diff --git a/.github/workflows/gendocs.yml b/.github/workflows/gendocs.yml index 597e546e..23e57c9c 100644 --- a/.github/workflows/gendocs.yml +++ b/.github/workflows/gendocs.yml @@ -29,7 +29,7 @@ jobs: fetch-depth: 0 # all branches and tags - name: Install CEKit - uses: cekit/actions-setup-cekit@v1.1.5 + uses: cekit/actions-setup-cekit@v1.1.7 - name: Setup required packages for docs run: | diff --git a/.github/workflows/jiralabels.yml b/.github/workflows/jiralabels.yml new file mode 100644 index 00000000..41220aeb --- /dev/null +++ b/.github/workflows/jiralabels.yml @@ -0,0 +1,46 @@ +name: Ensure GH PRs have a corresponding JIRA issue + +on: + pull_request: + types: [opened, edited] + +permissions: + contents: read + pull-requests: write + +env: + GH_REPO: ${{ github.repository }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NUM: ${{ github.event.pull_request.number }} + +jobs: + check-jira-uri: + runs-on: ubuntu-latest + steps: + - name: Check for required URI pattern + id: check_uri + env: + PR_BODY: ${{ github.event.pull_request.body }} + URIPAT: "https://issues.redhat.com/browse/OPENJDK-" + run: | + if echo "$PR_BODY" | grep -q "$URIPAT"; then + echo "missing=false" >> $GITHUB_OUTPUT + else + echo "missing=true" >> $GITHUB_OUTPUT + fi + + - name: Apply label if URI missing + if: steps.check_uri.outputs.missing == 'true' + run: | + gh pr edit "$NUM" --add-label "needs-jira-issue" + exit 1 # fail workflow; must be resolved to green-light PR + + - name: Remove label if URI present + if: steps.check_uri.outputs.missing == 'false' + run: gh pr edit "$NUM" --remove-label "needs-jira-issue" + + label-branch: + runs-on: ubuntu-latest + steps: + - name: Add branch label if missing + run: gh pr edit "$NUM" --add-label "$GITHUB_BASE_REF" diff --git a/modules/jdk/21/configure.sh b/modules/jdk/21/configure.sh index f0450b47..de1c7d0a 100755 --- a/modules/jdk/21/configure.sh +++ b/modules/jdk/21/configure.sh 
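Review bot: The labelling steps (`gh pr edit "$NUM" --add-label …` in both jobs, and `--remove-label`) need a write-scoped token, but for a `pull_request` event raised from a fork GitHub by default issues a read-only `GITHUB_TOKEN` whatever the `permissions:` block says, so those steps would fail for outside contributors. If the trigger is ever switched to `pull_request_target` to obtain a writable token, keep the current shape in which the PR body reaches the shell only through `env:` (`PR_BODY`) and no PR code is checked out or run. Separately, `grep -q "$URIPAT"` treats the dots in the URL as regex wildcards; `grep -qF -- "$URIPAT"` matches it literally, and the redirect target should be quoted as `>> "$GITHUB_OUTPUT"`.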
@@ -5,13 +5,7 @@ set -e SCRIPT_DIR=$(dirname $0) ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts -chown -R $USER:root $SCRIPT_DIR -chmod -R ug+rwX $SCRIPT_DIR -chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/openjdk/jdk/* - -pushd ${ARTIFACTS_DIR} -cp -pr * / -popd +install -m 0644 -D {${ARTIFACTS_DIR},}/opt/jboss/container/openjdk/jdk/jvm-options # Update securerandom.source for quicker starts (must be done after removing jdk 8, or it will hit the wrong files) JAVA_SECURITY_FILE=/usr/lib/jvm/java/conf/security/java.security diff --git a/modules/jre/21/configure.sh b/modules/jre/21/configure.sh index fdc8f6c2..ac25e85c 100755 --- a/modules/jre/21/configure.sh +++ b/modules/jre/21/configure.sh @@ -1,16 +1,7 @@ -#!/bin/sh -# Configure module -set -e +#!/bin/bash +set -euo pipefail SCRIPT_DIR=$(dirname $0) -echo $SCRIPT_DIR ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts -echo $ARTIFACTS_DIR -chown -R $USER:root $SCRIPT_DIR -chmod -R ug+rwX $SCRIPT_DIR -chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/openjdk/jre/* - -pushd ${ARTIFACTS_DIR} -cp -pr * / -popd +install -m 0644 -D {${ARTIFACTS_DIR},}/opt/jboss/container/openjdk/jre/jvm-options diff --git a/modules/jvm/artifacts/opt/jboss/container/java/jvm/debug-options b/modules/jvm/artifacts/opt/jboss/container/java/jvm/debug-options old mode 100644 new mode 100755 diff --git a/modules/jvm/artifacts/opt/jboss/container/java/jvm/java-default-options b/modules/jvm/artifacts/opt/jboss/container/java/jvm/java-default-options old mode 100644 new mode 100755 diff --git a/modules/jvm/configure.sh b/modules/jvm/configure.sh old mode 100755 new mode 100644 index 79e86ecc..f9ebe210 --- a/modules/jvm/configure.sh +++ b/modules/jvm/configure.sh 
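Review bot: The new `install -m 0644 -D {${ARTIFACTS_DIR},}/opt/jboss/container/openjdk/jdk/jvm-options` line relies on bash brace expansion, but this hunk starts at line 5, so the shebang is not visible, and the script keeps `set -e` where the other configure.sh files in this commit move to `#!/bin/bash` with `set -euo pipefail`. It is worth confirming that line 1 is `#!/bin/bash` and, after checking the rest of the script for unset variables, aligning the options to `set -euo pipefail`. A one-line comment above the install would also help, for example `# {SRC,}/path expands to "SRC/path /path": install the artifact at the same path under /`, since the idiom recurs in jre/21, maven/default, maven/s2i, run, s2i/core and util/logging. The rest of the script lies outside the hunk.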
@@ -1,14 +1,8 @@ -#!/bin/sh -# Configure module -set -e +#!/bin/bash +set -euo pipefail SCRIPT_DIR=$(dirname $0) ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts -chown -R $USER:root $SCRIPT_DIR -chmod -R ug+rwX $SCRIPT_DIR -chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/java/jvm/* - -pushd ${ARTIFACTS_DIR} -cp -pr * / -popd +install -D -t /opt/jboss/container/java/jvm \ + ${ARTIFACTS_DIR}/opt/jboss/container/java/jvm/* diff --git a/modules/jvm/module.yaml b/modules/jvm/module.yaml index c7f381b5..9ab1d08f 100644 --- a/modules/jvm/module.yaml +++ b/modules/jvm/module.yaml @@ -8,6 +8,9 @@ description: ^ execute: - script: configure.sh +execute: +- script: configure.sh + modules: install: - name: jboss.container.user diff --git a/modules/jvm/tests/features/files.feature b/modules/jvm/tests/features/files.feature new file mode 100644 index 00000000..b9b92d37 --- /dev/null +++ b/modules/jvm/tests/features/files.feature @@ -0,0 +1,9 @@ +Feature: test file properties for JVM module + + @ubi10 + Scenario: Ensure image scripts are executable (OPENJDK-3935) + When container is started with args + | arg | value | + | command | find /opt/jboss/container/java/ -type f -printf "%h/%f %M\n" | + Then available container log should contain /opt/jboss/container/java/jvm/debug-options -rwxr-xr-x + And available container log should contain /opt/jboss/container/java/jvm/java-default-options -rwxr-xr-x diff --git a/modules/maven/default/configure.sh b/modules/maven/default/configure.sh index e94230cf..e191ad62 100755 --- a/modules/maven/default/configure.sh +++ b/modules/maven/default/configure.sh 
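Review bot: modules/jvm/configure.sh changes from mode 100755 to 100644 in this commit while gaining a `#!/bin/bash` shebang; modules/maven/s2i/configure.sh and modules/s2i/bash/configure.sh get the same mode change, whereas every other configure.sh touched here stays 100755. A non-executable script can only be run through an explicit interpreter, and then the shebang does not select the shell; if that interpreter is `sh`, `set -o pipefail` works only where `sh` is bash. Unless the mode change is deliberate, keep these three at 100755 for consistency. The `install -D -t` line also carries no `-m`, so every file under java/jvm is installed with the default 0755; writing `-m 0755` would make that intent explicit next to the `-m 0644` used in the sibling scripts.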
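Review bot: The added `execute:` block follows context lines that already read `execute:` and `- script: configure.sh`, so modules/jvm/module.yaml appears to end up with two top-level `execute` keys. Duplicate mapping keys are invalid YAML: lenient loaders silently keep the last one, strict loaders reject the file, and either way the next editor cannot tell which block is live. If the first block is really present (the hunk shows it only as context), drop the three added lines.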
@@ -1,19 +1,12 @@ -#!/bin/sh -# Configure module -set -e +#!/bin/bash +set -euo pipefail SCRIPT_DIR=$(dirname $0) ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts -# configure artifact permissions -chown -R $USER:root $ARTIFACTS_DIR -chmod -R ug+rwX $ARTIFACTS_DIR -chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/maven/default/maven.sh - -# install artifacts -pushd ${ARTIFACTS_DIR} -cp -pr * / -popd +install -m 0644 -D {${ARTIFACTS_DIR},}/opt/jboss/container/maven/default/maven.sh +# 0664: OPENJDK-4024 +install -m 0664 -D {${ARTIFACTS_DIR},}/opt/jboss/container/maven/default/jboss-settings.xml # install default settings.xml file in user home mkdir -p $HOME/.m2 diff --git a/modules/maven/module/artifacts/maven.module b/modules/maven/module/artifacts/maven.module index e437f0e5..96bd86fd 100644 --- a/modules/maven/module/artifacts/maven.module +++ b/modules/maven/module/artifacts/maven.module @@ -1,5 +1,5 @@ [maven] name=maven -stream=3.8 +stream=3.9 profiles= state=enabled diff --git a/modules/maven/s2i/configure.sh b/modules/maven/s2i/configure.sh old mode 100755 new mode 100644 index 948c8a6a..a511a4a9 --- a/modules/maven/s2i/configure.sh +++ b/modules/maven/s2i/configure.sh @@ -1,15 +1,9 @@ -#!/bin/sh -# Configure module -set -e +#!/bin/bash +set -euo pipefail SCRIPT_DIR=$(dirname $0) ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts -chown -R $USER:root $SCRIPT_DIR -chmod -R ug+rwX $SCRIPT_DIR -chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/maven/s2i/* -chmod ug+x ${ARTIFACTS_DIR}/usr/libexec/s2i/* - -pushd ${ARTIFACTS_DIR} -cp -pr * / -popd +install -D {${ARTIFACTS_DIR},}/usr/libexec/s2i/save-artifacts +install -m 0644 -D -t /opt/jboss/container/maven/s2i \ + ${ARTIFACTS_DIR}/opt/jboss/container/maven/s2i/* diff --git a/modules/maven/s2i/module.yaml b/modules/maven/s2i/module.yaml index 11c53490..bda76a18 100644 --- a/modules/maven/s2i/module.yaml +++ b/modules/maven/s2i/module.yaml 
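Review bot: The comment `# 0664: OPENJDK-4024` names a ticket but not the reason jboss-settings.xml is group-writable, and since that file steers where Maven resolves dependencies from, the wider mode deserves a justification that lives in the source. Something like `# 0664: group-writable because <reason from OPENJDK-4024>` keeps the decision reviewable without the tracker. Note also that maven.sh is now installed 0644 where the removed code ran `chmod ug+x` on it; that is fine if it is only ever sourced, which this hunk does not show. The script continues past the hunk.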
@@ -33,6 +33,9 @@ modules: - name: jboss.container.maven.default - name: jboss.container.util.logging +execute: +- script: configure.sh + packages: install: - tar diff --git a/modules/maven/s2i/tests/features/files.feature b/modules/maven/s2i/tests/features/files.feature new file mode 100644 index 00000000..eef88148 --- /dev/null +++ b/modules/maven/s2i/tests/features/files.feature @@ -0,0 +1,9 @@ +Feature: test file properties for Maven S2I module + + # builder-only test + @ubi10/openjdk-21 + Scenario: Ensure save-artifacts script is executable (OPENJDK-3935) + When container is started with args + | arg | value | + | command | find /usr/local/s2i -type f -printf "%f %M\n" | + Then available container log should contain save-artifacts -rwxr-xr-x diff --git a/modules/proxy/configure.sh b/modules/proxy/configure.sh index 4f485eb5..5f979eca 100755 --- a/modules/proxy/configure.sh +++ b/modules/proxy/configure.sh @@ -1,14 +1,8 @@ -#!/bin/sh -# Configure module -set -e +#!/bin/bash +set -euo pipefail SCRIPT_DIR=$(dirname $0) ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts -chown -R $USER:root $SCRIPT_DIR -chmod -R ug+rwX $SCRIPT_DIR -chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/java/proxy* - -pushd ${ARTIFACTS_DIR} -cp -pr * / -popd +install -m 0644 -D -t /opt/jboss/container/java/proxy \ + ${ARTIFACTS_DIR}/opt/jboss/container/java/proxy/* diff --git a/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh b/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh old mode 100644 new mode 100755 diff --git a/modules/run/configure.sh b/modules/run/configure.sh index 218e0d0e..e8184a38 100755 --- a/modules/run/configure.sh +++ b/modules/run/configure.sh 
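Review bot: The scenario in modules/maven/s2i/tests/features/files.feature inspects `/usr/local/s2i`, while the configure.sh change in this commit installs save-artifacts to `/usr/libexec/s2i`, so the assertion covers the new `install` line only indirectly, through whatever populates `/usr/local/s2i` outside this diff. Consider asserting the mode of `/usr/libexec/s2i/save-artifacts` as well, or adding a comment such as `# /usr/local/s2i is populated from /usr/libexec/s2i by <step>` so the link is documented. The same applies to modules/s2i/bash/tests/features/files.feature, which checks run, assemble and usage under `/usr/local/s2i/`.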
@@ -1,17 +1,10 @@ -#!/bin/sh -# Configure module -set -e +#!/bin/bash +set -euo pipefail SCRIPT_DIR=$(dirname $0) ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts -chown -R $USER:root $SCRIPT_DIR -chmod -R ug+rwX $SCRIPT_DIR -chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/java/run/* - -pushd ${ARTIFACTS_DIR} -cp -pr * / -popd +install -D {${ARTIFACTS_DIR},}/opt/jboss/container/java/run/run-java.sh mkdir -p /deployments/data \ && chmod -R "ug+rwX" /deployments/data \ @@ -29,3 +22,6 @@ else javasecurity="${JAVA_HOME}/conf/security/java.security" fi sed -i 's/\(networkaddress.cache.negative.ttl\)=[0-9]\+$/\1=0/' "$javasecurity" + +# OPENJDK-3695: force +x for scripts +chmod 0755 /opt/jboss/container/java/run/run-java.sh diff --git a/modules/run/tests/features/run.feature b/modules/run/tests/features/run.feature index bff2a03a..62645f17 100644 --- a/modules/run/tests/features/run.feature +++ b/modules/run/tests/features/run.feature @@ -6,3 +6,8 @@ Feature: OpenJDK run script tests | JAVA_OPTS_APPEND | -Djavax.net.ssl.trustStorePassword=sensitiveString | Then container log should not contain sensitiveString + Scenario: Ensure image scripts are executable (OPENJDK-3935) + When container is started with args + | arg | value | + | command | find /opt/jboss/container/java/ -type f -printf "%h/%f %M\n" | + Then available container log should contain /opt/jboss/container/java/run/run-java.sh -rwxr-xr-x diff --git a/modules/s2i/bash/artifacts/opt/jboss/container/java/s2i/maven-s2i-overrides b/modules/s2i/bash/artifacts/opt/jboss/container/java/s2i/maven-s2i-overrides index 69917a8a..2def2413 100644 --- a/modules/s2i/bash/artifacts/opt/jboss/container/java/s2i/maven-s2i-overrides +++ b/modules/s2i/bash/artifacts/opt/jboss/container/java/s2i/maven-s2i-overrides @@ -1,5 +1,6 @@ source "${JBOSS_CONTAINER_UTIL_LOGGING_MODULE}/logging.sh" +source "${JBOSS_CONTAINER_S2I_CORE_MODULE}/s2i-core" # inject our overridden maven_*() functions function maven_s2i_source_maven_overrides() { 
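Review bot: The comment added at the end of modules/run/configure.sh cites `OPENJDK-3695`, while the scenario this commit adds for the same file mode is titled `(OPENJDK-3935)`; one of the two ids looks transposed and should be checked against the tracker. The `chmod 0755` also repeats what the `install -D …/run-java.sh` line added at the top of the script already does, because install defaults to 0755 when no `-m` is given; unless something between the two hunks changes the mode, drop the chmod or state the mode once as `install -m 0755 -D {${ARTIFACTS_DIR},}/opt/jboss/container/java/run/run-java.sh`.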
@@ -30,11 +31,7 @@ function maven_s2i_custom_binary_build() { fi log_info "Copying binaries from ${binary_dir} to ${S2I_TARGET_DEPLOYMENTS_DIR} ..." - ( # OPENJDK-2850: use glob (dotglob to match hidden files) to stop rsync altering - # timestamps of S2I_TARGET_DEPLOYMENTS_DIR. Don't alter parent shell's dotglob. - shopt -s dotglob - rsync --archive --out-format='%n' "${binary_dir}"/* "${S2I_TARGET_DEPLOYMENTS_DIR}" - ) + recursive_copy_files "${binary_dir}" "${S2I_TARGET_DEPLOYMENTS_DIR}" } function maven_s2i_deploy_artifacts_override() { diff --git a/modules/s2i/bash/configure.sh b/modules/s2i/bash/configure.sh old mode 100755 new mode 100644 index 9c039677..e5eb983d --- a/modules/s2i/bash/configure.sh +++ b/modules/s2i/bash/configure.sh @@ -1,15 +1,9 @@ -#!/bin/sh -# Configure module -set -e +#!/bin/bash +set -euo pipefail SCRIPT_DIR=$(dirname $0) ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts -chown -R $USER:root $SCRIPT_DIR -chmod -R ug+rwX $SCRIPT_DIR -chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/java/s2i/* -chmod ug+x ${ARTIFACTS_DIR}/usr/libexec/s2i/* - -pushd ${ARTIFACTS_DIR} -cp -pr * / -popd +install -D ${ARTIFACTS_DIR}/usr/libexec/s2i/* /usr/libexec/s2i +install -m 0644 -D -t /opt/jboss/container/java/s2i \ + ${ARTIFACTS_DIR}/opt/jboss/container/java/s2i/* diff --git a/modules/s2i/bash/module.yaml b/modules/s2i/bash/module.yaml index 3199994c..ffcfbc0b 100644 --- a/modules/s2i/bash/module.yaml +++ b/modules/s2i/bash/module.yaml @@ -16,6 +16,7 @@ modules: - name: jboss.container.maven.s2i - name: jboss.container.java.run - name: jboss.container.util.logging + - name: jboss.container.s2i.core packages: install: diff --git a/modules/s2i/bash/tests/features/files.feature b/modules/s2i/bash/tests/features/files.feature new file mode 100644 index 00000000..5bc28a1f --- /dev/null +++ b/modules/s2i/bash/tests/features/files.feature 
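Review bot: In modules/s2i/bash/configure.sh, `install -D ${ARTIFACTS_DIR}/usr/libexec/s2i/* /usr/libexec/s2i` has no `-t`, so `-D` creates only the parents of the last argument and `/usr/libexec/s2i` itself must already exist as a directory. With several sources install fails if it does not, and with a single match it would write that file as `/usr/libexec/s2i`; the line works only when an earlier module has created the directory. Use the same form as the line that follows it: `install -D -t /usr/libexec/s2i ${ARTIFACTS_DIR}/usr/libexec/s2i/*`.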
@@ -0,0 +1,11 @@ +# builder-only test +@ubi10/openjdk-21 +Feature: OpenJDK S2I bash module tests + + Scenario: Ensure image scripts are executable (OPENJDK-3935) + When container is started with args + | arg | value | + | command | find /usr/local/s2i/ -type f -printf "%h/%f %M\n" | + Then available container log should contain run -rwxr-xr-x + And available container log should contain assemble -rwxr-xr-x + And available container log should contain usage -rwxr-xr-x diff --git a/modules/s2i/core/artifacts/opt/jboss/container/s2i/core/s2i-core b/modules/s2i/core/artifacts/opt/jboss/container/s2i/core/s2i-core index 3a29525d..47446df2 100644 --- a/modules/s2i/core/artifacts/opt/jboss/container/s2i/core/s2i-core +++ b/modules/s2i/core/artifacts/opt/jboss/container/s2i/core/s2i-core @@ -41,6 +41,20 @@ function s2i_core_env_init_hook() { : } +# Copy files from a source path to a destination path +# Do not attempt to change metadata of the destination path, which we +# may not own +function recursive_copy_files() { + src="$1" + dst="$2" + ( # OPENJDK-2850: use glob (dotglob to match hidden files) to stop rsync altering + # timestamps of $dst, which we might not own. Subshell to not alter parent shell's + # dotglob setting. + shopt -s dotglob + rsync --archive --out-format='%n' "${src}"/* "${dst}" + ) +} + # copy configuration files # $1 - the base directory to which $S2I_SOURCE_CONFIGURATION_DIR is appended function s2i_core_copy_configuration() { @@ -53,7 +67,7 @@ function s2i_core_copy_configuration() { mkdir -pm 775 "${S2I_TARGET_CONFIGURATION_DIR}" fi log_info "Copying configuration from $(realpath --relative-to ${S2I_SOURCE_DIR} ${1}/${S2I_SOURCE_CONFIGURATION_DIR}) to ${S2I_TARGET_CONFIGURATION_DIR}..." - rsync --archive --out-format='%n' "${1}/${S2I_SOURCE_CONFIGURATION_DIR}"/ "${S2I_TARGET_CONFIGURATION_DIR}" + recursive_copy_files "${1}/${S2I_SOURCE_CONFIGURATION_DIR}" "${S2I_TARGET_CONFIGURATION_DIR}" fi fi } 
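Review bot: `recursive_copy_files` hands `"${src}"/*` to rsync without handling an empty source directory: with no match the pattern stays literal and rsync exits non-zero, whereas the trailing-slash form it replaces in `s2i_core_copy_configuration` and `s2i_core_copy_data` (the next two hunks) accepted an empty directory. `src` and `dst` are also assigned without `local`, so they leak into every script that sources s2i-core. The version below keeps the glob approach and the subshell, declares the variables local, and skips rsync when there is nothing to copy.

```bash
function recursive_copy_files() {
  local src="$1"
  local dst="$2"
  ( # … unchanged: OPENJDK-2850 comment explaining the glob and the subshell …
    shopt -s dotglob nullglob
    entries=("${src}"/*)
    # nothing matched: skip rsync rather than hand it a literal pattern
    if [ "${#entries[@]}" -eq 0 ]; then
      exit 0
    fi
    rsync --archive --out-format='%n' "${entries[@]}" "${dst}"
  )
}
```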
@@ -70,7 +84,7 @@ function s2i_core_copy_data() { mkdir -pm 775 "${S2I_TARGET_DATA_DIR}" fi log_info "Copying app data from $(realpath --relative-to ${S2I_SOURCE_DIR} ${1}/${S2I_SOURCE_DATA_DIR}) to ${S2I_TARGET_DATA_DIR}..." - rsync --archive --out-format='%n' "${1}/${S2I_SOURCE_DATA_DIR}"/ "${S2I_TARGET_DATA_DIR}" + recursive_copy_files "${1}/${S2I_SOURCE_DATA_DIR}" "${S2I_TARGET_DATA_DIR}" # s2i used to be more forgiving, but the build will fail if this call # fails. emit a warning and allow the build to succeed chmod -R g+rwX "${S2I_TARGET_DATA_DIR}" || log_warning "Errors occurred while adding read/write permissions to S2I_TARGET_DATA_DIR ($S2I_TARGET_DATA_DIR)." diff --git a/modules/s2i/core/configure.sh b/modules/s2i/core/configure.sh index d8cd9934..21081256 100755 --- a/modules/s2i/core/configure.sh +++ b/modules/s2i/core/configure.sh @@ -1,13 +1,10 @@ -#!/bin/sh -# Configure module -set -e +#!/bin/bash +set -euo pipefail SCRIPT_DIR=$(dirname $0) ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts -chown -R $USER:root $SCRIPT_DIR -chmod -R ug+rwX $SCRIPT_DIR -chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/s2i/core/* +install -m 0644 -D {${ARTIFACTS_DIR},}/opt/jboss/container/s2i/core/s2i-core pushd ${ARTIFACTS_DIR} cp -pr * / diff --git a/modules/s2i/core/tests/features/s2i-core.feature b/modules/s2i/core/tests/features/s2i-core.feature index 690514cc..0194aa07 100644 --- a/modules/s2i/core/tests/features/s2i-core.feature +++ b/modules/s2i/core/tests/features/s2i-core.feature 
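Review bot: In modules/s2i/core/configure.sh the context lines right after the new `install -m 0644 … s2i-core` still run `pushd ${ARTIFACTS_DIR}` and `cp -pr * /`, which copies the same file over the installed one and, because of `-p`, restores the mode and ownership of the source tree. Every other configure.sh in this commit removes that copy, so the 0644 set here may not survive. If s2i-core is the only artifact, delete the `pushd` / `cp -pr * /` / `popd` lines; the script continues past the hunk, so check what else relies on them first.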
@@ -16,3 +16,21 @@ Feature: Openshift S2I tests Then s2i build log should not contain rsync: [generator] failed to set permissions on "/var/tmp/.": Operation not permitted And s2i build log should contain appsrc-provided s2i assemble script executed And run stat /var/tmp/spring-boot-sample-simple-1.5.0.BUILD-SNAPSHOT.jar in container and check its output for Access: + + # as above, for OPENJDK-3975: handling configuration + Scenario: Ensure copying custom configuration doesn't fail trying to chmod destination directory (OPENJDK-3975) + Given s2i build https://github.com/rh-openjdk/openjdk-container-test-applications.git from OPENJDK-2408-bin-custom-s2i-assemble with env + | variable | value | + | S2I_TARGET_CONFIGURATION_DIR | /var/tmp | + Then s2i build log should not contain rsync: [generator] failed to set permissions on "/var/tmp/.": Operation not permitted + And s2i build log should contain appsrc-provided s2i assemble script executed + And run stat /var/tmp/example.ini in container and check its output for Access: + + # as above, for OPENJDK-3975: handling data + Scenario: Ensure copying custom data doesn't fail trying to chmod destination directory (OPENJDK-3975) + Given s2i build https://github.com/rh-openjdk/openjdk-container-test-applications.git from OPENJDK-2408-bin-custom-s2i-assemble with env + | variable | value | + | S2I_TARGET_DATA_DIR | /var/tmp | + Then s2i build log should not contain rsync: [generator] failed to set permissions on "/var/tmp/.": Operation not permitted + And s2i build log should contain appsrc-provided s2i assemble script executed + And run stat /var/tmp/sample.txt in container and check its output for Access: diff --git a/modules/util/logging/configure.sh b/modules/util/logging/configure.sh index 470528df..7585bb38 100755 --- a/modules/util/logging/configure.sh +++ b/modules/util/logging/configure.sh 
@@ -1,14 +1,7 @@ -#!/bin/sh -# Configure module -set -e +#!/bin/bash +set -euo pipefail SCRIPT_DIR=$(dirname $0) ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts -chown -R $USER:root $SCRIPT_DIR -chmod -R ug+rwX $SCRIPT_DIR -chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/util/logging/* - -pushd ${ARTIFACTS_DIR} -cp -pr * / -popd +install -m 0644 -D {${ARTIFACTS_DIR},}/opt/jboss/container/util/logging/logging.sh diff --git a/ubi10-openjdk-21-runtime.yaml b/ubi10-openjdk-21-runtime.yaml index 3683fcd8..9f984289 100644 --- a/ubi10-openjdk-21-runtime.yaml +++ b/ubi10-openjdk-21-runtime.yaml @@ -4,7 +4,7 @@ schema_version: 1 from: "registry.access.redhat.com/ubi10/ubi-minimal" name: &name "ubi10/openjdk-21-runtime" -version: &version "1.21" +version: &version "1.23" description: "Image for Red Hat OpenShift providing OpenJDK 21 runtime" labels: @@ -28,6 +28,10 @@ labels: value: *name - name: "version" value: *version +- name: "org.opencontainers.image.source" + value: "https://github.com/rh-openjdk/redhat-openjdk-containers" +- name: "org.opencontainers.image.revision" + value: "ubi10" envs: # XXX should this move to an s2i module? diff --git a/ubi10-openjdk-21.yaml b/ubi10-openjdk-21.yaml index bf6fe326..a8b9aa97 100644 --- a/ubi10-openjdk-21.yaml +++ b/ubi10-openjdk-21.yaml @@ -4,7 +4,7 @@ schema_version: 1 from: "registry.access.redhat.com/ubi10/ubi-minimal" name: &name "ubi10/openjdk-21" -version: &version "1.21" +version: &version "1.23" description: "Source To Image (S2I) image for Red Hat OpenShift providing OpenJDK 21" labels: @@ -28,6 +28,10 @@ labels: value: *name - name: "version" value: *version +- name: "org.opencontainers.image.source" + value: "https://github.com/rh-openjdk/redhat-openjdk-containers" +- name: "org.opencontainers.image.revision" + value: "ubi10" envs: # XXX should this move to an s2i module?
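Review bot: In ubi10-openjdk-21-runtime.yaml the new `org.opencontainers.image.revision` label is set to the branch name `"ubi10"`, but that label is meant to identify the exact source revision an image was built from, and a branch moves with every commit. For provenance it would be better to inject the commit id at build time, or to leave the label out until that is possible; a comment such as `# branch name, not a commit id: replace once the build can inject the SHA` would at least make the limitation explicit. The same two labels are added in ubi10-openjdk-21.yaml.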