Merge pull request #141 from geoserver/renovate/github-codeql-action-digest

chore(deps): update github/codeql-action digest to dd74661

.github/workflows/trivy.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Build image
         run: docker build -t geoserver-docker.osgeo.org/geoserver:${{ github.sha }} .
       - name: Run trivy
@@ -22,6 +22,6 @@ jobs:
           severity: 'CRITICAL,HIGH'
           vuln-type: 'os,library'
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3
         with:
           sarif_file: 'trivy-results.sarif'

BUILD.md

@@ -65,14 +65,14 @@ Override these arguments to make use of build.geoserver.org nightly releases:
 * ``--build-arg STABLE_PLUGIN_URL=https://build.geoserver.org/geoserver/${GS_VERSION}/ext-latest/``
 * ``--build-arg COMMUNITY_PLUGIN_URL=https://build.geoserver.org/geoserver/${GS_VERSION}/community-latest/``
 
-Here is a working example for building 2.25.x nightly build::
+Here is a working example for building 2.26.x nightly build::
 ```
 docker build --no-cache-filter download,install \
-  --build-arg WAR_ZIP_URL=https://build.geoserver.org/geoserver/2.25.x/geoserver-2.25.x-latest-war.zip \
-  --build-arg STABLE_PLUGIN_URL=https://build.geoserver.org/geoserver/2.25.x/ext-latest/ \
-  --build-arg COMMUNITY_PLUGIN_URL=https://build.geoserver.org/geoserver/2.25.x/community-latest/ \
+  --build-arg WAR_ZIP_URL=https://build.geoserver.org/geoserver/2.26.x/geoserver-2.26.x-latest-war.zip \
+  --build-arg STABLE_PLUGIN_URL=https://build.geoserver.org/geoserver/2.26.x/ext-latest/ \
+  --build-arg COMMUNITY_PLUGIN_URL=https://build.geoserver.org/geoserver/2.26.x/community-latest/ \
   --build-arg GS_VERSION=2.24-SNAPSHOT \
-  -t 2.25.x .
+  -t 2.26.x .
 ```
 
 When running both stable extensions and community modules can be included:
@@ -82,7 +82,7 @@ docker run -it -p 80:8080 \
   --env INSTALL_EXTENSIONS=true \
   --env STABLE_EXTENSIONS="ysld" \
   --env COMMUNITY_EXTENSIONS="ogcapi" \
-  -t 2.25.x
+  -t 2.26.x
 ```
 
 Community modules are only available for nightly builds as they have not yet met the requirements for production use. Developers have shared these to attract participation, feedback and funding.
@@ -96,7 +96,7 @@ The build.geoserver.org output for the ``main`` branch requires the following:
 * ``--build-arg COMMUNITY_PLUGIN_URL=https://build.geoserver.org/geoserver/main/community-latest/``
 
 
-Here is a working example for building main branch as 2.25.x build:
+Here is a working example for building main branch as 2.26.x build:
 
 ```
 docker build --no-cache-filter download,install \
@@ -104,7 +104,7 @@ docker build --no-cache-filter download,install \
   --build-arg STABLE_PLUGIN_URL=https://build.geoserver.org/geoserver/main/ext-latest/ \
   --build-arg COMMUNITY_PLUGIN_URL=https://build.geoserver.org/geoserver/main/community-latest/ \
   --build-arg GS_VERSION=2.24-SNAPSHOT \
-  -t 2.25.x .
+  -t 2.26.x .
 ```
 
 When running both [stable extensions](https://build.geoserver.org/geoserver/main/ext-latest/) and [community modules](https://build.geoserver.org/geoserver/main/community-latest/) can be included:
@@ -114,6 +114,6 @@ docker run -it -p 80:8080 \
   --env INSTALL_EXTENSIONS=true \
   --env STABLE_EXTENSIONS="wps,css" \
   --env COMMUNITY_EXTENSIONS="ogcapi-coverages,ogcapi-dggs,ogcapi-features,ogcapi-images,ogcapi-maps,ogcapi-styles,ogcapi-tiled-features,ogcapi-tiles" \
-  -t 2.25.x
+  -t 2.26.x
 ```
 

