java 25 and ssl cipher updates (#163)

* testing java 25 updates

* remove cipher settings that are included in jar with 26.1

* add check for env var AWS_ACCESS_KEY_ID before running aws commands

Author: labkey-willm

Dockerfile

@@ -1,9 +1,9 @@
 # main eclipse-temurin jre, which is debian-based
 ARG FROM_REPO_IMAGE=eclipse-temurin
-ARG FROM_TAG=17-jre-noble
+ARG FROM_TAG=25-jre-noble
 
 # uncomment for alpine-based eclipse-temurin jre
-# ARG FROM_TAG=17-jre-alpine
+# ARG FROM_TAG=25-jre-alpine
 
 FROM ${FROM_REPO_IMAGE}:${FROM_TAG} AS base
 
@@ -77,10 +77,6 @@ ENV DEBUG="${DEBUG}" \
     TOMCAT_KEYSTORE_FORMAT="PKCS12" \
     TOMCAT_KEYSTORE_ALIAS="tomcat" \
     \
-    TOMCAT_SSL_CIPHERS="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!EDH:!DHE:!DH:!CAMELLIA:!ARIA:!AESCCM:!SHA:!CHACHA20" \
-    TOMCAT_SSL_ENABLED_PROTOCOLS="TLSv1.3,TLSv1.2" \
-    TOMCAT_SSL_PROTOCOL="TLS" \
-    \
     TOMCAT_ENABLE_ACCESS_LOG=""
 
 ENV CERT_C="US" \
@@ -151,20 +147,18 @@ RUN [ -n "${DEBUG}" ] && set -x; \
             openssl \
             gettext-base=0.21-14ubuntu2 \
             unzip=6.0-28ubuntu4.1 \
+            wget=1.21.4-1ubuntu4.1 \
             ; \
         if [ -n "${DEBUG}" ]; then \
-            # next 2 lines are to get postgres15 to install on ubuntu 22.04
-            echo "deb http://apt.postgresql.org/pub/repos/apt $(grep VERSION_CODENAME /etc/os-release | cut -d "=" -f2)-pgdg main" > /etc/apt/sources.list.d/pgdg.list; \
-            wget -qO- https://www.postgresql.org/media/keys/ACCC4CF8.asc | tee /etc/apt/trusted.gpg.d/pgdg.asc > /dev/null 2>&1; \
             apt-get update; \
             apt-get -yq --no-install-recommends install \
-                iputils-ping=3:20240117-1build1 \
+                iputils-ping=3:20240117-1ubuntu0.1 \
                 less=590-2ubuntu2.1 \
                 netcat-traditional=1.10-48 \
-                postgresql-client-16=16.6-0ubuntu0.24.04.1 \
-                sudo=1.9.15p5-3ubuntu5 \
-                tree=2.1.1-2ubuntu3 \
-                vim=2:9.1.0016-1ubuntu7.5 \
+                postgresql-client-16=16.10-0ubuntu0.24.04.1 \
+                sudo=1.9.15p5-3ubuntu5.24.04.1 \
+                tree=2.1.1-2ubuntu3.24.04.2 \
+                vim=2:9.1.0016-1ubuntu7.9 \
                 ; \
         fi; \
         apt-get -yq upgrade; \

Makefile

@@ -8,7 +8,7 @@ endif
 
 DEBUG ?=
 
-FROM_TAG ?= 17-jre-noble
+FROM_TAG ?= 25-jre-noble
 
 CACHE_FLAG ?= --no-cache
 
@@ -18,8 +18,13 @@ IDENT ?= labkey
 
 PULL_TAG ?= latest
 
-AWS_ACCOUNT_ID ?= $(shell aws sts get-caller-identity | jq -r '.Account' | grep -E '[0-9]{12}' || exit 1)
-AWS_REGION ?= $(shell aws configure get region || exit 1)
+ifeq ($(AWS_ACCESS_KEY_ID),)
+	AWS_ACCOUNT_ID=123456789
+	AWS_REGION=us-west-2
+else
+	AWS_ACCOUNT_ID ?= $(shell aws sts get-caller-identity | jq -r '.Account' | grep -E '[0-9]{12}' || exit 1)
+	AWS_REGION ?= $(shell aws configure get region || exit 1)
+endif
 
 LABKEY_VERSION ?= 21.5-SNAPSHOT
 LABKEY_DISTRIBUTION ?= community

README.md

@@ -147,14 +147,14 @@ Setting `DEBUG` to any value will suffice: `docker build ... --build-arg DEBUG=1
 The `Dockerfile` currently supports 2 base-container operating systems, Alpine Linux and Debian-based Linux, both of which originate from `eclipse-temurin`. Debian-based Linux deployments are much more thoroughly tested. Toggling between the two or overriding them can be achieved by changing the `FROM_TAG` Docker build arg. The `Dockerfile` provides 2 examples:
 
 - debian-based
-  - FROM_TAG=17-jre
+  - FROM_TAG=25-jre
 - alpine-based
-  - FROM_TAG=17-jre-alpine
+  - FROM_TAG=25-jre-alpine
 
 | name            | purpose                                                                          | default                  |
 | --------------- | ------------------------------------------------------                           | ------------------------ |                          
 | FROM_REPO_IMAGE | Docker repository & image to use as basis of container                           | `eclipse-temurin` |
-| FROM_TAG        | repository tag to use as basis of container                                      | `17-jre`             |
+| FROM_TAG        | repository tag to use as basis of container                                      | `25-jre`             |
 | LABKEY_HOME     | The Docker WORKDIR and top level under which all LabKey-related files are nested | `/labkey` |
 | BUILD_REMOTE_TAG | allows for alternate remote tags during `make tag` and `make push`  | [BUILD_REPO_URI]/labkey/community:[LABKEY_VERSION] |
 
