From 29cb617e92d507bea42183ed2cf887b74ae129b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Thu, 9 Apr 2026 11:13:01 +0200
Subject: [PATCH 1/3] SOLR-17353 Bump gosu binary to v1.19 in docker images

---
 .github/renovate.json | 14 ++++++--
 .../SOLR-17353-docker-gosu-upgrade.yml | 32 +++++++++++++++++++
 .../docker/templates/Dockerfile.body.template | 24 +++++++++++---
 3 files changed, 63 insertions(+), 7 deletions(-)
 create mode 100644 changelog/unreleased/SOLR-17353-docker-gosu-upgrade.yml
diff --git a/.github/renovate.json b/.github/renovate.json
index ab543ca162a..ae405735105 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -4,9 +4,19 @@
 "enabled": true,
 "gitIgnoredAuthors": ["renovate-bot "],
 "dependencyDashboard": false,
- "enabledManagers": ["gradle", "github-actions"],
+ "enabledManagers": ["gradle", "github-actions", "regex"],
 "labels": ["exempt-stale"],
- "includePaths": ["gradle/libs.versions.toml", "versions.*", "build.gradle", ".github/workflows/*"],
+ "includePaths": ["gradle/libs.versions.toml", "versions.*", "build.gradle", ".github/workflows/*", "solr/docker/templates/Dockerfile.body.template"],
+ "customManagers": [
+ {
+ "description": "Track gosu GitHub releases and update ARG GOSU_VERSION in Dockerfile template",
+ "customType": "regex",
+ "fileMatch": ["^solr/docker/templates/Dockerfile\\.body\\.template$"],
+ "matchStrings": ["ARG GOSU_VERSION=(?[^\\s]+)"],
+ "depNameTemplate": "tianon/gosu",
+ "datasourceTemplate": "github-releases"
+ }
+ ],
 "postUpgradeTasks": {
 "commands": [
 "./gradlew resolveAndLockAll --write-locks",
diff --git a/changelog/unreleased/SOLR-17353-docker-gosu-upgrade.yml b/changelog/unreleased/SOLR-17353-docker-gosu-upgrade.yml
new file mode 100644
index 00000000000..6fa94ccad37
--- /dev/null
+++ b/changelog/unreleased/SOLR-17353-docker-gosu-upgrade.yml
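Review bot: As the `matchStrings` entry is shown on this page, `ARG GOSU_VERSION=(?[^\\s]+)`, the group has no name, and Renovate's regex manager needs a named `currentValue` capture to know which text to rewrite; the name was probably lost when the page was rendered, so confirm the committed file reads `(?<currentValue>[^\\s]+)`. With this manager enabled, a bot-opened pull request now changes which binary the image build downloads, and the only control between that bump and the published image is the signature check in `Dockerfile.body.template`, so the key fingerprint pinned there deserves the same review attention as the version itself. The `postUpgradeTasks` object continues outside the hunk, so whether its Gradle lock commands are skipped for a Dockerfile-only update cannot be judged from here.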
@@ -0,0 +1,32 @@
+# (DELETE ALL COMMENTS UP HERE AFTER FILLING THIS IN
+
+# See https://github.com/apache/solr/blob/main/dev-docs/changelog.adoc
+
+# If the change is minor, don't bother adding a changelog entry.
+# For `other` type entries, the threshold to bother with a changelog entry should be even higher.
+
+# title:
+# * The audience is end-users and administrators, not committers.
+# * Be short and focused on the user impact. Multiple sentences is fine!
+# * For technical/geeky details, prefer the commit message instead of changelog.
+# * Reference JIRA issues like `SOLR-12345`, or if no JIRA but have a GitHub PR then `PR#12345`.
+
+# type:
+# `added` for new features/improvements, opt-in by the user typically documented in the ref guide
+# `changed` for improvements; not opt-in
+# `fixed` for improvements that are deemed to have fixed buggy behavior
+# `deprecated` for marking things deprecated
+# `removed` for code removed
+# `dependency_update` for updates to dependencies
+# `other` for anything else, like large/significant refactorings, build changes,
+# test infrastructure, or documentation.
+# Most such changes are too small/minor to bother with a changelog entry.
+
+title: Docker gosu upgrade
+type:
+authors:
+ - name: Jan Høydahl
+ url: https://home.apache.org/phonebook.html?uid=janhoy
+links:
+ - name: SOLR-17353
+ url: https://issues.apache.org/jira/browse/SOLR-17353
diff --git a/solr/docker/templates/Dockerfile.body.template b/solr/docker/templates/Dockerfile.body.template
index 57c5793a7c3..a592f51bf50 100644
--- a/solr/docker/templates/Dockerfile.body.template
+++ b/solr/docker/templates/Dockerfile.body.template
@@ -48,6 +48,25 @@ ENV SOLR_USER="solr" \
 SOLR_HOST_BIND="0.0.0.0" \
 SOLR_ZOOKEEPER_EMBEDDED_HOST="0.0.0.0"

+ARG GOSU_VERSION=1.19
+RUN set -eux; \
+ apt-get update; \
+ apt-get -y --no-install-recommends install curl acl lsof procps wget netcat-openbsd tini jattach gpg gnupg dirmngr; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}"; \
+ wget -O /tmp/gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org \
+ --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /tmp/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill gpg-agent; \
+ rm -rf "$GNUPGHOME" /tmp/gosu.asc; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true; \
+ apt-get -y remove gpg dirmngr && apt-get -y autoremove
+
 RUN set -ex; \
 groupadd -r --gid "$SOLR_GID" "$SOLR_GROUP"; \
 useradd -r --uid "$SOLR_UID" --gid "$SOLR_GID" "$SOLR_USER"
@@ -67,11 +86,6 @@ RUN set -ex; \
 mkdir -p -m0770 /var/solr; \
 chown -R "$SOLR_USER:0" /var/solr;

-RUN set -ex; \
- apt-get update; \
- apt-get -y --no-install-recommends install curl acl lsof procps wget netcat-openbsd gosu tini jattach; \
- rm -rf /var/lib/apt/lists/*;
-
 VOLUME /var/solr
 EXPOSE 8983
 WORKDIR /opt/solr
From 05b280eee9ce6d13446c447c69c5517712400074 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Thu, 9 Apr 2026 11:22:02 +0200
Subject: [PATCH 2/3] Update changelog with proper type

---
 .../SOLR-17353-docker-gosu-upgrade.yml | 28 ++-----------------
 1 file changed, 2 insertions(+), 26 deletions(-)
diff --git a/changelog/unreleased/SOLR-17353-docker-gosu-upgrade.yml b/changelog/unreleased/SOLR-17353-docker-gosu-upgrade.yml
index 6fa94ccad37..5fee10c9f63 100644
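Review bot: Every image build now has to reach `hkps://keys.openpgp.org` to fetch key `B42F6819007F00F88E364FD4036A9C25BF357DD4` before `gpg --batch --verify` can run, so a keyserver outage or a build host without that egress fails the build. Integrity is anchored correctly, since the full fingerprint is pinned and the fresh `GNUPGHOME` holds only that key, so this is an availability and reproducibility concern; committing the armoured public key beside the template and loading it with `gpg --batch --import` would keep the same trust anchor without the network fetch. The cleanup also names only `gpg dirmngr` although `gnupg` was installed too, and `apt-get -y purge --auto-remove gpg gnupg dirmngr` would state the intent rather than lean on dependency resolution. A comment above `ARG GOSU_VERSION=1.19` saying that Renovate bumps the value and that the fingerprint must be re-checked if upstream rotates its signing key would help the next maintainer.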
--- a/changelog/unreleased/SOLR-17353-docker-gosu-upgrade.yml
+++ b/changelog/unreleased/SOLR-17353-docker-gosu-upgrade.yml
@@ -1,29 +1,5 @@
-# (DELETE ALL COMMENTS UP HERE AFTER FILLING THIS IN
-
-# See https://github.com/apache/solr/blob/main/dev-docs/changelog.adoc
-
-# If the change is minor, don't bother adding a changelog entry.
-# For `other` type entries, the threshold to bother with a changelog entry should be even higher.
-
-# title:
-# * The audience is end-users and administrators, not committers.
-# * Be short and focused on the user impact. Multiple sentences is fine!
-# * For technical/geeky details, prefer the commit message instead of changelog.
-# * Reference JIRA issues like `SOLR-12345`, or if no JIRA but have a GitHub PR then `PR#12345`.
-
-# type:
-# `added` for new features/improvements, opt-in by the user typically documented in the ref guide
-# `changed` for improvements; not opt-in
-# `fixed` for improvements that are deemed to have fixed buggy behavior
-# `deprecated` for marking things deprecated
-# `removed` for code removed
-# `dependency_update` for updates to dependencies
-# `other` for anything else, like large/significant refactorings, build changes,
-# test infrastructure, or documentation.
-# Most such changes are too small/minor to bother with a changelog entry.
-
-title: Docker gosu upgrade
-type:
+title: Bump gosu binary to v1.19 in docker images
+type: dependency_update
 authors:
 - name: Jan Høydahl
 url: https://home.apache.org/phonebook.html?uid=janhoy
From e996fa8c47871e930a0022da5dc9a1c75b421269 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Thu, 9 Apr 2026 11:23:35 +0200
Subject: [PATCH 3/3] Apply stricter chmod on GNUPGHOME

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 solr/docker/templates/Dockerfile.body.template | 1 +
 1 file changed, 1 insertion(+)
diff --git a/solr/docker/templates/Dockerfile.body.template b/solr/docker/templates/Dockerfile.body.template
index a592f51bf50..1193ba26be2 100644
--- a/solr/docker/templates/Dockerfile.body.template
+++ b/solr/docker/templates/Dockerfile.body.template
@@ -57,6 +57,7 @@ RUN set -eux; \
 wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}"; \
 wget -O /tmp/gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}.asc"; \
 export GNUPGHOME="$(mktemp -d)"; \
+ chmod 700 "$GNUPGHOME"; \
 gpg --batch --keyserver hkps://keys.openpgp.org \
 --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
 gpg --batch --verify /tmp/gosu.asc /usr/local/bin/gosu; \
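Review bot: The added `chmod 700 "$GNUPGHOME"` does not tighten anything under an ordinary umask, because `mktemp -d` already creates the directory with mode 0700, so the temporary keyring was owner-only before this commit as well. It is harmless to keep as defence in depth, but the commit title reads as if the earlier version was looser, so a comment above the `RUN` such as `# GNUPGHOME comes from mktemp -d (already 0700); the chmod is belt-and-braces` would stop a later reader from drawing that conclusion. The `RUN` instruction begins and ends outside this hunk.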