Merge pull request #70 from cryptoya/master

Fix security risks and optimize docker scripts
apache · Feb 17, 2023 · 260e6a3 · 260e6a3
2 parents 6caf9c7 + 15ceb4f
commit 260e6a3
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 53 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 stages/
 
-.idea/
+.idea/
+*.py
diff --git a/image-build-ci/Dockerfile-alpine b/image-build-ci/Dockerfile-alpine
@@ -18,18 +18,9 @@
 ARG BASE_IMAGE
 FROM $BASE_IMAGE
 
-RUN apk add --no-cache bash gettext nmap-ncat openssl busybox-extras libc6-compat
-
-ARG user=rocketmq
-ARG group=rocketmq
-ARG uid=3000
-ARG gid=3000
+USER root
 
-# RocketMQ is run with user `rocketmq`, uid = 3000
-# If you bind mount a volume from the host or a data container,
-# ensure you use the same uid
-RUN addgroup --gid ${gid} ${group} \
-    && adduser --uid ${uid} -G ${group} ${user} -s /bin/bash -D
+RUN apk add --no-cache bash gettext nmap-ncat openssl busybox-extras libc6-compat
 
 ARG version
 
@@ -58,6 +49,7 @@ RUN chown -R ${uid}:${gid} ${ROCKETMQ_HOME}
 EXPOSE 9876 8080 8081 7001
 
 RUN mv ${ROCKETMQ_HOME}/bin/runserver-customize.sh ${ROCKETMQ_HOME}/bin/runserver.sh \
+ && mv ${ROCKETMQ_HOME}/bin/tools-customize.sh ${ROCKETMQ_HOME}/bin/tools.sh \
  && chmod a+x ${ROCKETMQ_HOME}/bin/runserver.sh \
  && chmod a+x ${ROCKETMQ_HOME}/bin/mqadmin \
  && chmod a+x ${ROCKETMQ_HOME}/bin/mqnamesrv \
@@ -76,6 +68,4 @@ RUN export JAVA_OPT=" -Duser.home=/opt"
 # Add ${JAVA_HOME}/lib/ext as java.ext.dirs
 RUN sed -i 's/${JAVA_HOME}\/jre\/lib\/ext/${JAVA_HOME}\/jre\/lib\/ext:${JAVA_HOME}\/lib\/ext/' ${ROCKETMQ_HOME}/bin/tools.sh
 
-USER ${user}
-
 WORKDIR ${ROCKETMQ_HOME}/bin
diff --git a/image-build-ci/Dockerfile-centos b/image-build-ci/Dockerfile-centos
@@ -18,25 +18,11 @@
 ARG BASE_IMAGE
 FROM $BASE_IMAGE
 
+USER root
+
 RUN yum install -y java-1.8.0-openjdk-devel.x86_64 unzip gettext nmap-ncat openssl, which gnupg, telnet \
  && yum clean all -y
 
-# FROM openjdk:8-jdk
-# RUN apt-get update && apt-get install -y --no-install-recommends \
-#		bash libapr1 unzip telnet wget gnupg ca-certificates \
-#	&& rm -rf /var/lib/apt/lists/*
-
-ARG user=rocketmq
-ARG group=rocketmq
-ARG uid=3000
-ARG gid=3000
-
-# RocketMQ is run with user `rocketmq`, uid = 3000
-# If you bind mount a volume from the host or a data container,
-# ensure you use the same uid
-RUN groupadd -g ${gid} ${group} \
-    && useradd -u ${uid} -g ${gid} -m -s /bin/bash ${user}
-
 ARG version
 
 # Rocketmq version
@@ -64,6 +50,7 @@ RUN chown -R ${uid}:${gid} ${ROCKETMQ_HOME}
 EXPOSE 9876 8080 8081 7001
 
 RUN mv ${ROCKETMQ_HOME}/bin/runserver-customize.sh ${ROCKETMQ_HOME}/bin/runserver.sh \
+ && mv ${ROCKETMQ_HOME}/bin/tools-customize.sh ${ROCKETMQ_HOME}/bin/tools.sh \
  && chmod a+x ${ROCKETMQ_HOME}/bin/runserver.sh \
  && chmod a+x ${ROCKETMQ_HOME}/bin/mqadmin \
  && chmod a+x ${ROCKETMQ_HOME}/bin/mqnamesrv \
@@ -82,6 +69,4 @@ RUN export JAVA_OPT=" -Duser.home=/opt"
 # Add ${JAVA_HOME}/lib/ext as java.ext.dirs
 RUN sed -i 's/${JAVA_HOME}\/jre\/lib\/ext/${JAVA_HOME}\/jre\/lib\/ext:${JAVA_HOME}\/lib\/ext/' ${ROCKETMQ_HOME}/bin/tools.sh
 
-USER ${user}
-
 WORKDIR ${ROCKETMQ_HOME}/bin
diff --git a/image-build-ci/Dockerfile-ubuntu b/image-build-ci/Dockerfile-ubuntu
@@ -18,27 +18,18 @@
 ARG BASE_IMAGE
 FROM $BASE_IMAGE
 
