MQ V9.1.3.0 (#348)

* MQ 9.1.3 changes

* Use crtmqdir -a

* Allow generation of TLS certificate with given hostname

* Remove check for certificate env variable

* Updated manifests and changelog for 913

* Use MQ externals to configure console frame ancestors

* Create /run/mqm

* Go sec fixes

* Set SAN when generating certificates

* Remove image source and commit

Author: LPowlett

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Change log
 
+## 9.1.3.0 (2019-07-19)
+
+* Updated to MQ version 9.1.3.0
+* Allow generation of TLS certificate with given hostname
+* Fixes for the following issues:
+  * `MQ_EPHEMERAL_PREFIX` UNIX sockets fix
+  * Fix Makefile for Windows
+  * Use -a option on crtmqdir
+  * Remove check for certificate environment variable
+
 ## 9.1.2.0-UBI (2019-06-21)
 
 **Breaking changes**:
@@ -13,6 +23,7 @@
 
 ## 9.1.2.0 (2019-03-21)
 
+* Updated to MQ version 9.1.2.0
 * Now runs using the "mqm" user instead of root.  See new [security doc](https://github.com/ibm-messaging/mq-container/blob/master/docs/security.md)
 * New [IGNSTATE](https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.pro.doc/q132310_.htm#q132310___ignstateparm) parameter used in default developer config
 * Termination log moved from `/dev/termination-log` to `/run/termination-log`, to make permissions easier to handle

Makefile

@@ -17,9 +17,9 @@
 # the command line
 ###############################################################################
 # MQ_VERSION is the fully qualified MQ version number to build
-MQ_VERSION ?= 9.1.2.0
+MQ_VERSION ?= 9.1.3.0
 # RELEASE shows what release of the container code has been built
-RELEASE ?= 3
+RELEASE ?= 1
 # MQ_ARCHIVE is the name of the file, under the downloads directory, from which MQ Advanced can
 # be installed. The default value is derived from MQ_VERSION, BASE_IMAGE and architecture
 # Does not apply to MQ Advanced for Developers.
@@ -68,7 +68,7 @@ IMAGE_REVISION=$(shell git rev-parse HEAD)
 IMAGE_SOURCE=$(shell git config --get remote.origin.url)
 EMPTY:=
 SPACE:= $(EMPTY) $(EMPTY)
-# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field).  e.g. 9.1.2 instead of 9.1.2.0
+# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field).  e.g. 9.1.3 instead of 9.1.3.0
 MQ_VERSION_VRM=$(subst $(SPACE),.,$(wordlist 1,3,$(subst .,$(SPACE),$(MQ_VERSION))))
 
 # Set variable if running on a Red Hat Enterprise Linux host
@@ -102,6 +102,7 @@ endif
 MQ_ARCHIVE_DEV_9.1.0.0=mqadv_dev910_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
 MQ_ARCHIVE_DEV_9.1.1.0=mqadv_dev911_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
 MQ_ARCHIVE_DEV_9.1.2.0=mqadv_dev912_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
+MQ_ARCHIVE_DEV_9.1.3.0=mqadv_dev913_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
 
 ###############################################################################
 # Build targets

README.md

@@ -44,8 +44,8 @@ For issues relating specifically to the container image or Helm chart, please us
 The Dockerfiles and associated code and scripts are licensed under the [Apache License 2.0](http://www.apache.org/licenses/LICENSE-2.0.html).
 Licenses for the products installed within the images are as follows:
 
-- [IBM MQ Advanced for Developers](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-AVCJ4S) (International License Agreement for Non-Warranted Programs). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.
-- [IBM MQ Advanced](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-AZYF4X) (International Program License Agreement). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.
+- [IBM MQ Advanced for Developers](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-BBZHCQ) (International License Agreement for Non-Warranted Programs). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.
+- [IBM MQ Advanced](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-BBSHJL) (International Program License Agreement). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.
 - License information for Ubuntu packages may be found in `/usr/share/doc/${package}/copyright`
 
 Note: The IBM MQ Advanced for Developers license does not permit further distribution and the terms restrict usage to a developer machine.