Dockerfile

@@ -1,18 +1,18 @@
-FROM tomcat:9.0.95-jdk17-temurin-jammy@sha256:4ac5245eb0de6361774a8e3b2cd57d368bdec614028d945e51530072a791b84c
+FROM tomcat:9.0.98-jdk17-temurin-jammy@sha256:4cce4376204e1b73ec6864988d6a7da3f7648fd5209442323fabaa00fbe6c335
 LABEL vendor="osgeo.org"
 
 # Build arguments
 ARG ADDITIONAL_FONTS_PATH=./additional_fonts/
 ARG ADDITIONAL_LIBS_PATH=./additional_libs/
 ARG COMMUNITY_PLUGIN_URL=''
-ARG CORS_ALLOWED_HEADERS=*
+ARG CORS_ALLOWED_HEADERS=Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers
 ARG CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,HEAD,OPTIONS
 ARG CORS_ALLOWED_ORIGINS=*
 ARG CORS_ALLOW_CREDENTIALS=false
 ARG CORS_ENABLED=false
 ARG GS_BUILD=release
 ARG GS_DATA_PATH=./geoserver_data/
-ARG GS_VERSION=2.25.2
+ARG GS_VERSION=2.26.2
 ARG STABLE_PLUGIN_URL=https://downloads.sourceforge.net/project/geoserver/GeoServer/${GS_VERSION}/extensions
 ARG WAR_ZIP_URL=https://downloads.sourceforge.net/project/geoserver/GeoServer/${GS_VERSION}/geoserver-${GS_VERSION}-war.zip
 
@@ -33,20 +33,43 @@ ENV EXTRA_JAVA_OPTS="-Xms256m -Xmx1g"
 ENV GEOSERVER_BUILD=$GS_BUILD
 ENV GEOSERVER_DATA_DIR=/opt/geoserver_data/
 ENV GEOSERVER_LIB_DIR=$CATALINA_HOME/webapps/geoserver/WEB-INF/lib/
-ENV GEOSERVER_REQUIRE_FILE=$GEOSERVER_DATA_DIR/global.xml
+ENV SET_GEOSERVER_REQUIRE_FILE=true
 ENV GEOSERVER_VERSION=$GS_VERSION
 ENV HEALTHCHECK_URL=''
 ENV INSTALL_EXTENSIONS=false
 ENV POSTGRES_JNDI_ENABLED=false
 ENV ROOT_WEBAPP_REDIRECT=false
+ENV RUN_UNPRIVILEGED=false
+ENV RUN_WITH_USER_UID=
+ENV RUN_WITH_USER_GID=
+ENV CHANGE_OWNERSHIP_ON_FOLDERS="/opt $GEOSERVER_DATA_DIR"
 ENV SKIP_DEMO_DATA=false
 ENV STABLE_EXTENSIONS=''
 ENV STABLE_PLUGIN_URL=$STABLE_PLUGIN_URL
 ENV WAR_ZIP_URL=$WAR_ZIP_URL
 ENV WEBAPP_CONTEXT=geoserver
 
