +ENV OPENSSL_VERSION="1.1.1a" +ENV OPENSSL_SOURCE_SHA256="fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41" +# https://www.openssl.org/community/omc.html +ENV OPENSSL_PGP_KEY_ID=0x8657ABB260F056B1E5190839D9C4D26D0E604491 + +# Use the latest stable Erlang/OTP release (https://github.com/erlang/otp/tags) +ENV OTP_VERSION="21.2.3" +# TODO add PGP checking when the feature will be added to Erlang/OTP's build system +# http://erlang.org/pipermail/erlang-questions/2019-January/097067.html +ENV OTP_SOURCE_SHA256="109a5722e398bdcd3aeb4f4833cde90bf441a9c014006439643aab550a770923" # Install dependencies required to build Erlang/OTP from source # http://erlang.org/doc/installation_guide/INSTALL.html -RUN apt-get update && \ - apt-get install --yes --no-install-recommends make && \ - make --version -RUN apt-get update && \ - apt-get install --yes --no-install-recommends gcc && \ - gcc --version - -# Required to configure Erlang/OTP before compiling -RUN apt-get update && \ - apt-get install --yes --no-install-recommends autoconf && \ - autoconf --version - -# Required to set up host & build type when compiling Erlang/OTP -RUN apt-get update && \ - apt-get install --yes --no-install-recommends dpkg-dev && \ - dpkg-architecture - -# Required for Erlang/OTP HiPE support -RUN apt-get update && \ - apt-get install --yes --no-install-recommends m4 && \ - m4 --version - -# Required for Erlang/OTP new shell & observer_cli - https://github.com/zhongwencool/observer_cli -# It would be nice to have a basic check here, same as we do for other dependencies, but I'm not sure what/how to check this... -RUN apt-get update && \ - apt-get install --yes --no-install-recommends libncurses5-dev - -# Required to verify OpenSSL & RabbitMQ artefacts -RUN apt-get update && \ - apt-get install --yes --no-install-recommends gnupg && \ - gpg --version - -# Required to uncompress xz files, such as rabbitmq-server-generic-unix-3.7.10.tar.xz -RUN apt-get update && \ - apt-get install --yes --no-install-recommends xz-utils && \ - xz --version - -# Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally -# https://github.com/docker-library/official-images/issues/4252 -# If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, -# run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.7 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.7/ubuntu -# For context, see -ARG PGP_KEYSERVER=ha.pool.sks-keyservers.net - -# Using the latest OpenSSL LTS release, with support until September 2023 - https://www.openssl.org/source/ -ARG OPENSSL_VERSION="1.1.1a" -ARG OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz" -ARG OPENSSL_PATH=/usr/local/src/openssl-$OPENSSL_VERSION -ARG OPENSSL_INSTALL_DIR=/opt/openssl -ARG OPENSSL_CONFIG_DIR=/usr/local/ssl -RUN mkdir -p $OPENSSL_PATH $OPENSSL_INSTALL_DIR -# https://www.openssl.org/community/omc.html -ARG OPENSSL_PGP_KEY_ID=0x8657ABB260F056B1E5190839D9C4D26D0E604491 - +# autoconf: Required to configure Erlang/OTP before compiling +# dpkg-dev: Required to set up host & build type when compiling Erlang/OTP +# gnupg: Required to verify OpenSSL artefacts +# libncurses5-dev: Required for Erlang/OTP new shell & observer_cli - https://github.com/zhongwencool/observer_cli +# m4: Required for Erlang/OTP HiPE support +RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install --yes --no-install-recommends \ + autoconf \ + ca-certificates \ + dpkg-dev \ + gcc \ + gnupg \ + libncurses5-dev \ + m4 \ + make \ + wget \ + ; \ + rm -rf /var/lib/apt/lists/*; \ + \ + OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ + OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ + OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + \ # Required by the crypto & ssl Erlang/OTP applications -# Fail fast if SOURCE URL returns HTTP errors -RUN curl --verbose --head --fail --fail-early $OPENSSL_SOURCE_URL 1>/dev/null && \ - curl --verbose --location --silent --fail --fail-early --output $OPENSSL_PATH.tar.gz $OPENSSL_SOURCE_URL && \ - curl --verbose --location --silent --fail --fail-early --output $OPENSSL_PATH.tar.gz.asc $OPENSSL_SOURCE_URL.asc && \ - gpg --batch --keyserver $PGP_KEYSERVER --recv-keys $OPENSSL_PGP_KEY_ID && \ - gpg --batch --verify $OPENSSL_PATH.tar.gz.asc $OPENSSL_PATH.tar.gz && \ - command -v gpgconf > /dev/null && gpgconf --kill all && \ - tar -xvf $OPENSSL_PATH.tar.gz --directory $OPENSSL_PATH --strip-components=1 + wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ + wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz" "$OPENSSL_SOURCE_URL"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$OPENSSL_PGP_KEY_ID"; \ + gpg --batch --verify "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_PATH.tar.gz"; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + echo "$OPENSSL_SOURCE_SHA256 *$OPENSSL_PATH.tar.gz" | sha256sum --check --strict -; \ + mkdir -p "$OPENSSL_PATH"; \ + tar --extract --file "$OPENSSL_PATH.tar.gz" --directory "$OPENSSL_PATH" --strip-components 1; \ + \ # Configure OpenSSL for compilation -RUN cd $OPENSSL_PATH && \ - ./config --prefix=$OPENSSL_INSTALL_DIR --openssldir=$OPENSSL_CONFIG_DIR + cd "$OPENSSL_PATH"; \ + ./config --openssldir="$OPENSSL_CONFIG_DIR"; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present -# Remove docs & man pages to keep the artefact small (saves ~11MB) -RUN cd $OPENSSL_PATH && \ - make -j $(getconf _NPROCESSORS_ONLN) && \ - make test install uninstall_docs && \ - LD_LIBRARY_PATH=$OPENSSL_INSTALL_DIR/lib $OPENSSL_INSTALL_DIR/bin/openssl help && \ - ls $OPENSSL_INSTALL_DIR/lib/libcrypto.so $OPENSSL_INSTALL_DIR/include/openssl/*.h -# Record OpenSSL artefacts size -RUN du -kh -d 1 $OPENSSL_INSTALL_DIR $OPENSSL_CONFIG_DIR >> /OPENSSL_BUILD_ARTEFACTS - -# Use the latest stable Erlang/OTP release -ARG OTP_VERSION="21.2.3" -# TODO add PGP checking when the feature will be added to Erlang/OTP's build system -# http://erlang.org/pipermail/erlang-questions/2019-January/097067.html -ARG OTP_SOURCE_SHA256="109a5722e398bdcd3aeb4f4833cde90bf441a9c014006439643aab550a770923" -ARG OTP_SOURCE_URL="https://github.com/erlang/otp/archive/OTP-$OTP_VERSION.tar.gz" -ARG OTP_PATH=/usr/local/src/otp-$OTP_VERSION -ARG OTP_INSTALL_DIR=/opt/otp -RUN mkdir -p $OTP_PATH $OTP_INSTALL_DIR - + make -j "$(getconf _NPROCESSORS_ONLN)"; \ + make install_sw install_ssldirs; \ + cd ..; \ + rm -rf "$OPENSSL_PATH"*; \ + ldconfig; \ +# use Debian's CA certificates + rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \ + ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR"; \ +# smoke test + openssl version; \ + \ + OTP_SOURCE_URL="https://github.com/erlang/otp/archive/OTP-$OTP_VERSION.tar.gz"; \ + OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \ + \ # Download, verify & extract OTP_SOURCE -# Fail fast if SOURCE URL returns HTTP errors -RUN curl --verbose --head --fail --fail-early $OTP_SOURCE_URL 1>/dev/null && \ - curl --verbose --location --silent --fail --fail-early --output $OTP_PATH.tar.gz $OTP_SOURCE_URL && \ - echo "$OTP_SOURCE_SHA256 $OTP_PATH.tar.gz" > $OTP_PATH.sha256 && \ - sha256sum --check --strict $OTP_PATH.sha256 && \ - tar -xvf $OTP_PATH.tar.gz --directory $OTP_PATH --strip-components=1 - + mkdir -p "$OTP_PATH"; \ + wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \ + echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \ + tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \ + \ # Configure Erlang/OTP for compilation, disable unused features & applications # http://erlang.org/doc/applications.html # ERL_TOP is required for Erlang/OTP makefiles to find the absolute path for the installation -RUN cd $OTP_PATH && \ - export ERL_TOP=$OTP_PATH && \ - ./otp_build autoconf && \ - export CFLAGS="$(dpkg-buildflags --get CFLAGS)" && \ - ./configure \ - --host="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)" \ - --build="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \ - --prefix=$OTP_INSTALL_DIR \ - --disable-sctp \ - --disable-silent-rules \ - --disable-dynamic-ssl-lib \ - --with-ssl=$OPENSSL_INSTALL_DIR \ - --enable-clock-gettime \ - --enable-hybrid-heap \ - --enable-kernel-poll \ - --enable-shared-zlib \ - --enable-threads \ - --enable-smp-support \ - --enable-hipe \ - --with-microstate-accounting=extra \ - --without-odbc \ - --without-diameter \ - --without-erl_interface \ - --without-ftp \ - --without-jinterface \ - --without-megaco \ - --without-ssh \ - --without-tftp \ - --without-wx \ - --without-debugger \ - --without-dialyzer \ - --without-et \ - --without-observer \ - --without-reltool \ - --without-common_test \ - --without-eunit \ - --without-edoc \ - --without-erl_docgen - + cd "$OTP_PATH"; \ + export ERL_TOP="$OTP_PATH"; \ + ./otp_build autoconf; \ + CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ + hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ + buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ + --host="$hostArch" \ + --build="$buildArch" \ + --disable-dynamic-ssl-lib \ + --disable-sctp \ + --disable-silent-rules \ + --enable-clock-gettime \ + --enable-hipe \ + --enable-hybrid-heap \ + --enable-kernel-poll \ + --enable-shared-zlib \ + --enable-smp-support \ + --enable-threads \ + --with-microstate-accounting=extra \ + --without-common_test \ + --without-debugger \ + --without-dialyzer \ + --without-diameter \ + --without-edoc \ + --without-erl_docgen \ + --without-erl_interface \ + --without-et \ + --without-eunit \ + --without-ftp \ + --without-jinterface \ + --without-megaco \ + --without-observer \ + --without-odbc \ + --without-reltool \ + --without-ssh \ + --without-tftp \ + --without-wx \ + ; \ # Compile & install Erlang/OTP -RUN cd $OTP_PATH && export ERL_TOP=$OTP_PATH && make -j "$(getconf _NPROCESSORS_ONLN)" GEN_OPT_FLGS="-O2 -fno-strict-aliasing" && make install - -# Delete all src dirs to keep the final image size down, they add an extra 19MB -# TODO @dumbbell could this be done better, in the build/install phases? -RUN rm -fr $OTP_INSTALL_DIR/lib/erlang/lib/*/src - -# Record Erlang/OTP artefacts size -RUN du -kh -d 1 $OTP_INSTALL_DIR/lib/erlang >> /OTP_BUILD_ARTEFACTS - + make -j "$(getconf _NPROCESSORS_ONLN)" GEN_OPT_FLGS="-O2 -fno-strict-aliasing"; \ + make install; \ + cd ..; \ + rm -rf "$OTP_PATH"* /usr/local/lib/erlang/lib/*/src; \ + \ +# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies + apt-mark auto '.