

@hutchic
Contributor

@hutchic hutchic commented Apr 24, 2020

No description provided.

@yosifkit
Member

Unfortunately our build systems cannot handle variables in COPY statements.

@yosifkit
Member

Diff:
diff --git a/_bashbrew-list b/_bashbrew-list
index 75a48c9..37e7aba 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -37,10 +37,10 @@ kong:1.5.1-ubuntu
 kong:2.0
 kong:2.0-centos
 kong:2.0-ubuntu
-kong:2.0.3
-kong:2.0.3-alpine
-kong:2.0.3-centos
-kong:2.0.3-ubuntu
+kong:2.0.4
+kong:2.0.4-alpine
+kong:2.0.4-centos
+kong:2.0.4-ubuntu
 kong:alpine
 kong:centos
 kong:latest
diff --git a/kong_alpine/Dockerfile b/kong_alpine/Dockerfile
index a244604..3717bef 100644
--- a/kong_alpine/Dockerfile
+++ b/kong_alpine/Dockerfile
@@ -1,29 +1,44 @@
-FROM alpine:3.10
-LABEL maintainer="Kong Core Team <team-core@konghq.com>"
+FROM alpine:3.11
 
-ENV KONG_VERSION 2.0.3
-ENV KONG_SHA256 db6a8ac847c347fb4d49c4763181c529bb9584187cdccdcc657ce00d605c99ac
+LABEL maintainer="Kong <support@konghq.com>"
 
+ARG ASSET=ce
+ENV ASSET $ASSET
 
-RUN adduser -S kong \
+COPY empty-kong.tar.gz /tmp/kong.tar.gz
+
+ARG KONG_VERSION=2.0.4
+ENV KONG_VERSION $KONG_VERSION
+
+ARG KONG_SHA256="457dd0172ae2de2e0b71ce625f78e06449faf38fd734dd6825eb7782d74cb77e"
+ENV KONG_SHA256 $KONG_SHA256
+
+RUN set -ex; \
+    if [ "$ASSET" = "local" ] ; then exit 0 ; \
+    elif [ "$ASSET" = "ce" ] ; then \
+        apk add --no-cache --virtual .build-deps curl wget tar ca-certificates && \
+        curl -L "https://bintray.com/kong/kong-alpine-tar/download_file?file_path=kong-$KONG_VERSION.amd64.apk.tar.gz" -o /tmp/kong.tar.gz && \
+        echo "$KONG_SHA256  /tmp/kong.tar.gz" | sha256sum -c -; \
+        apk del .build-deps; \
+    fi
+
+RUN mkdir /kong; \
+	tar -C /kong -xzf /tmp/kong.tar.gz && \
+	mv /kong/usr/local/* /usr/local && \
+	mv /kong/etc/* /etc && \
+	rm -rf /kong
+
+RUN apk add --no-cache libgcc openssl pcre perl tzdata libcap zip bash \
+    && adduser -S kong \
     && mkdir -p "/usr/local/kong" \
-	&& apk add --no-cache --virtual .build-deps curl wget tar ca-certificates \
-	&& apk add --no-cache libgcc openssl pcre perl tzdata libcap su-exec zip \
-	&& wget -O kong.tar.gz "https://bintray.com/kong/kong-alpine-tar/download_file?file_path=kong-$KONG_VERSION.amd64.apk.tar.gz" \
-	&& echo "$KONG_SHA256 *kong.tar.gz" | sha256sum -c - \
-	&& tar -xzf kong.tar.gz -C /tmp \
-	&& rm -f kong.tar.gz \
-	&& cp -R /tmp/usr / \
-	&& rm -rf /tmp/usr \
-	&& cp -R /tmp/etc / \
-	&& rm -rf /tmp/etc \
 	&& chown -R kong:0 /usr/local/kong \
+	&& chown kong:0 /usr/local/bin/kong \
 	&& chmod -R g=u /usr/local/kong
 
-USER kong
-
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
+USER kong
+
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
 EXPOSE 8000 8443 8001 8444
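Review bot: `chown kong:0 /usr/local/bin/kong`, added alongside `chown -R kong:0 /usr/local/kong` and `chmod -R g=u /usr/local/kong`, makes the launcher the container executes writable by the unprivileged runtime user, so a compromised kong process could overwrite `/usr/local/bin/kong` and persist across restarts of the same container. The replaced Dockerfile only chowned the prefix directory; unless kong has to modify its own launcher at run time (which I cannot tell from here), keep that file root-owned, or add a comment stating why the ownership change is required, e.g. `# kong must own its launcher because <reason>`. It would also help to note next to `ARG ASSET=ce` that the `sha256sum -c` only runs in the `ce` branch, so an `ASSET=local` build extracts whatever was COPY'd in with no integrity check.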
diff --git a/kong_alpine/docker-entrypoint.sh b/kong_alpine/docker-entrypoint.sh
index 326eef5..2e4bb9f 100755
--- a/kong_alpine/docker-entrypoint.sh
+++ b/kong_alpine/docker-entrypoint.sh
@@ -1,13 +1,36 @@
-#!/bin/sh
-set -e
+#!/usr/bin/env bash
+set -Eeo pipefail
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
 
 export KONG_NGINX_DAEMON=off
 
 if [[ "$1" == "kong" ]]; then
   PREFIX=${KONG_PREFIX:=/usr/local/kong}
+  file_env KONG_PG_PASSWORD
 
   if [[ "$2" == "docker-start" ]]; then
-    kong prepare -p "$PREFIX"
+    kong prepare -p "$PREFIX" "$@"
 
     ln -sf /dev/stdout $PREFIX/logs/access.log
     ln -sf /dev/stdout $PREFIX/logs/admin_access.log
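Review bot: `kong prepare -p "$PREFIX" "$@"` forwards the whole argument vector, so the literal `kong docker-start` that the two `[[` tests just matched are handed to `kong prepare` as positional arguments; if the intent is to pass through only the user's extra flags, that is `kong prepare -p "$PREFIX" "${@:3}"`. I cannot tell from this hunk whether `kong prepare` tolerates stray positionals, so please confirm against the CLI before changing it. As a minor point, the surrounding `ln -sf /dev/stdout $PREFIX/logs/...` lines leave `$PREFIX` unquoted while the new line quotes it. The `if [[ "$1" == "kong" ]]` block continues past the end of this hunk.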
diff --git a/_bashbrew-shared-tags b/kong_alpine/empty-kong.tar.gz
similarity index 100%
copy from _bashbrew-shared-tags
copy to kong_alpine/empty-kong.tar.gz
diff --git a/kong_centos/Dockerfile b/kong_centos/Dockerfile
index d43f3e3..622653e 100644
--- a/kong_centos/Dockerfile
+++ b/kong_centos/Dockerfile
@@ -1,23 +1,41 @@
 FROM centos:7
-LABEL maintainer="Kong Core Team <team-core@konghq.com>"
+LABEL maintainer="Kong <support@konghq.com>"
 
-ENV KONG_VERSION 2.0.3
+ARG ASSET=ce
+ENV ASSET $ASSET
 
-RUN yum install -y -q unzip \
+COPY empty-kong.rpm /tmp/kong.rpm
+
+ARG KONG_VERSION=2.0.4
+ENV KONG_VERSION $KONG_VERSION
+
+ARG KONG_SHA256="16a934a7bc2e182f00f03bd75b67f4bdb483150b3820d33cab9b0c95539dd353"
+ENV KONG_SHA256 $KONG_SHA256
+
+RUN set -ex; \
+    if [ "$ASSET" = "local" ] ; then exit 0 ; \
+    elif [ "$ASSET" = "ce" ] ; then \
+        curl -L "https://bintray.com/kong/kong-rpm/download_file?file_path=centos/7/kong-$KONG_VERSION.el7.amd64.rpm" -o /tmp/kong.rpm && \
+        echo "$KONG_SHA256  /tmp/kong.rpm" | sha256sum -c -; \
+    fi
+
+RUN yum install -y -q unzip shadow-utils \
 	&& yum clean all -q \
 	&& rm -fr /var/cache/yum/* /tmp/yum_save*.yumtx /root/.pki
 
 RUN useradd kong \
 	&& mkdir -p "/usr/local/kong" \
-	&& yum install -y https://bintray.com/kong/kong-rpm/download_file?file_path=centos/7/kong-$KONG_VERSION.el7.amd64.rpm \
+	&& yum install -y /tmp/kong.rpm \
 	&& yum clean all \
+	&& rm /tmp/kong.rpm \
 	&& chown -R kong:0 /usr/local/kong \
+	&& chown kong:0 /usr/local/bin/kong \
 	&& chmod -R g=u /usr/local/kong
 
-USER kong
-
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
+USER kong
+
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
 EXPOSE 8000 8443 8001 8444
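Review bot: The only integrity check on the package is the `sha256sum -c` inside the `ce` branch; with `ASSET=local` the step exits before it, and `yum install -y /tmp/kong.rpm` later installs whatever replaced `empty-kong.rpm` with no checksum at all. That is presumably meant for local development builds, but nothing in the file says so, and the same `ARG` would be honoured by anyone rebuilding the image. A comment next to the argument would make the trade-off explicit: `# ASSET=local skips both the download and the checksum; for local dev builds only`.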
diff --git a/kong_centos/docker-entrypoint.sh b/kong_centos/docker-entrypoint.sh
index 326eef5..2e4bb9f 100755
--- a/kong_centos/docker-entrypoint.sh
+++ b/kong_centos/docker-entrypoint.sh
@@ -1,13 +1,36 @@
-#!/bin/sh
-set -e
+#!/usr/bin/env bash
+set -Eeo pipefail
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
 
 export KONG_NGINX_DAEMON=off
 
 if [[ "$1" == "kong" ]]; then
   PREFIX=${KONG_PREFIX:=/usr/local/kong}
+  file_env KONG_PG_PASSWORD
 
   if [[ "$2" == "docker-start" ]]; then
-    kong prepare -p "$PREFIX"
+    kong prepare -p "$PREFIX" "$@"
 
     ln -sf /dev/stdout $PREFIX/logs/access.log
     ln -sf /dev/stdout $PREFIX/logs/admin_access.log
diff --git a/_bashbrew-shared-tags b/kong_centos/empty-kong.rpm
similarity index 100%
copy from _bashbrew-shared-tags
copy to kong_centos/empty-kong.rpm
diff --git a/kong_ubuntu/Dockerfile b/kong_ubuntu/Dockerfile
index 9f6ac7b..3e2ea3e 100644
--- a/kong_ubuntu/Dockerfile
+++ b/kong_ubuntu/Dockerfile
@@ -1,18 +1,40 @@
 FROM ubuntu:xenial
-LABEL maintainer="Kong Core Team <team-core@konghq.com>"
 
-ENV KONG_VERSION 2.0.3
+ARG ASSET=ce
+ENV ASSET $ASSET
+
+COPY empty-kong.deb /tmp/kong.deb
+
+ARG KONG_VERSION=2.0.4
+ENV KONG_VERSION $KONG_VERSION
+
+RUN set -ex; \
+    if [ "$ASSET" = "local" ] ; then exit 0 ; \
+    elif [ "$ASSET" = "ce" ] ; then \
+        apt-get update && \
+        apt-get install -y curl && \
+        curl -L "https://bintray.com/kong/kong-deb/download_file?file_path=kong-$KONG_VERSION.xenial.$(dpkg --print-architecture).deb" -o /tmp/kong.deb && \
+        apt-get purge -y curl; \
+    fi
 
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends ca-certificates curl perl unzip \
+    && apt-get install -y --no-install-recommends perl unzip \
     && rm -rf /var/lib/apt/lists/* \
-    && curl -fsSLo kong.deb https://bintray.com/kong/kong-deb/download_file?file_path=kong-${KONG_VERSION}.xenial.$(dpkg --print-architecture).deb \
-    && apt-get purge -y --auto-remove ca-certificates curl \
-	&& dpkg -i kong.deb \
-	&& rm -rf kong.deb
+	&& dpkg -i /tmp/kong.deb \
+	&& rm -rf /tmp/kong.deb
+
+RUN useradd -ms /bin/bash kong \
+    && mkdir -p "/usr/local/kong" \
+	&& chown -R kong:0 /usr/local/kong \
+	&& chown kong:0 /usr/local/bin/kong \
+	&& chmod -R g=u /usr/local/kong
 
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
+USER kong
+
+RUN kong version
+
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
 EXPOSE 8000 8443 8001 8444
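Review bot: `apt-get purge -y curl` drops the `--auto-remove` that the replaced `apt-get purge -y --auto-remove ca-certificates curl` had, so curl's pulled-in dependencies stay in the image, and the lists fetched by the `apt-get update` in this step are never removed because the `rm -rf /var/lib/apt/lists/*` lives in a later RUN; `apt-get purge -y --auto-remove curl && rm -rf /var/lib/apt/lists/*` keeps the layer as lean as before. Separately, `curl` sits in the middle of an `&&` list and `set -e` only reacts to the command after the final `&&`, so a failed download does not stop this step — the build only breaks later when `dpkg -i` rejects the placeholder file. With no checksum on this variant, a clear failure signal matters more, so either make the download the last element of the list or follow it with `[ -s /tmp/kong.deb ]`.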
diff --git a/kong_ubuntu/docker-entrypoint.sh b/kong_ubuntu/docker-entrypoint.sh
index 52c9ca2..9281a7e 100755
--- a/kong_ubuntu/docker-entrypoint.sh
+++ b/kong_ubuntu/docker-entrypoint.sh
@@ -1,13 +1,36 @@
-#!/bin/bash
-set -e
+#!/usr/bin/env bash
+set -Eeo pipefail
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
 
 export KONG_NGINX_DAEMON=off
 
 if [[ "$1" == "kong" ]]; then
   PREFIX=${KONG_PREFIX:=/usr/local/kong}
+  file_env KONG_PG_PASSWORD
 
   if [[ "$2" == "docker-start" ]]; then
-    kong prepare -p "$PREFIX"
+    kong prepare -p "$PREFIX" "$@"
 
     exec /usr/local/openresty/nginx/sbin/nginx \
       -p "$PREFIX" \
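Review bot: `set -Eeo pipefail` stops short of `-u`, even though `file_env` is already written to tolerate it (`${!var:-}`, `${!fileVar:-}`, `${2:-}`), so a mistyped variable name anywhere else in the script silently expands to an empty string; `set -Eeuo pipefail` would surface that. `-E` only has an effect together with an `ERR` trap, and none is installed in this hunk, so it is currently inert — either add the trap or drop the flag. The `if [[ "$1" == "kong" ]]` block and the `exec ... nginx` command continue past the end of this hunk.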
diff --git a/_bashbrew-shared-tags b/kong_ubuntu/empty-kong.deb
similarity index 100%
copy from _bashbrew-shared-tags
copy to kong_ubuntu/empty-kong.deb

@yosifkit
Member

The downloading of the tar, extracting the tar, and chowning the result need to happen in a single RUN line. Since it is impossible to change/delete things in a previous layer, the image is about 80 MB larger than it could be (kong.tar.gz in first RUN layer and the copy of /usr/local/kong caused by the chown in the third RUN)

Can be addressed later: If used, image label names should adhere to the image spec: https://github.com/opencontainers/image-spec/blob/v1.0.1/annotations.md.

@hutchic
Contributor Author

hutchic commented Apr 28, 2020

updated to merge some of the RUN commands

@yosifkit
Member

RUN ... \
	&& chown -R kong:0 /usr/local/kong \
	&& chown kong:0 /usr/local/bin/kong \
	&& chmod -R g=u /usr/local/kong

These three chown commands are modifying files from the previous layer and thus making a copy of them. Perhaps the user could be created in a RUN before downloading and then the files can be chowned in the layer that they are downloaded+extracted/installed in.

The centos version still downloads the /tmp/kong.rpm and then removes it in a later RUN (no space will be saved by the rm).


@yosifkit yosifkit requested a review from tianon April 29, 2020 20:01
@tianon
Copy link
Member

tianon commented Apr 29, 2020

A few notes:

  1. invocations of curl should include -f so they fail appropriately if the server returns an error code

  2. downloading of the .deb doesn't appear to have a SHA256 like the RPM and Alpine builds do -- is that just an oversight?

  3. if you update beyond Ubuntu Xenial, you could use apt-get install -y /tmp/kong.deb instead of the fragile logic around dpkg -i

Given the Ubuntu-based variants were intended to be a stop-gap, I'd love to revisit #6661 (comment) -- any luck resolving that?

@hutchic
Contributor Author

hutchic commented Apr 30, 2020

  1. invocations of curl should include -f so they fail appropriately if the server returns an error code

I'll update

  1. downloading of the .deb doesn't appear to have a SHA256 like the RPM and Alpine builds do -- is that just an oversight?

this is not an oversight. Our build process automatically updates our Dockerfiles, and handling the arm and amd64 variants was difficult/fragile, so we opted to go without the SHA check

Given the Ubuntu-based variants were intended to be a stop-gap, I'd love to revisit #6661 (comment) -- any luck resolving that?

The arm variants have been well received as such I'll make sure we circle back and revisit this soon

@yosifkit
Member

yosifkit commented May 5, 2020

Diff:
diff --git a/_bashbrew-list b/_bashbrew-list
index 75a48c9..37e7aba 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -37,10 +37,10 @@ kong:1.5.1-ubuntu
 kong:2.0
 kong:2.0-centos
 kong:2.0-ubuntu
-kong:2.0.3
-kong:2.0.3-alpine
-kong:2.0.3-centos
-kong:2.0.3-ubuntu
+kong:2.0.4
+kong:2.0.4-alpine
+kong:2.0.4-centos
+kong:2.0.4-ubuntu
 kong:alpine
 kong:centos
 kong:latest
diff --git a/kong_alpine/Dockerfile b/kong_alpine/Dockerfile
index a244604..f13ad07 100644
--- a/kong_alpine/Dockerfile
+++ b/kong_alpine/Dockerfile
@@ -1,29 +1,42 @@
-FROM alpine:3.10
-LABEL maintainer="Kong Core Team <team-core@konghq.com>"
-
-ENV KONG_VERSION 2.0.3
-ENV KONG_SHA256 db6a8ac847c347fb4d49c4763181c529bb9584187cdccdcc657ce00d605c99ac
-
-
-RUN adduser -S kong \
-	&& mkdir -p "/usr/local/kong" \
-	&& apk add --no-cache --virtual .build-deps curl wget tar ca-certificates \
-	&& apk add --no-cache libgcc openssl pcre perl tzdata libcap su-exec zip \
-	&& wget -O kong.tar.gz "https://bintray.com/kong/kong-alpine-tar/download_file?file_path=kong-$KONG_VERSION.amd64.apk.tar.gz" \
-	&& echo "$KONG_SHA256 *kong.tar.gz" | sha256sum -c - \
-	&& tar -xzf kong.tar.gz -C /tmp \
-	&& rm -f kong.tar.gz \
-	&& cp -R /tmp/usr / \
-	&& rm -rf /tmp/usr \
-	&& cp -R /tmp/etc / \
-	&& rm -rf /tmp/etc \
-	&& chown -R kong:0 /usr/local/kong \
-	&& chmod -R g=u /usr/local/kong
-
-USER kong
+FROM alpine:3.11
+
+LABEL maintainer="Kong <support@konghq.com>"
+
+ARG ASSET=ce
+ENV ASSET $ASSET
+
+COPY empty-kong.tar.gz /tmp/kong.tar.gz
+
+ARG KONG_VERSION=2.0.4
+ENV KONG_VERSION $KONG_VERSION
+
+ARG KONG_SHA256="457dd0172ae2de2e0b71ce625f78e06449faf38fd734dd6825eb7782d74cb77e"
+ENV KONG_SHA256 $KONG_SHA256
+
+RUN set -ex; \
+    if [ "$ASSET" = "local" ] ; then exit 0 ; \
+    elif [ "$ASSET" = "ce" ] ; then \
+        apk add --no-cache --virtual .build-deps curl wget tar ca-certificates && \
+        curl -fL "https://bintray.com/kong/kong-alpine-tar/download_file?file_path=kong-$KONG_VERSION.amd64.apk.tar.gz" -o /tmp/kong.tar.gz && \
+        echo "$KONG_SHA256  /tmp/kong.tar.gz" | sha256sum -c -; \
+        apk del .build-deps; \
+    fi; \
+    mkdir /kong; \
+	tar -C /kong -xzf /tmp/kong.tar.gz && \
+	mv /kong/usr/local/* /usr/local && \
+	mv /kong/etc/* /etc && \
+	rm -rf /kong && \
+	apk add --no-cache libgcc openssl pcre perl tzdata libcap zip bash && \
+	adduser -S kong && \
+	mkdir -p "/usr/local/kong" && \
+	chown -R kong:0 /usr/local/kong && \
+	chown kong:0 /usr/local/bin/kong && \
+	chmod -R g=u /usr/local/kong
 
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
+USER kong
+
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
 EXPOSE 8000 8443 8001 8444
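Review bot: Merging the steps into one RUN turns `if [ "$ASSET" = "local" ] ; then exit 0 ;` into a bug: `exit 0` ends the whole `sh -c` for the step, so with `--build-arg ASSET=local` nothing after `fi` runs — no extraction of `/tmp/kong.tar.gz`, no `apk add` of the runtime dependencies, no `adduser -S kong` and no chowns — yet the step reports success and the later `USER kong` names an account that does not exist. Replace the early exit with a no-op, `if [ "$ASSET" = "local" ] ; then : ; \`, or drop the branch and keep only `if [ "$ASSET" = "ce" ] ; then`. The default `ce` build exercised in the test log below never takes this path, which is why it passed.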
diff --git a/kong_alpine/docker-entrypoint.sh b/kong_alpine/docker-entrypoint.sh
index 326eef5..2e4bb9f 100755
--- a/kong_alpine/docker-entrypoint.sh
+++ b/kong_alpine/docker-entrypoint.sh
@@ -1,13 +1,36 @@
-#!/bin/sh
-set -e
+#!/usr/bin/env bash
+set -Eeo pipefail
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
 
 export KONG_NGINX_DAEMON=off
 
 if [[ "$1" == "kong" ]]; then
   PREFIX=${KONG_PREFIX:=/usr/local/kong}
+  file_env KONG_PG_PASSWORD
 
   if [[ "$2" == "docker-start" ]]; then
-    kong prepare -p "$PREFIX"
+    kong prepare -p "$PREFIX" "$@"
 
     ln -sf /dev/stdout $PREFIX/logs/access.log
     ln -sf /dev/stdout $PREFIX/logs/admin_access.log
diff --git a/_bashbrew-shared-tags b/kong_alpine/empty-kong.tar.gz
similarity index 100%
copy from _bashbrew-shared-tags
copy to kong_alpine/empty-kong.tar.gz
diff --git a/kong_centos/Dockerfile b/kong_centos/Dockerfile
index d43f3e3..5d78c84 100644
--- a/kong_centos/Dockerfile
+++ b/kong_centos/Dockerfile
@@ -1,23 +1,39 @@
 FROM centos:7
-LABEL maintainer="Kong Core Team <team-core@konghq.com>"
+LABEL maintainer="Kong <support@konghq.com>"
 
-ENV KONG_VERSION 2.0.3
+ARG ASSET=ce
+ENV ASSET $ASSET
 
-RUN yum install -y -q unzip \
-	&& yum clean all -q \
-	&& rm -fr /var/cache/yum/* /tmp/yum_save*.yumtx /root/.pki
+COPY empty-kong.rpm /tmp/kong.rpm
+
+ARG KONG_VERSION=2.0.4
+ENV KONG_VERSION $KONG_VERSION
 
-RUN useradd kong \
+ARG KONG_SHA256="16a934a7bc2e182f00f03bd75b67f4bdb483150b3820d33cab9b0c95539dd353"
+ENV KONG_SHA256 $KONG_SHA256
+
+RUN set -ex; \
+    if [ "$ASSET" = "local" ] ; then exit 0 ; \
+    elif [ "$ASSET" = "ce" ] ; then \
+        curl -fL "https://bintray.com/kong/kong-rpm/download_file?file_path=centos/7/kong-$KONG_VERSION.el7.amd64.rpm" -o /tmp/kong.rpm && \
+        echo "$KONG_SHA256  /tmp/kong.rpm" | sha256sum -c -; \
+    fi; \
+    yum install -y -q unzip shadow-utils \
+	&& yum clean all -q \
+	&& rm -fr /var/cache/yum/* /tmp/yum_save*.yumtx /root/.pki \
+	&& useradd kong \
 	&& mkdir -p "/usr/local/kong" \
-	&& yum install -y https://bintray.com/kong/kong-rpm/download_file?file_path=centos/7/kong-$KONG_VERSION.el7.amd64.rpm \
+	&& yum install -y /tmp/kong.rpm \
 	&& yum clean all \
+	&& rm /tmp/kong.rpm \
 	&& chown -R kong:0 /usr/local/kong \
+	&& chown kong:0 /usr/local/bin/kong \
 	&& chmod -R g=u /usr/local/kong
 
-USER kong
-
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
+USER kong
+
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
 EXPOSE 8000 8443 8001 8444
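Review bot: `if [ "$ASSET" = "local" ] ; then exit 0 ;` now sits inside the single combined RUN, so `exit 0` terminates the entire step: an `ASSET=local` build skips `yum install -y unzip shadow-utils`, `useradd kong`, `yum install -y /tmp/kong.rpm` and the chowns, succeeds anyway, and leaves `USER kong` pointing at a missing account. Use `then : ;` instead, or test only for `ce`. Minor: `yum clean all -q` and `yum clean all` both run in this one layer, so the first is redundant, and the `rm -fr /var/cache/yum/* ...` line should follow the last `yum` invocation if it is meant to reclaim space.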
diff --git a/kong_centos/docker-entrypoint.sh b/kong_centos/docker-entrypoint.sh
index 326eef5..2e4bb9f 100755
--- a/kong_centos/docker-entrypoint.sh
+++ b/kong_centos/docker-entrypoint.sh
@@ -1,13 +1,36 @@
-#!/bin/sh
-set -e
+#!/usr/bin/env bash
+set -Eeo pipefail
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
 
 export KONG_NGINX_DAEMON=off
 
 if [[ "$1" == "kong" ]]; then
   PREFIX=${KONG_PREFIX:=/usr/local/kong}
+  file_env KONG_PG_PASSWORD
 
   if [[ "$2" == "docker-start" ]]; then
-    kong prepare -p "$PREFIX"
+    kong prepare -p "$PREFIX" "$@"
 
     ln -sf /dev/stdout $PREFIX/logs/access.log
     ln -sf /dev/stdout $PREFIX/logs/admin_access.log
diff --git a/_bashbrew-shared-tags b/kong_centos/empty-kong.rpm
similarity index 100%
copy from _bashbrew-shared-tags
copy to kong_centos/empty-kong.rpm
diff --git a/kong_ubuntu/Dockerfile b/kong_ubuntu/Dockerfile
index 9f6ac7b..281f838 100644
--- a/kong_ubuntu/Dockerfile
+++ b/kong_ubuntu/Dockerfile
@@ -1,18 +1,38 @@
 FROM ubuntu:xenial
-LABEL maintainer="Kong Core Team <team-core@konghq.com>"
 
-ENV KONG_VERSION 2.0.3
+ARG ASSET=ce
+ENV ASSET $ASSET
 
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends ca-certificates curl perl unzip \
+COPY empty-kong.deb /tmp/kong.deb
+
+ARG KONG_VERSION=2.0.4
+ENV KONG_VERSION $KONG_VERSION
+
+RUN set -ex; \
+    if [ "$ASSET" = "local" ] ; then exit 0 ; \
+    elif [ "$ASSET" = "ce" ] ; then \
+        apt-get update && \
+        apt-get install -y curl && \
+        curl -fL "https://bintray.com/kong/kong-deb/download_file?file_path=kong-$KONG_VERSION.xenial.$(dpkg --print-architecture).deb" -o /tmp/kong.deb && \
+        apt-get purge -y curl; \
+    fi; \
+    apt-get update \
+    && apt-get install -y --no-install-recommends perl unzip \
     && rm -rf /var/lib/apt/lists/* \
-    && curl -fsSLo kong.deb https://bintray.com/kong/kong-deb/download_file?file_path=kong-${KONG_VERSION}.xenial.$(dpkg --print-architecture).deb \
-    && apt-get purge -y --auto-remove ca-certificates curl \
-	&& dpkg -i kong.deb \
-	&& rm -rf kong.deb
+	&& dpkg -i /tmp/kong.deb \
+	&& rm -rf /tmp/kong.deb \
+	&& useradd -ms /bin/bash kong \
+    && mkdir -p "/usr/local/kong" \
+	&& chown -R kong:0 /usr/local/kong \
+	&& chown kong:0 /usr/local/bin/kong \
+	&& chmod -R g=u /usr/local/kong
 
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
+USER kong
+
+RUN kong version
+
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
 EXPOSE 8000 8443 8001 8444
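Review bot: `if [ "$ASSET" = "local" ] ; then exit 0 ;` in the combined RUN exits the whole step, so an `ASSET=local` build never reaches `dpkg -i /tmp/kong.deb`, `useradd -ms /bin/bash kong` or the chowns; here the `RUN kong version` smoke test after `USER kong` would at least fail the build on the missing user, but the fix is still to use `then : ;` or to test only for `ce`. `apt-get purge -y curl` also lacks the `--auto-remove` the replaced line had, so curl's dependency closure remains in the image. Note that `curl -fL ...` is not the last element of its `&&` list, so under `set -e` a failed download does not abort the step on its own; the build only fails later at `dpkg -i`, and with no checksum on this variant a `[ -s /tmp/kong.deb ]` check right after the download would give a clearer signal.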
diff --git a/kong_ubuntu/docker-entrypoint.sh b/kong_ubuntu/docker-entrypoint.sh
index 52c9ca2..9281a7e 100755
--- a/kong_ubuntu/docker-entrypoint.sh
+++ b/kong_ubuntu/docker-entrypoint.sh
@@ -1,13 +1,36 @@
-#!/bin/bash
-set -e
+#!/usr/bin/env bash
+set -Eeo pipefail
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
 
 export KONG_NGINX_DAEMON=off
 
 if [[ "$1" == "kong" ]]; then
   PREFIX=${KONG_PREFIX:=/usr/local/kong}
+  file_env KONG_PG_PASSWORD
 
   if [[ "$2" == "docker-start" ]]; then
-    kong prepare -p "$PREFIX"
+    kong prepare -p "$PREFIX" "$@"
 
     exec /usr/local/openresty/nginx/sbin/nginx \
       -p "$PREFIX" \
diff --git a/_bashbrew-shared-tags b/kong_ubuntu/empty-kong.deb
similarity index 100%
copy from _bashbrew-shared-tags
copy to kong_ubuntu/empty-kong.deb

@yosifkit
Member

yosifkit commented May 5, 2020

Build test of #7880; c87bc93; amd64 (kong):

$ bashbrew build kong:2.0.4-alpine
Building bashbrew/cache:400bd00993c541747ff8b357b3270bba6ced0996cb620e371d82a77e9b3d186c (kong:2.0.4-alpine)
Tagging kong:2.0.4-alpine
Tagging kong:2.0.4
Tagging kong:2.0
Tagging kong:latest
Tagging kong:alpine

$ test/run.sh kong:2.0.4-alpine
testing kong:2.0.4-alpine
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:2.0.4-ubuntu
Building bashbrew/cache:20e8731b6ddbed22947604dcab8afd10696d2a09193d7182c6f28dac3296d061 (kong:2.0.4-ubuntu)
Tagging kong:2.0.4-ubuntu
Tagging kong:2.0-ubuntu
Tagging kong:ubuntu

$ test/run.sh kong:2.0.4-ubuntu
testing kong:2.0.4-ubuntu
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:2.0.4-centos
Building bashbrew/cache:30721ef1b561c0f430509733f55a11829c2502c38b593dc526bed2c8c544df82 (kong:2.0.4-centos)
Tagging kong:2.0.4-centos
Tagging kong:2.0-centos
Tagging kong:centos

$ test/run.sh kong:2.0.4-centos
testing kong:2.0.4-centos
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...warning: garbage password detected for 'root': 'locked'
passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.5.1-alpine
Using bashbrew/cache:02db3bb0cb346eb05930e549a114e5f41629591382e1563905ed263e16558d9d (kong:1.5.1-alpine)
Tagging kong:1.5.1-alpine
Tagging kong:1.5.1
Tagging kong:1.5

$ test/run.sh kong:1.5.1-alpine
testing kong:1.5.1-alpine
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.5.1-ubuntu
Using bashbrew/cache:e75fa744de79d56eecaab4e079dec3ba471b02957bdacd11a22a5bceaaa5ea3f (kong:1.5.1-ubuntu)
Tagging kong:1.5.1-ubuntu
Tagging kong:1.5-ubuntu

$ test/run.sh kong:1.5.1-ubuntu
testing kong:1.5.1-ubuntu
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.5.1-centos
Using bashbrew/cache:53b020aaac70df79820d2bda719fc24782ad7b14d121d87853601759461c7c88 (kong:1.5.1-centos)
Tagging kong:1.5.1-centos
Tagging kong:1.5-centos

$ test/run.sh kong:1.5.1-centos
testing kong:1.5.1-centos
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...warning: garbage password detected for 'root': 'locked'
passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.4.3-alpine
Using bashbrew/cache:0b5db616f14117b2b48ea49b1c829c283a25943afa3ae1881813f650d8a8bfb6 (kong:1.4.3-alpine)
Tagging kong:1.4.3-alpine
Tagging kong:1.4.3
Tagging kong:1.4

$ test/run.sh kong:1.4.3-alpine
testing kong:1.4.3-alpine
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.4.3-ubuntu
Using bashbrew/cache:b9ae92d3948b2d1877fbd8abae170c257d51607c119664dd86c9f839b81d79f0 (kong:1.4.3-ubuntu)
Tagging kong:1.4.3-ubuntu
Tagging kong:1.4-ubuntu

$ test/run.sh kong:1.4.3-ubuntu
testing kong:1.4.3-ubuntu
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.4.3-centos
Using bashbrew/cache:ee28defa8d35573a2833a868c16fcdd02eb1c464d8d6dcd0e2f428fe46c425be (kong:1.4.3-centos)
Tagging kong:1.4.3-centos
Tagging kong:1.4-centos

$ test/run.sh kong:1.4.3-centos
testing kong:1.4.3-centos
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...warning: garbage password detected for 'root': 'locked'
passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.3.1-alpine
Using bashbrew/cache:5d1ec7c543627ae0d47608118c71e9f7e0d902493f4700ca618fd1739b44248f (kong:1.3.1-alpine)
Tagging kong:1.3.1-alpine
Tagging kong:1.3.1
Tagging kong:1.3

$ test/run.sh kong:1.3.1-alpine
testing kong:1.3.1-alpine
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.3.1-ubuntu
Using bashbrew/cache:9123f960721394fd11511c524b3c5758447cc50a4bf19418e2d097de8ce73d54 (kong:1.3.1-ubuntu)
Tagging kong:1.3.1-ubuntu
Tagging kong:1.3-ubuntu

$ test/run.sh kong:1.3.1-ubuntu
testing kong:1.3.1-ubuntu
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.3.1-centos
Using bashbrew/cache:a52ab87fb77150752c321e1df3ad89353a5c0e4d3d6d683e0ca33930e6f80bba (kong:1.3.1-centos)
Tagging kong:1.3.1-centos
Tagging kong:1.3-centos

$ test/run.sh kong:1.3.1-centos
testing kong:1.3.1-centos
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...warning: garbage password detected for 'root': 'locked'
passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.2.3-alpine
Using bashbrew/cache:94bc09694cca56b1fa437ecad643ecdf659ed2228c3ba815c66e64f89071e40d (kong:1.2.3-alpine)
Tagging kong:1.2.3-alpine
Tagging kong:1.2.3
Tagging kong:1.2

$ test/run.sh kong:1.2.3-alpine
testing kong:1.2.3-alpine
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.2.3-centos
Using bashbrew/cache:c261ca753fa208e75459677fec2264a26f225fce0ffe038e5b9fc3b53670334b (kong:1.2.3-centos)
Tagging kong:1.2.3-centos
Tagging kong:1.2-centos

$ test/run.sh kong:1.2.3-centos
testing kong:1.2.3-centos
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...warning: garbage password detected for 'root': 'locked'
passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.1.3-alpine
Using bashbrew/cache:390a156560f0abaef909bee42cbff29f055be3eb1ba5c4fecb111145287ae367 (kong:1.1.3-alpine)
Tagging kong:1.1.3-alpine
Tagging kong:1.1.3
Tagging kong:1.1

$ test/run.sh kong:1.1.3-alpine
testing kong:1.1.3-alpine
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.1.3-centos
Using bashbrew/cache:b7bf72ee1fe48a2701a69f52f6a0ca3bfe6cb5c33f9c2a0fefa38e622ffc214c (kong:1.1.3-centos)
Tagging kong:1.1.3-centos
Tagging kong:1.1-centos

$ test/run.sh kong:1.1.3-centos
testing kong:1.1.3-centos
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...warning: garbage password detected for 'root': 'locked'
passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.0.4-alpine
Using bashbrew/cache:72651baa444dd0fcd8c8311d5a14367ec4bfda52364cff093b86eba410d4bac5 (kong:1.0.4-alpine)
Tagging kong:1.0.4-alpine
Tagging kong:1.0.4
Tagging kong:1.0

$ test/run.sh kong:1.0.4-alpine
testing kong:1.0.4-alpine
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build kong:1.0.4-centos
Using bashbrew/cache:a5f2f9c006ebfc6460c0e3e5da57853519f5e075f8d85c17c75c28d28812a07e (kong:1.0.4-centos)
Tagging kong:1.0.4-centos
Tagging kong:1.0-centos

$ test/run.sh kong:1.0.4-centos
testing kong:1.0.4-centos
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...warning: garbage password detected for 'root': 'locked'
passed
	'override-cmd' [4/4]...passed

@yosifkit yosifkit merged commit d112ff9 into docker-library:master May 5, 2020