From 1c0dd050dba6d3d30d25ff7cda0da047c0592e43 Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Sat, 5 Mar 2022 14:54:26 +0100 Subject: [PATCH 1/4] fix(Dockerfile): Make Dockerfile more consistent - Add proper switchable non root user - Add sudo capabilities - Add proper net tools and locale to container - Remove excessive use of uneeded layers for final image Signed-off-by: Helio Chissini de Castro --- Dockerfile | 66 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 44 insertions(+), 22 deletions(-) diff --git a/Dockerfile b/Dockerfile index e2689e4788..6847fcf065 100644 --- a/Dockerfile +++ b/Dockerfile @@ -117,23 +117,35 @@ RUN --mount=type=tmpfs,target=/build \ && rm -rf /deps #-------------------------------------------------------------------------------------------------- -# Base container +# Runtime image # We need use JDK, JRE is not enough as Liferay do runtime changes and require javac -FROM eclipse-temurin:11-jdk-focal as imagebase +FROM eclipse-temurin:11-jdk-focal WORKDIR /app/ ARG LIFERAY_SOURCE="liferay-ce-portal-tomcat-7.3.4-ga5-20200811154319029.tar.gz" +ENV LANG=en_US.UTF-8 +ENV LANGUAGE=en_US:en +ENV LC_ALL=en_US.UTF-8 + RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ --mount=type=cache,target=/var/lib/apt,sharing=locked \ apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ ca-certificates \ + curl \ gnupg2 \ + iproute2 \ + iputils-ping \ + libarchive-tools \ + locales \ lsof \ + netbase \ openssh-client \ + openssl \ tzdata \ + sudo \ vim \ unzip \ zip \ 
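Review bot: `ENV LC_ALL=en_US.UTF-8` (together with `LANG`/`LANGUAGE`) selects a locale that installing the `locales` package alone does not generate on focal, so unless the remainder of this `RUN` — which continues past the hunk — calls `locale-gen`, every shell started in the image will warn `setlocale: LC_ALL: cannot change locale` and fall back to C; append `&& locale-gen en_US.UTF-8` to the same `RUN` after the install step, or use the always-present `C.UTF-8` instead. The new `sudo` entry also breaks the alphabetical order of the package list (it sits after `tzdata`); move it between `openssl` and `tzdata`. Note that `curl`, `iproute2`, `iputils-ping` and `sudo` are added to the runtime image rather than to a build stage, which enlarges the toolset available to anyone who obtains code execution in the running container; a one-line comment stating why each is needed at runtime would help later reviewers decide whether it can be dropped.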
@@ -146,40 +158,50 @@ COPY --from=thriftbuild /thrift-bin.tar.gz . RUN tar xzf thrift-bin.tar.gz -C / \ && rm thrift-bin.tar.gz +ENV LIFERAY_HOME=/app/sw360 +ENV LIFERAY_INSTALL=/app/sw360 + +ARG USERNAME=sw360 +ARG USER_ID=1000 +ARG USER_GID=$USER_ID +ARG HOMEDIR=/workspace +ENV HOME=$HOMEDIR + # Prepare system for non-priv user -RUN groupadd --gid 1000 sw360 \ - && useradd --uid 1000 --gid sw360 --shell /bin/bash --home-dir /workspace --create-home sw360 +RUN groupadd --gid $USER_GID $USERNAME \ + && useradd \ + --uid $USER_ID \ + --gid $USER_GID \ + --shell /bin/bash \ + --home-dir $HOMEDIR \ + --create-home $USERNAME + +# sudo support +RUN echo "$USERNAME ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/$USERNAME \ + && chmod 0440 /etc/sudoers.d/$USERNAME # Unpack liferay as sw360 and link current tomcat version # to tomcat to make future proof updates RUN mkdir sw360 \ - && tar xzf /deps/$LIFERAY_SOURCE -C sw360 --strip-components=1 \ + && tar xzf /deps/$LIFERAY_SOURCE -C $USERNAME --strip-components=1 \ && cp /deps/jars/* sw360/deploy \ - && chown -R sw360:sw360 sw360 \ + && chown -R $USERNAME:$USERNAME sw360 \ && ln -s /app/sw360/tomcat-* /app/sw360/tomcat \ && rm -rf /deps -#-------------------------------------------------------------------------------------------------- -# SW360 Final image - -FROM imagebase - -ENV LIFERAY_HOME=/app/sw360 -ENV LIFERAY_INSTALL=/app/sw360 - -COPY --chown=sw360:sw360 --from=sw360build /sw360_deploy/* /app/sw360/deploy -COPY --chown=sw360:sw360 --from=sw360build /sw360_tomcat_webapps/* /app/sw360/tomcat/webapps/ -COPY --chown=sw360:sw360 --from=clucenebuild /couchdb-lucene.war /app/sw360/tomcat/webapps/ +COPY --chown=$USERNAME:$USERNAME --from=sw360build /sw360_deploy/* /app/sw360/deploy +COPY --chown=$USERNAME:$USERNAME --from=sw360build /sw360_tomcat_webapps/* /app/sw360/tomcat/webapps/ +COPY --chown=$USERNAME:$USERNAME --from=clucenebuild /couchdb-lucene.war /app/sw360/tomcat/webapps/ # Copy tomcat base files -COPY 
--chown=sw360:sw360 ./scripts/docker-config/setenv.sh /app/sw360/tomcat/bin +COPY --chown=$USERNAME:$USERNAME ./scripts/docker-config/setenv.sh /app/sw360/tomcat/bin # Copy liferay/sw360 config files -COPY --chown=sw360:sw360 ./scripts/docker-config/portal-ext.properties /app/sw360/portal-ext.properties -COPY --chown=sw360:sw360 ./scripts/docker-config/etc_sw360 /etc/sw360 -COPY --chown=sw360:sw360 ./scripts/docker-config/entry_point.sh /app/entry_point.sh +COPY --chown=$USERNAME:$USERNAME ./scripts/docker-config/portal-ext.properties /app/sw360/portal-ext.properties +COPY --chown=$USERNAME:$USERNAME ./scripts/docker-config/etc_sw360 /etc/sw360 +COPY --chown=$USERNAME:$USERNAME ./scripts/docker-config/entry_point.sh /app/entry_point.sh -USER sw360 +USER $USERNAME STOPSIGNAL SIGINT From 7dd31343d08fd7f1293137d635281519f7307b3d Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Sat, 5 Mar 2022 15:03:02 +0100 Subject: [PATCH 2/4] feat(compose): Common network adn Fossology decoupling - Decouple from Fossology. README_DOCKER.mdhas instructions on how to use external Fossology docker if wanted - Updated to Postgres 14 - Removed all Fossology related Docker configs - Use a common internal network called sw360net Signed-off-by: Helio Chissini de Castro --- README_DOCKER.md | 100 ++++++++++++------ docker-compose.yml | 17 +-- docker_build.sh | 23 +++- fossology-docker-compose.yml | 28 ----- scripts/docker-config/default.docker.env | 29 ----- .../pg-init-scripts/fossology.sql | 12 --- 6 files changed, 100 insertions(+), 109 deletions(-) delete mode 100644 fossology-docker-compose.yml delete mode 100644 scripts/docker-config/default.docker.env delete mode 100644 scripts/docker-config/pg-init-scripts/fossology.sql diff --git a/README_DOCKER.md b/README_DOCKER.md index 1a1ecbcac5..1b85582d05 100644 --- a/README_DOCKER.md +++ b/README_DOCKER.md 
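Review bot: `tar xzf /deps/$LIFERAY_SOURCE -C $USERNAME --strip-components=1` now extracts into a directory named after the build user, but the directory created on the preceding line is still the literal `mkdir sw360`, and the following `cp`, `chown`, `ln -s`, `ENV LIFERAY_HOME=/app/sw360` and every `COPY` destination keep `sw360` as well; the build only succeeds because `USERNAME` defaults to `sw360`, and overriding `--build-arg USERNAME=…` will fail at the tar step. Keep the install path literal, `-C sw360`, so the account name and the directory stay independent. Separately, `echo "$USERNAME ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/$USERNAME` makes the service account root-equivalent, so the later `USER $USERNAME` no longer bounds what a compromised Tomcat/Liferay process can do inside the container; if sudo is only wanted for interactive debugging, gate it behind a build arg that defaults off, e.g. `ARG ENABLE_SUDO=false` followed by `RUN if [ "$ENABLE_SUDO" = "true" ]; then echo "$USERNAME ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/$USERNAME && chmod 0440 /etc/sudoers.d/$USERNAME; fi`, or leave the `sudo` package out of the runtime image entirely.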
@@ -25,45 +25,54 @@ The script will download all dependencies in the deps folder. Docker compose for sw360 are configured with default entries on docker-compose.yml. - The default sample environment file is under `scripts/docker-config/default.docker.env` - - The config file looks like this: + + The config entries that can be modifiled: ```ini - # scripts/docker-config/default.docker.env + # Postgres POSTGRES_USER=liferay POSTGRES_PASSWORD=liferay POSTGRES_DB=lportal + # Couchdb COUCHDB_USER=admin COUCHDB_PASSWORD=password COUCHDB_CREATE_DATABASE=yes - SW360_DATA=./data/sw360 ``` - By default, data for postgres, couchdb and sw360 document will be persisted under `data` on current directory. + By default couchdb, postgres and sw360 have their own storage volumes: - If you want to override all configs, copy `scripts/docker-config/default.docker.env` to project root as `.env` file and alter for your needs. + **Postgres** + ```yml + - postgres:/var/lib/postgresql/data/ + ``` - Then just rebuild the project with -env_file option + **CouchDB** + ```yml + - couchdb:/opt/couchdb/data + ``` -* Proxy setup + **sw360** + ```yml + - etc:/etc/sw360 + - webapps:/app/sw360/tomcat/webapps + - document_library:/app/sw360/data/document_library + ``` + There's a local mounted as binded dir volume to add customizations + ```yml + - ./config:/app/sw360/config + ``` - To build under proxy system, add this options on your custom env file: + If you want to override all configs, create a docker env file and alter for your needs. 
- ```ini - PROXY_ENABLED=true - PROXY_HTTP_HOST= - PROXY_HTTPS_HOST= - PROXY_PORT= - ``` + Then just rebuild the project with **-env_file** option -### Fossology -If you want to add Fossology in the mix, add FOSSOLOGY=1 on the build: +## Networking + +This composed image runs unde a single ndefault network, called **sw360net** + +So any external docker image can connect to internal couchdb or postgresql through this network -```sh -FOSSOLOGY=1 ./docker_build.sh -``` ## Running the image @@ -73,16 +82,10 @@ FOSSOLOGY=1 ./docker_build.sh docker-compose up ``` - or with fossology ( see above build instructions ) - - ```sh - docker-compose -f docker-compose.yml -f fossology-docker-compose.yml up - ``` - * With custom env file ```sh - docker-compose --env-file up + docker-compose --env-file up ``` You can add **-d** parameter at end of line to start in daemon mode and see the logs with the following command: 
@@ -91,13 +94,47 @@ FOSSOLOGY=1 ./docker_build.sh docker logs -f sw360 ``` +## Fossology +For docker based approach, is recommended use official [Fossology docker image](https://hub.docker.com/r/fossology/fossology/) + +This is the steps to quick perform this: + +```sh +# Create Fossology database on ingternal postgres +docker exec -it sw360_postgresdb_1 createdb -U liferay -W fossology + +# Start Fossology container connected to sw360 env +docker run \ + --network sw360net \ + -p 8081:80 \ + -name fossology \ + -e FOSSOLOGY_DB_HOST=postgresdb \ + -e FOSSOLOGY_DB_USER=liferay \ + -e FOSSOLOGY_DB_PASSWORD=liferay \ + -d fossology/fossology +``` + +This will pull/start the fossology container and made it available on the host machine at port 8081 + +### Configure Fossology + +* **On Fossology** + * Login on Fossology + * Create an API token for the user intended to be used +* **On sw360** + * Go to fossology admin config + * Add the host, will be something like: `http(s)://:8081/repo/api/v1/` + * Add the id of folder. The default id is **1** (Software Repository). You can get the ID of the folder you want from the folder URL in FOssology + * Add your obtained Token from Fossology + + ## Configurations -By default, docker image of SW360 runs without internal web server and is assigned to be SSL as default. This is configured on *portal-ext.properties* +By default, docker image of sw360 runs without internal web server and is assigned to be on port 8080. This is configured on *portal-ext.properties* Here's some extra configurations that can be useful to fix some details. -## Customize portal-ext +### Customize portal-ext The config file __portal-ext.properties__ overrides a second file that can be created to add a custom configuration with all data related to your necessities. 
@@ -113,6 +150,7 @@ cat "company.default.name=MYCOMPANY" > config/sw360-portal-ext.properties Docker compose with treat config as a bind volume dir and will expose to application. + ### CSS layout looks wrong If you do not use an external web server with redirection ( see below ), you may find the main CSS theme scrambled ( not properly loaded ) @@ -127,6 +165,7 @@ web.server.host=: This will tell liferay where is your real host instead of trying to guess the wrong host. + ### Nginx config for reverse proxy and X-Frame issues on on host machine ( not docker ) For nginx, assuming you are using default config for your sw360, this is a simple configuration for root web server under Ubuntu. @@ -147,6 +186,7 @@ For nginx, assuming you are using default config for your sw360, this is a simpl ***WARNING*** - X-frame is enabled wide open for development purposes. If you intend to use the above config in production, remember to properly secure the web server. + ### Make https only **port 443** default Modify the following line on your custom __portal-sw360.properties__ to https: diff --git a/docker-compose.yml b/docker-compose.yml index 48e7d62a08..892339715f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -30,8 +30,9 @@ services: - webapps:/app/sw360/tomcat/webapps - document_library:/app/sw360/data/document_library - ./config:/app/sw360/config + postgresdb: - image: 'postgres:13' + image: 'postgres:14' restart: unless-stopped environment: - POSTGRES_USER=liferay @@ -58,8 +59,12 @@ services: - couchdb:/opt/couchdb/data volumes: - postgres: - couchdb: - etc: - webapps: - document_library: + postgres: null + couchdb: null + etc: null + webapps: null + document_library: null + +networks: + default: + name: sw360net diff --git a/docker_build.sh b/docker_build.sh index b5af18f0b3..58bb9d9099 100755 --- a/docker_build.sh +++ b/docker_build.sh 
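Review bot: `image: 'postgres:14'` is a major-version change for a service whose data directory is persisted in the `postgres` volume (`postgres:/var/lib/postgresql/data/` in this file), and a PostgreSQL 14 server refuses to start on a cluster initialised by 13, so existing deployments that pull and restart after this commit will get a failing `postgresdb` container until the data is dumped/restored or migrated with `pg_upgrade`. Either document that migration step in README_DOCKER.md alongside the bump, or keep `postgres:13` here and bump in a separate, clearly flagged change. Pinning a minor tag (`postgres:14.<minor>`) rather than the floating major would also keep rebuilds reproducible.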
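Review bot: naming the default network `sw360net` is what lets containers outside this compose file (the README's Fossology example) reach `postgresdb` and `couchdb` directly, and the README in the same patch has Fossology connect as `liferay` — the `POSTGRES_USER` set in the service environment above, which the postgres image creates as the cluster superuser — whereas the deleted `fossology.sql` previously provisioned a dedicated `fossy` role with rights only on the `fossology` database. After this change one superuser credential is shared across the Liferay and Fossology databases by anything that joins the network; consider keeping a `pg-init-scripts` step that creates a least-privilege role for Fossology and pointing the README at it. A short comment on the `networks:` block, e.g. `# named so that external containers (e.g. Fossology) can join; services here trust anything on this network`, would make the trust boundary explicit.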
@@ -1,4 +1,4 @@ -#!/bin/bash -x +#!/bin/bash # ----------------------------------------------------------------------------- # Copyright BMW CarIT GmbH 2021 @@ -27,13 +27,28 @@ COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 export DOCKER_BUILDKIT COMPOSE_DOCKER_CLI_BUILD -[ -n "$FOSSOLOGY" ] && extra_args="-f $GIT_ROOT/fossology-docker-compose.yml" -[ -n "$VERBOSE" ] && docker_verbose="--progress=plain" +usage() { + echo "Usage:" + echo "-v Verbose build" + exit 0; +} + +while getopts "hv" arg; do + case $arg in + h) + usage + ;; + v) + docker_verbose="--progress=plain" + ;; + *) + ;; + esac +done #shellcheck disable=SC2086 docker-compose \ --file "$GIT_ROOT"/docker-compose.yml \ - $extra_args \ build \ --build-arg BUILDKIT_INLINE_CACHE=1 \ $docker_verbose \ diff --git a/fossology-docker-compose.yml b/fossology-docker-compose.yml deleted file mode 100644 index 7d44c84de4..0000000000 --- a/fossology-docker-compose.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright BMW CarIT GmbH, 2021. -# -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 - -version: '3.8' - -services: - sw360: - depends_on: - - fossology - postgresdb: - volumes: - - ./scripts/docker-config/pg-init-scripts/fossology.sql:/docker-entrypoint-initdb.d/fossology.sql - fossology: - image: fossology/fossology - environment: - - FOSSOLOGY_DB_HOST=postgresdb - - FOSSOLOGY_DB_USER=fossy - - FOSSOLOGY_DB_PASSWORD=fossy - - FOSSOLOGY_SCHEDULER_HOST=scheduler - depends_on: - - postgresdb - ports: - - 8181:80 diff --git a/scripts/docker-config/default.docker.env b/scripts/docker-config/default.docker.env deleted file mode 100644 index 1560bea2d8..0000000000 --- a/scripts/docker-config/default.docker.env +++ /dev/null 
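Review bot: in the new `getopts` loop the `*)` branch is empty, so an unknown option only produces getopts' own diagnostic and the build proceeds anyway, and `usage` always `exit 0`s, which makes `-h` indistinguishable from an error for callers; give `usage` an exit-code argument, `exit "${1:-0}"`, and make the fall-through `*) usage 1 ;;`. Also, the `VERBOSE` environment variable that previously enabled `--progress=plain` is no longer read, so CI jobs or users exporting it lose verbose output silently — either keep `[ -n "$VERBOSE" ] && docker_verbose="--progress=plain"` next to the `-v` handling or call the removal out in README_DOCKER.md. The `docker-compose build` invocation this loop feeds continues past the end of the hunk.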
@@ -1,29 +0,0 @@ -# Copyright BMW CarIT GmbH, 2021. -# -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 - -# Postgres -POSTGRES_USER=liferay -POSTGRES_PASSWORD=liferay -POSTGRES_DB=lportal - -# Couchdb -COUCHDB_USER=admin -COUCHDB_PASSWORD=password -COUCHDB_CREATE_DATABASE=yes - -# Proxy -PROXY_ENABLED=false -PROXY_HTTP_HOST=your_http_proxy_ip -PROXY_HTTPS_HOST=your_https_proxy_ip -PROXY_PORT=10 - -# Fossology -FOSSOLOGY_DB_HOST=postgresdb -FOSSOLOGY_DB_USER=fossy -FOSSOLOGY_DB_PASSWORD=fossy -FOSSOLOGY_SCHEDULER_HOST=scheduler diff --git a/scripts/docker-config/pg-init-scripts/fossology.sql b/scripts/docker-config/pg-init-scripts/fossology.sql deleted file mode 100644 index ece15e9709..0000000000 --- a/scripts/docker-config/pg-init-scripts/fossology.sql +++ /dev/null @@ -1,12 +0,0 @@ --- Copyright BMW CarIT GmbH, 2021. --- --- This program and the accompanying materials are made --- available under the terms of the Eclipse Public License 2.0 --- which is available at https://www.eclipse.org/legal/epl-2.0/ --- --- SPDX-License-Identifier: EPL-2.0 - -CREATE USER fossy; -ALTER USER fossy WITH ENCRYPTED PASSWORD 'fossy'; -CREATE DATABASE fossology; -GRANT ALL PRIVILEGES ON DATABASE fossology TO fossy; From ea798093cea0cd90e7f6235d1ba9f2bc22b0bf3a Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Mon, 7 Mar 2022 10:28:51 +0100 Subject: [PATCH 3/4] Update README_DOCKER with typos fixing --- README_DOCKER.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_DOCKER.md b/README_DOCKER.md index 1b85582d05..bf5acd0088 100644 --- a/README_DOCKER.md +++ b/README_DOCKER.md 
@@ -100,7 +100,7 @@ For docker based approach, is recommended use official [Fossology docker image]( This is the steps to quick perform this: ```sh -# Create Fossology database on ingternal postgres +# Create Fossology database on internal postgres docker exec -it sw360_postgresdb_1 createdb -U liferay -W fossology # Start Fossology container connected to sw360 env From ce57d9b59d98e1dad4d1aa2c89ed72f2ac2cb6a3 Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Tue, 8 Mar 2022 12:07:57 +0100 Subject: [PATCH 4/4] Update information about port redirection --- README_DOCKER.md | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/README_DOCKER.md b/README_DOCKER.md index bf5acd0088..a7bf448527 100644 --- a/README_DOCKER.md +++ b/README_DOCKER.md 
@@ -151,16 +151,29 @@ cat "company.default.name=MYCOMPANY" > config/sw360-portal-ext.properties Docker compose with treat config as a bind volume dir and will expose to application. -### CSS layout looks wrong +### Make **HTTPS** default -If you do not use an external web server with redirection ( see below ), you may find the main CSS theme scrambled ( not properly loaded ) +Modify the following line on your custom __portal-sw360.properties__ to https: + +```ini +web.server.protocol=https +``` + +### CSS layout looks wrong or using non standard ports + +If you do not use an external web server with redirection ( see below ), you may find the main CSS theme scrambled ( not properly loaded ) or you are using a different port This happens because current Liferay used version try to access the theme using only canonical hostname, without the port assigned, so leading to an invalid CSS url. -To fix, you will need to change *portal-ext.properties* in data directory ( or your assigned data directory ) with the following extra value: +To fix, you will need to change __portal-sw360.properties__ ( as described above ) with the following extra values: ```ini -web.server.host=: +# For different hostname redirection +web.server.host= +# For HTTP non standard 80 port +web.server.http.port= +# For HTTPS non standard 443 port +web.server.https.port= ``` This will tell liferay where is your real host instead of trying to guess the wrong host. 
@@ -187,14 +200,6 @@ For nginx, assuming you are using default config for your sw360, this is a simpl ***WARNING*** - X-frame is enabled wide open for development purposes. If you intend to use the above config in production, remember to properly secure the web server. -### Make https only **port 443** default - -Modify the following line on your custom __portal-sw360.properties__ to https: - -```ini -web.server.protocol=https -``` - ### Liferay Redirects Liferay by default for security reasons do not allow redirect for unknown ips/domains, mostly on admin modules, so is necessary to add your domain or ip to the redirect allowed lists in custom __portal-sw360.properties__.