From 41d2116ee2091e99bf95bf6c21cef416c10effcc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mitchell=20B=C3=B6secke?=
Date: Wed, 15 Nov 2023 15:47:00 -0700
Subject: [PATCH 01/10] Added basic HTTPS support by mounting a JKS file and providing some environment variables.
---
 Dockerfile | 6 ++
 README.md | 12 +++
 config/server-https.xml | 181 ++++++++++++++++++++++++++++++++++++++++
 startup.sh | 9 ++
 4 files changed, 208 insertions(+)
 create mode 100644 config/server-https.xml
diff --git a/Dockerfile b/Dockerfile
index 27de96d..8d2ffab 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -96,7 +96,13 @@ ENV POSTGRES_JNDI_ENABLED=false
 ENV CONFIG_DIR=/opt/config
 ENV CONFIG_OVERRIDES_DIR=/opt/config_overrides
+ENV HTTPS_ENABLED=false
+ENV HTTPS_KEYSTORE_FILE=/opt/keystore.jks
+ENV HTTPS_KEYSTORE_PASSWORD=changeit
+ENV HTTPS_KEY_ALIAS=server
+
 EXPOSE 8080
+EXPOSE 8443
 WORKDIR /tmp
diff --git a/README.md b/README.md
index 243da2d..c1fba2d 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,8 @@ This Dockerfile can be used to create images for all geoserver versions since 2.
 * CORS support
 * Support extensions
 * Support additional libraries
+ * Support for PostgreSQL JNDI
+ * Support for HTTPS
 This README.md file covers use of official docker image, additional [build](BUILD.md) and [release](RELEASE.md) instructions are available.
@@ -146,6 +148,16 @@ In geoserver, you can then reference this JNDI resource using the name `java:com For advanced customization of the connection pool, you can provide your own customized "context.xml" file to Apache Tomcat by mounting it to the container at ``/opt/config_overrides/context.xml``. +## How to enable HTTPS? + +To enable HTTPS, mount a JKS file to the container (ex. `/opt/keystore.jks`) and provide the following environment +variables: + +* ``HTTPS_ENABLED`` to `true` +* ``HTTPS_KEYSTORE_FILE`` (defaults to `/opt/keystore.jks`) +* ``HTTPS_KEYSTORE_PASSWORD`` (defaults to `changeit`) +* ``HTTPS_KEY_ALIAS`` (defaults to `server`) + ## How to use the docker-compose demo? The ``docker-compose-demo.yml`` to build with your own data directory and extensions. diff --git a/config/server-https.xml b/config/server-https.xml new file mode 100644 index 0000000..23c84cf --- /dev/null +++ b/config/server-https.xml @@ -0,0 +1,181 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/startup.sh b/startup.sh index 9195d26..d0964e1 100755 --- a/startup.sh +++ b/startup.sh @@ -111,5 +111,14 @@ if [ "${POSTGRES_JNDI_ENABLED}" = "true" ]; then fi fi +if [ "${HTTPS_ENABLED}" = "true" ]; then + if [ ! -f "${HTTPS_KEYSTORE_FILE}" ]; then + echo "ERROR: HTTPS was enabled but keystore file was not mounted to container [${HTTPS_KEYSTORE_FILE}]" + exit 1 + fi + echo "Installing [${CATALINA_HOME}/conf/server.xml] with HTTPS support using substituted environment variables" + envsubst < "${CONFIG_DIR}"/server-https.xml > "${CATALINA_HOME}/conf/server.xml" +fi + # start the tomcat exec $CATALINA_HOME/bin/catalina.sh run From a8029b3eba77a18449c39b73b8ce655f5ab41e41 Mon Sep 17 00:00:00 2001 From: Andreas Schmitz Date: Tue, 14 May 2024 15:45:04 +0200 Subject: [PATCH 02/10] fix: allow unicode filenames --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
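Review bot: `envsubst < "${CONFIG_DIR}"/server-https.xml` is called without a SHELL-FORMAT argument, so it rewrites every `$NAME`/`${NAME}` token in the template, not only the three HTTPS variables; the template's content is not legible in this patch, so if it carries any other `$`-prefixed reference that value would be replaced from the container environment or blanked. Restrict the substitution to the intended names: `envsubst '${HTTPS_KEYSTORE_FILE} ${HTTPS_KEYSTORE_PASSWORD} ${HTTPS_KEY_ALIAS}' < "${CONFIG_DIR}"/server-https.xml > "${CATALINA_HOME}/conf/server.xml"`. The missing-keystore diagnostic should go to stderr, `echo "ERROR: HTTPS was enabled but keystore file was not mounted to container [${HTTPS_KEYSTORE_FILE}]" >&2`, so it survives stdout redirection. The generated server.xml also carries the keystore password in clear text, and with the Dockerfile default `changeit` an unchanged default lands in `${CATALINA_HOME}/conf` — worth a sentence in the README section this patch adds.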
diff --git a/Dockerfile b/Dockerfile
index a1b7568..0dc3d34 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,7 +32,7 @@ ENV CATALINA_OPTS="\$EXTRA_JAVA_OPTS \
 # init
 RUN apt update \
 && apt -y upgrade \
- && apt install -y --no-install-recommends openssl unzip gdal-bin wget curl openjdk-11-jdk gettext \
+ && apt install -y --no-install-recommends locales openssl unzip gdal-bin wget curl openjdk-11-jdk gettext \
 && apt clean \
 && rm -rf /var/cache/apt/* \
 && rm -rf /var/lib/apt/lists/*
@@ -105,6 +105,8 @@ EXPOSE 8080
 WORKDIR /tmp
+RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
+
 RUN echo "Installing GeoServer $GS_VERSION $GS_BUILD"
 COPY --from=download /tmp/geoserver $CATALINA_HOME/webapps/geoserver
From 5857fa382b677297a4dbdba3ad9d6854aae5f882 Mon Sep 17 00:00:00 2001
From: Dirk Mennecke
Date: Fri, 24 May 2024 15:06:12 +0200
Subject: [PATCH 03/10] Replace line breaks and run startup script with bash
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a1b7568..867d537 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -142,9 +142,9 @@ RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
 # GeoServer user => restrict access to $CATALINA_HOME and GeoServer directories
 # See also CIS Docker benchmark and docker best practices
-RUN chmod +x /opt/*.sh
+RUN chmod +x /opt/*.sh && sed -i 's/\r$//' /opt/startup.sh
-ENTRYPOINT ["/opt/startup.sh"]
+ENTRYPOINT ["bash", "/opt/startup.sh"]
 WORKDIR /opt
From 96e081901bc75d325faeb10c26b082d88b643aae Mon Sep 17 00:00:00 2001
From: Dirk Mennecke
Date: Fri, 24 May 2024 15:08:01 +0200
Subject: [PATCH 04/10] Edit startup.sh to handle credentials update
---
 startup.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/startup.sh b/startup.sh
index 5e76d30..99f260e 100755
--- a/startup.sh
+++ b/startup.sh
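Review bot: `RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen` generates the locale but nothing in this hunk selects it; unless `LANG` or `LC_ALL` is set elsewhere in the Dockerfile (not visible in these hunks), the JVM still starts under the POSIX locale and typically keeps an ASCII `sun.jnu.encoding`, which is the usual cause of the unicode-filename failures this commit targets. If no such setting exists, add `ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8` right after the `locale-gen` line so the generated locale is actually used.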
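Review bot: The CRLF strip `sed -i 's/\r$//' /opt/startup.sh` covers only startup.sh while the `chmod +x` on the same line covers every `/opt/*.sh`; any other script copied into /opt (the credentials script that later commits in this series invoke from startup.sh) would fail the same way if it arrived with CRLF endings. Use the same glob: `RUN chmod +x /opt/*.sh && sed -i 's/\r$//' /opt/*.sh`. Note that `ENTRYPOINT ["bash", "/opt/startup.sh"]` overrides the script's shebang, which is fine if startup.sh is written for bash but silently widens what it accepts if it was a `#!/bin/sh` script.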
@@ -142,4 +142,8 @@ if [ ! "${ENABLE_DEFAULT_SHUTDOWN}" = "true" ]; then
 REPLACEMENT=
 fi
+if [ -n "$GEOSERVER_ADMIN_PASSWORD" ] && [ -n "$GEOSERVER_ADMIN_USER" ]; then
+ /bin/sh /opt/update_credentials.sh
+fi
+
 exec $CATALINA_HOME/bin/catalina.sh run -Dorg.apache.catalina.connector.RECYCLE_FACADES=true
From 119ec88b8fa1fdbf4bea0e0408f4574946b9506e Mon Sep 17 00:00:00 2001
From: Dirk Mennecke
Date: Fri, 24 May 2024 15:10:05 +0200
Subject: [PATCH 05/10] Add update_credentials script
---
 update_credentials.sh | 71 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 update_credentials.sh
diff --git a/update_credentials.sh b/update_credentials.sh
new file mode 100644
index 0000000..599ae9f
--- /dev/null
+++ b/update_credentials.sh
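Review bot: `/bin/sh /opt/update_credentials.sh` ignores the script's exit status, so a failed credential rewrite still falls through to `exec $CATALINA_HOME/bin/catalina.sh run` and GeoServer starts with whatever users.xml happened to be in place; since the whole point of setting `GEOSERVER_ADMIN_PASSWORD` is to not run with the default account, the failure should be fatal: `/opt/update_credentials.sh || exit 1`. Running it via `/bin/sh` also overrides the `#!/bin/bash` shebang the script (added in the next commit of this series) declares; the Dockerfile already does `chmod +x /opt/*.sh`, so invoking it directly keeps interpreter and shebang in agreement.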
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Credits to https://github.com/meggsimum/geoserver-docker/ and https://github.com/kartoza/docker-geoserver
+
+echo "Updating GeoServer Credentials ..."
+
+if [ ${DEBUG} ]; then
+ set -e
+ set -x
+fi;
+
+# copy over default security folder to data dir (if not existing)
+if [ ! -d "${GEOSERVER_DATA_DIR}security" ]; then
+ cp -r ${CATALINA_HOME}"/webapps/"$APP_PATH_PREFIX"geoserver/data/security" ${GEOSERVER_DATA_DIR}
+fi
+
+GEOSERVER_ADMIN_USER=${GEOSERVER_ADMIN_USER:-admin}
+GEOSERVER_ADMIN_PASSWORD=${GEOSERVER_ADMIN_PASSWORD:-geoserver}
+
+# templates to use as base for replacement
+USERS_XML_ORIG=${CATALINA_HOME}"/webapps/"$APP_PATH_PREFIX"geoserver/data/security/usergroup/default/users.xml"
+echo "USING USERS XML ORIGINAL:" $USERS_XML_ORIG
+ROLES_XML_ORIG=${CATALINA_HOME}"/webapps/"$APP_PATH_PREFIX"geoserver/data/security/role/default/roles.xml"
+echo "USING ROLES XML ORIGINAL:" $ROLES_XML_ORIG
+
+# final users.xml file GeoServer data dir
+USERS_XML=${USERS_XML:-${GEOSERVER_DATA_DIR}security/usergroup/default/users.xml}
+echo "SETTING USERS XML:" $USERS_XML
+# final roles.xml file GeoServer data dir
+ROLES_XML=${ROLES_XML:-${GEOSERVER_DATA_DIR}security/role/default/roles.xml}
+echo "SETTING ROLES XML:" . $ROLES_XML
+
+CLASSPATH=$CATALINA_HOME/webapps/$APP_PATH_PREFIX"geoserver/WEB-INF/lib/"
+
+# tmp files
+TMP_USERS=/tmp/users.xml
+TMP_ROLES=/tmp/roles.xml
+
+make_hash(){
+ NEW_PASSWORD=$1
+ (echo "digest1:" && java -classpath $(find $CLASSPATH -regex ".*jasypt-[0-9]\.[0-9]\.[0-9].*jar") org.jasypt.intf.cli.JasyptStringDigestCLI digest.sh algorithm=SHA-256 saltSizeBytes=16 iterations=100000 input="$NEW_PASSWORD" verbose=0) | tr -d '\n'
+}
+
+# create PW hash for given password
+PWD_HASH=$(make_hash $GEOSERVER_ADMIN_PASSWORD)
+
+# USERS.XML SETUP
+#
+cat $USERS_XML_ORIG | sed -e "s/ name=\".*\" / name=\"${GEOSERVER_ADMIN_USER}\" /" | sed -e "s|password=\".*\"/|password=\"${PWD_HASH}\"\/|" > $TMP_USERS
+if [ $? -eq 0 ]
+then
+ mv $TMP_USERS $USERS_XML
+ echo "Successfully replaced $USERS_XML"
+else
+ echo "CAUTION: Abort update_credentials.sh due to error while creating users.xml. File at $USERS_XML keeps untouched"
+ exit
+fi
+
+# ROLES.XML SETUP
+#
+cat $ROLES_XML_ORIG | sed -e "s/ username=\".*\"/ username=\"${GEOSERVER_ADMIN_USER}\"/" > $TMP_ROLES
+if [ $? -eq 0 ]
+then
+ mv $TMP_ROLES $ROLES_XML
+ echo "Successfully replaced $ROLES_XML"
+else
+ echo "CAUTION: Abort update_credentials.sh due to error while creating roles.xml. File at $ROLES_XML keeps untouched"
+ exit
+fi
+
+echo "... DONE updating GeoServer Credentials ..."
\ No newline at end of file
From 37362a3c43fafd297e24f60030d994b14c39a292 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20B=C3=BChner?=
Date: Wed, 29 May 2024 12:54:11 +0200
Subject: [PATCH 06/10] feat: ignore pg data when using compose example
---
 .dockerignore | 1 +
 .gitignore | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.dockerignore b/.dockerignore
index 567609b..9f878ab 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1 +1,2 @@
 build/
+postgis/
diff --git a/.gitignore b/.gitignore
index 92bc551..99ff525 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 *.iml
 *.idea
-
+postgis/
From ef8d2afa959de2be189b5d97017714410fd002b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20B=C3=BChner?=
Date: Wed, 29 May 2024 13:17:17 +0200
Subject: [PATCH 07/10] chore: use latest tomcat and geoserver versions
---
 Dockerfile | 6 +++---
 README.md | 24 ++++++++++++------------
 RELEASE.md | 10 +++++-----
 build/release.sh | 2 +-
 docker-compose-demo.yml | 2 +-
 5 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0dc3d34..da3f891 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM ubuntu:22.04 as tomcat
-ARG TOMCAT_VERSION=9.0.86
+ARG TOMCAT_VERSION=9.0.89
 ARG CORS_ENABLED=false
 ARG CORS_ALLOWED_ORIGINS=*
 ARG CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,HEAD,OPTIONS
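Review bot: Both failure branches end in a bare `exit`, whose status is that of the preceding `echo`, i.e. 0, so a failed rewrite is reported as success to the caller in startup.sh and Tomcat starts on the untouched users.xml; make both `exit 1`. The `if [ $? -eq 0 ]` checks only see the last `sed` of each pipeline (no `set -o pipefail`), so a missing or unreadable `$USERS_XML_ORIG` or `$ROLES_XML_ORIG` goes undetected as well. In make_hash the password is handed to java as a command-line argument (`input="$NEW_PASSWORD"`), which exposes it in the process list for the duration of the hash and, with `DEBUG` set, in the `set -x` trace; the call site `make_hash $GEOSERVER_ADMIN_PASSWORD` is also unquoted and splits a password containing whitespace, so at minimum write `PWD_HASH=$(make_hash "$GEOSERVER_ADMIN_PASSWORD")`. Minor: `echo "SETTING ROLES XML:" . $ROLES_XML` prints a stray `.`.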
@@ -56,7 +56,7 @@ RUN apt purge -y \
 FROM tomcat as download
-ARG GS_VERSION=2.24.1
+ARG GS_VERSION=2.25.1
 ARG GS_BUILD=release
 ARG WAR_ZIP_URL=https://downloads.sourceforge.net/project/geoserver/GeoServer/${GS_VERSION}/geoserver-${GS_VERSION}-war.zip
 ENV GEOSERVER_VERSION=$GS_VERSION
@@ -72,7 +72,7 @@ RUN echo "Downloading GeoServer ${GS_VERSION} ${GS_BUILD}" \
 FROM tomcat as install
-ARG GS_VERSION=2.24.1
+ARG GS_VERSION=2.25.1
 ARG GS_BUILD=release
 ARG STABLE_PLUGIN_URL=https://downloads.sourceforge.net/project/geoserver/GeoServer/${GS_VERSION}/extensions
 ARG COMMUNITY_PLUGIN_URL=''
diff --git a/README.md b/README.md
index 92afca9..d5ec45e 100644
--- a/README.md
+++ b/README.md
@@ -18,20 +18,20 @@ This README.md file covers use of official docker image, additional [build](BUIL
 To pull an official image use ``docker.osgeo.org/geoserver:{{VERSION}}``, e.g.:
 ```shell
-docker pull docker.osgeo.org/geoserver:2.24.1
+docker pull docker.osgeo.org/geoserver:2.25.1
 ```
 All the images can be found at: [https://repo.osgeo.org](https://repo.osgeo.org/#browse/browse:geoserver-docker:v2/geoserver/tags) and the latest stable and maintenance version numbers can be obtained from [https://geoserver.org/download/](https://geoserver.org/download/)
 Afterwards you can run the pulled image locally with:
 ```shell
-docker run -it -p 80:8080 docker.osgeo.org/geoserver:2.24.1
+docker run -it -p 80:8080 docker.osgeo.org/geoserver:2.25.1
 ```
 Or if you want to start the container daemonized, use e.g.:
 ```shell
-docker run -d -p 80:8080 docker.osgeo.org/geoserver:2.24.1
+docker run -d -p 80:8080 docker.osgeo.org/geoserver:2.25.1
 ```
 Check to see the geoserver page,
@@ -48,7 +48,7 @@ To use an external folder as your geoserver data directory.
 ```shell
 docker run -it -p 80:8080 \
 --mount src="/absolute/path/on/host",target=/opt/geoserver_data/,type=bind \
- docker.osgeo.org/geoserver:2.24.1
+ docker.osgeo.org/geoserver:2.25.1
 ```
 An empty data directory will be populated on first use. You can easily update GeoServer while
@@ -63,7 +63,7 @@ The environment variable `SKIP_DEMO_DATA` can be set to `true` to create an empt
 ```shell
 docker run -it -p 80:8080 \
 --env SKIP_DEMO_DATA=true \
- docker.osgeo.org/geoserver:2.24.1
+ docker.osgeo.org/geoserver:2.25.1
 ```
 ## How to issue a redirect from the root ("/") to GeoServer web interface ("/geoserver/web")?
@@ -84,8 +84,8 @@ The ``startup.sh`` script allows some customization on startup:
 * ``CORS_ALLOW_CREDENTIALS`` (default ``false``) **Setting this to ``true`` will only have the desired effect if ``CORS_ALLOWED_ORIGINS`` defines explicit origins (not ``*``)**
 * ``PROXY_BASE_URL`` to the base URL of the GeoServer web app if GeoServer is behind a proxy. Example: ``https://example.com/geoserver``.
-The CORS variables customize tomcat's `web.xml` file. If you need more customization,
-you can provide your own customized `web.xml` file to tomcat by mounting it into the container
+The CORS variables customize tomcat's `web.xml` file. If you need more customization,
+you can provide your own customized `web.xml` file to tomcat by mounting it into the container
 at `/opt/config_overrides/web.xml`.
 Example installing wps and ysld extensions:
@@ -93,7 +93,7 @@ Example installing wps and ysld extensions:
 ```shell
 docker run -it -p 80:8080 \
 --env INSTALL_EXTENSIONS=true --env STABLE_EXTENSIONS="wps,ysld" \
- docker.osgeo.org/geoserver:2.24.1
+ docker.osgeo.org/geoserver:2.25.1
 ```
 The list of extensions (taken from SourceForge download page):
@@ -118,7 +118,7 @@ If you want to add geoserver extensions/libs, place the respective jar files in
 ```shell
 docker run -it -p 80:8080 \
 --mount src="/dir/with/libs/on/host",target=/opt/additional_libs,type=bind \
- docker.osgeo.org/geoserver:2.24.1
+ docker.osgeo.org/geoserver:2.25.1
 ```
 ## How to add additional fonts to the docker image (e.g. for SLD styling)?
@@ -128,7 +128,7 @@ If you want to add custom fonts (the base image only contains 26 fonts) by using
 ```shell
 docker run -it -p 80:8080 \
 --mount src="/dir/with/fonts/on/host",target=/opt/additional_fonts,type=bind \
- docker.osgeo.org/geoserver:2.24.1
+ docker.osgeo.org/geoserver:2.25.1
 ```
 **Note:** Do not change the target value!
@@ -163,7 +163,7 @@ Example:
 ```shell
 docker run -it -p 80:8080 \
 --mount src="/path/to/my/server.xml",target=/opt/config_overrides/server.xml,type=bind \
- docker.osgeo.org/geoserver:2.24.1
+ docker.osgeo.org/geoserver:2.25.1
 ```
 ## How to use the docker-compose demo?
@@ -183,7 +183,7 @@ Following is the list of the all the environment variables that can be passed do
 | VAR NAME | DESCRIPTION | SAMPLE VALUE |
 |--------------|-----------|------------|
 | PATH | Used by geoserver internally to find all the libs | `/usr/local/sbin:/usr/local/bin:` |
-| CATALINA_HOME | CATALINA home path | `/opt/apache-tomcat-9.0.86` |
+| CATALINA_HOME | CATALINA home path | `/opt/apache-tomcat-9.0.89` |
 | EXTRA_JAVA_OPTS | Used to pass params to the JAVA environment. Check [ref](https://docs.oracle.com/en/java/javase/11/tools/java.html) | `-Xms256m -Xmx1g` |
 | CORS_ENABLED | CORS enabled configuration | `false` |
 | CORS_ALLOWED_ORIGINS | CORS origins configuration | `*` |
diff --git a/RELEASE.md b/RELEASE.md
index ec50fa8..806b83d 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -7,7 +7,7 @@ OSGeo maintains geoserver-docker.osgeo.org repository for publishing. The result
 Build locally:
 ```shell
-docker build -t geoserver-docker.osgeo.org/geoserver:2.24.1 .
+docker build -t geoserver-docker.osgeo.org/geoserver:2.25.1 .
 ```
 Login using with osgeo user id:
@@ -19,7 +19,7 @@ docker login geoserver-docker.osgeo.org
 Push to osgeo repository:
 ```shell
-docker push geoserver-docker.osgeo.org/geoserver:2.24.1
+docker push geoserver-docker.osgeo.org/geoserver:2.25.1
 ```
 ## How to automate release?
@@ -34,10 +34,10 @@ The third, optional, is used to supply the jenkins build number - triggering a n
 Examples:
-`./release.sh build 2.24.1`
+`./release.sh build 2.25.1`
-`./release.sh publish 2.24.1`
+`./release.sh publish 2.25.1`
-`./release.sh buildandpublish 2.24.1`
+`./release.sh buildandpublish 2.25.1`
 `./release.sh buildandpublish 2.24-SNAPSHOT 1234`
diff --git a/build/release.sh b/build/release.sh
index a946b43..b740716 100755
--- a/build/release.sh
+++ b/build/release.sh
@@ -9,7 +9,7 @@ function usage() {
 echo "$0 []"
 echo ""
 echo " mode : The mode. Choose one of 'build', 'publish' or 'buildandpublish'"
- echo " version : The released version to build an docker image for (eg: 2.24.1, ${MAIN}-SNAPSHOT, ${MAIN}-RC)"
+ echo " version : The released version to build an docker image for (eg: 2.25.1, ${MAIN}-SNAPSHOT, ${MAIN}-RC)"
 echo " build : Build number (optional)"
 }
diff --git a/docker-compose-demo.yml b/docker-compose-demo.yml
index 8de1fc4..d5f49db 100644
--- a/docker-compose-demo.yml
+++ b/docker-compose-demo.yml
@@ -4,7 +4,7 @@ services:
 build:
 context: .
 args:
- - GEOSERVER_VERSION=2.24.1
+ - GEOSERVER_VERSION=2.25.1
 - CORS_ENABLED=true
 - CORS_ALLOWED_METHODS=GET,POST,PUT,HEAD,OPTIONS
 ports:
From c0d6edd74d3bfe79d45f1a17a683adecdaf6a32d Mon Sep 17 00:00:00 2001
From: Dirk Mennecke
Date: Thu, 6 Jun 2024 09:41:36 +0200
Subject: [PATCH 08/10] Update readme
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 92afca9..9c20627 100644
--- a/README.md
+++ b/README.md
@@ -204,6 +204,8 @@ Following is the list of the all the environment variables that can be passed do
 | SKIP_DEMO_DATA | Indicates whether to skip the installation of demo data provided by GeoServer | `false` |
 | ROOT_WEBAPP_REDIRECT | Indicates whether to issue a permanent redirect to the web interface | `false` |
 | HEALTHCHECK_URL | URL to the resource / endpoint used for `docker` health checks | `http://localhost:8080/geoserver/web/wicket/resource/org.geoserver.web.GeoServerBasePage/img/logo.png` |
+| GEOSERVER_ADMIN_USER | Admin username | |
+| GEOSERVER_ADMIN_PASSWORD | Admin password | |
 The following values cannot really be safely changed (as they are used to download extensions and community modules as the docker image first starts up).
 | VAR NAME | DESCRIPTION | SAMPLE VALUE |
From 6d965d2f6104f96fa36254a266cebc2769965a95 Mon Sep 17 00:00:00 2001
From: Dirk Mennecke
Date: Thu, 6 Jun 2024 12:55:08 +0200
Subject: [PATCH 09/10] Update README environment variables
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9c20627..eb3fb84 100644
--- a/README.md
+++ b/README.md
@@ -204,7 +204,7 @@ Following is the list of the all the environment variables that can be passed do
 | SKIP_DEMO_DATA | Indicates whether to skip the installation of demo data provided by GeoServer | `false` |
 | ROOT_WEBAPP_REDIRECT | Indicates whether to issue a permanent redirect to the web interface | `false` |
 | HEALTHCHECK_URL | URL to the resource / endpoint used for `docker` health checks | `http://localhost:8080/geoserver/web/wicket/resource/org.geoserver.web.GeoServerBasePage/img/logo.png` |
-| GEOSERVER_ADMIN_USER | Admin username | |
+| GEOSERVER_ADMIN_USER | Admin username | |
 | GEOSERVER_ADMIN_PASSWORD | Admin password | |
 The following values cannot really be safely changed (as they are used to download extensions and community modules as the docker image first starts up).
From f22cb29910f77b31c36970e26b58a19b1afe7c5d Mon Sep 17 00:00:00 2001
From: Andre Henn
Date: Thu, 27 Jun 2024 14:53:54 +0200
Subject: [PATCH 10/10] adds newline
---
 update_credentials.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/update_credentials.sh b/update_credentials.sh
index 599ae9f..2f22081 100644
--- a/update_credentials.sh
+++ b/update_credentials.sh
@@ -68,4 +68,4 @@ else
 exit
 fi
-echo "... DONE updating GeoServer Credentials ..."
\ No newline at end of file
+echo "... DONE updating GeoServer Credentials ..."