Add liquibase as official image

[r2-lf]

Checklist for Review

NOTE: This checklist is intended for the use of the Official Images maintainers both to track the status of your PR and to help inform you and others of where we're at. As such, please leave the "checking" of items to the repository maintainers. If there is a point below for which you would like to provide additional information or note completion, please do so by commenting on the PR. Thanks! (and thanks for staying patient with us ❤️)

• associated with or contacted upstream?
  • https://github.com/liquibase
• does it fit into one of the common categories? ("service", "language stack", "base distribution")
• is it reasonably popular, or does it solve a particular use case well?
• does a documentation PR exist? (should be reviewed and merged at roughly the same time so that we don't have an empty image page on the Hub for very long)
  • Docs for Liquibase Official Image docs#1803
• official-images maintainer dockerization review for best practices and cache gotchas/improvements (ala the official review guidelines)?
• 2+ official-images maintainer dockerization review?
• existing official images have been considered as a base? (ie, if foobar needs Node.js, has FROM node:... instead of grabbing node via other means been considered?)
  • FROM openjdk:xxx
• if FROM scratch, tarballs only exist in a single commit within the associated history?
• passes current tests? any simple new tests that might be appropriate to add? (https://github.com/docker-library/official-images/tree/master/test)

[r2-lf]

Hi, @tianon and @yosifkit ! Thanks for the insight via IRC.

I think we're at a point to start working through those 9 issues now that the tests are successful. What is the process you'd like me to work through?

Thanks again!

Robert

[r2-lf]

Hey, gang! Got some feedback from Chad on this PR. How can I get these tests to start working? Thanks!!!

[metcalfc]

@r2liquibase I looked at the failed test and it took me a bit to figure out that the test thats failing is: https://github.com/docker-library/official-images/blob/master/test/tests/override-cmd/run.sh

Like we talked about, entrypoint is a PITA to override so what the official images have done is set a specific expectation for how this works. TIL, https://github.com/docker-library/official-images/blob/d28cb89e79417cac50c2a8ae163a9b3b79167f79/README.md#consistency

Short story is to make it work you'll need to write a docker-enterpoint.sh script. I'm not sure if there was one previously that you can just reuse? Its going to be a bit of project because you'll need to know the difference between folks asking for something liquidbase can do and literally anything else...

For example: https://github.com/docker-library/docker/blob/master/19.03-rc/docker-entrypoint.sh

Docker basically checks if the arg is actually docker or something that docker has a help command for and then anything else gets passed directly through.

Redis does something simpler and just checks for flags (any dash will do) and conf. https://github.com/docker-library/redis/blob/master/6.0/docker-entrypoint.sh

So write a docker-entrypoint.sh and do a little:

COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["--help"]

Since in your entrypoint script you detected flags and options the default --help flag would get picked up and this would all work.

This means you'll also want to make sure liquidbase is on the path. Easiest solution from /liquidbase/liquidbase would be you link the binary into /usr/local/bin.

[r2-lf]

Hi, @metcalfc ! We've updated this to have a docker-entrypoint.sh as suggested.

[r2-lf]

Well, I guess that didn't solve the test case issue. Would love some feedback on how to fix this. Thanks, @metcalfc! Pretty sure we did as suggested, but obviously we didn't!

[tianon]

You need to apply chmod +x in your local copy, then commit that change so that the script is executable in the container. 👍

[r2-lf]

Thanks, @tianon ! I'm on it...

[r2-lf]

Neat! Tests pass now. Thanks!

[r2-lf]

Hi, @tianon and @metcalfc ! Would love to work on those 9 requriements. I think we're good on that last one so I updated it. Thanks!

[tianon]

• does it fit into one of the common categories? ("service", "language stack", "base distribution")
• is it reasonably popular, or does it solve a particular use case well?