*' > /dev/null; \ + [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \ + find /usr/local -type f -executable -exec ldd '{}' ';' \ + | awk '/=>/ { print $(NF-1) }' \ + | sort -u \ + | xargs -r dpkg-query --search \ + | cut -d: -f1 \ + | sort -u \ + | xargs -r apt-mark manual \ + ; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + \ +# Check that OpenSSL still works after purging build dependencies + openssl version; \ # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly -RUN $OTP_INSTALL_DIR/bin/erl -noshell -eval 'io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' + erl -noshell -eval 'io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' -# Use the latest stable RabbitMQ release -ARG RABBITMQ_VERSION="3.7.10" -ARG RABBITMQ_SOURCE_URL="https://github.com/rabbitmq/rabbitmq-server/releases/download/v$RABBITMQ_VERSION/rabbitmq-server-generic-unix-$RABBITMQ_VERSION.tar.xz" -ARG RABBITMQ_PATH=/usr/local/src/rabbitmq-$RABBITMQ_VERSION -ARG RABBITMQ_INSTALL_DIR=/opt/rabbitmq -RUN mkdir -p $RABBITMQ_INSTALL_DIR +ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +# Create rabbitmq system user & group, fix permissions & allow root user to connect to the RabbitMQ Erlang VM +RUN set -eux; \ + groupadd --gid 999 --system rabbitmq; \ + useradd --uid 999 --system --home-dir "$RABBITMQ_DATA_DIR" --gid rabbitmq rabbitmq; \ + mkdir -p "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chown -fR rabbitmq:rabbitmq "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chmod 777 "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + ln -sf "$RABBITMQ_DATA_DIR/.erlang.cookie" /root/.erlang.cookie + +# Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) +ENV RABBITMQ_VERSION="3.7.10" # https://www.rabbitmq.com/signatures.html#importing-gpg ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" +ENV RABBITMQ_HOME=/opt/rabbitmq + +# Add RabbitMQ to PATH, send all logs to TTY +ENV PATH=$RABBITMQ_HOME/sbin:$PATH \ + RABBITMQ_LOGS=- RABBITMQ_SASL_LOGS=- # Install RabbitMQ -# Fail fast if SOURCE URL returns HTTP errors -RUN curl --verbose --head --fail --fail-early $RABBITMQ_SOURCE_URL 1>/dev/null && \ - curl --verbose --location --silent --fail --fail-early --output $RABBITMQ_PATH.tar.xz $RABBITMQ_SOURCE_URL && \ - curl --verbose --location --silent --fail --fail-early --output $RABBITMQ_PATH.tar.xz.asc $RABBITMQ_SOURCE_URL.asc && \ - gpg --batch --keyserver $PGP_KEYSERVER --recv-keys "$RABBITMQ_PGP_KEY_ID" && \ - gpg --batch --verify $RABBITMQ_PATH.tar.xz.asc $RABBITMQ_PATH.tar.xz && \ - command -v gpgconf > /dev/null && gpgconf --kill all && \ - tar -xvf $RABBITMQ_PATH.tar.xz --directory $RABBITMQ_INSTALL_DIR --strip-components=1 - +RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install --yes --no-install-recommends \ + ca-certificates \ + gnupg \ + wget \ + xz-utils \ + ; \ + rm -rf /var/lib/apt/lists/*; \ + \ + RABBITMQ_SOURCE_URL="https://github.com/rabbitmq/rabbitmq-server/releases/download/v$RABBITMQ_VERSION/rabbitmq-server-generic-unix-$RABBITMQ_VERSION.tar.xz"; \ + RABBITMQ_PATH="/usr/local/src/rabbitmq-$RABBITMQ_VERSION"; \ + \ + wget --progress dot:giga --output-document "$RABBITMQ_PATH.tar.xz.asc" "$RABBITMQ_SOURCE_URL.asc"; \ + wget --progress dot:giga --output-document "$RABBITMQ_PATH.tar.xz" "$RABBITMQ_SOURCE_URL"; \ + \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$RABBITMQ_PGP_KEY_ID"; \ + gpg --batch --verify "$RABBITMQ_PATH.tar.xz.asc" "$RABBITMQ_PATH.tar.xz"; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + \ + mkdir -p "$RABBITMQ_HOME"; \ + tar --extract --file "$RABBITMQ_PATH.tar.xz" --directory "$RABBITMQ_HOME" --strip-components 1; \ + rm -rf "$RABBITMQ_PATH"*; \ # Do not default SYS_PREFIX to RABBITMQ_HOME, leave it empty -RUN sed -i 's/^SYS_PREFIX=.*/SYS_PREFIX=/' $RABBITMQ_INSTALL_DIR/sbin/rabbitmq-defaults - -# Start with the unmodified release image -FROM release -# Duplicate ARGs since they are not preserved between stages in multi-stage builds -ARG OPENSSL_INSTALL_DIR=/opt/openssl -ARG OPENSSL_CONFIG_DIR=/usr/local/ssl -ARG OTP_INSTALL_DIR=/opt/otp -ARG RABBITMQ_INSTALL_DIR=/opt/rabbitmq - -ARG RABBITMQ_DATA_DIR=/var/lib/rabbitmq -ARG RABBITMQ_LOG_DIR=/var/log/rabbitmq -ARG RABBITMQ_CONF_DIR=/etc/rabbitmq -ARG RABBITMQ_TMP_SSL_DIR=/tmp/rabbitmq-ssl -# Only copy the build artefacts required to run RabbitMQ -COPY --from=builder $OPENSSL_INSTALL_DIR $OPENSSL_INSTALL_DIR -COPY --from=builder $OPENSSL_CONFIG_DIR $OPENSSL_CONFIG_DIR -COPY --from=builder $OTP_INSTALL_DIR $OTP_INSTALL_DIR -COPY --from=builder $RABBITMQ_INSTALL_DIR $RABBITMQ_INSTALL_DIR - -# Add OpenSSL to PATH -ENV PATH=$OPENSSL_INSTALL_DIR/bin:$PATH LD_LIBRARY_PATH=$OPENSSL_INSTALL_DIR/lib -# Ensure OpenSSL works by listing all commands -RUN openssl help - -# Add Erlang/OTP to PATH -ENV PATH=$OTP_INSTALL_DIR/bin:$PATH -# Ensure Erlang/OTP works by listing all loaded modules -RUN erl -noshell -eval 'io:format("~p~n", [code:all_loaded()]), init:stop().' - -# Create rabbitmq system user & group, fix permissions & allow root user to connect to the RabbitMQ Erlang VM -RUN groupadd --system rabbitmq && \ - useradd --system --home-dir $RABBITMQ_DATA_DIR --create-home --gid rabbitmq rabbitmq && \ - mkdir -p $RABBITMQ_CONF_DIR $RABBITMQ_LOG_DIR $RABBITMQ_DATA_DIR $RABBITMQ_TMP_SSL_DIR $RABBITMQ_TMP_SSL_DIR && \ - chown -fR rabbitmq:rabbitmq $RABBITMQ_INSTALL_DIR $RABBITMQ_CONF_DIR $RABBITMQ_LOG_DIR $RABBITMQ_DATA_DIR && \ - ln -sf $RABBITMQ_DATA_DIR/.erlang.cookie /root/.erlang.cookie + grep -qE '^SYS_PREFIX=\$\{RABBITMQ_HOME\}$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ + sed -i 's/^SYS_PREFIX=.*$/SYS_PREFIX=/' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ + grep -qE '^SYS_PREFIX=$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ + chown -R rabbitmq:rabbitmq "$RABBITMQ_HOME"; \ + \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + \ +# verify assumption of no stale cookies + [ ! -e "$RABBITMQ_DATA_DIR/.erlang.cookie" ]; \ +# Ensure RabbitMQ was installed correctly by running a few commands that do not depend on a running server, as the rabbitmq user +# If they all succeed, it's safe to assume that things have been set up correctly + gosu rabbitmq rabbitmqctl help; \ + gosu rabbitmq rabbitmqctl