Commit 05474b5e authored by caiyanming's avatar caiyanming

update java.security and gerrity-entrypoint.sh

parent 5477db32
......@@ -2,6 +2,9 @@ FROM openfrontier/gerrit:latest
MAINTAINER xt <caiym@schbrain.com>
COPY jre/java.security /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/java.security
COPY gerrit-entrypoint.sh /
COPY gerrit-create-user.sh /usr/local/bin/gerrit-create-user.sh
COPY gerrit-upload-ssh-key.sh /usr/local/bin/gerrit-upload-ssh-key.sh
COPY gerrit-init.nohup /docker-entrypoint-init.d/gerrit-init.nohup
#!/usr/bin/env sh
set -e
set_gerrit_config() {
su-exec ${GERRIT_USER} git config -f "${GERRIT_SITE}/etc/gerrit.config" "$@"
}
set_secure_config() {
su-exec ${GERRIT_USER} git config -f "${GERRIT_SITE}/etc/secure.config" "$@"
}
wait_for_database() {
echo "Waiting for database connection $1:$2 ..."
until nc -z $1 $2; do
sleep 1
done
# Wait to avoid "panic: Failed to open sql connection pq: the database system is starting up"
sleep 1
}
if [ -n "${JAVA_HEAPLIMIT}" ]; then
JAVA_MEM_OPTIONS="-Xmx${JAVA_HEAPLIMIT}"
fi
if [ "$1" = "/gerrit-start.sh" ]; then
# If you're mounting ${GERRIT_SITE} to your host, you this will default to root.
# This obviously ensures the permissions are set correctly for when gerrit starts.
find "${GERRIT_SITE}/" ! -user `id -u ${GERRIT_USER}` -exec chown ${GERRIT_USER} {} \;
# Initialize Gerrit if ${GERRIT_SITE}/git is empty.
if [ -z "$(ls -A "$GERRIT_SITE/git")" ]; then
echo "First time initialize gerrit..."
su-exec ${GERRIT_USER} java ${JAVA_OPTIONS} ${JAVA_MEM_OPTIONS} -jar "${GERRIT_WAR}" init --batch --no-auto-start -d "${GERRIT_SITE}" ${GERRIT_INIT_ARGS}
#All git repositories must be removed when database is set as postgres or mysql
#in order to be recreated at the secondary init below.
#Or an execption will be thrown on secondary init.
[ ${#DATABASE_TYPE} -gt 0 ] && rm -rf "${GERRIT_SITE}/git"
fi
# Install external plugins
su-exec ${GERRIT_USER} cp -f ${GERRIT_HOME}/delete-project.jar ${GERRIT_SITE}/plugins/delete-project.jar
su-exec ${GERRIT_USER} cp -f ${GERRIT_HOME}/events-log.jar ${GERRIT_SITE}/plugins/events-log.jar
su-exec ${GERRIT_USER} cp -f ${GERRIT_HOME}/importer.jar ${GERRIT_SITE}/plugins/importer.jar
# Provide a way to customise this image
echo
for f in /docker-entrypoint-init.d/*; do
case "$f" in
*.sh) echo "$0: running $f"; source "$f" ;;
*.nohup) echo "$0: running $f"; nohup "$f" & ;;
*) echo "$0: ignoring $f" ;;
esac
echo
done
#Customize gerrit.config
#Section gerrit
[ -z "${WEBURL}" ] || set_gerrit_config gerrit.canonicalWebUrl "${WEBURL}"
[ -z "${GITHTTPURL}" ] || set_gerrit_config gerrit.gitHttpUrl "${GITHTTPURL}"
#Section sshd
[ -z "${LISTEN_ADDR}" ] || set_gerrit_config sshd.listenAddress "${LISTEN_ADDR}"
#Section database
if [ "${DATABASE_TYPE}" = 'postgresql' ]; then
set_gerrit_config database.type "${DATABASE_TYPE}"
[ -z "${DB_PORT_5432_TCP_ADDR}" ] || set_gerrit_config database.hostname "${DB_PORT_5432_TCP_ADDR}"
[ -z "${DB_PORT_5432_TCP_PORT}" ] || set_gerrit_config database.port "${DB_PORT_5432_TCP_PORT}"
[ -z "${DB_ENV_POSTGRES_DB}" ] || set_gerrit_config database.database "${DB_ENV_POSTGRES_DB}"
[ -z "${DB_ENV_POSTGRES_USER}" ] || set_gerrit_config database.username "${DB_ENV_POSTGRES_USER}"
[ -z "${DB_ENV_POSTGRES_PASSWORD}" ] || set_secure_config database.password "${DB_ENV_POSTGRES_PASSWORD}"
fi
#Section database
if [ "${DATABASE_TYPE}" = 'mysql' ]; then
set_gerrit_config database.type "${DATABASE_TYPE}"
[ -z "${DB_PORT_3306_TCP_ADDR}" ] || set_gerrit_config database.hostname "${DB_PORT_3306_TCP_ADDR}"
[ -z "${DB_PORT_3306_TCP_PORT}" ] || set_gerrit_config database.port "${DB_PORT_3306_TCP_PORT}"
[ -z "${DB_ENV_MYSQL_DB}" ] || set_gerrit_config database.database "${DB_ENV_MYSQL_DB}"
[ -z "${DB_ENV_MYSQL_USER}" ] || set_gerrit_config database.username "${DB_ENV_MYSQL_USER}"
[ -z "${DB_ENV_MYSQL_PASSWORD}" ] || set_secure_config database.password "${DB_ENV_MYSQL_PASSWORD}"
fi
#Section auth
[ -z "${AUTH_TYPE}" ] || set_gerrit_config auth.type "${AUTH_TYPE}"
[ -z "${AUTH_HTTP_HEADER}" ] || set_gerrit_config auth.httpHeader "${AUTH_HTTP_HEADER}"
[ -z "${AUTH_EMAIL_FORMAT}" ] || set_gerrit_config auth.emailFormat "${AUTH_EMAIL_FORMAT}"
if [ -z "${AUTH_GIT_BASIC_AUTH_POLICY}" ]; then
case "${AUTH_TYPE}" in
LDAP|LDAP_BIND)
set_gerrit_config auth.gitBasicAuthPolicy "LDAP"
;;
HTTP|HTTP_LDAP)
set_gerrit_config auth.gitBasicAuthPolicy "${AUTH_TYPE}"
;;
*)
esac
else
set_gerrit_config auth.gitBasicAuthPolicy "${AUTH_GIT_BASIC_AUTH_POLICY}"
fi
# Set OAuth provider
if [ "${AUTH_TYPE}" = 'OAUTH' ]; then
[ -z "${AUTH_GIT_OAUTH_PROVIDER}" ] || set_gerrit_config auth.gitOAuthProvider "${AUTH_GIT_OAUTH_PROVIDER}"
fi
if [ -z "${AUTH_TYPE}" ] || [ "${AUTH_TYPE}" = 'OpenID' ] || [ "${AUTH_TYPE}" = 'OpenID_SSO' ]; then
[ -z "${AUTH_ALLOWED_OPENID}" ] || set_gerrit_config auth.allowedOpenID "${AUTH_ALLOWED_OPENID}"
[ -z "${AUTH_TRUSTED_OPENID}" ] || set_gerrit_config auth.trustedOpenID "${AUTH_TRUSTED_OPENID}"
[ -z "${AUTH_OPENID_DOMAIN}" ] || set_gerrit_config auth.openIdDomain "${AUTH_OPENID_DOMAIN}"
fi
#Section ldap
if [ "${AUTH_TYPE}" = 'LDAP' ] || [ "${AUTH_TYPE}" = 'LDAP_BIND' ] || [ "${AUTH_TYPE}" = 'HTTP_LDAP' ]; then
[ -z "${LDAP_SERVER}" ] || set_gerrit_config ldap.server "${LDAP_SERVER}"
[ -z "${LDAP_SSLVERIFY}" ] || set_gerrit_config ldap.sslVerify "${LDAP_SSLVERIFY}"
[ -z "${LDAP_GROUPSVISIBLETOALL}" ] || set_gerrit_config ldap.groupsVisibleToAll "${LDAP_GROUPSVISIBLETOALL}"
[ -z "${LDAP_USERNAME}" ] || set_gerrit_config ldap.username "${LDAP_USERNAME}"
[ -z "${LDAP_PASSWORD}" ] || set_secure_config ldap.password "${LDAP_PASSWORD}"
[ -z "${LDAP_REFERRAL}" ] || set_gerrit_config ldap.referral "${LDAP_REFERRAL}"
[ -z "${LDAP_READTIMEOUT}" ] || set_gerrit_config ldap.readTimeout "${LDAP_READTIMEOUT}"
[ -z "${LDAP_ACCOUNTBASE}" ] || set_gerrit_config ldap.accountBase "${LDAP_ACCOUNTBASE}"
[ -z "${LDAP_ACCOUNTSCOPE}" ] || set_gerrit_config ldap.accountScope "${LDAP_ACCOUNTSCOPE}"
[ -z "${LDAP_ACCOUNTPATTERN}" ] || set_gerrit_config ldap.accountPattern "${LDAP_ACCOUNTPATTERN}"
[ -z "${LDAP_ACCOUNTFULLNAME}" ] || set_gerrit_config ldap.accountFullName "${LDAP_ACCOUNTFULLNAME}"
[ -z "${LDAP_ACCOUNTEMAILADDRESS}" ] || set_gerrit_config ldap.accountEmailAddress "${LDAP_ACCOUNTEMAILADDRESS}"
[ -z "${LDAP_ACCOUNTSSHUSERNAME}" ] || set_gerrit_config ldap.accountSshUserName "${LDAP_ACCOUNTSSHUSERNAME}"
[ -z "${LDAP_ACCOUNTMEMBERFIELD}" ] || set_gerrit_config ldap.accountMemberField "${LDAP_ACCOUNTMEMBERFIELD}"
[ -z "${LDAP_FETCHMEMBEROFEAGERLY}" ] || set_gerrit_config ldap.fetchMemberOfEagerly "${LDAP_FETCHMEMBEROFEAGERLY}"
[ -z "${LDAP_GROUPBASE}" ] || set_gerrit_config ldap.groupBase "${LDAP_GROUPBASE}"
[ -z "${LDAP_GROUPSCOPE}" ] || set_gerrit_config ldap.groupScope "${LDAP_GROUPSCOPE}"
[ -z "${LDAP_GROUPPATTERN}" ] || set_gerrit_config ldap.groupPattern "${LDAP_GROUPPATTERN}"
[ -z "${LDAP_GROUPMEMBERPATTERN}" ] || set_gerrit_config ldap.groupMemberPattern "${LDAP_GROUPMEMBERPATTERN}"
[ -z "${LDAP_GROUPNAME}" ] || set_gerrit_config ldap.groupName "${LDAP_GROUPNAME}"
[ -z "${LDAP_LOCALUSERNAMETOLOWERCASE}" ] || set_gerrit_config ldap.localUsernameToLowerCase "${LDAP_LOCALUSERNAMETOLOWERCASE}"
[ -z "${LDAP_AUTHENTICATION}" ] || set_gerrit_config ldap.authentication "${LDAP_AUTHENTICATION}"
[ -z "${LDAP_USECONNECTIONPOOLING}" ] || set_gerrit_config ldap.useConnectionPooling "${LDAP_USECONNECTIONPOOLING}"
[ -z "${LDAP_CONNECTTIMEOUT}" ] || set_gerrit_config ldap.connectTimeout "${LDAP_CONNECTTIMEOUT}"
fi
#Section OAUTH general
if [ "${AUTH_TYPE}" = 'OAUTH' ] ; then
su-exec ${GERRIT_USER} cp -f ${GERRIT_HOME}/gerrit-oauth-provider.jar ${GERRIT_SITE}/plugins/gerrit-oauth-provider.jar
[ -z "${OAUTH_ALLOW_EDIT_FULL_NAME}" ] || set_gerrit_config oauth.allowEditFullName "${OAUTH_ALLOW_EDIT_FULL_NAME}"
[ -z "${OAUTH_ALLOW_REGISTER_NEW_EMAIL}" ] || set_gerrit_config oauth.allowRegisterNewEmail "${OAUTH_ALLOW_REGISTER_NEW_EMAIL}"
# Google
[ -z "${OAUTH_GOOGLE_RESTRICT_DOMAIN}" ] || set_gerrit_config plugin.gerrit-oauth-provider-google-oauth.domain "${OAUTH_GOOGLE_RESTRICT_DOMAIN}"
[ -z "${OAUTH_GOOGLE_CLIENT_ID}" ] || set_gerrit_config plugin.gerrit-oauth-provider-google-oauth.client-id "${OAUTH_GOOGLE_CLIENT_ID}"
[ -z "${OAUTH_GOOGLE_CLIENT_SECRET}" ] || set_gerrit_config plugin.gerrit-oauth-provider-google-oauth.client-secret "${OAUTH_GOOGLE_CLIENT_SECRET}"
[ -z "${OAUTH_GOOGLE_LINK_OPENID}" ] || set_gerrit_config plugin.gerrit-oauth-provider-google-oauth.link-to-existing-openid-accounts "${OAUTH_GOOGLE_LINK_OPENID}"
[ -z "${OAUTH_GOOGLE_USE_EMAIL_AS_USERNAME}" ] || set_gerrit_config plugin.gerrit-oauth-provider-google-oauth.use-email-as-username "${OAUTH_GOOGLE_USE_EMAIL_AS_USERNAME}"
# Github
[ -z "${OAUTH_GITHUB_CLIENT_ID}" ] || set_gerrit_config plugin.gerrit-oauth-provider-github-oauth.client-id "${OAUTH_GITHUB_CLIENT_ID}"
[ -z "${OAUTH_GITHUB_CLIENT_SECRET}" ] || set_gerrit_config plugin.gerrit-oauth-provider-github-oauth.client-secret "${OAUTH_GITHUB_CLIENT_SECRET}"
# GitLab
[ -z "${OAUTH_GITLAB_ROOT_URL}" ] || set_gerrit_config plugin.gerrit-oauth-provider-gitlab-oauth.root-url "${OAUTH_GITLAB_ROOT_URL}"
[ -z "${OAUTH_GITLAB_CLIENT_ID}" ] || set_gerrit_config plugin.gerrit-oauth-provider-gitlab-oauth.client-id "${OAUTH_GITLAB_CLIENT_ID}"
[ -z "${OAUTH_GITLAB_CLIENT_SECRET}" ] || set_gerrit_config plugin.gerrit-oauth-provider-gitlab-oauth.client-secret "${OAUTH_GITLAB_CLIENT_SECRET}"
# Bitbucket
[ -z "${OAUTH_BITBUCKET_CLIENT_ID}" ] || set_gerrit_config plugin.gerrit-oauth-provider-bitbucket-oauth.client-id "${OAUTH_BITBUCKET_CLIENT_ID}"
[ -z "${OAUTH_BITBUCKET_CLIENT_SECRET}" ] || set_gerrit_config plugin.gerrit-oauth-provider-bitbucket-oauth.client-secret "${OAUTH_BITBUCKET_CLIENT_SECRET}"
[ -z "${OAUTH_BITBUCKET_FIX_LEGACY_USER_ID}" ] || set_gerrit_config plugin.gerrit-oauth-provider-bitbucket-oauth.fix-legacy-user-id "${OAUTH_BITBUCKET_FIX_LEGACY_USER_ID}"
fi
#Section container
[ -z "${JAVA_HEAPLIMIT}" ] || set_gerrit_config container.heapLimit "${JAVA_HEAPLIMIT}"
[ -z "${JAVA_OPTIONS}" ] || set_gerrit_config container.javaOptions "${JAVA_OPTIONS}"
[ -z "${JAVA_SLAVE}" ] || set_gerrit_config container.slave "${JAVA_SLAVE}"
#Section sendemail
if [ -z "${SMTP_SERVER}" ]; then
set_gerrit_config sendemail.enable false
else
set_gerrit_config sendemail.enable true
set_gerrit_config sendemail.smtpServer "${SMTP_SERVER}"
if [ "smtp.gmail.com" = "${SMTP_SERVER}" ]; then
echo "gmail detected, using default port and encryption"
set_gerrit_config sendemail.smtpServerPort 587
set_gerrit_config sendemail.smtpEncryption tls
fi
[ -z "${SMTP_SERVER_PORT}" ] || set_gerrit_config sendemail.smtpServerPort "${SMTP_SERVER_PORT}"
[ -z "${SMTP_USER}" ] || set_gerrit_config sendemail.smtpUser "${SMTP_USER}"
[ -z "${SMTP_PASS}" ] || set_secure_config sendemail.smtpPass "${SMTP_PASS}"
[ -z "${SMTP_ENCRYPTION}" ] || set_gerrit_config sendemail.smtpEncryption "${SMTP_ENCRYPTION}"
[ -z "${SMTP_CONNECT_TIMEOUT}" ] || set_gerrit_config sendemail.connectTimeout "${SMTP_CONNECT_TIMEOUT}"
[ -z "${SMTP_FROM}" ] || set_gerrit_config sendemail.from "${SMTP_FROM}"
fi
#Section user
[ -z "${USER_NAME}" ] || set_gerrit_config user.name "${USER_NAME}"
[ -z "${USER_EMAIL}" ] || set_gerrit_config user.email "${USER_EMAIL}"
[ -z "${USER_ANONYMOUS_COWARD}" ] || set_gerrit_config user.anonymousCoward "${USER_ANONYMOUS_COWARD}"
#Section plugins
set_gerrit_config plugins.allowRemoteAdmin true
#Section plugin events-log
set_gerrit_config plugin.events-log.storeUrl "jdbc:h2:${GERRIT_SITE}/db/ChangeEvents"
#Section httpd
[ -z "${HTTPD_LISTENURL}" ] || set_gerrit_config httpd.listenUrl "${HTTPD_LISTENURL}"
#Section gitweb
case "$GITWEB_TYPE" in
"gitiles") su-exec $GERRIT_USER cp -f $GERRIT_HOME/gitiles.jar $GERRIT_SITE/plugins/gitiles.jar ;;
"") # Gitweb by default
set_gerrit_config gitweb.cgi "/usr/share/gitweb/gitweb.cgi"
export GITWEB_TYPE=gitweb
;;
esac
set_gerrit_config gitweb.type "$GITWEB_TYPE"
case "${DATABASE_TYPE}" in
#postgresql) wait_for_database ${DB_PORT_5432_TCP_ADDR} ${DB_PORT_5432_TCP_PORT} ;;
#mysql) wait_for_database ${DB_PORT_3306_TCP_ADDR} ${DB_PORT_3306_TCP_PORT} ;;
*) ;;
esac
echo "Upgrading gerrit..."
su-exec ${GERRIT_USER} java ${JAVA_OPTIONS} ${JAVA_MEM_OPTIONS} -jar "${GERRIT_WAR}" init --batch -d "${GERRIT_SITE}" ${GERRIT_INIT_ARGS}
if [ $? -eq 0 ]; then
GERRIT_VERSIONFILE="${GERRIT_SITE}/gerrit_version"
if [ -n "${IGNORE_VERSIONCHECK}" ]; then
echo "Don't perform a version check and never do a full reindex"
NEED_REINDEX=0
else
# check whether its a good idea to do a full upgrade
NEED_REINDEX=1
echo "Checking version file ${GERRIT_VERSIONFILE}"
if [ -f "${GERRIT_VERSIONFILE}" ]; then
OLD_GERRIT_VER="V$(cat ${GERRIT_VERSIONFILE})"
GERRIT_VER="V${GERRIT_VERSION}"
echo " have old gerrit version ${OLD_GERRIT_VER}"
if [ "${OLD_GERRIT_VER}" == "${GERRIT_VER}" ]; then
echo " same gerrit version, no upgrade necessary ${OLD_GERRIT_VER} == ${GERRIT_VER}"
NEED_REINDEX=0
else
echo " gerrit version mismatch #${OLD_GERRIT_VER}# != #${GERRIT_VER}#"
fi
else
echo " gerrit version file does not exist, upgrade necessary"
fi
fi
if [ ${NEED_REINDEX} -eq 1 ]; then
echo "Reindexing..."
su-exec ${GERRIT_USER} java ${JAVA_OPTIONS} ${JAVA_MEM_OPTIONS} -jar "${GERRIT_WAR}" reindex --verbose -d "${GERRIT_SITE}"
if [ $? -eq 0 ]; then
echo "Upgrading is OK. Writing versionfile ${GERRIT_VERSIONFILE}"
su-exec ${GERRIT_USER} touch "${GERRIT_VERSIONFILE}"
su-exec ${GERRIT_USER} echo "${GERRIT_VERSION}" > "${GERRIT_VERSIONFILE}"
echo "${GERRIT_VERSIONFILE} written."
else
echo "Upgrading fail!"
fi
fi
else
echo "Something wrong..."
cat "${GERRIT_SITE}/logs/error_log"
fi
fi
exec "$@"
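Review bot: The OAuth client secrets (the four `plugin.gerrit-oauth-provider-*-oauth.client-secret` lines in the OAUTH section) are written with set_gerrit_config, i.e. into gerrit.config, while every other credential in this script — database.password, ldap.password, sendemail.smtpPass — goes through set_secure_config into secure.config; Gerrit overlays secure.config on gerrit.config, so changing those four lines to `set_secure_config`, e.g. `[ -z "${OAUTH_GITHUB_CLIENT_SECRET}" ] || set_secure_config plugin.gerrit-oauth-provider-github-oauth.client-secret "${OAUTH_GITHUB_CLIENT_SECRET}"`, keeps them out of the file that is routinely shared or committed. Separately, with `set -e` at the top the `if [ $? -eq 0 ]` checks after the `init` and `reindex` invocations never observe a non-zero status — a failing java run terminates the script before the test — so the "Something wrong..." branch that prints error_log is unreachable; writing the call as the condition, `if su-exec ${GERRIT_USER} java ${JAVA_OPTIONS} ${JAVA_MEM_OPTIONS} -jar "${GERRIT_WAR}" init --batch -d "${GERRIT_SITE}" ${GERRIT_INIT_ARGS}; then` (and likewise for reindex), keeps that diagnostic path live. Finally, `plugins.allowRemoteAdmin true` is the one setting applied unconditionally rather than gated on an environment variable like its neighbours; since it enables remote plugin installation over REST/SSH for server administrators, a guard in the same style, `[ -z "${GERRIT_ALLOW_REMOTE_ADMIN}" ] || set_gerrit_config plugins.allowRemoteAdmin "${GERRIT_ALLOW_REMOTE_ADMIN}"` (variable name is a suggestion), would let deployments opt in explicitly.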