We talked about this a little bit on IRC, and I'm copying the logs here for posterity:

<tianon> r2liquibase: ... from a cursory look at https://www.liquibase.org/, I'd also suggest you spend some time thinking about / articulating why liquibase makes sense as a separate Docker image, when it seems like it would be most useful / used within another application as part of the application startup (similar to "rake db:seed" and friends in other languages/frameworks)
<r2liquibase> roger that. we thought the same thing. we released it as a lark and it turns out that a lot of folks are using it via docker. i think that is driven by people using more and more db's in docker containers for dev/testing purposes. so, if you're using mysql, say, in a docker container, you might not want to install liquibase on the host.
<r2liquibase> ironically, liquibase came out of developer frustration that the db tools in ror weren't available for non-ruby projects.
<r2liquibase> does that justification make sense?
<r2liquibase> keep in mind, the liquibase team is willing to put in the work. don't want to task anyone else with that.
<tianon> yeah, I suppose so -- I think "thrift" is somewhat of a parallel in that sense (although I don't think that Dockerization is going to be a particularly useful example for you)
<tianon> it's somewhat unique in that users won't be using it as a long-running service, or even very often via "FROM liquibase"
<tianon> it's really more of an interactive tool
<r2liquibase> yeah, it's similar enough. thanks!
<tianon> and we don't have a lot of examples of that category in the official images
<tianon> everything typically falls into "service", "language stack", or "base image"
<r2liquibase> i can see that, but we're seeing on our side a lot more use of utilities via docker.
<tianon> even thrift is closer to "language stack" than liquibase is

So, I'm still on the fence as to whether this fits within the norm of the program generally, and I'd love to hear more opinions on this (perhaps @metcalfc has some additional thoughts?)

I think I'm open to accepting it conditionally, but I want to be clear that if we do so, this is a one-time exception (please don't open the floodgates of one-off tools here -- anyone doing so with this image as justification should be receiving a link to this comment 😅).

---

• does a documentation PR exist? (should be reviewed and merged at roughly the same time so that we don't have an empty image page on the Hub for very long)

I'm not seeing a companion PR over at https://github.com/docker-library/docs for liquibase yet -- is that something that's still in-progress? Seeing how you intend for users to use the image might be helpful on the previous point.

---

Tags: 3.10.x, latest

This should be more specific (especially as what's currently proposed is actually 4.0.0); here's what I'd suggest:

Tags: 4.0.0, 4.0, 4, latest

(Depending on how useful it is for users to be able to pin to a particular bucket of "updates" -- is "Liquibase 4" a useful thing to say/use, or is "Liquibase 4.0" the more appropriate level of specificity?)

---

I have a few more notes on the Dockerization itself, but I think many of them are fair to be addressed in a later image update (and don't necessarily need to be part of an initial merge):

(I've bolded the items that I see as outright blockers in this list, for clarity.)

• apt-get update should usually be combined with rm -rf /var/lib/apt/lists/* so that the APT list files don't linger, since they end up getting stale quickly (and thus just add ~17MB of useless bloat to the image)

• addgroup and adduser should probably be done in a single layer, since they end up touching a similar set of files

• chown liquibase /liquibase / COPY --chown=liquibase:liquibase ... -- since /liquibase is where the actual software is installed, does it make sense for this to be owned by the unprivileged user? Typically, we see maintainers instead install the software only modifiable by root, and make just the data directory user-modifiable, which also helps prevent the runtime from modifying the application files (likely less relevant here, since this is not a long-running service but more of a oneshot tool, but still relevant IMO).

• RUN GNUPGHOME="$(mktemp -d)" -- having this in a line by itself doesn't actually do anything, because there's a new shell spawned for each RUN line; you'll need to either join all these RUN lines into a single RUN line, or add setting/cleanup to each (also, that value needs export if you want the gpg tool to pick it up)

• gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys ... should use a full key fingerprint, not the short or long ID (for example, 79752DB6C966F0B8 becomes 0F07D1201BDDAB67CFB84EB479752DB6C966F0B8, which appears to be an expired key)

• gpg --batch --verify -fSLo -- this looks like a copy/pasta error from a curl invocation; I don't think you intended to pass -fSLo to gnupg

• we've recently updated https://github.com/docker-library/official-images#security to clarify that our ideal is both a checksum and GnuPG, since they verify different things (provenance vs transport/versioning)

• RUN chmod 0755 /usr/local/bin/docker-entrypoint.sh -- we've seen a lot of issues with this round-tripping through graph drivers properly due to the changed permissions; what you should do instead is commit the executable bit on the file in Git, so that what gets COPY-ed into the image can naturally be executable (Git will track the +x bit on the file properly)

• is there a particular reason to not put /liquibase/liquibase into the path somewhere, like a symlink in /usr/local/bin/liquibase so that users can start an interactive shell and just use liquibase directly without needing to know that it's under /liquibase?

