Base images bump

deploy/Dockerfile.all-in-one

@@ -1,5 +1,5 @@
 # Docker build for all-in-one Stratos
-FROM splatform/stratos-aio-base:opensuse as builder
+FROM splatform/stratos-aio-base:leap15_1 as builder
 
 # Ensure that we copy the custom-src folder
 COPY --chown=stratos:users . ./
@@ -17,7 +17,7 @@ RUN CERTS_PATH=/home/stratos/dev-certs ./generate_cert.sh \
     && chmod +x jetstream
 
 # use --target=aio to build All-in-one image
-FROM splatform/stratos-bk-base:opensuse
+FROM splatform/stratos-bk-base:leap15_1
 ARG CANARY_BUILD
 COPY --from=builder /home/stratos/deploy/db /src/deploy/db
 COPY --from=builder /home/stratos/dev-certs /srv/dev-certs

deploy/Dockerfile.bk

@@ -1,4 +1,4 @@
-FROM splatform/stratos-bk-build-base:opensuse as builder
+FROM splatform/stratos-bk-build-base:leap15_1 as builder
 ARG stratos_version
 RUN mkdir -p /home/stratos
 WORKDIR /home/stratos
@@ -7,12 +7,12 @@ RUN go version
 RUN npm install
 RUN npm run build-backend
 
-FROM splatform/stratos-bk-base:opensuse as common-build
+FROM splatform/stratos-bk-base:leap15_1 as common-build
 COPY --from=builder /home/stratos/src/jetstream/jetstream /srv/
 RUN chmod +x /srv/jetstream
 
 # use --target=db-migrator to build db-migrator image
-FROM splatform/stratos-bk-base:opensuse as db-migrator
+FROM splatform/stratos-bk-base:leap15_1 as db-migrator
 WORKDIR /src
 COPY deploy/db/dbconf.yml db/dbconf.yml
 COPY deploy/db/scripts/development.sh .
@@ -23,15 +23,15 @@ RUN chmod +x development.sh
 CMD bash /src/wait-for-it.sh -t 90 mariadb:3306 && bash /src/development.sh
 
 # use --target=postflight-job to build prod postflight-job
-FROM splatform/stratos-bk-base:opensuse as postflight-job
+FROM splatform/stratos-bk-base:leap15_1 as postflight-job
 RUN zypper -n in mariadb-client
 COPY --from=common-build /srv/jetstream /usr/local/bin/jetstream
 COPY deploy/db/dbconf.yml db/dbconf.yml
 COPY deploy/db/scripts/run-postflight-job.k8s.sh /run-postflight-job.sh
 CMD ["/run-postflight-job.sh"]
 
 # use --target=prod-build to build a backend image for Kubernetes
-FROM splatform/stratos-bk-base:opensuse as prod-build
+FROM splatform/stratos-bk-base:leap15_1 as prod-build
 RUN zypper in -y curl
 COPY deploy/containers/proxy/entrypoint.sh /entrypoint.sh
 COPY /deploy/db/scripts/run-preflight-job.sh /run-preflight-job.sh

deploy/Dockerfile.ui

@@ -1,4 +1,4 @@
-FROM splatform/stratos-ui-build-base:opensuse as base-build
+FROM splatform/stratos-ui-build-base:leap15_1 as base-build
 ARG project
 ARG branch
 ARG commit
@@ -13,7 +13,7 @@ RUN npm install && \
     mkdir -p /usr/dist && \
     cp -R dist/* /usr/dist
 
-FROM splatform/stratos-nginx-base:opensuse as prod-build
+FROM splatform/stratos-nginx-base:leap15_1 as prod-build
 RUN mkdir -p /usr/share/doc/suse
 COPY  deploy/containers/nginx/LICENSE.txt /usr/share/doc/suse/LICENSE.txt
 COPY  deploy/containers/nginx/conf/nginx.k8s.conf /etc/nginx/nginx.conf
@@ -22,7 +22,7 @@ COPY deploy/containers/nginx/run-nginx.sh/ /run-nginx.sh
 EXPOSE 80 443
 CMD [ "/run-nginx.sh" ]
 
-FROM splatform/stratos-nginx-base:opensuse as dev-build
+FROM splatform/stratos-nginx-base:leap15_1 as dev-build
 RUN mkdir -p /etc/secrets/ && \
   openssl req -batch -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /etc/secrets/server.key -out /etc/secrets/server.crt && \
   chmod 0600 /etc/secrets && \

deploy/ci/scripts/Dockerfile.stratos-ci

@@ -6,7 +6,7 @@
 # Default Image used to run tasks - contains Helm
 
 # Builder for the github release tool
-FROM splatform/stratos-go-build-base:opensuse as go-base
+FROM splatform/stratos-go-build-base:leap15_1 as go-base
 RUN export GOPATH=/home/stratos/go && \
     mkdir -p ${GOPATH} && \
     go get github.com/aktau/github-release

deploy/common-build.sh

@@ -43,7 +43,7 @@ function buildAndPublishImage {
 
 # Proxy support
 # Remove intermediate containers after a successful build
-BUILD_ARGS="--rm=true"
+BUILD_ARGS="--rm=true --squash"
 RUN_ARGS=""
 if [ -n "${http_proxy:-}" -o -n "${HTTP_PROXY:-}" ]; then
   BUILD_ARGS="${BUILD_ARGS} --build-arg http_proxy=${http_proxy:-${HTTP_PROXY}}"

deploy/containers/nginx/Dockerfile.dc

@@ -1,4 +1,4 @@
-FROM splatform/stratos-nginx-base:opensuse
+FROM splatform/stratos-nginx-base:leap15_1
 
