From 4f8772e08df1d0522673c02647d7157dd5db7cc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Diego=20Alejandro=20Tovar=20Casta=C3=B1eda?= <20290570+Alejandro-Tovar@users.noreply.github.com>
Date: Tue, 16 Jul 2024 09:26:24 -0500
Subject: [PATCH 1/8] Bump openssl to a non vulnerable version (#209)
NEXUS-43508-openssl-policy-violation
---
 Dockerfile.alpine.java11 | 3 +++
 Dockerfile.alpine.java17 | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/Dockerfile.alpine.java11 b/Dockerfile.alpine.java11
index 3edcae26..d6768561 100644
--- a/Dockerfile.alpine.java11
+++ b/Dockerfile.alpine.java11
@@ -55,6 +55,9 @@ RUN apk add openjdk11 tar procps gzip curl shadow \
 && groupadd --gid 200 -r nexus \
 && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+RUN apk del --no-cache openssl || true
+RUN apk update && apk add --no-cache openssl
+
 WORKDIR ${SONATYPE_DIR}
 # Download nexus & setup directories
diff --git a/Dockerfile.alpine.java17 b/Dockerfile.alpine.java17
index 23dc7ee0..fdd82ca9 100644
--- a/Dockerfile.alpine.java17
+++ b/Dockerfile.alpine.java17
@@ -55,6 +55,9 @@ RUN apk add openjdk17 tar procps gzip curl shadow \
 && groupadd --gid 200 -r nexus \
 && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+RUN apk del --no-cache openssl || true
+RUN apk update && apk add --no-cache openssl
+
 WORKDIR ${SONATYPE_DIR}
 # Download nexus & setup directories
From 4ce1ddf211e8571a01335b2a2f917ea97255096a Mon Sep 17 00:00:00 2001
From: mburkert3 <126404216+mburkert3@users.noreply.github.com>
Date: Wed, 24 Jul 2024 14:22:09 -0400
Subject: [PATCH 2/8] Nexus 43520 docker tags (#210)
* Added alias
* Testing branch
* Added new docker tag
* Added new docker tag
---------
Co-authored-by: mburkert3
---
 Jenkinsfile-Internal-Release | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Jenkinsfile-Internal-Release b/Jenkinsfile-Internal-Release
index f3daf0a2..f685719a 100644
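Review bot: Nothing in the two added `RUN` lines ties the image to a fixed OpenSSL: `apk add --no-cache openssl` installs whatever the repository index serves at build time, so the "non vulnerable version" in the subject holds only while the base image and mirror happen to be current. `apk del --no-cache openssl || true` also hides a failed removal, and removing and re-adding the `openssl` package may leave already-installed libssl/libcrypto library packages at their old version, so it is worth confirming which package the policy finding was raised on. A single layer that states the intent, for example `RUN apk upgrade --no-cache openssl` with the library packages named as well, or a constraint such as `apk add --no-cache 'openssl>=<fixed-version>'`, would fail the build when the fixed version is unavailable. `apk update` is redundant next to `--no-cache` and leaves the index in the layer. The same applies to the identical hunk in Dockerfile.alpine.java17.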
--- a/Jenkinsfile-Internal-Release
+++ b/Jenkinsfile-Internal-Release
@@ -127,6 +127,9 @@ node('ubuntu-zion') {
 if (params.java_version == OPENJDK8) {
 sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi"
 sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi"
+ // Create alias for the UBI image without the suffix
+ sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}"
+ sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}"
 }
 // Push Alpine images
From 51a85ef7a522c398a15b73376132f279f5e8708b Mon Sep 17 00:00:00 2001
From: mburkert3 <126404216+mburkert3@users.noreply.github.com>
Date: Tue, 6 Aug 2024 17:02:39 -0400
Subject: [PATCH 3/8] NEXUS-43823-java17 (#211)
* Changed Release Jenkinsfiles to Java17
---------
Co-authored-by: mburkert3
---
 Jenkinsfile-Internal-Release | 92 ++++++++-----------
 Jenkinsfile-Release | 169 ++++++++++++-----------------------
 2 files changed, 93 insertions(+), 168 deletions(-)
diff --git a/Jenkinsfile-Internal-Release b/Jenkinsfile-Internal-Release
index f685719a..718f456f 100644
--- a/Jenkinsfile-Internal-Release
+++ b/Jenkinsfile-Internal-Release
@@ -6,10 +6,8 @@
 @Library(['private-pipeline-library', 'jenkins-shared']) _
 import com.sonatype.jenkins.pipeline.OsTools
-String OPENJDK8 = 'OpenJDK 8'
-String OPENJDK11 = 'OpenJDK 11'
 String OPENJDK17 = 'OpenJDK 17'
-List javaVersions = [OPENJDK8, OPENJDK11, OPENJDK17]
+List javaVersions = [OPENJDK17]
 properties([
 parameters([
@@ -25,22 +23,13 @@ node('ubuntu-zion') { def imageName = 'sonatype/nexus3', archiveName = 'docker-nexus3' - def JAVA_8 = 'java8' - def JAVA_11 = 'java11' def JAVA_17 = 'java17' - - def DOCKERFILE_JAVA_8 = 'Dockerfile' - def DOCKERFILE_JAVA_11 = 'Dockerfile.java11' def DOCKERFILE_JAVA_17 = 'Dockerfile.java17' - def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine.java11' def DOCKERFILE_ALPINE_JAVA_17 = 'Dockerfile.alpine.java17' def dockerfileMap = [ - (OPENJDK8) : [DOCKERFILE_JAVA_8], - (OPENJDK11): [DOCKERFILE_JAVA_11, DOCKERFILE_ALPINE_JAVA_11], (OPENJDK17): [DOCKERFILE_JAVA_17, DOCKERFILE_ALPINE_JAVA_17] ] - try { stage('Preparation') { deleteDir() @@ -60,17 +49,15 @@ node('ubuntu-zion') { if (params.nexus_repository_manager_version) { stage('Update Repository Manager Version') { OsTools.runSafe(this, "git checkout ${branch}") - dockerfileMap.each { javaVersion, dockerfiles -> - dockerfiles.each { dockerfile -> - updateRepositoryManagerVersion("${pwd()}/${dockerfile}", javaVersion) + dockerfileMap[OPENJDK17].each { dockerfile -> + updateRepositoryManagerVersion("${pwd()}/${dockerfile}", JAVA_17) } - } version = getShortVersion(params.nexus_repository_manager_version) } } } - def dockerfilePath = dockerfileMap[params.java_version][0] - def alpineDockerfilePath = params.java_version == OPENJDK8 ? null : dockerfileMap[params.java_version][1] + def dockerfilePath = dockerfileMap[OPENJDK17][0] + def alpineDockerfilePath = dockerfileMap[OPENJDK17][1] stage('Build UBI Image') { def baseImage = extractBaseImage(dockerfilePath) 
@@ -80,26 +67,31 @@ node('ubuntu-zion') { def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}") imageId = hash.split(':')[1] } - if (params.java_version != OPENJDK8) { - stage('Build Alpine Image') { - def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") - alpineImageId = hash.split(':')[1] - } + stage('Build Alpine Image') { + def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") + alpineImageId = hash.split(':')[1] } + if (params.scan_for_policy_violations) { stage('Evaluate Policies') { + def imagesToScan = [ + [name: 'docker-nexus3', image: imageName], + [name: 'docker-nexus3-alpine', image: "${imageName}-alpine"] + ] + + imagesToScan.each { imageConfig -> runEvaluation({ stage -> - def isAlpine = alpineDockerfilePath != null && alpineDockerfilePath.contains('alpine') - def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3' - def imageToScan = isAlpine ? "${imageName}-alpine" : imageName + def iqApplicationName = imageConfig.name + def imageToScan = imageConfig.image nexusPolicyEvaluation( iqStage: stage, iqApplication: iqApplicationName, iqScanPatterns: [[scanPattern: "container:${imageToScan}"]], - failBuildOnNetworkError: true, - ) - }, 'release') + failBuildOnNetworkError: false, + ) + }, 'release') + } } } if (currentBuild.result == 'FAILURE') { 
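Review bot: `failBuildOnNetworkError` flips from `true` to `false` inside the new `imagesToScan.each` loop, so a network error reaching the IQ server no longer fails the internal release and the build can continue with no policy result for either image. Jenkinsfile-Release keeps `failBuildOnNetworkError: true` in the same rewritten stage, which suggests the change here is either left over from testing or an undocumented exception. Keep it fail-closed with `failBuildOnNetworkError: true,` or add a comment stating why this pipeline may proceed to the push stage without a scan. The stage is also still optional through `params.scan_for_policy_violations`, visible in the context lines.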
@@ -114,33 +106,19 @@ node('ubuntu-zion') { if (branch == 'main') { stage('Push image to RSC') { withSonatypeDockerRegistry() { - def javaVersionSuffixesMap = [ - (OPENJDK8): JAVA_8, - (OPENJDK11): JAVA_11, - (OPENJDK17): JAVA_17 - ] - def javaVersionSuffix = javaVersionSuffixesMap.get(params.java_version) - - // Push UBI images - sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" - if (params.java_version == OPENJDK8) { - sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" - // Create alias for the UBI image without the suffix - sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}" - } - - // Push Alpine images - if (params.java_version != OPENJDK8) { - sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" - if (params.java_version == OPENJDK11) { - sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" - } - } + // Tag Images + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}" + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-java17-ubi" + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" + 
sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-java17-alpine" + + // Push Images + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-java17-ubi" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-java17-alpine" } } } @@ -152,7 +130,7 @@ node('ubuntu-zion') { } def readVersion() { - def content = readFile 'Dockerfile' + def content = readFile 'Dockerfile.java17' for (line in content.split('\n')) { if (line.startsWith('ARG NEXUS_VERSION=')) { return getShortVersion(line.substring(18)) diff --git a/Jenkinsfile-Release b/Jenkinsfile-Release index e79b2a8e..1bfc7a92 100644 --- a/Jenkinsfile-Release +++ b/Jenkinsfile-Release @@ -8,11 +8,8 @@ import com.sonatype.jenkins.pipeline.GitHub import com.sonatype.jenkins.pipeline.OsTools import com.sonatype.jenkins.shared.Expectation -String OPENJDK8 = 'OpenJDK 8' -String OPENJDK11 = 'OpenJDK 11' String OPENJDK17 = 'OpenJDK 17' -List javaVersions = [OPENJDK8, OPENJDK11, OPENJDK17] - +List javaVersions = [OPENJDK17] properties([ parameters([ string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'), @@ -25,7 +22,7 @@ properties([ ]) node('ubuntu-zion') { - def commitId, commitDate, version, imageId, alpineImageId, branch, dockerFileLocations, dockerJava11FileLocations, dockerJava17FileLocations + def commitId, commitDate, version, imageId, alpineImageId, branch def organization = 'sonatype', gitHubRepository = 'docker-nexus3', credentialsId = 'jenkins-github', 
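Review bot: All ten `sh` lines in the rewritten push block splice `${version}` into the command through a Groovy double-quoted string, and earlier in this file `version` can come from `params.nexus_repository_manager_version` via `getShortVersion`, whose body is not shown. If that helper does not restrict the value to a tag-safe pattern, shell metacharacters in the build parameter reach the agent's shell while the registry login from `withSonatypeDockerRegistry()` is in scope. Validate once before the push stage, for example `if (!(version ==~ /[0-9A-Za-z._-]+/)) { error "unexpected version: ${version}" }`, or export it and let the shell expand `"$VERSION"` inside single-quoted `sh` strings. The same pattern is used for the internal-registry block in Jenkinsfile-Release.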
@@ -34,37 +31,18 @@ node('ubuntu-zion') { dockerHubRepository = 'nexus3' GitHub gitHub - def JAVA_8 = 'java8' - def JAVA_11 = 'java11' def JAVA_17 = 'java17' - def alpineDockerfilePath - + dockerFileLocations = [ + "${pwd()}/Dockerfile.java17", + "${pwd()}/Dockerfile.rh.ubi.java17", + "${pwd()}/Dockerfile.alpine.java17" + ] try { stage('Preparation') { deleteDir() OsTools.runSafe(this, "docker system prune -a -f") - def checkoutDetails = checkout scm - dockerFileLocations = [ - "${pwd()}/Dockerfile", - "${pwd()}/Dockerfile.rh.centos", - "${pwd()}/Dockerfile.rh.el", - "${pwd()}/Dockerfile.rh.ubi" - ] - - dockerJava11FileLocations = [ - "${pwd()}/Dockerfile.java11", - "${pwd()}/Dockerfile.rh.ubi.java11", - "${pwd()}/Dockerfile.alpine.java11" - ] - - dockerJava17FileLocations = [ - "${pwd()}/Dockerfile.java17", - "${pwd()}/Dockerfile.rh.ubi.java17", - "${pwd()}/Dockerfile.alpine.java17" - ] - branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH commitId = checkoutDetails.GIT_COMMIT commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}") 
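Review bot: `dockerFileLocations` is now assigned without a declaration: the previous hunk drops it from the `def commitId, commitDate, ...` list and this one moves the assignment above `try`. In a scripted pipeline that turns it into a script-binding variable instead of a local of the `node` block, which is easy to shadow or overwrite from elsewhere in the script. Declare it where it is assigned, `def dockerFileLocations = [`. `JAVA_17` is still defined here, but in the hunks shown nothing in this file reads it any more, so it can probably go as well.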
@@ -83,35 +61,24 @@ node('ubuntu-zion') { } gitHub = new GitHub(this, "${organization}/${gitHubRepository}", apiToken) - def dockerfileLocationsMap = [ - (OPENJDK8): dockerFileLocations, - (OPENJDK11): dockerJava11FileLocations, - (OPENJDK17): dockerJava17FileLocations - ] - def chosenDockerfileLocations = dockerfileLocationsMap.get(params.java_version) - if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha) { stage('Update Repository Manager Version') { OsTools.runSafe(this, "git checkout ${branch}") - chosenDockerfileLocations.each { updateRepositoryManagerVersion(it) } + dockerFileLocations.each { updateRepositoryManagerVersion(it) } version = getShortVersion(params.nexus_repository_manager_version) } } if (params.nexus_repository_manager_cookbook_version) { stage('Update Repository Manager Cookbook Version') { OsTools.runSafe(this, "git checkout ${branch}") - chosenDockerfileLocations.each { updateRepositoryCookbookVersion(it) } + dockerFileLocations.each { updateRepositoryCookbookVersion(it) } } } } - stage('Build') { + + stage('Build Images') { gitHub.statusUpdate commitId, 'pending', 'build', 'Build is running' - def dockerfilesMap = [ - (OPENJDK8): 'Dockerfile', - (OPENJDK11): 'Dockerfile.java11', - (OPENJDK17): 'Dockerfile.java17' - ] - def dockerfilePath = dockerfilesMap.get(params.java_version) + def dockerfilePath = 'Dockerfile.java17' def baseImage = extractBaseImage(dockerfilePath) def baseImageRefFactory = load 'scripts/BaseImageReference.groovy' def baseImageReference = baseImageRefFactory.build(this, baseImage as String) 
@@ -119,12 +86,10 @@ node('ubuntu-zion') { def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}") imageId = hash.split(':')[1] - // Build Alpine Image if not Java 8 - if (params.java_version != OPENJDK8) { - alpineDockerfilePath = dockerfilePath.replace("Dockerfile", "Dockerfile.alpine") - def alpineHash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") - alpineImageId = alpineHash.split(':')[1] - } + // Build Alpine Image + def alpineDockerfilePath = 'Dockerfile.alpine.java17' + def alpineHash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") + alpineImageId = alpineHash.split(':')[1] if (currentBuild.result == 'FAILURE') { gitHub.statusUpdate commitId, 'failure', 'build', 'Build failed' @@ -133,16 +98,15 @@ node('ubuntu-zion') { gitHub.statusUpdate commitId, 'success', 'build', 'Build succeeded' } } + stage('Test') { gitHub.statusUpdate commitId, 'pending', 'test', 'Tests are running' - validateExpectations([ new Expectation('Has user nexus in group nexus present', 'id', '-ng nexus', 'nexus'), new Expectation('Has nexus user java process present', 'ps', '-e -o command,user | grep -q ^/usr/lib/jvm/java.*nexus$ | echo $?', '0') ]) - if (currentBuild.result == 'FAILURE') { gitHub.statusUpdate commitId, 'failure', 'test', 'Tests failed' return 
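Review bot: The Alpine build records no base-image provenance: the UBI build just above passes `--label base-image-ref='${baseImageReferenceStr}'`, while the Alpine `docker build` has no such label, and Dockerfile.alpine.java17 starts from an untagged `FROM alpine` (visible in PATCH 5/8), so the published image cannot be traced back to the base it was built on. Now that the Alpine image is built and pushed on every release, derive a reference the same way the UBI path does (`extractBaseImage(alpineDockerfilePath)` fed to `baseImageRefFactory.build`) and add the label to the Alpine command. Jenkinsfile-Internal-Release has the same gap in its `Build Alpine Image` stage. The `Build Images` stage body starts in the previous hunk.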
@@ -152,23 +116,29 @@ node('ubuntu-zion') { } stage('Evaluate Policies') { - runEvaluation({ stage -> - def isAlpine = alpineDockerfilePath != null && alpineDockerfilePath.contains('alpine') - def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3' - def imageToScan = isAlpine ? "${imageName}-alpine" : imageName - - nexusPolicyEvaluation( - iqStage: stage, - iqApplication: iqApplicationName, - iqScanPatterns: [[scanPattern: "container:${imageToScan}"]], - failBuildOnNetworkError: true, - ) - }, 'release') - } + def imagesToScan = [ + [name: 'docker-nexus3', image: imageName], + [name: 'docker-nexus3-alpine', image: "${imageName}-alpine"] + ] + imagesToScan.each { imageConfig -> + runEvaluation({ stage -> + def iqApplicationName = imageConfig.name + def imageToScan = imageConfig.image + + nexusPolicyEvaluation( + iqStage: stage, + iqApplication: iqApplicationName, + iqScanPatterns: [[scanPattern: "container:${imageToScan}"]], + failBuildOnNetworkError: true, + ) + }, 'release') + } + } if (currentBuild.result == 'FAILURE') { - return + return } + if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha || params.nexus_repository_manager_cookbook_version) { stage('Commit Automated Code Update') { 
@@ -206,49 +176,22 @@ node('ubuntu-zion') { credentialsId: 'docker-hub-credentials', usernameVariable: 'DOCKERHUB_API_USERNAME', passwordVariable: 'DOCKERHUB_API_PASSWORD']]) { - def javaVersionSuffixesMap = [ - (OPENJDK8): JAVA_8, - (OPENJDK11): JAVA_11, - (OPENJDK17): JAVA_17 - ] - def javaVersionSuffix = javaVersionSuffixesMap.get(params.java_version) // Push UBI image - OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-ubi") - if (params.java_version == OPENJDK8) { - OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}-ubi") - OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}") - OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest") - } + OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}") + OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}-ubi") + OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}-java17-ubi") + OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest") + + // Push Alpine Image + OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-alpine") + OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-java17-alpine") OsTools.runSafe(this, """ docker login --username ${env.DOCKERHUB_API_USERNAME} --password ${env.DOCKERHUB_API_PASSWORD} """) - def dockerPushCmdsMap = [ - (OPENJDK8): "docker push --all-tags ${organization}/${dockerHubRepository}", - (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-ubi", - (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-ubi" - ] - def dockerPushCmd = dockerPushCmdsMap.get(params.java_version) - - 
OsTools.runSafe(this, dockerPushCmd) - - // Push Alpine image if not Java 8 - if (params.java_version != OPENJDK8) { - OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-alpine") - if (params.java_version == OPENJDK11) { - OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-alpine") - } - - def alpineDockerPushCmdsMap = [ - (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-alpine", - (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-alpine" - ] - def alpineDockerPushCmd = alpineDockerPushCmdsMap.get(params.java_version) - - OsTools.runSafe(this, alpineDockerPushCmd) - } + OsTools.runSafe(this, "docker push --all-tags ${organization}/${dockerHubRepository}") response = OsTools.runSafe(this, """ curl -X POST https://hub.docker.com/v2/users/login/ \ 
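Review bot: `docker push --all-tags ${organization}/${dockerHubRepository}` publishes every tag the agent holds for that repository, not only the six tags created just above, so the published set depends on local daemon state rather than on the list in this file. That now includes `latest` on every run, and whether `update_latest_only` or a leftover tag from an earlier build changes the outcome is decided outside this hunk. Because this stage writes to the public Docker Hub repository, push each tag by name, for example `OsTools.runSafe(this, "docker push ${organization}/${dockerHubRepository}:${version}-java17-ubi")`, one call per tag. The unchanged `docker login ... --password ${env.DOCKERHUB_API_PASSWORD}` in the same hunk interpolates the secret in Groovy and puts it on the command line; `--password-stdin` avoids both.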
@@ -269,13 +212,17 @@ node('ubuntu-zion') { // push to internal repos withSonatypeDockerRegistry() { - sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-${javaVersionSuffix}" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-${javaVersionSuffix}" - - if (params.java_version == OPENJDK8) { - sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}" - } + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}" + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-ubi" + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-ubi" + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-alpine" + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-alpine" + + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-ubi" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal${dockerHubRepository}:${version}-java17-ubi" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-alpine" } } } 
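Review bot: The ten tag and push lines repeat the registry path by hand, and one copy is already wrong: the `-java17-ubi` push reads `sonatype-internal${dockerHubRepository}` with no `/`, so it names a repository that was never tagged (PATCH 6/8 adds the slash). As ordered in this file, that failure would occur after the Docker Hub push, leaving a partially published release. Build the prefix once, `def internalRepo = "docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}"`, and iterate over the suffix list for both `docker tag` and `docker push` so the two lists cannot drift apart.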
@@ -316,7 +263,7 @@ node('ubuntu-zion') {
 }
 def readVersion() {
- def content = readFile 'Dockerfile'
+ def content = readFile 'Dockerfile.java17'
 for (line in content.split('\n')) {
 if (line.startsWith('ARG NEXUS_VERSION=')) {
 return getShortVersion(line.substring(18))
From 0fcb0417561c1cbe0da1d802fb5b4cdee41daa9b Mon Sep 17 00:00:00 2001
From: Michael Martz
Date: Thu, 8 Aug 2024 14:16:39 -0500
Subject: [PATCH 4/8] Remove choice of java version
---
 Dockerfile | 3 +--
 Dockerfile.alpine.java17 | 3 +--
 Dockerfile.java17 | 3 +--
 Jenkinsfile-Release | 1 -
 4 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 147ad079..8a2d9756 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,8 +41,7 @@ LABEL name="Nexus Repository Manager" \
 io.openshift.tags="Sonatype,Nexus,Repository Manager"
 ARG NEXUS_VERSION=3.70.1-02
-ARG JAVA_VERSION=java8
-ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
 ARG NEXUS_DOWNLOAD_SHA256_HASH=29952f663982bd9781d5bc352471727826943452cfe8e9aa0e9b60ad01531d1b
 # configure nexus runtime
diff --git a/Dockerfile.alpine.java17 b/Dockerfile.alpine.java17
index fdd82ca9..2beb0cad 100644
--- a/Dockerfile.alpine.java17
+++ b/Dockerfile.alpine.java17
@@ -37,8 +37,7 @@ LABEL name="Nexus Repository Manager" \
 io.openshift.tags="Sonatype,Nexus,Repository Manager"
 ARG NEXUS_VERSION=3.70.1-02
-ARG JAVA_VERSION=java17
-ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
 ARG NEXUS_DOWNLOAD_SHA256_HASH=6878fab6416b86fe73b799d34afce2b0a91446d602edc892ed71efbb205be01b
 # configure nexus runtime
diff --git a/Dockerfile.java17 b/Dockerfile.java17
index b2d9708b..fe4bc9a5 100644
--- a/Dockerfile.java17
+++ b/Dockerfile.java17
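Review bot: In the Dockerfile hunk `NEXUS_DOWNLOAD_URL` now points at a differently named archive while `NEXUS_DOWNLOAD_SHA256_HASH` two lines below stays at the digest that was pinned for the `-java8-` file; the Dockerfile.alpine.java17 and Dockerfile.java17 hunks do the same with the `-java17-` digest. If the unsuffixed tarball is not byte-identical, the checksum step (presumably the same `sha256sum -c` shown for Dockerfile.rh.ubi.java17 in PATCH 7/8) fails the build, which is the safe outcome, but the URL and its digest should change together from the publisher's checksum for the new file. Since `ARG JAVA_VERSION` is removed here, also check that the download step outside these hunks no longer references `${JAVA_VERSION}`, which would now expand to an empty string.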
@@ -37,8 +37,7 @@ LABEL name="Nexus Repository Manager" \
 io.openshift.tags="Sonatype,Nexus,Repository Manager"
 ARG NEXUS_VERSION=3.70.1-02
-ARG JAVA_VERSION=java17
-ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
 ARG NEXUS_DOWNLOAD_SHA256_HASH=6878fab6416b86fe73b799d34afce2b0a91446d602edc892ed71efbb205be01b
 # configure nexus runtime
diff --git a/Jenkinsfile-Release b/Jenkinsfile-Release
index 1bfc7a92..a854a77b 100644
--- a/Jenkinsfile-Release
+++ b/Jenkinsfile-Release
@@ -15,7 +15,6 @@ properties([
 string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'),
 string(defaultValue: '', description: 'New Nexus Repository Manager Version Sha256', name: 'nexus_repository_manager_version_sha'),
 string(defaultValue: '', description: 'New Nexus Repository Manager Cookbook Version', name: 'nexus_repository_manager_cookbook_version'),
- choice(name: 'java_version', choices: javaVersions, description: 'Java version to run Nexus Repository Manager'),
 booleanParam(defaultValue: false, description: 'Skip Pushing of Docker Image and Tags', name: 'skip_push'),
 booleanParam(defaultValue: false, description: 'Only update the latest tag', name: 'update_latest_only')
 ])
From b5f1fa9d928ac6bf15a36a75c299be260e1c90a9 Mon Sep 17 00:00:00 2001
From: Sonatype
Date: Thu, 8 Aug 2024 20:04:49 +0000
Subject: [PATCH 5/8] Update Repository Manager to 3.71.0-06.
---
 Dockerfile.alpine.java17 | 8 ++++----
 Dockerfile.java17 | 8 ++++----
 Dockerfile.rh.ubi.java17 | 8 ++++----
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/Dockerfile.alpine.java17 b/Dockerfile.alpine.java17
index 2beb0cad..3e43c090 100644
--- a/Dockerfile.alpine.java17
+++ b/Dockerfile.alpine.java17
@@ -17,8 +17,8 @@ FROM alpine
 LABEL name="Nexus Repository Manager" \
 maintainer="Sonatype " \
 vendor=Sonatype \
- version="3.70.1-02" \
- release="3.70.1" \
+ version="3.71.0-06" \
+ release="3.71.0" \
 url="https://sonatype.com" \
 summary="The Nexus Repository Manager server \
 with universal support for popular component formats." \
@@ -36,9 +36,9 @@ LABEL name="Nexus Repository Manager" \
 io.openshift.expose-services="8081:8081" \
 io.openshift.tags="Sonatype,Nexus,Repository Manager"
-ARG NEXUS_VERSION=3.70.1-02
+ARG NEXUS_VERSION=3.71.0-06
 ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
-ARG NEXUS_DOWNLOAD_SHA256_HASH=6878fab6416b86fe73b799d34afce2b0a91446d602edc892ed71efbb205be01b
+ARG NEXUS_DOWNLOAD_SHA256_HASH=b025287558184677fc231035c9f5e5e6cc4bc1cafd76d13a06233a4ed09d08f6
 # configure nexus runtime
 ENV SONATYPE_DIR=/opt/sonatype
diff --git a/Dockerfile.java17 b/Dockerfile.java17
index fe4bc9a5..541b2da1 100644
--- a/Dockerfile.java17
+++ b/Dockerfile.java17
@@ -17,8 +17,8 @@ FROM registry.access.redhat.com/ubi8/ubi-minimal
 LABEL name="Nexus Repository Manager" \
 maintainer="Sonatype " \
 vendor=Sonatype \
- version="3.70.1-02" \
- release="3.70.1" \
+ version="3.71.0-06" \
+ release="3.71.0" \
 url="https://sonatype.com" \
 summary="The Nexus Repository Manager server \
 with universal support for popular component formats." \
@@ -36,9 +36,9 @@ LABEL name="Nexus Repository Manager" \
 io.openshift.expose-services="8081:8081" \
 io.openshift.tags="Sonatype,Nexus,Repository Manager"
-ARG NEXUS_VERSION=3.70.1-02
+ARG NEXUS_VERSION=3.71.0-06
 ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
-ARG NEXUS_DOWNLOAD_SHA256_HASH=6878fab6416b86fe73b799d34afce2b0a91446d602edc892ed71efbb205be01b
+ARG NEXUS_DOWNLOAD_SHA256_HASH=b025287558184677fc231035c9f5e5e6cc4bc1cafd76d13a06233a4ed09d08f6
 # configure nexus runtime
 ENV SONATYPE_DIR=/opt/sonatype
diff --git a/Dockerfile.rh.ubi.java17 b/Dockerfile.rh.ubi.java17
index 0a3bbd4b..fea2cd01 100644
--- a/Dockerfile.rh.ubi.java17
+++ b/Dockerfile.rh.ubi.java17
@@ -17,8 +17,8 @@ FROM registry.access.redhat.com/ubi8/ubi-minimal
 LABEL name="Nexus Repository Manager" \
 vendor=Sonatype \
 maintainer="Sonatype " \
- version="3.70.1-02" \
- release="3.70.1" \
+ version="3.71.0-06" \
+ release="3.71.0" \
 url="https://sonatype.com" \
 summary="The Nexus Repository Manager server \
 with universal support for popular component formats." \
@@ -36,10 +36,10 @@ LABEL name="Nexus Repository Manager" \
 io.openshift.expose-services="8081:8081" \
 io.openshift.tags="Sonatype,Nexus,Repository Manager"
-ARG NEXUS_VERSION=3.70.1-02
+ARG NEXUS_VERSION=3.71.0-06
 ARG JAVA_VERSION=java17
 ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
-ARG NEXUS_DOWNLOAD_SHA256_HASH=6878fab6416b86fe73b799d34afce2b0a91446d602edc892ed71efbb205be01b
+ARG NEXUS_DOWNLOAD_SHA256_HASH=b025287558184677fc231035c9f5e5e6cc4bc1cafd76d13a06233a4ed09d08f6
 # configure nexus runtime
 ENV SONATYPE_DIR=/opt/sonatype
From f8db577c365ac1c4d59ea3f6c56c425cbece34af Mon Sep 17 00:00:00 2001
From: Michael Martz
Date: Thu, 8 Aug 2024 15:13:49 -0500
Subject: [PATCH 6/8] Fix missing /
---
 Jenkinsfile-Release | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile-Release b/Jenkinsfile-Release
index a854a77b..44825b1f 100644
--- a/Jenkinsfile-Release
+++ b/Jenkinsfile-Release
@@ -219,7 +219,7 @@ node('ubuntu-zion') {
 sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}"
 sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-ubi"
- sh "docker push docker-all.repo.sonatype.com/sonatype-internal${dockerHubRepository}:${version}-java17-ubi"
+ sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-ubi"
 sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-alpine"
 sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-alpine"
 }
From 6a231b1bd6735611657c2a0e56022ad65c38486b Mon Sep 17 00:00:00 2001
From: mburkert3
Date: Thu, 8 Aug 2024 21:53:33 -0400
Subject: [PATCH 7/8] Remove java versions
---
 Dockerfile.rh.ubi.java17 | 13 ++++++-------
 Jenkinsfile.rh | 22 +----------------------
 2 files changed, 7 insertions(+), 28 deletions(-)
diff --git a/Dockerfile.rh.ubi.java17 b/Dockerfile.rh.ubi.java17
index fea2cd01..d03c0f98 100644
--- a/Dockerfile.rh.ubi.java17
+++ b/Dockerfile.rh.ubi.java17
@@ -37,8 +37,7 @@ LABEL name="Nexus Repository Manager" \
 io.openshift.tags="Sonatype,Nexus,Repository Manager"
 ARG NEXUS_VERSION=3.71.0-06
-ARG JAVA_VERSION=java17
-ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
 ARG NEXUS_DOWNLOAD_SHA256_HASH=b025287558184677fc231035c9f5e5e6cc4bc1cafd76d13a06233a4ed09d08f6
 # configure nexus runtime
@@ -70,11 +69,11 @@ RUN usermod -a -G root nexus \ WORKDIR ${SONATYPE_DIR} # Download nexus & setup directories -RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \ - && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \ - && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \ - && tar -xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \ - && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \ +RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \ + && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && tar -xvf nexus-${NEXUS_VERSION}-unix.tar.gz \ + && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \ && chown -R nexus:nexus ${SONATYPE_WORK} \ && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \ diff --git a/Jenkinsfile.rh b/Jenkinsfile.rh index ca22c14c..7417bebf 100644 --- a/Jenkinsfile.rh +++ b/Jenkinsfile.rh @@ -5,29 +5,17 @@ */ @Library(['private-pipeline-library', 'jenkins-shared']) _ -String OPENJDK8 = 'OpenJDK 8' -String OPENJDK11 = 'OpenJDK 11' -String OPENJDK17 = 'OpenJDK 17' -List javaVersions = [OPENJDK8, OPENJDK11, OPENJDK17] - properties([ parameters([ string(name: 'version', description: 'Version tag to apply to the image, like 3.41.0-ubi-1.'), - choice(name: 'java_version', choices: javaVersions, description: 'Java version to run Nexus Repository Manager') ]), ]) node('ubuntu-zion') { - def JAVA_8 = 'java8' - def JAVA_11 = 'java11' - def JAVA_17 = 'java17' - try { stage('Preparation') { deleteDir() - checkout scm - sh 'docker system prune -a -f' sh ''' wget -q -O preflight \ 
@@ -45,13 +33,7 @@ node('ubuntu-zion') { credentialsId: 'red-hat-api-token', variable: 'API_TOKEN') ]) { - def javaVersionsMap = [ - (OPENJDK8): JAVA_8, - (OPENJDK11): JAVA_11, - (OPENJDK17): JAVA_17 - ] - def javaVersion = javaVersionsMap.get(params.java_version) - def dockerfilePath = 'Dockerfile.rh.ubi' + def dockerfilePath = 'Dockerfile.rh.ubi.java17' def baseImage = extractBaseImage(dockerfilePath) def baseImageRefFactory = load 'scripts/BaseImageReference.groovy' @@ -59,7 +41,6 @@ node('ubuntu-zion') { def baseImageReferenceStr = baseImageReference.getReference() def buildRedhatImageShCmd = 'PATH="$PATH:." VERSION=$version ' + - "JAVA_VERSION=${javaVersion} " + "DOCKERFILE='${dockerfilePath}' " + "BASE_IMG_REF='${baseImageReferenceStr}' " + './build_red_hat_image.sh' @@ -77,6 +58,5 @@ def extractBaseImage (dockerFileLocation) { def dockerFile = readFile(file: dockerFileLocation) def baseImageRegex = "FROM\\s+([^\\s]+)" def usedImages = dockerFile =~ baseImageRegex - return usedImages[0][1] } From 5e9876abcea6d5c1c6013820387937ae4d631f8f Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Fri, 9 Aug 2024 10:42:21 -0400 Subject: [PATCH 8/8] Fix rh script with java version (#216) Co-authored-by: mburkert3 --- build_red_hat_image.sh | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/build_red_hat_image.sh b/build_red_hat_image.sh index 70069700..79ac81f6 100755 --- a/build_red_hat_image.sh +++ b/build_red_hat_image.sh @@ -29,13 +29,10 @@ # * REGISTRY_LOGIN from Red Hat config page for image # * REGISTRY_PASSWORD from Red Hat config page for image # * API_TOKEN from red hat token/account page for API access -# * JAVA_VERSION java version to version docker images (e.g.: "java8", "java11", "java17") set -x # log commands as they execute set -e # stop execution on the first failed command -JAVA_8="java8" - # from config/scanning page at red hat CERT_PROJECT_ID=5e61d90a38776799eb517bd2 
@@ -43,11 +40,6 @@ REPOSITORY="quay.io"
 IMAGE_LATEST="${REPOSITORY}/redhat-isv-containers/${CERT_PROJECT_ID}:latest"
 IMAGE_TAG="${REPOSITORY}/redhat-isv-containers/${CERT_PROJECT_ID}:${VERSION}"
-if [[ $JAVA_VERSION != $JAVA_8 ]]; then
- DOCKERFILE="${DOCKERFILE}.${JAVA_VERSION}"
- IMAGE_TAG="${REPOSITORY}/redhat-isv-containers/${CERT_PROJECT_ID}:${VERSION}-${JAVA_VERSION}"
-fi
-
 AUTHFILE="${HOME}/.docker/config.json"
 docker build -f "${DOCKERFILE}" --label base-image-ref=${BASE_IMG_REF} -t "${IMAGE_TAG}" .
@@ -58,10 +50,7 @@ docker login "${REPOSITORY}" \
 --password "${REGISTRY_PASSWORD}"
 docker push "${IMAGE_TAG}"
-
-if [[ $JAVA_VERSION == $JAVA_8 ]]; then
- docker push "${IMAGE_LATEST}"
-fi
+docker push "${IMAGE_LATEST}"
 preflight check container \
 "${IMAGE_TAG}" \
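Review bot: `docker push "${IMAGE_LATEST}"` in the last hunk is now unconditional, so every run of this script, including a rebuild of an older `VERSION`, moves `latest` on the certification repository; the `docker tag` that creates `IMAGE_LATEST` is not in the visible hunks, so confirm it still runs before this line. The unchanged login in the same hunk passes `--password "${REGISTRY_PASSWORD}"` on the command line while the script runs under `set -x`, which writes the expanded command to the build log unless the CI masks it and exposes it in the process list either way. Turn tracing off around the login (`set +x` before, `set -x` after) and feed the secret on stdin with `--password-stdin` instead of `--password`. In the build command of the previous hunk, `--label base-image-ref=${BASE_IMG_REF}` is also unquoted and will word-split if the reference ever contains whitespace.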