rh-openjdk · jmtd · Sep 4, 2025 · Mar 5, 2025 · Mar 5, 2025 · Mar 25, 2025
diff --git a/.github/workflows/gendocs.yml b/.github/workflows/gendocs.yml
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 0 # all branches and tags
 
       - name: Install CEKit
-        uses: cekit/[email protected].5
+        uses: cekit/[email protected].7
 
       - name: Setup required packages for docs
         run: |

diff --git a/.github/workflows/jiralabels.yml b/.github/workflows/jiralabels.yml
@@ -0,0 +1,46 @@
+name: Ensure GH PRs have a corresponding JIRA issue
+
+on:
+  pull_request:
+    types: [opened, edited]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+env:
+  GH_REPO: ${{ github.repository }}
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  NUM: ${{ github.event.pull_request.number }}
+
+jobs:
+  check-jira-uri:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for required URI pattern
+        id: check_uri
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+          URIPAT:  "https://issues.redhat.com/browse/OPENJDK-"
+        run: |
+          if echo "$PR_BODY" | grep -q "$URIPAT"; then
+            echo "missing=false" >> $GITHUB_OUTPUT
+          else
+            echo "missing=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Apply label if URI missing
+        if: steps.check_uri.outputs.missing == 'true'
+        run: | 
+          gh pr edit "$NUM" --add-label "needs-jira-issue"
+          exit 1 # fail workflow; must be resolved to green-light PR
+
+      - name: Remove label if URI present
+        if: steps.check_uri.outputs.missing == 'false'
+        run: gh pr edit "$NUM" --remove-label "needs-jira-issue"
+
+  label-branch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Add branch label if missing
+        run: gh pr edit "$NUM" --add-label "$GITHUB_BASE_REF"
diff --git a/modules/jdk/21/configure.sh b/modules/jdk/21/configure.sh
@@ -5,13 +5,7 @@ set -e
 SCRIPT_DIR=$(dirname $0)
 ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts
 
-chown -R $USER:root $SCRIPT_DIR
-chmod -R ug+rwX $SCRIPT_DIR
-chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/openjdk/jdk/*
-
-pushd ${ARTIFACTS_DIR}
-cp -pr * /
-popd
+install -m 0644 -D {${ARTIFACTS_DIR},}/opt/jboss/container/openjdk/jdk/jvm-options
 
 # Update securerandom.source for quicker starts (must be done after removing jdk 8, or it will hit the wrong files)
 JAVA_SECURITY_FILE=/usr/lib/jvm/java/conf/security/java.security

diff --git a/modules/jre/21/configure.sh b/modules/jre/21/configure.sh
@@ -1,16 +1,7 @@
-#!/bin/sh
-# Configure module
-set -e
+#!/bin/bash
+set -euo pipefail
 
 SCRIPT_DIR=$(dirname $0)
-echo $SCRIPT_DIR
 ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts
-echo $ARTIFACTS_DIR
 
-chown -R $USER:root $SCRIPT_DIR
-chmod -R ug+rwX $SCRIPT_DIR
-chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/openjdk/jre/*
-
-pushd ${ARTIFACTS_DIR}
-cp -pr * /
-popd
+install -m 0644 -D {${ARTIFACTS_DIR},}/opt/jboss/container/openjdk/jre/jvm-options
diff --git a/modules/jvm/artifacts/opt/jboss/container/java/jvm/debug-options b/modules/jvm/artifacts/opt/jboss/container/java/jvm/debug-options
diff --git a/modules/jvm/artifacts/opt/jboss/container/java/jvm/java-default-options b/modules/jvm/artifacts/opt/jboss/container/java/jvm/java-default-options
diff --git a/modules/jvm/configure.sh b/modules/jvm/configure.sh
@@ -1,14 +1,8 @@
-#!/bin/sh
-# Configure module
-set -e
+#!/bin/bash
+set -euo pipefail
 
