Merge remote-tracking branch 'origin/release-31.x' into develop

.circleci/main/commands/maven/restore-maven-cache.yml

@@ -7,5 +7,5 @@ commands:
             command: find . -type f -name "pom.xml" | grep -v /target/ | sort -u | xargs cat > maven-dependency-pom-cache.key
         - restore_cache:
             keys:
-              - maven-dependencies-v4-{{ checksum "pom-version-cache.key" }}-{{ checksum "maven-dependency-pom-cache.key" }}
-              - maven-dependencies-v4-{{ checksum "pom-version-cache.key" }}-
+              - maven-dependencies-v5-{{ checksum "pom-version-cache.key" }}-{{ checksum "maven-dependency-pom-cache.key" }}
+              - maven-dependencies-v5-{{ checksum "pom-version-cache.key" }}-

.circleci/main/commands/maven/save-maven-cache.yml

@@ -6,6 +6,6 @@ commands:
           name: Remove old artifacts to keep workspace size down
           command: .circleci/scripts/clean-m2.sh
       - save_cache:
-          key: maven-dependencies-v4-{{ checksum "pom-version-cache.key" }}-{{ checksum "maven-dependency-pom-cache.key" }}
+          key: maven-dependencies-v5-{{ checksum "pom-version-cache.key" }}-{{ checksum "maven-dependency-pom-cache.key" }}
           paths:
             - ~/.m2

.circleci/scripts/publish-azure.sh

@@ -30,7 +30,7 @@ for TYPE in minion; do
   export DOCKER_REPO="${DOCKER_SERVER}/opennms/${TYPE}"
 
   # in Azure, only push the "branchname-arch" version of the individual ones
-  find /tmp/artifacts/oci -name "${TYPE}-*.oci" | while read -r _file; do
+  find /tmp/artifacts/oci -name "${TYPE}-linux-*.oci" | while read -r _file; do
     echo "* processing ${TYPE} image: ${_file}"
     _file_tag="$(basename "${_file}" | sed -e 's,\.oci$,,')"
     _internal_tag="opennms/${_file_tag}"

.circleci/scripts/publish-cloudsmith.sh

@@ -61,7 +61,7 @@ export DOCKER_CONTENT_TRUST=0
 for TYPE in horizon minion sentinel; do
   export DOCKER_REPO="${DOCKER_SERVER}/opennms/${REPO}/${TYPE}"
 
-  find /tmp/artifacts/oci -name "${TYPE}-*.oci" | while read -r _file; do
+  find /tmp/artifacts/oci -name "${TYPE}-linux-*.oci" | while read -r _file; do
     echo "* processing ${TYPE} image: ${_file}"
     _file_tag="$(basename "${_file}" | sed -e 's,\.oci$,,')"
     _internal_tag="opennms/${_file_tag}"

.circleci/scripts/publish-dockerhub.sh

@@ -28,16 +28,16 @@ for TYPE in horizon minion sentinel; do
   export DOCKER_REPO="${DOCKER_SERVER}/opennms/${TYPE}"
 
   # figure out DCT environment variables for $TYPE
-  _key_contents_variable="$(printf 'DCT_REPO_%s_KEY' "${TYPE}" | tr '[:lower:]' '[:upper:]')"
-  _key_name_variable="$(printf 'DCT_REPO_%s_KEY_NAME' "${TYPE}" | tr '[:lower:]' '[:upper:]')"
-  _key_passphrase_variable="$(printf 'DCT_REPO_%s_KEY_PASSPHRASE' "${TYPE}" | tr '[:lower:]' '[:upper:]')"
+  _key_contents_variable="$(printf 'DCT_REPO_%s_KEY' "${TYPE}" | tr '[:lower:]' '[:upper:]' | tr '-' '_')"
+  _key_name_variable="$(printf 'DCT_REPO_%s_KEY_NAME' "${TYPE}" | tr '[:lower:]' '[:upper:]' | tr '-' '_')"
+  _key_passphrase_variable="$(printf 'DCT_REPO_%s_KEY_PASSPHRASE' "${TYPE}" | tr '[:lower:]' '[:upper:]' | tr '-' '_')"
 
   # save $TYPE's key
   printf '%s' "${!_key_contents_variable}" | base64 -d > "${PRIVATE_KEY_FOLDER}/${!_key_name_variable}.key"
   chmod 600 "${PRIVATE_KEY_FOLDER}/${!_key_name_variable}.key"
 
