WIP: Run activemq container as non root

assembly/src/docker/Dockerfile

@@ -15,31 +15,87 @@
 #  See the License for the specific language governing permissions and
 # limitations under the License.
 ################################################################################
+FROM debian:bookworm-slim AS amq_tpl
+# activemq_dist can point to a directory or a tarball on the local system
+ARG activemq_dist=NOT_SET
+ARG ACTIVEMQ_WEB_DEFAULT_USER=admin
+ARG ACTIVEMQ_WEB_DEFAULT_PASSWORD=admin
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Prepare ActiveMQ distribution
+ADD $activemq_dist /
+
+RUN mv /apache-activemq-* /apache-activemq
+WORKDIR /apache-activemq
+RUN apt-get update && apt-get install xmlstarlet -y
+RUN xmlstarlet ed -L \
+  -N d='http://www.springframework.org/schema/beans' \
+  -N a='http://activemq.apache.org/schema/core' \
+  -d '//comment()' \
+  -s '/d:beans/a:broker' -t elem -n plugins \
+  -s '/d:beans/a:broker/plugins' -t elem -n simpleAuthenticationPlugin \
+  -s '/d:beans/a:broker/plugins/simpleAuthenticationPlugin' -t elem -n users \
+  -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin' -t attr -name anonymousAccessAllowed -v true \
+  -s '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users' -t elem -n authenticationUser \
+  -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users/authenticationUser' -t attr -n username -v '${activemq.username}' \
+  -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users/authenticationUser' -t attr -name password -v '${activemq.password}' \
+  -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users/authenticationUser' -t attr -name groups -v '${activemq.groups}' \
+  conf/activemq.xml
+RUN xmlstarlet ed -L \
+  -N d='http://www.springframework.org/schema/beans' \
+  -N a='http://activemq.apache.org/schema/core' \
+  -u '/d:beans/a:broker/a:managementContext/a:managementContext/@createConnector' -v '${activemq.jmx.enabled}' \
+  conf/activemq.xml
+# Configure default web console authentication for ActiveMQ 5.x and 6.x
+RUN if [ -n "$ACTIVEMQ_WEB_DEFAULT_USER" ]; then \
+    sed -i "s/admin=/${ACTIVEMQ_WEB_DEFAULT_USER}=/g" conf/users.properties; \
+    sed -i "s/=admin/=${ACTIVEMQ_WEB_DEFAULT_USER}/g" conf/groups.properties; \
+    fi; \
+    if [ -n "$ACTIVEMQ_WEB_DEFAULT_PASSWORD" ]; then \
+    sed -i "s/=admin/=${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/g" conf/users.properties; \
+    fi; \
+    if [ -f conf/jetty-realm.properties ]; then \
+    sed -i "s/admin: admin/${ACTIVEMQ_WEB_DEFAULT_USER}: ${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/" conf/jetty-realm.properties; \
+    fi
+RUN rm conf/credentials.properties && touch conf/credentials.properties && \
+    mkdir tmp && \
+    chmod -R g+w conf data tmp
 
 FROM eclipse-temurin:17-jre
+ARG ACTIVEMQ_USERNAME=activemq
+ARG ACTIVEMQ_GROUPNAME=activemq
+ARG ACTIVEMQ_WEB_DEFAULT_USER=admin
+ARG ACTIVEMQ_WEB_DEFAULT_PASSWORD=admin
 
 # ActiveMQ environment variables
-ENV ACTIVEMQ_INSTALL_PATH /opt
-ENV ACTIVEMQ_HOME $ACTIVEMQ_INSTALL_PATH/apache-activemq
-ENV ACTIVEMQ_CONF $ACTIVEMQ_HOME/conf
-ENV ACTIVEMQ_OPTS_MEMORY -Xms64M -Xmx1G
-ENV ACTIVEMQ_EXEC exec
-ENV PATH $PATH:$ACTIVEMQ_HOME/bin
+ENV ACTIVEMQ_INSTALL_PATH=/opt
+ENV ACTIVEMQ_HOME=$ACTIVEMQ_INSTALL_PATH/apache-activemq
+ENV ACTIVEMQ_CONF=$ACTIVEMQ_HOME/conf
+ENV ACTIVEMQ_OPTS_MEMORY="-Xms64M -Xmx1G"
+ENV ACTIVEMQ_EXEC=exec
+ENV PATH=$PATH:$ACTIVEMQ_HOME/bin
+ENV ACTIVEMQ_CONNECTION_USER=system
+ENV ACTIVEMQ_CONNECTION_GROUPS=users
+ENV ACTIVEMQ_CONNECTION_PASSWORD=manager
+ENV ACTIVEMQ_JMX_ENABLED=false
+ENV ACTIVEMQ_WEB_DEFAULT_USER=$ACTIVEMQ_WEB_DEFAULT_USER
+ENV ACTIVEMQ_WEB_DEFAULT_PASSWORD=$ACTIVEMQ_WEB_DEFAULT_PASSWORD
+
 # Make the Web console accesible from outside the container
-ENV ACTIVEMQ_OPTS $ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0
+ENV ACTIVEMQ_OPTS='$ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.groups=$ACTIVEMQ_CONNECTION_GROUPS -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD -Dactivemq.jmx.enabled=$ACTIVEMQ_JMX_ENABLED'
 #WORKDIR $ACTIVEMQ_HOME
 
