Update 22.0.0.8

Author: kabicin

ga/22.0.0.12/kernel/helpers/build/configuration_snippets/sessioncache-features.xml

@@ -2,4 +2,4 @@
   <featureManager>
     <feature>sessionCache-1.0</feature>
   </featureManager>
-</server>
+</server>

ga/22.0.0.12/kernel/helpers/runtime/configure-liberty.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# If the Liberty server name is not defaultServer and defaultServer still exists migrate the contents
+if [ "$SERVER_NAME" != "defaultServer" ] && [ -d "/opt/ibm/wlp/usr/servers/defaultServer" ]; then
+  # Create new Liberty server
+  /opt/ibm/wlp/bin/server create >/tmp/serverOutput
+  rc=$?
+  if [ $rc -ne 0 ]; then
+    cat /tmp/serverOutput
+    rm /tmp/serverOutput
+    exit $rc
+  fi
+  rm /tmp/serverOutput
+
+  # Verify server creation
+  if [ ! -d "/opt/ibm/wlp/usr/servers/$SERVER_NAME" ]; then
+    echo "The server name contains a character that is not valid."
+    exit 1
+  fi
+  chmod -R g+w /opt/ibm/wlp/usr/servers/$SERVER_NAME
+
+  # Delete old symlinks
+  rm /opt/ibm/links/output
+  rm /opt/ibm/links/config
+
+  # Add new output folder symlink and resolve group write permissions
+  mkdir -p $WLP_OUTPUT_DIR/$SERVER_NAME
+  ln -s $WLP_OUTPUT_DIR/$SERVER_NAME /opt/ibm/links/output
+  chmod g+w $WLP_OUTPUT_DIR/$SERVER_NAME
+  mkdir -p $WLP_OUTPUT_DIR/$SERVER_NAME/resources
+  mkdir -p $WLP_OUTPUT_DIR/$SERVER_NAME/workarea
+  mkdir -p $WLP_OUTPUT_DIR/$SERVER_NAME/logs
+  chmod -R g+w $WLP_OUTPUT_DIR/$SERVER_NAME/workarea
+  chmod -R g+w,o-rwx $WLP_OUTPUT_DIR/$SERVER_NAME/resources
+  chmod -R g+w,o-rwx $WLP_OUTPUT_DIR/$SERVER_NAME/logs
+
+  # Hand over the SCC
+  if [ "$OPENJ9_SCC" = "true" ] && [ -d "/opt/ibm/wlp/output/defaultServer/.classCache" ]; then
+    mv /opt/ibm/wlp/output/defaultServer/.classCache $WLP_OUTPUT_DIR/$SERVER_NAME/
+  fi
+  rm -rf /opt/ibm/wlp/output/defaultServer
+
+  # Add new server symlink and populate folder
+  mv /opt/ibm/wlp/usr/servers/defaultServer/* /opt/ibm/wlp/usr/servers/$SERVER_NAME/
+  ln -s /opt/ibm/wlp/usr/servers/$SERVER_NAME /opt/ibm/links/config
+  mkdir -p /config/configDropins/defaults
+  mkdir -p /config/configDropins/overrides
+  chmod -R g+w /config
+
+  rm -rf /opt/ibm/wlp/usr/servers/defaultServer
+fi
+
+echo "configure-liberty.sh script has been run" > /opt/ibm/wlp/configure-liberty.log
+exit 0

ga/22.0.0.12/kernel/helpers/runtime/docker-server.sh

@@ -84,6 +84,12 @@ function importKeyCert() {
   fi
 }
 
+# Resolve liberty server symlinks and creation for server name changes
+/opt/ibm/helpers/runtime/configure-liberty.sh
+if [ $? -ne 0 ]; then
+    exit
+fi
+
 case "${LICENSE,,}" in
   "accept" ) # Suppress license message in logs
     grep -s -F "com.ibm.ws.logging.hideMessage" /config/bootstrap.properties \
@@ -140,6 +146,8 @@ if [[ -n "$INFINISPAN_SERVICE_NAME" ]]; then
  echo "INFINISPAN_PASS: ${INFINISPAN_PASS}"
 fi
 
