V913

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Change log
 
+## 9.1.3.0 (2019-07-19)
+
+* Updated to MQ version 9.1.3.0
+* Allow generation of TLS certificate with given hostname
+* Fixes for the following issues:
+  * `MQ_EPHEMERAL_PREFIX` UNIX sockets fix
+  * Fix Makefile for Windows
+  * Use -a option on crtmqdir
+  * Remove check for certificate environment variable
+
 ## 9.1.2.0-UBI (2019-06-21)
 
 **Breaking changes**:
@@ -13,6 +23,7 @@
 
 ## 9.1.2.0 (2019-03-21)
 
+* Updated to MQ version 9.1.2.0
 * Now runs using the "mqm" user instead of root.  See new [security doc](https://github.com/ibm-messaging/mq-container/blob/master/docs/security.md)
 * New [IGNSTATE](https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.pro.doc/q132310_.htm#q132310___ignstateparm) parameter used in default developer config
 * Termination log moved from `/dev/termination-log` to `/run/termination-log`, to make permissions easier to handle

Makefile

@@ -17,9 +17,9 @@
 # the command line
 ###############################################################################
 # MQ_VERSION is the fully qualified MQ version number to build
-MQ_VERSION ?= 9.1.2.0
+MQ_VERSION ?= 9.1.3.0
 # RELEASE shows what release of the container code has been built
-RELEASE ?= 3
+RELEASE ?= 1
 # MQ_ARCHIVE is the name of the file, under the downloads directory, from which MQ Advanced can
 # be installed. The default value is derived from MQ_VERSION, BASE_IMAGE and architecture
 # Does not apply to MQ Advanced for Developers.
@@ -68,7 +68,7 @@ IMAGE_REVISION=$(shell git rev-parse HEAD)
 IMAGE_SOURCE=$(shell git config --get remote.origin.url)
 EMPTY:=
 SPACE:= $(EMPTY) $(EMPTY)
-# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field).  e.g. 9.1.2 instead of 9.1.2.0
+# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field).  e.g. 9.1.3 instead of 9.1.3.0
 MQ_VERSION_VRM=$(subst $(SPACE),.,$(wordlist 1,3,$(subst .,$(SPACE),$(MQ_VERSION))))
 
 # Set variable if running on a Red Hat Enterprise Linux host
@@ -102,6 +102,7 @@ endif
 MQ_ARCHIVE_DEV_9.1.0.0=mqadv_dev910_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
 MQ_ARCHIVE_DEV_9.1.1.0=mqadv_dev911_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
 MQ_ARCHIVE_DEV_9.1.2.0=mqadv_dev912_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
+MQ_ARCHIVE_DEV_9.1.3.0=mqadv_dev913_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
 
 ###############################################################################
 # Build targets

README.md

@@ -44,8 +44,8 @@ For issues relating specifically to the container image or Helm chart, please us
 The Dockerfiles and associated code and scripts are licensed under the [Apache License 2.0](http://www.apache.org/licenses/LICENSE-2.0.html).
 Licenses for the products installed within the images are as follows:
 
-- [IBM MQ Advanced for Developers](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-AVCJ4S) (International License Agreement for Non-Warranted Programs). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.
-- [IBM MQ Advanced](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-AZYF4X) (International Program License Agreement). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.
+- [IBM MQ Advanced for Developers](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-BBZHCQ) (International License Agreement for Non-Warranted Programs). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.
+- [IBM MQ Advanced](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-BBSHJL) (International Program License Agreement). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.
 - License information for Ubuntu packages may be found in `/usr/share/doc/${package}/copyright`
 
 Note: The IBM MQ Advanced for Developers license does not permit further distribution and the terms restrict usage to a developer machine.

cmd/runmqserver/main.go

@@ -117,29 +117,6 @@ func doMain() error {
 		return err
 	}
 
-	// handle /var/mqm/ permissions in upgrade to UBI
-	if *initFlag {
-		varMqmDirs := []string{
-			"/var/mqm/config",
-			"/var/mqm/conv",
-			"/var/mqm/errors",
-			"/var/mqm/exits",
-			"/var/mqm/exits64",
-			"/var/mqm/log",
-			"/var/mqm/mqft",
-			"/var/mqm/qmgrs",
-			"/var/mqm/shared",
-			"/var/mqm/sockets",
-			"/var/mqm/trace",
-			"/var/mqm/web",
-		}
-		err = configureOwnership(varMqmDirs)
-		if err != nil {
-			logTermination(err)
-			return err
-		}
-	}
-
 	// If init flag is set, exit now
 	if *initFlag {
 		return nil

cmd/runmqserver/qmgr.go

@@ -24,8 +24,6 @@ import (
 	"path/filepath"
 	"strings"
 
-	"golang.org/x/sys/unix"
-
 	"github.com/ibm-messaging/mq-container/internal/command"
 	containerruntime "github.com/ibm-messaging/mq-container/internal/containerruntime"
 	"github.com/ibm-messaging/mq-container/internal/mqscredact"
@@ -34,7 +32,7 @@ import (
 
 // createDirStructure creates the default MQ directory structure under /var/mqm
 func createDirStructure() error {
-	out, _, err := command.Run("/opt/mqm/bin/crtmqdir", "-f", "-s")
+	out, _, err := command.Run("/opt/mqm/bin/crtmqdir", "-f", "-a")
 	if err != nil {
 		log.Printf("Error creating directory structure: %v\n", string(out))
 		return err
@@ -43,47 +41,6 @@ func createDirStructure() error {
 	return nil
 }
 
-// configureOwnership recursively handles ownership of files within the given filepath
-func configureOwnership(paths []string) error {
-	uid, gid, err := command.LookupMQM()
-	if err != nil {
-		return err
-	}
-	var fileInfo *unix.Stat_t
-	fileInfo = new(unix.Stat_t)
-	for _, root := range paths {
-		_, err = os.Stat(root)
-		if err != nil {
-			if os.IsNotExist(err) {
-				continue
-			}
-			return err
-		}
-		err = filepath.Walk(root, func(from string, info os.FileInfo, err error) error {
-			if err != nil {
-				return err
-			}
-			to := fmt.Sprintf("%v%v", root, from[len(root):])
-			err = unix.Stat(to, fileInfo)
-			if err != nil {
-				return err
-			}
-			fileUID := fmt.Sprint(fileInfo.Uid)
-			if strings.Compare(fileUID, "999") == 0 {
-				err = os.Chown(to, uid, gid)
-				if err != nil {
-					return err
-				}
-			}
-			return nil
-		})
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 // createQueueManager creates a queue manager, if it doesn't already exist.
 // It returns true if one was created (or a standby was created), or false if one already existed
 func createQueueManager(name string) (bool, error) {

cmd/runmqserver/tls.go

@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/internal/keystore"
 	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 	"github.com/ibm-messaging/mq-container/internal/tls"
 )
@@ -38,7 +39,7 @@ const trustDir = "/etc/mqm/pki/trust"
 // configureWebTLS configures TLS for Web Console
 func configureWebTLS(label string) error {
 	// Return immediately if we have no certificate to use as identity
-	if label == "" {
+	if label == "" && os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME") == "" {
 		return nil
 	}
 
@@ -129,8 +130,30 @@ func configureSSOTLS(p12TrustStore tls.KeyStoreData) (string, error) {
 	// Check keystore exists
 	ks := filepath.Join(keyStoreDir, webKeyStoreName)
 	_, err := os.Stat(ks)
-	if err != nil {
-		return "", fmt.Errorf("Failed to find existing keystore %s: %v", ks, err)
+	// Now we know if the file exists let's check whether we should have it or not.
+	// Check if we're being told to generate the certificate
+	genHostName := os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME")
+	if genHostName != "" {
+		// We've got to generate the certificate with the hostname given
+		if err == nil {
+			log.Printf("Replacing existing keystore %s - generating new certificate", ks)
+		}
+		// Keystore doesn't exist so create it and populate a certificate
+		newKS := keystore.NewPKCS12KeyStore(ks, p12TrustStore.Password)
+		err = newKS.Create()
+		if err != nil {
+			return "", fmt.Errorf("Failed to create keystore %s: %v", ks, err)
+		}
+
+		err = newKS.CreateSelfSignedCertificate("default", fmt.Sprintf("CN=%s", genHostName), genHostName)
+		if err != nil {
+			return "", fmt.Errorf("Failed to generate certificate in keystore %s with DN of 'CN=%s': %v", ks, genHostName, err)
+		}
+	} else {
+		// Keystore should already exist
+		if err != nil {
+			return "", fmt.Errorf("Failed to find existing keystore %s: %v", ks, err)
+		}
 	}
 
 	// Check truststore exists

cmd/runmqserver/version.go

@@ -38,11 +38,11 @@ func logDateStamp() {
 }
 
 func logGitRepo() {
-	log.Printf("Image revision: %v", ImageRevision)
+	// log.Printf("Image revision: %v", ImageRevision)
 }
 
 func logGitCommit() {
-	log.Printf("Image source: %v", ImageSource)
+	// log.Printf("Image source: %v", ImageSource)
 }
 
 func logImageTag() {

cmd/runmqserver/webserver.go

@@ -92,7 +92,6 @@ func configureSSO(p12TrustStore tls.KeyStoreData) (string, error) {
 		"MQ_OIDC_TOKEN_ENDPOINT",
 		"MQ_OIDC_JWK_ENDPOINT",
 		"MQ_OIDC_ISSUER_IDENTIFIER",
-		"MQ_OIDC_CERTIFICATE",
 	}
 	for _, envVar := range requiredEnvVars {
 		if len(os.Getenv(envVar)) == 0 {

docs/building.md

@@ -14,7 +14,7 @@ If you are working in the Windows Subsystem for Linux, follow [this guide by Mic
 This procedure works for building the MQ Continuous Delivery release, on `amd64`, `ppc64le` and `s390x` architectures.
 
 1. Create a `downloads` directory in the root of this repository
-2. Download MQ from [IBM Passport Advantage](https://www.ibm.com/software/passportadvantage/) or [IBM Fix Central](https://www.ibm.com/support/fixcentral), and place the downloaded file (for example, `IBM_MQ_9.1.2_UBUNTU_X86-64.tar.gz`) in the `downloads` directory
+2. Download MQ from [IBM Passport Advantage](https://www.ibm.com/software/passportadvantage/) or [IBM Fix Central](https://www.ibm.com/support/fixcentral), and place the downloaded file (for example, `IBM_MQ_9.1.3_LINUX_X86-64.tar.gz`) in the `downloads` directory
 3. Run `make build-advancedserver`
 
 > **Warning**: Note that MQ offers two different sets of packaging on Linux: one is called "MQ for Linux" and contains RPM files for installing on Red Hat Enterprise Linux and SUSE Linux Enterprise Server.  The MQ container build uses a Red Hat Universal Base Image, so you need the "MQ for Linux" RPM files.

docs/security.md

@@ -16,7 +16,7 @@ docker run \
   --env LICENSE=accept \
   --env MQ_QMGR_NAME=QM1 \
   --detach \
-  mqadvanced-server:9.1.2.0-amd64
+  mqadvanced-server:9.1.3.0-amd64
 ```
 
 The MQ Advanced for Developers image does require the "chown", "setuid", "setgid" and "audit_write" capabilities (plus "dac_override" if you're using an image based on Red Hat Enterprise Linux).  This is because it uses the "sudo" command to change passwords inside the container.  For example, in Docker, you could do the following:
@@ -31,7 +31,7 @@ docker run \
   --env LICENSE=accept \
   --env MQ_QMGR_NAME=QM1 \
   --detach \
-  mqadvanced-server-dev:9.1.2.0-amd64
+  mqadvanced-server-dev:9.1.3.0-amd64
 ```
 
 ### SELinux

docs/testing.md

@@ -24,7 +24,7 @@ make test-advancedserver
 You can specify the image to use directly by using the `MQ_IMAGE_ADVANCEDSERVER` or `MQ_IMAGE_DEVSERVER` variables, for example:
 
 ```
-MQ_IMAGE_ADVANCEDSERVER=mqadvanced-server:9.1.2.0-amd64 make test-advancedserver
+MQ_IMAGE_ADVANCEDSERVER=mqadvanced-server:9.1.3.0-amd64 make test-advancedserver
 ```
 
 You can pass parameters to `go test` with an environment variable.  For example, to run the "TestGoldenPath" test, run the following command::
@@ -33,10 +33,10 @@ You can pass parameters to `go test` with an environment variable.  For example,
 TEST_OPTS_DOCKER="-run TestGoldenPath" make test-advancedserver
 ```
 
-You can also use the same environment variables you specified when [building](./building), for example, the following will try and test an image called `mqadvanced-server:9.1.2.0-amd64`:
+You can also use the same environment variables you specified when [building](./building), for example, the following will try and test an image called `mqadvanced-server:9.1.3.0-amd64`:
 
 ```
-MQ_VERSION=9.1.2.0 make test-advancedserver
+MQ_VERSION=9.1.3.0 make test-advancedserver
 ```
 
 ### Running the Docker tests with code coverage

install-mq.sh

@@ -84,6 +84,9 @@ install --directory --mode 0775 --owner mqm --group root /mnt/mqm-data/qmgrs
 # Create the directory for MQ configuration files
 install --directory --mode 0775 --owner mqm --group root /etc/mqm
 
+# Create the directory for MQ runtime files
+install --directory --mode 0775 --owner mqm --group root /run/mqm
+
 # Create a symlink for /var/mqm -> /mnt/mqm/data
 ln -s /mnt/mqm/data /var/mqm
 

internal/keystore/keystore.go

@@ -151,8 +151,8 @@ func (ks *KeyStore) Import(inputFile, password string) error {
 }
 
 // CreateSelfSignedCertificate creates a self-signed certificate in the keystore
-func (ks *KeyStore) CreateSelfSignedCertificate(label, dn string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-create", "-db", ks.Filename, "-pw", ks.Password, "-label", label, "-dn", dn)
+func (ks *KeyStore) CreateSelfSignedCertificate(label, dn, hostname string) error {
+	out, _, err := command.Run(ks.command, "-cert", "-create", "-db", ks.Filename, "-pw", ks.Password, "-label", label, "-dn", dn, "-san_dnsname", hostname)
 	if err != nil {
 		return fmt.Errorf("error running \"%v -cert -create\": %v %s", ks.command, err, out)
 	}
@@ -203,6 +203,8 @@ func (ks *KeyStore) GetCertificateLabels() ([]string, error) {
 func (ks *KeyStore) RenameCertificate(from, to string) error {
 	if ks.command == "/opt/mqm/bin/runmqakm" {
 		// runmqakm can't handle certs with ' in them so just use capicmd
+		// Overriding gosec here as this function is in an internal package and only callable by our internal functions.
+		// #nosec G204
 		cmd := exec.Command("/opt/mqm/gskit8/bin/gsk8capicmd_64", "-cert", "-rename", "-db", ks.Filename, "-pw", ks.Password, "-label", from, "-new_label", to)
 		cmd.Env = append(os.Environ(), "LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64/:/opt/mqm/gskit8/lib")
 		out, _, err := command.RunCmd(cmd)
@@ -219,7 +221,7 @@ func (ks *KeyStore) RenameCertificate(from, to string) error {
 	return nil
 }
 
-// ListCertificates Lists all certificates in the keystore
+// ListAllCertificates Lists all certificates in the keystore
 func (ks *KeyStore) ListAllCertificates() ([]string, error) {
 	out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
 	if err != nil {

manifests/dockerhub/manifest-9.1.3.yaml

@@ -0,0 +1,28 @@
+# © Copyright IBM Corporation 2019
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+image: ibmcom/mq:9.1.3.0
+manifests:
+  - image: ibmcom/mq:9.1.3.0-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  - image: ibmcom/mq:9.1.3.0-ppc64le
+    platform:
+      architecture: ppc64le
+      os: linux
+  - image: ibmcom/mq:9.1.3.0-s390x
+    platform:
+      architecture: s390x
+      os: linux

manifests/dockerhub/manifest-latest.yaml

@@ -14,15 +14,15 @@
 
 image: ibmcom/mq:latest
 manifests:
-  - image: ibmcom/mq:9.1.2.0-UBI-amd64
+  - image: ibmcom/mq:9.1.3.0-amd64
     platform:
       architecture: amd64
       os: linux
-  - image: ibmcom/mq:9.1.2.0-UBI-ppc64le
+  - image: ibmcom/mq:9.1.3.0-ppc64le
     platform:
       architecture: ppc64le
       os: linux
-  - image: ibmcom/mq:9.1.2.0-UBI-s390x
+  - image: ibmcom/mq:9.1.3.0-s390x
     platform:
       architecture: s390x
       os: linux

manifests/dockerstore/manifest-9.1.3.yaml

@@ -0,0 +1,28 @@
+# © Copyright IBM Corporation 2019
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+image: ibmcorp/mqadvanced-server-dev:9.1.3.0
+manifests:
+  - image: ibmcorp/mqadvanced-server-dev:9.1.3.0-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  - image: ibmcorp/mqadvanced-server-dev:9.1.3.0-ppc64le
+    platform:
+      architecture: ppc64le
+      os: linux
+  - image: ibmcorp/mqadvanced-server-dev:9.1.3.0-s390x
+    platform:
+      architecture: s390x
+      os: linux