   # in dockerhub, only push the "branchname-arch" version of the individual ones
-  find /tmp/artifacts/oci -name "${TYPE}-*.oci" | while read -r _file; do
+  find /tmp/artifacts/oci -name "${TYPE}-linux-*.oci" | while read -r _file; do
     echo "* processing ${TYPE} image: ${_file}"
     _file_tag="$(basename "${_file}" | sed -e 's,\.oci$,,')"
     _internal_tag="opennms/${_file_tag}"

docs/modules/operation/pages/deep-dive/notifications/configuration.adoc

@@ -13,7 +13,8 @@ Configuring a path outage lets you suppress notifications for nodes that appear
 For example, if a WAN link fails, all nodes at the remote site served by the WAN link will appear to be down.
 Because you get a notification that the router on the far end of the WAN link is not responding, you don't need notifications for all devices that sit behind that router.
 
-See xref:operation:deep-dive/service-assurance/path-outages.adoc[Use Path Outages to Suppress Notifications] for additional information.
+See xref:operation:deep-dive/service-assurance/path-outages.adoc[Use Path Outages to Suppress Notifications] for information on enabling this feature.
+Path outage checking is disabled by default.
 
 You can configure a path outage for an individual node by setting a parent on the node in a requisition:
 

docs/modules/operation/pages/deep-dive/service-assurance/path-outages.adoc

@@ -2,10 +2,18 @@
 [[ga-service-assurance-path-outage]]
 = Use Path Outages to Suppress Notifications
 
-An outage of a central network component can cause a lot of node outages.
+An outage of a core network component can cause a lot of node outages.
 You can use path outages to suppress notifications based on how nodes depend on each other in the network, as defined by a critical path.
 The critical path needs to be configured from the network perspective of the monitoring system.
-By default, the path outage feature is disabled and has to be enabled in `poller-configuration.xml`.
+
+== Enable path outages
+
+By default, the path outage feature is disabled and has to be enabled for pollerd to check if notifications should be suppresed for an outage.
+Edit the `$\{OPENNMS_HOME}/etc/poller-configuration.xml` file to set `pathOutageEnabled` to `true` at the top of the file.
+A service restart is required after changing this setting.
+
+
+== Example: Configure parent nodes
 
 The following image shows a sample network topology:
 
@@ -17,9 +25,12 @@ If `default-gw-01` is down, it is not possible to reach any node in the two netw
 In this case, an administrator would like to receive just one notification for `default-gw-01`; notifications for the other nodes behind it should not be generated.
 Building this configuration in {page-component-title} requires the following information:
 
-* *Parent Foreign Source:* the foreign source where the parent node is defined.
-* *Parent Foreign ID:* the foreign ID of the parent node this node depends on.
-* *IP Interface:* the primary IP interface is used as the critical IP.
+Parent Foreign Source:: The foreign source where the parent node is defined.
+If the parent node is in the same requisition as the child node, this field can be left blank.
+Parent Foreign ID:: The foreign ID of the parent node this node depends on.
+It is possible to define the parent node based on the label, though using the ID is more reliable in case the node label changes in the future.
+IP Interface:: The primary IP interface is used as the critical IP.
+While you do not need to provide the IP interface when configuring the path on the node in a requisition, it is important to make sure the node has the correct IP interface set as the primary for the path calculation.
 
 In this example, we have created all nodes in a requisition named `Network-ACME` and we use the node label value as the foreign ID:
 

opennms-base-assembly/src/main/filtered/bin/opennms

@@ -395,7 +395,8 @@ doStart(){
 	fi
 
 	# make sure the directory exists for writing a pidfile
-	local _piddir="$(dirname "${OPENNMS_PIDFILE}")"
+	local _piddir
+	_piddir="$(dirname "${OPENNMS_PIDFILE}")"
 	if [ ! -e "${_piddir}" ]; then
 		mkdir -p "${_piddir}"
 	fi
@@ -1025,6 +1026,7 @@ fi
 if [ "$SYSTEMD" -ne 1 ]; then
 	SYSTEMCTL="$(command -v systemctl 2>/dev/null || which systemctl 2>/dev/null || :)"
 	if [ -x "$SYSTEMCTL" ]; then
+		# shellcheck disable=SC2016
 		echo 'WARNING: `systemctl` was found, but OpenNMS is not being run in Systemd mode.'
 		echo 'You will not be able to use systemctl to manage an OpenNMS started manually from the CLI.'
 	fi

opennms-container/common.mk

@@ -25,7 +25,7 @@ DOCKER_FLAGS            :=
 DOCKER_OUTPUT           :=
 DOCKER_OUTPUT_OCI       := type=docker,dest=$(DOCKER_OCI)
 DOCKER_OUTPUT_IMAGE     := type=image
-DOCKERX_INSTANCE        := env-$(DOCKER_PROJECT)-oci
+DOCKERX_INSTANCE        := opennms-build-env-oci
 SOURCE                  := $(shell git remote get-url origin)
 REVISION                := $(shell git describe --always)
 BUILD_NUMBER            := 0
@@ -98,7 +98,7 @@ test: $(TARBALL)
 	$(info Ready to go, let's light this candle!)
 	@true
 
