[bitnami/ejbca] Release 7.11.0-debian-11-r3 (#22065)

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

bitnami/ejbca/7/debian-11/Dockerfile

@@ -6,7 +6,7 @@ ARG TARGETARCH
 LABEL org.opencontainers.image.authors="https://bitnami.com/contact" \
       org.opencontainers.image.description="Application packaged by Bitnami" \
       org.opencontainers.image.licenses="Apache-2.0" \
-      org.opencontainers.image.ref.name="7.11.0-debian-11-r2" \
+      org.opencontainers.image.ref.name="7.11.0-debian-11-r3" \
       org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/ejbca" \
       org.opencontainers.image.title="ejbca" \
       org.opencontainers.image.vendor="VMware, Inc." \

bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/ejbca-env.sh

@@ -22,6 +22,8 @@ export BITNAMI_DEBUG="${BITNAMI_DEBUG:-false}"
 # By setting an environment variable matching *_FILE to a file path, the prefixed environment
 # variable will be overridden with the value specified in that file
 ejbca_env_vars=(
+    EJBCA_WILDFLY_ADMIN_USER
+    EJBCA_WILDFLY_ADMIN_PASSWORD
     EJBCA_SERVER_CERT_FILE
     EJBCA_SERVER_CERT_PASSWORD
     EJBCA_HTTP_PORT_NUMBER
@@ -58,7 +60,7 @@ unset ejbca_env_vars
 
 # Paths
 export BITNAMI_VOLUME_DIR="/bitnami"
-export EJBCA_BASE_DIR="/opt/bitnami/ejbca"
+export EJBCA_BASE_DIR="${BITNAMI_ROOT_DIR}/ejbca"
 export EJBCA_BIN_DIR="${EJBCA_BASE_DIR}/bin"
 export EJBCA_TMP_DIR="${EJBCA_BASE_DIR}/tmp"
 export EJBCA_INITSCRIPTS_DIR="/docker-entrypoint-initdb.d"
@@ -77,17 +79,19 @@ export EJBCA_DB_SCRIPT_TABLES="${EJBCA_DATABASE_SCRIPTS_DIR}/create-tables-ejbca
 export EJBCA_EAR_FILE="${EJBCA_BASE_DIR}/dist/ejbca.ear"
 
 # Wildfly
-export EJBCA_WILDFLY_BASE_DIR="/opt/bitnami/wildfly"
+export EJBCA_WILDFLY_BASE_DIR="${BITNAMI_ROOT_DIR}/wildfly"
 export EJBCA_WILDFLY_TMP_DIR="${EJBCA_WILDFLY_BASE_DIR}/tmp"
 export EJBCA_WILDFLY_BIN_DIR="${EJBCA_WILDFLY_BASE_DIR}/bin"
+export EJBCA_WILDFLY_CONF_DIR="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration"
 export EJBCA_WILDFLY_PID_DIR="${EJBCA_TMP_DIR}"
 export EJBCA_WILDFLY_PID_FILE="${EJBCA_WILDFLY_PID_DIR}/wildfly.pid"
 export EJBCA_WILDFLY_DEPLOY_DIR="${EJBCA_WILDFLY_BASE_DIR}/standalone/deployments"
-export EJBCA_WILDFLY_ADMIN_USER="admin"
-export EJBCA_WILDFLY_TRUSTSTORE_FILE="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration/truststore.jks"
-export EJBCA_WILDFLY_KEYSTORE_FILE="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration/keystore.jks"
+export EJBCA_WILDFLY_ADMIN_USER="${EJBCA_WILDFLY_ADMIN_USER:-admin}"
+export EJBCA_WILDFLY_ADMIN_PASSWORD="${EJBCA_WILDFLY_ADMIN_PASSWORD:-}"
+export EJBCA_WILDFLY_TRUSTSTORE_FILE="${EJBCA_WILDFLY_CONF_DIR}/truststore.jks"
+export EJBCA_WILDFLY_KEYSTORE_FILE="${EJBCA_WILDFLY_CONF_DIR}/keystore.jks"
 export EJBCA_WILDFLY_STANDALONE_CONF_FILE="${EJBCA_WILDFLY_BIN_DIR}/standalone.conf"
-export EJBCA_WILDFLY_STANDALONE_XML_FILE="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration/standalone.xml"
+export EJBCA_WILDFLY_STANDALONE_XML_FILE="${EJBCA_WILDFLY_CONF_DIR}/standalone.xml"
 
 # Users
 export EJBCA_DAEMON_USER="wildfly"
@@ -127,6 +131,6 @@ export JAVA_HOME="/opt/bitnami/java"
 export JBOSS_HOME="${EJBCA_WILDFLY_BASE_DIR}"
 export LAUNCH_JBOSS_IN_BACKGROUND="true"
 export JBOSS_PIDFILE="${EJBCA_WILDFLY_PID_FILE}"
-export EJBCA_WILDFLY_DATA_TO_PERSIST="${EJBCA_WILDFLY_BASE_DIR}/standalone/configuration,${EJBCA_WILDFLY_ADMIN_PASSWORD_FILE},${EJBCA_WILDFLY_BASE_DIR}/standalone/data,${EJBCA_WILDFLY_KEYSTORE_PASSWORD_FILE},${EJBCA_WILDFLY_TRUSTSTORE_PASSWORD_FILE}"
+export EJBCA_WILDFLY_DATA_TO_PERSIST="${EJBCA_WILDFLY_CONF_DIR},${EJBCA_WILDFLY_ADMIN_PASSWORD_FILE},${EJBCA_WILDFLY_BASE_DIR}/standalone/data,${EJBCA_WILDFLY_KEYSTORE_PASSWORD_FILE},${EJBCA_WILDFLY_TRUSTSTORE_PASSWORD_FILE}"
 
 # Custom environment variables may be defined below

bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/ejbca/postunpack.sh

@@ -12,15 +12,17 @@ set -o pipefail
 . /opt/bitnami/scripts/libfs.sh
 . /opt/bitnami/scripts/libos.sh
 
-
 # Load ejbca environment variables
 . /opt/bitnami/scripts/ejbca-env.sh
 
+ensure_user_exists "$EJBCA_DAEMON_USER" --group "$EJBCA_DAEMON_GROUP" --system
+
 for dir in "$EJBCA_BASE_DIR" "$EJBCA_WILDFLY_BASE_DIR"  "$EJBCA_TMP_DIR" "$EJBCA_VOLUME_DIR" \
            "$EJBCA_WILDFLY_VOLUME_DIR" "${EJBCA_WILDFLY_BASE_DIR}/standalone" \
            "${EJBCA_WILDFLY_BASE_DIR}/domain" "$EJBCA_WILDFLY_TMP_DIR"; do
     ensure_dir_exists "$dir"
     chmod -R g+rwX "$dir"
+    chown -R "${EJBCA_DAEMON_USER}:root" "$dir"
 done
 
 chmod g+rw "$EJBCA_WILDFLY_STANDALONE_CONF_FILE"

bitnami/ejbca/7/debian-11/rootfs/opt/bitnami/scripts/libejbca.sh

@@ -59,6 +59,25 @@ ejbca_validate() {
     [[ "$error_code" -eq 0 ]] || exit "$error_code"
 }
 
+########################
+# Run wildfly CLI and print output
+# Globals:
+#   EJBCA_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+ejbca_wildfly_command_print_output() {
+    local -r cmd="${EJBCA_WILDFLY_BIN_DIR}/jboss-cli.sh"
+    local -r -a args=("--connect" "-u=${EJBCA_WILDFLY_ADMIN_USER}" "-p=${EJBCA_WILDFLY_ADMIN_PASSWORD}" "$@")
+    if am_i_root; then
+        gosu "$EJBCA_DAEMON_USER" "$cmd" "${args[@]}"
+    else
+        "$cmd" "${args[@]}"
+    fi
+}
+
 ########################
 # Run wildfly CLI
 # Globals:
@@ -69,7 +88,7 @@ ejbca_validate() {
 #   None
 #########################
 ejbca_wildfly_command() {
-    "$EJBCA_WILDFLY_BIN_DIR"/jboss-cli.sh --connect -u="$EJBCA_WILDFLY_ADMIN_USER" -p="$EJBCA_WILDFLY_ADMIN_PASSWORD" "$1"
+    debug_execute ejbca_wildfly_command_print_output "$@"
 }
 
 ########################
@@ -82,7 +101,13 @@ ejbca_wildfly_command() {
 #   None
 #########################
 wait_for_wildfly() {
-    retry_while wildfly_not_ready
+    local -r retries="30"
+    local -r sleep_time="5"
+
+    if ! retry_while wildfly_not_ready "$retries" "$sleep_time"; then
+        error "Timeout waiting for Wildfly to be ready"
+        return 1
+    fi
 }
 
 ########################
@@ -97,7 +122,7 @@ wait_for_wildfly() {
 wildfly_not_ready() {
     local status
 
-    status=$(ejbca_wildfly_command ":read-attribute(name=server-state)" | grep "result")
+    status=$(ejbca_wildfly_command_print_output ":read-attribute(name=server-state)" | grep "result")
     [[ "$status" =~ "running" ]] && return 0 || return 1
 }
 
@@ -229,10 +254,10 @@ ejbca_start_wildfly_bg() {
     info "Starting wildfly..."
 
     if ! is_wildfly_running; then
-        if [[ "${BITNAMI_DEBUG:-false}" = true ]]; then
-            "${exec}" "${args[@]}" &
+        if am_i_root; then
+            debug_execute gosu "$EJBCA_DAEMON_USER" "${exec}" "${args[@]}" &
         else
-            "${exec}" "${args[@]}" >/dev/null 2>&1 &
+            debug_execute "${exec}" "${args[@]}" &
         fi
     fi
 }
@@ -270,8 +295,14 @@ ejbca_stop_wildfly() {
 #########################
 ejbca_create_management_user() {
     info "Creating wildfly management user..."
+    local -r cmd="${EJBCA_WILDFLY_BIN_DIR}/add-user.sh"
+    local -r -a args=("-u" "$EJBCA_WILDFLY_ADMIN_USER" "-p" "$EJBCA_WILDFLY_ADMIN_PASSWORD" "-s")
 
-    "$EJBCA_WILDFLY_BIN_DIR"/add-user.sh -u "$EJBCA_WILDFLY_ADMIN_USER" -p "$EJBCA_WILDFLY_ADMIN_PASSWORD" -s
+    if am_i_root; then
+        debug_execute gosu "$EJBCA_DAEMON_USER" "$cmd" "${args[@]}"
+    else
+        debug_execute "$cmd" "${args[@]}"
+    fi
 }
 
 #######################
@@ -286,10 +317,15 @@ ejbca_create_management_user() {
 ejbca_wildfly_deploy() {
     local -r file_to_deploy="${1:?Missing file to deploy}"
     deployed_file="${EJBCA_WILDFLY_DEPLOY_DIR}/$(basename "$file_to_deploy").deployed"
+    local -r retries="30"
+    local -r sleep_time="5"
 
     if [[ ! -f "$deployed_file" ]]; then
         cp "$file_to_deploy" "$EJBCA_WILDFLY_DEPLOY_DIR"/
-        retry_while "ls ${deployed_file}" 2>/dev/null
+        if ! retry_while "test -f ${deployed_file}" "$retries" "$sleep_time" 2>/dev/null; then
+            error "Timeout deploying ${file_to_deploy} to WildFly: File ${deployed_file} was not generated"
+            return 1
+        fi
         info "Deployment done"
     else
         info "Already deployed"
@@ -310,7 +346,10 @@ wait_for_mysql_connection() {
         echo "select 1" | debug_execute mysql -u"$EJBCA_DATABASE_USERNAME" -p"$EJBCA_DATABASE_PASSWORD" -h"$EJBCA_DATABASE_HOST" -P"$EJBCA_DATABASE_PORT" "$EJBCA_DATABASE_NAME"
     }
 
-    retry_while database_not_ready
+    if ! retry_while database_not_ready; then
+        error "Timeout waiting for database to be ready"
+        return 1
+    fi
 }
 
 ########################
@@ -346,7 +385,7 @@ ejbca_generate_ca() {
     local -r instance_hostname="$(hostname --fqdn)"
 
     info "Generating CA"
-    ejbca_ca="$(ejbca_execute_command ca listcas 2>&1)"
+    ejbca_ca="$(ejbca_execute_command_print_output ca listcas 2>&1)"
     if ! grep -q 'CA Name: ' <<<"$ejbca_ca"; then
         info "Init CA"
         ejbca_execute_command ca init \
@@ -371,7 +410,7 @@ ejbca_generate_ca() {
             --password "$EJBCA_ADMIN_PASSWORD"
     fi
 
-    ejbca_ca="$(ejbca_execute_command ca listcas 2>&1)"
+    ejbca_ca="$(ejbca_execute_command_print_output ca listcas 2>&1)"
     if grep -q "CA Name: $EJBCA_CA_NAME" <<<"$ejbca_ca"; then
         existing_management_ca="$(grep "CA Name: $EJBCA_CA_NAME" <<<"$ejbca_ca" | sed 's/.*CA Name: //g')"
 
@@ -422,6 +461,23 @@ ejbca_generate_ca() {
     fi
 }
 
+########################
+# EJBCA CLI and print output
+# Globals:
+#   EJBCA_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+ejbca_execute_command_print_output() {
+    if am_i_root; then
+        gosu "$EJBCA_DAEMON_USER" "$EJBCA_BIN_DIR"/ejbca.sh "$@" 2>&1
+    else
+        "$EJBCA_BIN_DIR"/ejbca.sh "$@" 2>&1
+    fi
+}
+
 ########################
 # EJBCA CLI
 # Globals:
@@ -432,7 +488,7 @@ ejbca_generate_ca() {
 #   None
 #########################
 ejbca_execute_command() {
-    "$EJBCA_BIN_DIR"/ejbca.sh "$@" 2>&1
+    debug_execute ejbca_execute_command_print_output "$@"
 }
 
 ########################
@@ -463,7 +519,7 @@ ejbca_create_truststore() {
     local ca_list
 
     info "Load the CAs in the trustkeystore"
-    ejbca_ca="$(ejbca_execute_command ca listcas 2>&1)"
+    ejbca_ca="$(ejbca_execute_command_print_output ca listcas 2>&1)"
     if grep -q 'CA Name: ' <<<"$ejbca_ca"; then
         ca_list=("$(grep 'CA Name: ' <<<"$ejbca_ca" | sed 's/.*CA Name: //g')")
         for line in "${ca_list[@]}"; do
@@ -498,7 +554,7 @@ ejbca_custom_init_scripts() {
     if [[ -n $(find "${EJBCA_INITSCRIPTS_DIR}/" -type f -regex ".*\.sh") ]]; then
         info "Loading user's custom files from $EJBCA_INITSCRIPTS_DIR ..."
         local -r tmp_file="/tmp/filelist"
-        ejbca_start_bg
+        ejbca_start_wildfly_bg
         find "${EJBCA_INITSCRIPTS_DIR}/" -type f -regex ".*\.sh" | sort >"$tmp_file"
         while read -r f; do
             case "$f" in
@@ -552,8 +608,8 @@ ejbca_initialize() {
     info "Initializing EJBCA..."
 
     # Configuring permissions for tmp, logs and data folders
-    am_i_root && configure_permissions_ownership "$EJBCA_TMP_DIR $EJBCA_LOG_DIR" -u "$EJBCA_DAEMON_USER" -g "$EJBCA_DAEMON_GROUP"
-    am_i_root && configure_permissions_ownership "$EJBCA_DATA_DIR" -u "$EJBCA_DAEMON_USER" -g "$EJBCA_DAEMON_GROUP" -d "755" -f "644"
+    am_i_root && configure_permissions_ownership "$EJBCA_TMP_DIR" -u "$EJBCA_DAEMON_USER" -g "$EJBCA_DAEMON_GROUP"
+    am_i_root && configure_permissions_ownership "$EJBCA_DATA_DIR" -u "$EJBCA_DAEMON_USER" -g "$EJBCA_DAEMON_GROUP"
 
     # Note we need to use wildfly instead of ejbca as directory since the persist_app function relativizes them to /opt/bitnami/wildfly
     if ! is_app_initialized "wildfly"; then
@@ -654,3 +710,27 @@ is_wildfly_running() {
         false
     fi
 }
+
+########################
+# Check if WildFly is not running
+# Arguments:
+#   None
+# Returns:
+#   Boolean
+#########################
+is_wildfly_not_running() {
+    ! is_wildfly_running
+}
+
+########################
+# Stop WildFly
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+wildfly_stop() {
+    is_wildfly_not_running && return
+    info "Stopping ejbca"
+    stop_service_using_pid "$EJBCA_WILDFLY_PID_FILE"
+}