[r2-lf]

Thanks, @tianon ! We're on it. Expect updates soon. Thanks!

[r2-lf]

I created a doc PR: docker-library/docs#1803

[r2-lf]

Can we address the version numbers at a later date? I'm reticent to change this until we have an official image as the current users of liquibase/liquibase got a bit heated (rightfully so!) with the changes we have made to date. Frankly, I'd like to make those changes to the official image prior to users migrating over to that. Sound fair? Let me know your thoughts, @tianon .

Also, GREAT feedback on the other issues we should address. We appreciate you, @tianon !!!

[dhwanitsshah]

Hi, @tianon any feedbacks/issues with the PR - liquibase/docker#21 ?
Hope you are good with the changes.. pl let me know if you think otherwise..thanks.

[tianon]

Running apt-get clean will be a no-op in all the Debian and Ubuntu base images -- it happens automatically (https://github.com/debuerreotype/debuerreotype/blob/d29dd5e030525d9a5d9bd925030d1c11a163380c/scripts/debuerreotype-minimizing-config#L85-L109).

[dhwanitsshah]

Running apt-get clean will be a no-op in all the Debian and Ubuntu base images -- it happens automatically (https://github.com/debuerreotype/debuerreotype/blob/d29dd5e030525d9a5d9bd925030d1c11a163380c/scripts/debuerreotype-minimizing-config#L85-L109).

Hi @tianon - indeed, have updated the code in PR, thanks.

[r2-lf]

Hi, @tianon, @yosifkit , and @metcalfc ! What are the blockers on releasing this official image? We're ready to apply changes for better tagging and labeling, but we're reticent to make the changes to the liquibase/liquibase image. We'd prefer to make them immediately to the official image due to some feedback from the community. Happy to have a conversation about it!!!

[tianon]

What I'd suggest is putting the source for "liquibase/liquibase" on a separate branch (or separate Dockerfiles/directories) so that changes you make for the official image no longer propagate to that other image, and so that users only have to adapt to the changes in the official image when they migrate to the new namespace.

[r2-lf]

Thanks, @tianon . Just made a change that we think will help. We've totally changed to using tags and I think this inline with what you are expecting.

[r2-lf]

@nvoxland is awesome!!!

@tianon @yosifkit What do you think?

[r2-lf]

Hi, @tianon and @yosifkit . How can I help with this PR? Any questions? Happy to help!!!

[jandroav]

Hi, @yosifkit @whalelines we did the change, and liquibase/liquibase:alpine has been published.

Thanks!

[jnewton03]

hi @yosifkit @whalelines. Thanks for all of the assistance here. Anything else we can do to get this merged?

[jnewton03]

hi @yosifkit @whalelines. Just checking in to see what else you need from us. Thanks!

[jandroav]

hi @tianon @yosifkit just pinging you in case we need to make more changes to get this done. Thanks!

[tianon]

I promise you're in the queue. Please be patient.

There are a few really minor things, but overall this looks reasonable.

Here are the important ones (in order of importance); I've pushed them all as a commit at liquibase/docker@15b6b4d if that's easier to integrate (git fetch origin 15b6b4dda3aadc688f7bfc798a10f4a2649abf0d && git cherry-pick 15b6b4dda3aadc688f7bfc798a10f4a2649abf0d):

---

apk --print-architecture is not a valid flag (https://github.com/liquibase/docker/actions/runs/7918608937/job/21617433482#step:4:105 -> "apk: unrecognized option: print-architecture"), so this just happens to complete "successfully" because the case statement isn't coded very defensively and as a result falls through to downloading the amd64 artifact, and you might notice that the lpm binary in your Alpine-based arm64 images is actually an amd64 binary as a result. Additionally, the strings being matched are not correct in either case for Alpine (should be x86_64 and aarch64 for APK architectures strings).

Here's what I'd suggest instead (explicit apk --print-arch as a separate command so its failure is captured correctly, fixed case strings, explicit failure case for unknown/unsupported architectures):

@@ -29,19 +32,18 @@ ARG LPM_SHA256_ARM=375acfa1e12aa0e11c4af65e231e6471ea8d5eea465fb58b516ea2ffbd18f
 # Download and Install lpm
 RUN mkdir /liquibase/bin && \
     apk add --no-cache --virtual .fetch-deps wget unzip && \
-    case "$(apk --print-architecture)" in \
-      *amd64*)  DOWNLOAD_ARCH=""  ;; \
-      *arm64*)  DOWNLOAD_ARCH="-arm64" && LPM_SHA256=$LPM_SHA256_ARM  ;; \
+    arch="$(apk --print-arch)" && \
+    case "$arch" in \
+      x86_64)   DOWNLOAD_ARCH=""  ;; \
+      aarch64)  DOWNLOAD_ARCH="-arm64" && LPM_SHA256=$LPM_SHA256_ARM  ;; \
+      *) echo >&2 "error: unsupported architecture '$arch'" && exit 1 ;; \
     esac && wget -q -O lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip "https://github.com/liquibase/liquibase-package-manager/releases/download/v${LPM_VERSION}/lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip" && \

@@ -30,10 +33,12 @@
     apt-get -yqq install unzip --no-install-recommends && \
     rm -rf /var/lib/apt/lists/* && \
     mkdir /liquibase/bin && \
-    case "$(dpkg --print-architecture)" in \
-      *amd64*)  DOWNLOAD_ARCH=""  ;; \
-      *arm64*)  DOWNLOAD_ARCH="-arm64" && LPM_SHA256=$LPM_SHA256_ARM ;; \
+    arch="$(dpkg --print-architecture)" && \
+    case "$arch" in \
+      amd64)  DOWNLOAD_ARCH=""  ;; \
+      arm64)  DOWNLOAD_ARCH="-arm64" && LPM_SHA256=$LPM_SHA256_ARM ;; \
+      *) echo >&2 "error: unsupported architecture '$arch'" && exit 1 ;; \
     esac && wget -q -O lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip "https://github.com/liquibase/liquibase-package-manager/releases/download/v${LPM_VERSION}/lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip" && \

(I'd even suggest going further and not using LPM_SHA256 as a fallback at all so that every part of this becomes explicit, but that's not necessary -- however, adding set -e and/or set -u or just set -eux to all these RUN lines would be strongly recommended, especially as it would've caught the missing DOWNLOAD_ARCH fallback)

---

Adding validation that the commands were not downloaded successfully, but work would also help here; I'd suggest something like this:

@@ -20,7 +20,10 @@ RUN set -x && \
     echo "$LB_SHA256 *liquibase-${LIQUIBASE_VERSION}.tar.gz" | sha256sum -c - && \
     tar -xzf liquibase-${LIQUIBASE_VERSION}.tar.gz && \
     rm liquibase-${LIQUIBASE_VERSION}.tar.gz && \
-    apk del --no-network .fetch-deps
+    apk del --no-network .fetch-deps && \
+    ln -s /liquibase/liquibase /usr/local/bin/liquibase && \
+    ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \
+    liquibase --version
 
@@ -38,12 +41,9 @@ RUN mkdir /liquibase/bin && \
     echo "$LPM_SHA256 *lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip" | sha256sum -c - && \
     unzip lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip -d bin/ && \
     rm lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip && \
-    apk del --no-network .fetch-deps
-
-# Setup symbolic links
-RUN ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \
-    ln -s /liquibase/liquibase /usr/local/bin/liquibase && \
-    ln -s /liquibase/bin/lpm /usr/local/bin/lpm
+    apk del --no-network .fetch-deps && \
+    ln -s /liquibase/bin/lpm /usr/local/bin/lpm && \
+    lpm --version
 

@@ -19,7 +19,10 @@ ARG LB_SHA256=46850b5fd21c548f969253cbbc97dc6c846198a8225581e3af5346ac8aa7dbf2
 RUN wget -q -O liquibase-${LIQUIBASE_VERSION}.tar.gz "https://github.com/liquibase/liquibase/releases/download/v${LIQUIBASE_VERSION}/liquibase-${LIQUIBASE_VERSION}.tar.gz" && \
     echo "$LB_SHA256 *liquibase-${LIQUIBASE_VERSION}.tar.gz" | sha256sum -c - && \
     tar -xzf liquibase-${LIQUIBASE_VERSION}.tar.gz && \
-    rm liquibase-${LIQUIBASE_VERSION}.tar.gz
+    rm liquibase-${LIQUIBASE_VERSION}.tar.gz && \
+    ln -s /liquibase/liquibase /usr/local/bin/liquibase && \
+    ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \
+    liquibase --version
 