+# Remove generated metadata
+rm /opt/ibm/wlp/configure-liberty.log
 
 # Pass on to the real server run
 exec "$@"

ga/22.0.0.8/kernel/helpers/build/configure.sh

@@ -0,0 +1,156 @@
+#!/bin/bash
+# (C) Copyright IBM Corporation 2022.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Determine if featureUtility ran in an earlier build step
+if [ -f "/opt/ibm/wlp/configure-liberty.log" ]; then
+  FEATURES_INSTALLED=true
+else
+  FEATURES_INSTALLED=false
+  >&2 echo "WARNING: This is not an optimal build configuration. Although features in server.xml will continue to be installed correctly, the 'RUN features.sh' command should be added to the Dockerfile prior to configure.sh. See https://github.com/WASdev/ci.docker#building-an-application-image for a sample application image template."
+fi
+
+if [ "$VERBOSE" != "true" ]; then
+  exec &>/dev/null
+fi
+
+set -Eeox pipefail
+
+function main() {
+  if [ "$FEATURES_INSTALLED" == "false" ]; then
+    # Resolve liberty server symlinks and creation for server name changes
+    /opt/ibm/helpers/runtime/configure-liberty.sh
+    if [ $? -ne 0 ]; then
+      exit
+    fi
+  fi
+
+  ##Define variables for XML snippets source and target paths
+  WLP_INSTALL_DIR=/opt/ibm/wlp
+  SHARED_CONFIG_DIR=${WLP_INSTALL_DIR}/usr/shared/config
+  SHARED_RESOURCE_DIR=${WLP_INSTALL_DIR}/usr/shared/resources
+
+  SNIPPETS_SOURCE=/opt/ibm/helpers/build/configuration_snippets
+  SNIPPETS_TARGET=/config/configDropins/overrides
+  SNIPPETS_TARGET_DEFAULTS=/config/configDropins/defaults
+  mkdir -p ${SNIPPETS_TARGET}
+  mkdir -p ${SNIPPETS_TARGET_DEFAULTS}
+
+  #Check for each Liberty value-add functionality
+
+  # Infinispan Session Caching
+  if [[ -n "$INFINISPAN_SERVICE_NAME" ]]; then
+    cp ${SNIPPETS_SOURCE}/infinispan-client-sessioncache.xml ${SNIPPETS_TARGET}/infinispan-client-sessioncache.xml
+    chmod g+rw $SNIPPETS_TARGET/infinispan-client-sessioncache.xml
+  fi
+
+  # Hazelcast Session Caching
+  if [ "${HZ_SESSION_CACHE}" == "client" ] || [ "${HZ_SESSION_CACHE}" == "embedded" ]; then
+    cp ${SNIPPETS_SOURCE}/hazelcast-sessioncache.xml ${SNIPPETS_TARGET}/hazelcast-sessioncache.xml
+    mkdir -p ${SHARED_CONFIG_DIR}/hazelcast
+    cp ${SNIPPETS_SOURCE}/hazelcast-${HZ_SESSION_CACHE}.xml ${SHARED_CONFIG_DIR}/hazelcast/hazelcast.xml
+  fi
+
+  # Key Store
+  keystorePath="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
+  if [ "$SSL" != "false" ] && [ "$TLS" != "false" ]
+  then
+    if [ ! -e $keystorePath ]
+    then
+      # Generate the keystore.xml
+      export KEYSTOREPWD=$(openssl rand -base64 32)
+      sed "s|REPLACE|$KEYSTOREPWD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
+      chmod g+w $SNIPPETS_TARGET_DEFAULTS/keystore.xml
+    fi
+  fi
+
+  # SSO
+  if [[ -n "$SEC_SSO_PROVIDERS" ]]; then
+    parseProviders $SEC_SSO_PROVIDERS
+  fi
+
+  if [ "$SKIP_FEATURE_INSTALL" != "true" ]; then
+    # Install needed features
+    if [ "$FEATURE_REPO_URL" ]; then
+      curl -k --fail $FEATURE_REPO_URL > /tmp/repo.zip
+      installUtility install --acceptLicense defaultServer --from=/tmp/repo.zip || rc=$?; if [ $rc -ne 22 ]; then exit $rc; fi
+      rm -rf /tmp/repo.zip
+    # Otherwise, if features.sh did not run, install server features.
+    elif [ "$FEATURES_INSTALLED" == "false" ]; then
+      featureUtility installServerFeatures --acceptLicense defaultServer --noCache
+      find /opt/ibm/wlp/lib /opt/ibm/wlp/bin ! -perm -g=rw -print0 | xargs -0 -r chmod g+rw 
+    fi
+  fi
+
+  # Apply interim fixes found in /opt/ibm/fixes
+  # Fixes recommended by IBM, such as to resolve security vulnerabilities, are also included in /opt/ibm/fixes
+  # Note: This step should be done once needed features are enabled and installed using installUtility.
+
+  # Do not create a SCC
+  if [ -n "${IBM_JAVA_OPTIONS}" ]; then
+    IBM_JAVA_OPTIONS="${IBM_JAVA_OPTIONS} -Xshareclasses:none"
+  fi
+
+  if [ -n "${OPENJ9_JAVA_OPTIONS}" ]; then
+    OPENJ9_JAVA_OPTIONS="${OPENJ9_JAVA_OPTIONS} -Xshareclasses:none"
+  fi
+
+  find /opt/ibm/fixes -type f -name "*.jar"  -print0 | sort -z | xargs -0 -n 1 -r -I {} java -jar {} --installLocation $WLP_INSTALL_DIR
+  #Make sure that group write permissions are set correctly after installing new features
+  find /opt/ibm/wlp ! -perm -g=rw -print0 | xargs -r -0 chmod g+rw
+
+  # Create a new SCC layer
+  if [ "$OPENJ9_SCC" == "true" ]
+  then
+    populate_scc.sh -i 1
+  fi
+}
+
+## parse provider list to generate files into configDropins
+function parseProviders() {
+  while [ $# -gt 0 ]; do
+    case "$1" in
+    oidc:*)
+      parseCommaList oidc "${1#*:}"
+      ;;
+    oauth2:*)
+      parseCommaList oauth2 "${1#*:}"
+      ;;
+    *)
+      if [[ $(ls $SNIPPETS_SOURCE | grep "$1") ]]; then
+        cp $SNIPPETS_SOURCE/sso-${1}.xml $SNIPPETS_TARGET_DEFAULTS
+      fi
+      ;;
+    esac
+    shift
+  done
+}
+
+## process the comma delimitted oauth2/oidc source lists
+function parseCommaList() {
+  local type="$1"
+  local list=$(echo "$2" | tr , " ")
+
+  for current in ${list}; do
+    if [[ "${type}" = "oidc" ]]; then
+      # replace oidc identifiers with custom name
+      sed -e 's/=\"oidc/=\"'${current}'/g' -e 's/_OIDC_/_'${current^^}'_/g' $SNIPPETS_SOURCE/sso-oidc.xml > $SNIPPETS_TARGET_DEFAULTS/sso-${current}.xml
+    else
+      # replace oauth2 identifiers with custom name
+      sed -e 's/=\"oauth2/=\"'${current}'/g' -e 's/_OAUTH2_/_'${current^^}'_/g' $SNIPPETS_SOURCE/sso-oauth2.xml > $SNIPPETS_TARGET_DEFAULTS/sso-${current}.xml
+    fi
+  done
+}
+
+main "$@"