+# ENV JDK_JAVA_OPTIONS=--add-exports=java.desktop/sun.awt.image=ALL-UNNAMED \
+#    --add-opens=java.base/java.lang=ALL-UNNAMED \
+#    --add-opens=java.base/java.util=ALL-UNNAMED \
+#    --add-opens=java.base/java.lang.reflect=ALL-UNNAMED \
+#    --add-opens=java.base/java.text=ALL-UNNAMED \
+#    --add-opens=java.desktop/java.awt.font=ALL-UNNAMED \
+#    --add-opens=java.desktop/sun.awt.image=ALL-UNNAMED \
+#    --add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED \
+#    --add-opens=java.desktop/sun.java2d.pipe=ALL-UNNAMED
+
 # see https://docs.geoserver.org/stable/en/user/production/container.html
 ENV CATALINA_OPTS="\$EXTRA_JAVA_OPTS \
+    --add-exports=java.desktop/sun.awt.image=ALL-UNNAMED \
+    --add-opens=java.base/java.lang=ALL-UNNAMED \
+    --add-opens=java.base/java.util=ALL-UNNAMED \
+    --add-opens=java.base/java.lang.reflect=ALL-UNNAMED \
+    --add-opens=java.base/java.text=ALL-UNNAMED \
+    --add-opens=java.desktop/java.awt.font=ALL-UNNAMED \
+    --add-opens=java.desktop/sun.awt.image=ALL-UNNAMED \
+    --add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED \
+    --add-opens=java.desktop/sun.java2d.pipe=ALL-UNNAMED \
     -Djava.awt.headless=true -server \
     -Dfile.encoding=UTF-8 \
     -Djavax.servlet.request.encoding=UTF-8 \
@@ -58,19 +81,23 @@ ENV CATALINA_OPTS="\$EXTRA_JAVA_OPTS \
 
 WORKDIR /tmp
 
-# Install dependencies and download geoserver
+# Install dependencies
 RUN set -eux \
     && export DEBIAN_FRONTEND=noninteractive \
     && apt-get update \
-    && apt-get install -y --no-install-recommends openssl unzip curl locales gettext \
+    && apt-get install -y --no-install-recommends openssl unzip curl locales gettext gosu \
     && apt-get clean \
     && rm -rf /var/cache/apt/* \
-    && rm -rf /var/lib/apt/lists/* \
+    && rm -rf /var/lib/apt/lists/*
+
+# Download geoserver
+RUN set -eux \
     && echo "Downloading GeoServer ${GS_VERSION} ${GS_BUILD}" \
     && wget -q -O /tmp/geoserver.zip $WAR_ZIP_URL \
     && unzip geoserver.zip geoserver.war -d /tmp/ \
     && unzip -q /tmp/geoserver.war -d /tmp/geoserver \
     && rm /tmp/geoserver.war \
+    && rm geoserver.zip \
     && echo "Installing GeoServer $GS_VERSION $GS_BUILD" \
     && mv /tmp/geoserver $CATALINA_HOME/webapps/geoserver \
     && mv $CATALINA_HOME/webapps/geoserver/WEB-INF/lib/marlin-*.jar $CATALINA_HOME/lib/marlin.jar \
@@ -116,6 +143,14 @@ RUN apt purge -y  \
 
 RUN chmod +x /opt/*.sh && sed -i 's/\r$//' /opt/startup.sh
 
+# # Create a non-privileged tomcat user
+# ARG USER_GID=999
+# ARG USER_UID=999
+# RUN addgroup --gid ${USER_GID} tomcat && \
+#     adduser --system  -u ${USER_UID} --gid ${USER_GID} --no-create-home tomcat && \
+#     chown -R tomcat:tomcat /opt && \
+#     chown tomcat:tomcat $GEOSERVER_DATA_DIR
+
 ENTRYPOINT ["bash", "/opt/startup.sh"]
 
 WORKDIR /opt

README.md

@@ -21,20 +21,20 @@ This README.md file covers use of official docker image, additional [build](BUIL
 To pull an official image use ``docker.osgeo.org/geoserver:{{VERSION}}``, e.g.:
 
 ```shell
-docker pull docker.osgeo.org/geoserver:2.25.2
+docker pull docker.osgeo.org/geoserver:2.26.2
 ```
 All the images can be found at: [https://repo.osgeo.org](https://repo.osgeo.org/#browse/browse:geoserver-docker:v2/geoserver/tags) and the latest stable and maintenance version numbers can be obtained from [https://geoserver.org/download/](https://geoserver.org/download/)
 
 Afterwards you can run the pulled image locally with:
 
 ```shell
-docker run -it -p 80:8080 docker.osgeo.org/geoserver:2.25.2
+docker run -it -p 80:8080 docker.osgeo.org/geoserver:2.26.2
 ```
 