cmd/runmqserver/main.go

@@ -117,29 +117,6 @@ func doMain() error {
 		return err
 	}
 
-	// handle /var/mqm/ permissions in upgrade to UBI
-	if *initFlag {
-		varMqmDirs := []string{
-			"/var/mqm/config",
-			"/var/mqm/conv",
-			"/var/mqm/errors",
-			"/var/mqm/exits",
-			"/var/mqm/exits64",
-			"/var/mqm/log",
-			"/var/mqm/mqft",
-			"/var/mqm/qmgrs",
-			"/var/mqm/shared",
-			"/var/mqm/sockets",
-			"/var/mqm/trace",
-			"/var/mqm/web",
-		}
-		err = configureOwnership(varMqmDirs)
-		if err != nil {
-			logTermination(err)
-			return err
-		}
-	}
-
 	// If init flag is set, exit now
 	if *initFlag {
 		return nil

cmd/runmqserver/qmgr.go

@@ -24,8 +24,6 @@ import (
 	"path/filepath"
 	"strings"
 
-	"golang.org/x/sys/unix"
-
 	"github.com/ibm-messaging/mq-container/internal/command"
 	containerruntime "github.com/ibm-messaging/mq-container/internal/containerruntime"
 	"github.com/ibm-messaging/mq-container/internal/mqscredact"
@@ -34,7 +32,7 @@ import (
 
 // createDirStructure creates the default MQ directory structure under /var/mqm
 func createDirStructure() error {
-	out, _, err := command.Run("/opt/mqm/bin/crtmqdir", "-f", "-s")
+	out, _, err := command.Run("/opt/mqm/bin/crtmqdir", "-f", "-a")
 	if err != nil {
 		log.Printf("Error creating directory structure: %v\n", string(out))
 		return err
@@ -43,47 +41,6 @@ func createDirStructure() error {
 	return nil
 }
 
-// configureOwnership recursively handles ownership of files within the given filepath
-func configureOwnership(paths []string) error {
-	uid, gid, err := command.LookupMQM()
-	if err != nil {
-		return err
-	}
-	var fileInfo *unix.Stat_t
-	fileInfo = new(unix.Stat_t)
-	for _, root := range paths {
-		_, err = os.Stat(root)
-		if err != nil {
-			if os.IsNotExist(err) {
-				continue
-			}
-			return err
-		}
-		err = filepath.Walk(root, func(from string, info os.FileInfo, err error) error {
-			if err != nil {
-				return err
-			}
-			to := fmt.Sprintf("%v%v", root, from[len(root):])
-			err = unix.Stat(to, fileInfo)
-			if err != nil {
-				return err
-			}
-			fileUID := fmt.Sprint(fileInfo.Uid)
-			if strings.Compare(fileUID, "999") == 0 {
-				err = os.Chown(to, uid, gid)
-				if err != nil {
-					return err
-				}
-			}
-			return nil
-		})
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 // createQueueManager creates a queue manager, if it doesn't already exist.
 // It returns true if one was created (or a standby was created), or false if one already existed
 func createQueueManager(name string) (bool, error) {

cmd/runmqserver/tls.go

@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/internal/keystore"
 	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 	"github.com/ibm-messaging/mq-container/internal/tls"
 )
@@ -38,7 +39,7 @@ const trustDir = "/etc/mqm/pki/trust"
 // configureWebTLS configures TLS for Web Console
 func configureWebTLS(label string) error {
 	// Return immediately if we have no certificate to use as identity
-	if label == "" {
+	if label == "" && os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME") == "" {
 		return nil
 	}
 
