Update CouchDB for 2.2.0 #4703
Nice! Any particular reason to keep them listed? Removing them here will remove them from the "Supported" section on the Hub readme (and will prevent us from spending cycles rebuilding it on the official build server), but the tags will still be available to users who want them. (See https://github.com/docker-library/official-images#library-definition-files for more detail on this.)
Just FYI, our build servers use a solution similar to docker-library/php#666 to help with this problem as well. 👍 Edit: see #4252 for even more discussion around this. 👍
Diff:
diff --git a/_bashbrew-list b/_bashbrew-list
index 5ca15fb..d169730 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -5,6 +5,6 @@ couchdb:1.7-couchperuser
couchdb:1.7.2
couchdb:1.7.2-couchperuser
couchdb:2
-couchdb:2.1
-couchdb:2.1.2
+couchdb:2.2
+couchdb:2.2.0
couchdb:latest
diff --git a/couchdb_2/Dockerfile b/couchdb_2/Dockerfile
index 9520b6c..5d1d17f 100644
--- a/couchdb_2/Dockerfile
+++ b/couchdb_2/Dockerfile
@@ -10,21 +10,34 @@
# License for the specific language governing permissions and limitations under
# the License.
-FROM debian:jessie
+FROM debian:stretch
MAINTAINER CouchDB Developers dev@couchdb.apache.org
# Add CouchDB user account
RUN groupadd -g 5984 -r couchdb && useradd -u 5984 -d /opt/couchdb -g couchdb couchdb
-RUN apt-get update -y && apt-get install -y --no-install-recommends \
+RUN apt-get update -y && apt-get install -y \
+ apt-transport-https \
ca-certificates \
curl \
- erlang-nox \
- erlang-reltool \
- libicu52 \
- libmozjs185-1.0 \
+ dirmngr \
+ gnupg \
+ libicu57 \
+ libssl1.1 \
openssl \
+ python \
+ && echo "deb https://apache.bintray.com/couchdb-deb stretch main" \
+ | tee /etc/apt/sources.list.d/couchdb.list \
+ && cat /etc/apt/sources.list.d/couchdb.list \
+ && for server in $(shuf -e pgpkeys.mit.edu \
+ ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu) ; do \
+ gpg --keyserver $server --recv-keys 379CE192D401AB61 && break || : ; \
+ done \
+ && gpg -a --export 379CE192D401AB61 | apt-key add - \
+ && apt-get update -y && apt-get install -y --no-install-recommends couch-libmozjs185-1.0 \
&& rm -rf /var/lib/apt/lists/*
# grab gosu for easy step-down from root and tini for signal handling
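Review bot: the new `gpg --keyserver $server --recv-keys 379CE192D401AB61` and `gpg -a --export 379CE192D401AB61 | apt-key add -` lines select the apt repository key by a 16-hex-digit key ID, while the gosu, tini and GPG_KEYS entries elsewhere in this Dockerfile use full 40-hex-digit fingerprints. The key is fetched from a randomly chosen keyserver (one of them over plain hkp on port 80), so the fingerprint is the only thing pinning which key apt ends up trusting; please spell out the full fingerprint in both commands.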
@@ -43,9 +56,14 @@ RUN set -ex; \
wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-$dpkgArch"; \
wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
export GNUPGHOME="$(mktemp -d)"; \
- gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ for server in $(shuf -e pgpkeys.mit.edu \
+ ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu) ; do \
+ gpg --keyserver $server --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
+ done; \
gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
- rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
chmod +x /usr/local/bin/gosu; \
gosu nobody true; \
\
@@ -53,9 +71,14 @@ RUN set -ex; \
wget -O /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$dpkgArch"; \
wget -O /usr/local/bin/tini.asc "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$dpkgArch.asc"; \
export GNUPGHOME="$(mktemp -d)"; \
- gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7; \
+ for server in $(shuf -e pgpkeys.mit.edu \
+ ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu) ; do \
+ gpg --keyserver $server --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \
+ done; \
gpg --batch --verify /usr/local/bin/tini.asc /usr/local/bin/tini; \
- rm -r "$GNUPGHOME" /usr/local/bin/tini.asc; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/tini.asc; \
chmod +x /usr/local/bin/tini; \
tini --version; \
\
@@ -76,21 +99,28 @@ ENV GPG_KEYS \
2EC788AE3F239FA13E82D215CDE711289384AE37
RUN set -xe \
&& for key in $GPG_KEYS; do \
- gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
+ for server in $(shuf -e pgpkeys.mit.edu \
+ ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu) ; do \
+ gpg --keyserver $server --recv-keys "$key" && break || : ; \
+ done; \
done
-ENV COUCHDB_VERSION 2.1.2
+ENV COUCHDB_VERSION 2.2.0
# Download dev dependencies
RUN buildDeps=' \
apt-transport-https \
- gcc \
- g++ \
+ build-essential \
+ couch-libmozjs185-dev \
erlang-dev \
+ erlang-nox \
+ erlang-reltool \
libcurl4-openssl-dev \
libicu-dev \
- libmozjs185-dev \
make \
+ libssl-dev \
' \
&& apt-get update -y -qq && apt-get install -y --no-install-recommends $buildDeps \
# Acquire CouchDB source code
@@ -101,7 +131,7 @@ RUN buildDeps=' \
&& tar -xzf couchdb.tar.gz -C couchdb --strip-components=1 \
&& cd couchdb \
# Build the release and install into /opt
- && ./configure --disable-docs \
+ && ./configure \
&& make release \
&& mv /usr/src/couchdb/rel/couchdb /opt/ \
# Cleanup build detritus
@@ -113,8 +143,7 @@ RUN buildDeps=' \
# Add configuration
COPY 10-docker-default.ini /opt/couchdb/etc/default.d/
COPY vm.args /opt/couchdb/etc/
-
-COPY ./docker-entrypoint.sh /
+COPY docker-entrypoint.sh /
# Setup directories and permissions
RUN chown -R couchdb:couchdb /opt/couchdb/etc/default.d/ /opt/couchdb/etc/vm.args
diff --git a/couchdb_2/docker-entrypoint.sh b/couchdb_2/docker-entrypoint.sh
index c60c957..4ba69b4 100755
--- a/couchdb_2/docker-entrypoint.sh
+++ b/couchdb_2/docker-entrypoint.sh
@@ -43,14 +43,14 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then
# Create admin only if not already present
if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini; then
- printf "[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini
+ printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini
fi
fi
if [ "$COUCHDB_SECRET" ]; then
# Set secret only if not already present
if ! grep -Pzoqr "\[couch_httpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini; then
- printf "[couch_httpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini
+ printf "\n[couch_httpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini
fi
fi
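Review bot: the `grep -Pzoqr "\[admins\]\n$COUCHDB_USER ="` guard above the changed `printf` only matches when the user is the first entry directly under the `[admins]` header, and it interpolates `$COUCHDB_USER` into the pattern unescaped. With an existing `[admins]` section that lists this user further down, or a user name containing regex metacharacters, the check can miss and the `printf` appends a second `[admins]` section to docker.ini. Worth tightening the guard while this block is being touched; the `[couch_httpd_auth]` check has the same first-line-only limitation for `secret =`.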
This really ought to use the full fingerprint, so |
Also, instead of doing |
Hey @tianon, thank you for the help as usual!
Thanks for the pointer. That script's a bit dense for me to want to import it today. I'm afraid to make big changes for 2.2.0 since it's also a security release for us and time is of the essence. I think our loop over a few servers in Dockerfile should be sufficient for now. At least, since the change I've not seen a key-retrieval-related failure to build in ~hundreds of attempts.
Done.
Done.
Good call, I've removed them from the file and our README as well to make things extra clear. We'll leave the files in the repo for now, for reference, and remove them when 3.0 comes out (not too far off now!)
Oh yeah, totally fair -- it's not something we import into the images themselves, but rather we run it on Travis so that build environment transparently hijacks common PGP server DNS names and redirects them to our "happy eyeballs" inspired server that adds a layer of reliability by making multiple requests and returning the first successful one. You don't need to do anything to get that advantage on our build servers (it'll happen whether you want it to or not), and if this
Diff:
diff --git a/_bashbrew-arches b/_bashbrew-arches
index 653470f..e30fd5f 100644
--- a/_bashbrew-arches
+++ b/_bashbrew-arches
@@ -1,3 +1 @@
-couchdb:1 @ amd64
-couchdb:1-couchperuser @ amd64
couchdb:2 @ amd64
diff --git a/_bashbrew-list b/_bashbrew-list
index 5ca15fb..8a5aa8b 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -1,10 +1,4 @@
-couchdb:1
-couchdb:1-couchperuser
-couchdb:1.7
-couchdb:1.7-couchperuser
-couchdb:1.7.2
-couchdb:1.7.2-couchperuser
couchdb:2
-couchdb:2.1
-couchdb:2.1.2
+couchdb:2.2
+couchdb:2.2.0
couchdb:latest
diff --git a/couchdb_1-couchperuser/Dockerfile b/couchdb_1-couchperuser/Dockerfile
deleted file mode 100644
index 510a458..0000000
diff --git a/couchdb_1/Dockerfile b/couchdb_1/Dockerfile
deleted file mode 100644
index 95b49be..0000000
diff --git a/couchdb_1/docker-entrypoint.sh b/couchdb_1/docker-entrypoint.sh
deleted file mode 100755
index db5a60e..0000000
diff --git a/couchdb_2/Dockerfile b/couchdb_2/Dockerfile
index 9520b6c..6d52272 100644
--- a/couchdb_2/Dockerfile
+++ b/couchdb_2/Dockerfile
@@ -10,21 +10,34 @@
# License for the specific language governing permissions and limitations under
# the License.
-FROM debian:jessie
+FROM debian:stretch
MAINTAINER CouchDB Developers dev@couchdb.apache.org
# Add CouchDB user account
RUN groupadd -g 5984 -r couchdb && useradd -u 5984 -d /opt/couchdb -g couchdb couchdb
-RUN apt-get update -y && apt-get install -y --no-install-recommends \
+RUN apt-get update -y && apt-get install -y \
+ apt-transport-https \
ca-certificates \
curl \
- erlang-nox \
- erlang-reltool \
- libicu52 \
- libmozjs185-1.0 \
+ dirmngr \
+ gnupg \
+ libicu57 \
+ libssl1.1 \
openssl \
+ python \
+ && echo "deb https://apache.bintray.com/couchdb-deb stretch main" \
+ | tee /etc/apt/sources.list.d/couchdb.list \
+ && cat /etc/apt/sources.list.d/couchdb.list \
+ && for server in $(shuf -e pgpkeys.mit.edu \
+ ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu) ; do \
+ gpg --keyserver $server --recv-keys 8756C4F765C9AC3CB6B85D62379CE192D401AB61 && break || : ; \
+ done \
+ && gpg -a --export 8756C4F765C9AC3CB6B85D62379CE192D401AB61 > /etc/apt/trusted.gpg.d/couchdb.gpg.asc \
+ && apt-get update -y && apt-get install -y --no-install-recommends couch-libmozjs185-1.0 \
&& rm -rf /var/lib/apt/lists/*
# grab gosu for easy step-down from root and tini for signal handling
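Review bot: the first `apt-get install -y` loses `--no-install-recommends` in this hunk, although the later `couch-libmozjs185-1.0` install in the same RUN keeps it and the PR description says the changes are meant to make the image smaller. Restore the flag on the first install unless a recommended package is actually needed, in which case list it explicitly. The `cat /etc/apt/sources.list.d/couchdb.list` after `tee` only repeats what `tee` already printed and can go.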
@@ -43,9 +56,14 @@ RUN set -ex; \
wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-$dpkgArch"; \
wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
export GNUPGHOME="$(mktemp -d)"; \
- gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ for server in $(shuf -e pgpkeys.mit.edu \
+ ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu) ; do \
+ gpg --keyserver $server --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
+ done; \
gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
- rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
chmod +x /usr/local/bin/gosu; \
gosu nobody true; \
\
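Review bot: `gpg --keyserver $server` in the new loop leaves `$server` unquoted, and because of `&& break || :` the loop succeeds even if all four servers fail, so a fetch failure first shows up at `gpg --batch --verify` as a missing-key error. That still stops the build under `set -ex`, but quoting the variable and failing right after `done` when the key is absent would make the cause obvious in the build log. The tini hunk below has the same loop.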
@@ -53,9 +71,14 @@ RUN set -ex; \
wget -O /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$dpkgArch"; \
wget -O /usr/local/bin/tini.asc "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$dpkgArch.asc"; \
export GNUPGHOME="$(mktemp -d)"; \
- gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7; \
+ for server in $(shuf -e pgpkeys.mit.edu \
+ ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu) ; do \
+ gpg --keyserver $server --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \
+ done; \
gpg --batch --verify /usr/local/bin/tini.asc /usr/local/bin/tini; \
- rm -r "$GNUPGHOME" /usr/local/bin/tini.asc; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/tini.asc; \
chmod +x /usr/local/bin/tini; \
tini --version; \
\
@@ -76,21 +99,28 @@ ENV GPG_KEYS \
2EC788AE3F239FA13E82D215CDE711289384AE37
RUN set -xe \
&& for key in $GPG_KEYS; do \
- gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
+ for server in $(shuf -e pgpkeys.mit.edu \
+ ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu) ; do \
+ gpg --keyserver $server --recv-keys "$key" && break || : ; \
+ done; \
done
-ENV COUCHDB_VERSION 2.1.2
+ENV COUCHDB_VERSION 2.2.0
# Download dev dependencies
RUN buildDeps=' \
apt-transport-https \
- gcc \
- g++ \
+ build-essential \
+ couch-libmozjs185-dev \
erlang-dev \
+ erlang-nox \
+ erlang-reltool \
libcurl4-openssl-dev \
libicu-dev \
- libmozjs185-dev \
make \
+ libssl-dev \
' \
&& apt-get update -y -qq && apt-get install -y --no-install-recommends $buildDeps \
# Acquire CouchDB source code
@@ -101,7 +131,7 @@ RUN buildDeps=' \
&& tar -xzf couchdb.tar.gz -C couchdb --strip-components=1 \
&& cd couchdb \
# Build the release and install into /opt
- && ./configure --disable-docs \
+ && ./configure \
&& make release \
&& mv /usr/src/couchdb/rel/couchdb /opt/ \
# Cleanup build detritus
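Review bot: `./configure` drops `--disable-docs` here, and neither the comment above it (`# Build the release and install into /opt`) nor the PR description says why the documentation is now built. If this is deliberate, say so in the comment and confirm the docs toolchain is covered by `buildDeps` so it is removed with the other build dependencies; otherwise keep the flag, since the description's stated aim is a smaller image.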
@@ -113,8 +143,7 @@ RUN buildDeps=' \
# Add configuration
COPY 10-docker-default.ini /opt/couchdb/etc/default.d/
COPY vm.args /opt/couchdb/etc/
-
-COPY ./docker-entrypoint.sh /
+COPY docker-entrypoint.sh /
# Setup directories and permissions
RUN chown -R couchdb:couchdb /opt/couchdb/etc/default.d/ /opt/couchdb/etc/vm.args
diff --git a/couchdb_2/docker-entrypoint.sh b/couchdb_2/docker-entrypoint.sh
index c60c957..4ba69b4 100755
--- a/couchdb_2/docker-entrypoint.sh
+++ b/couchdb_2/docker-entrypoint.sh
@@ -43,14 +43,14 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then
# Create admin only if not already present
if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini; then
- printf "[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini
+ printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini
fi
fi
if [ "$COUCHDB_SECRET" ]; then
# Set secret only if not already present
if ! grep -Pzoqr "\[couch_httpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini; then
- printf "[couch_httpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini
+ printf "\n[couch_httpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini
fi
fi
LGTM
Build test of #4703; 20197f7;
$ bashbrew build couchdb:latest
Building bashbrew/cache:dbe7eec9995eb1c61861fc4a1daeefedd5240ab9d84e0eafc41bb02bf3a9b885 (couchdb:latest)
Tagging couchdb:latest
Tagging couchdb:2.2.0
Tagging couchdb:2.2
Tagging couchdb:2
$ test/run.sh couchdb:latest
testing couchdb:latest
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...passed
'override-cmd' [4/4]...passed
Apache CouchDB have released version 2.2.0. This is an update for the official Docker image.
We've improved the Dockerfile with a few minor changes intended to make the resultant image smaller and for it to build more reliably in the event some PGP key servers are down.
1.x builds have not changed, FYI 1.x is now officially end-of-life.