-$(README): $(TARBALL)
+$(README): $(TARBALL) Dockerfile $(shell find container-fs -type f)
 	@echo "Unpacking tarball for Docker context..."
 	rm -rf tarball-root
 	mkdir -p tarball-root
@@ -195,13 +195,15 @@ uninstall:
 uninstall-all: uninstall
 	-docker image rm `docker image ls --format='{{ .Repository }}:{{ .Tag }}' '$(DOCKER_BASE):buildx-*T*Z'`
 
-clean:
+clean-context:
 	$(info Destroy builder environment: $(DOCKERX_INSTANCE) ...)
 	-docker buildx rm $(DOCKERX_INSTANCE)
 	-docker context rm "$(DOCKERX_INSTANCE)-context"
 
-clean-all: clean
+clean: clean-context
 	$(info Delete tarball and artifacts ...)
 	rm -rf images/*.oci
 	rm -rf tarball-root
 	rm -rf $(ADDITIONAL_TARGETS)
+
+clean-all: clean

opennms-container/core/Makefile

@@ -3,7 +3,7 @@
 ##
 
 CONTAINER_TYPE_FRIENDLY := Horizon
-DOCKER_PROJECT          := core
+DOCKER_PROJECT          := horizon
 TARBALL                 := ../../opennms-full-assembly/target/*-core.tar.gz
 
 include ../common.mk

opennms-container/core/container-fs/entrypoint.sh

@@ -91,7 +91,7 @@ initConfigWhenEmpty() {
 
   if [ ! "$(ls --ignore .git --ignore .gitignore -A ${OPENNMS_HOME}/etc)"  ]; then
     echo "No existing configuration in ${OPENNMS_HOME}/etc found. Initialize from etc-pristine."
-    cp -r ${OPENNMS_HOME}/share/etc-pristine/* ${OPENNMS_HOME}/etc/ || exit ${E_INIT_CONFIG}
+    rsync -r --out-format="%n %C" ${OPENNMS_HOME}/share/etc-pristine/* ${OPENNMS_HOME}/etc/. || exit ${E_INIT_CONFIG}
   fi
 
   if [[ ! -d /opennms-data/mibs ]]; then
@@ -121,23 +121,23 @@ applyOverlayConfig() {
   if [ -d "${OPENNMS_OVERLAY}" ] && [ -n "$(ls -A ${OPENNMS_OVERLAY})" ]; then
     echo "Apply custom configuration from ${OPENNMS_OVERLAY}."
     # Use rsync so that we can overlay files into directories that are symlinked
-    rsync -K -rl ${OPENNMS_OVERLAY}/* ${OPENNMS_HOME}/ || exit ${E_INIT_CONFIG}
+    rsync -K -rl --out-format="%n %C" ${OPENNMS_OVERLAY}/* ${OPENNMS_HOME}/. || exit ${E_INIT_CONFIG}
   else
     echo "No custom config found in ${OPENNMS_OVERLAY}. Use default configuration."
   fi
 
   # Overlay etc specific config
   if [ -d "${OPENNMS_OVERLAY_ETC}" ] && [ -n "$(ls -A ${OPENNMS_OVERLAY_ETC})" ]; then
     echo "Apply custom etc configuration from ${OPENNMS_OVERLAY_ETC}."
-    cp -r ${OPENNMS_OVERLAY_ETC}/* ${OPENNMS_HOME}/etc || exit ${E_INIT_CONFIG}
+    rsync -r --out-format="%n %C" ${OPENNMS_OVERLAY_ETC}/* ${OPENNMS_HOME}/etc/. || exit ${E_INIT_CONFIG}
   else
     echo "No custom config found in ${OPENNMS_OVERLAY_ETC}. Use default configuration."
   fi
 