ga/22.0.0.8/kernel/helpers/build/features.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+# (C) Copyright IBM Corporation 2022.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+if [ "$VERBOSE" != "true" ]; then
+  exec &>/dev/null
+fi
+
+set -Eeox pipefail 
+
+# Resolve liberty server symlinks and creation for server name changes
+/opt/ibm/helpers/runtime/configure-liberty.sh
+if [ $? -ne 0 ]; then
+  exit
+fi
+
+##Define variables for XML snippets source and target paths
+SNIPPETS_SOURCE=/opt/ibm/helpers/build/configuration_snippets
+SNIPPETS_TARGET=/config/configDropins/overrides
+SNIPPETS_TARGET_DEFAULTS=/config/configDropins/defaults
+mkdir -p ${SNIPPETS_TARGET}
+mkdir -p ${SNIPPETS_TARGET_DEFAULTS}
+
+# Session Caching
+if [ -n "$INFINISPAN_SERVICE_NAME" ] || [ "${HZ_SESSION_CACHE}" == "client" ] || [ "${HZ_SESSION_CACHE}" == "embedded" ]; then
+  cp ${SNIPPETS_SOURCE}/sessioncache-features.xml ${SNIPPETS_TARGET}/sessioncache-features.xml
+  chmod g+rw $SNIPPETS_TARGET/sessioncache-features.xml
+fi
+
+# SSO
+if [[ -n "$SEC_SSO_PROVIDERS" ]]; then
+  cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS
+fi
+
+# Key Store
+if [ "$SSL" == "true" ] || [ "$TLS" == "true" ]; then
+  cp $SNIPPETS_SOURCE/tls.xml $SNIPPETS_TARGET/tls.xml
+fi
+
+# Install necessary features using featureUtility
+featureUtility installServerFeatures --acceptLicense defaultServer --noCache
+find /opt/ibm/wlp/lib /opt/ibm/wlp/bin ! -perm -g=rw -print0 | xargs -0 -r chmod g+rw

ga/23.0.0.5/kernel/Dockerfile.ubi.ibmjava8

@@ -20,6 +20,8 @@ ARG EN_SHA=16669604ed86a6ad4bd60b99ca85fad2a819ae3ff3e68d5585a64f3d51504ee3
 ARG NON_IBM_SHA=89faf793b9e068a80bda72d6c1cbf9b4e1362c699525710ae3247a6c135a0b11
 ARG NOTICES_SHA=f02cefd8eb429cd471b9f494c2ac7f3df10ef042f1b7e8271895afd2a46ae997
 