 Or if you want to start the container daemonized, use e.g.:
 
 ```shell
-docker run -d -p 80:8080 docker.osgeo.org/geoserver:2.25.2
+docker run -d -p 80:8080 docker.osgeo.org/geoserver:2.26.2
 ```
 
 Check <http://localhost/geoserver> to see the geoserver page,
@@ -51,7 +51,7 @@ To use an external folder as your geoserver data directory.
 ```shell
 docker run -it -p 80:8080 \
   --mount src="/absolute/path/on/host",target=/opt/geoserver_data/,type=bind \
-  docker.osgeo.org/geoserver:2.25.2
+  docker.osgeo.org/geoserver:2.26.2
 ```
 
 An empty data directory will be populated on first use. You can easily update GeoServer while
@@ -66,7 +66,7 @@ The environment variable `SKIP_DEMO_DATA` can be set to `true` to create an empt
 ```shell
 docker run -it -p 80:8080 \
   --env SKIP_DEMO_DATA=true \
-  docker.osgeo.org/geoserver:2.25.2
+  docker.osgeo.org/geoserver:2.26.2
 ```
 
 ## How to set the application context path?
@@ -79,14 +79,14 @@ The following will serve GeoServer from the root (<http://localhost/>):
 ```shell
 docker run -it -p 80:8080 \
   --env WEBAPP_CONTEXT="" \
-  docker.osgeo.org/geoserver:2.25.1
+  docker.osgeo.org/geoserver:2.26.2
 ```
 
 The following will serve GeoServer from <http://localhost/my_context_path>:
 ```shell
 docker run -it -p 80:8080 \
   --env WEBAPP_CONTEXT="my_context_path" \
-  docker.osgeo.org/geoserver:2.25.1
+  docker.osgeo.org/geoserver:2.26.2
 ```
 
 ## How to issue a redirect from the root ("/") to GeoServer web interface ("/geoserver/web")?
@@ -103,7 +103,7 @@ The ``startup.sh`` script allows some customization on startup:
 * ``CORS_ENABLED`` to ``true`` to enable CORS support. The following environment variables can be used to customize the CORS configuration.
   * ``CORS_ALLOWED_ORIGINS`` (default ``*``)
   * ``CORS_ALLOWED_METHODS`` (default ``GET,POST,PUT,DELETE,HEAD,OPTIONS``)
-  * ``CORS_ALLOWED_HEADERS`` (default ``*``)
+  * ``CORS_ALLOWED_HEADERS`` (default ``Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers``)
   * ``CORS_ALLOW_CREDENTIALS`` (default ``false``) **Setting this to ``true`` will only have the desired effect if ``CORS_ALLOWED_ORIGINS`` defines explicit origins (not ``*``)**
 * ``PROXY_BASE_URL`` to the base URL of the GeoServer web app if GeoServer is behind a proxy. Example: ``https://example.com/geoserver``.
 
@@ -116,7 +116,7 @@ Example installing wps and ysld extensions:
 ```shell
 docker run -it -p 80:8080 \
   --env INSTALL_EXTENSIONS=true --env STABLE_EXTENSIONS="wps,ysld" \
-  docker.osgeo.org/geoserver:2.25.2
+  docker.osgeo.org/geoserver:2.26.2
 ```
 
 The list of extensions (taken from SourceForge download page):
@@ -141,7 +141,7 @@ If you want to add geoserver extensions/libs, place the respective jar files in
 ```shell
 docker run -it -p 80:8080 \
   --mount src="/dir/with/libs/on/host",target=/opt/additional_libs,type=bind \
-  docker.osgeo.org/geoserver:2.25.2
+  docker.osgeo.org/geoserver:2.26.2
 ```
 
 ## How to add additional fonts to the docker image (e.g. for SLD styling)?
@@ -151,7 +151,7 @@ If you want to add custom fonts (the base image only contains 26 fonts) by using
 ```shell
 docker run -it -p 80:8080 \
   --mount src="/dir/with/fonts/on/host",target=/opt/additional_fonts,type=bind \
-  docker.osgeo.org/geoserver:2.25.2
+  docker.osgeo.org/geoserver:2.26.2
 ```
 
 **Note:** Do not change the target value!
@@ -171,12 +171,15 @@ To enable a PostgreSQL JNDI resource, provide the following environment variable
 
 In geoserver, you can then reference this JNDI resource using the name `java:comp/env/jdbc/postgres` (if using default).
 
