Merge pull request #89 from EyeSeeTea/development

Development

setup.py

@@ -4,7 +4,7 @@
 
 setuptools.setup(
     name="d2_docker",
-    version="1.6.0",
+    version="1.7.0",
     description="Dockers for DHIS2 instances",
     long_description=open("README.md", encoding="utf-8").read(),
     keywords=["python"],

src/d2_docker/config/dhis2-core-entrypoint.sh

@@ -1,51 +1,34 @@
-#!/bin/sh
+#!/bin/bash
 #
-# Taken from https://github.com/dhis2/dhis2-core/blob/master/docker-entrypoint.sh.
+# Based on the current latest tagged version of dhis2-core entrypoint:
+# https://github.com/dhis2/dhis2-core/blob/2.36.11.1/docker/tomcat-debian/docker-entrypoint.sh
 #
-# We need our custom entrypoint to perform the following extra tasks:
-#  - Make files in TOMCATDIR group-writable (so we can change tomcat files in pre/post scripts)
-#  - Install some dependencies: curl, postgresql-client
+# We need our custom entrypoint to perform the following different tasks:
+#  - Make files in TOMCATDIR be of user tomcat (so we can change tomcat files in pre/post scripts)
 #
-set -e -u -o pipefail
+set -e  # exit on errors
 
 WARFILE=/usr/local/tomcat/webapps/ROOT.war
 TOMCATDIR=/usr/local/tomcat
 DHIS2HOME=/DHIS2_home
-PACKAGES="curl postgresql-client"
-
-# Custom
-install_packages() {
-    if test "$(apk list -I $PACKAGES | wc -l)" -ne 2; then
-        # Previous core images did not have package pre-installed, install from static files
-        echo "Packages not found, installing"
-        apk add --no-network /config/apk/*.apk
-    else
-        echo "Packages found"
-    fi
-}
+DATA_DIR=/data
 
 if [ "$(id -u)" = "0" ]; then
-    install_packages
-
     if [ -f $WARFILE ]; then
-        # Custom: mkdir + add -q to avoid noise in the console
-        mkdir -p $TOMCATDIR/webapps/ROOT
-        unzip -n -q $WARFILE -d $TOMCATDIR/webapps/ROOT
-        rm $WARFILE
+        unzip -q $WARFILE -d $TOMCATDIR/webapps/ROOT
+        rm -v $WARFILE  # just to save space
     fi
 
-    # dhis2/core 2.31 images do not have user tomcat, don't fail in this case
+    chown -R tomcat:tomcat $TOMCATDIR $DATA_DIR $DHIS2HOME
+    chmod -R u=rwX,g=rX,o-rwx $TOMCATDIR $DATA_DIR $DHIS2HOME
 
-    if getent group tomcat; then
-        chown -R root:tomcat $TOMCATDIR
-        # Custom. Before: u+rwX,g+rX,o-rwx
-        chmod -R u+rwX,g+rwX,o-rwx $TOMCATDIR
-        chown -R tomcat:tomcat $TOMCATDIR/temp \
-            $TOMCATDIR/work \
-            $TOMCATDIR/logs
-        chown -R tomcat:tomcat $DHIS2HOME
-        chmod +x "$0" || true
+    # Launch the given command as tomcat, in two ways for backwards compatibility:
+    if [ "$(grep '^ID=' /etc/os-release)" = "ID=alpine" ]; then
+        # The alpine linux way (for old images).
         exec su-exec tomcat "$0" "$@"
+    else
+        # The ubuntu way (for new images).
+        exec setpriv --reuid=tomcat --regid=tomcat --init-groups "$0" "$@"
     fi
 fi
 

src/d2_docker/config/server.xml

@@ -31,7 +31,8 @@
             protocol="AJP/1.3"
             port="8009"
             redirectPort="8443"
-        />
+	    secretRequired="false"
+	/>
 
         <Engine name="Catalina" defaultHost="localhost">
             <Realm className="org.apache.catalina.realm.LockOutRealm">