 SCRIPT_DIR=$(dirname $0)
 ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts
 
-chown -R $USER:root $SCRIPT_DIR
-chmod -R ug+rwX $SCRIPT_DIR
-chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/java/jvm/*
-
-pushd ${ARTIFACTS_DIR}
-cp -pr * /
-popd
+install -D -t /opt/jboss/container/java/jvm \
+    ${ARTIFACTS_DIR}/opt/jboss/container/java/jvm/*
diff --git a/modules/jvm/module.yaml b/modules/jvm/module.yaml
@@ -8,6 +8,9 @@ description: ^
 execute:
 - script: configure.sh
 
+execute:
+- script: configure.sh
+
 modules:
   install:
   - name: jboss.container.user

diff --git a/modules/jvm/tests/features/files.feature b/modules/jvm/tests/features/files.feature
@@ -0,0 +1,9 @@
+Feature: test file properties for JVM module
+
+  @ubi9
+  Scenario: Ensure image scripts are executable (OPENJDK-3935)
+    When container is started with args
+    | arg     | value                                                        |
+    | command | find /opt/jboss/container/java/ -type f -printf "%h/%f %M\n" |
+    Then available container log should contain /opt/jboss/container/java/jvm/debug-options -rwxr-xr-x
+    And  available container log should contain /opt/jboss/container/java/jvm/java-default-options -rwxr-xr-x
diff --git a/modules/maven/default/configure.sh b/modules/maven/default/configure.sh
@@ -1,19 +1,12 @@
-#!/bin/sh
-# Configure module
-set -e
+#!/bin/bash
+set -euo pipefail
 
 SCRIPT_DIR=$(dirname $0)
 ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts
 
-# configure artifact permissions
-chown -R $USER:root $ARTIFACTS_DIR
-chmod -R ug+rwX $ARTIFACTS_DIR
-chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/maven/default/maven.sh
-
-# install artifacts
-pushd ${ARTIFACTS_DIR}
-cp -pr * /
-popd
+install -m 0644 -D {${ARTIFACTS_DIR},}/opt/jboss/container/maven/default/maven.sh
+# 0664: OPENJDK-4024
+install -m 0664 -D {${ARTIFACTS_DIR},}/opt/jboss/container/maven/default/jboss-settings.xml
 
 # install default settings.xml file in user home
 mkdir -p $HOME/.m2

diff --git a/modules/maven/module/artifacts/maven.module b/modules/maven/module/artifacts/maven.module
@@ -1,5 +1,5 @@
 [maven]
 name=maven
-stream=3.8
+stream=3.9
 profiles=
 state=enabled
diff --git a/modules/maven/s2i/configure.sh b/modules/maven/s2i/configure.sh
@@ -1,15 +1,9 @@
-#!/bin/sh
-# Configure module
-set -e
+#!/bin/bash
+set -euo pipefail
 
 SCRIPT_DIR=$(dirname $0)
 ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts
 
-chown -R $USER:root $SCRIPT_DIR
-chmod -R ug+rwX $SCRIPT_DIR
-chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/maven/s2i/*
-chmod ug+x ${ARTIFACTS_DIR}/usr/libexec/s2i/*
-
-pushd ${ARTIFACTS_DIR}
-cp -pr * /
-popd
+install -D {${ARTIFACTS_DIR},}/usr/libexec/s2i/save-artifacts
+install -m 0644 -D -t /opt/jboss/container/maven/s2i \
+    ${ARTIFACTS_DIR}/opt/jboss/container/maven/s2i/*
diff --git a/modules/maven/s2i/module.yaml b/modules/maven/s2i/module.yaml
@@ -33,6 +33,9 @@ modules:
   - name: jboss.container.maven.default
   - name: jboss.container.util.logging
 