+ENV SERVER_NAME=defaultServer
+
 LABEL org.opencontainers.image.authors="Leo Christy Jesuraj, Arthur De Magalhaes, Chris Potter" \
       org.opencontainers.image.vendor="IBM" \
       org.opencontainers.image.url="http://wasdev.net" \
@@ -83,32 +85,50 @@ RUN mkdir /logs \
     && mkdir /etc/wlp \
     && mkdir -p /opt/ibm/wlp/usr/shared/resources/lib.index.cache \
     && mkdir -p /home/default \
-    && mkdir /output \
-    && chmod -t /output \
-    && rm -rf /output \
-    && ln -s $WLP_OUTPUT_DIR/defaultServer /output \
-    && ln -s /opt/ibm/wlp/usr/servers/defaultServer /config \
     && ln -s /opt/ibm /liberty \
     && ln -s /opt/ibm/fixes /fixes \
     && ln -s /opt/ibm/wlp/usr/shared/resources/lib.index.cache /lib.index.cache \
-    && mkdir -p /config/configDropins/defaults \
-    && mkdir -p /config/configDropins/overrides \
-    && chown -R 1001:0 /config \
-    && chmod -R g+rw /config \
     && chown -R 1001:0 /opt/ibm/helpers \
     && chmod -R g+rwx /opt/ibm/helpers \
     && chown -R 1001:0 /opt/ibm/fixes \
     && chmod -R g+rwx /opt/ibm/fixes \
     && chown -R 1001:0 /opt/ibm/wlp/usr \
     && chmod -R g+rw /opt/ibm/wlp/usr \
-    && chown -R 1001:0 /opt/ibm/wlp/output \
-    && chmod -R g+rw /opt/ibm/wlp/output \
     && chown -R 1001:0 /logs \
     && chmod -R g+rw /logs \
     && chown -R 1001:0 /etc/wlp \
     && chmod -R g+rw /etc/wlp \
     && chown -R 1001:0 /home/default \
-    && chmod -R g+rw /home/default
+    && chmod -R g+rw /home/default \
+    && mkdir -p /opt/ibm/links \
+    && chown -R 1001:0 /opt/ibm/links \
+    && chmod -R g+rw /opt/ibm/links
+
+# Create second-level symlinks as non-root user
+USER 1001
+
+RUN mkdir -p $WLP_OUTPUT_DIR/defaultServer \
+    && ln -s $WLP_OUTPUT_DIR/defaultServer /opt/ibm/links/output \
+    && ln -s /opt/ibm/wlp/usr/servers/defaultServer /opt/ibm/links/config \
+    && mkdir -p /opt/ibm/links/config/configDropins/defaults \
+    && mkdir -p /opt/ibm/links/config/configDropins/overrides
+
+# Create first-level symlinks as root user
+USER 0
+
+RUN mkdir /output \
+    && chmod -t /output \
+    && rm -rf /output \
+    && ln -s /opt/ibm/links/output /output \
+    && ln -s /opt/ibm/links/config /config \
+    && chown -R 1001:0 /opt/ibm/links/output \
+    && chmod -R g+rw /opt/ibm/links/output \
+    && chown -R 1001:0 /opt/ibm/links/config \
+    && chmod -R g+rw /opt/ibm/links/config \
+    && chown -R 1001:0 /config \
+    && chmod -R g+rw /config \
+    && chown -R 1001:0 /output \
+    && chmod -R g+rw /output
 
 # Create a new SCC layer
 RUN if [ "$OPENJ9_SCC" = "true" ]; then populate_scc.sh; fi \
@@ -125,4 +145,4 @@ USER 1001
 EXPOSE 9080 9443
 
 ENTRYPOINT ["/opt/ibm/helpers/runtime/docker-server.sh"]
-CMD ["/opt/ibm/wlp/bin/server", "run", "defaultServer"]
+CMD ["/opt/ibm/wlp/bin/server", "run"]