   # Overlay jetty specific config
   if [ -d "${OPENNMS_OVERLAY_JETTY_WEBINF}" ] && [ -n "$(ls -A ${OPENNMS_OVERLAY_JETTY_WEBINF})" ]; then
     echo "Apply custom Jetty WEB-INF configuration from ${OPENNMS_OVERLAY_JETTY_WEBINF}."
-    cp -r ${OPENNMS_OVERLAY_JETTY_WEBINF}/* ${OPENNMS_HOME}/jetty-webapps/opennms/WEB-INF || exit ${E_INIT_CONFIG}
+    rsync -r --out-format="%n %C" ${OPENNMS_OVERLAY_JETTY_WEBINF}/* ${OPENNMS_HOME}/jetty-webapps/opennms/WEB-INF/. || exit ${E_INIT_CONFIG}
   else
     echo "No custom Jetty WEB-INF config found in ${OPENNMS_OVERLAY_JETTY_WEBINF}. Use default configuration."
   fi

opennms-container/minion/Dockerfile

@@ -29,7 +29,7 @@ RUN chmod -R g-w /opt/minion && \
 ##
 FROM ${BASE_IMAGE}
 
-ARG REQUIRED_DEBS="hostname uuid-runtime"
+ARG REQUIRED_DEBS="hostname uuid-runtime rsync"
 
 # Prevent prompts
 ENV DEBIAN_FRONTEND=noninteractive

opennms-container/minion/container-fs/entrypoint.sh

@@ -62,7 +62,7 @@ setCredentials() {
   ${MINION_HOME}/bin/scvcli set opennms.http ${OPENNMS_HTTP_USER} ${OPENNMS_HTTP_PASS}
   ${MINION_HOME}/bin/scvcli set opennms.broker ${OPENNMS_BROKER_USER} ${OPENNMS_BROKER_PASS}
 
-  cp ${MINION_HOME}/etc/scv.jce /keystore
+  rsync --out-format="%n %C" ${MINION_HOME}/etc/scv.jce /keystore/.
 }
 
 function updateConfig() {
@@ -152,7 +152,7 @@ applyOverlayConfig() {
   # Overlay etc specific config
   if [ -d "${MINION_OVERLAY_ETC}" ] && [ -n "$(ls -A ${MINION_OVERLAY_ETC})" ]; then
     echo "Apply custom etc configuration from ${MINION_OVERLAY_ETC}."
-    cp -Lr ${MINION_OVERLAY_ETC}/* ${MINION_HOME}/etc || exit ${E_INIT_CONFIG}
+    rsync -Lr --out-format="%n %C" ${MINION_OVERLAY_ETC}/* ${MINION_HOME}/etc/. || exit ${E_INIT_CONFIG}
   else
     echo "No custom config found in ${MINION_OVERLAY_ETC}. Use default configuration."
   fi
@@ -211,7 +211,8 @@ configure() {
     done < "$MINION_PROCESS_ENV_CFG"
   fi
   if [[ -f "$MINION_SERVER_CERTS_CFG" ]]; then
-    cp "$JAVA_HOME/lib/security/cacerts" "$CACERTS"
+    # cacerts is a symlink to a file, so *do not* put /. on the target
+    rsync --out-format="%n %C" "$JAVA_HOME/lib/security/cacerts" "$CACERTS"
     export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$CACERTS -Djavax.net.ssl.trustStorePassword=changeit"
     while read certid; do
       [[ $certid =~ ^#.* ]] && continue

opennms-container/sentinel/Dockerfile

@@ -22,7 +22,7 @@ RUN chmod -R g-w /opt/usr-share/sentinel && \
 
 FROM ${BASE_IMAGE} as sentinel-base
 
-ARG REQUIRED_DEBS="hostname wget gettext openssh-client uuid-runtime"
+ARG REQUIRED_DEBS="hostname wget gettext openssh-client uuid-runtime rsync"
 
 ARG REPO_KEY_URL="https://debian.opennms.org/OPENNMS-GPG-KEY"
 

opennms-container/sentinel/container-fs/entrypoint.sh

@@ -60,7 +60,7 @@ setCredentials() {
   ${SENTINEL_HOME}/bin/scvcli set opennms.http ${OPENNMS_HTTP_USER} ${OPENNMS_HTTP_PASS}
   ${SENTINEL_HOME}/bin/scvcli set opennms.broker ${OPENNMS_BROKER_USER} ${OPENNMS_BROKER_PASS}
 
