style(ct-base): upgrade Dockerfile with heredocs IQSS#8932
Instead of using "&& \"-style continuation of a RUN layer,
newer Docker versions (since 2021) allow the use of heredocs.
Also move some ARGs to more suitable places.
poikilotherm committed Sep 14, 2022
1 parent 3bf2a8d commit 4aa2c01
Showing 1 changed file with 85 additions and 73 deletions.
158 changes: 85 additions & 73 deletions modules/container-base/src/main/docker/Dockerfile
Expand Up @@ -67,43 +67,47 @@ ENV PATH="${PATH}:${PAYARA_DIR}/bin" \
ENABLE_JDWP=0 \
ENABLE_RELOAD=0

ARG JATTACH_VERSION="v2.1"
ARG JATTACH_CHECKSUM="07885fdc782e02e7302c6d190f54c3930afa10a38140365adf54076ec1086a8e"
ARG PKGS="jq imagemagick curl unzip wget acl dirmngr gpg lsof procps netcat tini"
ARG ASADMIN="${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE}"

### PART 1: SYSTEM ###
ARG UID=1000
ARG GID=1000
USER root
WORKDIR /
SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
RUN true && \
RUN <<EOF
# Create pathes
mkdir -p "${HOME_DIR}" "${PAYARA_DIR}" "${DEPLOY_DIR}" "${CONFIG_DIR}" "${SCRIPT_DIR}" && \
mkdir -p "${DOCROOT_DIR}" "${SECRETS_DIR}" "${DUMPS_DIR}" && \
mkdir -p "${HOME_DIR}" "${PAYARA_DIR}" "${DEPLOY_DIR}" "${CONFIG_DIR}" "${SCRIPT_DIR}"
mkdir -p "${DOCROOT_DIR}" "${SECRETS_DIR}" "${DUMPS_DIR}"
# Create user
addgroup --gid ${GID} payara && \
adduser --system --uid ${UID} --no-create-home --shell /bin/bash --home "${HOME_DIR}" --gecos "" --ingroup payara payara && \
echo payara:payara | chpasswd && \
addgroup --gid ${GID} payara
adduser --system --uid ${UID} --no-create-home --shell /bin/bash --home "${HOME_DIR}" --gecos "" --ingroup payara payara
echo payara:payara | chpasswd
# Set permissions
chown -R payara: "${HOME_DIR}" && \
chown -R payara: "${HOME_DIR}"
chown -R payara: "${DOCROOT_DIR}" "${SECRETS_DIR}" "${DUMPS_DIR}"
EOF

ARG JATTACH_VERSION="v2.1"
ARG JATTACH_CHECKSUM="07885fdc782e02e7302c6d190f54c3930afa10a38140365adf54076ec1086a8e"
ARG PKGS="jq imagemagick curl unzip wget acl dirmngr gpg lsof procps netcat tini"

# Installing the packages in an extra container layer for better caching
RUN true && \
RUN <<EOF
# Install packages
apt-get update -q && \
apt-get install -qqy --no-install-recommends ${PKGS} && \
apt-get update -q
apt-get install -qqy --no-install-recommends ${PKGS}
# Install jattach
curl -sSfL -o /usr/bin/jattach "https://github.com/apangin/jattach/releases/download/${JATTACH_VERSION}/jattach" && \
echo "${JATTACH_CHECKSUM} /usr/bin/jattach" | sha256sum -c - && \
chmod +x /usr/bin/jattach && \
curl -sSfL -o /usr/bin/jattach "https://github.com/apangin/jattach/releases/download/${JATTACH_VERSION}/jattach"
echo "${JATTACH_CHECKSUM} /usr/bin/jattach" | sha256sum -c -
chmod +x /usr/bin/jattach
# Cleanup
rm -rf "/var/lib/apt/lists/*"
EOF

### PART 2: PAYARA ###
# After setting up system, now configure Payara

ARG ASADMIN="${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE}"

USER payara
WORKDIR ${HOME_DIR}

Expand All @@ -114,92 +118,100 @@ COPY --chown=payara:payara maven/appserver ${PAYARA_DIR}/
COPY --chown=payara:payara maven/scripts ${SCRIPT_DIR}/

# Configure the domain to be container and production ready
# -- This is mostly inherited from the "production domain template", experience with Dataverse and https://blog.payara.fish/fine-tuning-payara-server-5-in-production
RUN true && \
# -- This is mostly inherited from the "production domain template", experience with Dataverse and
# https://blog.payara.fish/fine-tuning-payara-server-5-in-production
RUN <<EOF
# Set admin password
echo "AS_ADMIN_PASSWORD=" > /tmp/password-change-file.txt && \
echo "AS_ADMIN_NEWPASSWORD=${ADMIN_PASSWORD}" >> /tmp/password-change-file.txt && \
echo "AS_ADMIN_PASSWORD=${ADMIN_PASSWORD}" >> ${PASSWORD_FILE} && \
asadmin --user=${ADMIN_USER} --passwordfile=/tmp/password-change-file.txt change-admin-password --domain_name=${DOMAIN_NAME} && \
echo "AS_ADMIN_PASSWORD=" > /tmp/password-change-file.txt
echo "AS_ADMIN_NEWPASSWORD=${ADMIN_PASSWORD}" >> /tmp/password-change-file.txt
echo "AS_ADMIN_PASSWORD=${ADMIN_PASSWORD}" >> ${PASSWORD_FILE}
asadmin --user=${ADMIN_USER} --passwordfile=/tmp/password-change-file.txt change-admin-password --domain_name=${DOMAIN_NAME}
# Start domain for configuration
${ASADMIN} start-domain ${DOMAIN_NAME} && \
${ASADMIN} start-domain ${DOMAIN_NAME}
# Allow access to admin with password only
${ASADMIN} enable-secure-admin && \
${ASADMIN} enable-secure-admin

### CONTAINER USAGE ENABLEMENT
# List & delete memory settings from domain
for MEMORY_JVM_OPTION in $(${ASADMIN} list-jvm-options | grep "Xm[sx]\|Xss\|NewRatio"); \
do \
${ASADMIN} delete-jvm-options $(echo $MEMORY_JVM_OPTION | sed -e 's/:/\\:/g'); \
done && \
for MEMORY_JVM_OPTION in $(${ASADMIN} list-jvm-options | grep "Xm[sx]\|Xss\|NewRatio");
do
${ASADMIN} delete-jvm-options $(echo $MEMORY_JVM_OPTION | sed -e 's/:/\\:/g');
done
# Tweak memory settings for containers
${ASADMIN} create-jvm-options "-XX\:+UseContainerSupport" && \
${ASADMIN} create-jvm-options "-XX\:MaxRAMPercentage=\${ENV=MEM_MAX_RAM_PERCENTAGE}" && \
${ASADMIN} create-jvm-options "-Xss\${ENV=MEM_XSS}" && \
${ASADMIN} create-jvm-options "-XX\:MinHeapFreeRatio=\${ENV=MEM_MIN_HEAP_FREE_RATIO}" && \
${ASADMIN} create-jvm-options "-XX\:MaxHeapFreeRatio=\${ENV=MEM_MAX_HEAP_FREE_RATIO}" && \
${ASADMIN} create-jvm-options "-XX\:HeapDumpPath=\${ENV=DUMPS_DIR}" && \
${ASADMIN} create-jvm-options "-XX\:+UseContainerSupport"
${ASADMIN} create-jvm-options "-XX\:MaxRAMPercentage=\${ENV=MEM_MAX_RAM_PERCENTAGE}"
${ASADMIN} create-jvm-options "-Xss\${ENV=MEM_XSS}"
${ASADMIN} create-jvm-options "-XX\:MinHeapFreeRatio=\${ENV=MEM_MIN_HEAP_FREE_RATIO}"
${ASADMIN} create-jvm-options "-XX\:MaxHeapFreeRatio=\${ENV=MEM_MAX_HEAP_FREE_RATIO}"
${ASADMIN} create-jvm-options "-XX\:HeapDumpPath=\${ENV=DUMPS_DIR}"
# Set logging to console only for containers
${ASADMIN} set-log-attributes com.sun.enterprise.server.logging.GFFileHandler.logtoFile=false && \
${ASADMIN} set-log-attributes com.sun.enterprise.server.logging.GFFileHandler.logtoFile=false \

### PRODUCTION READINESS
${ASADMIN} create-jvm-options '-XX\:+UseG1GC' && \
${ASADMIN} create-jvm-options '-XX\:+UseStringDeduplication' && \
${ASADMIN} create-jvm-options '-XX\:+DisableExplicitGC' && \
${ASADMIN} create-jvm-options '-XX\:MaxGCPauseMillis=${ENV=MEM_MAX_GC_PAUSE_MILLIS}' && \
${ASADMIN} create-jvm-options '-XX\:MetaspaceSize=${ENV=MEM_METASPACE_SIZE}' && \
${ASADMIN} create-jvm-options '-XX\:MaxMetaspaceSize=${ENV=MEM_MAX_METASPACE_SIZE}' && \
${ASADMIN} create-jvm-options '-XX\:+IgnoreUnrecognizedVMOptions' && \
${ASADMIN} create-jvm-options '-XX\:+UseG1GC'
${ASADMIN} create-jvm-options '-XX\:+UseStringDeduplication'
${ASADMIN} create-jvm-options '-XX\:+DisableExplicitGC'
${ASADMIN} create-jvm-options '-XX\:MaxGCPauseMillis=${ENV=MEM_MAX_GC_PAUSE_MILLIS}'
${ASADMIN} create-jvm-options '-XX\:MetaspaceSize=${ENV=MEM_METASPACE_SIZE}'
${ASADMIN} create-jvm-options '-XX\:MaxMetaspaceSize=${ENV=MEM_MAX_METASPACE_SIZE}'
${ASADMIN} create-jvm-options '-XX\:+IgnoreUnrecognizedVMOptions'
# Disable autodeploy and hot reload
${ASADMIN} set configs.config.server-config.admin-service.das-config.dynamic-reload-enabled="false" && \
${ASADMIN} set configs.config.server-config.admin-service.das-config.autodeploy-enabled="false" && \
${ASADMIN} set configs.config.server-config.admin-service.das-config.dynamic-reload-enabled="false"
${ASADMIN} set configs.config.server-config.admin-service.das-config.autodeploy-enabled="false"
# Enlarge thread pools
${ASADMIN} set server-config.thread-pools.thread-pool.http-thread-pool.max-thread-pool-size="50" && \
${ASADMIN} set server-config.thread-pools.thread-pool.http-thread-pool.max-queue-size="" && \
${ASADMIN} set default-config.thread-pools.thread-pool.thread-pool-1.max-thread-pool-size="250" && \
${ASADMIN} set server-config.thread-pools.thread-pool.http-thread-pool.max-thread-pool-size="50"
${ASADMIN} set server-config.thread-pools.thread-pool.http-thread-pool.max-queue-size=""
${ASADMIN} set default-config.thread-pools.thread-pool.thread-pool-1.max-thread-pool-size="250"
# Enable file caching
${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-1.http.file-cache.enabled="true" && \
${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-2.http.file-cache.enabled="true" && \
${ASADMIN} set default-config.network-config.protocols.protocol.http-listener-1.http.file-cache.enabled="true" && \
${ASADMIN} set default-config.network-config.protocols.protocol.http-listener-2.http.file-cache.enabled="true" && \
${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-1.http.file-cache.enabled="true"
${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-2.http.file-cache.enabled="true"
${ASADMIN} set default-config.network-config.protocols.protocol.http-listener-1.http.file-cache.enabled="true"
${ASADMIN} set default-config.network-config.protocols.protocol.http-listener-2.http.file-cache.enabled="true"
# Disable the HTTPS listener (we are always fronting our appservers with a reverse proxy handling SSL)
${ASADMIN} set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-2.enabled="false" && \
# Enlarge and tune EJB pools (cannot do this for server-config as set does not create new entries) \
${ASADMIN} set default-config.ejb-container.pool-resize-quantity="2" && \
${ASADMIN} set default-config.ejb-container.max-pool-size="128" && \
${ASADMIN} set default-config.ejb-container.steady-pool-size="10" && \
${ASADMIN} set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-2.enabled="false"
# Enlarge and tune EJB pools (cannot do this for server-config as set does not create new entries)
${ASADMIN} set default-config.ejb-container.pool-resize-quantity="2"
${ASADMIN} set default-config.ejb-container.max-pool-size="128"
${ASADMIN} set default-config.ejb-container.steady-pool-size="10"
# Misc settings
${ASADMIN} create-system-properties fish.payara.classloading.delegate="false" && \
${ASADMIN} create-system-properties jersey.config.client.readTimeout="300000" && \
${ASADMIN} create-system-properties jersey.config.client.connectTimeout="300000" && \
${ASADMIN} create-system-properties fish.payara.classloading.delegate="false"
${ASADMIN} create-system-properties jersey.config.client.readTimeout="300000"
${ASADMIN} create-system-properties jersey.config.client.connectTimeout="300000" \

### DATAVERSE APPLICATION SPECIFICS
# Configure the MicroProfile directory config source to point to /secrets
${ASADMIN} set-config-dir --directory="${SECRETS_DIR}" && \
${ASADMIN} set-config-dir --directory="${SECRETS_DIR}"
# Make request timeouts configurable via MPCONFIG (default to 900 secs = 15 min)
${ASADMIN} set 'server-config.network-config.protocols.protocol.http-listener-1.http.request-timeout-seconds=${MPCONFIG=dataverse.http.timeout:900}' && \
${ASADMIN} set 'server-config.network-config.protocols.protocol.http-listener-1.http.request-timeout-seconds=${MPCONFIG=dataverse.http.timeout:900}'
# TODO: what of the below 3 items can be deleted for container usage?
${ASADMIN} create-network-listener --protocol=http-listener-1 --listenerport=8009 --jkenabled=true jk-connector && \
${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-1.http.comet-support-enabled=true && \
${ASADMIN} create-system-properties javax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl && \
${ASADMIN} create-network-listener --protocol=http-listener-1 --listenerport=8009 --jkenabled=true jk-connector
${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-1.http.comet-support-enabled=true
${ASADMIN} create-system-properties javax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl
# Always disable phoning home...
${ASADMIN} disable-phone-home && \
${ASADMIN} disable-phone-home \

### CLEANUP
# Stop domain
${ASADMIN} stop-domain "${DOMAIN_NAME}" && \
# Disable JSP servlet dynamic reloads \
sed -i 's#<servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>#<servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>\n <init-param>\n <param-name>development</param-name>\n <param-value>false</param-value>\n </init-param>\n <init-param>\n <param-name>genStrAsCharArray</param-name>\n <param-value>true</param-value>\n </init-param>#' "${DOMAIN_DIR}/config/default-web.xml" && \
${ASADMIN} stop-domain "${DOMAIN_NAME}"
# Disable JSP servlet dynamic reloads
sed -i 's#<servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>#<servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>\n <init-param>\n <param-name>development</param-name>\n <param-value>false</param-value>\n </init-param>\n <init-param>\n <param-name>genStrAsCharArray</param-name>\n <param-value>true</param-value>\n </init-param>#' "${DOMAIN_DIR}/config/default-web.xml"
# Cleanup old CA certificates to avoid unnecessary log clutter during startup
${SCRIPT_DIR}/removeExpiredCaCerts.sh && \
${SCRIPT_DIR}/removeExpiredCaCerts.sh
# Delete generated files
rm -rf \
"/tmp/password-change-file.txt" \
"${PAYARA_DIR}/glassfish/domains/${DOMAIN_NAME}/osgi-cache" \
"${PAYARA_DIR}/glassfish/domains/${DOMAIN_NAME}/logs"
EOF

# Make docroot of Payara reside in higher level directory for easier targeting
# Due to gdcc/dataverse-kubernetes#177: create the generated pathes so they are
# writeable by us. TBR with gdcc/dataverse-kubernetes#178.
RUN rm -rf "${DOMAIN_DIR}"/docroot && \
ln -s "${DOCROOT_DIR}" "${DOMAIN_DIR}"/docroot && \
RUN <<EOF
rm -rf "${DOMAIN_DIR}"/docroot
ln -s "${DOCROOT_DIR}" "${DOMAIN_DIR}"/docroot
mkdir -p "${DOMAIN_DIR}"/generated/jsp/dataverse
EOF

# Set the entrypoint to tini (as a process supervisor)
ENTRYPOINT ["/usr/bin/tini", "--"]
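Review bot: Three lines in the domain-configuration heredoc still end in a backslash left over from the `&& \` form — `${ASADMIN} set-log-attributes com.sun.enterprise.server.logging.GFFileHandler.logtoFile=false \`, `${ASADMIN} create-system-properties jersey.config.client.connectTimeout="300000" \` and `${ASADMIN} disable-phone-home \` — and inside a heredoc each is a bash line continuation onto the following blank line, harmless today but it will silently splice the next non-blank line someone adds into that command, so the trailing backslashes should be dropped. In the package layer, `rm -rf "/var/lib/apt/lists/*"` quotes the glob, so nothing is removed and the apt lists remain in the image; it should read `rm -rf /var/lib/apt/lists/*`. Not introduced by this conversion but worth a follow-up in the same file: `echo payara:payara | chpasswd` gives the service account a well-known password that a `--system` user does not need, and the admin password appended to `${PASSWORD_FILE}` is not in the final cleanup list, so it appears to persist in the image layer — generating that file at container start would keep it out of the image.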