@@ -39,12 +42,9 @@ RUN apt-get update && \
     echo "$LPM_SHA256 *lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip" | sha256sum -c - && \
     unzip lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip -d bin/ && \
     rm lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip && \
-    apt-get purge -y --auto-remove unzip
-
-# Setup symbolic links
-RUN ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \
-    ln -s /liquibase/liquibase /usr/local/bin/liquibase && \
-    ln -s /liquibase/bin/lpm /usr/local/bin/lpm
+    apt-get purge -y --auto-remove unzip && \
+    ln -s /liquibase/bin/lpm /usr/local/bin/lpm && \
+    lpm --version
 

---

Switching the Ubuntu-based variant from the adduser/addgroup wrappers to the lower level useradd/groupadd commands will clean up some errorneous output (https://github.com/liquibase/docker/actions/runs/7918608937/job/21617432684#step:4:63; yes, confusingly Alpine is the other way around because adduser and addgroup there come from BusyBox, so should be left as-is):

@@ -2,8 +2,8 @@
 FROM eclipse-temurin:17-jre-jammy
 
 # Create liquibase user
-RUN addgroup --gid 1001 liquibase && \
-    adduser --disabled-password --uid 1001 --ingroup liquibase liquibase
+RUN groupadd --gid 1001 liquibase && \
+    useradd --uid 1001 --gid liquibase liquibase
 

[tianon]

I'm updating the status of this PR to "draft" for now. When it's ready for re-review, please remove the draft status and leave a comment (GitHub unfortunately does not notify maintainers for draft state changes).

[jandroav]

Hey @tianon, we added your recommendations on Feb 26. We also updated this PR with our latest 4.27.0 release.

I can not remove the draft status:

Only those with write access to this repository can mark a draft pull request as ready for review.

[github-actions]

Diff for c74054e:

diff --git a/_bashbrew-arches b/_bashbrew-arches
index 8b13789..e85a97f 100644
--- a/_bashbrew-arches
+++ b/_bashbrew-arches
@@ -1 +1,2 @@
-
+amd64
+arm64v8
diff --git a/_bashbrew-cat b/_bashbrew-cat
index bdfae4a..b533524 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1 +1,12 @@
-Maintainers: New Image! :D (@docker-library-bot)
+Maintainers: Jake Newton <[email protected]> (@jnewton03)
+Architectures: amd64, arm64v8
+GitRepo: https://github.com/liquibase/docker.git
+
+Tags: 4.27, 4.27.0, latest
+GitFetch: refs/heads/main
+GitCommit: 7229778e4e912224ff54dbae0e05aae149544ed2
+
+Tags: 4.27-alpine, 4.27.0-alpine, alpine
+GitFetch: refs/heads/main
+GitCommit: 7229778e4e912224ff54dbae0e05aae149544ed2
+File: Dockerfile.alpine
diff --git a/_bashbrew-list b/_bashbrew-list
index e69de29..3d9fd5e 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -0,0 +1,6 @@
+liquibase:4.27
+liquibase:4.27-alpine
+liquibase:4.27.0
+liquibase:4.27.0-alpine
+liquibase:alpine
+liquibase:latest
diff --git a/liquibase_alpine/Dockerfile.alpine b/liquibase_alpine/Dockerfile.alpine
new file mode 100644
index 0000000..3ab23ca
--- /dev/null
+++ b/liquibase_alpine/Dockerfile.alpine
@@ -0,0 +1,58 @@
+# Use multi-stage build
+FROM alpine:3.19
+
+# Create liquibase user
+RUN addgroup --gid 1001 liquibase && \
+    adduser --disabled-password --uid 1001 --ingroup liquibase liquibase && \
+    mkdir /liquibase && chown liquibase /liquibase
+
+# Install smaller JRE, if available and acceptable
+RUN apk add --no-cache openjdk17-jre-headless bash
+
+WORKDIR /liquibase
+
+ARG LIQUIBASE_VERSION=4.27.0
+ARG LB_SHA256=50d89e1fc10249bf198f1a8ff2d81fd0b68e6ca0805db28a94d38649784d82f0
+
+# Download, verify, extract
+RUN set -x && \
+    apk add --no-cache --virtual .fetch-deps wget && \
+    wget -q -O liquibase-${LIQUIBASE_VERSION}.tar.gz "https://github.com/liquibase/liquibase/releases/download/v${LIQUIBASE_VERSION}/liquibase-${LIQUIBASE_VERSION}.tar.gz" && \
+    echo "$LB_SHA256 *liquibase-${LIQUIBASE_VERSION}.tar.gz" | sha256sum -c - && \
+    tar -xzf liquibase-${LIQUIBASE_VERSION}.tar.gz && \
+    rm liquibase-${LIQUIBASE_VERSION}.tar.gz && \
+    apk del --no-network .fetch-deps && \
+    ln -s /liquibase/liquibase /usr/local/bin/liquibase && \
+    ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \
+    liquibase --version
+
+ARG LPM_VERSION=0.2.4
+ARG LPM_SHA256=c3ecdc0fc0be75181b40e189289bf7fdb3fa62310a1d2cf768483b34e1d541cf
+ARG LPM_SHA256_ARM=375acfa1e12aa0e11c4af65e231e6471ea8d5eea465fb58b516ea2ffbd18f3e0
+
+# Download and Install lpm
+RUN mkdir /liquibase/bin && \
+    apk add --no-cache --virtual .fetch-deps wget unzip && \
+    arch="$(apk --print-arch)" && \
+    case "$arch" in \
+      x86_64)   DOWNLOAD_ARCH=""  ;; \
+      aarch64)  DOWNLOAD_ARCH="-arm64" && LPM_SHA256=$LPM_SHA256_ARM  ;; \
+      *) echo >&2 "error: unsupported architecture '$arch'" && exit 1 ;; \
+    esac && wget -q -O lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip "https://github.com/liquibase/liquibase-package-manager/releases/download/v${LPM_VERSION}/lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip" && \
+    echo "$LPM_SHA256 *lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip" | sha256sum -c - && \
+    unzip lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip -d bin/ && \
+    rm lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip && \
+    apk del --no-network .fetch-deps && \
+    ln -s /liquibase/bin/lpm /usr/local/bin/lpm && \
+    lpm --version
+
+# Set LIQUIBASE_HOME environment variable
+ENV LIQUIBASE_HOME=/liquibase
+
+COPY docker-entrypoint.sh ./
+COPY liquibase.docker.properties ./
+
+USER liquibase:liquibase
+
+ENTRYPOINT ["/liquibase/docker-entrypoint.sh"]
+CMD ["--help"]
diff --git a/liquibase_alpine/docker-entrypoint.sh b/liquibase_alpine/docker-entrypoint.sh
new file mode 100755
index 0000000..544ddef
--- /dev/null
+++ b/liquibase_alpine/docker-entrypoint.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+if [[ "$INSTALL_MYSQL" ]]; then
+  lpm add mysql --global
+fi
+
+if [[ "$1" != "history" ]] && [[ "$1" != "init" ]] && type "$1" > /dev/null 2>&1; then
+  ## First argument is an actual OS command (except if the command is history or init as it is a liquibase command). Run it
+  exec "$@"
+else
+  if [[ "$*" == *--defaultsFile* ]] || [[ "$*" == *--defaults-file* ]] || [[ "$*" == *--version* ]]; then