+Note: previously you could tweak the JNDI settings in a custom `context.xml` (see below), but its contents are now included in `server.xml`.
+
+
 ## How to use custom (tomcat) configuration files
 
 This image provides default (tomcat) configurations that are located in the `./config/` subdir.
 
-* `context.xml` (see/compare JNDI feature from above)
 * `server.xml` (security hardened version by default)
+* ~context.xml~ (now included into `server.xml`, previously used for JNDI settings)
 
 In case you want to fully overwrite such a config file, you can do so by mounting it to the `/opt/config_overrides/` directory of a container.
 The `startup.sh` script will then copy (and overwrite) these files to the catalina conf directory before starting tomcat.
@@ -186,7 +189,7 @@ Example:
 ```shell
 docker run -it -p 80:8080 \
   --mount src="/path/to/my/server.xml",target=/opt/config_overrides/server.xml,type=bind \
-  docker.osgeo.org/geoserver:2.25.2
+  docker.osgeo.org/geoserver:2.26.2
 ```
 
 ## How to enable HTTPS?
@@ -199,6 +202,15 @@ variables:
 * ``HTTPS_KEYSTORE_PASSWORD`` (defaults to `changeit`)
 * ``HTTPS_KEY_ALIAS`` (defaults to `server`)
 
+## How to run it as a non-privileged user ?
+
+It is usually considered a good practice to run the containers as a non-privileged user (not `root`).
+While it runs by default as root, for backwards compatibility reasons, several environment variables allow you to change this behaviour:
+- `RUN_UNPRIVILEGED=true`: run as unprivileged user `tomcat`. Default uid:gid are 999:999
+- `RUN_WITH_USER_UID` allows you to set `tomcat`'s uid. By default this is 999.
+- `RUN_WITH_USER_GID` allows you to set `tomcat`'s gid. By default this is the same as the uid.
+- `CHANGE_OWNERSHIP_ON_FOLDERS` sets a space-separated list of folders on which a `chmod -R` will be run, changing the ownership of those folders to the `tomcat` user (defaults to `"/opt $GEOSERVER_DATA_DIR"`).
+
 ## How to use the docker-compose demo?
 
