diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..f4c701d
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,108 @@
+FROM alpine:3.23 AS base
+
+# Install JDK
+ARG JDK_VERSION=25
+RUN apk update && apk upgrade \
+ && apk add --no-cache openjdk${JDK_VERSION}-jre-headless bash tar xz \
+ && rm -rf /var/cache/apk/*
+
+################################################################################
+
+FROM base AS build
+
+ARG OPENVOXSERVER_VERSION=8.13.0
+ARG OPENVOXDB_VERSION=8.13.0
+
+ADD https://artifacts.voxpupuli.org/openvox-server/${OPENVOXSERVER_VERSION}/openvox-server-${OPENVOXSERVER_VERSION}.tar.gz /
+ADD https://artifacts.voxpupuli.org/openvoxdb/${OPENVOXDB_VERSION}/openvoxdb-${OPENVOXDB_VERSION}.tar.gz /
+
+COPY openvoxserver/prep_build_container.sh /
+RUN bash -x /prep_build_container.sh
+
+################################################################################
+FROM base AS final
+
+ARG vcs_ref
+ARG build_date
+
+ARG HIERA_EYAML_VERSION=5.0.1
+ARG OPENVOX_VERSION=8.26.2
+ARG OPENVOXSERVER_CA_VERSION=3.2.0
+ARG R10K_VERSION=5.0.3
+
+LABEL org.label-schema.maintainer="Voxpupuli Team " \
+ org.label-schema.vendor="OpenVoxProject" \
+ org.label-schema.url="https://github.com/OpenVoxProject/container-openvoxserver" \
+ org.label-schema.vcs-url="https://github.com/OpenVoxProject/container-openvoxserver" \
+ org.label-schema.schema-version="1.0" \
+ org.label-schema.dockerfile="/Containerfile" \
+ org.label-schema.name="OpenVox Server ($build_type)" \
+ org.label-schema.version="$OPENVOXSERVER_VERSION" \
+ org.label-schema.vcs-ref="$vcs_ref" \
+ org.label-schema.build-date="$build_date"
+
+ENV AUTOSIGN=true \
+ CA_ALLOW_SUBJECT_ALT_NAMES=false \
+ CA_ENABLED=true \
+ CA_TTL=157680000 \
+ CA_HOSTNAME=puppet \
+ CA_PORT=8140 \
+ CERTNAME="" \
+ CSR_ATTRIBUTES='{}' \
+ DEBIAN_FRONTEND=noninteractive \
+ DNS_ALT_NAMES="" \
+ ENVIRONMENTPATH=/etc/puppetlabs/code/environments \
+ HIERACONFIG='$confdir/hiera.yaml' \
+ INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediate/ca.pem \
+ INTERMEDIATE_CA_KEY=/etc/puppetlabs/intermediate/key.pem \
+ INTERMEDIATE_CA=false \
+ INTERMEDIATE_CRL_CHAIN=/etc/puppetlabs/intermediate/crl.pem \
+ LOGDIR=/var/log/puppetlabs/puppetserver \
+ OPENVOX_REPORTS="puppetdb" \
+ OPENVOX_STORECONFIGS_BACKEND="puppetdb" \
+ OPENVOX_STORECONFIGS=true \
+ OPENVOXDB_SERVER_URLS=https://openvoxdb:8081 \
+ OPENVOXSERVER_ENABLE_ENV_CACHE_DEL_API=true \
+ OPENVOXSERVER_ENVIRONMENT_TIMEOUT=unlimited \
+ OPENVOXSERVER_GRAPHITE_EXPORTER_ENABLED=false \
+ OPENVOXSERVER_GRAPHITE_HOST=exporter \
+ OPENVOXSERVER_GRAPHITE_PORT=9109 \
+ OPENVOXSERVER_HOSTNAME="" \
+ OPENVOXSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
+ OPENVOXSERVER_MAX_ACTIVE_INSTANCES=1 \
+ OPENVOXSERVER_MAX_REQUESTS_PER_INSTANCE=0 \
+ OPENVOXSERVER_PORT=8140 \
+ PATH=$PATH:/opt/puppetlabs/server/bin:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin \
+ USE_OPENVOXDB=true
+
+# explicitly set HOME: random UIDs will cause HOME to be "/" generally
+ENV HOME=/opt/puppetlabs/server/data/puppetserver
+
+COPY --from=build /etc/puppetlabs /etc/puppetlabs
+COPY --from=build /opt/puppetlabs /opt/puppetlabs
+COPY --from=build /var/log/puppetlabs /var/log/puppetlabs
+COPY --from=build /var/run/puppetlabs /var/run/puppetlabs
+
+COPY Containerfile /
+COPY openvoxserver/conf.d/product.conf /etc/puppetlabs/puppetserver/conf.d/
+COPY openvoxserver/conf.d/puppetserver.conf /etc/puppetlabs/puppetserver/conf.d/
+COPY openvoxserver/container-entrypoint.d /container-entrypoint.d
+COPY openvoxserver/container-entrypoint.sh /
+COPY openvoxserver/healthcheck.sh /
+COPY openvoxserver/logback.xml /etc/puppetlabs/puppetserver/
+COPY openvoxserver/puppetdb.conf /var/tmp/puppet/
+COPY openvoxserver/puppetserver /etc/default/puppetserver
+COPY openvoxserver/request-logging.xml /etc/puppetlabs/puppetserver/
+
+COPY openvoxserver/prep_release_container.sh /
+RUN bash -x /prep_release_container.sh
+
+USER puppet:0
+
+# k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
+HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]
+
+EXPOSE 8140
+
+ENTRYPOINT ["dumb-init", "/container-entrypoint.sh"]
+CMD ["foreground"]
diff --git a/openvoxserver/Containerfile.alpine b/openvoxserver/Containerfile.alpine
deleted file mode 100644
index 06ba834..0000000
--- a/openvoxserver/Containerfile.alpine
+++ /dev/null
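Review bot: The two `ADD https://artifacts.voxpupuli.org/...tar.gz /` lines in the `build` stage download the server and db tarballs with no integrity check, so a substituted, tampered or truncated artifact is extracted by prep_build_container.sh and shipped in the image without any build failure. Pin each download to its expected digest, e.g. `ADD --checksum=sha256:<sha256-of-openvox-server-tarball> https://artifacts.voxpupuli.org/openvox-server/${OPENVOXSERVER_VERSION}/openvox-server-${OPENVOXSERVER_VERSION}.tar.gz /` (likewise for openvoxdb), and bump the digests together with the version ARGs; if the builder in use does not support `ADD --checksum`, fetch with `wget` inside the prep script and verify with `sha256sum -c` before extracting. Separately, `OPENVOXSERVER_VERSION` is declared only in the `build` stage and `build_type` is declared nowhere in this file, so in the `final` stage the `org.label-schema.version` and `org.label-schema.name` labels expand to empty strings; add `ARG OPENVOXSERVER_VERSION=8.13.0` and `ARG build_type` after `FROM base AS final`.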
@@ -1,241 +0,0 @@
-FROM alpine:3.23 AS base
-
-# Install JDK
-ARG JDK_VERSION=17
-RUN apk update && apk upgrade \
- && apk add --no-cache openjdk${JDK_VERSION}-jre-headless bash curl
-
-################################################################################
-
-FROM base AS build
-
-ARG OPENVOXSERVER_VERSION=8.10.0
-ARG OPENVOXDB_VERSION=8.10.0
-
-ADD https://artifacts.voxpupuli.org/openvox-server/${OPENVOXSERVER_VERSION}/openvox-server-${OPENVOXSERVER_VERSION}.tar.gz /
-ADD https://artifacts.voxpupuli.org/openvoxdb/${OPENVOXDB_VERSION}/openvoxdb-${OPENVOXDB_VERSION}.tar.gz /
-
-ENV app_logdir=/var/log/puppetlabs
-ENV apps_dir=/opt/puppetlabs/server/apps
-ENV bindir=/opt/puppetlabs/server/apps/puppetserver/bin
-ENV data_dir=/opt/puppetlabs/server/data
-ENV etc_dir=/etc/puppetlabs
-ENV rubylibdir=/opt/puppetlabs/puppet/lib/ruby/vendor_ruby
-ENV run_dir=/var/run/puppetlabs
-ENV symbindir=/opt/puppetlabs/server/bin
-ENV uxbindir=/opt/puppetlabs/bin
-
-RUN apk update \
-&& tar -xzf /openvox-server-${OPENVOXSERVER_VERSION}.tar.gz \
-&& tar -xzf /openvoxdb-${OPENVOXDB_VERSION}.tar.gz \
-&& cd /puppetserver-${OPENVOXSERVER_VERSION} \
-&& install -d -m 0700 "${app_logdir}/puppetserver" \
-&& install -d -m 0700 "${data_dir}/puppetserver/jars" \
-&& install -d -m 0700 "${data_dir}/puppetserver/yaml" \
-&& install -d -m 0750 "${etc_dir}/puppetserver/ca" \
-&& install -d -m 0755 "${apps_dir}/puppetserver" \
-&& install -d -m 0755 "${apps_dir}/puppetserver/cli" \
-&& install -d -m 0755 "${apps_dir}/puppetserver/cli/apps" \
-&& install -d -m 0755 "${apps_dir}/puppetserver/config/services.d" \
-&& install -d -m 0755 "${bindir}" \
-&& install -d -m 0755 "${data_dir}/puppetserver/jruby-gems" \
-&& install -d -m 0755 "${etc_dir}/code" \
-&& install -d -m 0755 "${etc_dir}/puppetserver/conf.d" \
-&& install -d -m 0755 "${etc_dir}/puppetserver/services.d" \
-&& install -d -m 0755 "${run_dir}/puppetserver" \
-&& install -d -m 0755 "${symbindir}" \
-&& install -d -m 0755 "${uxbindir}" \
-&& install -d -m 0770 "${data_dir}/puppetserver" \
-&& install -d -m 0770 "${etc_dir}/puppet/ssl" \
-&& install -d -m 0775 "${data_dir}" \
-&& install -m 0644 ext/config/conf.d/auth.conf "${etc_dir}/puppetserver/conf.d/auth.conf" \
-&& install -m 0644 ext/config/conf.d/ca.conf "${etc_dir}/puppetserver/conf.d/ca.conf" \
-&& install -m 0644 ext/config/conf.d/global.conf "${etc_dir}/puppetserver/conf.d/global.conf" \
-&& install -m 0644 ext/config/conf.d/metrics.conf "${etc_dir}/puppetserver/conf.d/metrics.conf" \
-&& install -m 0644 ext/config/conf.d/puppetserver.conf "${etc_dir}/puppetserver/conf.d/puppetserver.conf" \
-&& install -m 0644 ext/config/conf.d/web-routes.conf "${etc_dir}/puppetserver/conf.d/web-routes.conf" \
-&& install -m 0644 ext/config/conf.d/webserver.conf "${etc_dir}/puppetserver/conf.d/webserver.conf" \
-&& install -m 0644 ext/config/logback.xml "${etc_dir}/puppetserver/logback.xml" \
-&& install -m 0644 ext/config/request-logging.xml "${etc_dir}/puppetserver/request-logging.xml" \
-&& install -m 0644 ext/config/services.d/ca.cfg "${etc_dir}/puppetserver/services.d/ca.cfg" \
-&& install -m 0644 ext/system-config/services.d/bootstrap.cfg "${apps_dir}/puppetserver/config/services.d/bootstrap.cfg" \
-&& install -m 0644 puppet-server-release.jar "${apps_dir}/puppetserver" \
-&& install -m 0755 ext/bin/puppetserver "${bindir}/puppetserver" \
-&& install -m 0755 ext/cli_defaults/cli-defaults.sh "${apps_dir}/puppetserver/cli" \
-&& install -m 0755 ext/cli/ca "${apps_dir}/puppetserver/cli/apps/ca" \
-&& install -m 0755 ext/cli/foreground "${apps_dir}/puppetserver/cli/apps/foreground" \
-&& install -m 0755 ext/cli/gem "${apps_dir}/puppetserver/cli/apps/gem" \
-&& install -m 0755 ext/cli/irb "${apps_dir}/puppetserver/cli/apps/irb" \
-&& install -m 0755 ext/cli/prune "${apps_dir}/puppetserver/cli/apps/prune" \
-&& install -m 0755 ext/cli/ruby "${apps_dir}/puppetserver/cli/apps/ruby" \
-&& ln -s "../apps/puppetserver/bin/puppetserver" "${symbindir}/puppetserver" \
-&& ln -s "../server/apps/puppetserver/bin/puppetserver" "${uxbindir}/puppetserver" \
-&& bash ext/build-scripts/install-vendored-gems.sh \
-# puppetdb-termini
-&& cd /puppetdb-${OPENVOXDB_VERSION} \
-&& for f in puppet/face/node/deactivate.rb puppet/face/node/status.rb puppet/functions/puppetdb_query.rb puppet/indirector/catalog/puppetdb.rb puppet/indirector/facts/puppetdb_apply.rb puppet/indirector/facts/puppetdb.rb puppet/indirector/node/puppetdb.rb puppet/indirector/resource/puppetdb.rb puppet/reports/puppetdb.rb puppet/util/puppetdb.rb puppet/util/puppetdb/atom.rb puppet/util/puppetdb/char_encoding.rb puppet/util/puppetdb/command_names.rb puppet/util/puppetdb/command.rb puppet/util/puppetdb/config.rb puppet/util/puppetdb/http.rb; do \
- install -Dm 0644 $f "${rubylibdir}/$f"; \
- done \
-&& rm -rf /openvox-server-${OPENVOXSERVER_VERSION}.tar.gz /openvoxdb-${OPENVOXDB_VERSION}.tar.gz /puppetserver-${OPENVOXSERVER_VERSION} /puppetdb-${OPENVOXDB_VERSION}
-
-################################################################################
-
-FROM base AS final
-
-ARG vcs_ref
-ARG build_date
-ARG R10K_VERSION=5.0.0
-
-LABEL org.label-schema.maintainer="Voxpupuli Team " \
- org.label-schema.vendor="OpenVoxProject" \
- org.label-schema.url="https://github.com/OpenVoxProject/container-openvoxserver" \
- org.label-schema.vcs-url="https://github.com/OpenVoxProject/container-openvoxserver" \
- org.label-schema.schema-version="1.0" \
- org.label-schema.dockerfile="/Containerfile.alpine" \
- org.label-schema.name="OpenVox Server ($build_type)" \
- org.label-schema.version="$OPENVOXSERVER_VERSION" \
- org.label-schema.vcs-ref="$vcs_ref" \
- org.label-schema.build-date="$build_date"
-
-ENV AUTOSIGN=true \
- CA_ALLOW_SUBJECT_ALT_NAMES=false \
- CA_ENABLED=true \
- CA_TTL=157680000 \
- CA_HOSTNAME=puppet \
- CA_PORT=8140 \
- CERTNAME="" \
- CSR_ATTRIBUTES='{}' \
- DEBIAN_FRONTEND=noninteractive \
- DNS_ALT_NAMES="" \
- ENVIRONMENTPATH=/etc/puppetlabs/code/environments \
- HIERACONFIG='$confdir/hiera.yaml' \
- INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediate/ca.pem \
- INTERMEDIATE_CA_KEY=/etc/puppetlabs/intermediate/key.pem \
- INTERMEDIATE_CA=false \
- INTERMEDIATE_CRL_CHAIN=/etc/puppetlabs/intermediate/crl.pem \
- LOGDIR=/var/log/puppetlabs/puppetserver \
- OPENVOX_REPORTS="puppetdb" \
- OPENVOX_STORECONFIGS_BACKEND="puppetdb" \
- OPENVOX_STORECONFIGS=true \
- OPENVOXDB_SERVER_URLS=https://openvoxdb:8081 \
- OPENVOXSERVER_ENABLE_ENV_CACHE_DEL_API=true \
- OPENVOXSERVER_ENVIRONMENT_TIMEOUT=unlimited \
- OPENVOXSERVER_GRAPHITE_EXPORTER_ENABLED=false \
- OPENVOXSERVER_GRAPHITE_HOST=exporter \
- OPENVOXSERVER_GRAPHITE_PORT=9109 \
- OPENVOXSERVER_HOSTNAME="" \
- OPENVOXSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
- OPENVOXSERVER_MAX_ACTIVE_INSTANCES=1 \
- OPENVOXSERVER_MAX_REQUESTS_PER_INSTANCE=0 \
- OPENVOXSERVER_PORT=8140 \
- PATH=$PATH:/opt/puppetlabs/server/bin:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin \
- USE_OPENVOXDB=true \
- ### build variables
- apps_dir=/opt/puppetlabs/server/apps \
- app_logdir=/var/log/puppetlabs \
- data_dir=/opt/puppetlabs/server/data \
- etc_dir=/etc/puppetlabs \
- run_dir=/var/run/puppetlabs \
- bindir=/opt/puppetlabs/server/apps/puppetserver/bin \
- symbindir=/opt/puppetlabs/server/bin \
- uxbindir=/opt/puppetlabs/bin
-
-COPY --from=build /opt/puppetlabs /opt/puppetlabs
-COPY --from=build /etc/puppetlabs /etc/puppetlabs
-COPY --from=build /var/log/puppetlabs /var/log/puppetlabs
-COPY --from=build /var/run/puppetlabs /var/run/puppetlabs
-
-COPY container-entrypoint.sh \
- docker-entrypoint.sh \
- healthcheck.sh \
- Containerfile.alpine \
- /
-
-COPY conf.d/product.conf /etc/puppetlabs/puppetserver/conf.d/
-COPY conf.d/puppetserver.conf /etc/puppetlabs/puppetserver/conf.d/
-COPY container-entrypoint.d /container-entrypoint.d
-COPY logback.xml /etc/puppetlabs/puppetserver/
-COPY puppetdb.conf /var/tmp/puppet/
-COPY puppetserver /etc/default/puppetserver
-COPY request-logging.xml /etc/puppetlabs/puppetserver/
-
-RUN apk update \
-&& apk add --no-cache dumb-init alpine-sdk openssh-client openssl libssh2 ruby ruby-dev runuser coreutils gcompat \
-&& gem install --no-document openvox:8.21.1 syslog hocon:1.4.0 racc:1.8.1 r10k:${R10K_VERSION} hiera-eyaml:4.3.0 openvoxserver-ca:3.0.0 \
-&& apk del --purge alpine-sdk \
-&& addgroup -g 1001 puppet \
-&& adduser -G puppet -u 1001 -h ${data_dir}/puppetserver -H -D -s /sbin/nologin puppet \
-&& chown -R puppet:puppet ${etc_dir}/code \
-&& chown -R puppet:puppet ${etc_dir}/puppet/ssl \
-&& chown -R puppet:puppet ${etc_dir}/puppetserver/ca \
-&& chown -R puppet:puppet ${app_logdir}/puppetserver \
-&& chown -R puppet:puppet ${run_dir}/puppetserver \
-&& chown -R puppet:puppet ${data_dir}/puppetserver \
-&& chmod 700 ${app_logdir}/puppetserver \
-&& chmod 770 ${data_dir}/puppetserver \
-&& chmod 750 ${etc_dir}/puppetserver \
-&& chmod 700 ${data_dir}/puppetserver/jars \
-&& chmod 700 ${data_dir}/puppetserver/yaml \
-&& find /etc/puppetlabs/puppet/ssl -type d -print0 | xargs -0 chmod 770 \
-&& echo 'alias ll="ls -la --color=auto"' >> ~/.bashrc \
-&& chmod +x /container-entrypoint.sh /docker-entrypoint.sh /healthcheck.sh /container-entrypoint.d/*.sh \
-&& mkdir -p /opt/puppetlabs/puppet/bin \
-&& ln -s /usr/bin/puppet /opt/puppetlabs/puppet/bin/puppet \
-&& ln -s /usr/bin/facter /opt/puppetlabs/puppet/bin/facter \
-&& ln -s /usr/bin/ruby /opt/puppetlabs/puppet/bin/ruby \
-&& ln -s /usr/bin/gem /opt/puppetlabs/puppet/bin/gem \
-&& ln -s /usr/bin/irb /opt/puppetlabs/puppet/bin/irb \
-&& ln -s /usr/bin/erb /opt/puppetlabs/puppet/bin/erb \
-&& ln -s /usr/bin/r10k /opt/puppetlabs/puppet/bin/r10k \
-&& ln -s /usr/bin/hiera-eyaml /opt/puppetlabs/puppet/bin/hiera-eyaml \
-# install puppet gem as library into jruby loadpath
-&& puppetserver gem install --no-document openvox
-
-# explicitly set HOME: random UIDs will cause HOME to be "/" generally
-ENV HOME=${data_dir}/puppetserver
-
-# use system/root paths instead of non-root paths to make permission management
-# and volume mounting simpler. for this we link the appropiate paths and explicitly
-# set the base paths used for interpolation, i.e confdir, codedir, vardir, rundir and
-# logdir via the template and/or via `30-ensure-config.sh` in `puppet.conf`
-RUN mkdir -p ${HOME}/.puppetlabs/var \
-&& ln -sf /etc/puppetlabs ${HOME}/.puppetlabs/etc \
-&& ln -sf /opt/puppetlabs ${HOME}/.puppetlabs/opt \
-&& ln -sf /var/log/puppetlabs ${HOME}/.puppetlabs/var/log \
-&& ln -sf /var/run/puppetlabs ${HOME}/.puppetlabs/var/run
-
-# mirror user permissions to group, set group to root, and set gid bit on dirs
-RUN for d in \
- /etc/puppetlabs \
- /var/log/puppetlabs \
- /var/run/puppetlabs \
- /opt/puppetlabs/ \
- ; do \
- mkdir -p "$d"; \
- chgrp -R 0 "$d"; \
- chmod -R g=u "$d"; \
- find "$d" -type d -exec chmod g+s {} +; \
- done
-
-# the foreground starting script has this check before running the server:
-# [ "$EUID" = "$(id -u ${USER})" ]
-# simply calling `id -u` results in the UID of the current user and the check will pass
-RUN sed -i 's/^ *USER="puppet"/USER=""/' /etc/default/puppetserver
-# `puppetserver setup` forces symlinking the "old" cadir to the "new" one for puppet 6 compatibility
-# reasons. this won't work because after creating a link ruby tries to call chown
-RUN sed -i '/Puppetserver::Ca::Utils::Config\.symlink_to_old_cadir/ s/^/# /' \
- /usr/lib/ruby/gems/*/gems/openvoxserver-ca-*/lib/puppetserver/ca/action/setup.rb
-# `FileUtils.chown` calls fail in rootless containers because the process
-# lacks CAP_CHOWN. The ownership is already handled by the g=u / SGID pattern above.
-RUN sed -i 's/FileUtils\.chown/# FileUtils.chown/' \
- /usr/lib/ruby/gems/*/gems/openvoxserver-ca-*/lib/puppetserver/ca/utils/file_system.rb
-
-USER puppet:0
-
-# k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
-HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]
-
-EXPOSE 8140
-
-ENTRYPOINT ["dumb-init", "/container-entrypoint.sh"]
-CMD ["foreground"]
diff --git a/openvoxserver/docker-entrypoint.sh b/openvoxserver/docker-entrypoint.sh
deleted file mode 100755
index 4257155..0000000
--- a/openvoxserver/docker-entrypoint.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-# bash is required to pass ENV vars with dots as sh cannot
-
-set -o errexit # exit on any command failure; use `whatever || true` to accept failures
- # use `if something; then` instead of `something; if [ $? -eq 0 ]; then`
- # use `rv=0; something || rv=$?` if you really need the exact exit code
-set -o pipefail # pipes fail when any command fails, not just the last one. Use: ( whatever || true ) | somethingelse
-set -o nounset # exit on use of undeclared var, use `${possibly_undefined-}` to substitute the empty string in that case
- # You can assign default values like this:
- # `: ${possibly_undefined=default}`
- # `: ${possibly_undefined_or_empty:=default}` will also replace an empty (but declared) value
-# set -o xtrace
-
-echoerr() { echo "$@" 1>&2; }
-
-echoerr "DEPRECATED: Use /container-entrypoint.sh instead of /docker-entrypoint.sh"
-exec ./container-entrypoint.sh "$@"
diff --git a/openvoxserver/prep_build_container.sh b/openvoxserver/prep_build_container.sh
new file mode 100755
index 0000000..5f93ac3
--- /dev/null
+++ b/openvoxserver/prep_build_container.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+tar -x -z -f /openvox-server-${OPENVOXSERVER_VERSION}.tar.gz -C /
+tar -x -z -f /openvoxdb-${OPENVOXDB_VERSION}.tar.gz -C /
+
+cd /puppetserver-${OPENVOXSERVER_VERSION}
+
+install -d "/etc/puppetlabs/code" -m 0755
+install -d "/etc/puppetlabs/puppet/ssl" -m 0770
+install -d "/etc/puppetlabs/puppetserver/ca" -m 0750
+install -d "/etc/puppetlabs/puppetserver/conf.d" -m 0755
+install -d "/etc/puppetlabs/puppetserver/services.d" -m 0755
+install -d "/opt/puppetlabs/bin" -m 0755
+install -d "/opt/puppetlabs/server/apps/puppetserver" -m 0755
+install -d "/opt/puppetlabs/server/apps/puppetserver/bin" -m 0755
+install -d "/opt/puppetlabs/server/apps/puppetserver/cli" -m 0755
+install -d "/opt/puppetlabs/server/apps/puppetserver/cli/apps" -m 0755
+install -d "/opt/puppetlabs/server/apps/puppetserver/config/services.d" -m 0755
+install -d "/opt/puppetlabs/server/bin" -m 0755
+install -d "/opt/puppetlabs/server/data" -m 0775
+install -d "/opt/puppetlabs/server/data/puppetserver" -m 0770
+install -d "/opt/puppetlabs/server/data/puppetserver/jars" -m 0700
+install -d "/opt/puppetlabs/server/data/puppetserver/jruby-gems" -m 0755
+install -d "/opt/puppetlabs/server/data/puppetserver/yaml" -m 0700
+install -d "/var/log/puppetlabs/puppetserver" -m 0700
+install -d "/var/run/puppetlabs/puppetserver" -m 0755
+
+install ext/bin/puppetserver "/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver" -m 0755
+install ext/cli_defaults/cli-defaults.sh "/opt/puppetlabs/server/apps/puppetserver/cli" -m 0755
+install ext/cli/ca "/opt/puppetlabs/server/apps/puppetserver/cli/apps/ca" -m 0755
+install ext/cli/foreground "/opt/puppetlabs/server/apps/puppetserver/cli/apps/foreground" -m 0755
+install ext/cli/gem "/opt/puppetlabs/server/apps/puppetserver/cli/apps/gem" -m 0755
+install ext/cli/irb "/opt/puppetlabs/server/apps/puppetserver/cli/apps/irb" -m 0755
+install ext/cli/prune "/opt/puppetlabs/server/apps/puppetserver/cli/apps/prune" -m 0755
+install ext/cli/ruby "/opt/puppetlabs/server/apps/puppetserver/cli/apps/ruby" -m 0755
+
+install ext/config/conf.d/auth.conf "/etc/puppetlabs/puppetserver/conf.d/auth.conf" -m 0644
+install ext/config/conf.d/ca.conf "/etc/puppetlabs/puppetserver/conf.d/ca.conf" -m 0644
+install ext/config/conf.d/global.conf "/etc/puppetlabs/puppetserver/conf.d/global.conf" -m 0644
+install ext/config/conf.d/metrics.conf "/etc/puppetlabs/puppetserver/conf.d/metrics.conf" -m 0644
+install ext/config/conf.d/puppetserver.conf "/etc/puppetlabs/puppetserver/conf.d/puppetserver.conf" -m 0644
+install ext/config/conf.d/web-routes.conf "/etc/puppetlabs/puppetserver/conf.d/web-routes.conf" -m 0644
+install ext/config/conf.d/webserver.conf "/etc/puppetlabs/puppetserver/conf.d/webserver.conf" -m 0644
+
+install ext/config/logback.xml "/etc/puppetlabs/puppetserver/logback.xml" -m 0644
+install ext/config/request-logging.xml "/etc/puppetlabs/puppetserver/request-logging.xml" -m 0644
+install ext/config/services.d/ca.cfg "/etc/puppetlabs/puppetserver/services.d/ca.cfg" -m 0644
+
+install ext/system-config/services.d/bootstrap.cfg "/opt/puppetlabs/server/apps/puppetserver/config/services.d/bootstrap.cfg" -m 0644
+install puppet-server-release.jar "/opt/puppetlabs/server/apps/puppetserver" -m 0644
+install ext/ezbake-functions.sh "/opt/puppetlabs/server/apps/puppetserver/ezbake-functions.sh" -m 0755
+
+ln -s "../apps/puppetserver/bin/puppetserver" "/opt/puppetlabs/server/bin/puppetserver"
+ln -s "../server/apps/puppetserver/bin/puppetserver" "/opt/puppetlabs/bin/puppetserver"
+
+bash ext/build-scripts/install-vendored-gems.sh
+
+# puppetdb-termini
+cd /puppetdb-${OPENVOXDB_VERSION}
+RUBY_LIB_DIR="/opt/puppetlabs/puppet/lib/ruby/vendor_ruby"
+install -d "$RUBY_LIB_DIR"
+cp -r puppet "$RUBY_LIB_DIR/"
+
+# Cleanup
+rm -rf /openvox-server-${OPENVOXSERVER_VERSION}.tar.gz
+rm -rf /openvoxdb-${OPENVOXDB_VERSION}.tar.gz
+rm -rf /puppetserver-${OPENVOXSERVER_VERSION}
+rm -rf /puppetdb-${OPENVOXDB_VERSION}
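Review bot: prep_build_container.sh never enables `set -e`, so a failing `tar`, `cd /puppetserver-${OPENVOXSERVER_VERSION}` or `install` does not fail the build: the `bash -x` invocation in the Containerfile only traces, and the `build` stage completes with whatever partial tree exists (if the `cd` fails, every following `install ext/...` and the `install puppet-server-release.jar ...` run from `/`, and the final image is copied together without the server jar and with no error). Put `set -euo pipefail` directly under the shebang; `-u` additionally catches an unset `OPENVOXSERVER_VERSION` or `OPENVOXDB_VERSION`, which otherwise silently yields paths like `/puppetserver-`. prep_release_container.sh has the same gap, and there a failed `gem install`, `adduser`, `chown` or `sed` patch is swallowed in the same way.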
diff --git a/openvoxserver/prep_release_container.sh b/openvoxserver/prep_release_container.sh
new file mode 100755
index 0000000..fdb0306
--- /dev/null
+++ b/openvoxserver/prep_release_container.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+apk update
+apk add --no-cache dumb-init alpine-sdk openssh-client openssl libssh2 ruby ruby-dev runuser coreutils gcompat
+
+gem install --no-document syslog:0.4.0
+gem install --no-document hocon:1.4.0
+gem install --no-document racc:1.8.1
+gem install --no-document openvox:${OPENVOX_VERSION}
+gem install --no-document r10k:${R10K_VERSION}
+gem install --no-document hiera-eyaml:${HIERA_EYAML_VERSION}
+gem install --no-document openvoxserver-ca:${OPENVOXSERVER_CA_VERSION}
+gem install --no-document r10k:${R10K_VERSION}
+
+apk del --purge alpine-sdk
+
+# Create puppet user and group, and set permissions on necessary directories
+# Used for rootless execution of the container and to match permissions expected by Puppet Server
+addgroup -g 1001 puppet
+adduser -G puppet -u 1001 -h /opt/puppetlabs/server/data/puppetserver -H -D -s /sbin/nologin puppet
+
+chown -R puppet:puppet /etc/puppetlabs/code
+chown -R puppet:puppet /etc/puppetlabs/puppet/ssl
+chown -R puppet:puppet /etc/puppetlabs/puppetserver/ca
+chown -R puppet:puppet /var/log/puppetlabs/puppetserver
+chown -R puppet:puppet /var/run/puppetlabs/puppetserver
+chown -R puppet:puppet /opt/puppetlabs/server/data/puppetserver
+
+chmod 0700 /var/log/puppetlabs/puppetserver
+chmod 0770 /opt/puppetlabs/server/data/puppetserver
+chmod 0750 /etc/puppetlabs/puppetserver
+chmod 0700 /opt/puppetlabs/server/data/puppetserver/jars
+chmod 0700 /opt/puppetlabs/server/data/puppetserver/yaml
+find /etc/puppetlabs/puppet/ssl -type d -exec chmod 0770 {} \;
+chmod +x /container-entrypoint.sh /healthcheck.sh /container-entrypoint.d/*.sh
+
+mkdir -p /opt/puppetlabs/puppet/bin
+ln -s /usr/bin/puppet /opt/puppetlabs/puppet/bin/puppet
+ln -s /usr/bin/facter /opt/puppetlabs/puppet/bin/facter
+ln -s /usr/bin/ruby /opt/puppetlabs/puppet/bin/ruby
+ln -s /usr/bin/gem /opt/puppetlabs/puppet/bin/gem
+ln -s /usr/bin/irb /opt/puppetlabs/puppet/bin/irb
+ln -s /usr/bin/erb /opt/puppetlabs/puppet/bin/erb
+ln -s /usr/bin/r10k /opt/puppetlabs/puppet/bin/r10k
+ln -s /usr/bin/hiera-eyaml /opt/puppetlabs/puppet/bin/hiera-eyaml
+
+# install puppet gem as library into jruby loadpath
+puppetserver gem install --no-document openvox:${OPENVOX_VERSION}
+
+# shortcut for convinience
+echo 'alias ll="ls -la --color=auto"' >> ~/.bashrc
+
+# use system/root paths instead of non-root paths to make permission management
+# and volume mounting simpler. for this we link the appropiate paths and explicitly
+# set the base paths used for interpolation, i.e confdir, codedir, vardir, rundir and
+# logdir via the template and/or via `30-ensure-config.sh` in `puppet.conf`
+#
+mkdir -p ${HOME}/.puppetlabs/var
+ln -sf /etc/puppetlabs ${HOME}/.puppetlabs/etc
+ln -sf /opt/puppetlabs ${HOME}/.puppetlabs/opt
+ln -sf /var/log/puppetlabs ${HOME}/.puppetlabs/var/log
+ln -sf /var/run/puppetlabs ${HOME}/.puppetlabs/var/run
+
+# mirror user permissions to group, set group to root, and set gid bit on dirs
+for d in /etc/puppetlabs /var/log/puppetlabs /var/run/puppetlabs /opt/puppetlabs/
+do
+ mkdir -p "$d";
+ chgrp -R 0 "$d";
+ chmod -R g=u "$d";
+ find "$d" -type d -exec chmod g+s {} +;
+done
+
+# the foreground starting script has this check before running the server:
+# [ "$EUID" = "$(id -u ${USER})" ]
+# simply calling `id -u` results in the UID of the current user and the check will pass
+sed -i 's/^ *USER="puppet"/USER=""/' /etc/default/puppetserver
+
+# `puppetserver setup` forces symlinking the "old" cadir to the "new" one for puppet 6 compatibility
+# reasons. this won't work because after creating a link ruby tries to call chown
+sed -i '/Puppetserver::Ca::Utils::Config\.symlink_to_old_cadir/ s/^/# /' \
+ /usr/lib/ruby/gems/*/gems/openvoxserver-ca-*/lib/puppetserver/ca/action/setup.rb
+
+ # `FileUtils.chown` calls fail in rootless containers because the process
+# lacks CAP_CHOWN. The ownership is already handled by the g=u / SGID pattern above.
+sed -i 's/FileUtils\.chown/# FileUtils.chown/' \
+ /usr/lib/ruby/gems/*/gems/openvoxserver-ca-*/lib/puppetserver/ca/utils/file_system.rb
+
+rm /prep_release_container.sh
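Review bot: `gem install --no-document r10k:${R10K_VERSION}` is run twice in the gem block (immediately after `racc` and again after `openvoxserver-ca`); the second call is a no-op but costs a network round trip on every build and looks like a leftover from reordering, so drop the trailing one. The `apk add --no-cache dumb-init alpine-sdk openssh-client openssl libssh2 ruby ruby-dev runuser coreutils gcompat` line pins nothing, so while every gem is pinned the Ruby, OpenSSL and dumb-init versions that end up in the image depend on whatever the apk index serves at build time; if reproducibility matters here, pin them (`ruby=<version>` and so on) or at least print `apk info -v` at the end of the script so the build log records what went in.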