
feat: Update influxdb2 image to 2.9.0, remove 2.7.x#21362

Open
devanbenz wants to merge 2 commits intodocker-library:masterfrom
influxdata:db/release-OSS-2.9.0


@devanbenz
Contributor

No description provided.

@devanbenz devanbenz requested a review from a team as a code owner May 1, 2026 21:42
@github-actions

github-actions Bot commented May 1, 2026

Diff for 868dc6f:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index 2435f66..533a32f 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,6 +1,6 @@
 Maintainers: Brandon Pfeifer <bpfeifer@influxdata.com> (@bnpfeife), Devan Benz <dbenz@influxdata.com> (@devanbenz), Geoffrey Wossum <gwossum@influxdata.com> (@gwossum), Michael Gattozzi <mgattozzi@influxdata.com> (@mgattozzi), Praveenkumar Hemakumar <pkumar@influxdata.com> (@praveen-influx), Trevor Hilton <thilton@influxdata.com> (@hiltontj)
 GitRepo: https://github.com/influxdata/influxdata-docker
-GitCommit: ca349af15bb3dbe666a26fa0acf7e19b32ac74ec
+GitCommit: 0b46f38b4529d6732665d0610522fc7e4416e95a
 
 Tags: 1.11, 1.11.8
 Architectures: amd64, arm64v8
@@ -42,21 +42,21 @@ Directory: influxdb/1.12/meta
 Tags: 1.12-meta-alpine, 1.12.4-meta-alpine, meta-alpine
 Directory: influxdb/1.12/meta/alpine
 
-Tags: 2, 2.8, 2.8.0, latest
+Tags: 2, 2.9, 2.9.0, latest
 Architectures: amd64, arm64v8
-Directory: influxdb/2.8
+Directory: influxdb/2.9
 
-Tags: 2-alpine, 2.8-alpine, 2.8.0-alpine, alpine
+Tags: 2-alpine, 2.9-alpine, 2.9.0-alpine, alpine
 Architectures: amd64, arm64v8
-Directory: influxdb/2.8/alpine
+Directory: influxdb/2.9/alpine
 
-Tags: 2.7, 2.7.12
+Tags: 2.8, 2.8.0
 Architectures: amd64, arm64v8
-Directory: influxdb/2.7
+Directory: influxdb/2.8
 
-Tags: 2.7-alpine, 2.7.12-alpine
+Tags: 2.8-alpine, 2.8.0-alpine
 Architectures: amd64, arm64v8
-Directory: influxdb/2.7/alpine
+Directory: influxdb/2.8/alpine
 
 Tags: 3-core, 3.9-core, 3.9.1-core, core
 Architectures: amd64, arm64v8
diff --git a/_bashbrew-list b/_bashbrew-list
index 9c1acc3..129de79 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -24,14 +24,14 @@ influxdb:1.12.4-meta
 influxdb:1.12.4-meta-alpine
 influxdb:2
 influxdb:2-alpine
-influxdb:2.7
-influxdb:2.7-alpine
-influxdb:2.7.12
-influxdb:2.7.12-alpine
 influxdb:2.8
 influxdb:2.8-alpine
 influxdb:2.8.0
 influxdb:2.8.0-alpine
+influxdb:2.9
+influxdb:2.9-alpine
+influxdb:2.9.0
+influxdb:2.9.0-alpine
 influxdb:3-core
 influxdb:3-enterprise
 influxdb:3.9-core
diff --git a/_bashbrew-list-build-order b/_bashbrew-list-build-order
index 895c2fa..601726f 100644
--- a/_bashbrew-list-build-order
+++ b/_bashbrew-list-build-order
@@ -6,8 +6,8 @@ influxdb:1.11.9-meta
 influxdb:1.11.9-meta-alpine
 influxdb:1.12.4
 influxdb:1.12.4-alpine
-influxdb:2.7.12
-influxdb:2.7.12-alpine
+influxdb:2.8.0
+influxdb:2.8.0-alpine
 influxdb:alpine
 influxdb:core
 influxdb:data
diff --git a/influxdb_2.7.12/Dockerfile b/influxdb_2.7.12/Dockerfile
deleted file mode 100644
index 9f3a6de..0000000
diff --git a/influxdb_2.7.12-alpine/Dockerfile b/influxdb_2.8.0-alpine/Dockerfile
similarity index 81%
rename from influxdb_2.7.12-alpine/Dockerfile
rename to influxdb_2.8.0-alpine/Dockerfile
index 46193cc..39d3dd3 100644
--- a/influxdb_2.7.12-alpine/Dockerfile
+++ b/influxdb_2.8.0-alpine/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.21
+FROM alpine:3.23
 
 RUN echo 'hosts: files dns' >> /etc/nsswitch.conf
 RUN apk add --no-cache \
@@ -31,7 +31,9 @@ RUN addgroup -S -g 1000 influxdb && \
     chown -R influxdb:influxdb /home/influxdb
 
 # Install the infuxd server
-ENV INFLUXDB_VERSION 2.7.12
+ENV INFLUXDB_VERSION=2.8.0
+ENV INFLUXDB_PR=-2
+ENV INFLUXDB_PV=${INFLUXDB_VERSION}${INFLUXDB_PR}
 RUN case "$(apk --print-arch)" in \
       x86_64)  arch=amd64 ;; \
       aarch64) arch=arm64 ;; \
@@ -41,19 +43,19 @@ RUN case "$(apk --print-arch)" in \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys \
       # InfluxData Package Signing Key <support@influxdata.com>
       24C975CBA61A024EE1B631787C3D57159FC2F927 &&\
-    curl -fLO "https://dl.influxdata.com/influxdb/releases/v${INFLUXDB_VERSION}/influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" \
-         -fLO "https://dl.influxdata.com/influxdb/releases/v${INFLUXDB_VERSION}/influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz.asc" && \
-    gpg --batch --verify "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz.asc" \
-                         "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" && \
-    tar xzf "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" && \
+    curl -fLO "https://dl.influxdata.com/influxdb/releases/v${INFLUXDB_VERSION}/influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" \
+         -fLO "https://dl.influxdata.com/influxdb/releases/v${INFLUXDB_VERSION}/influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz.asc" && \
+    gpg --batch --verify "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz.asc" \
+                         "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" && \
+    tar xzf "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" && \
     cp "influxdb2-${INFLUXDB_VERSION}/usr/bin/influxd" /usr/local/bin/influxd && \
-    rm -rf "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" \
-           "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz.asc" \
+    rm -rf "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" \
+           "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz.asc" \
            "influxdb2-${INFLUXDB_VERSION}" && \
     influxd version
 
 # Install the influx CLI
-ENV INFLUX_CLI_VERSION 2.7.5
+ENV INFLUX_CLI_VERSION=2.7.5
 RUN case "$(apk --print-arch)" in \
       x86_64)  arch=amd64 ;; \
       aarch64) arch=arm64 ;; \
@@ -88,7 +90,7 @@ CMD ["influxd"]
 
 EXPOSE 8086
 
-ENV INFLUX_CONFIGS_PATH /etc/influxdb2/influx-configs
-ENV INFLUXD_INIT_PORT 9999
-ENV INFLUXD_INIT_PING_ATTEMPTS 600
-ENV DOCKER_INFLUXDB_INIT_CLI_CONFIG_NAME default
+ENV INFLUX_CONFIGS_PATH=/etc/influxdb2/influx-configs
+ENV INFLUXD_INIT_PORT=9999
+ENV INFLUXD_INIT_PING_ATTEMPTS=600
+ENV DOCKER_INFLUXDB_INIT_CLI_CONFIG_NAME=default
diff --git a/influxdb_2.7.12-alpine/default-config.yml b/influxdb_2.8.0-alpine/default-config.yml
similarity index 100%
rename from influxdb_2.7.12-alpine/default-config.yml
rename to influxdb_2.8.0-alpine/default-config.yml
diff --git a/influxdb_2.7.12-alpine/entrypoint.sh b/influxdb_2.8.0-alpine/entrypoint.sh
similarity index 100%
rename from influxdb_2.7.12-alpine/entrypoint.sh
rename to influxdb_2.8.0-alpine/entrypoint.sh
diff --git a/influxdb_latest/Dockerfile b/influxdb_2.8.0/Dockerfile
similarity index 100%
copy from influxdb_latest/Dockerfile
copy to influxdb_2.8.0/Dockerfile
diff --git a/influxdb_2.7.12/default-config.yml b/influxdb_2.8.0/default-config.yml
similarity index 100%
rename from influxdb_2.7.12/default-config.yml
rename to influxdb_2.8.0/default-config.yml
diff --git a/influxdb_2.7.12/entrypoint.sh b/influxdb_2.8.0/entrypoint.sh
similarity index 100%
rename from influxdb_2.7.12/entrypoint.sh
rename to influxdb_2.8.0/entrypoint.sh
diff --git a/influxdb_alpine/Dockerfile b/influxdb_alpine/Dockerfile
index 37b5501..cc5d8e8 100644
--- a/influxdb_alpine/Dockerfile
+++ b/influxdb_alpine/Dockerfile
@@ -7,7 +7,7 @@ RUN apk add --no-cache \
       curl \
       gnupg \
       run-parts \
-      su-exec \
+      setpriv \
       tzdata && \
     update-ca-certificates
 
@@ -17,23 +17,21 @@ RUN case "$(apk --print-arch)" in \
       aarch64) arch=arm64 ;; \
       *) echo 'Unsupported architecture' && exit 1 ;; \
     esac && \
-    curl -fL "https://github.com/TomWright/dasel/releases/download/v2.8.1/dasel_linux_${arch}.gz" | gzip -d > /usr/local/bin/dasel && \
+    curl -fL "https://github.com/TomWright/dasel/releases/download/v3.4.1/dasel_linux_${arch}.gz" | gzip -d > /usr/local/bin/dasel && \
     case ${arch} in \
-      amd64) echo '21fda0a4dc3c779c42737eca4b37e4f187d7ab91ba6301eed97b801af84a9ea2  /usr/local/bin/dasel' ;; \
-      arm64) echo '2c75e63f9884c37578f48788819dda5a5a5c32ec6c4a663eefc19839f44d6291  /usr/local/bin/dasel' ;; \
+      amd64) echo '3c947a8dcd88856a32c172081db091c38059394fb57a15fa43871f6d046427e1  /usr/local/bin/dasel' ;; \
+      arm64) echo 'a128c5554c53e6e4af880700adba1d212ce651db208da1592fb1cae0e959cbc6  /usr/local/bin/dasel' ;; \
     esac | sha256sum -c - && \
     chmod +x /usr/local/bin/dasel && \
-    dasel --version
+    dasel version
 
 RUN addgroup -S -g 1000 influxdb && \
     adduser -S -G influxdb -u 1000 -h /home/influxdb -s /bin/sh influxdb && \
     mkdir -p /home/influxdb && \
     chown -R influxdb:influxdb /home/influxdb
 
-# Install the infuxd server
-ENV INFLUXDB_VERSION=2.8.0
-ENV INFLUXDB_PR=-2
-ENV INFLUXDB_PV=${INFLUXDB_VERSION}${INFLUXDB_PR}
+# Install the influxd server
+ENV INFLUXDB_VERSION=2.9.0
 RUN case "$(apk --print-arch)" in \
       x86_64)  arch=amd64 ;; \
       aarch64) arch=arm64 ;; \
@@ -43,14 +41,14 @@ RUN case "$(apk --print-arch)" in \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys \
       # InfluxData Package Signing Key <support@influxdata.com>
       24C975CBA61A024EE1B631787C3D57159FC2F927 &&\
-    curl -fLO "https://dl.influxdata.com/influxdb/releases/v${INFLUXDB_VERSION}/influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" \
-         -fLO "https://dl.influxdata.com/influxdb/releases/v${INFLUXDB_VERSION}/influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz.asc" && \
-    gpg --batch --verify "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz.asc" \
-                         "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" && \
-    tar xzf "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" && \
-    cp "influxdb2-${INFLUXDB_VERSION}/usr/bin/influxd" /usr/local/bin/influxd && \
-    rm -rf "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" \
-           "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz.asc" \
+    curl -fLO "https://dl.influxdata.com/influxdb/releases/influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" \
+         -fLO "https://dl.influxdata.com/influxdb/releases/influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz.asc" && \
+    gpg --batch --verify "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz.asc" \
+                         "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" && \
+    tar xzf "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" && \
+    cp "influxdb2-${INFLUXDB_VERSION}/influxd" /usr/local/bin/influxd && \
+    rm -rf "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" \
+           "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz.asc" \
            "influxdb2-${INFLUXDB_VERSION}" && \
     influxd version
 
diff --git a/influxdb_alpine/entrypoint.sh b/influxdb_alpine/entrypoint.sh
index 74a142c..5cd1d40 100755
--- a/influxdb_alpine/entrypoint.sh
+++ b/influxdb_alpine/entrypoint.sh
@@ -164,8 +164,13 @@ function influxd::config::get()
   #
   # Parse Value from Configuration
   #
-
-  dasel -f "${INFLUXD_CONFIG_PATH}" -s "${primary_key}" -w - 2>/dev/null || \
+  local config_format
+  case "${INFLUXD_CONFIG_PATH,,}" in
+    *.toml)       config_format=toml ;;
+    *.json)       config_format=json ;;
+    *)            config_format=yaml ;;
+  esac
+  dasel -i "${config_format}" 'get("'"${primary_key}"'")' < "${INFLUXD_CONFIG_PATH}" 2>/dev/null || \
     table::get "${primary_key}" "${COLUMN_DEFAULT}"
 }
 
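Review bot: On the new `dasel -i ... < "${INFLUXD_CONFIG_PATH}" 2>/dev/null` line the input redirection comes before `2>/dev/null`, and bash applies redirections left to right, so a missing or unreadable config file now makes the shell print its own "No such file or directory" error to the container's stderr before stderr is silenced. The removed `-f` form let dasel open the file, so that failure was suppressed. The fallback to `table::get` still runs, because the failed redirection returns non-zero; to keep the earlier quiet behaviour, put the stderr redirection first: `dasel -i "${config_format}" 'get("'"${primary_key}"'")' 2>/dev/null < "${INFLUXD_CONFIG_PATH}" || \`. The same line is added in the influxdb_latest/entrypoint.sh copy of this hunk, and the function starts outside the hunk.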
@@ -193,10 +198,10 @@ function create_directories () {
     fi
 }
 
-# Read password and username from file to avoid unsecure env variables
+# Read password and username from file to avoid insecure env variables
 if [ -n "${DOCKER_INFLUXDB_INIT_PASSWORD_FILE}" ]; then [ -e "${DOCKER_INFLUXDB_INIT_PASSWORD_FILE}" ] && DOCKER_INFLUXDB_INIT_PASSWORD=$(cat "${DOCKER_INFLUXDB_INIT_PASSWORD_FILE}") || echo "DOCKER_INFLUXDB_INIT_PASSWORD_FILE defined, but file not existing, skipping."; fi
 if [ -n "${DOCKER_INFLUXDB_INIT_USERNAME_FILE}" ]; then [ -e "${DOCKER_INFLUXDB_INIT_USERNAME_FILE}" ] && DOCKER_INFLUXDB_INIT_USERNAME=$(cat "${DOCKER_INFLUXDB_INIT_USERNAME_FILE}") || echo "DOCKER_INFLUXDB_INIT_USERNAME_FILE defined, but file not existing, skipping."; fi
-if [ -n "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}" ]; then [ -e "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}" ] && DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=$(cat "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}") || echo "DOCKER_INFLUXDB_INIT_USERNAME_FILE defined, but file not existing, skipping."; fi
+if [ -n "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}" ]; then [ -e "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}" ] && DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=$(cat "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}") || echo "DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE defined, but file not existing, skipping."; fi
 
 # List of env vars required to auto-run setup or upgrade processes.
 declare -ra REQUIRED_INIT_VARS=(
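Review bot: The corrected token line keeps the `[ -e f ] && VAR=$(cat f) || echo ...` shape, so a secret file that exists but cannot be read (for example wrong mode or owner on the mount) prints "file not existing" and leaves `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN` assigned to an empty string. An explicit `if [ -r "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}" ]; then ...; else ...; fi` with a message naming the real cause would separate the two cases. Whether setup should stop rather than "skip" when a configured secret file is unusable depends on code outside the hunk. The password and username lines above it, and the three matching lines in influxdb_latest/entrypoint.sh, have the same pattern.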
@@ -225,7 +230,20 @@ function ensure_init_vars_set () {
 # the DB is already full set up.
 function cleanup_influxd () {
     log warn "cleaning bolt and engine files to prevent conflicts on retry" bolt_path "${BOLT_PATH}" engine_path "${ENGINE_PATH}"
-    rm -rf "${BOLT_PATH}" "${ENGINE_PATH}/"*
+
+    # Only remove the bolt path if it is set and not the filesystem root.
+    if [ -n "${BOLT_PATH}" ] && [ "${BOLT_PATH}" != "/" ]; then
+        rm -rf -- "${BOLT_PATH}"
+    else
+        log error "refusing to clean unsafe or empty bolt path" bolt_path "${BOLT_PATH}"
+    fi
+
+    # Only remove engine contents if ENGINE_PATH is set and not the filesystem root.
+    if [ -n "${ENGINE_PATH}" ] && [ "${ENGINE_PATH}" != "/" ]; then
+        rm -rf -- "${ENGINE_PATH}/"*
+    else
+        log error "refusing to clean unsafe or empty engine path" engine_path "${ENGINE_PATH}"
+    fi
 }
 
 # Upgrade V1 data into the V2 format using influxd upgrade.
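Review bot: The new guards in cleanup_influxd reject only an empty value and the exact string `/`, so values that resolve to the root another way (`//`, `/.`, or a path ending in `/..`) still reach `rm -rf`. Comparing the resolved path instead of the raw string, or requiring the path to sit under the expected data directory, would close that gap. Where BOLT_PATH and ENGINE_PATH are set is outside the hunk, so how reachable this is needs confirming. The refusal branches also only log, which leaves the function's status as whatever `log` returns; returning non-zero after each `log error` would let the caller see that cleanup was skipped. Both points apply to the influxdb_latest/entrypoint.sh copy of this hunk as well.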
@@ -322,7 +340,7 @@ function setup_influxd () {
 # Get the IDs of the initial user/org/bucket created during setup, and export them into the env.
 # We do this to help with arbitrary user scripts, since many influx CLI commands only take IDs.
 function set_init_resource_ids () {
-    DOCKER_INFLUXDB_INIT_USER_ID="$(influx user list -n "${DOCKER_INFLUXDB_INIT_USER}" --hide-headers | cut -f 1)"
+    DOCKER_INFLUXDB_INIT_USER_ID="$(influx user list -n "${DOCKER_INFLUXDB_INIT_USERNAME}" --hide-headers | cut -f 1)"
     DOCKER_INFLUXDB_INIT_ORG_ID="$(influx org list -n "${DOCKER_INFLUXDB_INIT_ORG}" --hide-headers | cut -f 1)"
     DOCKER_INFLUXDB_INIT_BUCKET_ID="$(influx bucket list -n "${DOCKER_INFLUXDB_INIT_BUCKET}" --hide-headers | cut -f 1)"
     export DOCKER_INFLUXDB_INIT_USER_ID DOCKER_INFLUXDB_INIT_ORG_ID DOCKER_INFLUXDB_INIT_BUCKET_ID
@@ -397,16 +415,14 @@ function init_influxd () {
     esac
 
     # Generate a config file with a known HTTP port, and TLS disabled.
+    # TLS keys are set to empty here and also overridden via env vars when
+    # launching influxd below, so explicit deletion is unnecessary.
     local -r init_config=/tmp/config.json
     (
-      dasel -r "${influxd_config_format}" -w json \
-        | dasel -r json put http-bind-address -v "${init_bind_addr}" \
-        `# insert "tls-cert" and "tls-key" so delete succeeds` \
-        | dasel -r json put tls-cert -v ''                     \
-        | dasel -r json put tls-key  -v ''                     \
-        `# delete "tls-cert" and "tls-key"` \
-        | dasel -r json delete tls-cert     \
-        | dasel -r json delete tls-key
+      dasel -i "${influxd_config_format}" -o json \
+        | dasel -i json -o json --root 'get("http-bind-address") = "'"${init_bind_addr}"'"' \
+        | dasel -i json -o json --root 'get("tls-cert") = ""' \
+        | dasel -i json -o json --root 'get("tls-key") = ""'
     ) <"${INFLUXD_CONFIG_PATH}" | tee "${init_config}"
 
     # Start influxd in the background.
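Review bot: `init_bind_addr` is now spliced into the dasel expression text (`'get("http-bind-address") = "'"${init_bind_addr}"'"'`), whereas the removed `put http-bind-address -v "${init_bind_addr}"` passed it as a separate argument. A value containing `"` or other expression syntax would therefore change the query instead of being stored as data. If the address is derived from `INFLUXD_INIT_PORT` (its construction is outside the hunk), check that variable before building the expression, for example `[[ "${INFLUXD_INIT_PORT}" =~ ^[0-9]+$ ]]`, and stop with an error otherwise. `primary_key` in influxd::config::get is interpolated the same way, and both patterns are repeated in influxdb_latest/entrypoint.sh.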
@@ -491,7 +507,7 @@ function main () {
     fi
 
     if [ "$(id -u)" = 0 ]; then
-        exec su-exec influxdb "$BASH_SOURCE" "${@}"
+        exec setpriv --reuid=influxdb --regid=influxdb --init-groups "$BASH_SOURCE" "${@}"
     fi
 
     # Run influxd.
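Review bot: `setpriv` changes only the process credentials, while su-exec and gosu, as far as I know, also set `HOME` to the target user's home directory, so after this change the re-executed script and influxd would run as influxdb but keep root's `HOME`. Anything that falls back to `$HOME` for a default path would then point at a directory the influxdb user cannot write. If that applies here, set it before the exec, for example `export HOME=/home/influxdb` (the home directory the Dockerfile creates). Adding `--no-new-privs` to the setpriv call is a low-cost hardening step if nothing started afterwards relies on setuid binaries. The same replacement is made for gosu in influxdb_latest/entrypoint.sh; main continues outside the hunk.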
diff --git a/influxdb_core/Dockerfile b/influxdb_core/Dockerfile
index 919b9a2..c5dd61c 100644
--- a/influxdb_core/Dockerfile
+++ b/influxdb_core/Dockerfile
@@ -16,7 +16,7 @@ RUN groupadd --gid 1500 influxdb3 && \
              /usr/lib/influxdb3 \
              /plugins
 
-ENV INFLUXDB_VERSION=3.9.1
+ENV INFLUXDB_VERSION=3.9.2
 RUN case "$(dpkg --print-architecture)" in \
         amd64) ARCH=amd64 ;; \
         arm64) ARCH=arm64 ;; \
diff --git a/influxdb_enterprise/Dockerfile b/influxdb_enterprise/Dockerfile
index d55c8f3..e42d957 100644
--- a/influxdb_enterprise/Dockerfile
+++ b/influxdb_enterprise/Dockerfile
@@ -16,7 +16,7 @@ RUN groupadd --gid 1500 influxdb3 && \
              /usr/lib/influxdb3 \
              /plugins
 
-ENV INFLUXDB_VERSION=3.9.1
+ENV INFLUXDB_VERSION=3.9.2
 RUN case "$(dpkg --print-architecture)" in \
         amd64) ARCH=amd64 ;; \
         arm64) ARCH=arm64 ;; \
diff --git a/influxdb_latest/Dockerfile b/influxdb_latest/Dockerfile
index 47d9bfa..7899f8a 100644
--- a/influxdb_latest/Dockerfile
+++ b/influxdb_latest/Dockerfile
@@ -6,7 +6,8 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get install -y --no-install-recommends \
       ca-certificates \
       curl \
-      gnupg && \
+      gnupg \
+      util-linux && \
     # cleanup apt \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
@@ -17,41 +18,19 @@ RUN case "$(dpkg --print-architecture)" in \
       *arm64) arch=arm64 ;; \
       *) echo 'Unsupported architecture' && exit 1 ;; \
     esac && \
-    curl -fL "https://github.com/TomWright/dasel/releases/download/v2.8.1/dasel_linux_${arch}.gz" | gzip -d > /usr/local/bin/dasel && \
+    curl -fL "https://github.com/TomWright/dasel/releases/download/v3.4.1/dasel_linux_${arch}.gz" | gzip -d > /usr/local/bin/dasel && \
     case ${arch} in \
-      amd64) echo '21fda0a4dc3c779c42737eca4b37e4f187d7ab91ba6301eed97b801af84a9ea2  /usr/local/bin/dasel' ;; \
-      arm64) echo '2c75e63f9884c37578f48788819dda5a5a5c32ec6c4a663eefc19839f44d6291  /usr/local/bin/dasel' ;; \
+      amd64) echo '3c947a8dcd88856a32c172081db091c38059394fb57a15fa43871f6d046427e1  /usr/local/bin/dasel' ;; \
+      arm64) echo 'a128c5554c53e6e4af880700adba1d212ce651db208da1592fb1cae0e959cbc6  /usr/local/bin/dasel' ;; \
     esac | sha256sum -c - && \
     chmod +x /usr/local/bin/dasel && \
-    dasel --version
+    dasel version
 
 RUN groupadd -r influxdb --gid=1000 && \
     useradd -r -g influxdb --uid=1000 --create-home --home-dir=/home/influxdb --shell=/bin/bash influxdb
 
-# Install gosu for easy step-down from root
-ENV GOSU_VER=1.19
-RUN case "$(dpkg --print-architecture)" in \
-      *amd64) arch=amd64 ;; \
-      *arm64) arch=arm64 ;; \
-      *) echo 'Unsupported architecture' && exit 1 ;; \
-    esac && \
-    export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys \
-      # Tianon Gravi <tianon@tianon.xyz> (gosu)
-      B42F6819007F00F88E364FD4036A9C25BF357DD4 && \
-    curl -fLo /usr/local/bin/gosu     "https://github.com/tianon/gosu/releases/download/$GOSU_VER/gosu-${arch}" \
-         -fLo /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VER/gosu-${arch}.asc" && \
-    gpg --batch --verify /usr/local/bin/gosu.asc \
-                         /usr/local/bin/gosu && \
-    rm -rf /usr/local/bin/gosu.asc && \
-    chmod +x /usr/local/bin/gosu && \
-    gosu --version && \
-    gosu nobody true
-
 # Install the influxd server
-ENV INFLUXDB_VERSION=2.8.0
-ENV INFLUXDB_PR=-2
-ENV INFLUXDB_PV=${INFLUXDB_VERSION}${INFLUXDB_PR}
+ENV INFLUXDB_VERSION=2.9.0
 RUN case "$(dpkg --print-architecture)" in \
       *amd64) arch=amd64 ;; \
       *arm64) arch=arm64 ;; \
@@ -61,14 +40,14 @@ RUN case "$(dpkg --print-architecture)" in \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys \
       # InfluxData Package Signing Key <support@influxdata.com>
       24C975CBA61A024EE1B631787C3D57159FC2F927 && \
-    curl -fLO "https://dl.influxdata.com/influxdb/releases/v${INFLUXDB_VERSION}/influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" \
-         -fLO "https://dl.influxdata.com/influxdb/releases/v${INFLUXDB_VERSION}/influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz.asc" && \
-    gpg --batch --verify "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz.asc" \
-                         "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" && \
-    tar xzf "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" && \
-    cp "influxdb2-${INFLUXDB_VERSION}/usr/bin/influxd" /usr/local/bin/influxd && \
-    rm -rf "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz" \
-           "influxdb2-${INFLUXDB_PV}_linux_${arch}.tar.gz.asc" \
+    curl -fLO "https://dl.influxdata.com/influxdb/releases/influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" \
+         -fLO "https://dl.influxdata.com/influxdb/releases/influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz.asc" && \
+    gpg --batch --verify "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz.asc" \
+                         "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" && \
+    tar xzf "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" && \
+    cp "influxdb2-${INFLUXDB_VERSION}/influxd" /usr/local/bin/influxd && \
+    rm -rf "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz" \
+           "influxdb2-${INFLUXDB_VERSION}_linux_${arch}.tar.gz.asc" \
            "influxdb2-${INFLUXDB_VERSION}" && \
     influxd version
 
diff --git a/influxdb_latest/entrypoint.sh b/influxdb_latest/entrypoint.sh
index 2bef975..28b2e22 100755
--- a/influxdb_latest/entrypoint.sh
+++ b/influxdb_latest/entrypoint.sh
@@ -164,7 +164,13 @@ function influxd::config::get()
   #
   # Parse Value from Configuration
   #
-  dasel -f "${INFLUXD_CONFIG_PATH}" -s "${primary_key}" -w - 2>/dev/null || \
+  local config_format
+  case "${INFLUXD_CONFIG_PATH,,}" in
+    *.toml)       config_format=toml ;;
+    *.json)       config_format=json ;;
+    *)            config_format=yaml ;;
+  esac
+  dasel -i "${config_format}" 'get("'"${primary_key}"'")' < "${INFLUXD_CONFIG_PATH}" 2>/dev/null || \
     table::get "${primary_key}" "${COLUMN_DEFAULT}"
 }
 
@@ -192,7 +198,7 @@ function create_directories () {
     fi
 }
 
-# Read password and username from file to avoid unsecure env variables
+# Read password and username from file to avoid insecure env variables
 if [ -n "${DOCKER_INFLUXDB_INIT_PASSWORD_FILE}" ]; then [ -e "${DOCKER_INFLUXDB_INIT_PASSWORD_FILE}" ] && DOCKER_INFLUXDB_INIT_PASSWORD=$(cat "${DOCKER_INFLUXDB_INIT_PASSWORD_FILE}") || echo "DOCKER_INFLUXDB_INIT_PASSWORD_FILE defined, but file not existing, skipping."; fi
 if [ -n "${DOCKER_INFLUXDB_INIT_USERNAME_FILE}" ]; then [ -e "${DOCKER_INFLUXDB_INIT_USERNAME_FILE}" ] && DOCKER_INFLUXDB_INIT_USERNAME=$(cat "${DOCKER_INFLUXDB_INIT_USERNAME_FILE}") || echo "DOCKER_INFLUXDB_INIT_USERNAME_FILE defined, but file not existing, skipping."; fi
 if [ -n "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}" ]; then [ -e "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}" ] && DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=$(cat "${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}") || echo "DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE defined, but file not existing, skipping."; fi
@@ -224,7 +230,20 @@ function ensure_init_vars_set () {
 # the DB is already full set up.
 function cleanup_influxd () {
     log warn "cleaning bolt and engine files to prevent conflicts on retry" bolt_path "${BOLT_PATH}" engine_path "${ENGINE_PATH}"
-    rm -rf "${BOLT_PATH}" "${ENGINE_PATH}/"*
+
+    # Safety checks to avoid accidentally deleting the filesystem root or other
+    # unintended locations if the paths are empty or misconfigured.
+    if [ -n "${BOLT_PATH}" ] && [ "${BOLT_PATH}" != "/" ]; then
+        rm -rf "${BOLT_PATH}"
+    else
+        log error "refusing to remove invalid bolt path" bolt_path "${BOLT_PATH}"
+    fi
+
+    if [ -n "${ENGINE_PATH}" ] && [ "${ENGINE_PATH}" != "/" ]; then
+        rm -rf "${ENGINE_PATH}/"*
+    else
+        log error "refusing to remove invalid engine path" engine_path "${ENGINE_PATH}"
+    fi
 }
 
 # Upgrade V1 data into the V2 format using influxd upgrade.
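Review bot: The two `rm -rf` calls added here omit the `--` that the influxdb_alpine/entrypoint.sh copy of this function uses, so a path value beginning with `-` would be parsed as options in this variant only. Use `rm -rf -- "${BOLT_PATH}"` and `rm -rf -- "${ENGINE_PATH}/"*` to match. The comments and log messages also differ between the two copies ("unsafe or empty" versus "invalid"); since the two entrypoints otherwise appear to change in lockstep, aligning them keeps later diffs between the files meaningful.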
@@ -321,7 +340,7 @@ function setup_influxd () {
 # Get the IDs of the initial user/org/bucket created during setup, and export them into the env.
 # We do this to help with arbitrary user scripts, since many influx CLI commands only take IDs.
 function set_init_resource_ids () {
-    DOCKER_INFLUXDB_INIT_USER_ID="$(influx user list -n "${DOCKER_INFLUXDB_INIT_USER}" --hide-headers | cut -f 1)"
+    DOCKER_INFLUXDB_INIT_USER_ID="$(influx user list -n "${DOCKER_INFLUXDB_INIT_USERNAME}" --hide-headers | cut -f 1)"
     DOCKER_INFLUXDB_INIT_ORG_ID="$(influx org list -n "${DOCKER_INFLUXDB_INIT_ORG}" --hide-headers | cut -f 1)"
     DOCKER_INFLUXDB_INIT_BUCKET_ID="$(influx bucket list -n "${DOCKER_INFLUXDB_INIT_BUCKET}" --hide-headers | cut -f 1)"
     export DOCKER_INFLUXDB_INIT_USER_ID DOCKER_INFLUXDB_INIT_ORG_ID DOCKER_INFLUXDB_INIT_BUCKET_ID
@@ -396,16 +415,14 @@ function init_influxd () {
     esac
 
     # Generate a config file with a known HTTP port, and TLS disabled.
+    # TLS keys are set to empty here and also overridden via env vars when
+    # launching influxd below, so explicit deletion is unnecessary.
     local -r init_config=/tmp/config.json
     (
-      dasel -r "${influxd_config_format}" -w json \
-        | dasel -r json put http-bind-address -v "${init_bind_addr}" \
-        `# insert "tls-cert" and "tls-key" so delete succeeds` \
-        | dasel -r json put tls-cert -v ''                     \
-        | dasel -r json put tls-key  -v ''                     \
-        `# delete "tls-cert" and "tls-key"` \
-        | dasel -r json delete tls-cert     \
-        | dasel -r json delete tls-key
+      dasel -i "${influxd_config_format}" -o json \
+        | dasel -i json -o json --root 'get("http-bind-address") = "'"${init_bind_addr}"'"' \
+        | dasel -i json -o json --root 'get("tls-cert") = ""' \
+        | dasel -i json -o json --root 'get("tls-key") = ""'
     ) <"${INFLUXD_CONFIG_PATH}" | tee "${init_config}"
 
     # Start influxd in the background.
@@ -490,7 +507,7 @@ function main () {
     fi
 
     if [ "$(id -u)" = 0 ]; then
-        exec gosu influxdb "$BASH_SOURCE" "${@}"
+        exec setpriv --reuid=influxdb --regid=influxdb --init-groups "$BASH_SOURCE" "${@}"
     fi
 
     # Run influxd.

Relevant Maintainers:
