Merge pull request #163 from mendix/DES-4896_replace-ubuntu-with-ubi8

DES-4896 Replace Ubuntu with ubi8

Author: zlogic

.github/workflows/test.yml

@@ -9,50 +9,15 @@ on:
     branches: [ master ]
 
 jobs:
-  test-default:
-    name: Test with default parameters
-    runs-on: ubuntu-latest
-
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-
-      # Run the integration test script
-      - name: Run integration tests
-        run: sh ./.integrationtest.sh
-
-  test-bionic:
-    name: Test with a bionic rootfs
-    runs-on: ubuntu-latest
-
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-
-      # Switch to Ubuntu Bionic rootfs
-      - name: Switch to Ubuntu Bionic rootfs
-        run: |
-          echo -n "mendix/rootfs:bionic" > rootfs.version
-          echo -n "bionic" > docker-buildpack.version
-
-      # Run the integration test script
-      - name: Run integration tests
-        run: sh ./.integrationtest.sh
 
   test-ubi8:
     name: Test with a ubi8 rootfs
     runs-on: ubuntu-latest
 
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-
-      # Switch to ubi8 rootfs
-      - name: Switch to ubi8 rootfs
-        run: |
-          echo -n "mendix/rootfs:ubi8" > rootfs.version
-          echo -n "ubi8" > docker-buildpack.version
+      - uses: actions/checkout@v3
 
       # Run the integration test script
       - name: Run integration tests
-        run: sh ./.integrationtest.sh
+        run: sh tests/integrationtest.sh

.integrationtest.sh

@@ -3,8 +3,8 @@
 #
 # Author: Mendix Digital Ecosystems, [email protected]
 # Version: 2.1.0
-ARG ROOTFS_IMAGE=mendix/rootfs:ubi8
-ARG BUILDER_ROOTFS_IMAGE=mendix/rootfs:bionic
+ARG ROOTFS_IMAGE=mendix-rootfs:app
+ARG BUILDER_ROOTFS_IMAGE=mendix-rootfs:builder
 
 # Build stage
 FROM ${BUILDER_ROOTFS_IMAGE} AS builder
@@ -13,7 +13,7 @@ FROM ${BUILDER_ROOTFS_IMAGE} AS builder
 ARG BUILD_PATH=project
 ARG DD_API_KEY
 # CF buildpack version
-ARG CF_BUILDPACK=v4.30.14
+ARG CF_BUILDPACK=v4.30.17
 # CF buildpack download URL
 ARG CF_BUILDPACK_URL=https://github.com/mendix/cf-mendix-buildpack/releases/download/${CF_BUILDPACK}/cf-mendix-buildpack.zip
 
@@ -36,6 +36,7 @@ ARG USER_UID=1001
 # 6. Update permissions of /opt/mendix so that the app can run as a non-root user
 RUN mkdir -p /opt/mendix/buildpack /opt/mendix/build &&\
     ln -s /root /home/vcap &&\
+    mkdir -p /home/vcap/.local/bin && ln -s /etc/alternatives/pip3 /home/vcap/.local/bin/pip && pip3 install --upgrade pip &&\
     echo "Downloading CF Buildpack from ${CF_BUILDPACK_URL}" &&\
     curl -fsSL ${CF_BUILDPACK_URL} -o /tmp/cf-mendix-buildpack.zip && \
     python3 -m zipfile -e /tmp/cf-mendix-buildpack.zip /opt/mendix/buildpack/ &&\
@@ -44,7 +45,7 @@ RUN mkdir -p /opt/mendix/buildpack /opt/mendix/build &&\
     chmod -R g=u /opt/mendix
 
 # Copy python scripts which execute the buildpack (exporting the VCAP variables)
-COPY scripts/compilation scripts/git /opt/mendix/buildpack/
+COPY scripts/compilation.py scripts/git /opt/mendix/buildpack/
 
