OPSEXP-2388: Use Tomcat native libs 2.x

.github/workflows/bumpVersions.yml

@@ -26,9 +26,11 @@ jobs:
       matrix:
         include:
           - tomcat_major: 10
-            tcnative_source_pattern: 1
+            tcnative_source_pattern: 2
+            apr_source_pattern: 1
           - tomcat_major: 9
-            tcnative_source_pattern: 1
+            tcnative_source_pattern: 2
+            apr_source_pattern: 1
     steps:
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
@@ -53,6 +55,7 @@ jobs:
         run: |
           echo "TOMCAT_MAJOR=${{ matrix.tomcat_major }}" >> $GITHUB_ENV
           echo "TCNATIVE_SOURCE_PATTERN=${{ matrix.tcnative_source_pattern }}" >> $GITHUB_ENV
+          echo "APR_SOURCE_PATTERN=${{ matrix.apr_source_pattern }}" >> $GITHUB_ENV
 
       - name: Run updatecli
         run: |

.github/workflows/main.yml

@@ -82,6 +82,9 @@ jobs:
           echo "tcnative_version=$(jq -r .tcnative_version tomcat${{ matrix.tomcat_major }}.json)" >> $GITHUB_OUTPUT
           echo "tcnative_sha512=$(jq -r .tcnative_sha512 tomcat${{ matrix.tomcat_major }}.json)" >> $GITHUB_OUTPUT
 
+          echo "apr_version=$(jq -r .apr_version tomcat${{ matrix.tomcat_major }}.json)" >> $GITHUB_OUTPUT
+          echo "apr_sha256=$(jq -r .apr_sha256 tomcat${{ matrix.tomcat_major }}.json)" >> $GITHUB_OUTPUT
+
       - name: Login to quay.io
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
@@ -109,6 +112,8 @@ jobs:
             TOMCAT_SHA512=${{ steps.vars.outputs.tomcat_sha512 }}
             TCNATIVE_VERSION=${{ steps.vars.outputs.tcnative_version }}
             TCNATIVE_SHA512=${{ steps.vars.outputs.tcnative_sha512 }}
+            APR_VERSION=${{ steps.vars.outputs.apr_version }}
+            APR_SHA256=${{ steps.vars.outputs.apr_sha256 }}
           tags: local/${{ env.IMAGE_REPOSITORY }}:ci
 
       - name: Test Built Image
@@ -143,6 +148,8 @@ jobs:
             TOMCAT_SHA512=${{ steps.vars.outputs.tomcat_sha512 }}
             TCNATIVE_VERSION=${{ steps.vars.outputs.tcnative_version }}
             TCNATIVE_SHA512=${{ steps.vars.outputs.tcnative_sha512 }}
+            APR_VERSION=${{ steps.vars.outputs.apr_version }}
+            APR_SHA256=${{ steps.vars.outputs.apr_sha256 }}
             REVISION=${{ github.run_number }}
             CREATED=${{ steps.vars.outputs.image_created }}
           tags: |

