Permalink
Show file tree
Hide file tree
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
6 changed files
with
250 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| ; CouchDB Configuration Settings | ||
|
|
||
| ; Custom settings should be made in this file. They will override settings | ||
| ; in default.ini, but unlike changes made to default.ini, this file won't be | ||
| ; overwritten on server upgrade. | ||
|
|
||
| [chttpd] | ||
| bind_address = any |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); you may not | ||
| # use this file except in compliance with the License. You may obtain a copy of | ||
| # the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
| # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
| # License for the specific language governing permissions and limitations under | ||
| # the License. | ||
|
|
||
| FROM debian:buster-slim | ||
|
|
||
| LABEL maintainer="CouchDB Developers dev@couchdb.apache.org" | ||
|
|
||
| # Add CouchDB user account to make sure the IDs are assigned consistently | ||
| RUN groupadd -g 5984 -r couchdb && useradd -u 5984 -d /opt/couchdb -g couchdb couchdb | ||
|
|
||
| # be sure GPG and apt-transport-https are available and functional | ||
| RUN set -ex; \ | ||
| apt-get update; \ | ||
| apt-get install -y --no-install-recommends \ | ||
| apt-transport-https \ | ||
| ca-certificates \ | ||
| dirmngr \ | ||
| gnupg \ | ||
| ; \ | ||
| rm -rf /var/lib/apt/lists/* | ||
|
|
||
| # grab gosu for easy step-down from root and tini for signal handling and zombie reaping | ||
| # see https://github.com/apache/couchdb-docker/pull/28#discussion_r141112407 | ||
| RUN set -eux; \ | ||
| apt-get update; \ | ||
| apt-get install -y --no-install-recommends gosu tini; \ | ||
| rm -rf /var/lib/apt/lists/*; \ | ||
| gosu nobody true; \ | ||
| tini --version | ||
|
|
||
| # http://docs.couchdb.org/en/latest/install/unix.html#installing-the-apache-couchdb-packages | ||
| ENV GPG_COUCH_KEY \ | ||
| # gpg: rsa8192 205-01-19 The Apache Software Foundation (Package repository signing key) <root@apache.org> | ||
| 390EF70BB1EA12B2773962950EE62FB37A00258D | ||
| RUN set -eux; \ | ||
| apt-get update; \ | ||
| apt-get install -y curl; \ | ||
| export GNUPGHOME="$(mktemp -d)"; \ | ||
| curl -fL -o keys.asc https://couchdb.apache.org/repo/keys.asc; \ | ||
| gpg --batch --import keys.asc; \ | ||
| gpg --batch --export "${GPG_COUCH_KEY}" > /usr/share/keyrings/couchdb-archive-keyring.gpg; \ | ||
| command -v gpgconf && gpgconf --kill all || :; \ | ||
| rm -rf "$GNUPGHOME"; \ | ||
| apt-key list; \ | ||
| apt purge -y --autoremove curl; \ | ||
| rm -rf /var/lib/apt/lists/* | ||
|
|
||
| ENV COUCHDB_VERSION 3.2.0 | ||
|
|
||
| RUN . /etc/os-release; \ | ||
| echo "deb [signed-by=/usr/share/keyrings/couchdb-archive-keyring.gpg] https://apache.jfrog.io/artifactory/couchdb-deb/ ${VERSION_CODENAME} main" | \ | ||
| tee /etc/apt/sources.list.d/couchdb.list >/dev/null | ||
|
|
||
| # https://github.com/apache/couchdb-pkg/blob/master/debian/README.Debian | ||
| RUN set -eux; \ | ||
| apt-get update; \ | ||
| \ | ||
| echo "couchdb couchdb/mode select none" | debconf-set-selections; \ | ||
| # we DO want recommends this time | ||
| DEBIAN_FRONTEND=noninteractive apt-get install -y --allow-downgrades --allow-remove-essential --allow-change-held-packages \ | ||
| couchdb="$COUCHDB_VERSION"~buster \ | ||
| ; \ | ||
| # Undo symlinks to /var/log and /var/lib | ||
| rmdir /var/lib/couchdb /var/log/couchdb; \ | ||
| rm /opt/couchdb/data /opt/couchdb/var/log; \ | ||
| mkdir -p /opt/couchdb/data /opt/couchdb/var/log; \ | ||
| chown couchdb:couchdb /opt/couchdb/data /opt/couchdb/var/log; \ | ||
| chmod 777 /opt/couchdb/data /opt/couchdb/var/log; \ | ||
| # Remove file that sets logging to a file | ||
| rm /opt/couchdb/etc/default.d/10-filelog.ini; \ | ||
| # Check we own everything in /opt/couchdb. Matches the command in dockerfile_entrypoint.sh | ||
| find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +; \ | ||
| # Setup directories and permissions for config. Technically these could be 555 and 444 respectively | ||
| # but we keep them as 755 and 644 for consistency with CouchDB defaults and the dockerfile_entrypoint.sh. | ||
| find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +; \ | ||
| find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +; \ | ||
| # only local.d needs to be writable for the docker_entrypoint.sh | ||
| chmod -f 0777 /opt/couchdb/etc/local.d; \ | ||
| # apt clean-up | ||
| rm -rf /var/lib/apt/lists/*; | ||
|
|
||
| # Add configuration | ||
| COPY --chown=couchdb:couchdb 10-docker-default.ini /opt/couchdb/etc/default.d/ | ||
| COPY --chown=couchdb:couchdb vm.args /opt/couchdb/etc/ | ||
|
|
||
| COPY docker-entrypoint.sh /usr/local/bin | ||
| RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards compat | ||
| ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"] | ||
|
|
||
| VOLUME /opt/couchdb/data | ||
|
|
||
| # 5984: Main CouchDB endpoint | ||
| # 4369: Erlang portmap daemon (epmd) | ||
| # 9100: CouchDB cluster communication port | ||
| EXPOSE 5984 4369 9100 | ||
| CMD ["/opt/couchdb/bin/couchdb"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| #!/bin/bash | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); you may not | ||
| # use this file except in compliance with the License. You may obtain a copy of | ||
| # the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
| # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
