Bug #13537: Backport fixes for container deployment.

Jenkinsfile.containers

@@ -16,6 +16,7 @@ pipeline {
         SERVICE_DOCKER_PUSH_URL=credentials("SERVICE_DOCKER_PUSH_URL")
         SERVICE_REPOSITORY_URL=credentials("service-repository-url")
         GITHUB_ACCOUNT_TOKEN = credentials("vitam-prg-token")
+        JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64"
     }
 
     stages {
@@ -25,7 +26,7 @@ pipeline {
                 [$class: 'UsernamePasswordMultiBinding', credentialsId: 'app-jenkins',usernameVariable: 'CI_USR', passwordVariable: 'CI_PSW'],
                 string(credentialsId: "service-nexus-url", variable: 'SERVICE_NEXUS_URL')
                 ]) {
-                sh 'mvn --settings .ci/settings.xml install -Djib.skip=false -DskipTests=true --show-version --batch-mode --errors -fn -DinstallAtEnd=true -DdeployAtEnd=true package -Pvitam -Djacoco.skip=true -DskipAllFrontend=true -DskipAllFrontendTests=true -Dlicense.skip=true -Djib.to.auth.username=$CI_USR -Djib.to.auth.password=$CI_PSW -pl "!cots/vitamui-mongo-express" -Denv.SERVICE_NEXUS_URL=$SERVICE_NEXUS_URL -DsendCredentialsOverHttp=true'
+                sh 'mvn --settings .ci/settings.xml install -U -Djib.skip=false -DskipTests=true --show-version --batch-mode --errors -fn -DinstallAtEnd=true -DdeployAtEnd=true package -Pvitam -Djacoco.skip=true -DskipAllFrontend=true -DskipAllFrontendTests=true -Dlicense.skip=true -Djib.to.auth.username=$CI_USR -Djib.to.auth.password=$CI_PSW -pl "!cots/vitamui-mongo-express" -Denv.SERVICE_NEXUS_URL=$SERVICE_NEXUS_URL -DsendCredentialsOverHttp=true'
                 }
             }
         }
@@ -79,7 +80,7 @@ pipeline {
                         sh "docker pull $image"
 
                         // Run Trivy scan
-                        sh "trivy image $image --ignore-unfixed --vuln-type os,library --format template --template '@html.tpl' -o reports/${imageName}-scan.html"
+                        sh "trivy image $image --ignore-unfixed --vuln-type os,library --format template --template '@html.tpl' -o reports/${imageName}-scan.html || true"
 
                         // Publish HTML report
                         publishHTML target: [

deployment/roles/consul/templates/vitam-container-consul.service.j2

@@ -5,7 +5,7 @@ Requires=docker.service
 After=docker.service
 
 [Service]
-ExecStartPre=-/usr/bin/docker pull {{ container_repository.registry_url }}/vitam-external/hashicorp/consul:{{ consul_version }}
+ExecStartPre=-/usr/bin/docker pull {{ container_repository.registry_url }}/vitam-external/hashicorp/consul:{{ consul_version }}-ubi
 ExecStartPre=-/usr/bin/docker stop vitam-consul
 ExecStartPre=-/usr/bin/docker rm vitam-consul
 ExecStart=/usr/bin/docker run --rm --net=host -e 'CONSUL_ALLOW_PRIVILEGED_PORTS=' --name vitam-consul \
@@ -16,11 +16,11 @@ ExecStart=/usr/bin/docker run --rm --net=host -e 'CONSUL_ALLOW_PRIVILEGED_PORTS=
         -v "/vitam/script/consul:/vitam/script/consul" \
         -v "/vitam/data/consul:/consul/data" \
         -v "/vitam/tmp/consul:/vitam/tmp/consul" \
-        {{ container_repository.registry_url }}/vitam-external/hashicorp/consul:{{ consul_version }}
+        {{ container_repository.registry_url }}/vitam-external/hashicorp/consul:{{ consul_version }}-ubi agent
 
 ExecStop=/usr/bin/docker stop -t 85 vitam-consul
 ExecRestart=/usr/bin/docker restart -t 85 vitam-consul
-ExecReload=/usr/bin/docker exec vitam-consul sh -c 'kill -HUP $(pidof consul)'
+ExecReload=/usr/bin/docker exec vitam-consul sh -c 'for pid in $(ls /proc | grep -E "^[0-9]+$"); do if [ "$(cat /proc/$pid/comm 2>/dev/null)" = "consul" ]; then kill -HUP $pid; fi; done'
 TimeoutStartSec=60
 TimeoutStopSec=30
 StartLimitBurst=6

deployment/roles/docker/tasks/Debian.yml

@@ -23,6 +23,11 @@
   environment:
     https_proxy: "{{ http_proxy_environnement }}"
     http_proxy:  "{{ http_proxy_environnement }}"
+  when: http_proxy_environnement is defined and http_proxy_environnement != ""
+
+- name: add GPG docker repo key
+  shell: "curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -"
+  when: http_proxy_environnement is not defined or http_proxy_environnement == ""
 
 - name: install apt-transport-https as Docker repository is https
   package:

deployment/roles/docker/tasks/main.yml

@@ -44,3 +44,9 @@
   when:
     - install_mode == "container"
     - container_repository is defined
+
+- name: Make sure net.ipv4.ip_unprivileged_port_start is disabled
+  sysctl:
+    name: net.ipv4.ip_unprivileged_port_start
+    sysctl_set: yes
+    value: '0'

deployment/roles/filebeat/defaults/main.yml

@@ -1,5 +1,8 @@
 ---
 
+filebeat_version: "{{ filebeat.version | default('7.17.23') }}"
+filebeat_package: "filebeat{{ '=' if ansible_os_family == 'Debian' else '-' }}{{ filebeat_version }}"
+
 filebeat_processors:
   processors:
     - add_host_metadata:

deployment/roles/filebeat/tasks/add_inputs.yml

@@ -1,10 +1,10 @@
 ---
 
-- name: Create input.d folder
+- name: Create inputs.d folder
   file:
     path: /etc/filebeat/inputs.d
     state: directory
-    mode: 0755
+    mode: "{{ vitam_defaults.folder.folder_permission }}"
   notify: "filebeat - restart service"
 
 - set_fact:

deployment/roles/filebeat/tasks/add_modules.yml

@@ -1,5 +1,13 @@
 ---
 
+- name: Create modules.d folder
+  file:
+    path: "/etc/filebeat/modules.d"
+    state: directory
+    mode: "{{ vitam_defaults.folder.folder_permission }}"
+  notify: "filebeat - restart service"
+  when: install_mode == "container"
+
 - name: Add reverse filebeat module
   template:
     src: modules/{{ reverse | default('nginx') | lower }}.yml.j2

deployment/roles/filebeat/tasks/install.yml

@@ -1,10 +1,29 @@
 ---
 
-- name: Install Filebeat
+- name: "Install {{ filebeat_package }} package"
   package:
-    name: filebeat
+    name: "{{ filebeat_package }}"
     state: latest
   notify: "filebeat - restart service"
+  when: install_mode != "container"
+
+- name: Ensure Filebeat directory exist
+  file:
+    path: "/etc/filebeat"
+    state: directory
+    mode: "{{ vitam_defaults.folder.folder_permission }}"
+  notify: "filebeat - restart service"
+  when: install_mode == "container"
+
+- name: "Deploy systemd service file for filebeat"
+  template:
+    src: "filebeat.service.j2"
+    dest: "{{ '/lib/systemd/system' if ansible_os_family == 'Debian' else '/usr/lib/systemd/system' }}/filebeat.service"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: "filebeat - restart service"
+  when: install_mode == "container"
 
 - name: Add Filebeat config file
   template:

deployment/roles/filebeat/templates/filebeat.service.j2

@@ -0,0 +1,27 @@
+[Unit]
+Description=filebeat
+Documentation=http://www.elastic.co
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Restart=always
+Environment="CONTAINER_NAME=filebeat"
+ExecStartPre=-/usr/bin/docker rm -f filebeat
+ExecStart=/usr/bin/docker run --rm \
+  --name filebeat \
+  --user=root \
+  --volume="/etc/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:rw" \
+  --volume="/etc/filebeat/modules.d:/usr/share/filebeat/modules.d:rw" \
+  --volume="/etc/filebeat/inputs.d:/usr/share/filebeat/inputs.d:rw" \
+  --volume="/vitam:/vitam:rw" \
+  --volume="/vitamui:/vitamui:rw" \
+  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
+  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
+  {{ container_repository.registry_url }}/vitam-external/elastic/filebeat:{{ filebeat_version }} \
+  -e --strict.perms=false
+
+ExecStop=/usr/bin/docker stop filebeat
+
+[Install]
+WantedBy=multi-user.target

deployment/roles/mongo/templates/vitamui-container-mongod.service.j2

@@ -21,8 +21,8 @@ ExecStart=/usr/bin/docker run --rm --net=host --name vitamui-mongod --user 1003:
 
 ExecStop=/usr/bin/docker stop -t 85 vitamui-mongod
 ExecReload=/usr/bin/docker restart -t 85 vitamui-mongod
-TimeoutStartSec=60
-TimeoutStopSec=30
+TimeoutStartSec=120
+TimeoutStopSec=60
 StartLimitBurst=6
 
 [Install]