 The ``docker-compose-demo.yml`` to build with your own data directory and extensions.
@@ -221,24 +233,31 @@ Following is the list of the all the environment variables that can be passed do
 | CORS_ENABLED | CORS enabled configuration | `false` |
 | CORS_ALLOWED_ORIGINS | CORS origins configuration | `*` |
 | CORS_ALLOWED_METHODS | CORS method configuration | `GET,POST,PUT,DELETE,HEAD,OPTIONS` |
-| CORS_ALLOWED_HEADERS | CORS headers configuration | `*` |
+| CORS_ALLOWED_HEADERS | CORS headers configuration | `Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers` |
 | DEBIAN_FRONTEND | Configures the Debian package manager frontend | `noninteractive`|
 | CATALINA_OPTS | Catalina options. Check [ref](https://www.baeldung.com/tomcat-catalina_opts-vs-java_opts) | `-Djava.awt.headless=true` |
 | GEOSERVER_DATA_DIR | Geoserver data directory location | `/opt/geoserver_data/` |
-| GEOSERVER_REQUIRE_FILE | Geoserver configuration used interally | `/opt/geoserver_data/global.xml` |
+| GEOSERVER_REQUIRE_FILE | Path to a file that will be passed to GeoServer. If this file does not exist, GeoServer won't start. |  |
+| SET_GEOSERVER_REQUIRE_FILE | If set to true, the GEOSERVER_REQUIRE_FILE will be automatically set to `$GEOSERVER_DATA_DIR/global.xml` on startup. If GEOSERVER_REQUIRE_FILE is set it will take precedence. | `true` |
 | INSTALL_EXTENSIONS | Indicates whether additional GeoServer extensions should be installed | `false` |
 | WAR_ZIP_URL | Specifies the URL for a GeoServer Web Archive (WAR) file | |
 | STABLE_EXTENSIONS | Specifies stable GeoServer extensions | |
-| STABLE_PLUGIN_URL | Specifies the URL for downloading the latest stable GeoServer plugins | `https://build.geoserver.org/geoserver/2.25.x/ext-latest` |
+| STABLE_PLUGIN_URL | Specifies the URL for downloading the latest stable GeoServer plugins | `https://build.geoserver.org/geoserver/2.26.x/ext-latest` |
 | COMMUNITY_EXTENSIONS | Specifies community-contributed GeoServer extensions | |
-| COMMUNITY_PLUGIN_URL | Specifies the URL for downloading the latest community-contributed GeoServer plugins | `https://build.geoserver.org/geoserver/2.25.x/community-latest` |
+| COMMUNITY_PLUGIN_URL | Specifies the URL for downloading the latest community-contributed GeoServer plugins | `https://build.geoserver.org/geoserver/2.26.x/community-latest` |
 | ADDITIONAL_LIBS_DIR | Sets the directory for additional libraries used by GeoServer | `/opt/additional_libs/` |
 | ADDITIONAL_FONTS_DIR | Sets the directory for additional fonts used by GeoServer | `/opt/additional_fonts/` |
-| SKIP_DEMO_DATA | Indicates whether to skip the installation of demo data provided by GeoServer | `false` |
+| SKIP_DEMO_DATA | Indicates whether to skip the installation of demo data provided by GeoServer. GEOSERVER_REQUIRE_FILE will be ignored if set to true. | `false` |
 | ROOT_WEBAPP_REDIRECT | Indicates whether to issue a permanent redirect to the web interface | `false` |
 | HEALTHCHECK_URL | URL to the resource / endpoint used for `docker` health checks | `http://localhost:8080/geoserver/web/wicket/resource/org.geoserver.web.GeoServerBasePage/img/logo.png` |
 | GEOSERVER_ADMIN_USER | Admin username |   |
 | GEOSERVER_ADMIN_PASSWORD | Admin password |  |
+| RUN_UNPRIVILEGED | If set to `true`, runs as an unprivileged user `tomcat` instead of `root`. | `true` |
+| RUN_WITH_USER_UID | When running as unprivileged user, sets the uid of this user. Defaults to `999` | `999` |
+| RUN_WITH_USER_GID | When running as unprivileged user, sets the gid of this user. Defaults to the same as the uid | `999` |
+| CHANGE_OWNERSHIP_ON_FOLDERS | When running as unprivileged user, changes the ownership to this user to these folders | `"/opt /opt/geoserver_data/ /mnt/geoserver_geodata"` |
+
+After the initial setup, it's recommended to remove the `GEOSERVER_ADMIN_USER` and `GEOSERVER_ADMIN_PASSWORD` variable. Otherwise, newly added roles and users may be overwritten by the next time the container is restarted.
 
