From 097a50e1be027b2689516ba1fbde8dccc65a5225 Mon Sep 17 00:00:00 2001 From: Vitaly Korolev Date: Fri, 16 May 2025 16:13:28 -0700 Subject: [PATCH 1/6] add ARM dockerfile variant POC and options to build it --- Jenkinsfile | 2 +- Makefile | 17 ++- dockerFiles/marklogic-deps-ubi-arm:base | 31 +++++ dockerFiles/marklogic-server-ubi-arm:base | 149 ++++++++++++++++++++++ test/keywords.resource | 2 + 5 files changed, 197 insertions(+), 4 deletions(-) create mode 100644 dockerFiles/marklogic-deps-ubi-arm:base create mode 100644 dockerFiles/marklogic-server-ubi-arm:base diff --git a/Jenkinsfile b/Jenkinsfile index 5823c67..67cc6a8 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -441,7 +441,7 @@ pipeline { parameters { string(name: 'emailList', defaultValue: emailList, description: 'List of email for build notification', trim: true) string(name: 'dockerVersion', defaultValue: '2.1.2', description: 'ML Docker version. This version along with ML rpm package version will be the image tag as {ML_Version}_{dockerVersion}', trim: true) - choice(name: 'dockerImageType', choices: 'ubi-rootless\nubi\nubi9-rootless\nubi9', description: 'Platform type for Docker image. Will be made part of the docker image tag') + choice(name: 'dockerImageType', choices: 'ubi-rootless\nubi\nubi9-rootless\nubi9\nubi-arm', description: 'Platform type for Docker image. Will be made part of the docker image tag') string(name: 'upgradeDockerImage', defaultValue: '', description: 'Docker image for testing upgrades. Defaults to ubi image if left blank.\n Currently upgrading to ubi-rotless is not supported hence the test is skipped when ubi-rootless image is provided.', trim: true) choice(name: 'marklogicVersion', choices: '11\n12\n10', description: 'MarkLogic Server Branch. used to pick appropriate rpm') string(name: 'ML_RPM', defaultValue: '', description: 'URL for RPM to be used for Image creation. \n If left blank nightly ML rpm will be used.\n Please provide Jenkins accessible path e.g. /project/engineering or /project/qa', trim: true) diff --git a/Makefile b/Makefile index 1bc5009..cec99e4 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ dockerTag?=internal package?=MarkLogic.rpm repo_dir=marklogic -docker_build_options=--compress --platform linux/amd64 +docker_build_options=--compress build_branch?=local docker_image_type?=ubi upgrade_docker_image_type?=ubi 
@@ -10,6 +10,17 @@ upgrade_image?=${repo_dir}/marklogic-server-${upgrade_docker_image_type}:${docke current_image?=${repo_dir}/marklogic-server-${docker_image_type}:${dockerTag} open_scap_version?=0.1.74 +#*************************************************************************** +# set docker platform based on the docker image type +#*************************************************************************** +ifeq ($(findstring arm,$(docker_image_type)),arm) + docker_build_options += --platform linux/arm64 + export DOCKER_PLATFORM=linux/arm64 +else + docker_build_options += --platform linux/amd64 + export DOCKER_PLATFORM=linux/amd64 +endif + #*************************************************************************** # build docker image #*************************************************************************** @@ -29,7 +40,7 @@ endif # retrieve and copy open scap hardening script ifeq ($(findstring rootless,$(docker_image_type)),rootless) - [ -f scap-security-guide-${open_scap_version}.zip ] || curl -Lo scap-security-guide-${open_scap_version}.zip https://github.com/ComplianceAsCode/content/releases/download/v${open_scap_version}/scap-security-guide-${open_scap_version}.zip + [ -f scap-security-guide-${open_scap_version}.zip ] || curl -Lso scap-security-guide-${open_scap_version}.zip https://github.com/ComplianceAsCode/content/releases/download/v${open_scap_version}/scap-security-guide-${open_scap_version}.zip #UBI9 needs a different version of the remediation script ifeq ($(findstring ubi9,$(docker_image_type)),ubi9) unzip -p scap-security-guide-${open_scap_version}.zip scap-security-guide-${open_scap_version}/bash/rhel9-script-cis.sh > src/rhel-script-cis.sh 
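Review bot: The scap-security-guide download in the rootless branch now uses `curl -Lso`, which suppresses the error message on a failed transfer and, without `-f`, saves an HTTP error body under the zip name and exits 0. The `[ -f … ] ||` guard in front of it then treats that file as a valid cached copy on later builds. I would change the flags to `-fsSLo` and check the archive against a pinned digest before `unzip -p` extracts the remediation script into `src/rhel-script-cis.sh`, for example `echo "<EXPECTED_SHA256>  scap-security-guide-${open_scap_version}.zip" | sha256sum -c -` (the hash is a placeholder). The `scap-scan` hunk (`@@ -120,7 +131,7`) makes the same flag change and needs the same fix. The recipe that contains this line starts and ends outside the hunk.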
@@ -120,7 +131,7 @@ endif #*************************************************************************** scap-scan: mkdir -p scap - [ -f scap-security-guide-${open_scap_version}.zip ] || curl -Lo scap-security-guide-${open_scap_version}.zip https://github.com/ComplianceAsCode/content/releases/download/v${open_scap_version}/scap-security-guide-${open_scap_version}.zip + [ -f scap-security-guide-${open_scap_version}.zip ] || curl -Lso scap-security-guide-${open_scap_version}.zip https://github.com/ComplianceAsCode/content/releases/download/v${open_scap_version}/scap-security-guide-${open_scap_version}.zip #UBI9 needs a different version of the evaluation profile ifeq ($(findstring ubi9,$(current_image)),ubi9) unzip -p scap-security-guide-${open_scap_version}.zip scap-security-guide-${open_scap_version}/ssg-rhel9-ds.xml > scap/ssg-rhel-ds.xml diff --git a/dockerFiles/marklogic-deps-ubi-arm:base b/dockerFiles/marklogic-deps-ubi-arm:base new file mode 100644 index 0000000..64114bb --- /dev/null +++ b/dockerFiles/marklogic-deps-ubi-arm:base 
@@ -0,0 +1,31 @@ +############################################################### +# +# Copyright © 2018-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved. +# +############################################################### + +FROM registry.access.redhat.com/ubi8/ubi-minimal:latest +LABEL "com.marklogic.maintainer"="docker@marklogic.com" + +############################################################### +# install libnsl rpm package +############################################################### + +RUN microdnf -y update \ + && curl -Lso libnsl.rpm https://download.rockylinux.org/pub/rocky/8/BaseOS/aarch64/os/Packages/l/libnsl-2.28-251.el8_10.16.aarch64.rpm \ + && rpm -i libnsl.rpm \ + && rm -f libnsl.rpm + +############################################################### +# install networking, base deps and tzdata for timezone +############################################################### +# hadolint ignore=DL3006 +RUN echo "NETWORKING=yes" > /etc/sysconfig/network \ + && microdnf -y install --setopt install_weak_deps=0 gdb redhat-lsb-core initscripts tzdata glibc libstdc++ hostname \ + && microdnf clean all + + +############################################################### +# Enable FIPS Mode +############################################################### +RUN update-crypto-policies --set FIPS \ No newline at end of file diff --git a/dockerFiles/marklogic-server-ubi-arm:base b/dockerFiles/marklogic-server-ubi-arm:base new file mode 100644 index 0000000..2398cff --- /dev/null +++ b/dockerFiles/marklogic-server-ubi-arm:base 
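Review bot: The libnsl `RUN` step installs an RPM fetched with `curl -Lso libnsl.rpm …` and nothing verifies what was downloaded: there is no `-f`, no checksum, and the package comes from a Rocky Linux mirror whose signing key is presumably not in the UBI image's rpm keyring, so `rpm -i` would not be checking a signature. Use `curl -fsSLo` and add `&& echo "<LIBNSL_RPM_SHA256>  libnsl.rpm" | sha256sum -c - \` before `rpm -i` (the hash is a placeholder) so a changed or truncated file fails the build. The PATCH 2/6 hunk that switches the URL to the internal Artifactory host leaves the same gap. Separately, `FROM registry.access.redhat.com/ubi8/ubi-minimal:latest` is not pinned, so a rebuild can pick up a different base without any change in this repository; pinning by digest, with a comment on how the pin is refreshed, would make the image reproducible.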
@@ -0,0 +1,149 @@ +############################################################### +# +# Copyright © 2018-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved. +# +############################################################### + +ARG BASE_IMAGE=marklogic-ubi/marklogic-deps-ubi-arm:11-internal +FROM ${BASE_IMAGE} AS builder + +############################################################### +# set build args +############################################################### + +ARG ML_RPM=marklogic.rpm +ARG ML_USER="marklogic_user" +ARG ML_VERSION=11-internal +ARG ML_CONVERTERS=marklogic.converters +#################################################### +# inject init, start and clustering scripts +############################################################### + +COPY scripts/start-marklogic.sh /usr/local/bin/start-marklogic.sh + +############################################################### +# install MarkLogic server, sudo, and remove mlcmd packages +############################################################### +COPY ${ML_RPM} /tmp/marklogic-server.rpm +RUN rpm -i --nodeps /tmp/marklogic-server.rpm \ + && rm /tmp/marklogic-server.rpm \ + && microdnf -y install --setopt install_weak_deps=0 sudo \ + && microdnf -y clean all \ + && rm -rf ./opt/MarkLogic/mlcmd/lib/* \ + && rm -rf ./opt/MarkLogic/mlcmd/ext/* + +############################################################### +# Add TINI to serve as PID 1 process +############################################################### +ENV TINI_VERSION=v0.19.0 +ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-arm64 /tini +RUN chmod +x /tini + +############################################################### +# Copy converters package +############################################################### +WORKDIR / +COPY ${ML_CONVERTERS} converters.rpm +############################################################### +# create system user 
+############################################################### + +RUN adduser --gid users --uid 1000 ${ML_USER} \ + && echo ${ML_USER}" ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers + +############################################################### +# second stage for flattening layers +############################################################### +FROM ${BASE_IMAGE} + +COPY --from=builder / / + +ARG ML_USER="marklogic_user" +ARG ML_VERSION=11-internal +ARG ML_DOCKER_VERSION=local +ARG BUILD_BRANCH=local +ARG ML_DOCKER_TYPE=ubi +############################################################### +# define docker labels +############################################################### + +LABEL "com.marklogic.maintainer"="docker@marklogic.com" +LABEL "com.marklogic.name"="MarkLogic Server ${ML_VERSION}" +LABEL "com.marklogic.docker-version"="${ML_DOCKER_VERSION}" +LABEL "com.marklogic.release-version"="${ML_VERSION}" +LABEL "com.marklogic.build-branch"="${BUILD_BRANCH}" +LABEL "com.marklogic"="MarkLogic" +LABEL "com.marklogic.release-type"="production" +LABEL "com.marklogic.license"="MarkLogic EULA" +LABEL "com.marklogic.license.description"="By subscribing to this product, you agree to the terms and conditions outlined in MarkLogic's End User License Agreement (EULA) here https://developer.marklogic.com/eula " +LABEL "com.marklogic.license.url"="https://developer.marklogic.com/eula" +LABEL "com.marklogic.description"="MarkLogic is the only Enterprise NoSQL database. It is a new generation database built with a flexible data model to store, manage, and search JSON, XML, RDF, and more - without sacrificing enterprise features such as ACID transactions, certified security, backup, and recovery. With these capabilities, MarkLogic is ideally suited for making heterogeneous data integration simpler and faster, and for delivering dynamic content at massive scale. 
The current release of the MarkLogic Server Developer Docker image includes all features and is limited to developer use." +LABEL docker.cmd="docker run -it -p 7997-8010:7997-8010 -e MARKLOGIC_INIT=true -e MARKLOGIC_ADMIN_USERNAME= -e MARKLOGIC_ADMIN_PASSWORD= --mount src=MarkLogic,dst=/var/opt/MarkLogic progressofficial/marklogic-db:${ML_VERSION}" + +############################################################### +# copy notice file +############################################################### +COPY --chown=${ML_USER}:users NOTICE.txt /home/${ML_USER}/NOTICE.txt + +############################################################### +# set env vars +############################################################### + +ENV MARKLOGIC_INSTALL_DIR=/opt/MarkLogic \ + MARKLOGIC_DATA_DIR=/var/opt/MarkLogic \ + MARKLOGIC_USER=${ML_USER} \ + MARKLOGIC_PID_FILE=/var/run/MarkLogic.pid \ + MARKLOGIC_UMASK=022 \ + LD_LIBRARY_PATH=/lib64:$LD_LIBRARY_PATH:/opt/MarkLogic/lib \ + MARKLOGIC_VERSION="${ML_VERSION}" \ + MARKLOGIC_DOCKER_VERSION="${ML_DOCKER_VERSION}" \ + MARKLOGIC_IMAGE_TYPE="$ML_DOCKER_TYPE" \ + MARKLOGIC_BOOTSTRAP_HOST=bootstrap \ + MARKLOGIC_ADMIN_USERNAME_FILE=mldb_admin_user \ + MARKLOGIC_ADMIN_PASSWORD_FILE=mldb_password_user \ + MARKLOGIC_WALLET_PASSWORD_FILE=mldb_wallet_password \ + BUILD_BRANCH=${BUILD_BRANCH} \ + MARKLOGIC_JOIN_TLS_ENABLED=false + +################################################################ +# Set Timezone +################################################################ + +RUN microdnf -y reinstall tzdata + +############################################################### +# Remove optional packages that have known vulnerabilities +############################################################### +RUN for package in vim-minimal cups-client cups-libs tar python3-pip-wheel platform-python python3-libs platform-python-setuptools avahi-libs binutils expat libarchive python3 python3-libs python-unversioned-command; \ + do rpm -e --nodeps $package 
|| true; \ + done; + +############################################################### +# expose MarkLogic server ports +############################################################### + +EXPOSE 25 7997-8010 + +############################################################### +# set system user +############################################################### + +USER ${ML_USER} + +#################################################### +# Set Linux Language Settings +############################################################### + +ENV LANG=en_US.UTF-8 +ENV LC_ALL=C.UTF-8 + +############################################################### +# define volume for persistent MarkLogic server data +############################################################### + +VOLUME /var/opt/MarkLogic + +############################################################### +# set entrypoint +############################################################### +ENTRYPOINT ["/tini", "--", "/usr/local/bin/start-marklogic.sh"] diff --git a/test/keywords.resource b/test/keywords.resource index b3d472b..4e81e99 100644 --- a/test/keywords.resource +++ b/test/keywords.resource @@ -8,6 +8,8 @@ Library Collections Library DateTime *** Variables *** +${DOCKER_PLATFORM} %{DOCKER_PLATFORM=linux/amd64} +@{DOCKER DEFAULTS} -it -d -p 8000:8000 -p 8001:8001 -p 8002:8002 -p7997:7997 --platform ${DOCKER_PLATFORM} @{DOCKER DEFAULTS} -it -d -p 8000:8000 -p 8001:8001 -p 8002:8002 -p7997:7997 --platform linux/amd64 ${DEFAULT ADMIN USER} test_admin ${DEFAULT ADMIN PASS} test_admin_pass From c356d85326b53bf947cc2336d11797e76bb9a5ee Mon Sep 17 00:00:00 2001 From: Vitaly Korolev Date: Fri, 16 May 2025 16:33:16 -0700 Subject: [PATCH 2/6] switch to locally served libnsl --- dockerFiles/marklogic-deps-ubi-arm:base | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dockerFiles/marklogic-deps-ubi-arm:base b/dockerFiles/marklogic-deps-ubi-arm:base index 64114bb..3d1f6a3 100644 
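Review bot: The builder stage's `adduser` step appends `${ML_USER}" ALL=(ALL) NOPASSWD:ALL"` to `/etc/sudoers`, so the later `USER ${ML_USER}` does not reduce privilege: any process running as that user in the container can become root without a password. If `start-marklogic.sh` needs root for a few operations, limit the rule to those commands in a mode-0440 file under `/etc/sudoers.d/` and add a comment above the `RUN` saying why each one is needed. The `ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-arm64 /tini` line also installs the PID 1 binary with no integrity check. `ADD --checksum=sha256:<TINI_ARM64_SHA256> …` (placeholder hash; needs a BuildKit Dockerfile frontend that supports the flag) would pin it to the reviewed release artifact.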
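Review bot: The new `@{DOCKER DEFAULTS}` line using `--platform ${DOCKER_PLATFORM}` is added directly above the existing one, and going by the `-8,6 +8,8` header and the `2 ++` diffstat entry, the old `@{DOCKER DEFAULTS} … --platform linux/amd64` line stays as context. That leaves the variable defined twice in the Variables section, and which definition takes effect depends on how Robot Framework handles duplicates, which is easy to misread later. Delete the old line so an ARM run cannot end up with the hard-coded amd64 value.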
--- a/dockerFiles/marklogic-deps-ubi-arm:base +++ b/dockerFiles/marklogic-deps-ubi-arm:base @@ -12,7 +12,7 @@ LABEL "com.marklogic.maintainer"="docker@marklogic.com" ############################################################### RUN microdnf -y update \ - && curl -Lso libnsl.rpm https://download.rockylinux.org/pub/rocky/8/BaseOS/aarch64/os/Packages/l/libnsl-2.28-251.el8_10.16.aarch64.rpm \ + && curl -Lso libnsl.rpm https://bed-artifactory.bedford.progress.com:443/artifactory/ml-rpm-release-tierpoint/devdependencies/libnsl-2.28-251.el8_10.16.aarch64.rpm \ && rpm -i libnsl.rpm \ && rm -f libnsl.rpm From 8e8f8dc22599aa07975c2983f79e5c06cba5f791 Mon Sep 17 00:00:00 2001 From: Vitaly Korolev Date: Sat, 17 May 2025 20:13:56 -0700 Subject: [PATCH 3/6] switch to temp jenkins node --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 67cc6a8..e0a9c32 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -413,7 +413,7 @@ void scapScan() { pipeline { agent { label { - label 'cld-docker' + label 'cld-docker-temp' } } options { From 9634bf673aa3f890c6b30ea5a4956316bc0f9011 Mon Sep 17 00:00:00 2001 From: Vitaly Korolev Date: Sun, 18 May 2025 15:00:02 -0700 Subject: [PATCH 4/6] add arm emulation workaround --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index cec99e4..290f4f9 100644 --- a/Makefile +++ b/Makefile @@ -19,6 +19,7 @@ ifeq ($(findstring arm,$(docker_image_type)),arm) else docker_build_options += --platform linux/amd64 export DOCKER_PLATFORM=linux/amd64 + docker run --privileged --rm tonistiigi/binfmt --install arm64 endif #*************************************************************************** From df247de4a3ad957542d5453b1f4f0d3a89225c6e Mon Sep 17 00:00:00 2001 From: Vitaly Korolev Date: Sun, 18 May 2025 17:23:19 -0700 Subject: [PATCH 5/6] fix pipeline syntax --- Makefile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
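Review bot: The line added in PATCH 4/6, `docker run --privileged --rm tonistiigi/binfmt --install arm64`, pulls a third-party image with no tag or digest and runs it with full privileges on the build host. Whatever that repository's default tag resolves to at build time therefore runs with root-equivalent access on the Jenkins agent. Pin it by digest, `tonistiigi/binfmt@sha256:<BINFMT_IMAGE_DIGEST>` (placeholder), or register the emulator once when the agent is provisioned instead of on every `make build`. In this hunk the line also sits in the `else` (amd64) branch of a parse-time `ifeq`, outside any recipe. PATCH 5/6 and 6/6 move it into the `build` recipe under the arm condition but keep the unpinned privileged run.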
diff --git a/Makefile b/Makefile index 290f4f9..19d5e70 100644 --- a/Makefile +++ b/Makefile @@ -19,7 +19,6 @@ ifeq ($(findstring arm,$(docker_image_type)),arm) else docker_build_options += --platform linux/amd64 export DOCKER_PLATFORM=linux/amd64 - docker run --privileged --rm tonistiigi/binfmt --install arm64 endif #*************************************************************************** @@ -29,6 +28,10 @@ build: # NOTICE file need to be in the build context to be included in the built image cp NOTICE.txt src/NOTICE.txt + ifeq ($(findstring arm,$(docker_image_type)),arm) + docker run --privileged --rm tonistiigi/binfmt --install arm64 + endif + # rootless images use the same dependencies as ubi image so we copy the file ifeq ($(docker_image_type),ubi9) cp dockerFiles/marklogic-server-ubi\:base dockerFiles/marklogic-server-ubi9\:base From 0a43aaaa3ab47631c997d007005a65abd37d9e66 Mon Sep 17 00:00:00 2001 From: Vitaly Korolev Date: Sun, 18 May 2025 17:27:57 -0700 Subject: [PATCH 6/6] syntax fix --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 19d5e70..788c6ef 100644 --- a/Makefile +++ b/Makefile @@ -28,9 +28,9 @@ build: # NOTICE file need to be in the build context to be included in the built image cp NOTICE.txt src/NOTICE.txt - ifeq ($(findstring arm,$(docker_image_type)),arm) - docker run --privileged --rm tonistiigi/binfmt --install arm64 - endif +ifeq ($(findstring arm,$(docker_image_type)),arm) + docker run --privileged --rm tonistiigi/binfmt --install arm64 +endif # rootless images use the same dependencies as ubi image so we copy the file ifeq ($(docker_image_type),ubi9)