-  cp ${SENTINEL_HOME}/etc/scv.jce /keystore
+  rsync --out-format="%n %C" ${SENTINEL_HOME}/etc/scv.jce /keystore/.
 }
 
 initConfig() {
@@ -109,14 +109,14 @@ applyOverlayConfig() {
   # Overlay etc specific config
   if [ -d "${SENTINEL_OVERLAY_ETC}" ] && [ -n "$(ls -A ${SENTINEL_OVERLAY_ETC})" ]; then
     echo "Apply custom etc configuration from ${SENTINEL_OVERLAY_ETC}."
-    cp -r ${SENTINEL_OVERLAY_ETC}/* ${SENTINEL_HOME}/etc || exit ${E_INIT_CONFIG}
+    rsync -r --out-format="%n %C" ${SENTINEL_OVERLAY_ETC}/* ${SENTINEL_HOME}/etc/. || exit ${E_INIT_CONFIG}
   else
     echo "No custom config found in ${SENTINEL_OVERLAY_ETC}. Use default configuration."
   fi
   # Overlay for all of the sentinel dir
   if [ -d "$SENTINEL_OVERLAY" ] && [ -n "$(ls -A ${SENTINEL_OVERLAY})" ]; then
     echo "Apply custom configuration from ${SENTINEL_OVERLAY}."
-    cp -r ${SENTINEL_OVERLAY}/* ${SENTINEL_HOME}/ || exit ${E_INIT_CONFIG}
+    rsync -r --out-format="%n %C" ${SENTINEL_OVERLAY}/* ${SENTINEL_HOME}/. || exit ${E_INIT_CONFIG}
   else
     echo "No custom config found in ${SENTINEL_OVERLAY}. Use default configuration."
   fi 

opennms-jetty/src/main/java/org/opennms/netmgt/jetty/JettyServer.java

@@ -111,6 +111,7 @@ protected void onStart() {
             m_server.start();
         } catch (final Throwable t) {
             LOG.error("Error starting Jetty Server", t);
+            throw new IllegalStateException(t);
         }
     }
 
@@ -121,6 +122,7 @@ protected void onStop() {
             m_server.stop();
         } catch (final Throwable t) {
             LOG.error("Error stopping Jetty Server", t);
+            throw new IllegalStateException(t);
         }
     }
 

opennms-jetty/src/main/java/org/opennms/netmgt/jetty/OpenNMSWebAppProvider.java

@@ -67,6 +67,7 @@ public ContextHandler createContextHandler(final App app) throws Exception {
             context.setAttribute(AnnotationConfiguration.CONTAINER_INITIALIZERS, jspInitializers());
             context.setAttribute(InstanceManager.class.getName(), new SimpleInstanceManager());
             context.addBean(new ServletContainerInitializersStarter(context), true);
+            context.setThrowUnavailableOnStartupException(true);
         }
 
         return handler;

opennms-webapp/src/main/webapp/admin/snmpConfig.jsp

@@ -32,6 +32,7 @@
 <%@page import="com.google.common.base.Strings"%>
 <%@page import="org.opennms.web.svclayer.model.SnmpInfo"%>
 <%@page import="org.opennms.netmgt.snmp.SnmpConfiguration"%>
+<%@page import="org.opennms.core.utils.WebSecurityUtils" %>
 <%@page language="java" contentType="text/html" session="true"%>
 
 <jsp:include page="/includes/bootstrap.jsp" flush="false">
@@ -496,7 +497,7 @@ if (request.getAttribute("success") != null) {
           Read Community String
           </label>
           <div class="col-sm-8">
-            <input id="readCommunityString" class="form-control" name="readCommunityString" value="<%=readCommunityString%>">
+            <input id="readCommunityString" class="form-control" name="readCommunityString" value="<%=WebSecurityUtils.sanitizeString(readCommunityString)%>">
             <p class="form-text text-muted"><b>Default: </b><%=SnmpConfiguration.DEFAULT_READ_COMMUNITY %></p>
           </div>
         </div>
@@ -506,7 +507,7 @@ if (request.getAttribute("success") != null) {
           Write Community String
           </label>
           <div class="col-sm-8">
-            <input id="writeCommunityString" class="form-control" name="writeCommunityString" value="<%=writeCommunityString%>">
+            <input id="writeCommunityString" class="form-control" name="writeCommunityString" value="<%=WebSecurityUtils.sanitizeString(writeCommunityString)%>">
             <p class="form-text text-muted"><b>Default: </b><%=SnmpConfiguration.DEFAULT_WRITE_COMMUNITY %></p>
           </div>
         </div>