 # Copy project model/sources
 COPY $BUILD_PATH /opt/mendix/build
@@ -68,10 +69,10 @@ ENV NGINX_CUSTOM_BIN_PATH=/usr/sbin/nginx
 # 7. Update ownership of /opt/mendix so that the app can run as a non-root user
 # 8. Update permissions of /opt/mendix so that the app can run as a non-root user
 RUN mkdir -p /tmp/buildcache /tmp/cf-deps /var/mendix/build /var/mendix/build/.local &&\
-    chmod +rx /opt/mendix/buildpack/compilation /opt/mendix/buildpack/git /opt/mendix/buildpack/buildpack/stage.py &&\
+    chmod +rx /opt/mendix/buildpack/compilation.py /opt/mendix/buildpack/git /opt/mendix/buildpack/buildpack/stage.py &&\
     cd /opt/mendix/buildpack &&\
-    ./compilation /opt/mendix/build /tmp/buildcache /tmp/cf-deps 0 &&\
-    rm -fr /tmp/buildcache /tmp/javasdk /tmp/opt /tmp/downloads /opt/mendix/buildpack/compilation /opt/mendix/buildpack/git &&\
+    ./compilation.py /opt/mendix/build /tmp/buildcache /tmp/cf-deps 0 &&\
+    rm -fr /tmp/buildcache /tmp/javasdk /tmp/opt /tmp/downloads /opt/mendix/buildpack/compilation.py /opt/mendix/buildpack/git &&\
     ln -s /opt/mendix/.java /opt/mendix/build &&\
     chown -R ${USER_UID}:0 /opt/mendix /var/mendix &&\
     chmod -R g=u /opt/mendix /var/mendix
@@ -80,9 +81,6 @@ FROM ${ROOTFS_IMAGE}
 LABEL Author="Mendix Digital Ecosystems"
 LABEL maintainer="[email protected]"
 
-# Uninstall build-time dependencies to remove potentially vulnerable libraries
-ARG UNINSTALL_BUILD_DEPENDENCIES=true
-
 # Set the user ID
 ARG USER_UID=1001
 # Set the home path
@@ -92,17 +90,11 @@ ENV HOME=/opt/mendix/build
 RUN chmod g=u /etc/passwd &&\
     chown ${USER_UID}:0 /etc/passwd
 
-# Uninstall Ubuntu packages which are only required during build time
-RUN if [ "$UNINSTALL_BUILD_DEPENDENCIES" = "true" ] && grep -q ubuntu /etc/os-release ; then\
-        DEBIAN_FRONTEND=noninteractive apt-mark manual libfontconfig1 && \
-        DEBIAN_FRONTEND=noninteractive apt-get remove --purge --auto-remove -q -y wget curl libgdiplus ; \
-    fi
-
 # Add the buildpack modules
 ENV PYTHONPATH "/opt/mendix/buildpack/lib/:/opt/mendix/buildpack/:/opt/mendix/buildpack/lib/python3.6/site-packages/"
 
 # Copy start scripts
-COPY scripts/startup scripts/vcap_application.json /opt/mendix/build/
+COPY scripts/startup.py scripts/vcap_application.json /opt/mendix/build/
 
 # Create vcap home directory for Datadog configuration
 RUN mkdir -p /home/vcap /opt/datadog-agent/run &&\
@@ -114,7 +106,7 @@ RUN mkdir -p /home/vcap /opt/datadog-agent/run &&\
 # 2. Update ownership of /opt/mendix so that the app can run as a non-root user
 # 3. Update permissions of /opt/mendix so that the app can run as a non-root user
 # 4. Ensure that running Java 8 as root will still be able to load offline licenses
-RUN chmod +rx /opt/mendix/build/startup &&\
+RUN chmod +rx /opt/mendix/build/startup.py &&\
     chown -R ${USER_UID}:0 /opt/mendix &&\
     chmod -R g=u /opt/mendix &&\
     ln -s /opt/mendix/.java /root
@@ -139,4 +131,4 @@ WORKDIR /opt/mendix/build
 ENV PORT 8080
 EXPOSE $PORT
 
-ENTRYPOINT ["/opt/mendix/build/startup","/opt/mendix/buildpack/buildpack/start.py"]
+ENTRYPOINT ["/opt/mendix/build/startup.py"]

Dockerfile

@@ -2,7 +2,11 @@
 
 ![Test status](https://github.com/mendix/docker-mendix-buildpack/workflows/Test/badge.svg)
 
-The Mendix Buildpack for Docker (aka docker-mendix-buildpack) is an example project you can use to build and run your Mendix Application in a [Docker](https://www.docker.com/) container.
+The Mendix Buildpack for Docker (aka docker-mendix-buildpack) is an **example project** you can use to build and run your Mendix Application in a [Docker](https://www.docker.com/) container.
+
+**⚠️ Warning** If your pipeline is based on Docker Buildpack V4 or an earlier version, see the [upgrading from Docker Buildpack v4](upgrading-from-v4.md) document. To use Docker Buildpack v5, some changes will be required in your build process.
+
+For a Kubernetes native solution to run Mendix apps, see [Mendix for Private Cloud](https://www.mendix.com/evaluation-guide/app-lifecycle/mendix-for-private-cloud/).
 