+execute:
+- script: configure.sh
+
 packages:
   install:
   - tar
diff --git a/modules/maven/s2i/tests/features/files.feature b/modules/maven/s2i/tests/features/files.feature
@@ -0,0 +1,10 @@
+Feature: test file properties for Maven S2I module
+
+  # builder-only test
+  @ubi9/openjdk-17
+  @ubi9/openjdk-21
+  Scenario: Ensure save-artifacts script is executable (OPENJDK-3935)
+    When container is started with args
+    | arg     | value                                         |
+    | command | find /usr/local/s2i -type f -printf "%f %M\n" |
+    Then available container log should contain save-artifacts -rwxr-xr-x
diff --git a/modules/proxy/configure.sh b/modules/proxy/configure.sh
@@ -1,14 +1,8 @@
-#!/bin/sh
-# Configure module
-set -e
+#!/bin/bash
+set -euo pipefail
 
 SCRIPT_DIR=$(dirname $0)
 ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts
 
-chown -R $USER:root $SCRIPT_DIR
-chmod -R ug+rwX $SCRIPT_DIR
-chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/java/proxy*
-
-pushd ${ARTIFACTS_DIR}
-cp -pr * /
-popd
+install -m 0644 -D -t /opt/jboss/container/java/proxy \
+    ${ARTIFACTS_DIR}/opt/jboss/container/java/proxy/*
diff --git a/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh b/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh
diff --git a/modules/run/configure.sh b/modules/run/configure.sh
@@ -1,17 +1,10 @@
-#!/bin/sh
-# Configure module
-set -e
+#!/bin/bash
+set -euo pipefail
 
 SCRIPT_DIR=$(dirname $0)
 ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts
 
-chown -R $USER:root $SCRIPT_DIR
-chmod -R ug+rwX $SCRIPT_DIR
-chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/java/run/*
-
-pushd ${ARTIFACTS_DIR}
-cp -pr * /
-popd
+install -D {${ARTIFACTS_DIR},}/opt/jboss/container/java/run/run-java.sh
 
 mkdir -p /deployments/data \
  && chmod -R "ug+rwX" /deployments/data \
@@ -29,3 +22,6 @@ else
     javasecurity="${JAVA_HOME}/conf/security/java.security"
 fi
 sed -i 's/\(networkaddress.cache.negative.ttl\)=[0-9]\+$/\1=0/' "$javasecurity"
+
+# OPENJDK-3695: force +x for scripts
+chmod 0755 /opt/jboss/container/java/run/run-java.sh
diff --git a/modules/run/tests/features/run.feature b/modules/run/tests/features/run.feature
@@ -6,3 +6,8 @@ Feature: OpenJDK run script tests
       | JAVA_OPTS_APPEND | -Djavax.net.ssl.trustStorePassword=sensitiveString |
     Then container log should not contain sensitiveString
 
+  Scenario: Ensure image scripts are executable (OPENJDK-3935)
+    When container is started with args
+    | arg     | value                                                        |
+    | command | find /opt/jboss/container/java/ -type f -printf "%h/%f %M\n" |
+    Then available container log should contain /opt/jboss/container/java/run/run-java.sh -rwxr-xr-x
diff --git a/modules/s2i/bash/artifacts/opt/jboss/container/java/s2i/maven-s2i-overrides b/modules/s2i/bash/artifacts/opt/jboss/container/java/s2i/maven-s2i-overrides
@@ -1,5 +1,6 @@
 
 source "${JBOSS_CONTAINER_UTIL_LOGGING_MODULE}/logging.sh"
+source "${JBOSS_CONTAINER_S2I_CORE_MODULE}/s2i-core"
 
 # inject our overridden maven_*() functions
 function maven_s2i_source_maven_overrides() {
@@ -30,11 +31,7 @@ function maven_s2i_custom_binary_build() {
   fi
   log_info "Copying binaries from ${binary_dir} to ${S2I_TARGET_DEPLOYMENTS_DIR} ..."
 
