Dockerfile-agent

#
#© Copyright IBM Corporation 2020, 2024
#
#Licensed under the Apache License, Version 2.0 (the "License");
#you may not use this file except in compliance with the License.
#You may obtain a copy of the License at
#
#http://www.apache.org/licenses/LICENSE-2.0
#
#Unless required by applicable law or agreed to in writing, software
#distributed under the License is distributed on an "AS IS" BASIS,
#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#See the License for the specific language governing permissions and
#limitations under the License.
#

ARG UBI_BASE_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal
ARG UBI_BASE_TAG=9.4-1227.1726694542
ARG GO_TOOLSET_IMAGE=registry.access.redhat.com/ubi9/go-toolset
ARG GO_TOOLSET_TAG=1.21.13-2.1729776560
ARG GO_WORKDIR=/opt/app-root/src/go/src/github.com/ibm-messaging/mq-container-mft
ARG JDK_BASE_IMAGE=registry.access.redhat.com/ubi8/openjdk-8
ARG JDK_BASE_TAG=1.20-2

###############################################################################
# Build stage to build Go code
###############################################################################
FROM $GO_TOOLSET_IMAGE:$GO_TOOLSET_TAG as gobuilder

ARG IMAGE_REVISION="Not specified"
ARG IMAGE_SOURCE="Not specified"
ARG IMAGE_TAG="Not specified"
ARG GO_WORKDIR

# Do everything as root. We will change the user at a later point
USER 0

# Don't use Proxy when download packages
RUN go env -w GOPROXY=direct

# Create a directory where compiled golang programs will be copied
RUN mkdir -p /run

# Set golang working directory
WORKDIR $GO_WORKDIR/

# Copy golang source code for compilation
COPY go.mod go.sum ./
COPY cmd ./cmd
COPY pkg/ ./pkg

# Build the required go programs and copy them to /run directory
RUN GOTOOLCHAIN=go1.21.3+auto go build -ldflags "-X \"main.ImageCreated=$(date --iso-8601=seconds)\" -X \"main.ImageRevision=$IMAGE_REVISION\" -X \"main.ImageSource=$IMAGE_SOURCE\" -X \"main.ImageTag=$IMAGE_TAG\"" -o /run/runagent ./cmd/runagent/ \
    && GOTOOLCHAIN=go1.21.3+auto go build -o /run/agentalive ./cmd/agentalive/ \
    && GOTOOLCHAIN=go1.21.3+auto go build -o /run/agentready ./cmd/agentready/ \
    && GOTOOLCHAIN=go1.21.3+auto go build -o /run/mqfts ./cmd/mqfts/ 

# Run unit tests
RUN GOTOOLCHAIN=go1.21.3+auto go test -v ./cmd/runagent

###############################################################################
# Build IBM MQ MFT Protocol Bridge Credential custom exit
###############################################################################
# Pull in the latest IBM JDK 8 to build Protocol Bridge Credential exit.
FROM $JDK_BASE_IMAGE:$JDK_BASE_TAG AS pbaexitbuilder

# Do everything as root. We will change the user at a later point
USER 0

RUN mkdir /credentialsexit
COPY ./credentialsexit /credentialsexit
# You will need to download com.ibm.wmqfte.exitroutines.api.jar from IBM MQ 
# Managed File Transfer Redistributable package and json-20240303.jar and 
# place them in /credentialsexit/BridgeCredentialExit/thirdparty directory.
RUN mkdir -p /credentialsexit/BridgeCredentialExit/bin  \
    && javac -source 1.8 -target 1.8 -cp "/credentialsexit/BridgeCredentialExit/thirdparty/*" -d /credentialsexit/BridgeCredentialExit/bin /credentialsexit/BridgeCredentialExit/src/com/ibm/bridgecredentialexit/ProtocolBridgeCustomCredentialExit.java \
    && cd /credentialsexit/BridgeCredentialExit/bin \
    && jar cvf com.ibm.wmq.bridgecredentialexit.jar com

###############################################################################
# Main build stage, to build MQMFT image
###############################################################################
FROM $UBI_BASE_IMAGE:$UBI_BASE_TAG AS mqmft

# Set environment variables so that any shell scripts can make use of them
ARG ARG_MQMFT_REDIST_FILE
ARG ARG_MQMFT_BFG_DATA

# Use a fixed path for BFG_DATA path. Agent configuration will always be created under 
# this path. If using a persistent volume, then volume must be mounted to this path. 
ENV BFG_DATA=/mnt/mftdata
ENV KEYSTORE_PATH=/run/keystores

# Envrionment variables passed
ENV ENV_BASE_IMAGE_NAME="Red Hat Universal Base Image"
ENV ENV_BASE_IMAGE_VERSION=$UBI_BASE_TAG
ENV ENV_MQ_BUILD_LEVEL=$ARG_MQMFT_BUILD_LEVEL
ENV ENV_MQ_VERSION=$ARG_MQMFT_VERSION

