update to jetty-9.4.7 #3500

Merged Sep 27, 2017

@gregw (Contributor) commented Sep 27, 2017

This PR updates the official jetty release to 9.4.7.
There have been some performance degradation reports against 9.4.7 for machines with more than 32 CPUs, but they have not been reproduced in testing.

The update also includes changes to the docker image to avoid using the native code setuid mechanism. Instead the jetty user is specified in the Dockerfile.

See appropriate/docker-jetty#73

@yosifkit (Member)

Diff:
diff --git a/_bashbrew-list b/_bashbrew-list
index f121bb7..eedac3b 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -21,10 +21,10 @@ jetty:9.4
 jetty:9.4-alpine
 jetty:9.4-jre8
 jetty:9.4-jre8-alpine
-jetty:9.4.6
-jetty:9.4.6-alpine
-jetty:9.4.6-jre8
-jetty:9.4.6-jre8-alpine
+jetty:9.4.7
+jetty:9.4.7-alpine
+jetty:9.4.7-jre8
+jetty:9.4.7-jre8-alpine
 jetty:alpine
 jetty:jre7
 jetty:jre8
diff --git a/jetty_jre8-alpine/Dockerfile b/jetty_jre8-alpine/Dockerfile
index 463656b..2548e30 100644
--- a/jetty_jre8-alpine/Dockerfile
+++ b/jetty_jre8-alpine/Dockerfile
@@ -8,7 +8,7 @@ ENV PATH $JETTY_HOME/bin:$PATH
 RUN mkdir -p "$JETTY_HOME"
 WORKDIR $JETTY_HOME
 
-ENV JETTY_VERSION 9.4.6.v20170531
+ENV JETTY_VERSION 9.4.7.v20170914
 ENV JETTY_TGZ_URL https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/$JETTY_VERSION/jetty-home-$JETTY_VERSION.tar.gz
 
 # GPG Keys are personal keys of Jetty committers (see https://github.com/eclipse/jetty.project/blob/0607c0e66e44b9c12a62b85551da3a0edce0281e/KEYS.txt)
@@ -57,7 +57,7 @@ RUN mkdir -p "$JETTY_BASE"
 WORKDIR $JETTY_BASE
 
 RUN set -xe \
-	&& java -jar "$JETTY_HOME/start.jar" --create-startd --add-to-start="server,http,deploy,jsp,jstl,ext,resources,websocket,setuid" \
+	&& java -jar "$JETTY_HOME/start.jar" --create-startd --add-to-start="server,http,deploy,jsp,jstl,ext,resources,websocket" \
 	&& chown -R jetty:jetty "$JETTY_BASE" \
 	&& rm -rf /tmp/hsperfdata_root
 
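Review bot: the behaviour change from dropping `setuid` in the `--add-to-start` list is not documented anywhere in this change. Together with the `USER jetty` line added later in this file, the server no longer has a root phase in which to bind a privileged port before switching user, so deployments that override the HTTP port to a value below 1024 may fail to bind after this update. Suggest noting in the image documentation that the container should keep listening on 8080 and be published with a host port mapping instead.
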
@@ -68,6 +68,7 @@ RUN set -xe \
 
 COPY docker-entrypoint.sh /
 
+USER jetty
 EXPOSE 8080
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["java","-jar","/usr/local/jetty/start.jar"]
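
Review bot: the unchanged `COPY docker-entrypoint.sh /` in this hunk does not copy `generate-jetty-start.sh`, yet the entrypoint added for this variant tells users to "re-run /generate-jetty-start.sh from a Dockerfile". The jetty_jre8 Dockerfile in this PR changes the same line to `COPY docker-entrypoint.sh generate-jetty-start.sh /`, and the diff adds only `jetty_jre8/generate-jetty-start.sh`, with no alpine counterpart. Suggest adding the script and the matching COPY for jetty_jre8-alpine, or removing the reference from the alpine entrypoint's warning.
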
diff --git a/jetty_jre8-alpine/docker-entrypoint.sh b/jetty_jre8-alpine/docker-entrypoint.sh
index ba65411..4882647 100755
--- a/jetty_jre8-alpine/docker-entrypoint.sh
+++ b/jetty_jre8-alpine/docker-entrypoint.sh
@@ -26,16 +26,72 @@ if ! command -v -- "$1" >/dev/null 2>&1 ; then
 	set -- java -jar "$JETTY_HOME/start.jar" "$@"
 fi
 
-if [ -n "$TMPDIR" ] ; then
-	case "$JAVA_OPTIONS" in
-		*-Djava.io.tmpdir=*) ;;
-		*) JAVA_OPTIONS="-Djava.io.tmpdir=$TMPDIR $JAVA_OPTIONS" ;;
-	esac
+if [ -z "$TMPDIR" ] ; then
+	TMPDIR=/tmp/jetty
+	mkdir $TMPDIR 2>/dev/null
 fi
+case "$JAVA_OPTIONS" in
+	*-Djava.io.tmpdir=*) ;;
+	*) JAVA_OPTIONS="-Djava.io.tmpdir=$TMPDIR $JAVA_OPTIONS" ;;
+esac
 
 if [ "$1" = "java" -a -n "$JAVA_OPTIONS" ] ; then
 	shift
 	set -- java $JAVA_OPTIONS "$@"
 fi
 
+if expr "$*" : 'java .*/start\.jar.*$' >/dev/null ; then
+	# this is a command to run jetty
+
+	# check if it is a terminating command
+	for A in "$@" ; do
+		case $A in
+			--add-to-start* |\
+			--create-files |\
+			--create-startd |\
+			--download |\
+			--dry-run |\
+			--exec-print |\
+			--help |\
+			--info |\
+			--list-all-modules |\
+			--list-classpath |\
+			--list-config |\
+			--list-modules* |\
+			--stop |\
+			--update-ini |\
+			--version |\
+			-v )\
+			# It is a terminating command, so exec directly
+			exec "$@"
+		esac
+	done
+
+	if [ -f /jetty-start ] ; then
+		if [ $JETTY_BASE/start.d -nt /jetty-start ] ; then
+			cat >&2 <<- 'EOWARN'
+			********************************************************************
+			WARNING: The $JETTY_BASE/start.d directory has been modified since
+			         the /jetty-start files was generated. Please either delete 
+			         the /jetty-start file or re-run /generate-jetty-start.sh 
+			         from a Dockerfile
+			********************************************************************
+			EOWARN
+		fi
+		echo $(date +'%Y-%m-%d %H:%M:%S.000'):INFO:docker-entrypoint:jetty start command from /jetty-start
+		set -- $(cat /jetty-start)
+	else
+		# Do a jetty dry run to set the final command
+		"$@" --dry-run > /$TMPDIR/jetty-start
+		if [ $(egrep -v '\\$' $TMPDIR/jetty-start | wc -l ) -gt 1 ] ; then
+			# command was more than a dry-run
+			cat $TMPDIR/jetty-start \
+			| awk '/\\$/ { printf "%s", substr($0, 1, length($0)-1); next } 1' \
+			| egrep -v '[^ ]*java .* org\.eclipse\.jetty\.xml\.XmlConfiguration '
+			exit
+		fi
+		set -- $(sed 's/\\$//' $TMPDIR/jetty-start)
+	fi
+fi
+
 exec "$@"
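
Review bot: `set -- $(cat /jetty-start)` and `set -- $(sed 's/\\$//' $TMPDIR/jetty-start)` rebuild the argument list through unquoted command substitution, so any argument containing whitespace is split and any word containing `*`, `?` or `[` is glob-expanded against the working directory before it reaches `exec "$@"`. A `JAVA_OPTIONS` value or classpath entry with such characters will start the JVM with different arguments than the dry run printed. Suggest disabling globbing with `set -f` around these two lines at minimum, and quoting `"$JETTY_BASE/start.d"` and `"$TMPDIR/jetty-start"` in the tests. Since the entrypoint executes whatever `/jetty-start` contains, the file should also be owned by root and not writable by the `jetty` user.
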
diff --git a/jetty_jre8/Dockerfile b/jetty_jre8/Dockerfile
index d0b8d9b..85a2c00 100644
--- a/jetty_jre8/Dockerfile
+++ b/jetty_jre8/Dockerfile
@@ -8,7 +8,7 @@ ENV PATH $JETTY_HOME/bin:$PATH
 RUN mkdir -p "$JETTY_HOME"
 WORKDIR $JETTY_HOME
 
-ENV JETTY_VERSION 9.4.6.v20170531
+ENV JETTY_VERSION 9.4.7.v20170914
 ENV JETTY_TGZ_URL https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/$JETTY_VERSION/jetty-home-$JETTY_VERSION.tar.gz
 
 # GPG Keys are personal keys of Jetty committers (see https://github.com/eclipse/jetty.project/blob/0607c0e66e44b9c12a62b85551da3a0edce0281e/KEYS.txt)
@@ -48,7 +48,7 @@ RUN mkdir -p "$JETTY_BASE"
 WORKDIR $JETTY_BASE
 
 RUN set -xe \
-	&& java -jar "$JETTY_HOME/start.jar" --create-startd --add-to-start="server,http,deploy,jsp,jstl,ext,resources,websocket,setuid" \
+	&& java -jar "$JETTY_HOME/start.jar" --create-startd --add-to-start="server,http,deploy,jsp,jstl,ext,resources,websocket" \
 	&& chown -R jetty:jetty "$JETTY_BASE" \
 	&& rm -rf /tmp/hsperfdata_root
 
@@ -57,8 +57,9 @@ RUN set -xe \
 	&& mkdir -p "$TMPDIR" \
 	&& chown -R jetty:jetty "$TMPDIR"
 
-COPY docker-entrypoint.sh /
+COPY docker-entrypoint.sh generate-jetty-start.sh /
 
+USER jetty
 EXPOSE 8080
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["java","-jar","/usr/local/jetty/start.jar"]
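
Review bot: `USER jetty` here is inherited by every image built `FROM` this one, and that is not documented in this change. RUN steps in derived Dockerfiles that need root, such as installing packages or writing `/jetty-start` through `/generate-jetty-start.sh`, will now execute as `jetty` and fail unless the Dockerfile switches with `USER root` and then back to `USER jetty`. Suggest documenting that pattern for downstream users alongside this change.
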
diff --git a/jetty_jre8/docker-entrypoint.sh b/jetty_jre8/docker-entrypoint.sh
index ba65411..4882647 100755
--- a/jetty_jre8/docker-entrypoint.sh
+++ b/jetty_jre8/docker-entrypoint.sh
@@ -26,16 +26,72 @@ if ! command -v -- "$1" >/dev/null 2>&1 ; then
 	set -- java -jar "$JETTY_HOME/start.jar" "$@"
 fi
 
-if [ -n "$TMPDIR" ] ; then
-	case "$JAVA_OPTIONS" in
-		*-Djava.io.tmpdir=*) ;;
-		*) JAVA_OPTIONS="-Djava.io.tmpdir=$TMPDIR $JAVA_OPTIONS" ;;
-	esac
+if [ -z "$TMPDIR" ] ; then
+	TMPDIR=/tmp/jetty
+	mkdir $TMPDIR 2>/dev/null
 fi
+case "$JAVA_OPTIONS" in
+	*-Djava.io.tmpdir=*) ;;
+	*) JAVA_OPTIONS="-Djava.io.tmpdir=$TMPDIR $JAVA_OPTIONS" ;;
+esac
 
 if [ "$1" = "java" -a -n "$JAVA_OPTIONS" ] ; then
 	shift
 	set -- java $JAVA_OPTIONS "$@"
 fi
 
+if expr "$*" : 'java .*/start\.jar.*$' >/dev/null ; then
+	# this is a command to run jetty
+
+	# check if it is a terminating command
+	for A in "$@" ; do
+		case $A in
+			--add-to-start* |\
+			--create-files |\
+			--create-startd |\
+			--download |\
+			--dry-run |\
+			--exec-print |\
+			--help |\
+			--info |\
+			--list-all-modules |\
+			--list-classpath |\
+			--list-config |\
+			--list-modules* |\
+			--stop |\
+			--update-ini |\
+			--version |\
+			-v )\
+			# It is a terminating command, so exec directly
+			exec "$@"
+		esac
+	done
+
+	if [ -f /jetty-start ] ; then
+		if [ $JETTY_BASE/start.d -nt /jetty-start ] ; then
+			cat >&2 <<- 'EOWARN'
+			********************************************************************
+			WARNING: The $JETTY_BASE/start.d directory has been modified since
+			         the /jetty-start files was generated. Please either delete 
+			         the /jetty-start file or re-run /generate-jetty-start.sh 
+			         from a Dockerfile
+			********************************************************************
+			EOWARN
+		fi
+		echo $(date +'%Y-%m-%d %H:%M:%S.000'):INFO:docker-entrypoint:jetty start command from /jetty-start
+		set -- $(cat /jetty-start)
+	else
+		# Do a jetty dry run to set the final command
+		"$@" --dry-run > /$TMPDIR/jetty-start
+		if [ $(egrep -v '\\$' $TMPDIR/jetty-start | wc -l ) -gt 1 ] ; then
+			# command was more than a dry-run
+			cat $TMPDIR/jetty-start \
+			| awk '/\\$/ { printf "%s", substr($0, 1, length($0)-1); next } 1' \
+			| egrep -v '[^ ]*java .* org\.eclipse\.jetty\.xml\.XmlConfiguration '
+			exit
+		fi
+		set -- $(sed 's/\\$//' $TMPDIR/jetty-start)
+	fi
+fi
+
 exec "$@"
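
Review bot: in the TMPDIR fallback, `mkdir $TMPDIR 2>/dev/null` discards the error and the script carries on, so if `/tmp/jetty` cannot be created, or already exists with different ownership on a mounted `/tmp`, both `-Djava.io.tmpdir` and the dry-run output file point at a directory the script never verified. The redirect `> /$TMPDIR/jetty-start` also has a leading slash that the later `$TMPDIR/jetty-start` reads lack, so the write and the reads only agree when TMPDIR is an absolute path. Suggest `mkdir -p "$TMPDIR"` with an explicit failure exit, quoting `"$TMPDIR"` throughout, and using one path expression for both the write and the reads. The jetty_jre8-alpine copy of this file is identical and needs the same change.
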
diff --git a/jetty_jre8/generate-jetty-start.sh b/jetty_jre8/generate-jetty-start.sh
new file mode 100755
index 0000000..0dbaba7
--- /dev/null
+++ b/jetty_jre8/generate-jetty-start.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+rm -f /jetty-start
+/docker-entrypoint.sh --dry-run | sed 's/\\$//' > /jetty-start
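
Review bot: the pipeline on the last line reports only the exit status of `sed`, and the script has no `set -e`, so a failing `/docker-entrypoint.sh --dry-run` still leaves an empty or partial `/jetty-start` and the RUN step that called the script succeeds. The entrypoint then takes the `[ -f /jetty-start ]` branch and runs `set -- $(cat /jetty-start)` on that content. Suggest writing to a temporary file, checking the dry-run exit status and that the output is non-empty, and only then moving it to `/jetty-start`. The script also writes into `/`, which the `jetty` user set by `USER jetty` in the Dockerfile cannot normally do, so it should state that it must run as root.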

@yosifkit (Member)

Build test of #3500; aebcacb (jetty):

$ bashbrew build jetty:9.4.7
Using bashbrew/cache:e7306890d3fdfe1894e337cd4556e7654c805d41e459671bd0bb82423748f23f (jetty:9.4.7)
Tagging jetty:9.4.7
Tagging jetty:9.4
Tagging jetty:9
Tagging jetty:9.4.7-jre8
Tagging jetty:9.4-jre8
Tagging jetty:9-jre8
Tagging jetty:latest
Tagging jetty:jre8

$ test/run.sh jetty:9.4.7
testing jetty:9.4.7
	'utc' [1/5]...passed
	'cve-2014--shellshock' [2/5]...passed
	'no-hard-coded-passwords' [3/5]...passed
	'override-cmd' [4/5]...passed
	'jetty-hello-web' [5/5]...passed


$ bashbrew build jetty:9.4.7-alpine
Using bashbrew/cache:b120a7af62a048de2508252274bddc5b2415f52fef807d3b784198b44e9776a6 (jetty:9.4.7-alpine)
Tagging jetty:9.4.7-alpine
Tagging jetty:9.4-alpine
Tagging jetty:9-alpine
Tagging jetty:9.4.7-jre8-alpine
Tagging jetty:9.4-jre8-alpine
Tagging jetty:9-jre8-alpine
Tagging jetty:alpine
Tagging jetty:jre8-alpine

$ test/run.sh jetty:9.4.7-alpine
testing jetty:9.4.7-alpine
	'utc' [1/5]...passed
	'cve-2014--shellshock' [2/5]...passed
	'no-hard-coded-passwords' [3/5]...passed
	'override-cmd' [4/5]...passed
	'jetty-hello-web' [5/5]....passed


$ bashbrew build jetty:9.3.20
Building bashbrew/cache:7e946eff78ed83c925c809a1e9c06e9f2581f12881c0d2bd9dfb24a2bbd353cd (jetty:9.3.20)
Tagging jetty:9.3.20
Tagging jetty:9.3
Tagging jetty:9.3.20-jre8
Tagging jetty:9.3-jre8

$ test/run.sh jetty:9.3.20
testing jetty:9.3.20
	'utc' [1/5]...passed
	'cve-2014--shellshock' [2/5]...passed
	'no-hard-coded-passwords' [3/5]...passed
	'override-cmd' [4/5]...passed
	'jetty-hello-web' [5/5]....passed


$ bashbrew build jetty:9.3.20-alpine
Using bashbrew/cache:5885fbb4c7ae040083661889cb3a25769555432ece8048e7d3017722d99c513f (jetty:9.3.20-alpine)
Tagging jetty:9.3.20-alpine
Tagging jetty:9.3-alpine
Tagging jetty:9.3.20-jre8-alpine
Tagging jetty:9.3-jre8-alpine

$ test/run.sh jetty:9.3.20-alpine
testing jetty:9.3.20-alpine
	'utc' [1/5]...passed
	'cve-2014--shellshock' [2/5]...passed
	'no-hard-coded-passwords' [3/5]...passed
	'override-cmd' [4/5]...passed
	'jetty-hello-web' [5/5]....passed


$ bashbrew build jetty:9.2.22
Building bashbrew/cache:c0f7d68c0503ac7ec6e7f08a4f41786c895615879e3b92d84d8e033d02ba3458 (jetty:9.2.22)
Tagging jetty:9.2.22
Tagging jetty:9.2
Tagging jetty:9.2.22-jre8
Tagging jetty:9.2-jre8

$ test/run.sh jetty:9.2.22
testing jetty:9.2.22
	'utc' [1/5]...passed
	'cve-2014--shellshock' [2/5]...passed
	'no-hard-coded-passwords' [3/5]...passed
	'override-cmd' [4/5]...passed
	'jetty-hello-web' [5/5]...passed


$ bashbrew build jetty:9.2.22-jre7
Building bashbrew/cache:49f6120a727cbd8959267559e8f45d898a598af927903abedce3a3b83d8f7826 (jetty:9.2.22-jre7)
Tagging jetty:9.2.22-jre7
Tagging jetty:9.2-jre7
Tagging jetty:9-jre7
Tagging jetty:jre7

$ test/run.sh jetty:9.2.22-jre7
testing jetty:9.2.22-jre7
	'utc' [1/5]...passed
	'cve-2014--shellshock' [2/5]...passed
	'no-hard-coded-passwords' [3/5]...passed
	'override-cmd' [4/5]...passed
	'jetty-hello-web' [5/5]....passed

@yosifkit yosifkit merged commit c39e762 into docker-library:master Sep 27, 2017
@gregw gregw deleted the jetty-9.4.7 branch September 27, 2017 23:03