From 9ba83828f74d3954509573ad97e8d115d7d9995e Mon Sep 17 00:00:00 2001
From: Benedikt Kruse
Date: Fri, 2 May 2025 08:53:10 +0200
Subject: [PATCH 1/5] fix reload docker by setting "LINUX_PASSWORD", "PAYARA_ADMIN_PASSWORD", "DOMAIN_PASSWORD"
---
 .../src/main/docker/scripts/init_1_change_passwords.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
index 0bf9d0b80fb..3847f16666c 100644
--- a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+++ b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -euo pipefail
+set -uo pipefail
 # NOTE: ALL PASSWORD ENV VARS WILL BE SCRAMBLED IN startInForeground.sh FOR SECURITY!
 # This is to avoid possible attack vectors where someone could extract the sensitive information
From 25bec63cc7114465321e6917a71a780e62880b01 Mon Sep 17 00:00:00 2001
From: Benedikt Kruse <149382667+BenediktMeierUIT@users.noreply.github.com>
Date: Fri, 2 May 2025 17:03:31 +0200
Subject: [PATCH 2/5] Update init_1_change_passwords.sh
---
 .../main/docker/scripts/init_1_change_passwords.sh | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
index 3847f16666c..62bdb8849ff 100644
--- a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+++ b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -uo pipefail
+set -euo pipefail
 # NOTE: ALL PASSWORD ENV VARS WILL BE SCRAMBLED IN startInForeground.sh FOR SECURITY!
 # This is to avoid possible attack vectors where someone could extract the sensitive information
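Review bot: Dropping `-e` from `set -euo pipefail` in the first hunk switches off fail-fast for the whole init script, not only for the `passwd` pipeline the commit title is about, so a failed `mktemp` or a failing `asadmin` call later in the file would also be silently ignored. The second commit of this series restores `-e` and instead guards the individual commands with `|| { ... }`, which is the right scope for the change. Squashing the two commits would keep a bisectable history in which no revision runs the password changes without any error checking.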
@@ -8,7 +8,9 @@ set -uo pipefail
 # Someone set the env var for passwords - get the new password in. Otherwise print warning.
 # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
 if [ "$LINUX_PASSWORD" != "payara" ]; then
- echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd
+ echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd || {
+ echo "Linux password unchanged!"
+ }
 else
 echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER \"${LINUX_USER}\"! ('payara')"
 echo " To change the password, set the LINUX_PASSWORD env var."
@@ -19,7 +21,9 @@ if [ "$PAYARA_ADMIN_PASSWORD" != "admin" ]; then
 PASSWORD_FILE=$(mktemp)
 echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
 echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
- asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
+ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}" || {
+ echo "Payara password unchanged!"
+ }
 rm "$PASSWORD_FILE"
 else
 echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ADMIN \"${PAYARA_ADMIN_USER}\"! ('admin')"
@@ -35,7 +39,9 @@ if [ "$DOMAIN_PASSWORD" != "changeit" ]; then
 PASSWORD_FILE=$(mktemp)
 echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
 echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_PASSWORD}" >> "$PASSWORD_FILE"
- asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
+ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}" || {
+ echo "Domain password unchanged!"
+ }
 rm "$PASSWORD_FILE"
 else
 echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN \"MASTER\" PASSWORD! ('changeit')"
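Review bot: When `passwd` fails, the new `|| { echo "Linux password unchanged!" }` block in the `@@ -8,7 +8,9 @@` hunk prints to stdout and lets startup continue without stating that the default password is still in place, so an operator who did set LINUX_PASSWORD gets none of the `IMPORTANT ... DEFAULT PASSWORD` warning the `else` branch prints; I would write `echo "WARNING: Linux password unchanged - default password for \"${LINUX_USER}\" is still active!" >&2` instead, and the same applies to the asadmin blocks in the `@@ -19,7 +21,9 @@` and `@@ -35,7 +39,9 @@` hunks. The commit does not say whether the asadmin failures share the read-only-rootfs cause that the docs commit gives for `/etc/shadow`; if they do not, the previous fail-fast behaviour is the safer default for the admin and master passwords rather than booting with `admin` / `changeit` still set. Separately, `echo -e` interprets backslash escapes inside `$LINUX_PASSWORD`, so a secret containing `\` is silently altered before it reaches `passwd`; `printf '%s\n' "$LINUX_USER" "$LINUX_PASSWORD" "$LINUX_PASSWORD" | passwd` avoids that. The first line fed to `passwd` is `$LINUX_USER` rather than a password; if it is meant as the answer to a current-password prompt it only works while the user name equals the default password, so a comment stating the intent would help.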
From bd45e318dde5182c92bc81a9a5f266b33e7b6a0d Mon Sep 17 00:00:00 2001
From: Oliver Bertuch
Date: Wed, 4 Jun 2025 09:27:03 +0200
Subject: [PATCH 3/5] style(ct): simplify password change scripts by removing unnecessary newlines in error handling blocks
---
 .../main/docker/scripts/init_1_change_passwords.sh | 12 +++--------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
index 62bdb8849ff..b640e4d1fc1 100644
--- a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+++ b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
@@ -8,9 +8,7 @@ set -euo pipefail
 # Someone set the env var for passwords - get the new password in. Otherwise print warning.
 # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
 if [ "$LINUX_PASSWORD" != "payara" ]; then
- echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd || {
- echo "Linux password unchanged!"
- }
+ echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd || { echo "Linux password unchanged!"; }
 else
 echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER \"${LINUX_USER}\"! ('payara')"
 echo " To change the password, set the LINUX_PASSWORD env var."
@@ -21,9 +19,7 @@ if [ "$PAYARA_ADMIN_PASSWORD" != "admin" ]; then
 PASSWORD_FILE=$(mktemp)
 echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
 echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
- asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}" || {
- echo "Payara password unchanged!"
- }
+ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}" || { echo "Payara password unchanged!"; }
 rm "$PASSWORD_FILE"
 else
 echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ADMIN \"${PAYARA_ADMIN_USER}\"! ('admin')"
@@ -39,9 +35,7 @@ if [ "$DOMAIN_PASSWORD" != "changeit" ]; then
 PASSWORD_FILE=$(mktemp)
 echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
 echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_PASSWORD}" >> "$PASSWORD_FILE"
- asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}" || {
- echo "Domain password unchanged!"
- }
+ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}" || { echo "Domain password unchanged!"; }
 rm "$PASSWORD_FILE"
 else
 echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN \"MASTER\" PASSWORD! ('changeit')"
From fa17e9fabab21d17d126cbeacf304e26813dd3be Mon Sep 17 00:00:00 2001
From: Oliver Bertuch
Date: Wed, 4 Jun 2025 09:27:59 +0200
Subject: [PATCH 4/5] fix(ct): backport error handling to password change operations
Ensure password-related commands properly handle failures and print warnings if changes cannot be applied. Backported changes to v6.4, v6.5, and v6.6.
---
 .../v6.4/001-fix-password-script.patch | 31 +++++++++++++++++++
 .../v6.5/001-fix-password-script.patch | 31 +++++++++++++++++++
 .../v6.6/001-fix-password-script.patch | 31 +++++++++++++++++++
 3 files changed, 93 insertions(+)
 create mode 100644 modules/container-base/src/backports/v6.4/001-fix-password-script.patch
 create mode 100644 modules/container-base/src/backports/v6.5/001-fix-password-script.patch
 create mode 100644 modules/container-base/src/backports/v6.6/001-fix-password-script.patch
diff --git a/modules/container-base/src/backports/v6.4/001-fix-password-script.patch b/modules/container-base/src/backports/v6.4/001-fix-password-script.patch
new file mode 100644
index 00000000000..3169d924084
--- /dev/null
+++ b/modules/container-base/src/backports/v6.4/001-fix-password-script.patch
@@ -0,0 +1,31 @@
+diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+index 0bf9d0b80f..b640e4d1fc 100644
+--- a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
++++ b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+@@ -8,7 +8,7 @@ set -euo pipefail
+ # Someone set the env var for passwords - get the new password in. Otherwise print warning.
+ # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
+ if [ "$LINUX_PASSWORD" != "payara" ]; then
+- echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd
++ echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd || { echo "Linux password unchanged!"; }
+ else
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER \"${LINUX_USER}\"! ('payara')"
+ echo " To change the password, set the LINUX_PASSWORD env var."
+@@ -19,7 +19,7 @@ if [ "$PAYARA_ADMIN_PASSWORD" != "admin" ]; then
+ PASSWORD_FILE=$(mktemp)
+ echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
+ echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
+- asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
++ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}" || { echo "Payara password unchanged!"; }
+ rm "$PASSWORD_FILE"
+ else
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ADMIN \"${PAYARA_ADMIN_USER}\"! ('admin')"
+@@ -35,7 +35,7 @@ if [ "$DOMAIN_PASSWORD" != "changeit" ]; then
+ PASSWORD_FILE=$(mktemp)
+ echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
+ echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_PASSWORD}" >> "$PASSWORD_FILE"
+- asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
++ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}" || { echo "Domain password unchanged!"; }
+ rm "$PASSWORD_FILE"
+ else
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN \"MASTER\" PASSWORD! ('changeit')"
diff --git a/modules/container-base/src/backports/v6.5/001-fix-password-script.patch b/modules/container-base/src/backports/v6.5/001-fix-password-script.patch
new file mode 100644
index 00000000000..3169d924084
--- /dev/null
+++ b/modules/container-base/src/backports/v6.5/001-fix-password-script.patch
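Review bot: The three new backport files under v6.4, v6.5 and v6.6 are byte-identical (each `index 00000000000..3169d924084` header names the same blob), so any later change to the `passwd` line or to the `... unchanged!` messages has to be applied three times and the copies will drift; one shared patch referenced from each version directory would keep them in step. The v6.5 and v6.6 sections carry the same point. The embedded hunks also inherit the stdout-only `echo "... password unchanged!"` wording from the main script, so whatever message and stream is settled there should be mirrored into the backport before it ships.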
@@ -0,0 +1,31 @@
+diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+index 0bf9d0b80f..b640e4d1fc 100644
+--- a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
++++ b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+@@ -8,7 +8,7 @@ set -euo pipefail
+ # Someone set the env var for passwords - get the new password in. Otherwise print warning.
+ # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
+ if [ "$LINUX_PASSWORD" != "payara" ]; then
+- echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd
++ echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd || { echo "Linux password unchanged!"; }
+ else
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER \"${LINUX_USER}\"! ('payara')"
+ echo " To change the password, set the LINUX_PASSWORD env var."
+@@ -19,7 +19,7 @@ if [ "$PAYARA_ADMIN_PASSWORD" != "admin" ]; then
+ PASSWORD_FILE=$(mktemp)
+ echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
+ echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
+- asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
++ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}" || { echo "Payara password unchanged!"; }
+ rm "$PASSWORD_FILE"
+ else
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ADMIN \"${PAYARA_ADMIN_USER}\"! ('admin')"
+@@ -35,7 +35,7 @@ if [ "$DOMAIN_PASSWORD" != "changeit" ]; then
+ PASSWORD_FILE=$(mktemp)
+ echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
+ echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_PASSWORD}" >> "$PASSWORD_FILE"
+- asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
++ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}" || { echo "Domain password unchanged!"; }
+ rm "$PASSWORD_FILE"
+ else
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN \"MASTER\" PASSWORD! ('changeit')"
diff --git a/modules/container-base/src/backports/v6.6/001-fix-password-script.patch b/modules/container-base/src/backports/v6.6/001-fix-password-script.patch
new file mode 100644
index 00000000000..3169d924084
--- /dev/null
+++ b/modules/container-base/src/backports/v6.6/001-fix-password-script.patch
@@ -0,0 +1,31 @@
+diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+index 0bf9d0b80f..b640e4d1fc 100644
+--- a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
++++ b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
+@@ -8,7 +8,7 @@ set -euo pipefail
+ # Someone set the env var for passwords - get the new password in. Otherwise print warning.
+ # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
+ if [ "$LINUX_PASSWORD" != "payara" ]; then
+- echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd
++ echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd || { echo "Linux password unchanged!"; }
+ else
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER \"${LINUX_USER}\"! ('payara')"
+ echo " To change the password, set the LINUX_PASSWORD env var."
+@@ -19,7 +19,7 @@ if [ "$PAYARA_ADMIN_PASSWORD" != "admin" ]; then
+ PASSWORD_FILE=$(mktemp)
+ echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
+ echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
+- asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
++ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}" || { echo "Payara password unchanged!"; }
+ rm "$PASSWORD_FILE"
+ else
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ADMIN \"${PAYARA_ADMIN_USER}\"! ('admin')"
+@@ -35,7 +35,7 @@ if [ "$DOMAIN_PASSWORD" != "changeit" ]; then
+ PASSWORD_FILE=$(mktemp)
+ echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
+ echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_PASSWORD}" >> "$PASSWORD_FILE"
+- asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
++ asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}" || { echo "Domain password unchanged!"; }
+ rm "$PASSWORD_FILE"
+ else
+ echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN \"MASTER\" PASSWORD! ('changeit')"
From 955c760555a5b6036805690192a4caafccd830eb Mon Sep 17 00:00:00 2001
From: Oliver Bertuch
Date: Wed, 4 Jun 2025 09:46:34 +0200
Subject: [PATCH 5/5] docs(ct): clarify restrictions on Payara Linux User password changes with ro rootfs
Added a note about incompatibility with read-only root filesystems when modifying `/etc/shadow`.
---
 doc/sphinx-guides/source/container/base-image.rst | 1 +
 1 file changed, 1 insertion(+)
diff --git a/doc/sphinx-guides/source/container/base-image.rst b/doc/sphinx-guides/source/container/base-image.rst
index a0852a5465f..662952a09ba 100644
--- a/doc/sphinx-guides/source/container/base-image.rst
+++ b/doc/sphinx-guides/source/container/base-image.rst
@@ -289,6 +289,7 @@ provides. These are mostly based on environment variables (very common with cont
 - ``payara``
 - String
 - Set to secret string to change the Payara Linux User ("payara", default UID=1000) password.
+ *Note: changes /etc/shadow, usually incompatible with a read-only rootfs!*
 * - ``DOMAIN_PASSWORD``
 - ``changeit``
 - String