 ## Try a sample mendix application
 
@@ -13,13 +17,17 @@ Open a terminal and run the following code:
 ```
 git clone --branch <TAG> --config core.autocrlf=false https://github.com/mendix/docker-mendix-buildpack
 cd docker-mendix-buildpack
-make get-sample
-make build-image
-make run-container
+tests/integrationtest.sh
 ```
 
 You can now open your browser [http://localhost:8080]([http://localhost:8080])
 
+### Scanning for vulnerabilities
+
+If you would like to run a vulnerability scanner (to get a baseline security score), please use the latest, LTS or MTS version of Mendix.
+
+Security patches are only available in the latest version of Mendix, and running a security scan on an outdated version might show CVEs that are already patched in the latest version.
+
 ## Uses cases scenarios:
 
 This project is a goto reference for the following scenarios :
@@ -31,35 +39,64 @@ This project is a goto reference for the following scenarios :
 
 ### Requirements
 
-* Docker 17.05 (Installation [here](https://docs.docker.com/engine/installation/))
+* Docker 20.10 (Installation [here](https://docs.docker.com/engine/installation/))
   * Earlier Docker versions are no longer compatible because they don't support multistage builds.
-    To use Docker versions below 17.05, download an earlier Mendix Docker Buildpack release, such as [v2.3.2](https://github.com/mendix/docker-mendix-buildpack/releases/tag/v2.3.2)
-* For preparing, a local installation of wget (for macOS)
+    To use Docker versions below 20.10, download an earlier Mendix Docker Buildpack release, such as [v2.3.2](https://github.com/mendix/docker-mendix-buildpack/releases/tag/v2.3.2)
+* For preparing, a local installation of `curl`
 * For local testing, make sure you can run the [docker-compose command](https://docs.docker.com/compose/install/)
+* A Mendix app based on Mendix 7 or a later version
 
 ## Usage
 
-### Compilation
+### Preparation: rootfs
+
+To save build time, the build pack needs a prebuilt rootfs containing the base OS and additional packages.
+This rootfs is based on [Red Hat Universal Base Image 8 minimal](https://developers.redhat.com/articles/ubi-faq) image.
+
+To build the rootfs, run the following commands
+
+```shell
+docker build -t <builder-root-fs-image-tag> -f rootfs-builder.dockerfile .
+docker build -t <app-root-fs-image-tag> -f rootfs-app.dockerfile .
+```
+
+The `builder` image contains packages required to build an app; the `app` image contains a reduced package set, containing only packages required to run a Mendix app.
+
+For example:
+
+```shell
+docker build -t mendix-rootfs:app -f rootfs-app.dockerfile .
+docker build -t mendix-rootfs:builder -f rootfs-builder.dockerfile .
+```
+
+This command needs to be done at least once on the builder OS.
+
+Building images on a licensed RHEL host will enable access to additional packages and Red Hat support.
+
+To reuse the rootfs image, push it to a private repository:
+
+```shell
+docker push <builder-root-fs-image-tag>
+docker push <app-root-fs-image-tag>
+```
+
+### Compile an app
 
 Before running the container, it is necessary to build the image with your application. This buildpack contains Dockerfile with a script that will compile your application using [cf-mendix-buildpack](https://github.com/mendix/cf-mendix-buildpack/).
 
 ```
-docker build 
+docker build \
   --build-arg BUILD_PATH=<mendix-project-location> \
-  --build-arg ROOTFS_IMAGE=<root-fs-image-tag> \
-  --build-arg BUILDER_ROOTFS_IMAGE=<root-fs-image-tag> \
-  --build-arg CF_BUILDPACK=<cf-buildpack-version> \
   --tag mendix/mendix-buildpack:v1.2 .
 ```
 
 For build you can provide next arguments:
 