+    ## Just run as-is
+    exec /liquibase/liquibase "$@"
+  else
+    ## Include standard defaultsFile
+    exec /liquibase/liquibase "--defaultsFile=/liquibase/liquibase.docker.properties" "$@"
+  fi
+fi
\ No newline at end of file
diff --git a/liquibase_alpine/liquibase.docker.properties b/liquibase_alpine/liquibase.docker.properties
new file mode 100644
index 0000000..1cfe066
--- /dev/null
+++ b/liquibase_alpine/liquibase.docker.properties
@@ -0,0 +1 @@
+liquibase.headless: true
diff --git a/liquibase_latest/Dockerfile b/liquibase_latest/Dockerfile
new file mode 100644
index 0000000..c81b544
--- /dev/null
+++ b/liquibase_latest/Dockerfile
@@ -0,0 +1,60 @@
+# Builder Stage
+FROM eclipse-temurin:17-jre-jammy
+
+# Create liquibase user
+RUN groupadd --gid 1001 liquibase && \
+    useradd --uid 1001 --gid liquibase liquibase && \
+    mkdir /liquibase && chown liquibase /liquibase
+
+# Install necessary dependencies
+#RUN apt-get update && \
+#    apt-get -yqq install krb5-user libpam-krb5 --no-install-recommends && \
+#    rm -rf /var/lib/apt/lists/*
+
+# Download and install Liquibase
+WORKDIR /liquibase
+
+ARG LIQUIBASE_VERSION=4.27.0
+ARG LB_SHA256=50d89e1fc10249bf198f1a8ff2d81fd0b68e6ca0805db28a94d38649784d82f0
+
+RUN wget -q -O liquibase-${LIQUIBASE_VERSION}.tar.gz "https://github.com/liquibase/liquibase/releases/download/v${LIQUIBASE_VERSION}/liquibase-${LIQUIBASE_VERSION}.tar.gz" && \
+    echo "$LB_SHA256 *liquibase-${LIQUIBASE_VERSION}.tar.gz" | sha256sum -c - && \
+    tar -xzf liquibase-${LIQUIBASE_VERSION}.tar.gz && \
+    rm liquibase-${LIQUIBASE_VERSION}.tar.gz && \
+    ln -s /liquibase/liquibase /usr/local/bin/liquibase && \
+    ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \
+    liquibase --version
+
+ARG LPM_VERSION=0.2.4
+ARG LPM_SHA256=c3ecdc0fc0be75181b40e189289bf7fdb3fa62310a1d2cf768483b34e1d541cf
+ARG LPM_SHA256_ARM=375acfa1e12aa0e11c4af65e231e6471ea8d5eea465fb58b516ea2ffbd18f3e0
+
+# Download and Install lpm
+RUN apt-get update && \
+    apt-get -yqq install unzip --no-install-recommends && \
+    rm -rf /var/lib/apt/lists/* && \
+    mkdir /liquibase/bin && \
+    arch="$(dpkg --print-architecture)" && \
+    case "$arch" in \
+      amd64)  DOWNLOAD_ARCH=""  ;; \
+      arm64)  DOWNLOAD_ARCH="-arm64" && LPM_SHA256=$LPM_SHA256_ARM ;; \
+      *) echo >&2 "error: unsupported architecture '$arch'" && exit 1 ;; \
+    esac && wget -q -O lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip "https://github.com/liquibase/liquibase-package-manager/releases/download/v${LPM_VERSION}/lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip" && \
+    echo "$LPM_SHA256 *lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip" | sha256sum -c - && \
+    unzip lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip -d bin/ && \
+    rm lpm-${LPM_VERSION}-linux${DOWNLOAD_ARCH}.zip && \
+    apt-get purge -y --auto-remove unzip && \
+    ln -s /liquibase/bin/lpm /usr/local/bin/lpm && \
+    lpm --version
+
+# Set LIQUIBASE_HOME environment variable
+ENV LIQUIBASE_HOME=/liquibase
+
+COPY docker-entrypoint.sh ./
+COPY liquibase.docker.properties ./
+
+# Set user and group
+USER liquibase:liquibase
+
+ENTRYPOINT ["/liquibase/docker-entrypoint.sh"]
+CMD ["--help"]
diff --git a/liquibase_latest/docker-entrypoint.sh b/liquibase_latest/docker-entrypoint.sh
new file mode 100755
index 0000000..544ddef
--- /dev/null
+++ b/liquibase_latest/docker-entrypoint.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+if [[ "$INSTALL_MYSQL" ]]; then
+  lpm add mysql --global
+fi
+
+if [[ "$1" != "history" ]] && [[ "$1" != "init" ]] && type "$1" > /dev/null 2>&1; then
+  ## First argument is an actual OS command (except if the command is history or init as it is a liquibase command). Run it
+  exec "$@"
+else
+  if [[ "$*" == *--defaultsFile* ]] || [[ "$*" == *--defaults-file* ]] || [[ "$*" == *--version* ]]; then
+    ## Just run as-is
+    exec /liquibase/liquibase "$@"
+  else
+    ## Include standard defaultsFile
+    exec /liquibase/liquibase "--defaultsFile=/liquibase/liquibase.docker.properties" "$@"
+  fi
+fi
\ No newline at end of file
diff --git a/liquibase_latest/liquibase.docker.properties b/liquibase_latest/liquibase.docker.properties
new file mode 100644
index 0000000..1cfe066
--- /dev/null
+++ b/liquibase_latest/liquibase.docker.properties
@@ -0,0 +1 @@
+liquibase.headless: true

