Release Apache CouchDB 3.0.0 #7524
Diff:diff --git a/_bashbrew-arches b/_bashbrew-arches
index 6cea9c7..58ee6e0 100644
--- a/_bashbrew-arches
+++ b/_bashbrew-arches
@@ -1,2 +1,6 @@
couchdb:2 @ amd64
-couchdb:2.3.0 @ amd64
+couchdb:2 @ arm64v8
+couchdb:2 @ ppc64le
+couchdb:3 @ amd64
+couchdb:3 @ arm64v8
+couchdb:3 @ ppc64le
diff --git a/_bashbrew-list b/_bashbrew-list
index d20b15e..490c561 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -1,5 +1,7 @@
couchdb:2
couchdb:2.3
-couchdb:2.3.0
couchdb:2.3.1
+couchdb:3
+couchdb:3.0
+couchdb:3.0.0
couchdb:latest
diff --git a/couchdb_2/Dockerfile b/couchdb_2/Dockerfile
index da02869..f8ad0c9 100644
--- a/couchdb_2/Dockerfile
+++ b/couchdb_2/Dockerfile
@@ -112,17 +112,25 @@ RUN set -xe; \
chmod 777 /opt/couchdb/data /opt/couchdb/var/log; \
# Remove file that sets logging to a file
rm /opt/couchdb/etc/default.d/10-filelog.ini; \
- rm -rf /var/lib/apt/lists/*
+# Check we own everything in /opt/couchdb. Matches the command in dockerfile_entrypoint.sh
+ find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +; \
+# Setup directories and permissions for config. Technically these could be 555 and 444 respectively
+# but we keep them as 755 and 644 for consistency with CouchDB defaults and the dockerfile_entrypoint.sh.
+ find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +; \
+ find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +; \
+# only local.d needs to be writable for the docker_entrypoint.sh
+ chmod -f 0777 /opt/couchdb/etc/local.d; \
+# apt clean-up
+ rm -rf /var/lib/apt/lists/*;
# Add configuration
-COPY 10-docker-default.ini /opt/couchdb/etc/default.d/
-COPY vm.args /opt/couchdb/etc/
+COPY --chown=couchdb:couchdb 10-docker-default.ini /opt/couchdb/etc/default.d/
+COPY --chown=couchdb:couchdb vm.args /opt/couchdb/etc/
+
COPY docker-entrypoint.sh /usr/local/bin
RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards compat
ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]
-# Setup directories and permissions
-RUN chown -R couchdb:couchdb /opt/couchdb/etc/default.d/ /opt/couchdb/etc/vm.args
VOLUME /opt/couchdb/data
# 5984: Main CouchDB endpoint
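Review bot: `chmod -f 0777 /opt/couchdb/etc/local.d` leaves the directory world-writable with no sticky bit, so any uid in the container can add, replace or delete the `.ini` files that the entrypoint greps for `[admins]`. If the goal is to let the entrypoint write `docker.ini` when the container starts as a non-root uid, state that in the comment and consider `1777` or a group-writable mode with a known group, so one user cannot remove another's files. The root branch of the entrypoint also resets every directory under `/opt/couchdb/etc` to `0755`, so the effective mode of `local.d` differs between root and non-root starts; that is worth a line of documentation.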
diff --git a/couchdb_2/docker-entrypoint.sh b/couchdb_2/docker-entrypoint.sh
index 7fdb04b..be9e099 100755
--- a/couchdb_2/docker-entrypoint.sh
+++ b/couchdb_2/docker-entrypoint.sh
@@ -25,6 +25,16 @@ if [ "$1" = 'couchdb' ]; then
fi
if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
+ # this is where runtime configuration changes will be written.
+ # we need to explicitly touch it here in case /opt/couchdb/etc has
+ # been mounted as an external volume, in which case it won't exist.
+ # If running as the couchdb user (i.e. container starts as root),
+ # write permissions will be granted below.
+ touch /opt/couchdb/etc/local.d/docker.ini
+
+ # if user is root, assume running under the couchdb user (default)
+ # and ensure it is able to access files and directories that may be mounted externally
+ if [ "$(id -u)" = '0' ]; then
# Check that we own everything in /opt/couchdb and fix if necessary. We also
# add the `-f` flag in all the following invocations because there may be
# cases where some of these ownership and permissions issues are non-fatal
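Review bot: the added `touch /opt/couchdb/etc/local.d/docker.ini` runs unguarded and before the root-only ownership fix, so on a non-root start with `/opt/couchdb/etc` mounted from outside and not writable by that uid it fails with nothing but the raw `touch` error. Test the result and print a message that names the directory and the required permissions. The two added comments also contradict each other ("If running as the couchdb user (i.e. container starts as root)" and "if user is root, assume running under the couchdb user (default)"); reword them to say plainly that a root start fixes ownership and later drops to `couchdb`, while a non-root start runs as the given uid.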
@@ -47,14 +57,12 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
# for the sake of consistency.
find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
+ fi
if [ ! -z "$NODENAME" ] && ! grep "couchdb@" /opt/couchdb/etc/vm.args; then
echo "-name couchdb@$NODENAME" >> /opt/couchdb/etc/vm.args
fi
- # Ensure that CouchDB will write custom settings in this file
- touch /opt/couchdb/etc/local.d/docker.ini
-
if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then
# Create admin only if not already present
if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini; then
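Review bot: the `NODENAME` append to `/opt/couchdb/etc/vm.args` sits outside the new `if [ "$(id -u)" = '0' ]` block, but the Dockerfile change makes `vm.args` owned by `couchdb` with files under `etc` at `0644` and only `local.d` writable, so on a start under any uid other than root or `couchdb` the `>>` redirect fails. Check `[ -w /opt/couchdb/etc/vm.args ]` before appending and emit a clear error, or document that `NODENAME` is only supported when the container starts as root or as `couchdb`.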
@@ -69,7 +77,9 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
fi
fi
+ if [ "$(id -u)" = '0' ]; then
chown -f couchdb:couchdb /opt/couchdb/etc/local.d/docker.ini || true
+ fi
# if we don't find an [admins] section followed by a non-comment, display a warning
if ! grep -Pzoqr '\[admins\]\n[^;]\w+' /opt/couchdb/etc/default.d/*.ini /opt/couchdb/etc/local.d/*.ini; then
@@ -88,8 +98,9 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
EOWARN
fi
-
+ if [ "$(id -u)" = '0' ]; then
exec gosu couchdb "$@"
+ fi
fi
exec "$@"
diff --git a/couchdb_2.3.0/10-docker-default.ini b/couchdb_3/10-docker-default.ini
similarity index 89%
rename from couchdb_2.3.0/10-docker-default.ini
rename to couchdb_3/10-docker-default.ini
index c1bac9e..1aa633c 100644
--- a/couchdb_2.3.0/10-docker-default.ini
+++ b/couchdb_3/10-docker-default.ini
@@ -6,6 +6,3 @@
[chttpd]
bind_address = any
-
-[httpd]
-bind_address = any
diff --git a/couchdb_2.3.0/Dockerfile b/couchdb_3/Dockerfile
similarity index 31%
rename from couchdb_2.3.0/Dockerfile
rename to couchdb_3/Dockerfile
index ad1d3d3..74d1c46 100644
--- a/couchdb_2.3.0/Dockerfile
+++ b/couchdb_3/Dockerfile
@@ -10,7 +10,7 @@
# License for the specific language governing permissions and limitations under
# the License.
-FROM debian:stretch-slim
+FROM debian:buster-slim
LABEL maintainer="CouchDB Developers dev@couchdb.apache.org"
@@ -44,6 +44,7 @@ RUN set -ex; \
wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-$dpkgArch"; \
wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
export GNUPGHOME="$(mktemp -d)"; \
+ echo "disable-ipv6" >> ${GNUPGHOME}/dirmngr.conf; \
for server in $(shuf -e pgpkeys.mit.edu \
ha.pool.sks-keyservers.net \
hkp://p80.pool.sks-keyservers.net:80 \
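Review bot: `${GNUPGHOME}/dirmngr.conf` is unquoted in the added `echo` line, while the `export GNUPGHOME="$(mktemp -d)"` line directly above quotes the same value; write `echo "disable-ipv6" >> "${GNUPGHOME}/dirmngr.conf"` here and in the two later hunks that add the same line. A short comment saying why IPv6 is disabled for dirmngr would also help, since the reason is not stated anywhere in the diff.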
@@ -59,6 +60,7 @@ RUN set -ex; \
wget -O /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$dpkgArch"; \
wget -O /usr/local/bin/tini.asc "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$dpkgArch.asc"; \
export GNUPGHOME="$(mktemp -d)"; \
+ echo "disable-ipv6" >> ${GNUPGHOME}/dirmngr.conf; \
for server in $(shuf -e pgpkeys.mit.edu \
ha.pool.sks-keyservers.net \
hkp://p80.pool.sks-keyservers.net:80 \
@@ -77,6 +79,7 @@ ENV GPG_COUCH_KEY \
8756C4F765C9AC3CB6B85D62379CE192D401AB61
RUN set -xe; \
export GNUPGHOME="$(mktemp -d)"; \
+ echo "disable-ipv6" >> ${GNUPGHOME}/dirmngr.conf; \
for server in $(shuf -e pgpkeys.mit.edu \
ha.pool.sks-keyservers.net \
hkp://p80.pool.sks-keyservers.net:80 \
@@ -88,9 +91,9 @@ RUN set -xe; \
rm -rf "$GNUPGHOME"; \
apt-key list
-ENV COUCHDB_VERSION 2.3.0
+ENV COUCHDB_VERSION 3.0.0
-RUN echo "deb https://apache.bintray.com/couchdb-deb stretch main" > /etc/apt/sources.list.d/couchdb.list
+RUN echo "deb https://apache.bintray.com/couchdb-deb buster main" > /etc/apt/sources.list.d/couchdb.list
# https://github.com/apache/couchdb-pkg/blob/master/debian/README.Debian
RUN set -xe; \
@@ -99,7 +102,7 @@ RUN set -xe; \
echo "couchdb couchdb/mode select none" | debconf-set-selections; \
# we DO want recommends this time
DEBIAN_FRONTEND=noninteractive apt-get install -y --allow-downgrades --allow-remove-essential --allow-change-held-packages \
- couchdb="$COUCHDB_VERSION"~stretch \
+ couchdb="$COUCHDB_VERSION"~buster \
; \
# Undo symlinks to /var/log and /var/lib
rmdir /var/lib/couchdb /var/log/couchdb; \
@@ -109,17 +112,25 @@ RUN set -xe; \
chmod 777 /opt/couchdb/data /opt/couchdb/var/log; \
# Remove file that sets logging to a file
rm /opt/couchdb/etc/default.d/10-filelog.ini; \
- rm -rf /var/lib/apt/lists/*
+# Check we own everything in /opt/couchdb. Matches the command in dockerfile_entrypoint.sh
+ find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +; \
+# Setup directories and permissions for config. Technically these could be 555 and 444 respectively
+# but we keep them as 755 and 644 for consistency with CouchDB defaults and the dockerfile_entrypoint.sh.
+ find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +; \
+ find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +; \
+# only local.d needs to be writable for the docker_entrypoint.sh
+ chmod -f 0777 /opt/couchdb/etc/local.d; \
+# apt clean-up
+ rm -rf /var/lib/apt/lists/*;
# Add configuration
-COPY 10-docker-default.ini /opt/couchdb/etc/default.d/
-COPY vm.args /opt/couchdb/etc/
+COPY --chown=couchdb:couchdb 10-docker-default.ini /opt/couchdb/etc/default.d/
+COPY --chown=couchdb:couchdb vm.args /opt/couchdb/etc/
+
COPY docker-entrypoint.sh /usr/local/bin
RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards compat
ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]
-# Setup directories and permissions
-RUN chown -R couchdb:couchdb /opt/couchdb/etc/default.d/ /opt/couchdb/etc/vm.args
VOLUME /opt/couchdb/data
# 5984: Main CouchDB endpoint
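Review bot: the added comments refer to `dockerfile_entrypoint.sh` and `docker_entrypoint.sh`, but the script copied a few lines below is `docker-entrypoint.sh`. Use the real file name in both comments so that a search for it finds them; the same wording appears in the `couchdb_2/Dockerfile` hunk.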
diff --git a/couchdb_2.3.0/docker-entrypoint.sh b/couchdb_3/docker-entrypoint.sh
similarity index 43%
rename from couchdb_2.3.0/docker-entrypoint.sh
rename to couchdb_3/docker-entrypoint.sh
index 7fdb04b..d7353f2 100755
--- a/couchdb_2.3.0/docker-entrypoint.sh
+++ b/couchdb_3/docker-entrypoint.sh
@@ -25,6 +25,16 @@ if [ "$1" = 'couchdb' ]; then
fi
if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
+ # this is where runtime configuration changes will be written.
+ # we need to explicitly touch it here in case /opt/couchdb/etc has
+ # been mounted as an external volume, in which case it won't exist.
+ # If running as the couchdb user (i.e. container starts as root),
+ # write permissions will be granted below.
+ touch /opt/couchdb/etc/local.d/docker.ini
+
+ # if user is root, assume running under the couchdb user (default)
+ # and ensure it is able to access files and directories that may be mounted externally
+ if [ "$(id -u)" = '0' ]; then
# Check that we own everything in /opt/couchdb and fix if necessary. We also
# add the `-f` flag in all the following invocations because there may be
# cases where some of these ownership and permissions issues are non-fatal
@@ -47,14 +57,12 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
# for the sake of consistency.
find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
+ fi
if [ ! -z "$NODENAME" ] && ! grep "couchdb@" /opt/couchdb/etc/vm.args; then
echo "-name couchdb@$NODENAME" >> /opt/couchdb/etc/vm.args
fi
- # Ensure that CouchDB will write custom settings in this file
- touch /opt/couchdb/etc/local.d/docker.ini
-
if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then
# Create admin only if not already present
if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini; then
@@ -69,27 +77,30 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
fi
fi
+ if [ "$(id -u)" = '0' ]; then
chown -f couchdb:couchdb /opt/couchdb/etc/local.d/docker.ini || true
+ fi
# if we don't find an [admins] section followed by a non-comment, display a warning
if ! grep -Pzoqr '\[admins\]\n[^;]\w+' /opt/couchdb/etc/default.d/*.ini /opt/couchdb/etc/local.d/*.ini; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: CouchDB is running in Admin Party mode.
- This will allow anyone with access to the
- CouchDB port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
- Use "-e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password"
- to set it in "docker run".
- ****************************************************
- EOWARN
+*************************************************************
+ERROR: CouchDB 3.0+ will no longer run in "Admin Party"
+ mode. You *MUST* specify an admin user and
+ password, either via your own .ini file mapped
+ into the container at /opt/couchdb/etc/local.ini
+ or inside /opt/couchdb/etc/local.d, or with
+ "-e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password"
+ to set it via "docker run".
+*************************************************************
+EOWARN
+ exit 1
fi
-
+ if [ "$(id -u)" = '0' ]; then
exec gosu couchdb "$@"
+ fi
fi
exec "$@"
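Review bot: the new error text tells users they may supply an admin through `/opt/couchdb/etc/local.ini`, but the `grep` that guards `exit 1` only searches `/opt/couchdb/etc/default.d/*.ini` and `/opt/couchdb/etc/local.d/*.ini`, so a container configured exactly as the message suggests would still exit. Add `/opt/couchdb/etc/local.ini` to the `grep` arguments (tolerating its absence) or drop that path from the message. The context comment above the check still says "display a warning" and should be updated now that the branch exits.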
diff --git a/couchdb_2.3.0/vm.args b/couchdb_3/vm.args
similarity index 100%
rename from couchdb_2.3.0/vm.args
rename to couchdb_3/vm.args |
Build test of #7524; 72659f6; $ bashbrew build couchdb:latest
Building bashbrew/cache:7a8e4f3585854540284edc693df3d2b8d9d8bfd2b84a6c7d67f9f6da597de962 (couchdb:latest)
Tagging couchdb:latest
Tagging couchdb:3.0.0
Tagging couchdb:3.0
Tagging couchdb:3
$ test/run.sh couchdb:latest
testing couchdb:latest
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...passed
'override-cmd' [4/4]...passed
$ bashbrew build couchdb:2.3.1
Building bashbrew/cache:b105c1922d19fac4e7a95a910604951e93a8351c5e650b17efff47903c354b35 (couchdb:2.3.1)
Tagging couchdb:2.3.1
Tagging couchdb:2.3
Tagging couchdb:2
$ test/run.sh couchdb:2.3.1
testing couchdb:2.3.1
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...passed
'override-cmd' [4/4]...passed
I want to clarify, did you mean noon or midnight UTC here? It builds successfully now (as seen in the build test above), so the artifacts are already available and we're happy to merge whenever you're ready (changes look good), but we don't want to do so too early if there's an official announcement or something you wanted to wait for. 👍
In ~12 hours from now, 12:00 not 00:00 UTC. Yes please hold this for another half a day :)
@tianon hey, sorry, we're holding the release for another 24h, can you hold this until 2020-02-27 12:00 UTC or until we let you know if it can go sooner? Thanks. Sorry about that, Windows binary signing problems: https://issues.apache.org/jira/browse/INFRA-19888
Yep, no worries! (and good luck! 😬)
Thanks @tianon! Unfortunately, we found a blocker in another part of the release cycle. The fix for that is unrelated to the Docker image, but it’d be great if you could hold this until further notice. Tentative ETA is 2020-02-27 09:00 UTC, but we can’t quite confirm that just yet.
@tianon Scratch that, release now - or whenever is convenient for you. We're good to go!
Glad you got it worked out! 👍
3.0.0 releases tomorrow. If acceptable, this PR may be merged anytime after 2020-02-26 12:00 UTC.