
Docker TomEE base image 3.0.0

Frédéric Hannes
R&D Engineer

Version 3 of the nsx-tomee-base Docker image is now available. This version introduces (experimental) support for rootless containers, as well as some minor breaking changes.

Rootless

New images have been added for running rootless containers. They add a dedicated tomee user, which executes the TomEE application server instead of the root user. Not running the container process as root reduces the risk to the host system if the application is compromised. All existing images are also available in a rootless variant, under tags with the -rootless suffix.

Data volume

The image now pre-defines a volume at the /data path for applications to write files to. Because the volume is declared in the image, it is created even when the container deployment does not define it explicitly, so any files stored there always end up in a persistent volume rather than in the container's writable layer.

Scripts moved

Previously all of the image's built-in scripts were stored in the /tmp folder. Though this was not ideal, we kept it for consistency and backwards compatibility. With this major version we have moved those scripts to a new location in /scripts. Symlinks remain at the old /tmp paths in case they are still called.

Migration guide

Moving scripts

In most cases, the move from /tmp to /scripts has no impact; the exception is scripts that were overridden in derived images.

  • /tmp/wrapper.sh was moved to /scripts/wrapper.sh:
    • If /tmp/wrapper.sh was overwritten in a derived image, its target location should be updated to /scripts/wrapper.sh.
    • There is still a symlink at /tmp/wrapper.sh to /scripts/wrapper.sh in case this file was called from another script, but ideally all of these calls are updated.
  • /tmp/health-check.sh was moved to /scripts/health-check.sh:
    • If /tmp/health-check.sh was overwritten in a derived image, its target location should be updated to /scripts/health-check.sh.
    • There is still a symlink at /tmp/health-check.sh to /scripts/health-check.sh in case this file was called from another script, but ideally all of these calls are updated.
  • Calling location for /tmp/pre-shutdown-script.sh was moved to /scripts/pre-shutdown-script.sh:
    • If /tmp/pre-shutdown-script.sh was added in a derived image, its target location should be updated to /scripts/pre-shutdown-script.sh.
    • The script at /tmp/pre-shutdown-script.sh is still called if it exists, but ideally the script is moved.
  • Calling location for /tmp/post-shutdown-script.sh was moved to /scripts/post-shutdown-script.sh:
    • If /tmp/post-shutdown-script.sh was added in a derived image, its target location should be updated to /scripts/post-shutdown-script.sh.
    • The script at /tmp/post-shutdown-script.sh is still called if it exists, but ideally the script is moved.
  • Derived images typically add a prepare.sh script that is executed prior to the entrypoint. This script used to be placed in the /tmp directory for consistency. It should also be moved to /scripts for consistency, but retaining its current location does not change behavior.
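To find which of these paths a derived image still uses, the following added example (not part of the nsx-tomee-base image or its tooling) scans a Dockerfile or shell script for references to the five /tmp script locations listed above and prints the /scripts replacement for each. The sample Dockerfile it scans is constructed here, and the base image tag form in it is assumed.

```shell
#!/bin/sh
# Added example: lint a Dockerfile or script for legacy /tmp script paths that
# moved to /scripts in nsx-tomee-base 3.0.0. Not project code.

# Script names documented as moved (or recommended to move) in the release notes.
LEGACY_SCRIPTS="wrapper.sh health-check.sh pre-shutdown-script.sh post-shutdown-script.sh prepare.sh"

# find_legacy_script_refs FILE
# Prints "LINENO: /tmp/NAME -> /scripts/NAME" once per legacy reference found.
# Returns 0 when the file is clean, 1 when at least one reference was found.
find_legacy_script_refs() {
  file=$1
  found=0
  lineno=0
  # The "|| [ -n "$line" ]" keeps a final line without a trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    for name in $LEGACY_SCRIPTS; do
      case $line in
        *"/tmp/$name"*)
          printf '%s: /tmp/%s -> /scripts/%s\n' "$lineno" "$name" "$name"
          found=1
          ;;
      esac
    done
  done < "$file"
  [ "$found" -eq 0 ]
}

# count_legacy_script_refs FILE: number of legacy references (handy in CI).
count_legacy_script_refs() {
  find_legacy_script_refs "$1" | wc -l | tr -d ' '
}

# Constructed sample Dockerfile for demonstration; the FROM tag form is assumed.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
FROM nsx-tomee-base:3.0.0-rootless
USER root
COPY --chmod=755 prepare.sh /tmp/prepare.sh
COPY --chmod=755 health-check.sh /tmp/health-check.sh
COPY --chmod=755 wrapper.sh /scripts/wrapper.sh
USER tomee
EOF
find_legacy_script_refs "$SAMPLE" || echo "legacy references found; update them to /scripts"
rm -f "$SAMPLE"
```

Run it over every Dockerfile and shell script in the derived image's build context; a non-zero exit from find_legacy_script_refs is a convenient gate in a build pipeline.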

Switching to rootless

This migration is not required at this time, but for any existing application that is migrated, the following points should be taken into account.

Adding prepare script

The base image is provided with the tomee user already active. All scripts under /scripts are still owned by the root user, so it is necessary to switch back to the root user temporarily to add the script. The script should stay root-owned, and the tomee user and group must not be able to write to it.

Example (Dockerfile adding prepare.sh):
USER root

COPY --chmod=755 prepare.sh /scripts/prepare.sh
RUN dos2unix /scripts/prepare.sh

USER tomee

Adding additional packages

The base image is provided with the tomee user already active. It is necessary to switch back to the root user temporarily to install additional packages.

Example (Dockerfile):
USER root

RUN apt-get update && apt-get install -y sl && rm -rf /var/lib/apt/lists/*

USER tomee

Updating permissions

All locations and files that the application has to read or write must be accessible to it. Typically these should be owned by the tomee user, so the ownership of existing paths should be updated.

Example

Executed in the container:

chown -R tomee:tomee /my/volume/path

Executed on the host:

chown -R 10000:10001 /var/lib/docker/volumes/myvolume/_data
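Both commands set the same numeric owner, since the container and the host only differ in which name (if any) maps to uid 10000 and gid 10001. The following added example (not part of the image) audits a tree for entries that are not owned by those ids so the chown can be verified, on the host or inside the container, before the application is started rootless. The function names and the temporary sample tree are constructed for the example.

```shell
#!/bin/sh
# Added example: verify that a path tree is owned by the tomee user before
# running the container rootless. Not project code.
# 10000:10001 are the uid:gid the release notes use for the tomee user.
TOMEE_UID=10000
TOMEE_GID=10001

# list_wrong_owner DIR [UID] [GID]
# Prints every entry under DIR (DIR itself included) whose owner or group is
# not the expected numeric id. -uid/-gid are supported by GNU and BSD find and
# compare numeric ids, so they work whether or not the id has a name here.
list_wrong_owner() {
  find "$1" \( ! -uid "${2:-$TOMEE_UID}" -o ! -gid "${3:-$TOMEE_GID}" \) -print
}

# count_wrong_owner DIR [UID] [GID]: number of mis-owned entries.
count_wrong_owner() {
  list_wrong_owner "$@" | wc -l | tr -d ' '
}

# check_owner DIR [UID] [GID]: returns 0 when the whole tree is owned as
# expected, 1 otherwise (usable as a gate in a deploy script).
check_owner() {
  [ "$(count_wrong_owner "$@")" -eq 0 ]
}

# Constructed demonstration tree (owned by whoever runs this script).
DEMO=$(mktemp -d)
mkdir "$DEMO/conf"
: > "$DEMO/conf/app.properties"

if check_owner "$DEMO"; then
  echo "$DEMO is fully owned by $TOMEE_UID:$TOMEE_GID"
else
  echo "entries under $DEMO not owned by $TOMEE_UID:$TOMEE_GID:"
  list_wrong_owner "$DEMO"
  echo "fix with: chown -R $TOMEE_UID:$TOMEE_GID $DEMO"
fi
rm -rf "$DEMO"
```

Run check_owner against each volume path (on the host, the _data directory of the volume; in the container, the mount point) and only start the rootless container once it returns 0; a non-empty list usually means a file created earlier by a root-running version of the image.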

TomEE builder

Any images that are built with a builder stage using the nsx-tomee-builder image should be updated to version 1.2.0 and use the new rootless variant. While the builder image is not rootless itself, it sets the correct owner on the /workspace/base folder, so its contents can be copied into the rootless image without any other changes.

Example
# Prebuild stage
FROM docker.normalizedsystems.org/nsx-tomee-builder:1.2.0-rootless AS builder