From 86c85825ee62a7f38385d12b15f6720ebce78297 Mon Sep 17 00:00:00 2001
From: Mike Bonnet <mikeb@redhat.com>
Date: Nov 01 2019 19:04:36 +0000
Subject: update container base images to Fedora 31


Also update the uid management in the frontend image to be more consistent with
best practices, as demonstrated by:

https://github.com/RHsyseng/container-rhel-examples/tree/master/starter-arbitrary-uid

This allows the dependency on nss_wrapper to be dropped.

---

diff --git a/Vagrantfile b/Vagrantfile
index 07c24a5..fe005fb 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -130,7 +130,7 @@ $script_services = <<SCRIPT_SERVICES
 SCRIPT_SERVICES
 
 Vagrant.configure("2") do |config|
-  config.vm.box = "fedora/29-cloud-base"
+  config.vm.box = "fedora/31-cloud-base"
   config.vm.synced_folder "./", "/opt/module_build_service"
   # Disable the default share
   config.vm.synced_folder ".", "/vagrant", disabled: true
diff --git a/docker/Dockerfile-tests-py3 b/docker/Dockerfile-tests-py3
index 610284d..4527125 100644
--- a/docker/Dockerfile-tests-py3
+++ b/docker/Dockerfile-tests-py3
@@ -1,4 +1,4 @@
-FROM fedora:29
+FROM fedora:31
 
 WORKDIR /build
 RUN dnf -y install \
diff --git a/openshift/backend/Dockerfile b/openshift/backend/Dockerfile
index 28a29ae..f276680 100644
--- a/openshift/backend/Dockerfile
+++ b/openshift/backend/Dockerfile
@@ -1,4 +1,4 @@
-FROM fedora:29 AS builder
+FROM fedora:31 AS builder
 
 ARG EXTRA_RPMS=""
 ARG GIT_REPO=""
@@ -24,7 +24,7 @@ RUN flake8 && \
     tox -v -e py3
 
 
-FROM fedora:29
+FROM fedora:31
 LABEL \
     org.opencontainers.image.title="Backend for the Module Build Service (MBS)" \
     org.opencontainers.image.description="The MBS coordinates module builds. This image is to serve as the MBS backend." \
@@ -42,13 +42,10 @@ LABEL \
 COPY --from=builder /srv/RPMS /srv/RPMS
 COPY repos/ /etc/yum.repos.d/
 
-# TODO: Unpin the `python3-libmodulemd` RPM once MBS is released with libmodulemd v2
 RUN $DNF_CMD install \
       python3-psycopg2 \
-      python3-docopt \
       python3-service-identity \
       /srv/*/*/*.rpm \
-      python3-libmodulemd \
       $EXTRA_RPMS && \
     $DNF_CMD clean all && \
     rm -rf /srv/RPMS
diff --git a/openshift/frontend/Dockerfile b/openshift/frontend/Dockerfile
index 94358b1..3e80d5d 100644
--- a/openshift/frontend/Dockerfile
+++ b/openshift/frontend/Dockerfile
@@ -25,10 +25,11 @@ LABEL \
 USER root
 
 RUN $DNF_CMD install \
-      nss_wrapper httpd mod_ssl mod_auth_gssapi python3-mod_wsgi && \
+      httpd mod_ssl mod_auth_gssapi python3-mod_wsgi && \
     $DNF_CMD clean all
 
 RUN chmod a+rwx /run/httpd && \
+    chmod a+rw /etc/passwd && \
     sed -i -r -e 's!Listen 80!Listen 8080!' \
               -e 's!^User apache!User default!' \
               -e 's!^Group apache!Group root!' \
@@ -45,10 +46,11 @@ RUN chmod a+rwx /run/httpd && \
               -e 's!^#(SSLCertificateChainFile)\s+\S+!\1 /etc/mbs-certs/frontendca.crt!' \
         /etc/httpd/conf.d/ssl.conf
 
-COPY openshift/frontend/run-httpd /usr/bin
+COPY openshift/frontend/run /usr/bin
 
