From 1c1d5d69546b65ca359c68dff866df555c606f40 Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Wed, 3 Jul 2024 11:32:10 +0000 Subject: [PATCH] [bitnami/neo4j] Release 4.4.34-debian-12-r3 Signed-off-by: Bitnami Containers --- bitnami/neo4j/4/debian-12/Dockerfile | 4 +- .../rootfs/opt/bitnami/scripts/libneo4j.sh | 104 ++++++++++++------ .../rootfs/opt/bitnami/scripts/neo4j-env.sh | 15 ++- .../opt/bitnami/scripts/neo4j/entrypoint.sh | 6 + .../opt/bitnami/scripts/neo4j/postunpack.sh | 6 +- bitnami/neo4j/README.md | 32 +++--- 6 files changed, 118 insertions(+), 49 deletions(-) diff --git a/bitnami/neo4j/4/debian-12/Dockerfile b/bitnami/neo4j/4/debian-12/Dockerfile index 108b702a2aa57..c189c95af9639 100644 --- a/bitnami/neo4j/4/debian-12/Dockerfile +++ b/bitnami/neo4j/4/debian-12/Dockerfile @@ -8,11 +8,11 @@ ARG TARGETARCH LABEL com.vmware.cp.artifact.flavor="sha256:c50c90cfd9d12b445b011e6ad529f1ad3daea45c26d20b00732fae3cd71f6a83" \ org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \ - org.opencontainers.image.created="2024-06-29T14:38:17Z" \ + org.opencontainers.image.created="2024-07-03T11:01:34Z" \ org.opencontainers.image.description="Application packaged by Broadcom, Inc." \ org.opencontainers.image.documentation="https://github.com/bitnami/containers/tree/main/bitnami/neo4j/README.md" \ org.opencontainers.image.licenses="Apache-2.0" \ - org.opencontainers.image.ref.name="4.4.34-debian-12-r2" \ + org.opencontainers.image.ref.name="4.4.34-debian-12-r3" \ org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/neo4j" \ org.opencontainers.image.title="neo4j" \ org.opencontainers.image.vendor="Broadcom, Inc." \ diff --git a/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/libneo4j.sh b/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/libneo4j.sh index 55e6faaf1fb45..0efaefa98f545 100644 --- a/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/libneo4j.sh 
+++ b/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/libneo4j.sh @@ -169,6 +169,32 @@ neo4j_conf_set() { echo "$entry" >>"$file" fi } + +######################## +# Set the initial password of the native user 'neo4j' +# Globals: +# NEO4J_* +# Arguments: +# None +# Returns: +# None +######################### +neo4j_create_admin_user() { + ## Set initial password + ## Source: https://neo4j.com/docs/operations-manual/current/configuration/set-initial-password/ + info "Configuring initial password" + local -a neo4j_admin_args=("set-initial-password") + if [ "$(get_neo4j_major_version)" -ge 5 ]; then + neo4j_admin_args=("dbms" "set-initial-password") + fi + + if am_i_root; then + debug_execute run_as_user "$NEO4J_DAEMON_USER" neo4j-admin "${neo4j_admin_args[@]}" "$NEO4J_PASSWORD" + else + debug_execute neo4j-admin "${neo4j_admin_args[@]}" "$NEO4J_PASSWORD" + fi +} + ######################### # Initialize NEO4J # Globals: 
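Review bot: The new `neo4j_create_admin_user` ignores the exit status of `neo4j-admin set-initial-password`: if the command fails, the function still returns 0 and initialization continues, so the database would start with Neo4j's built-in default credentials instead of `NEO4J_PASSWORD`. Assuming `debug_execute` propagates the wrapped command's status, both calls should fail loudly, e.g. `debug_execute neo4j-admin "${neo4j_admin_args[@]}" "$NEO4J_PASSWORD" || { error "Unable to set the initial password"; return 1; }` (and the same on the `run_as_user` branch). The password is also passed as a command-line argument, so it is visible in the process table while the command runs and in any trace of the command; this is inherited from the moved code, but the header comment should state it, e.g. `# NOTE: the password is passed on the command line and is briefly visible to other processes`. The function body is complete within the hunk.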
@@ -183,24 +209,15 @@ neo4j_initialize() { ## The logic in this function is based on the sections here https://neo4j.com/docs/operations-manual/current/configuration/ info "Initializing Neo4j ..." - find "${NEO4J_TMP_DIR}" -type f -name "neo4j*.pid" -delete + find "${NEO4J_RUN_DIR}" -type f -name "neo4j*.pid" -delete find "${NEO4J_LOGS_DIR}" -type f -name "neo4j*.log" -delete - ## Configure permissions for read-write directories - ## Source: https://neo4j.com/docs/operations-manual/current/configuration/file-locations/#file-locations-permissions - info "Configuring file permissions for Neo4j" - if am_i_root; then - for dir in "$NEO4J_LOGS_DIR" "$NEO4J_DATA_DIR" "$NEO4J_TMP_DIR" "$NEO4J_METRICS_DIR"; do - configure_permissions_ownership "$dir" -u "$NEO4J_DAEMON_USER" -g "$NEO4J_DAEMON_GROUP" -d 755 -f 644 - done - fi - - if ! is_dir_empty "$NEO4J_MOUNTED_CONF_DIR"; then + if ! is_mounted_dir_empty "$NEO4J_MOUNTED_CONF_DIR"; then info "Copying mounted configuration" cp -Lr "${NEO4J_MOUNTED_CONF_DIR}/." "$NEO4J_CONF_DIR" fi - if ! is_dir_empty "$NEO4J_MOUNTED_PLUGINS_DIR"; then + if ! is_mounted_dir_empty "$NEO4J_MOUNTED_PLUGINS_DIR"; then info "Copying mounted plugins" cp -Lr "${NEO4J_MOUNTED_PLUGINS_DIR}/." "$NEO4J_PLUGINS_DIR" fi 
@@ -221,23 +238,28 @@ neo4j_initialize() { info "Found mounted apoc.conf file in ${NEO4J_MOUNTED_CONF_DIR}/apoc.conf. The APOC plugin configuration will be skipped" fi - if is_dir_empty "$NEO4J_DATA_DIR"; then + local -r app_name="neo4j" + if ! is_app_initialized "$app_name"; then info "Deploying Neo4j from scratch" - ## Set initial password - ## Source: https://neo4j.com/docs/operations-manual/current/configuration/set-initial-password/ - info "Configuring initial password" - local -a neo4j_admin_args=("set-initial-password") - if [ "$(get_neo4j_major_version)" -ge 5 ]; then - neo4j_admin_args=("dbms" "set-initial-password") - fi - if am_i_root; then - debug_execute run_as_user "$NEO4J_DAEMON_USER" neo4j-admin "${neo4j_admin_args[@]}" "$NEO4J_PASSWORD" - else - debug_execute neo4j-admin "${neo4j_admin_args[@]}" "$NEO4J_PASSWORD" - fi + neo4j_create_admin_user else info "Deploying Neo4j with persisted data" fi + + # When running as 'root' user, ensure the Neo4j user has ownership and minimum permissions are set + if am_i_root; then + info "Configuring file permissions for Neo4j" + ## Directories that should have read-only permissions + for dir in "$NEO4J_IMPORT_DIR" "${NEO4J_BASE_DIR}/lib" "$NEO4J_CERTIFICATES_DIR" "$NEO4J_MOUNTED_CONF_DIR" "$NEO4J_MOUNTED_PLUGINS_DIR" "$NEO4J_INITSCRIPTS_DIR" "$NEO4J_PLUGINS_DIR" "$NEO4J_CONF_DIR"; do + ensure_dir_exists "$dir" + configure_permissions_ownership "$dir" -u "$NEO4J_DAEMON_USER" -g "$NEO4J_DAEMON_GROUP" -d 500 -f 400 + done + ## Directories that should have write permissions + for dir in "$NEO4J_LOGS_DIR" "$NEO4J_DATA_DIR" "$NEO4J_RUN_DIR" "$NEO4J_METRICS_DIR"; do + ensure_dir_exists "$dir" + configure_permissions_ownership "$dir" -u "$NEO4J_DAEMON_USER" -g "$NEO4J_DAEMON_GROUP" -d 700 -f 600 + done + fi } ######################## 
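Review bot: The read-only loop chowns and chmods `$NEO4J_MOUNTED_CONF_DIR` and `$NEO4J_MOUNTED_PLUGINS_DIR` to the daemon user with 500/400, and `ensure_dir_exists` creates them if absent; these are user-supplied bind mounts, so the container rewrites ownership and strips the host user's write access on files it only needs to read, and the earlier hunk of this function has already copied their contents into `NEO4J_CONF_DIR` and `NEO4J_PLUGINS_DIR`. I would drop the two mounted directories from that list, i.e. `for dir in "$NEO4J_IMPORT_DIR" "${NEO4J_BASE_DIR}/lib" "$NEO4J_CERTIFICATES_DIR" "$NEO4J_INITSCRIPTS_DIR" "$NEO4J_PLUGINS_DIR" "$NEO4J_CONF_DIR"; do`. `dir` should also be declared `local` in both loops, since this is library code sourced into other scripts. `neo4j_initialize` starts outside this hunk.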
@@ -304,20 +326,40 @@ configure_neo4j_connector_settings() { if [ "$neo4j_major_version" -eq 4 ]; then ## Connector configuration ## Source: https://neo4j.com/docs/operations-manual/current/configuration/connectors/ + # Listen address configuration settings neo4j_conf_set "dbms.default_listen_address" "$NEO4J_BIND_ADDRESS" - neo4j_conf_set "dbms.connector.bolt.advertised_address" ":${NEO4J_BOLT_PORT_NUMBER}" - neo4j_conf_set "dbms.connector.http.advertised_address" ":${NEO4J_HTTP_PORT_NUMBER}" - neo4j_conf_set "dbms.connector.https.advertised_address" ":${NEO4J_HTTPS_PORT_NUMBER}" + neo4j_conf_set "dbms.connector.bolt.listen_address" ":${NEO4J_BOLT_PORT_NUMBER}" + neo4j_conf_set "dbms.connector.http.listen_address" ":${NEO4J_HTTP_PORT_NUMBER}" + neo4j_conf_set "dbms.connector.https.listen_address" ":${NEO4J_HTTPS_PORT_NUMBER}" + # Advertised address configuration settings neo4j_conf_set "dbms.default_advertised_address" "$host" + neo4j_conf_set "dbms.connector.bolt.advertised_address" ":${NEO4J_BOLT_ADVERTISED_PORT_NUMBER}" + neo4j_conf_set "dbms.connector.http.advertised_address" ":${NEO4J_HTTP_ADVERTISED_PORT_NUMBER}" + neo4j_conf_set "dbms.connector.https.advertised_address" ":${NEO4J_HTTPS_ADVERTISED_PORT_NUMBER}" + # TLS settings + neo4j_conf_set "dbms.connector.bolt.tls_level" "${NEO4J_BOLT_TLS_LEVEL}" + [[ "$NEO4J_BOLT_TLS_LEVEL" == "REQUIRED" || "$NEO4J_BOLT_TLS_LEVEL" == "OPTIONAL" ]] && neo4j_conf_set "dbms.ssl.policy.bolt.enabled" "true" + neo4j_conf_set "dbms.connector.https.enabled" "${NEO4J_HTTPS_ENABLED}" + neo4j_conf_set "dbms.ssl.policy.https.enabled" "${NEO4J_HTTPS_ENABLED}" ## Upgrade configuration (This is for allowing automatic schema upgrades) ## Source: https://neo4j.com/docs/upgrade-migration-guide/current/upgrade/upgrade-4.3/deployment-upgrading/ neo4j_conf_set "dbms.allow_upgrade" "$NEO4J_ALLOW_UPGRADE" elif [ "$neo4j_major_version" -ge 5 ]; then + # Listen address configuration settings neo4j_conf_set "server.default_listen_address" 
"$NEO4J_BIND_ADDRESS" - neo4j_conf_set "server.bolt.advertised_address" ":${NEO4J_BOLT_PORT_NUMBER}" - neo4j_conf_set "server.http.advertised_address" ":${NEO4J_HTTP_PORT_NUMBER}" - neo4j_conf_set "server.https.advertised_address" ":${NEO4J_HTTPS_PORT_NUMBER}" + neo4j_conf_set "server.bolt.listen_address" ":${NEO4J_BOLT_PORT_NUMBER}" + neo4j_conf_set "server.http.listen_address" ":${NEO4J_HTTP_PORT_NUMBER}" + neo4j_conf_set "server.https.listen_address" ":${NEO4J_HTTPS_PORT_NUMBER}" + # Advertised address configuration settings neo4j_conf_set "server.default_advertised_address" "$host" + neo4j_conf_set "server.bolt.advertised_address" ":${NEO4J_BOLT_ADVERTISED_PORT_NUMBER}" + neo4j_conf_set "server.http.advertised_address" ":${NEO4J_HTTP_ADVERTISED_PORT_NUMBER}" + neo4j_conf_set "server.https.advertised_address" ":${NEO4J_HTTPS_ADVERTISED_PORT_NUMBER}" + # TLS settings + neo4j_conf_set "server.bolt.tls_level" "${NEO4J_BOLT_TLS_LEVEL}" + [[ "$NEO4J_BOLT_TLS_LEVEL" == "REQUIRED" || "$NEO4J_BOLT_TLS_LEVEL" == "OPTIONAL" ]] && neo4j_conf_set "dbms.ssl.policy.bolt.enabled" "true" + neo4j_conf_set "server.https.enabled" "${NEO4J_HTTPS_ENABLED}" + neo4j_conf_set "dbms.ssl.policy.https.enabled" "${NEO4J_HTTPS_ENABLED}" else error "Neo4j branch ${neo4j_major_version} not supported" fi diff --git a/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j-env.sh b/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j-env.sh index 45d3f80d1fd1f..0283642b225a0 100644 --- a/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j-env.sh +++ b/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j-env.sh @@ -33,6 +33,11 @@ neo4j_env_vars=( NEO4J_BOLT_PORT_NUMBER NEO4J_HTTP_PORT_NUMBER NEO4J_HTTPS_PORT_NUMBER + NEO4J_BOLT_ADVERTISED_PORT_NUMBER + NEO4J_HTTP_ADVERTISED_PORT_NUMBER + NEO4J_HTTPS_ADVERTISED_PORT_NUMBER + NEO4J_HTTPS_ENABLED + NEO4J_BOLT_TLS_LEVEL ) for env_var in "${neo4j_env_vars[@]}"; do file_env_var="${env_var}_FILE" 
@@ -51,11 +56,12 @@ unset neo4j_env_vars export NEO4J_BASE_DIR="${BITNAMI_ROOT_DIR}/neo4j" export NEO4J_VOLUME_DIR="/bitnami/neo4j" export NEO4J_DATA_DIR="$NEO4J_VOLUME_DIR/data" -export NEO4J_TMP_DIR="${NEO4J_BASE_DIR}/run" +export NEO4J_RUN_DIR="${NEO4J_BASE_DIR}/run" export NEO4J_LOGS_DIR="${NEO4J_BASE_DIR}/logs" export NEO4J_LOG_FILE="${NEO4J_LOGS_DIR}/neo4j.log" -export NEO4J_PID_FILE="${NEO4J_TMP_DIR}/neo4j.pid" +export NEO4J_PID_FILE="${NEO4J_RUN_DIR}/neo4j.pid" export NEO4J_CONF_DIR="${NEO4J_BASE_DIR}/conf" +export NEO4J_DEFAULT_CONF_DIR="${NEO4J_BASE_DIR}/conf.default" export NEO4J_PLUGINS_DIR="${NEO4J_BASE_DIR}/plugins" export NEO4J_METRICS_DIR="${NEO4J_VOLUME_DIR}/metrics" export NEO4J_CERTIFICATES_DIR="${NEO4J_VOLUME_DIR}/certificates" @@ -84,6 +90,11 @@ export NEO4J_APOC_IMPORT_FILE_USE_NEO4J_CONFIG="${NEO4J_APOC_IMPORT_FILE_USE_NEO export NEO4J_BOLT_PORT_NUMBER="${NEO4J_BOLT_PORT_NUMBER:-7687}" export NEO4J_HTTP_PORT_NUMBER="${NEO4J_HTTP_PORT_NUMBER:-7474}" export NEO4J_HTTPS_PORT_NUMBER="${NEO4J_HTTPS_PORT_NUMBER:-7473}" +export NEO4J_BOLT_ADVERTISED_PORT_NUMBER="${NEO4J_BOLT_ADVERTISED_PORT_NUMBER:-$NEO4J_BOLT_PORT_NUMBER}" +export NEO4J_HTTP_ADVERTISED_PORT_NUMBER="${NEO4J_HTTP_ADVERTISED_PORT_NUMBER:-$NEO4J_HTTP_PORT_NUMBER}" +export NEO4J_HTTPS_ADVERTISED_PORT_NUMBER="${NEO4J_HTTPS_ADVERTISED_PORT_NUMBER:-$NEO4J_HTTPS_PORT_NUMBER}" +export NEO4J_HTTPS_ENABLED="${NEO4J_HTTPS_ENABLED:-false}" +export NEO4J_BOLT_TLS_LEVEL="${NEO4J_BOLT_TLS_LEVEL:-DISABLED}" # Default JVM configuration export JAVA_HOME="${BITNAMI_ROOT_DIR}/java" diff --git a/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j/entrypoint.sh b/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j/entrypoint.sh index 12dd1f1096df4..cd27d9f157d8b 100755 --- a/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j/entrypoint.sh +++ b/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j/entrypoint.sh 
@@ -18,6 +18,12 @@ set -o pipefail print_welcome_page +# We add the copy from default config in the entrypoint to not break users +# bypassing the setup.sh logic. If the file already exists do not overwrite (in +# case someone mounts a configuration file in /opt/bitnami/neo4j/config) +debug "Copying files from $NEO4J_DEFAULT_CONF_DIR to $NEO4J_CONF_DIR" +cp -nr "$NEO4J_DEFAULT_CONF_DIR"/. "$NEO4J_CONF_DIR" + if [[ "$1" = "/opt/bitnami/scripts/neo4j/run.sh" ]]; then /opt/bitnami/scripts/neo4j/setup.sh info "** Neo4j setup finished! **" diff --git a/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j/postunpack.sh b/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j/postunpack.sh index b237cd2d981fd..2a596f9b11591 100755 --- a/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j/postunpack.sh +++ b/bitnami/neo4j/4/debian-12/rootfs/opt/bitnami/scripts/neo4j/postunpack.sh @@ -34,7 +34,7 @@ done ## Directories that should have write permissions ## NOTE: We need the configuration and plugins folder to have write permissions to create or import the configuration file -for dir in "$NEO4J_CONF_DIR" "$NEO4J_PLUGINS_DIR" "$NEO4J_LOGS_DIR" "$NEO4J_DATA_DIR" "$NEO4J_TMP_DIR" "$NEO4J_METRICS_DIR"; do +for dir in "$NEO4J_CONF_DIR" "$NEO4J_DEFAULT_CONF_DIR" "$NEO4J_PLUGINS_DIR" "$NEO4J_LOGS_DIR" "$NEO4J_DATA_DIR" "$NEO4J_RUN_DIR" "$NEO4J_METRICS_DIR"; do ensure_dir_exists "$dir" configure_permissions_ownership "$dir" -u "root" -g "root" -d 775 -f 664 done 
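Review bot: The new comment points users at `/opt/bitnami/neo4j/config`, but `NEO4J_CONF_DIR` is `${NEO4J_BASE_DIR}/conf` (see the neo4j-env.sh hunk in this patch), so the hint names a path the scripts never read; `# case someone mounts a configuration file in /opt/bitnami/neo4j/conf)`. The copy also runs unconditionally, before the `run.sh` check, so it happens for any command passed to the container; that appears intended from the comment, but it would be clearer to say so explicitly. `cp -n` is a GNU extension whose exit status when a destination already exists has changed in at least one coreutils release, so if errexit is enabled earlier in this script a skipped file could abort the entrypoint on a different base image — worth a short comment or an explicit per-file existence test rather than relying on `-n` alone.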
@@ -64,3 +64,7 @@ configure_permissions_ownership "$NEO4J_APOC_CONF_FILE" -u "root" -g "root" -f 6 ## Create a hidden directory where the cypher-shell executable can write cache and history data ensure_dir_exists "$NEO4J_BASE_DIR/.home" configure_permissions_ownership "$NEO4J_BASE_DIR/.home" -u "root" -g "root" -d 775 + +# Copy all initially generated configuration files to the default directory +# (this is to avoid breaking when entrypoint is being overridden) +cp -r "$NEO4J_CONF_DIR"/* "$NEO4J_DEFAULT_CONF_DIR" diff --git a/bitnami/neo4j/README.md b/bitnami/neo4j/README.md index 4adc610091ba3..c1fc1d49f8bcc 100644 --- a/bitnami/neo4j/README.md +++ b/bitnami/neo4j/README.md 
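Review bot: `cp -r "$NEO4J_CONF_DIR"/* "$NEO4J_DEFAULT_CONF_DIR"` skips dotfiles and fails outright if the directory is empty (the unexpanded `*` is passed to cp), whereas the entrypoint hunk in this patch copies the same tree with the `/.` form; use the same form here, `cp -r "$NEO4J_CONF_DIR"/. "$NEO4J_DEFAULT_CONF_DIR"`. The copy also runs after the permissions loop near the top of this file (the `@@ -34,7` hunk), so the snapshot files keep umask-derived modes rather than the 664 applied there; if the 775/664 scheme exists for arbitrary-uid runtimes, either move the copy before the loop or re-run `configure_permissions_ownership` on `$NEO4J_DEFAULT_CONF_DIR` afterwards. I cannot see the top of this script, so the ordering claim is based only on the line numbers in the hunk headers.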
@@ -140,17 +140,22 @@ docker-compose up -d #### Customizable environment variables -| Name | Description | Default Value | -|-------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|---------------| -| `NEO4J_HOST` | Hostname used to configure Neo4j advertised address. It can be either an IP or a domain. If left empty, it will be resolved to the machine IP | `nil` | -| `NEO4J_BIND_ADDRESS` | Neo4j bind address | `0.0.0.0` | -| `NEO4J_ALLOW_UPGRADE` | Allow automatic schema upgrades | `true` | -| `NEO4J_PASSWORD` | Neo4j password. | `bitnami1` | -| `NEO4J_APOC_IMPORT_FILE_ENABLED` | Allow importing files using the apoc library | `true` | -| `NEO4J_APOC_IMPORT_FILE_USE_NEO4J_CONFIG` | Use neo4j configuration with the apoc library | `false` | -| `NEO4J_BOLT_PORT_NUMBER` | Port used for the bolt protocol. | `7687` | -| `NEO4J_HTTP_PORT_NUMBER` | Port used for the http protocol. | `7474` | -| `NEO4J_HTTPS_PORT_NUMBER` | Port used for the https protocol. | `7473` | +| Name | Description | Default Value | +|-------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------| +| `NEO4J_HOST` | Hostname used to configure Neo4j advertised address. It can be either an IP or a domain. If left empty, it will be resolved to the machine IP | `nil` | +| `NEO4J_BIND_ADDRESS` | Neo4j bind address | `0.0.0.0` | +| `NEO4J_ALLOW_UPGRADE` | Allow automatic schema upgrades | `true` | +| `NEO4J_PASSWORD` | Neo4j password. | `bitnami1` | +| `NEO4J_APOC_IMPORT_FILE_ENABLED` | Allow importing files using the apoc library | `true` | +| `NEO4J_APOC_IMPORT_FILE_USE_NEO4J_CONFIG` | Use neo4j configuration with the apoc library | `false` | +| `NEO4J_BOLT_PORT_NUMBER` | Port used for the bolt protocol. 
| `7687` | +| `NEO4J_HTTP_PORT_NUMBER` | Port used for the http protocol. | `7474` | +| `NEO4J_HTTPS_PORT_NUMBER` | Port used for the https protocol. | `7473` | +| `NEO4J_BOLT_ADVERTISED_PORT_NUMBER` | Advertised port for the bolt protocol. | `$NEO4J_BOLT_PORT_NUMBER` | +| `NEO4J_HTTP_ADVERTISED_PORT_NUMBER` | Advertised port for the http protocol. | `$NEO4J_HTTP_PORT_NUMBER` | +| `NEO4J_HTTPS_ADVERTISED_PORT_NUMBER` | Advertised port for the https protocol. | `$NEO4J_HTTPS_PORT_NUMBER` | +| `NEO4J_HTTPS_ENABLED` | Enables the HTTPS connector. | `false` | +| `NEO4J_BOLT_TLS_LEVEL` | The encryption level to be used to secure communications with Bolt connector. Allowed values: REQUIRED, OPTIONAL, DISABLED | `DISABLED` | #### Read-only environment variables @@ -159,11 +164,12 @@ docker-compose up -d | `NEO4J_BASE_DIR` | Neo4j installation directory. | `${BITNAMI_ROOT_DIR}/neo4j` | | `NEO4J_VOLUME_DIR` | Neo4j volume directory. | `/bitnami/neo4j` | | `NEO4J_DATA_DIR` | Neo4j volume directory. | `$NEO4J_VOLUME_DIR/data` | -| `NEO4J_TMP_DIR` | Neo4j temp directory. | `${NEO4J_BASE_DIR}/run` | +| `NEO4J_RUN_DIR` | Neo4j temp directory. | `${NEO4J_BASE_DIR}/run` | | `NEO4J_LOGS_DIR` | Neo4j logs directory. | `${NEO4J_BASE_DIR}/logs` | | `NEO4J_LOG_FILE` | Neo4j log file. | `${NEO4J_LOGS_DIR}/neo4j.log` | -| `NEO4J_PID_FILE` | Neo4j PID file. | `${NEO4J_TMP_DIR}/neo4j.pid` | +| `NEO4J_PID_FILE` | Neo4j PID file. | `${NEO4J_RUN_DIR}/neo4j.pid` | | `NEO4J_CONF_DIR` | Configuration dir for Neo4j. | `${NEO4J_BASE_DIR}/conf` | +| `NEO4J_DEFAULT_CONF_DIR` | Neo4j default configuration directory. | `${NEO4J_BASE_DIR}/conf.default` | | `NEO4J_PLUGINS_DIR` | Plugins dir for Neo4j. | `${NEO4J_BASE_DIR}/plugins` | | `NEO4J_METRICS_DIR` | Metrics dir for Neo4j. | `${NEO4J_VOLUME_DIR}/metrics` | | `NEO4J_CERTIFICATES_DIR` | Certificates dir for Neo4j. | `${NEO4J_VOLUME_DIR}/certificates` |