 The following values cannot really be safely changed (as they are used to download extensions and community modules as the docker image first starts up).
 | VAR NAME | DESCRIPTION | SAMPLE VALUE |

RELEASE.md

@@ -7,7 +7,7 @@ OSGeo maintains geoserver-docker.osgeo.org repository for publishing. The result
 Build locally:
 
 ```shell
-docker build -t geoserver-docker.osgeo.org/geoserver:2.25.2 .
+docker build -t geoserver-docker.osgeo.org/geoserver:2.26.2 .
 ```
 
 Login using with osgeo user id:
@@ -19,7 +19,7 @@ docker login geoserver-docker.osgeo.org
 Push to osgeo repository:
 
 ```shell
-docker push geoserver-docker.osgeo.org/geoserver:2.25.2
+docker push geoserver-docker.osgeo.org/geoserver:2.26.2
 ```
 
 ## How to automate release?
@@ -34,10 +34,10 @@ The third, optional, is used to supply the jenkins build number - triggering a n
 
 Examples:
 
-`./release.sh build 2.25.2`
+`./release.sh build 2.26.2`
 
-`./release.sh publish 2.25.2`
+`./release.sh publish 2.26.2`
 
-`./release.sh buildandpublish 2.25.2`
+`./release.sh buildandpublish 2.26.2`
 
-`./release.sh buildandpublish 2.25-SNAPSHOT 1234`
+`./release.sh buildandpublish 2.26-SNAPSHOT 1234`

SECURITY.md

@@ -0,0 +1,6 @@
+# Security Policy
+
+Please see the [Security Policy](https://github.com/geoserver/geoserver/security/policy) or our main project for supported versions and procedures.
+
+You may also [find pubished security advisories](https://github.com/geoserver/geoserver/security/advisories) there.
+

build/release.sh

@@ -3,13 +3,13 @@
 # error out if any statements fail
 set -e
 
-MAIN="2.26"
+MAIN="2.27"
 
 function usage() {
   echo "$0 <mode> <version> [<build>]"
   echo ""
   echo " mode : The mode. Choose one of 'build', 'publish' or 'buildandpublish'"
-  echo " version : The released version to build an docker image for (eg: 2.25.2, ${MAIN}-SNAPSHOT, ${MAIN}-RC)"
+  echo " version : The released version to build an docker image for (eg: 2.25.3, ${MAIN}-SNAPSHOT, ${MAIN}-RC)"
   echo " build : Build number (optional)"
 }
 
@@ -49,6 +49,9 @@ else
   fi
 fi
 
+# Prerequisite for Multi-Arch via QEM
+# docker run --privileged --rm tonistiigi/binfmt --install all
+
 echo "Release from branch $BRANCH GeoServer $VERSION as $TAG"
 
 # Go up one level to the Dockerfile

docker-compose-demo.yml

@@ -4,7 +4,7 @@ services:
     build:
       context: .
       args:
-        - GEOSERVER_VERSION=2.25.2
+        - GEOSERVER_VERSION=2.26.2
         - CORS_ENABLED=true
         - CORS_ALLOWED_METHODS=GET,POST,PUT,HEAD,OPTIONS
     ports:
@@ -29,7 +29,7 @@ services:
       retries: 3
       timeout: 20s
   postgis:
-    image: postgis/postgis:16-3.4-alpine@sha256:ccf26626865d7521eb900ab4181730cffa975433fda6c892b8a81dc6b54142e7
+    image: postgis/postgis:17-3.4-alpine@sha256:5a1dbedac34e0e6663f8b7190d393339571f1cb3ecb2ab2f724524b4f3c7956e
     ports:
       - "5555:5432"
     environment:

startup.sh

@@ -21,11 +21,6 @@ function copy_custom_config() {
   fi
 }
 
-## Skip demo data
-if [ "${SKIP_DEMO_DATA}" = "true" ]; then
-  unset GEOSERVER_REQUIRE_FILE
-fi
-
 ## Add a permanent redirect (HTTP 301) from the root webapp ("/") to geoserver web interface ("/geoserver/web")
 if [ "${ROOT_WEBAPP_REDIRECT}" = "true" ] && [ "${WEBAPP_CONTEXT}" != "" ]; then
   if [ ! -d $CATALINA_HOME/webapps/ROOT ]; then
@@ -48,11 +43,42 @@ DEFAULT_HEALTHCHECK_URL="http://${DEFAULT_HEALTHCHECK_URL}"
 # write the healthcheck URL to a file that geoserver user has access to but is not served by tomcat
 echo "${HEALTHCHECK_URL:-$DEFAULT_HEALTHCHECK_URL}" > $CATALINA_HOME/conf/healthcheck_url.txt
 
