From 2484a312eae82b9a5a87c493bbfa7b8a5c7d3d03 Mon Sep 17 00:00:00 2001 From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com> Date: Fri, 15 Dec 2023 11:36:24 -0800 Subject: [PATCH 1/4] update csp var consumption to match new server settings (#56) --- Dockerfile | 4 ++-- docker-compose.yml | 4 ++-- entrypoint.sh | 19 ++++++++++--------- 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6a9f472..c4e8577 100644 --- a/Dockerfile +++ b/Dockerfile @@ -86,8 +86,8 @@ ENV CERT_C="US" \ CERT_OU="IT" \ CERT_CN="localhost" \ \ - CSP_DISPOSITION= \ - CSP_POLICY= \ + CSP_REPORT= \ + CSP_ENFORCE= \ \ SMTP_HOST="localhost" \ SMTP_USER="root" \ diff --git a/docker-compose.yml b/docker-compose.yml index ac545b9..a257efb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -373,8 +373,8 @@ services: - MAX_JVM_RAM_PERCENT=${MAX_JVM_RAM_PERCENT:-75.0} - JAVA_PRE_JAR_EXTRA=-XX:+UseSerialGC -Xss512k - - CSP_DISPOSITION=${CSP_DISPOSITION:-} - - CSP_POLICY=${CSP_POLICY:-} + - CSP_REPORT=${CSP_REPORT:-} + - CSP_ENFORCE=${CSP_ENFORCE:-} # - SMTP_HOST=mailhog # - SMTP_PORT=1025 diff --git a/entrypoint.sh b/entrypoint.sh index 334a017..8a6b4c6 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -21,8 +21,8 @@ LOG4J_CONFIG_FILE="${LOG4J_CONFIG_FILE:=log4j2.xml}" JSON_OUTPUT="${JSON_OUTPUT:-false}" # Content Security Policy settings -CSP_DISPOSITION="${CSP_DISPOSITION:-}" -CSP_POLICY="${CSP_POLICY:-}" +CSP_REPORT="${CSP_REPORT:-}" +CSP_ENFORCE="${CSP_ENFORCE:-}" # for ecs/datadog, optionally enable APM metrics DD_COLLECT_APM="${DD_COLLECT_APM:-false}" 
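Review bot: After the rename in entrypoint.sh (and the matching Dockerfile and docker-compose.yml hunks), a container that is still started with `CSP_DISPOSITION`/`CSP_POLICY` gets no CSP lines in application.properties and no message about it. Nothing visible in the patch reads the old names, so a short warning next to the new defaults would surface the change, for example `if [ -n "${CSP_DISPOSITION:-}${CSP_POLICY:-}" ]; then echo "CSP_DISPOSITION/CSP_POLICY are no longer read; use CSP_REPORT/CSP_ENFORCE" >&2; fi`. Whether any existing deployment still sets the old variables cannot be told from the patch.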
@@ -208,12 +208,13 @@ main() { sed -i "s/@@jdbcUser@@/${POSTGRES_USER:-postgres}/" config/application.properties sed -i "s/@@jdbcPassword@@/${POSTGRES_PASSWORD:-}/" config/application.properties - # only set up CSP if both vars are defined, otherwise ignore - # note: newlines in CSP_POLICY must be double-escaped (or can leave out entirely). - # ex: "default-src 'self' https: ;\\\nconnect-src 'self' https: ;\\\n... - if [ -n "$CSP_DISPOSITION" ] && [ -n "$CSP_POLICY" ]; then - echo "csp.disposition=$CSP_DISPOSITION\n" >> config/application.properties - echo "csp.policy=$CSP_POLICY\n" >> config/application.properties + # note: leave newlines out of CSP_REPORT/ENFORCE env vars + # ex: "default-src 'self' https: ; connect-src 'self' https: ; ..."" + if [ -n "$CSP_REPORT" ]; then + echo "csp.report=$CSP_REPORT\n" >> config/application.properties + fi + if [ -n "$CSP_ENFORCE" ]; then + echo "csp.enforce=$CSP_ENFORCE\n" >> config/application.properties fi sed -i "s/@@smtpHost@@/${SMTP_HOST}/" config/application.properties @@ -227,7 +228,7 @@ main() { sed -i "s/@@encryptionKey@@/${LABKEY_EK}/" config/application.properties echo "Purging secrets and other bits from environment variables..." - unset POSTGRES_USER POSTGRES_PASSWORD POSTGRES_HOST POSTGRES_PORT POSTGRES_DB POSTGRES_PARAMETERS CSP_DISPOSITION CSP_POLICY + unset POSTGRES_USER POSTGRES_PASSWORD POSTGRES_HOST POSTGRES_PORT POSTGRES_DB POSTGRES_PARAMETERS CSP_REPORT CSP_ENFORCE unset SMTP_HOST SMTP_USER SMTP_PORT SMTP_PASSWORD SMTP_AUTH SMTP_FROM SMTP_STARTTLS unset LABKEY_CREATE_INITIAL_USER LABKEY_CREATE_INITIAL_USER_APIKEY LABKEY_INITIAL_USER_APIKEY LABKEY_INITIAL_USER_EMAIL LABKEY_INITIAL_USER_GROUP LABKEY_INITIAL_USER_ROLE unset LABKEY_EK SLEEP From 0a8a91ceba66b727d6fcbabf96b20c2028e73c24 Mon Sep 17 00:00:00 2001 
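Review bot: The new `echo "csp.report=$CSP_REPORT\n"` and `echo "csp.enforce=$CSP_ENFORCE\n"` lines in main() keep the trailing `\n` inside the string, and what that writes depends on the shell. Bash's builtin echo emits a literal backslash-n at the end of the property value, while dash turns it into an extra blank line and also expands backslash sequences inside the value. `printf 'csp.report=%s\n' "$CSP_REPORT" >> config/application.properties` (and the same for `csp.enforce`) writes the value verbatim with a single newline under either shell. The comment asks operators to leave newlines out but nothing rejects them, so a value with an embedded newline would add further lines to application.properties; a `case` check that refuses such a value would close that gap. The script's shebang and the rest of main() are outside the hunk.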
From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com> Date: Fri, 12 Jan 2024 12:13:33 -0800 Subject: [PATCH 2/4] bump postgres version to 15 to match current deployments (#57) --- docker-compose.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index a257efb..7a155cb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -87,7 +87,7 @@ services: - SLEEP=${SLEEP:-0} pg-community: - image: postgres:13 + image: postgres:15 # deploy: # resources: # limits: @@ -198,7 +198,7 @@ services: - SLEEP=${SLEEP:-0} pg-allpg: - image: postgres:13 + image: postgres:15 # deploy: # resources: # limits: @@ -307,7 +307,7 @@ services: - SLEEP=${SLEEP:-0} pg-enterprise: - image: postgres:13 + image: postgres:15 # deploy: # resources: # limits: @@ -419,7 +419,7 @@ services: - SLEEP=${SLEEP:-0} pg-lims_starter: - image: postgres:13 + image: postgres:15 # deploy: # resources: # limits: From a5652a799961818ad0a94d789d02699d60ea9cda Mon Sep 17 00:00:00 2001 From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com> Date: Mon, 5 Feb 2024 15:27:19 -0800 Subject: [PATCH 3/4] bump openssl to 3.0.2-0ubuntu1.14 (#58) --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index c4e8577..3aaecd6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -149,7 +149,7 @@ RUN [ -n "${DEBUG}" ] && set -x; \ apt-get update; \ apt-get -yq --no-install-recommends install \ libtcnative-1=1.2.31-1build1 \ - openssl=3.0.2-0ubuntu1.12 \ + openssl=3.0.2-0ubuntu1.14 \ gettext-base=0.21-4ubuntu4 \ unzip=6.0-26ubuntu3.1 \ ; \ From 1e26e0747d3b062e46d72a37662d1d15416c425a Mon Sep 17 00:00:00 2001 From: labkey-stuartm <32204841+labkey-stuartm@users.noreply.github.com> Date: Wed, 7 Feb 2024 07:35:28 -0800 Subject: [PATCH 4/4] update application.props to disable shutdown actuator (#59) --- application.properties | 1 + 1 file changed, 1 insertion(+) 
diff --git a/application.properties b/application.properties index a4b6a05..6a811eb 100644 --- a/application.properties +++ b/application.properties @@ -151,6 +151,7 @@ management.endpoints.web.base-path=/ management.endpoints.enabled-by-default=false management.endpoint.health.enabled=true +management.endpoint.shutdown.enabled=false management.endpoints.web.exposure.include=health management.endpoints.jmx.exposure.exclude=*
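Review bot: The added `management.endpoint.shutdown.enabled=false` has no comment, and with `management.endpoints.enabled-by-default=false` two lines above it reads as redundant, so a later cleanup could drop it. A line such as `# explicit: the shutdown actuator must stay off even if enabled-by-default or exposure.include changes` would record the intent. If this file is loaded by Spring Boot, as the key names suggest, an environment variable or command-line property for the same key would still take precedence, so the file alone does not pin the setting.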