Red Hat Certified Recipe - INT-414 (#20)

* INT-414 Red Hat Certified Recipe.

* License headers, help update.

.kitchen.yml

@@ -32,6 +32,12 @@ suites:
     verifier:
       inspec_tests:
         - test/smoke/docker
+  - name: rhel-docker
+    run_list:
+      - recipe[nexus_repository_manager::rhel-docker]
+    verifier:
+      inspec_tests:
+        - test/smoke/rhel-docker
   - name: nexus_properties_configured
     run_list:
       - recipe[nexus_repository_manager::default]

.kitchen.yml.erb

@@ -42,6 +42,12 @@ suites:
     verifier:
       inspec_tests:
         - test/smoke/docker
+  - name: rhel-docker
+    run_list:
+      - recipe[nexus_repository_manager::rhel-docker]
+    verifier:
+      inspec_tests:
+        - test/smoke/rhel-docker
   - name: nexus_properties_configured
     run_list:
       - recipe[nexus_repository_manager::default]

README.md

@@ -14,6 +14,17 @@ We also provide a `nexus-repository-manager::docker` recipe which is exactly the
    Installs Nexus Repository Manager and starts it as systemd service.
  - nexus-repository-manager::docker
    Installs Nexus Repository Manager. Instead of a systemd service a startup script `start-nexus-repository-manager.sh` is provided in install_dir.
+ - nexus-repository-manager::rhel-docker
+   Uses the nexus-repository-manager::docker recipe but includes additional meta data to comform with Atomic and
+   OpenShift standards, a directory with the licenses applicable to the software and a man file for help on how to use
+   the software. It also uses an ENTRYPOINT script the ensure the running user has access to the appropriate 
+   permissions for OpenShift 'restricted' SCC.
+
+#### Red Hat help.1
+
+The man file included in the Red Hat image is generated from this [help markdown](files/rhel-docker/help.md). Markdown
+can be converted to the appropriate format using [md2roff](https://github.com/nereusx/md2roff). This process is
+currently not part of the automated build and needs to be done manually after any update to the help markdown.
 
 #### Testing
 

files/rhel-docker/help.1

@@ -0,0 +1,74 @@
+.PP
+% 
+.BR NEXUS (1) 
+Container Image Pages
+% Sonatype
+% December 15, 2017
+.TH NAME
+.PP
+nexus \- Nexus Repository Manager container image
+.SH DESCRIPTION
+.PP
+The nexus image provides a containerized packaging of the Nexus Repository Manager.
+Nexus Repository Manager is a repository manager with universal support for popular component formats including Maven, Docker, NuGet, npm, PyPi, Bower and more.
+.PP
+The nexus image is designed to be run by the atomic command with one of these options:
+.PP
+\fB\fCrun\fR
+.PP
+Starts the installed container with selected privileges to the host.
+.PP
+\fB\fCstop\fR
+.PP
+Stops the installed container
+.PP
+The container itself consists of:
+    \- Linux base image
+    \- Oracle Java JDK
+    \- Nexus Repository Manager
+    \- Atomic help file
+.PP
+Files added to the container during docker build include: /help.1.
+.SH USAGE
+.PP
+To use the nexus container, you can run the atomic command with run, stop, or uninstall options:
+.PP
+To run the nexus container:
+.IP
+atomic run nexus
+.PP
+To stop the nexus container (after it is installed), run:
+.IP
+atomic stop nexus
+.SH LABELS
+.PP
+The nexus container includes the following LABEL settings:
+.PP
+That atomic command runs the docker command set in this label:
+.PP
+\fB\fCRUN=\fR
+.IP
+LABEL RUN='docker run \-d \-p 8081:8081 \-\-name ${NAME} ${IMAGE}'
+.IP
+The contents of the RUN label tells an \fB\fCatomic run nexus\fR command to open port 8081 & set the name of the container.
+.PP
+\fB\fCSTOP=\fR
+.IP
+LABEL STOP='docker stop ${NAME}'
+.PP
+\fB\fCName=\fR
+.PP
+The registry location and name of the image. For example, Name="Nexus Repository Manager".
+.PP
+\fB\fCVersion=\fR
+.PP
+The Nexus Repository Manager version from which the container was built. For example, Version="3.6.2\-01".
+.PP
+When the atomic command runs the nexus container, it reads the command line associated with the selected option
+from a LABEL set within the Docker container itself. It then runs that command. The following sections detail
+each option and associated LABEL:
+.SH SECURITY IMPLICATIONS
+.PP
+\fB\fC\-d\fR
+.PP
+Runs continuously as a daemon process in the background