-# activemq_dist can point to a directory or a tarball on the local system
-ARG activemq_dist=NOT_SET
+RUN groupadd --system ${ACTIVEMQ_GROUPNAME} && \
+    useradd -l --system -g ${ACTIVEMQ_GROUPNAME} -d ${ACTIVEMQ_HOME} -s /bin/false ${ACTIVEMQ_USERNAME}
 
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY --from=amq_tpl --chown=:${ACTIVEMQ_GROUPNAME} /apache-activemq $ACTIVEMQ_INSTALL_PATH/apache-activemq
 
-# Install build dependencies and activemq
-ADD $activemq_dist $ACTIVEMQ_INSTALL_PATH
-RUN set -x && \
-  cp -r $ACTIVEMQ_INSTALL_PATH/apache-activemq-* $ACTIVEMQ_HOME && \
-	rm -r $ACTIVEMQ_INSTALL_PATH/apache-activemq-*
+RUN chmod 600 ${ACTIVEMQ_HOME}/conf/jmx.password && \
+    chown ${ACTIVEMQ_USERNAME}:${ACTIVEMQ_GROUPNAME} ${ACTIVEMQ_HOME}/conf/jmx.password
 
+USER ${ACTIVEMQ_USERNAME}
 EXPOSE 8161 61616 5672 61613 1883 61614 1099
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 CMD ["activemq", "console"]

assembly/src/docker/README.md

@@ -158,9 +158,13 @@ Edit the `docker-compose.yml` file to edit port settings.
 
 | Environment Variable | Description |
 |----------------------|-------------|
-| `ACTIVEMQ_CONNECTION_USER` | Username to access transport connector on the broker (JMS, ...). If not set, no user and password are required |
+| `ACTIVEMQ_CONNECTION_USER` | Username to access transport connector on the broker (JMS, ...). If not set, no user and password are required. |
 | `ACTIVEMQ_CONNECTION_PASSWORD` | Password to access transport connector on the broker (JMS, ...). It should be used with `ACTIVEMQ_CONNECTION_USER`. |
+| `ACTIVEMQ_CONNECTION_GROUPS` | Comma-separated list of groups to which the user belongs. |
 | `ACTIVEMQ_JMX_USER` | Username to access the JMX MBean server of the broker. If set, ActiveMQ accepts remote JMX connection, else, only local connection are allowed. |
-| `ACTIVEMQ_JMX_PASSWORD` | Password to access the JMX MBean server of the broker. It should be used with `ACTIVEMQ_JMX_USER`/  |
+| `ACTIVEMQ_JMX_PASSWORD` | Password to access the JMX MBean server of the broker. It should be used with `ACTIVEMQ_JMX_USER`.  |
+| `ACTIVEMQ_JMX_ENABLED` | Toggle ActiveMQ's JMX connector (without authentication). |
+| `ACTIVEMQ_WEB_DEFAULT_USER` | Default username to access the ActiveMQ WebConsole (used at build time). |
+| `ACTIVEMQ_WEB_DEFAULT_PASSWORD` | Default password to access the ActiveMQ WebConsole (used at build time). |
 | `ACTIVEMQ_WEB_USER` | Username to access the ActiveMQ WebConsole. |
-| `ACTIVEMQ_WEB_PASSWORD` | Password to access the ActiveMQ WebConsole. |
+| `ACTIVEMQ_WEB_PASSWORD` | Password to access the ActiveMQ WebConsole. |

assembly/src/docker/entrypoint.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -e
 