@@ -129,8 +130,30 @@ func configureSSOTLS(p12TrustStore tls.KeyStoreData) (string, error) {
 	// Check keystore exists
 	ks := filepath.Join(keyStoreDir, webKeyStoreName)
 	_, err := os.Stat(ks)
-	if err != nil {
-		return "", fmt.Errorf("Failed to find existing keystore %s: %v", ks, err)
+	// Now we know if the file exists let's check whether we should have it or not.
+	// Check if we're being told to generate the certificate
+	genHostName := os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME")
+	if genHostName != "" {
+		// We've got to generate the certificate with the hostname given
+		if err == nil {
+			log.Printf("Replacing existing keystore %s - generating new certificate", ks)
+		}
+		// Keystore doesn't exist so create it and populate a certificate
+		newKS := keystore.NewPKCS12KeyStore(ks, p12TrustStore.Password)
+		err = newKS.Create()
+		if err != nil {
+			return "", fmt.Errorf("Failed to create keystore %s: %v", ks, err)
+		}
+
+		err = newKS.CreateSelfSignedCertificate("default", fmt.Sprintf("CN=%s", genHostName), genHostName)
+		if err != nil {
+			return "", fmt.Errorf("Failed to generate certificate in keystore %s with DN of 'CN=%s': %v", ks, genHostName, err)
+		}
+	} else {
+		// Keystore should already exist
+		if err != nil {
+			return "", fmt.Errorf("Failed to find existing keystore %s: %v", ks, err)
+		}
 	}
 
 	// Check truststore exists

cmd/runmqserver/version.go

@@ -38,11 +38,11 @@ func logDateStamp() {
 }
 
 func logGitRepo() {
-	log.Printf("Image revision: %v", ImageRevision)
+	// log.Printf("Image revision: %v", ImageRevision)
 }
 
 func logGitCommit() {
-	log.Printf("Image source: %v", ImageSource)
+	// log.Printf("Image source: %v", ImageSource)
 }
 
 func logImageTag() {

cmd/runmqserver/webserver.go

@@ -92,7 +92,6 @@ func configureSSO(p12TrustStore tls.KeyStoreData) (string, error) {
 		"MQ_OIDC_TOKEN_ENDPOINT",
 		"MQ_OIDC_JWK_ENDPOINT",
 		"MQ_OIDC_ISSUER_IDENTIFIER",
-		"MQ_OIDC_CERTIFICATE",
 	}
 	for _, envVar := range requiredEnvVars {
 		if len(os.Getenv(envVar)) == 0 {

docs/building.md

@@ -14,7 +14,7 @@ If you are working in the Windows Subsystem for Linux, follow [this guide by Mic
 This procedure works for building the MQ Continuous Delivery release, on `amd64`, `ppc64le` and `s390x` architectures.
 
 1. Create a `downloads` directory in the root of this repository
-2. Download MQ from [IBM Passport Advantage](https://www.ibm.com/software/passportadvantage/) or [IBM Fix Central](https://www.ibm.com/support/fixcentral), and place the downloaded file (for example, `IBM_MQ_9.1.2_UBUNTU_X86-64.tar.gz`) in the `downloads` directory
+2. Download MQ from [IBM Passport Advantage](https://www.ibm.com/software/passportadvantage/) or [IBM Fix Central](https://www.ibm.com/support/fixcentral), and place the downloaded file (for example, `IBM_MQ_9.1.3_LINUX_X86-64.tar.gz`) in the `downloads` directory
 3. Run `make build-advancedserver`
 
 > **Warning**: Note that MQ offers two different sets of packaging on Linux: one is called "MQ for Linux" and contains RPM files for installing on Red Hat Enterprise Linux and SUSE Linux Enterprise Server.  The MQ container build uses a Red Hat Universal Base Image, so you need the "MQ for Linux" RPM files.

docs/security.md

@@ -16,7 +16,7 @@ docker run \
   --env LICENSE=accept \
   --env MQ_QMGR_NAME=QM1 \
   --detach \
-  mqadvanced-server:9.1.2.0-amd64
+  mqadvanced-server:9.1.3.0-amd64
 ```
 
 The MQ Advanced for Developers image does require the "chown", "setuid", "setgid" and "audit_write" capabilities (plus "dac_override" if you're using an image based on Red Hat Enterprise Linux).  This is because it uses the "sudo" command to change passwords inside the container.  For example, in Docker, you could do the following:
@@ -31,7 +31,7 @@ docker run \
   --env LICENSE=accept \
   --env MQ_QMGR_NAME=QM1 \
   --detach \
-  mqadvanced-server-dev:9.1.2.0-amd64
+  mqadvanced-server-dev:9.1.3.0-amd64
 ```
 
 ### SELinux