Dockerfile

@@ -2,7 +2,7 @@
 # Alfresco Base Tomcat Image
 # see also https://github.com/docker-library/tomcat
 ARG JAVA_MAJOR
-ARG DISTRIB_NAME
+ARG DISTRIB_NAME=rockylinux
 ARG DISTRIB_MAJOR
 ARG IMAGE_JAVA_REPO=quay.io/alfresco
 ARG IMAGE_JAVA_NAME=alfresco-base-java
@@ -15,14 +15,17 @@ ARG TOMCAT_VERSION
 ARG TOMCAT_SHA512
 ARG TCNATIVE_VERSION
 ARG TCNATIVE_SHA512
+ARG APR_VERSION
+ARG APR_SHA256
 ENV APACHE_MIRRORS="https://archive.apache.org/dist https://dlcdn.apache.org https://downloads.apache.org"
 ENV DEBIAN_FRONTEND=noninteractive
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 RUN apt-get -y update && apt-get -y install xmlstarlet curl gpg; \
-  mkdir -p /build/{tcnative,tomcat}; \
+  mkdir -p /build/{apr,tcnative,tomcat}; \
   active_mirror=; \
   for mirror in $APACHE_MIRRORS; do \
     if curl -fsSL ${mirror}/tomcat/tomcat-${TOMCAT_MAJOR}/KEYS | gpg --import; then \
+      curl -fsSL ${mirror}/apr/KEYS | gpg --import; \
       active_mirror=$mirror; \
       break; \
     fi; \
@@ -33,15 +36,19 @@ RUN apt-get -y update && apt-get -y install xmlstarlet curl gpg; \
   for filetype in '.tar.gz' '.tar.gz.asc'; do \
     curl -fsSLo tomcat${filetype} ${active_mirror}/tomcat/tomcat-${TOMCAT_MAJOR}/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}${filetype}; \
     curl -fsSLo tcnative${filetype}  ${active_mirror}/tomcat/tomcat-connectors/native/${TCNATIVE_VERSION}/source/tomcat-native-${TCNATIVE_VERSION}-src${filetype}; \
+    curl -fsSLo apr${filetype}  ${active_mirror}/apr/apr-${APR_VERSION}${filetype}; \
   done; \
   \
   echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum -c - || (echo "Checksum did't match: $(sha512sum *tomcat.tar.gz)" && exit 1); \
   echo "$TCNATIVE_SHA512 *tcnative.tar.gz" | sha512sum -c - || (echo "Checksum did't match: $(sha512sum *tcnative.tar.gz)" && exit 1); \
+  echo "$APR_SHA256 *apr.tar.gz" | sha256sum -c - || (echo "Checksum did't match: $(sha256sum *apr.tar.gz)" && exit 1); \
   \
   gpg --batch --verify tcnative.tar.gz.asc tcnative.tar.gz && \
   gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz && \
+  gpg --batch --verify apr.tar.gz.asc apr.tar.gz && \
   tar -zxf tomcat.tar.gz -C /build/tomcat --strip-components=1 && \
-  tar -zxf tcnative.tar.gz -C /build/tcnative --strip-components=1
+  tar -zxf tcnative.tar.gz -C /build/tcnative --strip-components=1 && \
+  tar -zxf apr.tar.gz -C /build/apr --strip-components=1
 WORKDIR /build/tomcat
 # sh removes env vars it doesn't support (ones with periods)
 # https://github.com/docker-library/tomcat/issues/77
@@ -77,30 +84,55 @@ RUN xmlstarlet ed -L \
 # Remove unwanted files from distribution
 RUN rm -fr webapps/* *.txt *.md RELEASE-NOTES logs/ temp/ work/ bin/*.bat
 
+# hadolint ignore=DL3041
 FROM ${IMAGE_JAVA_REPO}/${IMAGE_JAVA_NAME}:${IMAGE_JAVA_TAG} AS tcnative_build-rockylinux
+ARG DISTRIB_MAJOR
 ARG JAVA_MAJOR
 ENV JAVA_HOME=/usr/lib/jvm/java-openjdk
 ARG BUILD_DIR=/build
 ARG INSTALL_DIR=/usr/local
 COPY --from=tomcat_dist /build/tcnative $BUILD_DIR/tcnative
-WORKDIR ${BUILD_DIR}/tcnative/native
+COPY --from=tomcat_dist /build/apr $BUILD_DIR/apr
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
-RUN yum install -y gcc make openssl-devel expat-devel java-${JAVA_MAJOR}-openjdk-devel apr-devel redhat-rpm-config && yum clean all; \
+RUN <<EOT
+  yum install -y gcc make expat-devel java-${JAVA_MAJOR}-openjdk-devel redhat-rpm-config
+  yum clean all
+EOT
+
+WORKDIR ${BUILD_DIR}/apr
+RUN <<EOT
+  ./configure --prefix=${INSTALL_DIR}/apr
+  make -j "$(nproc)"
+  make install
+EOT
+
+WORKDIR ${BUILD_DIR}/tcnative/native
+RUN <<EOT
+  if [ $DISTRIB_MAJOR -eq 8 ]; then
+    dnf install -y dnf-plugins-core
+    dnf config-manager -y --set-enabled powertools
+    dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+    dnf install -y openssl3-devel
+    ln -s /usr/include/openssl3/openssl /usr/include/openssl
+    export LIBS="-L/usr/lib64/openssl3 -Wl,-rpath,/usr/lib64/openssl3 -lssl -lcrypto"
+    export CFLAGS="-I/usr/include/openssl3"
+    else dnf install -y openssl-devel
+  fi
+  dnf clean all
   ./configure \
     --libdir=${INSTALL_DIR}/tcnative \
-    --with-apr=/usr/bin/apr-1-config \
-    --with-java-home="$JAVA_HOME"; \
-  make -j "$(nproc)"; \
+    --with-apr=${INSTALL_DIR}/apr/bin/apr-1-config \
+    --with-java-home="$JAVA_HOME" \
+    --disable-openssl-version-check
+  make -j "$(nproc)"
   make install
+EOT
 
 # hadolint ignore=DL3006
 FROM tcnative_build-${DISTRIB_NAME} AS tcnative_build
 
-FROM ${IMAGE_JAVA_REPO}/${IMAGE_JAVA_NAME}:${IMAGE_JAVA_TAG} AS apr_pkg-rockylinux
-RUN yum install -y apr && yum clean all
-
 # hadolint ignore=DL3006
-FROM apr_pkg-${DISTRIB_NAME}
+FROM tcnative_build
 ARG DISTRIB_MAJOR
 ARG CREATED
 ARG REVISION
@@ -127,7 +159,8 @@ LABEL org.label-schema.schema-version="1.0" \
 ENV CATALINA_HOME=/usr/local/tomcat
 # let "Tomcat Native" live somewhere isolated
 ENV TOMCAT_NATIVE_LIBDIR=$CATALINA_HOME/native-jni-lib
-ENV LD_LIBRARY_PATH=$TOMCAT_NATIVE_LIBDIR
+ENV APR_LIBDIR=$CATALINA_HOME/apr
+ENV LD_LIBRARY_PATH=$TOMCAT_NATIVE_LIBDIR:$APR_LIBDIR
 ENV PATH=$CATALINA_HOME/bin:$PATH
 WORKDIR $CATALINA_HOME
 # fix permissions (especially for running as non-root)
@@ -136,13 +169,24 @@ RUN groupadd --system tomcat && \
   useradd -M -s /bin/false --home $CATALINA_HOME --system --gid tomcat tomcat
 COPY --chown=:tomcat --chmod=640 --from=tomcat_dist /build/tomcat $CATALINA_HOME
 COPY --chown=:tomcat --chmod=640 --from=tcnative_build /usr/local/tcnative $TOMCAT_NATIVE_LIBDIR
+COPY --chown=:tomcat --chmod=640 --from=tcnative_build /usr/local/apr $APR_LIBDIR
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
-RUN mkdir -m 770 logs temp work && chgrp tomcat . logs temp work; \
-  chmod ug+x bin/*.sh; \
-  find . -type d -exec chmod 770 {} +; \
+RUN <<EOT
+  if [ $DISTRIB_MAJOR -eq 8 ]; then
+    dnf install -y dnf-plugins-core
+    dnf config-manager -y --set-enabled powertools
+    dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+    dnf install -y openssl3-libs
+    dnf clean all
+  fi
+  mkdir -m 770 logs temp work && chgrp tomcat . logs temp work
+  chmod ug+x bin/*.sh
+  find . -type d -exec chmod 770 {} +
   # verify Tomcat Native is working properly
-  nativeLines="$(catalina.sh configtest 2>&1 | grep -c 'Loaded Apache Tomcat Native library')" && \
+  nativeLines="$(catalina.sh configtest 2>&1 | grep -c 'Loaded Apache Tomcat Native library')"
   test $nativeLines -ge 1 || exit 1
+EOT
+
 USER tomcat
 EXPOSE 8080
 # Starting tomcat with Security Manager

get-checksum.sh

@@ -9,10 +9,16 @@ case "$1" in
         VERSION=$(jq -r '.tcnative_version' "tomcat${TOMCAT_MAJOR}.json")
         SHA_URL="https://dlcdn.apache.org/tomcat/tomcat-connectors/native/${VERSION}/source/tomcat-native-${VERSION}-src.tar.gz.sha512"
     ;;
+    apr)
+        VERSION=$(jq -r '.apr_version' "tomcat${TOMCAT_MAJOR}.json")
+        SHA_URL="https://dlcdn.apache.org/apr/apr-${VERSION}.tar.gz.sha256"
+    ;;
 esac
 
+SHA_LEN=$((${SHA_URL##*.sha} / 4))
+
 CHECKSUM=$(curl -sLf "${SHA_URL}" | cut -d ' ' -f 1)
-if [ ${#CHECKSUM} -eq 128 ]; then
+if [ ${#CHECKSUM} -eq $SHA_LEN ]; then
     echo "$CHECKSUM"
 else
     echo -n "ERROR Looks like checksum cannot be retrieved correctly from ${SHA_URL} - Actual contents: " >&2

tomcat10.json

@@ -1,6 +1,8 @@
 {
-  "tcnative_sha512": "06951c67d2739ab9205a537d24345e13e4472f192602fc52015ea84612c6e2c9334404b30a82be7d1e7d4ce470ea9df8b1b8ca1a3b8674d82706ff432280724f",
-  "tcnative_version": "1.3.1",
+  "tcnative_sha512": "fd45533b9c34b008717d18ed49334c7286b93c849c487c1c42746f2998cc4a6ff0362e536a8b5124c6539847a92a9f7631c7638a21cd5d22134fe1a9bb0f0702",
+  "tcnative_version": "2.0.8",
   "tomcat_sha512": "0e3d423a843e2d9ba4f28a9f0a2f1073d5a1389557dfda041759f8df968bace63cd6948bd76df2727b5133ddb7c33e05dab43cea1d519ca0b6d519461152cce9",
-  "tomcat_version": "10.1.31"
+  "tomcat_version": "10.1.31",
+  "apr_version": "1.7.5",
+  "apr_sha256": "3375fa365d67bcf945e52b52cba07abea57ef530f40b281ffbe977a9251361db"
 }

tomcat9.json

@@ -1,6 +1,8 @@
 {
-  "tcnative_sha512": "06951c67d2739ab9205a537d24345e13e4472f192602fc52015ea84612c6e2c9334404b30a82be7d1e7d4ce470ea9df8b1b8ca1a3b8674d82706ff432280724f",
-  "tcnative_version": "1.3.1",
+  "tcnative_sha512": "fd45533b9c34b008717d18ed49334c7286b93c849c487c1c42746f2998cc4a6ff0362e536a8b5124c6539847a92a9f7631c7638a21cd5d22134fe1a9bb0f0702",
+  "tcnative_version": "2.0.8",
   "tomcat_sha512": "ef3ac81debbc3a519c43d1fdb1c88ab26a8052af424d81bceccfbd6e663050a06d7aad7960fd5d11c17849829daebbebf33d92ac1158902283d0e534514aab93",
-  "tomcat_version": "9.0.96"
+  "tomcat_version": "9.0.96",
+  "apr_version": "1.7.5",
+  "apr_sha256": "3375fa365d67bcf945e52b52cba07abea57ef530f40b281ffbe977a9251361db"
 }

updatecli.d/01_tomcat_version.tpl

@@ -6,6 +6,11 @@ scms:
     spec:
       url: https://github.com/apache/tomcat-native.git
       branch: main
+  aprGitHub:
+    kind: git
+    spec:
+      url: https://github.com/apache/apr.git
+      branch: trunk
 
 sources:
   tomcatVersion:
@@ -24,19 +29,34 @@ sources:
       versionfilter:
         kind: semver
         pattern: "~{{ requiredEnv "TCNATIVE_SOURCE_PATTERN" }}"
+  aprTag:
+    name: Get Apache APR library version
+    kind: gittag
+    scmid: aprGitHub
+    spec:
+      versionfilter:
+        kind: semver
+        pattern: "~{{ requiredEnv "APR_SOURCE_PATTERN" }}"
 
 targets:
   tomcatJson:
-    name: Update version in json target
+    name: Update Tomcat version in json target
     kind: json
     sourceid: tomcatVersion
     spec:
       file: tomcat{{ requiredEnv "TOMCAT_MAJOR" }}.json
       key: tomcat_version
   tcnativeJson:
-    name: Update version in json target
+    name: Update TCnative version in json target
     kind: json
     sourceid: tcnativeTag
     spec:
       file: tomcat{{ requiredEnv "TOMCAT_MAJOR" }}.json
       key: tcnative_version
+  aprJson:
+    name: Update APR version in json target
+    kind: json
+    sourceid: aprTag
+    spec:
+      file: tomcat{{ requiredEnv "TOMCAT_MAJOR" }}.json
+      key: apr_version

updatecli.d/02_tomcat_checksum.tpl

@@ -17,19 +17,34 @@ sources:
       environments:
         - name: PATH
         - name: TOMCAT_MAJOR
+  aprChecksum:
+    name: Retrieve the Apache APR libs checksum
+    kind: shell
+    spec:
+      command: ./get-checksum.sh apr
+      environments:
+        - name: PATH
+        - name: TOMCAT_MAJOR
 
 targets:
   tomcatJson:
-    name: Update version in json target
+    name: Update Tomcat checksum in json target
     kind: json
     sourceid: tomcatChecksum
     spec:
       file: tomcat{{ requiredEnv "TOMCAT_MAJOR" }}.json
       key: tomcat_sha512
   tcnativeJson:
-    name: Update version in json target
+    name: Update Tcnative libs checksum in json target
     kind: json
     sourceid: tcnativeChecksum
     spec:
       file: tomcat{{ requiredEnv "TOMCAT_MAJOR" }}.json
       key: tcnative_sha512
+  aprJson:
+    name: Update APR checksum in json target
+    kind: json
+    sourceid: aprChecksum
+    spec:
+      file: tomcat{{ requiredEnv "TOMCAT_MAJOR" }}.json
+      key: apr_sha256