| # License for the specific language governing permissions and limitations under | ||
| # the License. | ||
|
|
||
| set -e | ||
|
|
||
| # first arg is `-something` or `+something` | ||
| if [ "${1#-}" != "$1" ] || [ "${1#+}" != "$1" ]; then | ||
| set -- /opt/couchdb/bin/couchdb "$@" | ||
| fi | ||
|
|
||
| # first arg is the bare word `couchdb` | ||
| if [ "$1" = 'couchdb' ]; then | ||
| shift | ||
| set -- /opt/couchdb/bin/couchdb "$@" | ||
| fi | ||
|
|
||
| if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then | ||
| # this is where runtime configuration changes will be written. | ||
| # we need to explicitly touch it here in case /opt/couchdb/etc has | ||
| # been mounted as an external volume, in which case it won't exist. | ||
| # If running as the couchdb user (i.e. container starts as root), | ||
| # write permissions will be granted below. | ||
| touch /opt/couchdb/etc/local.d/docker.ini | ||
|
|
||
| # if user is root, assume running under the couchdb user (default) | ||
| # and ensure it is able to access files and directories that may be mounted externally | ||
| if [ "$(id -u)" = '0' ]; then | ||
| # Check that we own everything in /opt/couchdb and fix if necessary. We also | ||
| # add the `-f` flag in all the following invocations because there may be | ||
| # cases where some of these ownership and permissions issues are non-fatal | ||
| # (e.g. a config file owned by root with o+r is actually fine), and we don't | ||
| # to be too aggressive about crashing here ... | ||
| find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' + | ||
|
|
||
| # Ensure that data files have the correct permissions. We were previously | ||
| # preventing any access to these files outside of couchdb:couchdb, but it | ||
| # turns out that CouchDB itself does not set such restrictive permissions | ||
| # when it creates the files. The approach taken here ensures that the | ||
| # contents of the datadir have the same permissions as they had when they | ||
| # were initially created. This should minimize any startup delay. | ||
| find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' + | ||
| find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' + | ||
|
|
||
| # Do the same thing for configuration files and directories. Technically | ||
| # CouchDB only needs read access to the configuration files as all online | ||
| # changes will be applied to the "docker.ini" file below, but we set 644 | ||
| # for the sake of consistency. | ||
| find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' + | ||
| find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' + | ||
| fi | ||
|
|
||
| if [ ! -z "$NODENAME" ] && ! grep "couchdb@" /opt/couchdb/etc/vm.args; then | ||
| echo "-name couchdb@$NODENAME" >> /opt/couchdb/etc/vm.args | ||
| fi | ||
|
|
||
| if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then | ||
| # Create admin only if not already present | ||
| if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then | ||
| printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini | ||
| fi | ||
| fi | ||
|
|
||
| if [ "$COUCHDB_SECRET" ]; then | ||
| # Set secret only if not already present | ||
| if ! grep -Pzoqr "\[couch_httpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then | ||
| printf "\n[couch_httpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini | ||
| fi | ||
| fi | ||
|
|
||
| if [ "$(id -u)" = '0' ]; then | ||
| chown -f couchdb:couchdb /opt/couchdb/etc/local.d/docker.ini || true | ||
| fi | ||
|
|
||
| # if we don't find an [admins] section followed by a non-comment, display a warning | ||
| if ! grep -Pzoqr '\[admins\]\n[^;]\w+' /opt/couchdb/etc/default.d/*.ini /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then | ||
| # The - option suppresses leading tabs but *not* spaces. :) | ||
| cat >&2 <<-'EOWARN' | ||
| ************************************************************* | ||
| ERROR: CouchDB 3.0+ will no longer run in "Admin Party" | ||
| mode. You *MUST* specify an admin user and | ||
| password, either via your own .ini file mapped | ||
| into the container at /opt/couchdb/etc/local.ini | ||
| or inside /opt/couchdb/etc/local.d, or with | ||
| "-e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password" | ||
| to set it via "docker run". | ||
| ************************************************************* | ||
| EOWARN | ||
| exit 1 | ||
| fi | ||
|
|
||
| if [ "$(id -u)" = '0' ]; then | ||
| exec gosu couchdb "$@" | ||
| fi | ||
| fi | ||
|
|
||
| exec "$@" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); you may not | ||
| # use this file except in compliance with the License. You may obtain a copy of | ||
| # the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
| # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
| # License for the specific language governing permissions and limitations under | ||
| # the License. | ||
|
|
||
| # Ensure that the Erlang VM listens on a known port | ||
| -kernel inet_dist_listen_min 9100 | ||
| -kernel inet_dist_listen_max 9100 | ||
|
|
||
| # Tell kernel and SASL not to log anything | ||
| -kernel error_logger silent | ||
| -sasl sasl_error_logger false | ||
|
|
||
| # Use kernel poll functionality if supported by emulator | ||
| +K true | ||
|
|
||
| # Start a pool of asynchronous IO threads | ||
| +A 16 | ||
|
|
||
| # Comment this line out to enable the interactive Erlang shell on startup | ||
| +Bd -noinput |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters