Bump to version 19.6.0-9515

Dockerfile

@@ -21,55 +21,95 @@ FROM alpine:latest as gocd-server-unzip
 RUN \
  apk --no-cache upgrade && \
  apk add --no-cache curl && \
- curl --fail --location --silent --show-error "https://download.gocd.org/binaries/19.5.0-9272/generic/go-server-19.5.0-9272.zip" > /tmp/go-server-19.5.0-9272.zip
-RUN unzip /tmp/go-server-19.5.0-9272.zip -d /
-RUN mv /go-server-19.5.0 /go-server
+ curl --fail --location --silent --show-error "https://download.gocd.org/binaries/19.6.0-9515/generic/go-server-19.6.0-9515.zip" > /tmp/go-server-19.6.0-9515.zip
+RUN unzip /tmp/go-server-19.6.0-9515.zip -d /
+RUN mv /go-server-19.6.0 /go-server
 
 FROM alpine:3.9
 MAINTAINER ThoughtWorks, Inc. <[email protected]>
 
-LABEL gocd.version="19.5.0" \
+LABEL gocd.version="19.6.0" \
  description="GoCD server based on alpine version 3.9" \
  maintainer="ThoughtWorks, Inc. <[email protected]>" \
  url="https://www.gocd.org" \
- gocd.full.version="19.5.0-9272" \
- gocd.git.sha="496bf8b95e603c1f3980ae59042bc559eecbbbc0"
+ gocd.full.version="19.6.0-9515" \
+ gocd.git.sha="4b674c10941b6c27d7ec2a28dd946518d9211b7a"
 
 # the ports that go server runs on
 EXPOSE 8153 8154
 
 ADD https://github.com/krallin/tini/releases/download/v0.18.0/tini-static-amd64 /usr/local/sbin/tini
-ADD https://github.com/tianon/gosu/releases/download/1.11/gosu-amd64 /usr/local/sbin/gosu
 