-  ( # OPENJDK-2850: use glob (dotglob to match hidden files) to stop rsync altering
-    # timestamps of S2I_TARGET_DEPLOYMENTS_DIR. Don't alter parent shell's dotglob.
-    shopt -s dotglob
-    rsync --archive --out-format='%n' "${binary_dir}"/* "${S2I_TARGET_DEPLOYMENTS_DIR}"
-  )
+  recursive_copy_files "${binary_dir}" "${S2I_TARGET_DEPLOYMENTS_DIR}"
 }
 
 function maven_s2i_deploy_artifacts_override() {

diff --git a/modules/s2i/bash/configure.sh b/modules/s2i/bash/configure.sh
@@ -1,15 +1,9 @@
-#!/bin/sh
-# Configure module
-set -e
+#!/bin/bash
+set -euo pipefail
 
 SCRIPT_DIR=$(dirname $0)
 ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts
 
-chown -R $USER:root $SCRIPT_DIR
-chmod -R ug+rwX $SCRIPT_DIR
-chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/java/s2i/*
-chmod ug+x ${ARTIFACTS_DIR}/usr/libexec/s2i/*
-
-pushd ${ARTIFACTS_DIR}
-cp -pr * /
-popd
+install -D ${ARTIFACTS_DIR}/usr/libexec/s2i/* /usr/libexec/s2i
+install -m 0644 -D -t /opt/jboss/container/java/s2i \
+    ${ARTIFACTS_DIR}/opt/jboss/container/java/s2i/*
diff --git a/modules/s2i/bash/module.yaml b/modules/s2i/bash/module.yaml
@@ -16,6 +16,7 @@ modules:
   - name: jboss.container.maven.s2i
   - name: jboss.container.java.run
   - name: jboss.container.util.logging
+  - name: jboss.container.s2i.core
 
 packages:
   install:

diff --git a/modules/s2i/bash/tests/features/files.feature b/modules/s2i/bash/tests/features/files.feature
@@ -0,0 +1,12 @@
+# builder-only test
+@ubi9/openjdk-17
+@ubi9/openjdk-21
+Feature: OpenJDK S2I bash module tests
+
+  Scenario: Ensure image scripts are executable (OPENJDK-3935)
+    When container is started with args
+    | arg     | value                                                        |
+    | command | find /usr/local/s2i/ -type f -printf "%h/%f %M\n" |
+    Then available container log should contain run -rwxr-xr-x
+    And available container log should contain assemble -rwxr-xr-x
+    And available container log should contain usage -rwxr-xr-x
diff --git a/modules/s2i/core/artifacts/opt/jboss/container/s2i/core/s2i-core b/modules/s2i/core/artifacts/opt/jboss/container/s2i/core/s2i-core
@@ -41,6 +41,20 @@ function s2i_core_env_init_hook() {
   : 
 }
 