 - **BUILD_PATH** indicates where the application model is located. It is a root directory of an unzipped .MDA or .MPK file. In the latter case, this is the directory where your .MPR file is located. Must be within [build context](https://docs.docker.com/engine/reference/commandline/build/#extended-description). Defaults to `./project`.
-- **ROOTFS_IMAGE** is a type of rootfs image. Defaults to `mendix/rootfs:ubi8` (Red Hat Universal Base Image 8). To use Ubuntu 18.04, change this to `mendix/rootfs:bionic`. It's also possible to use a custom rootfs image as described in [Advanced feature: full-build](#advanced-feature-full-build).
-- **BUILDER_ROOTFS_IMAGE** is a type of rootfs image used for downloading the Mendix app dependencies and compiling the Mendix app from source. Defaults to `mendix/rootfs:bionic`. It's also possible to use a custom rootfs image as described in [Advanced feature: full-build](#advanced-feature-full-build).
-- **CF_BUILDPACK** is a version of CloudFoundry buildpack. Defaults to `v4.30.14`. For stable pipelines, it's recommended to use a fixed version from **v4.30.14** and later. CloudFoundry buildpack versions below **v4.30.14** are not supported.
+- **ROOTFS_IMAGE** is a type of rootfs image. Defaults to `mendix-rootfs:app` (a locally prebuilt image).
+- **BUILDER_ROOTFS_IMAGE** is a type of rootfs image used for downloading the Mendix app dependencies and compiling the Mendix app from source. Defaults to `mendix-rootfs:builder` (a locally prebuilt image).
+- **CF_BUILDPACK** is a version of CloudFoundry buildpack. Defaults to `v4.30.17`. For stable pipelines, it's recommended to use a fixed version from **v4.30.17** and later. CloudFoundry buildpack versions below **v4.30.17** are not supported.
 - **EXCLUDE_LOGFILTER** will exclude the `mendix-logfilter` binary from the resulting Docker image if set to `true`. Defaults to `true`. Excluding `mendix-logfilter` will reduce the image size and remove a component that's not commonly used; the `LOG_RATELIMIT` environment variable option will be disabled.
-- **UNINSTALL_BUILD_DEPENDENCIES** will uninstall packages which are not needed to launch an app, and are only used during the build phase. Defaults to `true`. This option will remove several libraries which are known to have unpatched CVE vulnerabilities.
 - **CF_BUILDPACK_URL** specifies the URL where the CF buildpack should be downloaded from (for example, a local mirror). Defaults to `https://github.com/mendix/cf-mendix-buildpack/releases/download/${CF_BUILDPACK}/cf-mendix-buildpack.zip`. Specifying **CF_BUILDPACK_URL** will override the version from **CF_BUILDPACK**.
 - **BLOBSTORE** can be used to specify an alternative buildpack resource server (instead of the default Mendix CDN). For more information, see the [CF Buildpack offline settings](https://github.com/mendix/cf-mendix-buildpack#offline-buildpack-settings).
 - **BUILDPACK_XTRACE** can be used to enable CF Buildpack [debug logging](https://github.com/mendix/cf-mendix-buildpack#logging-and-debugging). Set this variable to `true` to enable debug logging.
@@ -190,7 +227,7 @@ environment:
 
 ### Configuring Custom Runtime Settings
 
-To configure any of the advanced [Custom Runtime Settings](https://world.mendix.com/display/refguide6/Custom+Settings) you can use setting name prefixed with `MXRUNTIME_` as an environment variable.
+To configure any of the advanced [Custom Runtime Settings](https://docs.mendix.com/refguide/custom-settings/) you can use setting name prefixed with `MXRUNTIME_` as an environment variable.
 
 For example, to configure the ConnectionPoolingMinIdle setting to value 10, you can set the following environment variable:
 
@@ -290,25 +327,6 @@ In case your environment does not support multi-line environment variables, a Ba
 
 This string should be set into the CERTIFICATE_AUTHORITIES_BASE64 environment variable.
 
-### Advanced feature: full-build
-
-To save build time, the build pack will normally use a pre-built rootfs from Docker Hub. This rootfs is prepared nightly by Mendix using [this](https://github.com/mendix/docker-mendix-buildpack/blob/master/Dockerfile.rootfs.bionic) Dockerfile. If you want to build the root-fs yourself you can use the following script:
-
-```
-docker build --build-arg BUILD_PATH=<mendix-project-location> \
-	-t <root-fs-image-tag> -f Dockerfile.rootfs.bionic .
-```
-
-After that you can build the target image with the next command:
-
-```
-docker build 
-  --build-arg BUILD_PATH=<mendix-project-location> \
-  --build-arg ROOTFS_IMAGE=<root-fs-image-tag> \
-  --build-arg BUILDER_ROOTFS_IMAGE=<builder-root-fs-image-tag> \
-```
-	-t mendix/mendix-buildpack:v1.2 .
-
 
 ### Industrial Edge Configuration File support
 
@@ -349,11 +367,11 @@ Contributions are welcomed:
 
 This was built with the following:
 
-* Docker version 18.06.3
+* Docker version 20.10
 
 ### Versioning
 
-We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/mendix/IBM-Watson-Connector-Kit/tags).
+We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/mendix/docker-mendix-buildpack/tags).
 
 ## License