[tianon]

Thanks, looks good after the latest update 👍

I left some documentation notes at docker-library/docs#1803 (review), which I think is all that's blocking this now 👍

[jandroav]

Thanks @tianon , I updated the docs PR with the fixes.

[jandroav]

Hi @tianon thanks for all your work here. Now that we are tagged as an official image we noticed that there are two separate repositories for Liquibase Docker images: https://hub.docker.com/_/liquibase and https://hub.docker.com/r/liquibase/liquibase

Could you please provide some clarification on the difference between these two repositories? Can they be unified? Is there a specific reason for having two separate repositories for Liquibase images?

Additionally, we are wondering if there are any implications in our CICD pipeline. Do we need to choose one repository over the other for specific reasons? Any good practices here? We also would like not to lose the download count metric (10M+) shown here https://hub.docker.com/r/liquibase/liquibase

Thanks!

[whalelines]

@jandroav , there are actually quite a few more than two liquibase related images and we do not control namespaces on Docker Hub other than the library namespace.

Can I deduce from your question that Liquibase does not control the liquibase organization on Docker Hub?

[jandroav]

@whalelines we own the Liquibase org. We were publishing our liquibase/liquibase image to https://hub.docker.com/r/liquibase/liquibase using this user https://hub.docker.com/u/liquibase in https://github.com/liquibase/docker/blob/main/.github/workflows/create-release.yml

Our latest release matches this:

So, from now instead of doing our CI, we only need to update this https://github.com/docker-library/official-images/blob/master/library/liquibase and https://doi-janky.infosiftr.net will push it, right?

It seems we need to update our docs to reflect that the correct pull command is docker pull liquibase instead of the old docker liquibase/liquibase, correct?

[whalelines]

So, from now instead of doing our CI, we only need to update this https://github.com/docker-library/official-images/blob/master/library/liquibase and https://doi-janky.infosiftr.net/ will push it, right?

Correct, you will open a PR to update the library/liquibase file. Once it is reviewed, approved, and merged, the DOI build system will create the images and push them to Docker Hub.

It seems we need to update our docs to reflect that the correct pull command is docker pull liquibase instead of the old docker pull liquibase/liquibase, correct?

That is correct. You can also update the documentation on https://hub.docker.com/r/liquibase/liquibase to point to https://hub.docker.com/_/liquibase .

It is probably a good idea to maintain the liquibase/liquibase image to ensure users who have not updated their Dockerfiles and scripts continue to get an up-to-date image.

[jandroav]

Thanks for your comments @whalelines. We will do it.

[jnewton03]

So, from now instead of doing our CI, we only need to update this https://github.com/docker-library/official-images/blob/master/library/liquibase and https://doi-janky.infosiftr.net/ will push it, right?

Correct, you will open a PR to update the library/liquibase file. Once it is reviewed, approved, and merged, the DOI build system will create the images and push them to Docker Hub.

It seems we need to update our docs to reflect that the correct pull command is docker pull liquibase instead of the old docker pull liquibase/liquibase, correct?

That is correct. You can also update the documentation on https://hub.docker.com/r/liquibase/liquibase to point to https://hub.docker.com/_/liquibase .

It is probably a good idea to maintain the liquibase/liquibase image to ensure users who have not updated their Dockerfiles and scripts continue to get an up-to-date image.

hi @whalelines We're trying to determine if we should continue maintaining and updating both the liquibase/liquibase image AND the official image or if we should stop updating the liquibase/liquibase image and only update the official image. Do you have any examples of how other companies have handled this transition in the past? We'd like to follow best practices.

One thought we had was to have a cutover version where for versions 4.27.0 and earlier you can use liquibase/liquibase but for anything 4.28.0 and newer, to use the official image.

[tianon]

Yeah, I think you've got the right idea that it's really a communication problem -- having a specific version at which you'll stop updating the other image is a very sane way to handle that (straightforward for users to understand), although our experience is that getting them to notice the communication can sometimes be a challenge. An approach we've used for that in the past has been deleting generic tags like latest so that users who aren't pinning to an explicit older version get a 404 as a signal that they should check the repository and hopefully see the notice that the images are in a new place now. (I don't think there's "one" standard flow that's best because each company's situation and userbase is inevitably a little bit different.)

[LaurentGoderre]

From a Hub perspective you could do something like this: https://hub.docker.com/r/mattermost/mattermost-prod-db