+# Copy files from a source path to a destination path
+# Do not attempt to change metadata of the destination path, which we
+# may not own
+function recursive_copy_files() {
+  src="$1"
+  dst="$2"
+  ( # OPENJDK-2850: use glob (dotglob to match hidden files) to stop rsync altering
+    # timestamps of $dst, which we might not own. Subshell to not alter parent shell's
+    # dotglob setting.
+    shopt -s dotglob
+    rsync --archive --out-format='%n' "${src}"/* "${dst}"
+  )
+}
+
 # copy configuration files
 # $1 - the base directory to which $S2I_SOURCE_CONFIGURATION_DIR is appended
 function s2i_core_copy_configuration() {
@@ -53,7 +67,7 @@ function s2i_core_copy_configuration() {
         mkdir -pm 775 "${S2I_TARGET_CONFIGURATION_DIR}"
       fi
       log_info "Copying configuration from $(realpath --relative-to ${S2I_SOURCE_DIR} ${1}/${S2I_SOURCE_CONFIGURATION_DIR}) to ${S2I_TARGET_CONFIGURATION_DIR}..."
-      rsync --archive --out-format='%n' "${1}/${S2I_SOURCE_CONFIGURATION_DIR}"/ "${S2I_TARGET_CONFIGURATION_DIR}"
+      recursive_copy_files "${1}/${S2I_SOURCE_CONFIGURATION_DIR}" "${S2I_TARGET_CONFIGURATION_DIR}"
     fi
   fi 
 }
@@ -70,7 +84,7 @@ function s2i_core_copy_data() {
         mkdir -pm 775 "${S2I_TARGET_DATA_DIR}"
       fi
       log_info "Copying app data from $(realpath --relative-to ${S2I_SOURCE_DIR} ${1}/${S2I_SOURCE_DATA_DIR}) to ${S2I_TARGET_DATA_DIR}..."
-      rsync --archive --out-format='%n' "${1}/${S2I_SOURCE_DATA_DIR}"/ "${S2I_TARGET_DATA_DIR}"
+      recursive_copy_files "${1}/${S2I_SOURCE_DATA_DIR}" "${S2I_TARGET_DATA_DIR}"
       # s2i used to be more forgiving, but the build will fail if this call
       # fails.  emit a warning and allow the build to succeed
       chmod -R g+rwX "${S2I_TARGET_DATA_DIR}" || log_warning "Errors occurred while adding read/write permissions to S2I_TARGET_DATA_DIR ($S2I_TARGET_DATA_DIR)."

diff --git a/modules/s2i/core/configure.sh b/modules/s2i/core/configure.sh
@@ -1,13 +1,10 @@
-#!/bin/sh
-# Configure module
-set -e
+#!/bin/bash
+set -euo pipefail
 
 SCRIPT_DIR=$(dirname $0)
 ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts
 
-chown -R $USER:root $SCRIPT_DIR
-chmod -R ug+rwX $SCRIPT_DIR
-chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/s2i/core/*
+install -m 0644 -D {${ARTIFACTS_DIR},}/opt/jboss/container/s2i/core/s2i-core
 
 pushd ${ARTIFACTS_DIR}
 cp -pr * /

diff --git a/modules/s2i/core/tests/features/s2i-core.feature b/modules/s2i/core/tests/features/s2i-core.feature
@@ -16,3 +16,21 @@ Feature: Openshift S2I tests
      Then s2i build log should not contain rsync: [generator] failed to set permissions on "/var/tmp/.": Operation not permitted
      And  s2i build log should contain appsrc-provided s2i assemble script executed
      And  run stat /var/tmp/spring-boot-sample-simple-1.5.0.BUILD-SNAPSHOT.jar in container and check its output for Access:
+
+  # as above, for OPENJDK-3975: handling configuration
+  Scenario: Ensure copying custom configuration doesn't fail trying to chmod destination directory (OPENJDK-3975)
+    Given s2i build https://github.com/rh-openjdk/openjdk-container-test-applications.git from OPENJDK-2408-bin-custom-s2i-assemble with env
+       | variable                     | value    |
+       | S2I_TARGET_CONFIGURATION_DIR | /var/tmp |
+    Then s2i build log should not contain rsync: [generator] failed to set permissions on "/var/tmp/.": Operation not permitted
+    And  s2i build log should contain appsrc-provided s2i assemble script executed
+    And  run stat /var/tmp/example.ini in container and check its output for Access:
+
+  # as above, for OPENJDK-3975: handling data
+  Scenario: Ensure copying custom data doesn't fail trying to chmod destination directory (OPENJDK-3975)
+    Given s2i build https://github.com/rh-openjdk/openjdk-container-test-applications.git from OPENJDK-2408-bin-custom-s2i-assemble with env
+       | variable                     | value    |
+       | S2I_TARGET_DATA_DIR          | /var/tmp |
+    Then s2i build log should not contain rsync: [generator] failed to set permissions on "/var/tmp/.": Operation not permitted
+    And  s2i build log should contain appsrc-provided s2i assemble script executed
+    And  run stat /var/tmp/sample.txt in container and check its output for Access: