[bitnami/neo4j] Release 4.4.34-debian-12-r3 (#68734)

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

bitnami/neo4j/4/debian-12/Dockerfile

@@ -8,11 +8,11 @@ ARG TARGETARCH
 
 LABEL com.vmware.cp.artifact.flavor="sha256:c50c90cfd9d12b445b011e6ad529f1ad3daea45c26d20b00732fae3cd71f6a83" \
       org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \
-      org.opencontainers.image.created="2024-06-29T14:38:17Z" \
+      org.opencontainers.image.created="2024-07-03T11:01:34Z" \
       org.opencontainers.image.description="Application packaged by Broadcom, Inc." \
       org.opencontainers.image.documentation="https://github.com/bitnami/containers/tree/main/bitnami/neo4j/README.md" \
       org.opencontainers.image.licenses="Apache-2.0" \
-      org.opencontainers.image.ref.name="4.4.34-debian-12-r2" \
+      org.opencontainers.image.ref.name="4.4.34-debian-12-r3" \
       org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/neo4j" \
       org.opencontainers.image.title="neo4j" \
       org.opencontainers.image.vendor="Broadcom, Inc." \

bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/libneo4j.sh

@@ -169,6 +169,32 @@ neo4j_conf_set() {
         echo "$entry" >>"$file"
     fi
 }
+
+########################
+# Set the initial password of the native user 'neo4j'
+# Globals:
+#   NEO4J_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+neo4j_create_admin_user() {
+    ## Set initial password
+    ## Source: https://neo4j.com/docs/operations-manual/current/configuration/set-initial-password/
+    info "Configuring initial password"
+    local -a neo4j_admin_args=("set-initial-password")
+    if [ "$(get_neo4j_major_version)" -ge 5 ]; then
+        neo4j_admin_args=("dbms" "set-initial-password")
+    fi
+
+    if am_i_root; then
+        debug_execute run_as_user "$NEO4J_DAEMON_USER" neo4j-admin "${neo4j_admin_args[@]}" "$NEO4J_PASSWORD"
+    else
+        debug_execute neo4j-admin "${neo4j_admin_args[@]}" "$NEO4J_PASSWORD"
+    fi
+}
+
 #########################
 # Initialize NEO4J
 # Globals:
@@ -183,24 +209,15 @@ neo4j_initialize() {
     ## The logic in this function is based on the sections here https://neo4j.com/docs/operations-manual/current/configuration/
     info "Initializing Neo4j ..."
 
-    find "${NEO4J_TMP_DIR}" -type f -name "neo4j*.pid" -delete
+    find "${NEO4J_RUN_DIR}" -type f -name "neo4j*.pid" -delete
     find "${NEO4J_LOGS_DIR}" -type f -name "neo4j*.log" -delete
 
-    ## Configure permissions for read-write directories
-    ## Source: https://neo4j.com/docs/operations-manual/current/configuration/file-locations/#file-locations-permissions
-    info "Configuring file permissions for Neo4j"
-    if am_i_root; then
-        for dir in "$NEO4J_LOGS_DIR" "$NEO4J_DATA_DIR" "$NEO4J_TMP_DIR" "$NEO4J_METRICS_DIR"; do
-            configure_permissions_ownership "$dir" -u "$NEO4J_DAEMON_USER" -g "$NEO4J_DAEMON_GROUP" -d 755 -f 644
-        done
-    fi
-
-    if ! is_dir_empty "$NEO4J_MOUNTED_CONF_DIR"; then
+    if ! is_mounted_dir_empty "$NEO4J_MOUNTED_CONF_DIR"; then
         info "Copying mounted configuration"
         cp -Lr "${NEO4J_MOUNTED_CONF_DIR}/." "$NEO4J_CONF_DIR"
     fi
 
-    if ! is_dir_empty "$NEO4J_MOUNTED_PLUGINS_DIR"; then
+    if ! is_mounted_dir_empty "$NEO4J_MOUNTED_PLUGINS_DIR"; then
         info "Copying mounted plugins"
         cp -Lr "${NEO4J_MOUNTED_PLUGINS_DIR}/." "$NEO4J_PLUGINS_DIR"
     fi
@@ -221,23 +238,28 @@ neo4j_initialize() {
         info "Found mounted apoc.conf file in ${NEO4J_MOUNTED_CONF_DIR}/apoc.conf. The APOC plugin configuration will be skipped"
     fi
 
-    if is_dir_empty "$NEO4J_DATA_DIR"; then
+    local -r app_name="neo4j"
+    if ! is_app_initialized "$app_name"; then
         info "Deploying Neo4j from scratch"
-        ## Set initial password
-        ## Source: https://neo4j.com/docs/operations-manual/current/configuration/set-initial-password/
-        info "Configuring initial password"
-        local -a neo4j_admin_args=("set-initial-password")
-        if [ "$(get_neo4j_major_version)" -ge 5 ]; then
-            neo4j_admin_args=("dbms" "set-initial-password")
-        fi
-        if am_i_root; then
-            debug_execute run_as_user "$NEO4J_DAEMON_USER" neo4j-admin "${neo4j_admin_args[@]}" "$NEO4J_PASSWORD"
-        else
-            debug_execute neo4j-admin "${neo4j_admin_args[@]}" "$NEO4J_PASSWORD"
-        fi
+        neo4j_create_admin_user
     else
         info "Deploying Neo4j with persisted data"
     fi
+
+    # When running as 'root' user, ensure the Neo4j user has ownership and minimum permissions are set
+    if am_i_root; then
+        info "Configuring file permissions for Neo4j"
+        ## Directories that should have read-only permissions
+        for dir in "$NEO4J_IMPORT_DIR" "${NEO4J_BASE_DIR}/lib" "$NEO4J_CERTIFICATES_DIR" "$NEO4J_MOUNTED_CONF_DIR" "$NEO4J_MOUNTED_PLUGINS_DIR" "$NEO4J_INITSCRIPTS_DIR" "$NEO4J_PLUGINS_DIR" "$NEO4J_CONF_DIR"; do
+            ensure_dir_exists "$dir"
+            configure_permissions_ownership "$dir" -u "$NEO4J_DAEMON_USER" -g "$NEO4J_DAEMON_GROUP" -d 500 -f 400
+        done
+        ## Directories that should have write permissions
+        for dir in "$NEO4J_LOGS_DIR" "$NEO4J_DATA_DIR" "$NEO4J_RUN_DIR" "$NEO4J_METRICS_DIR"; do
+            ensure_dir_exists "$dir"
+            configure_permissions_ownership "$dir" -u "$NEO4J_DAEMON_USER" -g "$NEO4J_DAEMON_GROUP" -d 700 -f 600
+        done
+    fi
 }
 
 ########################
@@ -304,20 +326,40 @@ configure_neo4j_connector_settings() {
     if [ "$neo4j_major_version" -eq 4 ]; then
         ## Connector configuration
         ## Source: https://neo4j.com/docs/operations-manual/current/configuration/connectors/
+        # Listen address configuration settings
         neo4j_conf_set "dbms.default_listen_address" "$NEO4J_BIND_ADDRESS"
-        neo4j_conf_set "dbms.connector.bolt.advertised_address" ":${NEO4J_BOLT_PORT_NUMBER}"
-        neo4j_conf_set "dbms.connector.http.advertised_address" ":${NEO4J_HTTP_PORT_NUMBER}"
-        neo4j_conf_set "dbms.connector.https.advertised_address" ":${NEO4J_HTTPS_PORT_NUMBER}"
+        neo4j_conf_set "dbms.connector.bolt.listen_address" ":${NEO4J_BOLT_PORT_NUMBER}"
+        neo4j_conf_set "dbms.connector.http.listen_address" ":${NEO4J_HTTP_PORT_NUMBER}"
+        neo4j_conf_set "dbms.connector.https.listen_address" ":${NEO4J_HTTPS_PORT_NUMBER}"
+        # Advertised address configuration settings
         neo4j_conf_set "dbms.default_advertised_address" "$host"
+        neo4j_conf_set "dbms.connector.bolt.advertised_address" ":${NEO4J_BOLT_ADVERTISED_PORT_NUMBER}"
+        neo4j_conf_set "dbms.connector.http.advertised_address" ":${NEO4J_HTTP_ADVERTISED_PORT_NUMBER}"
+        neo4j_conf_set "dbms.connector.https.advertised_address" ":${NEO4J_HTTPS_ADVERTISED_PORT_NUMBER}"
+        # TLS settings
+        neo4j_conf_set "dbms.connector.bolt.tls_level" "${NEO4J_BOLT_TLS_LEVEL}"
+        [[ "$NEO4J_BOLT_TLS_LEVEL" == "REQUIRED" || "$NEO4J_BOLT_TLS_LEVEL" == "OPTIONAL" ]] && neo4j_conf_set "dbms.ssl.policy.bolt.enabled" "true"
+        neo4j_conf_set "dbms.connector.https.enabled" "${NEO4J_HTTPS_ENABLED}"
+        neo4j_conf_set "dbms.ssl.policy.https.enabled" "${NEO4J_HTTPS_ENABLED}"
         ## Upgrade configuration (This is for allowing automatic schema upgrades)
         ## Source: https://neo4j.com/docs/upgrade-migration-guide/current/upgrade/upgrade-4.3/deployment-upgrading/
         neo4j_conf_set "dbms.allow_upgrade" "$NEO4J_ALLOW_UPGRADE"
     elif [ "$neo4j_major_version" -ge 5 ]; then
+        # Listen address configuration settings
         neo4j_conf_set "server.default_listen_address" "$NEO4J_BIND_ADDRESS"
-        neo4j_conf_set "server.bolt.advertised_address" ":${NEO4J_BOLT_PORT_NUMBER}"
-        neo4j_conf_set "server.http.advertised_address" ":${NEO4J_HTTP_PORT_NUMBER}"
-        neo4j_conf_set "server.https.advertised_address" ":${NEO4J_HTTPS_PORT_NUMBER}"
+        neo4j_conf_set "server.bolt.listen_address" ":${NEO4J_BOLT_PORT_NUMBER}"
+        neo4j_conf_set "server.http.listen_address" ":${NEO4J_HTTP_PORT_NUMBER}"
+        neo4j_conf_set "server.https.listen_address" ":${NEO4J_HTTPS_PORT_NUMBER}"
+        # Advertised address configuration settings
         neo4j_conf_set "server.default_advertised_address" "$host"
+        neo4j_conf_set "server.bolt.advertised_address" ":${NEO4J_BOLT_ADVERTISED_PORT_NUMBER}"
+        neo4j_conf_set "server.http.advertised_address" ":${NEO4J_HTTP_ADVERTISED_PORT_NUMBER}"
+        neo4j_conf_set "server.https.advertised_address" ":${NEO4J_HTTPS_ADVERTISED_PORT_NUMBER}"
+        # TLS settings
+        neo4j_conf_set "server.bolt.tls_level" "${NEO4J_BOLT_TLS_LEVEL}"
+        [[ "$NEO4J_BOLT_TLS_LEVEL" == "REQUIRED" || "$NEO4J_BOLT_TLS_LEVEL" == "OPTIONAL" ]] && neo4j_conf_set "dbms.ssl.policy.bolt.enabled" "true"
+        neo4j_conf_set "server.https.enabled" "${NEO4J_HTTPS_ENABLED}"
+        neo4j_conf_set "dbms.ssl.policy.https.enabled" "${NEO4J_HTTPS_ENABLED}"
     else
         error "Neo4j branch ${neo4j_major_version} not supported"
     fi

bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j-env.sh

@@ -33,6 +33,11 @@ neo4j_env_vars=(
     NEO4J_BOLT_PORT_NUMBER
     NEO4J_HTTP_PORT_NUMBER
     NEO4J_HTTPS_PORT_NUMBER
+    NEO4J_BOLT_ADVERTISED_PORT_NUMBER
+    NEO4J_HTTP_ADVERTISED_PORT_NUMBER
+    NEO4J_HTTPS_ADVERTISED_PORT_NUMBER
+    NEO4J_HTTPS_ENABLED
+    NEO4J_BOLT_TLS_LEVEL
 )
 for env_var in "${neo4j_env_vars[@]}"; do
     file_env_var="${env_var}_FILE"
@@ -51,11 +56,12 @@ unset neo4j_env_vars
 export NEO4J_BASE_DIR="${BITNAMI_ROOT_DIR}/neo4j"
 export NEO4J_VOLUME_DIR="/bitnami/neo4j"
 export NEO4J_DATA_DIR="$NEO4J_VOLUME_DIR/data"
-export NEO4J_TMP_DIR="${NEO4J_BASE_DIR}/run"
+export NEO4J_RUN_DIR="${NEO4J_BASE_DIR}/run"
 export NEO4J_LOGS_DIR="${NEO4J_BASE_DIR}/logs"
 export NEO4J_LOG_FILE="${NEO4J_LOGS_DIR}/neo4j.log"
-export NEO4J_PID_FILE="${NEO4J_TMP_DIR}/neo4j.pid"
+export NEO4J_PID_FILE="${NEO4J_RUN_DIR}/neo4j.pid"
 export NEO4J_CONF_DIR="${NEO4J_BASE_DIR}/conf"
+export NEO4J_DEFAULT_CONF_DIR="${NEO4J_BASE_DIR}/conf.default"
 export NEO4J_PLUGINS_DIR="${NEO4J_BASE_DIR}/plugins"
 export NEO4J_METRICS_DIR="${NEO4J_VOLUME_DIR}/metrics"
 export NEO4J_CERTIFICATES_DIR="${NEO4J_VOLUME_DIR}/certificates"
@@ -84,6 +90,11 @@ export NEO4J_APOC_IMPORT_FILE_USE_NEO4J_CONFIG="${NEO4J_APOC_IMPORT_FILE_USE_NEO
 export NEO4J_BOLT_PORT_NUMBER="${NEO4J_BOLT_PORT_NUMBER:-7687}"
 export NEO4J_HTTP_PORT_NUMBER="${NEO4J_HTTP_PORT_NUMBER:-7474}"
 export NEO4J_HTTPS_PORT_NUMBER="${NEO4J_HTTPS_PORT_NUMBER:-7473}"
+export NEO4J_BOLT_ADVERTISED_PORT_NUMBER="${NEO4J_BOLT_ADVERTISED_PORT_NUMBER:-$NEO4J_BOLT_PORT_NUMBER}"
+export NEO4J_HTTP_ADVERTISED_PORT_NUMBER="${NEO4J_HTTP_ADVERTISED_PORT_NUMBER:-$NEO4J_HTTP_PORT_NUMBER}"
+export NEO4J_HTTPS_ADVERTISED_PORT_NUMBER="${NEO4J_HTTPS_ADVERTISED_PORT_NUMBER:-$NEO4J_HTTPS_PORT_NUMBER}"
+export NEO4J_HTTPS_ENABLED="${NEO4J_HTTPS_ENABLED:-false}"
+export NEO4J_BOLT_TLS_LEVEL="${NEO4J_BOLT_TLS_LEVEL:-DISABLED}"
 
 # Default JVM configuration
 export JAVA_HOME="${BITNAMI_ROOT_DIR}/java"

bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j/entrypoint.sh

@@ -18,6 +18,12 @@ set -o pipefail
 
 print_welcome_page
 
+# We add the copy from default config in the entrypoint to not break users
+# bypassing the setup.sh logic. If the file already exists do not overwrite (in
+# case someone mounts a configuration file in /opt/bitnami/neo4j/config)
+debug "Copying files from $NEO4J_DEFAULT_CONF_DIR to $NEO4J_CONF_DIR"
+cp -nr "$NEO4J_DEFAULT_CONF_DIR"/. "$NEO4J_CONF_DIR"
+
 if [[ "$1" = "/opt/bitnami/scripts/neo4j/run.sh" ]]; then
     /opt/bitnami/scripts/neo4j/setup.sh
     info "** Neo4j setup finished! **"

bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j/postunpack.sh

@@ -34,7 +34,7 @@ done
 
 ## Directories that should have write permissions
 ## NOTE: We need the configuration and plugins folder to have write permissions to create or import the configuration file
-for dir in "$NEO4J_CONF_DIR" "$NEO4J_PLUGINS_DIR" "$NEO4J_LOGS_DIR" "$NEO4J_DATA_DIR" "$NEO4J_TMP_DIR" "$NEO4J_METRICS_DIR"; do
+for dir in "$NEO4J_CONF_DIR" "$NEO4J_DEFAULT_CONF_DIR" "$NEO4J_PLUGINS_DIR" "$NEO4J_LOGS_DIR" "$NEO4J_DATA_DIR" "$NEO4J_RUN_DIR" "$NEO4J_METRICS_DIR"; do
     ensure_dir_exists "$dir"
     configure_permissions_ownership "$dir" -u "root" -g "root" -d 775 -f 664
 done
@@ -64,3 +64,7 @@ configure_permissions_ownership "$NEO4J_APOC_CONF_FILE" -u "root" -g "root" -f 6
 ## Create a hidden directory where the cypher-shell executable can write cache and history data
 ensure_dir_exists "$NEO4J_BASE_DIR/.home"
 configure_permissions_ownership "$NEO4J_BASE_DIR/.home" -u "root" -g "root" -d 775
+
+# Copy all initially generated configuration files to the default directory
+# (this is to avoid breaking when entrypoint is being overridden)
+cp -r "$NEO4J_CONF_DIR"/* "$NEO4J_DEFAULT_CONF_DIR"