Merge pull request #11547 from poikilotherm/10998-ct-fix-password-script

ofahimIQSS · web-flow · commit 2ce695567603 · 2025-06-04T12:52:50.000-04:00
Fix password script in base container image
diff --git a/doc/sphinx-guides/source/container/base-image.rst b/doc/sphinx-guides/source/container/base-image.rst
@@ -289,6 +289,7 @@ provides. These are mostly based on environment variables (very common with cont
       - ``payara``
       - String
       - Set to secret string to change the Payara Linux User ("payara", default UID=1000) password.
+        *Note: changes /etc/shadow, usually incompatible with a read-only rootfs!*
     * - ``DOMAIN_PASSWORD``
       - ``changeit``
       - String
diff --git a/modules/container-base/src/backports/v6.4/001-fix-password-script.patch b/modules/container-base/src/backports/v6.4/001-fix-password-script.patch
@@ -0,0 +1,31 @@
+diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+index 0bf9d0b80f..b640e4d1fc 100644
+--- a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
++++ b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+@@ -8,7 +8,7 @@ set -euo pipefail
+ # Someone set the env var for passwords - get the new password in. Otherwise print warning.
+ # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
+ if [ "$LINUX_PASSWORD" != "payara" ]; then
+-  echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd
++  echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd || { echo "Linux password unchanged!"; }
+ else
+   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER \"${LINUX_USER}\"! ('payara')"
+   echo "           To change the password, set the LINUX_PASSWORD env var."
+@@ -19,7 +19,7 @@ if [ "$PAYARA_ADMIN_PASSWORD" != "admin" ]; then
+   PASSWORD_FILE=$(mktemp)
+   echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
+   echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
+-  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
++  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}" || { echo "Payara password unchanged!"; }
+   rm "$PASSWORD_FILE"
+ else
+   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ADMIN \"${PAYARA_ADMIN_USER}\"! ('admin')"
+@@ -35,7 +35,7 @@ if [ "$DOMAIN_PASSWORD" != "changeit" ]; then
+   PASSWORD_FILE=$(mktemp)
+   echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
+   echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_PASSWORD}" >> "$PASSWORD_FILE"
+-  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
++  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}" || { echo "Domain password unchanged!"; }
+   rm "$PASSWORD_FILE"
+ else
+   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN \"MASTER\" PASSWORD! ('changeit')"
diff --git a/modules/container-base/src/backports/v6.5/001-fix-password-script.patch b/modules/container-base/src/backports/v6.5/001-fix-password-script.patch
@@ -0,0 +1,31 @@
+diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+index 0bf9d0b80f..b640e4d1fc 100644
+--- a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
++++ b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+@@ -8,7 +8,7 @@ set -euo pipefail
+ # Someone set the env var for passwords - get the new password in. Otherwise print warning.
+ # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
+ if [ "$LINUX_PASSWORD" != "payara" ]; then
+-  echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd
++  echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd || { echo "Linux password unchanged!"; }
+ else
+   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER \"${LINUX_USER}\"! ('payara')"
+   echo "           To change the password, set the LINUX_PASSWORD env var."
+@@ -19,7 +19,7 @@ if [ "$PAYARA_ADMIN_PASSWORD" != "admin" ]; then
+   PASSWORD_FILE=$(mktemp)
+   echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
+   echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
+-  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
++  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}" || { echo "Payara password unchanged!"; }
+   rm "$PASSWORD_FILE"
+ else
+   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ADMIN \"${PAYARA_ADMIN_USER}\"! ('admin')"
+@@ -35,7 +35,7 @@ if [ "$DOMAIN_PASSWORD" != "changeit" ]; then
+   PASSWORD_FILE=$(mktemp)
+   echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
+   echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_PASSWORD}" >> "$PASSWORD_FILE"
+-  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
++  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}" || { echo "Domain password unchanged!"; }
+   rm "$PASSWORD_FILE"
+ else
+   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN \"MASTER\" PASSWORD! ('changeit')"
diff --git a/modules/container-base/src/backports/v6.6/001-fix-password-script.patch b/modules/container-base/src/backports/v6.6/001-fix-password-script.patch
@@ -0,0 +1,31 @@
+diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+index 0bf9d0b80f..b640e4d1fc 100644
+--- a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
++++ b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+@@ -8,7 +8,7 @@ set -euo pipefail
+ # Someone set the env var for passwords - get the new password in. Otherwise print warning.
+ # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
+ if [ "$LINUX_PASSWORD" != "payara" ]; then
+-  echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd
++  echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd || { echo "Linux password unchanged!"; }
+ else
+   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER \"${LINUX_USER}\"! ('payara')"
+   echo "           To change the password, set the LINUX_PASSWORD env var."
+@@ -19,7 +19,7 @@ if [ "$PAYARA_ADMIN_PASSWORD" != "admin" ]; then
+   PASSWORD_FILE=$(mktemp)
+   echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
+   echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
+-  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
++  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}" || { echo "Payara password unchanged!"; }
+   rm "$PASSWORD_FILE"
+ else
+   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ADMIN \"${PAYARA_ADMIN_USER}\"! ('admin')"
+@@ -35,7 +35,7 @@ if [ "$DOMAIN_PASSWORD" != "changeit" ]; then
+   PASSWORD_FILE=$(mktemp)
+   echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
+   echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_PASSWORD}" >> "$PASSWORD_FILE"
+-  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
++  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}" || { echo "Domain password unchanged!"; }
+   rm "$PASSWORD_FILE"
+ else
+   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN \"MASTER\" PASSWORD! ('changeit')"
diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
@@ -8,7 +8,7 @@ set -euo pipefail
 # Someone set the env var for passwords - get the new password in. Otherwise print warning.
 # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
 if [ "$LINUX_PASSWORD" != "payara" ]; then
-  echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd
+  echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd || { echo "Linux password unchanged!"; }
 else
   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER \"${LINUX_USER}\"! ('payara')"
   echo "           To change the password, set the LINUX_PASSWORD env var."
@@ -19,7 +19,7 @@ if [ "$PAYARA_ADMIN_PASSWORD" != "admin" ]; then
   PASSWORD_FILE=$(mktemp)
   echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
   echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
-  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
+  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}" || { echo "Payara password unchanged!"; }
   rm "$PASSWORD_FILE"
 else
   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ADMIN \"${PAYARA_ADMIN_USER}\"! ('admin')"
@@ -35,7 +35,7 @@ if [ "$DOMAIN_PASSWORD" != "changeit" ]; then
   PASSWORD_FILE=$(mktemp)
   echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
   echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_PASSWORD}" >> "$PASSWORD_FILE"
-  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
+  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}" || { echo "Domain password unchanged!"; }
   rm "$PASSWORD_FILE"
 else
   echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN \"MASTER\" PASSWORD! ('changeit')"