# Use a fixed path for system and user preferences. This is to avoid "System preferences 
# are unusable" exception. This path must be set via BFG_JVM_PROPERTIES environment variable
# while running image via docker/podman run command or via the deployment yaml in Kubernetes.
ENV JAVA_PREFS_SYSTEM_DIR="/jprefs/.java/.systemPrefs"
ENV JAVA_PREFS_USER_DIR="/jprefs/.java/.userPrefs"

# Meta information of our container image
LABEL summary="IBM MQ Managed File Transfer Agent"
LABEL description="Move files and messages"
LABEL vendor="IBM"
LABEL maintainer="IBM"
LABEL distribution-scope="Private"
LABEL authoritative-source-url="https://www.ibm.com/software/passportadvantage/"
LABEL url="https://www.ibm.com/products/mq/advanced"
LABEL io.openshift.tags="mq managed file transfer"
LABEL io.k8s.display-name="IBM MQ Managed File Transfer"
LABEL io.k8s.description="Moves files and messages"
LABEL base-image=$UBI_BASE_IMAGE
LABEL base-image-release=$UBI_BASE_TAG

# Do everything as root. We will change the user at a later point
USER 0

# Copy the MFT Redistributable Image into container.
# Copy the MQMFT Redistributable Package to temporary directory in the container
COPY $ARG_MQMFT_REDIST_FILE /tmp/$ARG_MQMFT_REDIST_FILE

# Install additional packages
RUN microdnf install -y bash \
    bc \
    ca-certificates \
    gawk \
    glibc-common \ 
    grep \
    ncurses-libs \
    passwd \
    procps-ng \
    sed \
    shadow-utils \
    tar \
    util-linux \
    which \
    file \
    findutils \
    glibc \
    && rm -rf /var/lib/apt/lists/* 

# Remove postfix key as it causes twistlock scan to log a non-compliance
# vulnerability
RUN rm -f /etc/pki/tls/private/postfix.key
# Add the Agent redistributable package
RUN mkdir -p /opt/mqm/mqft \
    && mv /tmp/$ARG_MQMFT_REDIST_FILE /opt/mqm/mqft \
    && cd /opt/mqm/mqft \
    && tar -xzf ./$ARG_MQMFT_REDIST_FILE \
    && rm -f ./$ARG_MQMFT_REDIST_FILE \
    && chown -R 1001:root /opt/mqm/*


# Copy go programs
COPY --from=gobuilder $GO_WORKDIR/run/runagent /run/
COPY --from=gobuilder $GO_WORKDIR/run/agentalive /run/
COPY --from=gobuilder $GO_WORKDIR/run/agentready /run/
COPY --from=gobuilder $GO_WORKDIR/run/mqfts /run/

# Set permissions on programs so that they can be run by any user.
RUN mkdir -p $BFG_DATA \
    && mkdir -p $KEYSTORE_PATH \
    && mkdir -p /mountpath \
    && chmod -R guo+rwx /mountpath \
    && mkdir -p ${JAVA_PREFS_SYSTEM_DIR} \
    && chmod -R guo+rwx ${JAVA_PREFS_SYSTEM_DIR} \
    && mkdir -p ${JAVA_PREFS_USER_DIR} \
    && chmod -R guo+rwx ${JAVA_PREFS_USER_DIR} \
    && chmod -R guo+rwx $BFG_DATA \
    && chmod -R guo+rwx $KEYSTORE_PATH \
    && chgrp -Rf root /run/runagent \
    && chmod -Rf guo+rwx /run/runagent \
    && chgrp -Rf root /run/agentalive \
    && chmod -Rf guo+rwx /run/agentalive \
    && chgrp -Rf root /run/agentready \
    && chmod -Rf guo+rwx /run/agentready \
    && chgrp -Rf root /run/mqfts \
    && chmod -Rf guo+rwx /run/mqfts \
    && mkdir -p /customexits/mqft/pbaexit \
    && chmod -R guo+rwx /customexits/* \
    && chown -R 1001:root /customexits/*

# Copy the Bridge Credential Exit into container.
COPY --from=pbaexitbuilder /credentialsexit/BridgeCredentialExit/bin/com.ibm.wmq.bridgecredentialexit.jar /customexits/mqft/pbaexit/com.ibm.wmq.bridgecredentialexit.jar
COPY ./credentialsexit/BridgeCredentialExit/thirdparty/json-20240303.jar /customexits/mqft/pbaexit/org.json.jar

# Set path so that we can run our programs
ENV PATH=$PATH:/opt/mqm/mqft/bin:/opt/mqm/mqft/java/jre64/jre/bin:/opt/mqm/bin:/run

# We will use USER ID 1001
USER 1001

# Call our entry point
ENTRYPOINT ["runagent"]