 ################################################################################
 #  Licensed to the Apache Software Foundation (ASF) under one
@@ -18,48 +18,12 @@
 # limitations under the License.
 ################################################################################
 
-# Transport/connection security
-if [ -n "${ACTIVEMQ_CONNECTION_USER}" ]; then
-  if [ -f "${ACTIVEMQ_HOME}/conf/connection.security.enabled" ]; then
-    echo "ActiveMQ Connection Security enabled"
-  else
-    echo "Enabling ActiveMQ Connection Security"
-    sed -i "s/activemq.username=system/activemq.username=${ACTIVEMQ_CONNECTION_USER}/" ${ACTIVEMQ_HOME}/conf/credentials.properties
-    sed -i "s/activemq.password=manager/activemq.password=${ACTIVEMQ_CONNECTION_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/credentials.properties
-    read -r -d '' REPLACE << END
-      <plugins>
-        <simpleAuthenticationPlugin>
-          <users>
-            <authenticationUser username="$\{activemq.username}" password="$\{activemq.password}"/>
-          </users>
-        </simpleAuthenticationPlugin>
-      </plugins>
-    </broker>
-END
-    REPLACE=${REPLACE//$\\/$}
-    REPLACE=${REPLACE//\//\\\/}
-    REPLACE=$(echo $REPLACE | tr '\n' ' ')
-    sed -i "s/<\/broker>/$REPLACE/" ${ACTIVEMQ_HOME}/conf/activemq.xml
-    touch "${ACTIVEMQ_HOME}/conf/connection.security.enabled"
-  fi
-fi
-
 # JMX security
 if [ -n "${ACTIVEMQ_JMX_USER}" ]; then
   if [ -f "${ACTIVEMQ_HOME}/conf/jmx.security.enabled" ]; then
     echo "JMX Security already enabled"
   else
      echo "Enabling ActiveMQ JMX security"
-     read -r -d '' REPLACE << END
-       <managementContext>
-         <managementContext createConnector="true" />
-       </managementContext>
-     </broker>
-END
-     REPLACE=${REPLACE//\//\\\/}
-     REPLACE=${REPLACE//$\\/$}
-     REPLACE=$(echo $REPLACE | tr '\n' ' ')
-     sed -i "s/<\/broker>/$REPLACE/" ${ACTIVEMQ_HOME}/conf/activemq.xml
      sed -i "s/admin/${ACTIVEMQ_JMX_USER}/" ${ACTIVEMQ_HOME}/conf/jmx.access
      sed -i "s/admin/${ACTIVEMQ_JMX_USER}/" ${ACTIVEMQ_HOME}/conf/jmx.password
      if [ -n "${ACTIVEMQ_JMX_PASSWORD}" ]; then
@@ -72,9 +36,16 @@ fi
 # WebConsole security
 if [ -n "${ACTIVEMQ_WEB_USER}" ]; then
   echo "Enabling ActiveMQ WebConsole security"
-  sed -i s/admin=/${ACTIVEMQ_WEB_USER}=/g ${ACTIVEMQ_HOME}/conf/users.properties
+  sed -i s/$ACTIVEMQ_WEB_DEFAULT_USER=/${ACTIVEMQ_WEB_USER}=/g ${ACTIVEMQ_HOME}/conf/users.properties
   if [ -n "${ACTIVEMQ_WEB_PASSWORD}" ]; then
-    sed -i s/=admin/=${ACTIVEMQ_WEB_PASSWORD}/g ${ACTIVEMQ_HOME}/conf/users.properties
+    sed -i s/=$ACTIVEMQ_WEB_DEFAULT_PASSWORD/=${ACTIVEMQ_WEB_PASSWORD}/g ${ACTIVEMQ_HOME}/conf/users.properties
+  fi
+  # ACTIVEMQ 5.x
+  if [ -f "${ACTIVEMQ_HOME}/conf/jetty-realm.properties" ]; then
+    sed -i "s/${ACTIVEMQ_WEB_DEFAULT_USER}: /${ACTIVEMQ_WEB_DEFAULT_USER}: /" ${ACTIVEMQ_HOME}/conf/jetty-realm.properties
+    if [ -n "${ACTIVEMQ_WEB_PASSWORD}" ]; then
+      sed -i "s/${ACTIVEMQ_WEB_DEFAULT_USER}: ${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/${ACTIVEMQ_WEB_USER}: ${ACTIVEMQ_WEB_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/jetty-realm.properties
+    fi
   fi
 fi