diff --git a/bitnami/ejbca/7/debian-11/Dockerfile b/bitnami/ejbca/7/debian-11/Dockerfile
index 5dee2b2ac9b5..7800266eedf3 100644
--- a/bitnami/ejbca/7/debian-11/Dockerfile
+++ b/bitnami/ejbca/7/debian-11/Dockerfile
@@ -6,7 +6,7 @@ ARG TARGETARCH
 LABEL org.opencontainers.image.authors="https://bitnami.com/contact" \
 org.opencontainers.image.description="Application packaged by Bitnami" \
 org.opencontainers.image.licenses="Apache-2.0" \
- org.opencontainers.image.ref.name="7.11.0-debian-11-r2" \
+ org.opencontainers.image.ref.name="7.11.0-debian-11-r3" \
 org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/ejbca" \
 org.opencontainers.image.title="ejbca" \
 org.opencontainers.image.vendor="VMware, Inc." \
diff --git a/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/ejbca-env.sh b/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/ejbca-env.sh
index 0e2948c6ebaf..07087020b4c0 100644
--- a/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/ejbca-env.sh
+++ b/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/ejbca-env.sh
@@ -22,6 +22,8 @@ export BITNAMI_DEBUG="${BITNAMI_DEBUG:-false}"
 # By setting an environment variable matching *_FILE to a file path, the prefixed environment
 # variable will be overridden with the value specified in that file
 ejbca_env_vars=(
+ EJBCA_WILDFLY_ADMIN_USER
+ EJBCA_WILDFLY_ADMIN_PASSWORD
 EJBCA_SERVER_CERT_FILE
 EJBCA_SERVER_CERT_PASSWORD
 EJBCA_HTTP_PORT_NUMBER
@@ -58,7 +60,7 @@ unset ejbca_env_vars
 # Paths
 export BITNAMI_VOLUME_DIR="/bitnami"
-export EJBCA_BASE_DIR="/opt/bitnami/ejbca"
+export EJBCA_BASE_DIR="${BITNAMI_ROOT_DIR}/ejbca"
 export EJBCA_BIN_DIR="${EJBCA_BASE_DIR}/bin"
 export EJBCA_TMP_DIR="${EJBCA_BASE_DIR}/tmp"
 export EJBCA_INITSCRIPTS_DIR="/docker-entrypoint-initdb.d"
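Review bot: `export EJBCA_BASE_DIR="${BITNAMI_ROOT_DIR}/ejbca"` (and `EJBCA_WILDFLY_BASE_DIR` in the @@ -77 hunk) now depends on BITNAMI_ROOT_DIR being exported before ejbca-env.sh is sourced; nothing in this hunk defaults it, so an unset value silently yields `/ejbca`. If the variable is not guaranteed by whatever sources this file (not visible here), `export EJBCA_BASE_DIR="${BITNAMI_ROOT_DIR:-/opt/bitnami}/ejbca"` preserves the previous path. The @@ -127 hunk still carries `export JAVA_HOME="/opt/bitnami/java"` hard-coded, which is inconsistent with this change.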
@@ -77,17 +79,19 @@ export EJBCA_DB_SCRIPT_TABLES="${EJBCA_DATABASE_SCRIPTS_DIR}/create-tables-ejbca
 export EJBCA_EAR_FILE="${EJBCA_BASE_DIR}/dist/ejbca.ear"
 # Wildfly
-export EJBCA_WILDFLY_BASE_DIR="/opt/bitnami/wildfly"
+export EJBCA_WILDFLY_BASE_DIR="${BITNAMI_ROOT_DIR}/wildfly"
 export EJBCA_WILDFLY_TMP_DIR="${EJBCA_WILDFLY_BASE_DIR}/tmp"
 export EJBCA_WILDFLY_BIN_DIR="${EJBCA_WILDFLY_BASE_DIR}/bin"
+export EJBCA_WILDFLY_CONF_DIR="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration"
 export EJBCA_WILDFLY_PID_DIR="${EJBCA_TMP_DIR}"
 export EJBCA_WILDFLY_PID_FILE="${EJBCA_WILDFLY_PID_DIR}/wildfly.pid"
 export EJBCA_WILDFLY_DEPLOY_DIR="${EJBCA_WILDFLY_BASE_DIR}/standalone/deployments"
-export EJBCA_WILDFLY_ADMIN_USER="admin"
-export EJBCA_WILDFLY_TRUSTSTORE_FILE="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration/truststore.jks"
-export EJBCA_WILDFLY_KEYSTORE_FILE="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration/keystore.jks"
+export EJBCA_WILDFLY_ADMIN_USER="${EJBCA_WILDFLY_ADMIN_USER:-admin}"
+export EJBCA_WILDFLY_ADMIN_PASSWORD="${EJBCA_WILDFLY_ADMIN_PASSWORD:-}"
+export EJBCA_WILDFLY_TRUSTSTORE_FILE="${EJBCA_WILDFLY_CONF_DIR}/truststore.jks"
+export EJBCA_WILDFLY_KEYSTORE_FILE="${EJBCA_WILDFLY_CONF_DIR}/keystore.jks"
 export EJBCA_WILDFLY_STANDALONE_CONF_FILE="${EJBCA_WILDFLY_BIN_DIR}/standalone.conf"
-export EJBCA_WILDFLY_STANDALONE_XML_FILE="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration/standalone.xml"
+export EJBCA_WILDFLY_STANDALONE_XML_FILE="${EJBCA_WILDFLY_CONF_DIR}/standalone.xml"
 # Users
 export EJBCA_DAEMON_USER="wildfly"
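Review bot: `export EJBCA_WILDFLY_ADMIN_PASSWORD="${EJBCA_WILDFLY_ADMIN_PASSWORD:-}"` turns the WildFly management password into a user-supplied value with an empty default, and the add-user.sh and jboss-cli calls in libejbca.sh pass it through unchanged. An empty management password should be rejected by `ejbca_validate` (only its tail is visible in this diff), or this line needs a comment stating that a value is generated elsewhere when it is empty; EJBCA_WILDFLY_ADMIN_PASSWORD_FILE appearing in EJBCA_WILDFLY_DATA_TO_PERSIST suggests a generated value is stored on disk, but that code path is not in the diff. Now that the variable is listed in ejbca_env_vars, a comment next to it pointing users at the `*_FILE` indirection would steer deployments away from putting the secret in the plain environment.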
@@ -127,6 +131,6 @@ export JAVA_HOME="/opt/bitnami/java"
 export JBOSS_HOME="${EJBCA_WILDFLY_BASE_DIR}"
 export LAUNCH_JBOSS_IN_BACKGROUND="true"
 export JBOSS_PIDFILE="${EJBCA_WILDFLY_PID_FILE}"
-export EJBCA_WILDFLY_DATA_TO_PERSIST="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration,${EJBCA_WILDFLY_ADMIN_PASSWORD_FILE},${EJBCA_WILDFLY_BASE_DIR}/standalone/data,${EJBCA_WILDFLY_KEYSTORE_PASSWORD_FILE},${EJBCA_WILDFLY_TRUSTSTORE_PASSWORD_FILE}"
+export EJBCA_WILDFLY_DATA_TO_PERSIST="${EJBCA_WILDFLY_CONF_DIR},${EJBCA_WILDFLY_ADMIN_PASSWORD_FILE},${EJBCA_WILDFLY_BASE_DIR}/standalone/data,${EJBCA_WILDFLY_KEYSTORE_PASSWORD_FILE},${EJBCA_WILDFLY_TRUSTSTORE_PASSWORD_FILE}"
 # Custom environment variables may be defined below
diff --git a/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/ejbca/postunpack.sh b/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/ejbca/postunpack.sh
index 2998b67231a6..bd847d70782e 100755
--- a/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/ejbca/postunpack.sh
+++ b/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/ejbca/postunpack.sh
@@ -12,15 +12,17 @@ set -o pipefail
 . /opt/bitnami/scripts/libfs.sh
 . /opt/bitnami/scripts/libos.sh
-
 # Load ejbca environment variables
 . /opt/bitnami/scripts/ejbca-env.sh
+ensure_user_exists "$EJBCA_DAEMON_USER" --group "$EJBCA_DAEMON_GROUP" --system
+
 for dir in "$EJBCA_BASE_DIR" "$EJBCA_WILDFLY_BASE_DIR" "$EJBCA_TMP_DIR" "$EJBCA_VOLUME_DIR" \
 "$EJBCA_WILDFLY_VOLUME_DIR" "${EJBCA_WILDFLY_BASE_DIR}/standalone" \
 "${EJBCA_WILDFLY_BASE_DIR}/domain" "$EJBCA_WILDFLY_TMP_DIR"; do
 ensure_dir_exists "$dir"
 chmod -R g+rwX "$dir"
+ chown -R "${EJBCA_DAEMON_USER}:root" "$dir"
 done
 chmod g+rw "$EJBCA_WILDFLY_STANDALONE_CONF_FILE"
diff --git a/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/libejbca.sh b/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/libejbca.sh
index 657ee3904541..7f7edb8d742a 100644
--- a/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/libejbca.sh
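Review bot: `chown -R "${EJBCA_DAEMON_USER}:root" "$dir"` in postunpack.sh hands ownership of the whole of `$EJBCA_WILDFLY_BASE_DIR` and `$EJBCA_BASE_DIR` — including `bin/` (jboss-cli.sh, add-user.sh, standalone.conf) and the shipped modules — to the account WildFly later runs as, on top of the existing `chmod -R g+rwX`. That lets the service account rewrite its own launch scripts and code, which is more than the runtime needs; if only mutable state must be writable, limit the chown to the directories written at runtime (`standalone`, `tmp`, the volume dirs) and keep the install tree root-owned. The group is also hard-coded to `root` while the user was just created with `--group "$EJBCA_DAEMON_GROUP"`; if the intent is the arbitrary-UID/GID-0 container pattern, a one-line comment saying so would spare the next reader the question.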
+++ b/bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/libejbca.sh
@@ -59,6 +59,25 @@ ejbca_validate() {
 [[ "$error_code" -eq 0 ]] || exit "$error_code"
 }
+########################
+# Run wildfly CLI and print output
+# Globals:
+# EJBCA_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+ejbca_wildfly_command_print_output() {
+ local -r cmd="${EJBCA_WILDFLY_BIN_DIR}/jboss-cli.sh"
+ local -r -a args=("--connect" "-u=${EJBCA_WILDFLY_ADMIN_USER}" "-p=${EJBCA_WILDFLY_ADMIN_PASSWORD}" "$@")
+ if am_i_root; then
+ gosu "$EJBCA_DAEMON_USER" "$cmd" "${args[@]}"
+ else
+ "$cmd" "${args[@]}"
+ fi
+}
+
 ########################
 # Run wildfly CLI
 # Globals:
@@ -69,7 +88,7 @@ ejbca_validate() {
 # None
 #########################
 ejbca_wildfly_command() {
- "$EJBCA_WILDFLY_BIN_DIR"/jboss-cli.sh --connect -u="$EJBCA_WILDFLY_ADMIN_USER" -p="$EJBCA_WILDFLY_ADMIN_PASSWORD" "$1"
+ debug_execute ejbca_wildfly_command_print_output "$@"
 }
 ########################
@@ -82,7 +101,13 @@ ejbca_wildfly_command() {
 # None
 #########################
 wait_for_wildfly() {
- retry_while wildfly_not_ready
+ local -r retries="30"
+ local -r sleep_time="5"
+
+ if ! retry_while wildfly_not_ready "$retries" "$sleep_time"; then
+ error "Timeout waiting for Wildfly to be ready"
+ return 1
+ fi
 }
 ########################
@@ -97,7 +122,7 @@ wait_for_wildfly() {
 wildfly_not_ready() {
 local status
- status=$(ejbca_wildfly_command ":read-attribute(name=server-state)" | grep "result")
+ status=$(ejbca_wildfly_command_print_output ":read-attribute(name=server-state)" | grep "result")
 [[ "$status" =~ "running" ]] && return 0 || return 1
 }
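Review bot: The header of `ejbca_wildfly_command_print_output` says `# Arguments:` / `# None`, but the body appends `"$@"` to the jboss-cli argument list, so the caller's CLI operations are its arguments; `#   $@ - jboss-cli operations/options, appended after --connect and the credentials` would be accurate, and the same copy-pasted header sits on `ejbca_execute_command_print_output` in the @@ -422 hunk. Separately, `"-p=${EJBCA_WILDFLY_ADMIN_PASSWORD}"` here (and `"-p" "$EJBCA_WILDFLY_ADMIN_PASSWORD"` for add-user.sh in the @@ -270 hunk) places the management password on the command line, where any process able to read the process list can see it for the duration of the call. That was already true of the old `ejbca_wildfly_command`, so it is not a regression, but since this refactor centralises the invocation it is the natural place to switch to a non-argv credential channel if the tooling offers one, or at least to document the exposure above the `args` line.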
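Review bot: `wildfly_not_ready` returns 0 when `status` matches `running` and 1 otherwise, which is the opposite of what its name says; it only works because `retry_while` (not in this diff) appears to retry until the command succeeds. Renaming it `wildfly_ready`, with the matching change to `retry_while wildfly_not_ready "$retries" "$sleep_time"` in the @@ -82 hunk, would make `wait_for_wildfly` read as written. The `| grep "result"` stage also discards the CLI's exit status, so a refused connection and a non-running server state are indistinguishable here; acceptable for a readiness probe, but worth a comment such as `# any CLI failure reads as "not ready"; the caller bounds the wait`.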
@@ -229,10 +254,10 @@ ejbca_start_wildfly_bg() {
 info "Starting wildfly..."
 if ! is_wildfly_running; then
- if [[ "${BITNAMI_DEBUG:-false}" = true ]]; then
- "${exec}" "${args[@]}" &
+ if am_i_root; then
+ debug_execute gosu "$EJBCA_DAEMON_USER" "${exec}" "${args[@]}" &
 else
- "${exec}" "${args[@]}" >/dev/null 2>&1 &
+ debug_execute "${exec}" "${args[@]}" &
 fi
 fi
 }
@@ -270,8 +295,14 @@ ejbca_stop_wildfly() {
 #########################
 ejbca_create_management_user() {
 info "Creating wildfly management user..."
+ local -r cmd="${EJBCA_WILDFLY_BIN_DIR}/add-user.sh"
+ local -r -a args=("-u" "$EJBCA_WILDFLY_ADMIN_USER" "-p" "$EJBCA_WILDFLY_ADMIN_PASSWORD" "-s")
- "$EJBCA_WILDFLY_BIN_DIR"/add-user.sh -u "$EJBCA_WILDFLY_ADMIN_USER" -p "$EJBCA_WILDFLY_ADMIN_PASSWORD" -s
+ if am_i_root; then
+ debug_execute gosu "$EJBCA_DAEMON_USER" "$cmd" "${args[@]}"
+ else
+ debug_execute "$cmd" "${args[@]}"
+ fi
 }
 #######################
@@ -286,10 +317,15 @@ ejbca_create_management_user() {
 ejbca_wildfly_deploy() {
 local -r file_to_deploy="${1:?Missing file to deploy}"
 deployed_file="${EJBCA_WILDFLY_DEPLOY_DIR}/$(basename "$file_to_deploy").deployed"
+ local -r retries="30"
+ local -r sleep_time="5"
 if [[ ! -f "$deployed_file" ]]; then
 cp "$file_to_deploy" "$EJBCA_WILDFLY_DEPLOY_DIR"/
- retry_while "ls ${deployed_file}" 2>/dev/null
+ if ! retry_while "test -f ${deployed_file}" "$retries" "$sleep_time" 2>/dev/null; then
+ error "Timeout deploying ${file_to_deploy} to WildFly: File ${deployed_file} was not generated"
+ return 1
+ fi
 info "Deployment done"
 else
 info "Already deployed"
@@ -310,7 +346,10 @@ wait_for_mysql_connection() {
 echo "select 1" | debug_execute mysql -u"$EJBCA_DATABASE_USERNAME" -p"$EJBCA_DATABASE_PASSWORD" -h"$EJBCA_DATABASE_HOST" -P"$EJBCA_DATABASE_PORT" "$EJBCA_DATABASE_NAME"
 }
- retry_while database_not_ready
+ if ! retry_while database_not_ready; then
+ error "Timeout waiting for database to be ready"
+ return 1
+ fi
 }
 ########################
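Review bot: `retry_while "test -f ${deployed_file}" "$retries" "$sleep_time"` waits the full 30×5 s even when the deployment scanner has already rejected the archive, and the path is handed over inside a string that retry_while has to word-split, so a `$EJBCA_WILDFLY_DEPLOY_DIR` containing whitespace breaks the probe (the old `ls ${deployed_file}` had the same weakness). WildFly's scanner writes a `<name>.failed` marker beside the `.deployed` one when a deployment fails; polling for either marker and then checking which one appeared lets the function fail fast with the real cause instead of reporting a timeout. Using a small local probe function also keeps the path quoted end to end. ejbca_wildfly_deploy continues past the end of this hunk.
```shell
ejbca_wildfly_deploy() {
    # … unchanged: file_to_deploy, deployed_file, retries, sleep_time …
    local -r failed_file="${deployed_file%.deployed}.failed"

    # Succeeds as soon as the scanner has written either marker; the caller checks which one
    _deployment_marker_present() {
        [[ -f "$deployed_file" || -f "$failed_file" ]]
    }

    if [[ ! -f "$deployed_file" ]]; then
        cp "$file_to_deploy" "$EJBCA_WILDFLY_DEPLOY_DIR"/
        if ! retry_while _deployment_marker_present "$retries" "$sleep_time"; then
            error "Timeout deploying ${file_to_deploy} to WildFly: File ${deployed_file} was not generated"
            return 1
        fi
        if [[ -f "$failed_file" ]]; then
            error "Deployment of ${file_to_deploy} failed, see ${failed_file}"
            return 1
        fi
        # … unchanged: info "Deployment done" and the else branch …
```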
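Review bot: `retry_while database_not_ready` is left on retry_while's built-in defaults while the new waits in `wait_for_wildfly` and `ejbca_wildfly_deploy` pin `retries="30"` / `sleep_time="5"`, so the three timeouts introduced or touched by this commit are not consistent and two of them duplicate the same literals. Lifting the retry count and sleep into ejbca-env.sh and reading them in all three places would make the behaviour tunable from one spot and keep the database wait in step with the others. The enclosing `wait_for_mysql_connection` starts before this hunk.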
@@ -346,7 +385,7 @@ ejbca_generate_ca() {
 local -r instance_hostname="$(hostname --fqdn)"
 info "Generating CA"
- ejbca_ca="$(ejbca_execute_command ca listcas 2>&1)"
+ ejbca_ca="$(ejbca_execute_command_print_output ca listcas 2>&1)"
 if ! grep -q 'CA Name: ' <<<"$ejbca_ca"; then
 info "Init CA"
 ejbca_execute_command ca init \
@@ -371,7 +410,7 @@ ejbca_generate_ca() {
 --password "$EJBCA_ADMIN_PASSWORD"
 fi
- ejbca_ca="$(ejbca_execute_command ca listcas 2>&1)"
+ ejbca_ca="$(ejbca_execute_command_print_output ca listcas 2>&1)"
 if grep -q "CA Name: $EJBCA_CA_NAME" <<<"$ejbca_ca"; then
 existing_management_ca="$(grep "CA Name: $EJBCA_CA_NAME" <<<"$ejbca_ca" | sed 's/.*CA Name: //g')"
@@ -422,6 +461,23 @@ ejbca_generate_ca() {
 fi
 }
+########################
+# EJBCA CLI and print output
+# Globals:
+# EJBCA_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+ejbca_execute_command_print_output() {
+ if am_i_root; then
+ gosu "$EJBCA_DAEMON_USER" "$EJBCA_BIN_DIR"/ejbca.sh "$@" 2>&1
+ else
+ "$EJBCA_BIN_DIR"/ejbca.sh "$@" 2>&1
+ fi
+}
+
 ########################
 # EJBCA CLI
 # Globals:
@@ -432,7 +488,7 @@ ejbca_generate_ca() {
 # None
 #########################
 ejbca_execute_command() {
- "$EJBCA_BIN_DIR"/ejbca.sh "$@" 2>&1
+ debug_execute ejbca_execute_command_print_output "$@"
 }
 ########################
@@ -463,7 +519,7 @@ ejbca_create_truststore() {
 local ca_list
 info "Load the CAs in the trustkeystore"
- ejbca_ca="$(ejbca_execute_command ca listcas 2>&1)"
+ ejbca_ca="$(ejbca_execute_command_print_output ca listcas 2>&1)"
 if grep -q 'CA Name: ' <<<"$ejbca_ca"; then
 ca_list=("$(grep 'CA Name: ' <<<"$ejbca_ca" | sed 's/.*CA Name: //g')")
 for line in "${ca_list[@]}"; do
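Review bot: The `2>&1` inside `ejbca_ca="$(ejbca_execute_command_print_output ca listcas 2>&1)"` is now redundant, because the helper added in the @@ -422 hunk already merges stderr into stdout; the same applies to the identical assignments in the @@ -371 and @@ -463 hunks. A consequence of that merge is that any ejbca.sh error text lands in `$ejbca_ca` and is then parsed as if it were CA output, so the following `grep -q 'CA Name: '` is the only thing standing between a failed CLI call and a spurious "Init CA"; a comment such as `# stderr is merged into this output, so a failed call shows up as "no CA" here` would make that explicit. ejbca_generate_ca starts before this hunk and continues after it.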
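Review bot: `grep -q "CA Name: $EJBCA_CA_NAME" <<<"$ejbca_ca"` in the @@ -371 hunk, and the `grep "CA Name: $EJBCA_CA_NAME"` on the line after it, interpolate the configured CA name into a regular expression, so a name containing `.`, `*`, `[` or a backslash can match a different CA or fail to match its own. `grep -qF -- "CA Name: $EJBCA_CA_NAME" <<<"$ejbca_ca"` matches it literally, and the same `-F --` belongs on the extraction grep. This is pre-existing context rather than new code, but the hunk rewrites the line that feeds both greps. ejbca_generate_ca continues outside this hunk.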
@@ -498,7 +554,7 @@ ejbca_custom_init_scripts() {
 if [[ -n $(find "${EJBCA_INITSCRIPTS_DIR}/" -type f -regex ".*\.sh") ]]; then
 info "Loading user's custom files from $EJBCA_INITSCRIPTS_DIR ..."
 local -r tmp_file="/tmp/filelist"
- ejbca_start_bg
+ ejbca_start_wildfly_bg
 find "${EJBCA_INITSCRIPTS_DIR}/" -type f -regex ".*\.sh" | sort >"$tmp_file"
 while read -r f; do
 case "$f" in
@@ -552,8 +608,8 @@ ejbca_initialize() {
 info "Initializing EJBCA..."
 # Configuring permissions for tmp, logs and data folders
- am_i_root && configure_permissions_ownership "$EJBCA_TMP_DIR $EJBCA_LOG_DIR" -u "$EJBCA_DAEMON_USER" -g "$EJBCA_DAEMON_GROUP"
- am_i_root && configure_permissions_ownership "$EJBCA_DATA_DIR" -u "$EJBCA_DAEMON_USER" -g "$EJBCA_DAEMON_GROUP" -d "755" -f "644"
+ am_i_root && configure_permissions_ownership "$EJBCA_TMP_DIR" -u "$EJBCA_DAEMON_USER" -g "$EJBCA_DAEMON_GROUP"
+ am_i_root && configure_permissions_ownership "$EJBCA_DATA_DIR" -u "$EJBCA_DAEMON_USER" -g "$EJBCA_DAEMON_GROUP"
 # Note we need to use wildfly instead of ejbca as directory since the persist_app function relativizes them to /opt/bitnami/wildfly
 if ! is_app_initialized "wildfly"; then
@@ -654,3 +710,27 @@ is_wildfly_running() {
 false
 fi
 }
+
+########################
+# Check if WildFly is not running
+# Arguments:
+# None
+# Returns:
+# Boolean
+#########################
+is_wildfly_not_running() {
+ ! is_wildfly_running
+}
+
+########################
+# Stop WildFly
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+wildfly_stop() {
+ is_wildfly_not_running && return
+ info "Stopping ejbca"
+ stop_service_using_pid "$EJBCA_WILDFLY_PID_FILE"
+}
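Review bot: `ejbca_custom_init_scripts` still writes its script list to the fixed path `local -r tmp_file="/tmp/filelist"` (the context line just above the renamed `ejbca_start_wildfly_bg` call); when this runs as root, `sort >"$tmp_file"` follows whatever already exists at that name. `tmp_file="$(mktemp)"` with an `rm -f -- "$tmp_file"` afterwards removes the fixed name, and the list could equally be consumed without a temp file via `while read -r f; do …; done < <(find "${EJBCA_INITSCRIPTS_DIR}/" -type f -regex ".*\.sh" | sort)`. This is pre-existing, but the hunk already touches the function so it is a cheap fix to fold in. The function starts before and ends after this hunk.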
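Review bot: The new `configure_permissions_ownership "$EJBCA_TMP_DIR" ...` drops `$EJBCA_LOG_DIR` from the call and the data-dir call loses `-d "755" -f "644"`, yet the comment above still reads "tmp, logs and data folders" and nothing in this diff shows where the log directory's ownership is handled now (postunpack.sh only chowns the base, tmp, volume and standalone/domain trees). If the log dir lives under one of those trees, the comment should say so; otherwise it still needs ownership set before WildFly starts as `$EJBCA_DAEMON_USER`. Without `-d/-f` the data dir now takes configure_permissions_ownership's defaults, which are not visible here — worth confirming they are no more permissive than the 755/644 that was set explicitly before. ejbca_initialize continues outside this hunk.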
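Review bot: `wildfly_stop` duplicates the existing `ejbca_stop_wildfly` (visible as the hunk context header at @@ -270) and its log line `info "Stopping ejbca"` names the wrong component for a function that stops WildFly; two stop paths with different names acting on the same PID file invite one of them to drift. Either have one delegate to the other, or drop the new function if `is_wildfly_not_running` was the only new need. The header should also list the global it reads, `# Globals:` / `#   EJBCA_WILDFLY_PID_FILE`, to match the other headers in this file.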