 # force encoding
 ENV LANG en_US.UTF-8
 ENV LANGUAGE en_US:en
 ENV LC_ALL en_US.UTF-8
+ENV GO_JAVA_HOME="/gocd-jre"
 
 ARG UID=1000
-ARG GID=1000
 
 RUN \
 # add mode and permissions for files we added above
  chmod 0755 /usr/local/sbin/tini && \
  chown root:root /usr/local/sbin/tini && \
- chmod 0755 /usr/local/sbin/gosu && \
- chown root:root /usr/local/sbin/gosu && \
 # add our user and group first to make sure their IDs get assigned consistently,
 # regardless of whatever dependencies get added
- addgroup -g ${GID} go && \
- adduser -D -u ${UID} -s /bin/bash -G go go && \
+# add user to root group for gocd to work on openshift
+ adduser -D -u ${UID} -s /bin/bash -G root go && \
+ apk add --no-cache cyrus-sasl cyrus-sasl-plain && \
  apk --no-cache upgrade && \
- apk add --no-cache nss git mercurial subversion openssh-client bash curl && \
- apk add --no-cache openjdk8-jre-base && \
- mkdir -p /docker-entrypoint.d
+ apk add --no-cache nss git mercurial subversion openssh-client bash curl procps && \
+ # install glibc and zlib for adoptopenjdk && \
+ # See https://github.com/AdoptOpenJDK/openjdk-docker/blob/ce8b120411b131e283106ab89ea5921ebb1d1759/8/jdk/alpine/Dockerfile.hotspot.releases.slim#L24-L54 && \
+ apk add --no-cache --virtual .build-deps curl binutils && \
+ GLIBC_VER="2.29-r0" && \
+ ALPINE_GLIBC_REPO="https://github.com/sgerrand/alpine-pkg-glibc/releases/download" && \
+ GCC_LIBS_URL="https://archive.archlinux.org/packages/g/gcc-libs/gcc-libs-9.1.0-2-x86_64.pkg.tar.xz" && \
+ GCC_LIBS_SHA256=91dba90f3c20d32fcf7f1dbe91523653018aa0b8d2230b00f822f6722804cf08 && \
+ ZLIB_URL="https://archive.archlinux.org/packages/z/zlib/zlib-1%3A1.2.11-3-x86_64.pkg.tar.xz" && \
+ ZLIB_SHA256=17aede0b9f8baa789c5aa3f358fbf8c68a5f1228c5e6cba1a5dd34102ef4d4e5 && \
+ curl -LfsS https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub -o /etc/apk/keys/sgerrand.rsa.pub && \
+ SGERRAND_RSA_SHA256="823b54589c93b02497f1ba4dc622eaef9c813e6b0f0ebbb2f771e32adf9f4ef2" && \
+ echo "${SGERRAND_RSA_SHA256} */etc/apk/keys/sgerrand.rsa.pub" | sha256sum -c - && \
+ curl -LfsS ${ALPINE_GLIBC_REPO}/${GLIBC_VER}/glibc-${GLIBC_VER}.apk > /tmp/glibc-${GLIBC_VER}.apk && \
+ apk add /tmp/glibc-${GLIBC_VER}.apk && \
+ curl -LfsS ${ALPINE_GLIBC_REPO}/${GLIBC_VER}/glibc-bin-${GLIBC_VER}.apk > /tmp/glibc-bin-${GLIBC_VER}.apk && \
+ apk add /tmp/glibc-bin-${GLIBC_VER}.apk && \
+ curl -Ls ${ALPINE_GLIBC_REPO}/${GLIBC_VER}/glibc-i18n-${GLIBC_VER}.apk > /tmp/glibc-i18n-${GLIBC_VER}.apk && \
+ apk add /tmp/glibc-i18n-${GLIBC_VER}.apk && \
+ /usr/glibc-compat/bin/localedef --force --inputfile POSIX --charmap UTF-8 "$LANG" || true && \
+ echo "export LANG=$LANG" > /etc/profile.d/locale.sh && \
+ curl -LfsS ${GCC_LIBS_URL} -o /tmp/gcc-libs.tar.xz && \
+ echo "${GCC_LIBS_SHA256} */tmp/gcc-libs.tar.xz" | sha256sum -c - && \
+ mkdir /tmp/gcc && \
+ tar -xf /tmp/gcc-libs.tar.xz -C /tmp/gcc && \
+ mv /tmp/gcc/usr/lib/libgcc* /tmp/gcc/usr/lib/libstdc++* /usr/glibc-compat/lib && \
+ strip /usr/glibc-compat/lib/libgcc_s.so.* /usr/glibc-compat/lib/libstdc++.so* && \
+ curl -LfsS ${ZLIB_URL} -o /tmp/libz.tar.xz && \
+ echo "${ZLIB_SHA256} */tmp/libz.tar.xz" | sha256sum -c - && \
+ mkdir /tmp/libz && \
+ tar -xf /tmp/libz.tar.xz -C /tmp/libz && \
+ mv /tmp/libz/usr/lib/libz.so* /usr/glibc-compat/lib && \
+ apk del --purge .build-deps glibc-i18n && \
+ rm -rf /tmp/*.apk /tmp/gcc /tmp/gcc-libs.tar.xz /tmp/libz /tmp/libz.tar.xz /var/cache/apk/* && \
+ # end installing adoptopenjre && \
+ curl --fail --location --silent --show-error 'https://github.com/AdoptOpenJDK/openjdk12-binaries/releases/download/jdk-12.0.1%2B12/OpenJDK12U-jre_x64_linux_hotspot_12.0.1_12.tar.gz' --output /tmp/jre.tar.gz && \
+ mkdir -p /gocd-jre && \
+ tar -xf /tmp/jre.tar.gz -C /gocd-jre --strip 1 && \
+ rm -rf /tmp/jre.tar.gz && \
+ mkdir -p /go-server /docker-entrypoint.d /go-working-dir /godata
+
+ADD docker-entrypoint.sh /
 
 COPY --from=gocd-server-unzip /go-server /go-server
 # ensure that logs are printed to console output
-COPY logback-include.xml /go-server/config/logback-include.xml
-COPY install-gocd-plugins /usr/local/sbin/install-gocd-plugins
-COPY git-clone-config /usr/local/sbin/git-clone-config
+COPY --chown=go:root logback-include.xml /go-server/config/logback-include.xml
+COPY --chown=go:root install-gocd-plugins /usr/local/sbin/install-gocd-plugins
+COPY --chown=go:root git-clone-config /usr/local/sbin/git-clone-config
 
-ADD docker-entrypoint.sh /
+RUN chown -R go:root /go-server /docker-entrypoint.d /go-working-dir /godata /docker-entrypoint.sh \
+ && chmod -R g=u /go-server /docker-entrypoint.d /go-working-dir /godata /docker-entrypoint.sh
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
+
+USER go

README.md

@@ -2,12 +2,16 @@
 
 An alpine based docker image for [GoCD server](https://www.gocd.org).
 
+# Issues, feedback?
+
+Please make sure to log them at https://github.com/gocd/gocd.
+
 # Usage
 
 Start the container with this:
 
 ```shell
-docker run -d -p8153:8153 -p8154:8154 gocd/gocd-server:v19.5.0
+docker run -d -p8153:8153 -p8154:8154 gocd/gocd-server:v19.6.0
 ```
 
 This will expose container ports 8153(http) and 8154(https) onto your server.
@@ -22,7 +26,7 @@ artifacts, plugins, and logs into `/godata`. If you'd like to provide secure
 credentials like SSH private keys among other things, you can mount `/home/go`
 
 ```shell
-docker run -v /path/to/godata:/godata -v /path/to/home-dir:/home/go gocd/gocd-server:v19.5.0
+docker run -v /path/to/godata:/godata -v /path/to/home-dir:/home/go gocd/gocd-server:v19.6.0
 ```
 
 > **Note:** Ensure that `/path/to/home-dir` and `/path/to/godata` is accessible by the `go` user in container (`go` user - uid `1000`).
@@ -41,7 +45,7 @@ An example example would be `GOCD_PLUGIN_INSTALL_docker-elastic-agents=https://g
 ```shell
 docker run \
  -e GOCD_PLUGIN_INSTALL_docker-elastic-agents=https://github.com/gocd-contrib/docker-elastic-agents/releases/download/v0.8.0/docker-elastic-agents-0.8.0.jar \
- gocd/gocd-server:v19.5.0
+ gocd/gocd-server:v19.6.0
 ```
 
 To install multiple plugins, add several `-e` arguments as such:
@@ -50,7 +54,7 @@ To install multiple plugins, add several `-e` arguments as such:
 docker run \
  -e GOCD_PLUGIN_INSTALL_a-plugin=https://example.com/a-plugin.jar \
  -e GOCD_PLUGIN_INSTALL_b-plugin=https://example.com/b-plugin.jar \
- gocd/gocd-server:v19.5.0
+ gocd/gocd-server:v19.6.0
 ```
 
 ### Installing plugins using a custom entry-point script (see below)
@@ -72,7 +76,7 @@ Cloned repo **must** contain all files from `/godata/config` dir.
 docker run \
  -e CONFIG_GIT_REPO=https://gocd_user:<password_or_auth_token>/config.git \
  -e CONFIG_GIT_BRANCH=branch_with_config \
- gocd/gocd-server:v19.5.0
+ gocd/gocd-server:v19.6.0
 ```
 *Checkouted content would overwrite files in `/godata/config/`*.
 
@@ -82,13 +86,13 @@ docker run \
 To execute custom script(s) during the container boostrap, but **before** the GoCD server starts just add `-v /path/to/your/script.sh:/docker-entrypoint.d/your-script.sh` like so:
 
 ```shell
-docker run -v /path/to/your/script.sh:/docker-entrypoint.d/your-script.sh ... gocd/gocd-server:v19.5.0
+docker run -v /path/to/your/script.sh:/docker-entrypoint.d/your-script.sh ... gocd/gocd-server:v19.6.0
 ```
 
 If you have several scripts in a directory that you'd like to execute:
 
 ```shell
-docker run -v /path/to/script-dir:/docker-entrypoint.d ... gocd/gocd-server:v19.5.0
+docker run -v /path/to/script-dir:/docker-entrypoint.d ... gocd/gocd-server:v19.6.0
 ```
 
 > **Note:** Ensure that your scripts are executable `chmod a+x` — you can add as many scripts as you like, `bash` is available on the container. If your script uses other scripting language (perl, python), please ensure that the scripting language is installed in the container.
@@ -105,10 +109,10 @@ chown -R 1000 /path/to/godata/addons
 
 ## Tweaking JVM options (memory, heap etc)
 
-JVM options can be tweaked using the environment variable `GO_SERVER_SYSTEM_PROPERTIES`.
+JVM options can be tweaked using the environment variable `GOCD_SERVER_JVM_OPTS`.
 
 ```shell
-docker run -e GO_SERVER_SYSTEM_PROPERTIES="-Xmx4096mb -Dfoo=bar" gocd/gocd-server:v19.5.0
+docker run -e GOCD_SERVER_JVM_OPTS="-Xmx4096mb -Dfoo=bar" gocd/gocd-server:v19.6.0
 ```
 
 # Under the hood
@@ -131,7 +135,7 @@ Once the GoCD server is up, we should be able to determine its ip address and th
 The IP address and ports of the GoCD server in a docker container are important to know as they will be used by the GoCD agents to connect to it.
 If you have started the container with
 ```shell
-docker run --name server -it -p8153:8153 -p8154:8154 gocd/gocd-server:v19.5.0
+docker run --name server -it -p8153:8153 -p8154:8154 gocd/gocd-server:v19.6.0
 ```
 
 Then, the below commands will determine to GoCD server IP, server port and ssl port
@@ -141,6 +145,10 @@ docker inspect --format='{{(index (index .NetworkSettings.Ports "8153/tcp") 0).H
 docker inspect --format='{{(index (index .NetworkSettings.Ports "8154/tcp") 0).HostPort}}' server
 ```
 
+# Running GoCD Containers as Non Root
+
+With release `v19.6.0`, GoCD containers will run as non-root user, by default. The Dockerized GoCD application will run with user `go` (uid: `1000`) and group `root` (gid: `0`) instead of running as user `root` (uid: `0`) and group `root` (gid: `0`). For more information, checkout [Running Dockerized GoCD Containers as Non Root](https://www.gocd.org/2019/06/25/GoCD-non-root-containers/) blog post.
+
 # Troubleshooting
 
 ## The GoCD server does not come up

docker-entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2018 ThoughtWorks, Inc.
+# Copyright 2019 ThoughtWorks, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,76 +18,88 @@ yell() { echo "$0: $*" >&2; }
 die() { yell "$*"; exit 111; }
 try() { echo "$ $@" 1>&2; "$@" || die "cannot $*"; }
 
-VOLUME_DIR="/godata"
+declare -a _stringToArgs
+function stringToArgsArray() {
+ _stringToArgs=("$@")
+}
 
+SERVER_WORK_DIR="/go-working-dir"
 
 # no arguments are passed so assume user wants to run the gocd server
-# we prepend "/go-server/server.sh" to the argument list
+# we prepend "${SERVER_WORK_DIR}/bin/go-server console" to the argument list
 if [[ $# -eq 0 ]] ; then
- set -- /go-server/server.sh "$@"
+ set -- "${SERVER_WORK_DIR}/bin/go-server" console "$@"
 fi
 
-# if running go server as root, then initialize directory structure and call ourselves as `go` user
-if [ "$1" = '/go-server/server.sh' ]; then
+if [ "$1" = "${SERVER_WORK_DIR}/bin/go-server" ]; then
+ VOLUME_DIR="/godata"
 
- if [ "$(id -u)" = '0' ]; then
- export SERVER_WORK_DIR="/go-working-dir"
- export GO_CONFIG_DIR="/go-working-dir/config"
+ server_data_dirs=(artifacts config db logs plugins addons)
 
-  server_dirs=(artifacts config db logs plugins addons)
+ yell "Creating directories and symlinks to hold GoCD configuration, data, and logs"
 
- yell "Creating directories and symlinks to hold GoCD configuration, data, and logs"
+ for each_dir in "${server_data_dirs[@]}"; do
+ if [ ! -e "${VOLUME_DIR}/${each_dir}" ]; then
+ try mkdir -v "${VOLUME_DIR}/${each_dir}"
+ fi
 
- # ensure working dir exist
- if [ ! -e "${SERVER_WORK_DIR}" ]; then
- try mkdir "${SERVER_WORK_DIR}"
- try chown go:go "${SERVER_WORK_DIR}"
+ if [ ! -e "${SERVER_WORK_DIR}/${each_dir}" ]; then
+ try ln -sv "${VOLUME_DIR}/${each_dir}" "${SERVER_WORK_DIR}/${each_dir}"
  fi
+ done
+
+ wrapper_dirs=(bin lib run wrapper wrapper-config)
+
+ yell "Creating directories and symlinks to hold GoCD wrapper binaries"
 
- # ensure proper directory structure in the volume directory
- if [ ! -e "${VOLUME_DIR}" ]; then
- try mkdir "${VOLUME_DIR}"
- try chown go:go "${VOLUME_DIR}"
+ for each_dir in "${wrapper_dirs[@]}"; do
+ if [ ! -e "${SERVER_WORK_DIR}/${each_dir}" ]; then
+ try ln -sv "/go-server/${each_dir}" "${SERVER_WORK_DIR}/${each_dir}"
  fi
+ done
+
+ if [ ! -e "${SERVER_WORK_DIR}/config/logback-include.xml" ]; then
+ try cp -rfv "/go-server/config/logback-include.xml" "${SERVER_WORK_DIR}/config/logback-include.xml"
+ fi
+
+ try install-gocd-plugins
+ try git-clone-config
 
- for each_dir in "${server_dirs[@]}"; do
- if [ ! -e "${VOLUME_DIR}/${each_dir}" ]; then
- try mkdir -v "${VOLUME_DIR}/${each_dir}"
- try chown go:go "${VOLUME_DIR}/${each_dir}"
- fi
-
- if [ ! -e "${SERVER_WORK_DIR}/${each_dir}" ]; then
- try ln -sv "${VOLUME_DIR}/${each_dir}" "${SERVER_WORK_DIR}/${each_dir}"
- try chown go:go "${SERVER_WORK_DIR}/${each_dir}"
- fi
- done
-
- if [ ! -e "${SERVER_WORK_DIR}/config/logback-include.xml" ]; then
- try cp -rfv "/go-server/config/logback-include.xml" "${SERVER_WORK_DIR}/config/logback-include.xml"
- try chown go:go "${VOLUME_DIR}/config/logback-include.xml"
+ yell "Running custom scripts in /docker-entrypoint.d/ ..."
+
+ # to prevent expansion to literal string `/docker-entrypoint.d/*` when there is nothing matching the glob
+ shopt -s nullglob
+
+ for file in /docker-entrypoint.d/*; do
+ if [ -f "$file" ] && [ -x "$file" ]; then
+ try "$file"
+ else
+ yell "Ignoring $file, it is either not a file or is not executable"
  fi
+ done
 
- try install-gocd-plugins
- try git-clone-config
+ # setup the java binary and wrapper log
+ try sed -i \
+ -e "[email protected]=.*@/wrapper.logfile=${SERVER_WORK_DIR}/logs/go-server-wrapper.log@g" \
+ -e "[email protected]=.*@wrapper.java.command=${GO_JAVA_HOME}/bin/java@g" \
+ -e "[email protected]=.*@wrapper.working.dir=${SERVER_WORK_DIR}@g" \
+ /go-server/wrapper-config/wrapper.conf
 
- yell "Running custom scripts in /docker-entrypoint.d/ ..."
+ # parse/split an environment var to an array like how it should pass to the CLI
+ # GOCD_SERVER_JVM_OPTS is mostly for advanced users.
+ eval stringToArgsArray "$GOCD_SERVER_JVM_OPTS"
+ GOCD_SERVER_JVM_OPTS=("${_stringToArgs[@]}")
 
- # to prevent expansion to literal string `/docker-entrypoint.d/*` when there is nothing matching the glob
- shopt -s nullglob
 
- for file in /docker-entrypoint.d/*; do
- if [ -f "$file" ] && [ -x "$file" ]; then
- try "$file"
- else
- yell "Ignoring $file, it is either not a file or is not executable"
- fi
- done
+ GOCD_SERVER_JVM_OPTS+=("-Dgo.console.stdout=true")
 
- try exec /usr/local/sbin/tini -- /usr/local/sbin/gosu go "$0" "$@"
- fi
-fi
+ # write out each system property using its own index
+ for array_index in "${!GOCD_SERVER_JVM_OPTS[@]}"
+ do
+ tanuki_index=$(($array_index + 100))
+ echo "wrapper.java.additional.${tanuki_index}=${GOCD_SERVER_JVM_OPTS[$array_index]}" >> /go-server/wrapper-config/wrapper-properties.conf
+ done
 
-# these 3 vars are used by `/go-server/server.sh`, so we export
-export GO_SERVER_SYSTEM_PROPERTIES="${GO_SERVER_SYSTEM_PROPERTIES}${GO_SERVER_SYSTEM_PROPERTIES:+ }-Dgo.console.stdout=true"
+fi
 
-try exec "$@"
+try exec /usr/local/sbin/tini -- "$@"

git-clone-config

@@ -14,5 +14,4 @@ if [ ! -z "$CONFIG_GIT_REPO" ] && [ ! `git status` ]; then
  try git remote add origin $CONFIG_GIT_REPO 
  try git fetch
  try git checkout -f $BRANCH
- try chown -R go:go /godata/config
 fi

install-gocd-plugins

@@ -8,7 +8,6 @@ GOCD_PLUGIN_EXTERNAL_HOME="/godata/plugins/external"
 
 if [ ! -e "${GOCD_PLUGIN_EXTERNAL_HOME}" ]; then
  try mkdir -p "${GOCD_PLUGIN_EXTERNAL_HOME}"
- try chown go:go "${GOCD_PLUGIN_EXTERNAL_HOME}"
 fi
 
 (while IFS='=' read -r name value ; do
@@ -25,6 +24,5 @@ fi
  try rm "${plugin_dest}"
  fi
  try curl --silent --location --fail --retry 3 "${plugin_url}" --output "${plugin_dest}"
- try chown go:go "${plugin_dest}"
  fi
 done) < <(env)