 RUN mkdir -p /etc/secrets/ && \
   openssl req -batch -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /etc/secrets/server.key -out /etc/secrets/server.crt && \

deploy/db/Dockerfile.mariadb

@@ -1,6 +1,13 @@
-FROM splatform/stratos-db-base:opensuse
+FROM splatform/stratos-db-base:leap15_1
+
+# See: https://github.com/docker-library/mariadb/blob/master/10.2/Dockerfile
+RUN \
+	find /etc/ -name 'my*.cnf' -print0 \
+		| xargs -0 grep -lZE '^(bind-address|log)' \
+		| xargs -rt -0 sed -Ei 's/^(bind-address|log)/#&/'; 
 
 COPY mariadb-entrypoint.sh /docker-entrypoint.sh
+COPY mariadb-ping.sh /dbping.sh
 
 # ENTRYPOINT
 ENTRYPOINT ["/docker-entrypoint.sh"]

deploy/db/mariadb-entrypoint.sh

@@ -1,49 +1,214 @@
 #!/bin/bash
-set -e
-
-MYSQL_DATADIR="/var/lib/mysql"
-
-if [ ! -d "$MYSQL_DATADIR/mysql" ]; then
-  # if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" ]; then
-  #   echo >&2 'error: database is uninitialized and MYSQL_ROOT_PASSWORD not set'
-  #   echo >&2 '  Did you forget to add -e MYSQL_ROOT_PASSWORD=... ?'
-  #   exit 1
-  # fi
-
-  echo 'Running mysql_install_db ...'
-  mysql_install_db --user=mysql --datadir="$MYSQL_DATADIR"
-  echo 'Finished mysql_install_db'
-
-  # These statements _must_ be on individual lines, and _must_ end with
-  # semicolons (no line breaks or comments are permitted).
-  # TODO proper SQL escaping on ALL the things D:
-
- tempSqlFile='/tmp/mysql-first-time.sql'
-  cat > "$tempSqlFile" <<-EOSQL
-DELETE FROM mysql.user ;
-CREATE USER 'root'@'%' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
-GRANT ALL ON *.* TO 'root'@'%' WITH GRANT OPTION ;
-DROP DATABASE IF EXISTS test ;
-EOSQL
-
-  if [ "$MYSQL_DATABASE" ]; then
-    echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" >> "$tempSqlFile"
-  fi
-
-  if [ "$MYSQL_USER" -a "$MYSQL_PASSWORD" ]; then
-    echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" >> "$tempSqlFile"
-
-    if [ "$MYSQL_DATABASE" ]; then
-      echo "GRANT ALL ON \`$MYSQL_DATABASE\`.* TO '$MYSQL_USER'@'%' ;" >> "$tempSqlFile"
-    fi
-  fi
-
-  echo 'FLUSH PRIVILEGES ;' >> "$tempSqlFile"
-  set -- "$@" --init-file="$tempSqlFile"
+
+###########################################################################################################
+#
+# This is the entrypoint script taken from here: https://github.com/docker-library/mariadb/tree/master/10.2
+#
+# There is one change - which is clearly marked below
+#
+###########################################################################################################
+
+set -eo pipefail
+shopt -s nullglob
+
+# if command starts with an option, prepend mysqld
+if [ "${1:0:1}" = '-' ]; then
+	set -- mysqld "$@"
 fi
 
-chown -R mysql:mysql "$MYSQL_DATADIR"
-mkdir /var/run/mysql
-chown -R mysql:mysql /var/run/mysql
+# skip setup if they want an option that stops mysqld
+wantHelp=
+for arg; do
+	case "$arg" in
+		-'?'|--help|--print-defaults|-V|--version)
+			wantHelp=1
+			break
+			;;
+	esac
+done
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+_check_config() {
+	toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" )
+	if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
+		cat >&2 <<-EOM
+
+			ERROR: mysqld failed while attempting to check config
+			command was: "${toRun[*]}"
+
+			$errors
+		EOM
+		exit 1
+	fi
+}
+
+# Fetch value from server config
+# We use mysqld --verbose --help instead of my_print_defaults because the
+# latter only show values present in config files, and not server defaults
+_get_config() {
+	local conf="$1"; shift
+	"$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \
+		| awk '$1 == "'"$conf"'" && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
+	# match "datadir      /some/path with/spaces in/it here" but not "--xyz=abc\n     datadir (xyz)"
+}
+
+# allow the container to be started with `--user`
+if [ "$1" = 'mysqld' -a -z "$wantHelp" -a "$(id -u)" = '0' ]; then
+	_check_config "$@"
+	DATADIR="$(_get_config 'datadir' "$@")"
+	mkdir -p "$DATADIR"
+	find "$DATADIR" \! -user mysql -exec chown mysql '{}' +
+	exec gosu mysql "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'mysqld' -a -z "$wantHelp" ]; then
+	# still need to check config, container may have started with --user
+	_check_config "$@"
+	# Get config
+	DATADIR="$(_get_config 'datadir' "$@")"
+
+	echo "Data dir is: ${DATADIR}"
+
+	if [ ! -d "$DATADIR/mysql" ]; then
+		file_env 'MYSQL_ROOT_PASSWORD'
+		if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
+			echo >&2 'error: database is uninitialized and password option is not specified '
+			echo >&2 '  You need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD'
+			exit 1
+		fi
+
+		mkdir -p "$DATADIR"
+		# ========================================
+		# Stratos changes
+		chown -R mysql:mysql "$DATADIR"
+		# ========================================
+
+		echo 'Initializing database'
+		installArgs=( --datadir="$DATADIR" --rpm )
+		if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then
+			# beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password
+			# see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3
+			# (this flag doesn't exist in 10.0 and below)
+			installArgs+=( --auth-root-authentication-method=normal )
+		fi
+		# "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here)
+		mysql_install_db "${installArgs[@]}" "${@:2}"
+		echo 'Database initialized'
+
+		SOCKET="$(_get_config 'socket' "$@")"
+		"$@" --skip-networking --socket="${SOCKET}" &
+		pid="$!"
+
+		mysql=( mysql --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" )
+
+		for i in {30..0}; do
+			if echo 'SELECT 1' | "${mysql[@]}" &> /dev/null; then
+				break
+			fi
+			echo 'MySQL init process in progress...'
+			sleep 1
+		done
+		if [ "$i" = 0 ]; then
+			echo >&2 'MySQL init process failed.'
+			exit 1
+		fi
+
+		if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then
+			# sed is for https://bugs.mysql.com/bug.php?id=20545
+			mysql_tzinfo_to_sql /usr/share/zoneinfo | sed 's/Local time zone must be set--see zic manual page/FCTY/' | "${mysql[@]}" mysql
+		fi
+
+		if [ ! -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
+			export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)"
+			echo "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD"
+		fi
+
+		rootCreate=
+		# default root to listen for connections from anywhere
+		file_env 'MYSQL_ROOT_HOST' '%'
+		if [ ! -z "$MYSQL_ROOT_HOST" -a "$MYSQL_ROOT_HOST" != 'localhost' ]; then
+			# no, we don't care if read finds a terminating character in this heredoc
+			# https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
+			read -r -d '' rootCreate <<-EOSQL || true
+				CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
+				GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ;
+			EOSQL
+		fi
+
+		"${mysql[@]}" <<-EOSQL
+			-- What's done in this file shouldn't be replicated
+			--  or products like mysql-fabric won't work
+			SET @@SESSION.SQL_LOG_BIN=0;
+
+			DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
+			SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
+			GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
+			${rootCreate}
+			DROP DATABASE IF EXISTS test ;
+			FLUSH PRIVILEGES ;
+		EOSQL
+
+		if [ ! -z "$MYSQL_ROOT_PASSWORD" ]; then
+			mysql+=( -p"${MYSQL_ROOT_PASSWORD}" )
+		fi
+
+		file_env 'MYSQL_DATABASE'
+		if [ "$MYSQL_DATABASE" ]; then
+			echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" | "${mysql[@]}"
+			mysql+=( "$MYSQL_DATABASE" )
+		fi
+
+		file_env 'MYSQL_USER'
+		file_env 'MYSQL_PASSWORD'
+		if [ "$MYSQL_USER" -a "$MYSQL_PASSWORD" ]; then
+			echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" | "${mysql[@]}"
+
+			if [ "$MYSQL_DATABASE" ]; then
+				echo "GRANT ALL ON \`$MYSQL_DATABASE\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"
+			fi
+		fi
+
+		echo
+		for f in /docker-entrypoint-initdb.d/*; do
+			case "$f" in
+				*.sh)     echo "$0: running $f"; . "$f" ;;
+				*.sql)    echo "$0: running $f"; "${mysql[@]}" < "$f"; echo ;;
+				*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${mysql[@]}"; echo ;;
+				*)        echo "$0: ignoring $f" ;;
+			esac
+			echo
+		done
+
+		if ! kill -s TERM "$pid" || ! wait "$pid"; then
+			echo >&2 'MySQL init process failed.'
+			exit 1
+		fi
+
+		echo
+		echo 'MySQL init process done. Ready for start up.'
+		echo
+	fi
+fi
 
-exec "$@"
+exec "$@"

deploy/db/mariadb-ping.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+mysqladmin --password="$MYSQL_ROOT_PASSWORD" --user=root ping