-RUN apt-get update && apt-get install -y --no-install-recommends \
-		bash unzip telnet wget gnupg ca-certificates
-
-ARG user=rocketmq
-ARG group=rocketmq
-ARG uid=3000
-ARG gid=3000
+USER root
 
-# RocketMQ is run with user `rocketmq`, uid = 3000
-# If you bind mount a volume from the host or a data container,
-# ensure you use the same uid
-RUN groupadd -g ${gid} ${group} \
-    && useradd -u ${uid} -g ${gid} -m -s /bin/bash ${user}
+RUN apt-get update && apt-get install -y --no-install-recommends \
+		bash vim unzip telnet openssl wget gnupg ca-certificates
 
 ARG version
 
 # Rocketmq version
 ENV ROCKETMQ_VERSION ${version}
 
 # Rocketmq home
-ENV ROCKETMQ_HOME  /home/rocketmq/rocketmq-${ROCKETMQ_VERSION}
+ENV ROCKETMQ_HOME  /root/rocketmq-${ROCKETMQ_VERSION}
 
 WORKDIR  ${ROCKETMQ_HOME}
 
@@ -64,6 +55,7 @@ unzip jacoco-0.8.8.zip -d jacoco
 ENV JAVA_OPT="-javaagent:${ROCKETMQ_HOME}/jacoco/lib/jacocoagent.jar=includes=*,output=tcpserver,port=2023,address=0.0.0.0"
 
 RUN mv ${ROCKETMQ_HOME}/bin/runserver-customize.sh ${ROCKETMQ_HOME}/bin/runserver.sh \
+ && mv ${ROCKETMQ_HOME}/bin/tools-customize.sh ${ROCKETMQ_HOME}/bin/tools.sh \
  && chmod a+x ${ROCKETMQ_HOME}/bin/runserver.sh \
  && chmod a+x ${ROCKETMQ_HOME}/bin/mqadmin \
  && chmod a+x ${ROCKETMQ_HOME}/bin/mqnamesrv \
@@ -82,6 +74,4 @@ RUN export JAVA_OPT=" -Duser.home=/opt"
 # Add ${JAVA_HOME}/lib/ext as java.ext.dirs
 RUN sed -i 's/${JAVA_HOME}\/jre\/lib\/ext/${JAVA_HOME}\/jre\/lib\/ext:${JAVA_HOME}\/lib\/ext/' ${ROCKETMQ_HOME}/bin/tools.sh
 
-USER ${user}
-
 WORKDIR ${ROCKETMQ_HOME}/bin
diff --git a/image-build-ci/build-image-local.sh b/image-build-ci/build-image-local.sh
@@ -15,24 +15,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-if [ $# -lt 6 ]; then
-  echo -e "Usage: sh $0 ROCKETMQ_VERSION BASE_IMAGE JAVA_VERSION IMAGE_REPO IMAGE_REPO_USERNAME IMAGE_REPO_PASSWORD"
+if [ $# -lt 4 ]; then
+  echo -e "Usage: sh $0 ROCKETMQ_VERSION BASE_IMAGE JAVA_VERSION IMAGE_REPO "
   exit -1
 fi
 
 ROCKETMQ_VERSION=$1
 BASE_IMAGE=$2
 JAVA_VERSION=$3
 IMAGE_REPO=$4
-IMAGE_REPO_USERNAME=$5
-IMAGE_REPO_PASSWORD=$6
 
 TAG=${ROCKETMQ_VERSION}-$(echo $BASE_IMAGE | sed -e "s/:/-/g")
 
 cp -r ../../rocketmq ./
 
-docker login --username=$IMAGE_REPO_USERNAME --password=$IMAGE_REPO_PASSWORD ${IMAGE_REPO%%/*}
-
 # Build rocketmq
 case "${BASE_IMAGE}" in
 #alpine)

diff --git a/image-build-ci/scripts/tools-customize.sh b/image-build-ci/scripts/tools-customize.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#===========================================================================================
+# Java Environment Setting
+#===========================================================================================
+error_exit ()
+{
+    echo "ERROR: $1 !!"
+    exit 1
+}
+
+[ ! -e "$JAVA_HOME/bin/java" ] && JAVA_HOME=$HOME/jdk/java
+[ ! -e "$JAVA_HOME/bin/java" ] && JAVA_HOME=/usr/java
+[ ! -e "$JAVA_HOME/bin/java" ] && error_exit "Please set the JAVA_HOME variable in your environment, We need java(x64)!"
+
+export JAVA_HOME
+export JAVA="$JAVA_HOME/bin/java"
+export BASE_DIR=$(dirname $0)/..
+export CLASSPATH=.:${BASE_DIR}/conf:${BASE_DIR}/lib/*:${CLASSPATH}
+
+#===========================================================================================
+# JVM Configuration
+#===========================================================================================
+JAVA_OPTS="${JAVA_OPTS} -server -Xms1g -Xmx1g -Xmn256m -XX:MetaspaceSize=128m -XX:MaxMetaspaceSize=128m"
+JAVA_OPTS="${JAVA_OPTS} -cp ${CLASSPATH}"
+
+$JAVA ${JAVA_OPTS} "$@"
-Original file line number
+Diff line change
@@ -1,3 +1,4 @@
     stages/
-    .idea/
+    .idea/
+    *.py