src/d2_docker/docker-compose.yml

@@ -18,13 +18,13 @@ services:
             LOAD_FROM_DATA: "${LOAD_FROM_DATA}"
             DEPLOY_PATH: "${DEPLOY_PATH}"
             DHIS2_AUTH: "${DHIS2_AUTH}"
-        entrypoint: sh /config/dhis2-core-entrypoint.sh
-        command: sh /config/dhis2-core-start.sh
+        entrypoint: bash /config/dhis2-core-entrypoint.sh
+        command: bash /config/dhis2-core-start.sh
         restart: unless-stopped
         depends_on:
             - "db"
     db:
-        image: "postgis/postgis:${POSTGIS_VERSION:-10-2.5-alpine}"
+        image: "postgis/postgis:${POSTGIS_VERSION:-14-3.2-alpine}"
         labels:
             - "com.eyeseetea.image-name=${DHIS2_DATA_IMAGE}"
         volumes:
@@ -33,7 +33,7 @@ services:
             POSTGRES_DB: dhis2
             POSTGRES_USER: dhis
             POSTGRES_PASSWORD: dhis
-        command: "postgres -c max_locks_per_transaction=100"
+        command: "postgres -c max_locks_per_transaction=100 -c max_connections=200"
         restart: unless-stopped
         ports:
             - "${DB_PORT}"

src/d2_docker/images/dhis2-core/Dockerfile

@@ -1,22 +1,31 @@
-FROM tomcat:9.0.20-jre8-alpine
+FROM tomcat:9.0.64-jre11-openjdk-slim-bullseye
 
 ENV DHIS2_HOME=/DHIS2_home
+ENV DHIS2_CERT=/DHIS2_home/who_pub_cert.cert
+ENV DATA_DIR=/data
 
 COPY docker-entrypoint.sh /usr/local/bin/
-
 RUN rm -rf /usr/local/tomcat/webapps/* && \
-    mkdir /usr/local/tomcat/webapps/ROOT && \
+    mkdir -p /usr/local/tomcat/webapps/ROOT && \
     chmod +rx /usr/local/bin/docker-entrypoint.sh && \
     mkdir $DHIS2_HOME && \
-    addgroup -S tomcat && \
+    mkdir $DATA_DIR && \
+    addgroup --system tomcat && \
     addgroup root tomcat && \
-    adduser -S -D -G tomcat tomcat
+    useradd --shell /bin/bash --uid 101 --gid tomcat tomcat
+
+COPY who_pub_cert.cert $DHIS2_CERT
+RUN  chmod +rx $DHIS2_CERT
+RUN keytool -importcert -alias who_mail_ichigoout -file $DHIS2_CERT -keystore /usr/local/openjdk-11/lib/security/cacerts -storepass changeit -noprompt
 
-RUN apk add --update --no-cache bash su-exec curl postgresql-client fontconfig ttf-dejavu
+
+RUN apt-get update
+RUN echo 'You can disregard the warning in noninteractive installations:' \
+         '"debconf: delaying package configuration, since apt-utils is not installed"'
+RUN apt-get install --no-install-recommends -y \
+        unzip curl postgresql-client fonts-dejavu fontconfig util-linux
 
 COPY dhis.war /usr/local/tomcat/webapps/ROOT.war
 COPY dhis2-home-files /dhis2-home-files
 
-ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
-
 CMD ["catalina.sh", "run"]

src/d2_docker/images/dhis2-core/docker-entrypoint.sh

@@ -1,27 +1,31 @@
 #!/bin/bash
-set -e
+#
+# This file should be basically the same as config/dhis2-core-entrypoint.sh
+#
+set -e  # exit on errors
 
 WARFILE=/usr/local/tomcat/webapps/ROOT.war
 TOMCATDIR=/usr/local/tomcat
 DHIS2HOME=/DHIS2_home
-DATA_DIR="/data/"
+DATA_DIR=/data
 
 if [ "$(id -u)" = "0" ]; then
     if [ -f $WARFILE ]; then
-        unzip $WARFILE -d $TOMCATDIR/webapps/ROOT
-        rm $WARFILE
+        unzip -q $WARFILE -d $TOMCATDIR/webapps/ROOT
+        rm -v $WARFILE  # just to save space
+    fi
+
+    chown -R tomcat:tomcat $TOMCATDIR $DATA_DIR $DHIS2HOME
+    chmod -R u=rwX,g=rX,o-rwx $TOMCATDIR $DATA_DIR $DHIS2HOME
+
+    # Launch the given command as tomcat, in two ways for backwards compatibility:
+    if [ "$(grep '^ID=' /etc/os-release)" = "ID=alpine" ]; then
+        # The alpine linux way (for old images).
+        exec su-exec tomcat "$0" "$@"
+    else
+        # The ubuntu way (for new images).
+        exec setpriv --reuid=tomcat --regid=tomcat --init-groups "$0" "$@"
     fi
-
-    chown -R tomcat:tomcat $DATA_DIR $TOMCATDIR
-    chmod -R u+rwX,g+rX,o-rwx $DATA_DIR $TOMCATDIR
-    chown -R tomcat:tomcat \
-    $DATA_DIR \
-    $TOMCATDIR/temp \
-    $TOMCATDIR/work \
-    $TOMCATDIR/logs
-
-    chown -R tomcat:tomcat $DHIS2HOME
-    exec su-exec tomcat "$0" "$@"
 fi
 