files/rhel-docker/help.md

@@ -0,0 +1,72 @@
+% NEXUS(1) Container Image Pages
+% Sonatype
+% December 15, 2017
+
+# NAME
+nexus \- Nexus Repository Manager container image
+
+# DESCRIPTION
+The nexus image provides a containerized packaging of the Nexus Repository Manager.
+Nexus Repository Manager is a repository manager with universal support for popular component formats including Maven, Docker, NuGet, npm, PyPi, Bower and more.
+
+The nexus image is designed to be run by the atomic command with one of these options:
+
+`run`
+
+Starts the installed container with selected privileges to the host.
+
+`stop`
+
+Stops the installed container
+
+The container itself consists of:
+    - Linux base image
+    - Oracle Java JDK
+    - Nexus Repository Manager
+    - Atomic help file
+
+Files added to the container during docker build include: /help.1.
+
+# USAGE
+To use the nexus container, you can run the atomic command with run, stop, or uninstall options:
+
+To run the nexus container:
+
+  atomic run nexus
+
+To stop the nexus container (after it is installed), run:
+
+  atomic stop nexus
+
+# LABELS
+The nexus container includes the following LABEL settings:
+
+That atomic command runs the docker command set in this label:
+
+`RUN=`
+
+  LABEL RUN='docker run -d -p 8081:8081 --name ${NAME} ${IMAGE}'
+
+  The contents of the RUN label tells an `atomic run nexus` command to open port 8081 & set the name of the container.
+
+`STOP=`
+
+  LABEL STOP='docker stop ${NAME}'
+
+`Name=`
+
+The registry location and name of the image. For example, Name="Nexus Repository Manager".
+
+`Version=`
+
+The Nexus Repository Manager version from which the container was built. For example, Version="3.6.2-01".
+
+When the atomic command runs the nexus container, it reads the command line associated with the selected option
+from a LABEL set within the Docker container itself. It then runs that command. The following sections detail
+each option and associated LABEL:
+
+# SECURITY IMPLICATIONS
+
+`-d`
+
+Runs continuously as a daemon process in the background

files/rhel-docker/licenses/LICENSE

@@ -0,0 +1,10 @@
+Sonatype Nexus (TM) Open Source Version
+Copyright (c) 2008-present Sonatype, Inc.
+All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+
+This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+
+Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+Eclipse Foundation. All other trademarks are the property of their respective owners.

files/rhel-docker/uid_entrypoint.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+#
+# Copyright:: Copyright (c) 2017-present Sonatype, Inc. Apache License, Version 2.0.
+#
+# arbitrary uid recognition at runtime - for OpenShift deployments
+USER_ID=$(id -u)
+if [[ ${USER_UID} != ${USER_ID} ]]; then
+    sed "s@${USER_NAME}:x:\${USER_ID}:@${USER_NAME}:x:${USER_ID}:@g" /etc/passwd.template > /etc/passwd
+fi
+exec "$@"

files/rhel-docker/uid_template.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# Copyright:: Copyright (c) 2017-present Sonatype, Inc. Apache License, Version 2.0.
+#
+# arbitrary uid recognition at runtime - for OpenShift deployments
+sed "s@${USER_NAME}:x:${USER_UID}:@${USER_NAME}:x:\${USER_ID}:@g" /etc/passwd > /etc/passwd.template

recipes/rhel-docker.rb

@@ -0,0 +1,39 @@
+#
+# Cookbook:: nexus_repository_manager
+# Recipe:: rhel-docker
+#
+# Copyright:: Copyright (c) 2017-present Sonatype, Inc. Apache License, Version 2.0.
+
+include_recipe 'nexus_repository_manager::docker'
+
+group 'root' do
+  action :modify
+  members 'nexus'
+  append true
+end
+
+directory '/licenses/' do
+  owner 'root'
+  group 'root'
+  mode '755'
+  action :create
+end
+
+[ 'help.1', 'uid_template.sh', 'uid_entrypoint.sh', 'licenses/LICENSE' ].each do | file |
+  cookbook_file "/#{file}" do
+    source "rhel-docker/#{file}"
+    owner 'root'
+    group 'root'
+    mode '755'
+  end
+end
+
+bash 'uid_template.sh' do
+  code <<-EOH
+    /uid_template.sh
+  EOH
+end
+
+file '/etc/passwd' do
+  mode '664'
+end

test/smoke/rhel-docker/perm_test.rb

@@ -0,0 +1,25 @@
+#
+# Cookbook:: nexus_repository_manager
+#
+# Copyright:: Copyright (c) 2017-present Sonatype, Inc. Apache License, Version 2.0.
+#
+
+# Permissions test for recipe nexus_repository_manager::rhel-docker
+
+control 'rhel-docker-perms-test-001' do
+  title 'Allows nexus user to mutate /etc/password'
+  describe user('nexus') do
+    it { should exist }
+  end
+
+  describe file('/etc/passwd') do
+    it { should be_allowed('write', by_user: 'nexus') }
+  end
+end
+
+control 'rhel-docker-perms-test-002' do
+ title 'Creates a template for passwd'
+  describe file('/etc/passwd.template') do
+    it { should exist }
+  end
+end

test/smoke/rhel-docker/rhel_requirements_test.rb

@@ -0,0 +1,18 @@
+#
+# Cookbook:: nexus_repository_manager
+#
+# Copyright:: Copyright (c) 2017-present Sonatype, Inc. Apache License, Version 2.0.
+#
+
+# Red Hat requirements test for recipe nexus_repository_manager::rhel-docker
+
+control 'rhel-docker-requirements-test-001' do
+  title 'Includes the required files for Red Hat certification'
+  describe file('/help.1') do
+    it { should exist }
+  end
+
+  describe file('/licenses/LICENSE') do
+    it { should exist }
+  end
+end