@@ -248,9 +248,6 @@ The `CERT_*` ENVs should look familiar to anyone that has used the `openssl` com
 | TOMCAT_KEYSTORE_ALIAS        | self-signed cert/keystore "alias"                            | `tomcat`                                                 |
 | TOMCAT_KEYSTORE_FILENAME     | self-signed cert/keystore filename                           | `labkey.p12`                                             |
 | TOMCAT_KEYSTORE_FORMAT       | self-signed cert/keystore format                             | `PKCS12`                                                 |
-| TOMCAT_SSL_CIPHERS           | allowable SSL ciphers for use by tomcat | `HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!EDH:!DHE:!DH:!CAMELLIA:!ARIA:!AESCCM:!SHA:!CHACHA20` |
-| TOMCAT_SSL_ENABLED_PROTOCOLS | allowable SSL protocols and versions                         | `TLSv1.3,TLSv1.2`                                        |
-| TOMCAT_SSL_PROTOCOL          | basic SSL protocol to use                                    | `TLS`                                                    |
 | CERT_C                       | "Country" value for the generated self-signed cert           | `US`                                                     |
 | CERT_CN                      | "Common Name" value for the generated self-signed cert       | `localhost`                                              |
 | CERT_L                       | "Location" value for the generated self-signed cert          | `Seattle`                                                |

application.properties

@@ -113,11 +113,6 @@ server.http2.enabled=true
 
 server.ssl.enabled=true
 
-server.ssl.ciphers=${TOMCAT_SSL_CIPHERS}
-server.ssl.enabled-protocols=${TOMCAT_SSL_ENABLED_PROTOCOLS}
-server.ssl.protocol=${TOMCAT_SSL_PROTOCOL}
-
-
 # must match values in entrypoint.sh
 server.ssl.key-alias=${TOMCAT_KEYSTORE_ALIAS}
 server.ssl.key-store=${LABKEY_HOME}/${TOMCAT_KEYSTORE_FILENAME}

docker-compose.yml

@@ -27,7 +27,6 @@ services:
       # - LABKEY_SYSTEM_DESCRIPTION=Sirius Cybernetics Corporation
 
       # - TOMCAT_ENABLE_ACCESS_LOG=1
-      - TOMCAT_SSL_CIPHERS=${TOMCAT_SSL_CIPHERS:-HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!EDH:!DHE:!DH:!CAMELLIA:!ARIA:!AESCCM:!SHA:!CHACHA20}      
       - LOG_LEVEL_SPRING_WEB=INFO
       - LOG_LEVEL_TOMCAT=DEBUG
       - LOG_LEVEL_DEFAULT=DEBUG
@@ -140,7 +139,6 @@ services:
       # - LABKEY_SYSTEM_DESCRIPTION=Sirius Cybernetics Corporation
 
       # - TOMCAT_ENABLE_ACCESS_LOG=1
-      - TOMCAT_SSL_CIPHERS=${TOMCAT_SSL_CIPHERS:-HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!EDH:!DHE:!DH:!CAMELLIA:!ARIA:!AESCCM:!SHA:!CHACHA20}
       - LOG_LEVEL_SPRING_WEB=INFO
       - LOG_LEVEL_TOMCAT=DEBUG
       - LOG_LEVEL_DEFAULT=DEBUG
@@ -251,7 +249,6 @@ services:
       # - LABKEY_SYSTEM_DESCRIPTION=Sirius Cybernetics Corporation
 
       # - TOMCAT_ENABLE_ACCESS_LOG=1
-      - TOMCAT_SSL_CIPHERS=${TOMCAT_SSL_CIPHERS:-HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!EDH:!DHE:!DH:!CAMELLIA:!ARIA:!AESCCM:!SHA:!CHACHA20}
       - LOG_LEVEL_SPRING_WEB=INFO
       - LOG_LEVEL_TOMCAT=DEBUG
       - LOG_LEVEL_DEFAULT=DEBUG
@@ -363,7 +360,6 @@ services:
       # - LABKEY_SYSTEM_DESCRIPTION=Sirius Cybernetics Corporation
 
       # - TOMCAT_ENABLE_ACCESS_LOG=1
-      - TOMCAT_SSL_CIPHERS=${TOMCAT_SSL_CIPHERS:-HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!EDH:!DHE:!DH:!CAMELLIA:!ARIA:!AESCCM:!SHA:!CHACHA20}
       - LOG_LEVEL_SPRING_WEB=INFO
       - LOG_LEVEL_TOMCAT=DEBUG
       - LOG_LEVEL_DEFAULT=DEBUG

quickstart_envs.sh

@@ -3,7 +3,7 @@
 # example minimal set of environment variables to get started - see readme for additional envs you may wish to set
 
 # embedded tomcat LabKey .jar version to build container with
-export LABKEY_VERSION="25.11"
+export LABKEY_VERSION="26.1"
 
 # minimal SMTP settings
 export SMTP_HOST="localhost"