 exec "$@"

src/d2_docker/images/dhis2-core/who_pub_cert.cert

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGJDCCBQygAwIBAgIQJUJnlAcKVsfQ9MMGpFjCBTANBgkqhkiG9w0BAQsFADCB
+jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
+Ey5TZWN0aWdvIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB
+MB4XDTIyMDMxNjAwMDAwMFoXDTIzMDQxNjIzNTk1OVowFDESMBAGA1UEAwwJKi53
+aG8uaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxSHGIzs9hI1G
+hoQpRqA6AJJHtV5UNU7HYGqewe/g/hO78YKa3GkCr2nXVz42fDrwtKI6qyTL8R4t
+JlqxK7NgorwQK7swZlQq77pj0jGo2NaxqI68oaoz8Itkg361jlk2LJQrrSJBGemc
+2vZC7o1hWZLwcf8PwSBkKTqjZjO7th0ESEUt8ic6YZxEWaWdJeZUc+xDGpM439L+
+mPeZKmwLzKUk41DPe1LBjeVCKOlTnFaGTX8/PescoifgAV+kZ9G+hmu5aZYVx2n+
+w8nVc4aIOiQow1LOtk8CDvBPoDnJMOpKEZobXcqcTDvbFnG4mzUnc6GXDWLaF/kJ
+JMvRKoTsQwIDAQABo4IC9DCCAvAwHwYDVR0jBBgwFoAUjYxexFStiuF36Zv5mwXh
+uAGNYeEwHQYDVR0OBBYEFHTQH+RF7rX7AXEqzVXnkXexoDIEMA4GA1UdDwEB/wQE
+AwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
+AjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgIHMCUwIwYIKwYBBQUHAgEWF2h0dHBz
+Oi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCBhAYIKwYBBQUHAQEEeDB2ME8G
+CCsGAQUFBzAChkNodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3RpZ29SU0FEb21h
+aW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCMGCCsGAQUFBzABhhdodHRw
+Oi8vb2NzcC5zZWN0aWdvLmNvbTAdBgNVHREEFjAUggkqLndoby5pbnSCB3doby5p
+bnQwggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB3AK33vvp8/xDIi509nB4+GGq0
+Zyldz7EMJMqFhjTr3IKKAAABf5MeKkoAAAQDAEgwRgIhAINPWOeOK9LR1KvwjXy3
+tq+VOtOl2pbxUSGpKb/on/5fAiEAl/zai8TthJdRZGYAQ1AJVY83+VPNlrAmYt4Y
+aATC6GoAdgB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAAAX+THioV
+AAAEAwBHMEUCIQC5LVSJjK/+axH2ygQBQvZBteFsrpfrjTwlxRUZIOVOegIgfe+9
+UxpopGPMoxAinRvmhV80DC2SjyB5tJ5gxdEwjy0AdQDoPtDaPvUGNTLnVyi8iWvJ
+A9PL0RFr7Otp4Xd9bQa9bgAAAX+THiniAAAEAwBGMEQCIGzDAwbnDDooUiBzsIgx
+qQTH9LWRw/sUP6oPqC/TCy5IAiBv5zoBNQRFF5xL747h+fonfzO29cOTOxII7OOE
+tB5PtDANBgkqhkiG9w0BAQsFAAOCAQEAZoC2S+nrxP2loGfjDvbjo0N9cc7KhCJv
+XPAG3qvc1T4RI4ZCfTKY5vpFYqu6E/TMdGlDTXD3NxheJyScm51x5tXGfvIsnKDc
+//zWyUXvZPnJWLEjP4JKsRb/Gi8hIPfLP0PST1xjk+JlxE+vfbHfH5BUegfpfBgv
+Fu+HiJEFS3ZDE6Im61Hq5BdMdLF84u5khs0smbWOyP4tP9fqD6gnq0RV+gcI2JzU
+LLc0mPIpLqQ87zvj/Re0rMGS/JhXp4cAyvIuwi1AuechGjQR1zeBNgVIkxd+ccnc
+OaI6t3HH7OQ2K8pCNLa4PyoAJL/XnIwq0FwvqSVKW8h3vTdZ4Z0+Jg==
+-----END CERTIFICATE-----

src/d2_docker/images/dhis2-data/run.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -e -u
 
 # Global: VOLUME="/path/to/destination"