 USER 1001
 
 VOLUME ["/etc/module-build-service", "/etc/fedmsg.d", "/etc/mbs-certs", "/etc/httpd/conf.d"]
 EXPOSE 8080/tcp 8443/tcp
-CMD ["/usr/bin/run-httpd"]
+ENTRYPOINT ["/usr/bin/run"]
+CMD ["httpd", "-D", "FOREGROUND"]
diff --git a/openshift/frontend/run b/openshift/frontend/run
new file mode 100755
index 0000000..6b3d8de
--- /dev/null
+++ b/openshift/frontend/run
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# OpenShift containers run as a user with a random uid. That uid does not appear
+# in /etc/passwd, causing any attempts to look up the username associated with
+# that uid to fail. This script appends an entry to /etc/passwd for the
+# "default" user, using the current uid and gid.
+
+if ! whoami &> /dev/null; then
+  if [ -w /etc/passwd ]; then
+    echo "${USER_NAME:-default}:x:$(id -u):$(id -g):${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+  fi
+fi
+
+exec "$@"
diff --git a/openshift/frontend/run-httpd b/openshift/frontend/run-httpd
deleted file mode 100755
index 184684a..0000000
--- a/openshift/frontend/run-httpd
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-# OpenShift containers run as a user with a random uid, which does not appear in
-# /etc/passwd. httpd tries to look up the uid for the user it is running as
-# (default in this case), and will exit if it cannot find that user in
-# /etc/passwd. This script copies /etc/passwd to /tmp to make it writable, and
-# appends an entry to /etc/passwd for the "default" user, using the current uid
-# and gid. It then uses libnss_wrapper.so to redirect references from
-# /etc/passwd to our modified file in /tmp, so httpd can run as "default".
-
-export USER_ID=$(id -u)
-export GROUP_ID=$(id -g)
-
-cp /etc/passwd /tmp/passwd
-cat >> /tmp/passwd <<EOF
-default:x:${USER_ID}:${GROUP_ID}:Default Application User:${HOME}:/sbin/nologin
-EOF
-
-export LD_PRELOAD=libnss_wrapper.so
-export NSS_WRAPPER_PASSWD=/tmp/passwd
-export NSS_WRAPPER_GROUP=/etc/group
-
-exec httpd -D FOREGROUND $@
diff --git a/openshift/integration/koji/containers/jenkins-slave/Dockerfile b/openshift/integration/koji/containers/jenkins-slave/Dockerfile
index f216f24..ae8666f 100644
--- a/openshift/integration/koji/containers/jenkins-slave/Dockerfile
+++ b/openshift/integration/koji/containers/jenkins-slave/Dockerfile
@@ -2,7 +2,7 @@
 # https://github.com/jenkinsci/docker-jnlp-slave/blob/master/Dockerfile
 # https://github.com/jenkinsci/docker-slave/blob/master/Dockerfile
 
-FROM fedora:29
+FROM fedora:31
 LABEL \
     org.opencontainers.image.title="Jenkins slave for Module Build Service (MBS) pipelines" \
     org.opencontainers.image.description="The MBS coordinates module builds. This image is to serve as the slave for executing build and test pipelines." \
@@ -15,8 +15,8 @@ LABEL \
 
 ARG USER=jenkins
 ARG UID=10000
-ARG HOME_DIR=/var/lib/jenkins
-ARG SLAVE_VERSION=3.29
+ARG HOME_DIR=/home/jenkins
+ARG REMOTING_VERSION=3.35
 ARG TINI_VERSION=0.18.0
 ARG DNF_CMD="dnf -y --setopt=deltarpm=0 --setopt=install_weak_deps=false --setopt=tsflags=nodocs"
 ARG CA_URLS=""
@@ -56,7 +56,7 @@ RUN chmod g+rw /etc/passwd
 
 # Retrieve jenkins slave client
 RUN curl --create-dirs -sSLo /usr/share/jenkins/slave.jar \
-    https://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting/${SLAVE_VERSION}/remoting-${SLAVE_VERSION}.jar && \
+    https://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting/${REMOTING_VERSION}/remoting-${REMOTING_VERSION}.jar && \
     chmod 755 /usr/share/jenkins && \
     chmod 644 /usr/share/jenkins/slave.jar
 
diff --git a/openshift/integration/koji/pipelines/jobs/mbs-postmerge.env b/openshift/integration/koji/pipelines/jobs/mbs-postmerge.env
index 352a9cb..f27e694 100644
--- a/openshift/integration/koji/pipelines/jobs/mbs-postmerge.env
+++ b/openshift/integration/koji/pipelines/jobs/mbs-postmerge.env
@@ -1,4 +1,4 @@
 NAME=mbs-postmerge
-EXTRA_REPOS=https://copr.fedorainfracloud.org/coprs/mikeb/mbs-messaging-umb/repo/fedora-29/mikeb-mbs-messaging-umb-fedora-29.repo
+EXTRA_REPOS=https://copr.fedorainfracloud.org/coprs/mikeb/mbs-messaging-umb/repo/fedora-31/mikeb-mbs-messaging-umb-fedora-31.repo
 EXTRA_RPMS=mbs-messaging-umb
 MAIL_ADDRESS=pnt-factory2-alerts@redhat.com
diff --git a/openshift/integration/koji/pipelines/jobs/mbs-premerge.env b/openshift/integration/koji/pipelines/jobs/mbs-premerge.env
index 010cab0..82f0ca6 100644
--- a/openshift/integration/koji/pipelines/jobs/mbs-premerge.env
+++ b/openshift/integration/koji/pipelines/jobs/mbs-premerge.env
@@ -1,4 +1,4 @@
 NAME=mbs-premerge
-EXTRA_REPOS=https://copr.fedorainfracloud.org/coprs/mikeb/mbs-messaging-umb/repo/fedora-29/mikeb-mbs-messaging-umb-fedora-29.repo
+EXTRA_REPOS=https://copr.fedorainfracloud.org/coprs/mikeb/mbs-messaging-umb/repo/fedora-31/mikeb-mbs-messaging-umb-fedora-31.repo
 EXTRA_RPMS=mbs-messaging-umb
 MAIL_ADDRESS=pnt-factory2-alerts@redhat.com