-
Notifications
You must be signed in to change notification settings - Fork 31
/
Dockerfile
124 lines (107 loc) · 5.33 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
#
# Copyright (c) 2017-present Sonatype, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# hadolint ignore=DL3026
FROM registry.access.redhat.com/ubi9/openjdk-17:1.20-2
# Build parameters
ARG IQ_SERVER_VERSION=1.184.0-01
ARG IQ_SERVER_SHA256=92698a3b49378bd387b1bcff1ac64e1340c1f241a3eb918b5794a562185a68bd
ARG TEMP="/tmp/work"
ARG IQ_HOME="/opt/sonatype/nexus-iq-server"
ARG SONATYPE_WORK="/sonatype-work"
ARG CONFIG_HOME="/etc/nexus-iq-server"
ARG LOGS_HOME="/var/log/nexus-iq-server"
ARG GID=1000
ARG UID=1000
ARG TIMEOUT=600
LABEL name="Nexus IQ Server image" \
maintainer="Sonatype <[email protected]>" \
vendor=Sonatype \
version="${IQ_SERVER_VERSION}" \
release="1.184.0" \
url="https://www.sonatype.com" \
summary="The Nexus IQ Server" \
description="Nexus IQ Server is a policy engine powered by precise intelligence on open source components. \
It provides a number of tools to improve component usage in your software supply chain, allowing you to \
automate your processes and achieve accelerated speed to delivery while also increasing product quality" \
com.sonatype.license="Apache License, Version 2.0" \
com.sonatype.name="Nexus IQ Server image" \
run="docker run -d -p 8070:8070 -p 8071:8071 IMAGE" \
io.k8s.description="Nexus IQ Server is a policy engine powered by precise intelligence on open source components. \
It provides a number of tools to improve component usage in your software supply chain, allowing you to \
automate your processes and achieve accelerated speed to delivery while also increasing product quality" \
io.k8s.display-name="Nexus IQ Server" \
io.openshift.expose-services="8071:8071" \
io.openshift.tags="Sonatype,Nexus,IQ Server"
USER root
# For testing
# hadolint ignore=DL3041
RUN microdnf update -y \
&& microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y procps gzip unzip tar shadow-utils findutils util-linux less rsync git which \
&& microdnf clean all
# Create folders & set permissions
RUN mkdir -p ${TEMP} \
&& mkdir -p ${IQ_HOME} \
&& mkdir -p ${SONATYPE_WORK} \
&& mkdir -p ${CONFIG_HOME} \
&& mkdir -p ${LOGS_HOME} \
&& chmod 0755 ${TEMP} \
&& chmod 0755 "/opt/sonatype" ${IQ_HOME} \
&& chmod 0755 ${CONFIG_HOME} \
&& chmod 0755 ${LOGS_HOME}
# Copy config.yml and set sonatypeWork to the correct value
COPY config.yml ${TEMP}
# hadolint ignore=DL4006,SC3060
RUN cat ${TEMP}/config.yml | sed -r "s/\s*sonatypeWork\s*:\s*\"?[-0-9a-zA-Z_/\\]+\"?/sonatypeWork: ${SONATYPE_WORK//\//\\/}/" > ${CONFIG_HOME}/config.yml \
&& chmod 0644 ${CONFIG_HOME}/config.yml
# Create start script
RUN echo "trap 'kill -TERM \`cut -f1 -d@ ${SONATYPE_WORK}/lock\`; timeout ${TIMEOUT} tail --pid=\`cut -f1 -d@ ${SONATYPE_WORK}/lock\` -f /dev/null' SIGTERM" > ${IQ_HOME}/start.sh \
&& echo "/usr/bin/java \${JAVA_OPTS} -jar nexus-iq-server-${IQ_SERVER_VERSION}.jar server ${CONFIG_HOME}/config.yml 2> ${LOGS_HOME}/stderr.log & " >> ${IQ_HOME}/start.sh \
&& echo "wait" >> ${IQ_HOME}/start.sh \
&& chmod 0755 ${IQ_HOME}/start.sh
# Download the server bundle, verify its checksum, and extract the server jar to the install directory
WORKDIR ${TEMP}
RUN curl -L https://download.sonatype.com/clm/server/nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz --output nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz \
&& echo "${IQ_SERVER_SHA256} nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz" > nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz.sha256 \
&& sha256sum -c nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz.sha256 \
&& tar -xvf nexus-iq-server-${IQ_SERVER_VERSION}-bundle.tar.gz \
&& mv nexus-iq-server-${IQ_SERVER_VERSION}.jar ${IQ_HOME}
WORKDIR ${IQ_HOME}
RUN rm -rf ${TEMP} \
# Add group and user
&& groupadd -g ${GID} nexus \
&& adduser -u ${UID} -d ${IQ_HOME} -c "Nexus IQ user" -g nexus -s /bin/false nexus \
\
# Change owner to nexus user
&& chown -R nexus:nexus ${IQ_HOME} \
&& chown -R nexus:nexus ${SONATYPE_WORK} \
&& chown -R nexus:nexus ${CONFIG_HOME} \
&& chown -R nexus:nexus ${LOGS_HOME}
# enabling back support for SHA1 signed certificates
RUN update-crypto-policies --set DEFAULT:SHA1
# This is where we will store persistent data
VOLUME ${SONATYPE_WORK}
VOLUME ${LOGS_HOME}
# Expose the ports
EXPOSE 8070
EXPOSE 8071
# Wire up health check
HEALTHCHECK CMD curl --fail --silent --show-error http://localhost:8071/healthcheck || exit 1
# Change to nexus user
USER nexus
ENV JAVA_OPTS="--add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/sun.security.rsa=ALL-UNNAMED --add-opens=java.base/sun.security.x509=ALL-UNNAMED --add-opens=java.base/sun.security.util=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xerces.internal.jaxp.datatype=ALL-UNNAMED -Djava.util.prefs.userRoot=${SONATYPE_WORK}/javaprefs"
ENV SONATYPE_INTERNAL_HOST_SYSTEM=Docker
WORKDIR ${IQ_HOME}
CMD [ "sh", "./start.sh" ]