+# ensure that GEOSERVER_DATA_DIR exists as a directory
+if [ ! -e "$GEOSERVER_DATA_DIR" ]; then
+  mkdir -p $GEOSERVER_DATA_DIR
+  echo "Created new GeoServer data directory $GEOSERVER_DATA_DIR as it did not exist."
+fi
+
+if [ "${SKIP_DEMO_DATA}" = "true" ]; then
+  # skipping demo data
+
+  if [ "$SET_GEOSERVER_REQUIRE_FILE" = true ]; then
+    echo "SET_GEOSERVER_REQUIRE_FILE will be ignored because SKIP_DEMO_DATA is set to true"
+  fi
+
+  # unset geoserver require file
+  if [ ! -z "$GEOSERVER_REQUIRE_FILE" ]; then
+    echo "GEOSERVER_REQUIRE_FILE will be ignored because SKIP_DEMO_DATA is set to true"
+    unset GEOSERVER_REQUIRE_FILE
+  fi
+else
+  # using demo data if data dir does not contain geoserver require file
+
+  # set geoserver require file to the correct value
+  if [ "$SET_GEOSERVER_REQUIRE_FILE" = true ]; then
+    if [ -z "$GEOSERVER_REQUIRE_FILE" ]; then
+      export GEOSERVER_REQUIRE_FILE="$GEOSERVER_DATA_DIR/global.xml"
+    else
+      echo "SET_GEOSERVER_REQUIRE_FILE is ignored because GEOSERVER_REQUIRE_FILE is set to a value"
+    fi
+  fi
+
   ## install release data directory if needed before starting tomcat
-if [ ! -z "$GEOSERVER_REQUIRE_FILE" ] && [ ! -f "$GEOSERVER_REQUIRE_FILE" ]; then
+  if [ ! -f "$GEOSERVER_REQUIRE_FILE" ]; then
     echo "Initialize $GEOSERVER_DATA_DIR from data directory included in geoserver.war"
     cp -r $CATALINA_HOME/webapps/geoserver/data/* $GEOSERVER_DATA_DIR
   fi
+fi
 
 ## install GeoServer extensions before starting the tomcat
 /opt/install-extensions.sh
@@ -167,4 +193,25 @@ if [ -n "$GEOSERVER_ADMIN_PASSWORD" ] && [ -n "$GEOSERVER_ADMIN_USER" ]; then
     /bin/sh /opt/update_credentials.sh
 fi
 
+# Run as non-privileged user
+if [ "${RUN_UNPRIVILEGED}" = "true" ]
+then
+  echo "The server will be run as non-privileged user 'tomcat'"
+
+  RUN_WITH_USER_UID=${RUN_WITH_USER_UID:=999}
+  RUN_WITH_USER_GID=${RUN_WITH_USER_GID:=${RUN_WITH_USER_UID} }
+
+  echo "creating user tomcat (${RUN_WITH_USER_UID}:${RUN_WITH_USER_GID})"
+  addgroup --gid ${RUN_WITH_USER_GID} tomcat && \
+    adduser --system -u ${RUN_WITH_USER_UID} --gid ${RUN_WITH_USER_GID} \
+            --no-create-home tomcat
+
+  if [ -n "$CHANGE_OWNERSHIP_ON_FOLDERS" ]; then
+    echo "Changing ownership accordingly ($CHANGE_OWNERSHIP_ON_FOLDERS)"
+    chown -R tomcat:tomcat $CHANGE_OWNERSHIP_ON_FOLDERS
+  fi
+
+  exec gosu tomcat $CATALINA_HOME/bin/catalina.sh run -Dorg.apache.catalina.connector.RECYCLE_FACADES=true
+else
   exec $CATALINA_HOME/bin/catalina.sh run -Dorg.apache.catalina.connector.RECYCLE_FACADES=true
+fi