list_ciphers; \ + gosu rabbitmq rabbitmq-plugins list; \ +# no stale cookies + rm "$RABBITMQ_DATA_DIR/.erlang.cookie" # Added for backwards compatibility - users can simply COPY custom plugins to /plugins RUN ln -sf /opt/rabbitmq/plugins /plugins +# set home so that any `--user` knows where to put the erlang cookie +ENV HOME $RABBITMQ_DATA_DIR # Hint that the data (a.k.a. home dir) dir should be separate volume VOLUME $RABBITMQ_DATA_DIR -# Add RabbitMQ to PATH, send all logs to TTY -ENV PATH=$RABBITMQ_INSTALL_DIR/sbin:$PATH RABBITMQ_LOGS=- - # warning: the VM is running with native name encoding of latin1 which may cause Elixir to malfunction as it expects utf8. Please ensure your locale is set to UTF-8 (which can be verified by running "locale" in your shell) # Setting all environment variables that control language preferences, behaviour differs - https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html#The-LANGUAGE-variable # https://docs.docker.com/samples/library/ubuntu/#locales ENV LANG=C.UTF-8 LANGUAGE=C.UTF-8 LC_ALL=C.UTF-8 -# Ensure RabbitMQ was installed correctly by running a few commands that do not depend on a running server, as the rabbitmq user -# If they all succeed, it's safe to assume that things have been set up correctly -RUN rabbitmqctl help && rabbitmqctl list_ciphers && rabbitmq-plugins list - -# grab gosu for easy step-down from root -ENV GOSU_VERSION 1.10 -RUN set -eux; \ - apt-get update; \ - apt-get install -y --no-install-recommends gosu; \ - rm -rf /var/lib/apt/lists/*; \ -# verify that the binary works - gosu nobody true - COPY docker-entrypoint.sh /usr/local/bin/ -RUN ln -s /usr/local/bin/docker-entrypoint.sh / # backwards compat ENTRYPOINT ["docker-entrypoint.sh"] EXPOSE 4369 5671 5672 25672 diff --git a/3.7-rc/docker-entrypoint.sh b/docker-entrypoint.sh similarity index 100% rename from 3.7-rc/docker-entrypoint.sh rename to docker-entrypoint.sh diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh index bdb1d73..5c78303 100755 --- a/generate-stackbrew-library.sh +++ b/generate-stackbrew-library.sh @@ -4,7 +4,7 @@ set -eu declare -A aliases=( [3.7]='3 latest' ) -defaultVariant='debian' +defaultVariant='ubuntu' self="$(basename "$BASH_SOURCE")" cd "$(dirname "$(readlink -f "$BASH_SOURCE")")" @@ -71,7 +71,7 @@ join() { for version in "${versions[@]}"; do rcVersion="${version%-rc}" - for variant in debian alpine; do + for variant in ubuntu alpine; do commit="$(dirCommit "$version/$variant")" fullVersion="$(git show "$commit":"$version/$variant/Dockerfile" | awk '$1 == "ENV" && $2 == "RABBITMQ_VERSION" { print $3; exit }')" diff --git a/update.sh b/update.sh index cdd4169..6a3664e 100755 --- a/update.sh +++ b/update.sh @@ -51,7 +51,7 @@ for version in "${versions[@]}"; do echo "$version: $fullVersion" - for variant in alpine debian; do + for variant in alpine ubuntu; do [ -f "$version/$variant/Dockerfile" ] || continue sed -ri \ @@ -59,7 +59,7 @@ for version in "${versions[@]}"; do -e 's/^(ENV RABBITMQ_GITHUB_TAG) .*/\1 '"$githubTag"'/' \ -e 's/^(ENV RABBITMQ_DEBIAN_VERSION) .*/\1 '"$debianVersion"'/' \ "$version/$variant/Dockerfile" - cp -a "$version/docker-entrypoint.sh" "$version/$variant/" + cp -a docker-entrypoint.sh "$version/$variant/" managementFrom="rabbitmq:$version" if [ "$variant" = 'alpine' ]; then