diff --git a/bitnami/influxdb/3/debian-12/Dockerfile b/bitnami/influxdb/3/debian-12/Dockerfile index 586c16e5f2b33..c49548dbd399c 100644 --- a/bitnami/influxdb/3/debian-12/Dockerfile +++ b/bitnami/influxdb/3/debian-12/Dockerfile @@ -7,7 +7,7 @@ ARG DOWNLOADS_URL="downloads.bitnami.com/files/stacksmith" ARG TARGETARCH LABEL org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \ - org.opencontainers.image.created="2026-05-25T14:45:46Z" \ + org.opencontainers.image.created="2026-06-05T18:31:34Z" \ org.opencontainers.image.description="Application packaged by Broadcom, Inc." \ org.opencontainers.image.documentation="https://github.com/bitnami/containers/tree/main/bitnami/influxdb/README.md" \ org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/influxdb" \ 
@@ -28,19 +28,19 @@ RUN --mount=type=secret,id=downloads_url,env=SECRET_DOWNLOADS_URL \ DOWNLOADS_URL=${SECRET_DOWNLOADS_URL:-${DOWNLOADS_URL}} ; \ mkdir -p /tmp/bitnami/pkg/cache/ ; cd /tmp/bitnami/pkg/cache/ || exit 1 ; \ COMPONENTS=( \ - "libpython-3.12.13-3-linux-${OS_ARCH}-debian-12" \ + "libpython-3.12.13-4-linux-${OS_ARCH}-debian-12" \ "influxdb-3.9.2-0-linux-${OS_ARCH}-debian-12" \ - "wait-for-port-1.0.10-10-linux-${OS_ARCH}-debian-12" \ + "wait-for-port-1.0.10-11-linux-${OS_ARCH}-debian-12" \ ) ; \ for COMPONENT in "${COMPONENTS[@]}"; do \ if [ ! -f "${COMPONENT}.tar.gz" ]; then \ curl -SsLf "https://${DOWNLOADS_URL}/${COMPONENT}.tar.gz" -O ; \ - curl -SsLf "https://${DOWNLOADS_URL}/${COMPONENT}.tar.gz.sha256" -O ; \ fi ; \ - sha256sum -c "${COMPONENT}.tar.gz.sha256" ; \ + sha256sum -c "/opt/bitnami/checksums/${COMPONENT}.tar.gz.sha256" ; \ tar -zxf "${COMPONENT}.tar.gz" -C /opt/bitnami --strip-components=2 --no-same-owner ; \ - rm -rf "${COMPONENT}".tar.gz{,.sha256} ; \ - done + rm -rf "${COMPONENT}".tar.gz ; \ + done ; \ + rm -rf /opt/bitnami/checksums ; RUN apt-get update && apt-get upgrade -y && \ apt-get clean && rm -rf /var/lib/apt/lists /var/cache/apt/archives RUN chmod g+rwX /opt/bitnami @@ -50,8 +50,8 @@ COPY rootfs / RUN /opt/bitnami/scripts/influxdb/postunpack.sh ENV APP_VERSION="3.9.2" \ BITNAMI_APP_NAME="influxdb" \ - IMAGE_REVISION="5" \ - LD_LIBRARY_PATH="/opt/bitnami/python/lib:$LD_LIBRARY_PATH" \ + IMAGE_REVISION="6" \ + LD_LIBRARY_PATH="/opt/bitnami/python/lib" \ PATH="/opt/bitnami/influxdb/bin:/opt/bitnami/common/bin:$PATH" VOLUME [ "/bitnami/influxdb" ] diff --git a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/influxdb-3.9.2-0-linux-amd64-debian-12.tar.gz.sha256 b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/influxdb-3.9.2-0-linux-amd64-debian-12.tar.gz.sha256 new file mode 100644 index 0000000000000..ceea95296ca50 --- /dev/null 
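Review bot: The integrity gate `sha256sum -c "/opt/bitnami/checksums/${COMPONENT}.tar.gz.sha256" ;` in the `for` loop stops the build only if the RUN shell has errexit enabled, because the statements are chained with `;` and `tar -zxf` follows unconditionally. The SHELL directive is outside this hunk, so make the gate explicit, as `cd /tmp/bitnami/pkg/cache/ || exit 1` already does: `sha256sum -c --strict "/opt/bitnami/checksums/${COMPONENT}.tar.gz.sha256" || exit 1 ; \`. A short comment above the loop should state that the digests are now pinned in the repository under prebuildfs instead of being fetched from the same host as the tarball, since that is the property this change provides. The copy of prebuildfs into the image is presumably done earlier in the Dockerfile and is not visible here.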
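Review bot: The new `LD_LIBRARY_PATH="/opt/bitnami/python/lib"` entry in the ENV block drops the inherited value without saying why, and a one-line comment above the ENV instruction would stop a later maintainer from re-adding the suffix. When the variable is unset at build time the old form expands to `/opt/bitnami/python/lib:`, and the dynamic loader treats an empty entry as the current working directory, which is presumably what this change closes. Proposed comment: `# LD_LIBRARY_PATH is set absolutely: appending an unset $LD_LIBRARY_PATH leaves an empty entry that the loader resolves to the current directory`. Images layered on a base that already exports LD_LIBRARY_PATH will lose that value, which deserves a changelog line.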
+++ b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/influxdb-3.9.2-0-linux-amd64-debian-12.tar.gz.sha256
@@ -0,0 +1 @@
+c8a48abc2e3ef2ae0a27db0f57af9f6f5f216f7bd3c4242f4cdc7ecffb2dd443 influxdb-3.9.2-0-linux-amd64-debian-12.tar.gz
diff --git a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/influxdb-3.9.2-0-linux-arm64-debian-12.tar.gz.sha256 b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/influxdb-3.9.2-0-linux-arm64-debian-12.tar.gz.sha256
new file mode 100644
index 0000000000000..dd9de47d5f1a5
--- /dev/null
+++ b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/influxdb-3.9.2-0-linux-arm64-debian-12.tar.gz.sha256
@@ -0,0 +1 @@
+467483f07803433f3e773148b6efb68827a7e116a09ebad7c54f354cf4380a36 influxdb-3.9.2-0-linux-arm64-debian-12.tar.gz
diff --git a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/libpython-3.12.13-4-linux-amd64-debian-12.tar.gz.sha256 b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/libpython-3.12.13-4-linux-amd64-debian-12.tar.gz.sha256
new file mode 100644
index 0000000000000..818600814e233
--- /dev/null
+++ b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/libpython-3.12.13-4-linux-amd64-debian-12.tar.gz.sha256
@@ -0,0 +1 @@
+042c31d20f1294a6645c3001367194123ab86462ab2de31444501c61a2f85427 libpython-3.12.13-4-linux-amd64-debian-12.tar.gz
diff --git a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/libpython-3.12.13-4-linux-arm64-debian-12.tar.gz.sha256 b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/libpython-3.12.13-4-linux-arm64-debian-12.tar.gz.sha256
new file mode 100644
index 0000000000000..6df342c9c600a
--- /dev/null
+++ b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/libpython-3.12.13-4-linux-arm64-debian-12.tar.gz.sha256
@@ -0,0 +1 @@
+fbfcc9a072dc9630fd24722ce606794dcd62811d0c813006b5de7eed0424d8af libpython-3.12.13-4-linux-arm64-debian-12.tar.gz
diff --git a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/wait-for-port-1.0.10-11-linux-amd64-debian-12.tar.gz.sha256 b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/wait-for-port-1.0.10-11-linux-amd64-debian-12.tar.gz.sha256
new file mode 100644
index 0000000000000..ab86dab7c5d10
--- /dev/null
+++ b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/wait-for-port-1.0.10-11-linux-amd64-debian-12.tar.gz.sha256
@@ -0,0 +1 @@
+b8a9cd842e95ae16de5bbf157cc7e246c79a24d3b5b626bcce32f6904a895383 wait-for-port-1.0.10-11-linux-amd64-debian-12.tar.gz
diff --git a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/wait-for-port-1.0.10-11-linux-arm64-debian-12.tar.gz.sha256 b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/wait-for-port-1.0.10-11-linux-arm64-debian-12.tar.gz.sha256
new file mode 100644
index 0000000000000..3799475af6722
--- /dev/null
+++ b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/wait-for-port-1.0.10-11-linux-arm64-debian-12.tar.gz.sha256
@@ -0,0 +1 @@
+ae2e822f8c673eb66a2cadbc6dc5fe9c8c0791564751e453a04a416ab9bd6f61 wait-for-port-1.0.10-11-linux-arm64-debian-12.tar.gz
diff --git a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libfile.sh b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libfile.sh
index 1c69e0e48a5d0..335c1c7c9ef70 100644
--- a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libfile.sh
+++ b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libfile.sh
@@ -139,3 +139,40 @@ wait_for_log_entry() { return 1 fi } + +######################## +# Creates a secure temporary file containing the provided secret +# Arguments: +# $1 - secret to write to the temporary file +# Returns: +# String +######################### +credential_to_temp_file() { + local secret="$1" + local tmp_file + + # Use mktemp with a specific prefix for easier debugging if something lingers + if ! tmp_file=$(mktemp "${TMPDIR:-/tmp}/at.cred.XXXXXXXX"); then + echo "Error: Failed to create temp file" >&2 + return 1 + fi + + # Restrict permissions before writing the secret + chmod 0600 "$tmp_file" + # Write secret and ensure it's flushed to disk + printf "%s" "$secret" > "$tmp_file" + # Output the filename so the caller can capture it + echo "$tmp_file" +} + +######################## +# Cleans up temporary files created by credential_to_temp_file +# Arguments: +# None +# Returns: +# None +######################### +cleanup_credentials() { + debug "Cleaning up temporary files containing credentials" + rm -rf "${TMPDIR:-/tmp}"/at.cred.* +} diff --git a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libfs.sh b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libfs.sh index 1337f6c2dd59f..b16efabd32304 100644 --- a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libfs.sh +++ b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libfs.sh @@ -131,6 +131,7 @@ relativize() { # -d|--dir-mode - mode for files. # -u|--user - user # -g|--group - group +# -n|--no-dereference - do not follow symlinks (use for runtime root chown of daemon-writable dirs) # Returns: # None ######################### @@ -140,6 +141,7 @@ configure_permissions_ownership() { local file_mode="" local user="" local group="" + local follow_symlinks="yes" # Validate arguments shift 1 
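Review bot: In the libfile.sh hunk, `cleanup_credentials` runs `rm -rf "${TMPDIR:-/tmp}"/at.cred.*`, which removes every matching entry in a shared temp directory, including directories and files this process never created and credential files another script using the same helper may still need. Because `mktemp` here only creates regular files, `rm -f -- "${TMPDIR:-/tmp}"/at.cred.*` is the narrower form. In `credential_to_temp_file` the results of `chmod` and of the redirection are unchecked, so a failed write still prints the path of an empty file; `printf '%s' "$secret" > "$tmp_file" || return 1` covers that. The comment "ensure it's flushed to disk" promises more than a shell redirection does and would be more accurate as `# Write the secret without a trailing newline`. `debug` is not defined in this hunk, so the file presumably relies on liblog.sh being loaded by the caller.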
@@ -161,6 +163,9 @@ configure_permissions_ownership() {
 shift
 group="${1:?missing group}"
 ;;
+ -n | --no-dereference)
+ follow_symlinks="no"
+ ;;
 *)
 echo "Invalid command line flag $1" >&2
 return 1
@@ -169,22 +174,29 @@ configure_permissions_ownership() { shift done + # -L: follow symlinks and emits the target path + # This is dangerous at runtime, given a co-located lower-privileged process with write access + # to the target path can redirect the chown/chmod to arbitrary paths. Example: + # Lower-privileged process run: ln -s /etc /tmp/etc + # Then, setup.sh runs: configure_permissions_ownership --dir-mode 775 /tmp + local find_L_flag=(); [[ "$follow_symlinks" == "yes" ]] && find_L_flag=("-L") + # -h: changes symlink inode ownership without touching the target. + local chown_flags=(); [[ "$follow_symlinks" == "no" ]] && chown_flags=("-h") read -r -a filepaths <<<"$paths" for p in "${filepaths[@]}"; do if [[ -e "$p" ]]; then - find -L "$p" -printf "" if [[ -n $dir_mode ]]; then - find -L "$p" -type d ! -perm "$dir_mode" -print0 | xargs -r -0 chmod "$dir_mode" + find "${find_L_flag[@]}" "$p" -not -type l -type d ! -perm "$dir_mode" -print0 | xargs -r -0 chmod "$dir_mode" fi if [[ -n $file_mode ]]; then - find -L "$p" -type f ! -perm "$file_mode" -print0 | xargs -r -0 chmod "$file_mode" + find "${find_L_flag[@]}" "$p" -not -type l -type f ! -perm "$file_mode" -print0 | xargs -r -0 chmod "$file_mode" fi if [[ -n $user ]] && [[ -n $group ]]; then - find -L "$p" -print0 | xargs -r -0 chown "${user}:${group}" + find "${find_L_flag[@]}" "$p" -print0 | xargs -r -0 chown "${chown_flags[@]}" "${user}:${group}" elif [[ -n $user ]] && [[ -z $group ]]; then - find -L "$p" -print0 | xargs -r -0 chown "${user}" + find "${find_L_flag[@]}" "$p" -print0 | xargs -r -0 chown "${chown_flags[@]}" "${user}" elif [[ -z $user ]] && [[ -n $group ]]; then - find -L "$p" -print0 | xargs -r -0 chgrp "${group}" + find "${find_L_flag[@]}" "$p" -print0 | xargs -r -0 chgrp "${chown_flags[@]}" "${group}" fi else stderr_print "$p does not exist" 
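Review bot: The default remains `follow_symlinks="yes"` (set in the earlier hunk), so every existing caller keeps running `find -L` even though the new comment here calls that mode dangerous at runtime; only call sites that pass `-n` are protected. Either flip the default and add an explicit opt-in for build-time callers, or audit the runtime callers and list in the function header which ones must pass `-n`. In the two chmod pipelines `-not -type l` is redundant next to `-type d` / `-type f` (without `-L` those never match a link, with `-L` a resolvable link is reported as its target type), so `find "${find_L_flag[@]}" "$p" -type d ! -perm "$dir_mode" -print0` is equivalent. chmod has no no-dereference mode, so even with `-n` there is a window between `find` emitting a path and `chmod` acting on it, and the comment should state that residual limit. The function starts and ends outside this hunk.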
diff --git a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libos.sh b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libos.sh index 9d908c48579b9..2d3c3bdb5f4ae 100644 --- a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libos.sh +++ b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libos.sh @@ -170,7 +170,7 @@ ensure_user_exists() { if [[ -n "$home" ]]; then mkdir -p "$home" usermod -d "$home" "$user" >/dev/null 2>&1 - configure_permissions_ownership "$home" -d "775" -f "664" -u "$user" -g "$group" + configure_permissions_ownership "$home" -d "775" -f "664" -u "$user" -g "$group" -n fi } diff --git a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libvalidations.sh b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libvalidations.sh index bbd31b26bb2c5..3a996383cfabd 100644 --- a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libvalidations.sh +++ b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libvalidations.sh @@ -20,7 +20,7 @@ ######################### is_int() { local -r int="${1:?missing value}" - if [[ "$int" =~ ^-?[0-9]+ ]]; then + if [[ "$int" =~ ^-?[0-9]+$ ]]; then true else false diff --git a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libversion.sh b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libversion.sh index f0d5a5cd33892..770861ecedcd3 100644 --- a/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libversion.sh +++ b/bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libversion.sh 
@@ -49,3 +49,36 @@ get_sematic_version () {
 fi
 fi
 }
+
+########################
+# Compares two semantic versions
+# Arguments:
+# $1 - version1: first version to compare
+# $2 - version2: second version to compare
+# Returns:
+# -1 if version1 is less than version2
+# 0 if version1 is equal to version2
+# 1 if version1 is greater than version2
+#########################
+compare_semantic_versions() {
+ local version1="${1:?version1 is required}"
+ local version2="${2:?version2 is required}"
+ local major1 major2 minor1 minor2 patch1 patch2
+
+ major1="$(get_sematic_version "$version1" 1)"
+ major2="$(get_sematic_version "$version2" 1)"
+ minor1="$(get_sematic_version "$version1" 2)"
+ minor2="$(get_sematic_version "$version2" 2)"
+ patch1="$(get_sematic_version "$version1" 3)"
+ patch2="$(get_sematic_version "$version2" 3)"
+
+ if [[ "$major1" -eq "$major2" ]] && [[ "$minor1" -eq "$minor2" ]] && [[ "$patch1" -eq "$patch2" ]]; then
+ echo "0"
+ elif [[ "$major1" -lt "$major2" ]] ||
+ { [[ "$major1" -eq "$major2" ]] && [[ "$minor1" -lt "$minor2" ]]; } ||
+ { [[ "$major1" -eq "$major2" ]] && [[ "$minor1" -eq "$minor2" ]] && [[ "$patch1" -lt "$patch2" ]]; }; then
+ echo "-1"
+ else
+ echo "1"
+ fi
+}
diff --git a/bitnami/influxdb/3/debian-12/rootfs/opt/bitnami/scripts/influxdb/setup.sh b/bitnami/influxdb/3/debian-12/rootfs/opt/bitnami/scripts/influxdb/setup.sh
index e0dc2a57503ae..f799bf9ed6162 100755
--- a/bitnami/influxdb/3/debian-12/rootfs/opt/bitnami/scripts/influxdb/setup.sh
+++ b/bitnami/influxdb/3/debian-12/rootfs/opt/bitnami/scripts/influxdb/setup.sh
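Review bot: `compare_semantic_versions` passes the output of `get_sematic_version` straight into `[[ … -eq … ]]` and `-lt`, where bash evaluates each operand as an arithmetic expression, so an empty or non-numeric component (a two-part version, a pre-release suffix) is treated as 0 or evaluated as an expression instead of being rejected. Check each of the six components before comparing, for example `[[ "$major1" =~ ^[0-9]+$ ]] || return 1`, and treat version strings from outside the image as untrusted input. The header's "Returns" section lists -1/0/1, but those values are written to stdout and the exit status is always 0; the header should say so, and also that pre-release and build metadata are ignored. Only the tail of `get_sematic_version` is visible in this hunk, so whether it already filters such input needs confirming.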
@@ -23,8 +23,8 @@ influxdb_validate if am_i_root && ! is_influxdb_3; then chown -R "$INFLUXDB_DAEMON_USER" "$INFLUXDB_VOLUME_DIR" "$INFLUXDB_CONF_DIR" fi -# Ensure InfluxDB is stopped when this script ends. -trap "influxdb_stop" EXIT +# Ensure InfluxDB is stopped when this script ends and we clean up temporary files +trap "influxdb_stop; cleanup_credentials" EXIT # Ensure InfluxDB is initialized influxdb_initialize # Allow running custom initialization scripts diff --git a/bitnami/influxdb/3/debian-12/rootfs/opt/bitnami/scripts/libinfluxdb.sh b/bitnami/influxdb/3/debian-12/rootfs/opt/bitnami/scripts/libinfluxdb.sh index 716d018ab3a05..fd9715653621b 100644 --- a/bitnami/influxdb/3/debian-12/rootfs/opt/bitnami/scripts/libinfluxdb.sh +++ b/bitnami/influxdb/3/debian-12/rootfs/opt/bitnami/scripts/libinfluxdb.sh @@ -8,6 +8,7 @@ # Load Generic Libraries . /opt/bitnami/scripts/liblog.sh +. /opt/bitnami/scripts/libfile.sh . /opt/bitnami/scripts/libfs.sh . /opt/bitnami/scripts/libos.sh . /opt/bitnami/scripts/libservice.sh @@ -214,13 +215,8 @@ influxdb_create_primary_setup() { ) # Avoid passing credentials as arguments to influx CLI, to avoid leaking them # given a local observer with /proc read access can read them - # Instead, we can read them from temporary files local admin_user_password_file - admin_user_password_file="$(mktemp)" - chmod 0600 "$admin_user_password_file" - echo "$INFLUXDB_ADMIN_USER_PASSWORD" > "$admin_user_password_file" - # shellcheck disable=SC2064 - trap "rm -f $admin_user_password_file" RETURN ERR INT TERM + admin_user_password_file="$(credential_to_temp_file "$INFLUXDB_ADMIN_USER_PASSWORD")" args+=('--password' "$(<"$admin_user_password_file")") if [ -n "${INFLUXDB_ADMIN_USER_TOKEN}" ]; then 
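Review bot: In `trap "influxdb_stop; cleanup_credentials" EXIT` the credential cleanup runs only after `influxdb_stop` returns, and if setup.sh runs with errexit (not visible in this hunk) a failing `influxdb_stop` can end the handler before the temporary files are removed. `trap "cleanup_credentials; influxdb_stop" EXIT` or `trap "influxdb_stop || true; cleanup_credentials" EXIT` makes the removal independent of the stop result. An EXIT handler does not run when the process is killed with SIGKILL, so the files can still outlive the script; the comment above the trap should say that the cleanup is best-effort.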
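Review bot: In `influxdb_create_primary_setup` the context line `args+=('--password' "$(<"$admin_user_password_file")")` reads the secret back out of the temp file into the argument array, so as far as this hunk shows the password still reaches the CLI's argv, which the comment just above says to avoid; the `influxdb_run_upgrade` hunk at -265 has the same pattern. If the CLI accepts the password from a file or stdin, pass that instead, because otherwise the temp file only adds an on-disk copy of the secret without removing the argv exposure. The new call is unchecked, so on failure the variable is empty and the following `$(<…)` fails later with a less useful message; `admin_user_password_file="$(credential_to_temp_file "$INFLUXDB_ADMIN_USER_PASSWORD")" || return 1` fails at the right place. With the per-function `trap … RETURN` removed, the file now lives until the caller's EXIT trap runs `cleanup_credentials`, so an entrypoint that calls these functions without that trap leaves the secret behind; `rm -f -- "$admin_user_password_file"` right after the `args+=` line restores the short lifetime.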
@@ -265,13 +261,8 @@ influxdb_run_upgrade() { # Avoid passing credentials as arguments to influx CLI, to avoid leaking them # given a local observer with /proc read access can read them - # Instead, we can read them from temporary files local admin_user_password_file - admin_user_password_file="$(mktemp)" - chmod 0600 "$admin_user_password_file" - echo "$INFLUXDB_ADMIN_USER_PASSWORD" > "$admin_user_password_file" - # shellcheck disable=SC2064 - trap "rm -f $admin_user_password_file" RETURN ERR INT TERM + admin_user_password_file="$(credential_to_temp_file "$INFLUXDB_ADMIN_USER_PASSWORD")" args+=('--password' "$(<"$admin_user_password_file")") if [ -n "${INFLUXDB_ADMIN_USER_TOKEN}" ]; then @@ -394,7 +385,7 @@ influxdb_start_bg() { debug_execute "${start_command[@]}" & wait-for-port "$INFLUXDB_HTTP_PORT_NUMBER" else - INFLUXDB_HTTP_HTTPS_ENABLED=false INFLUXDB_HTTP_BIND_ADDRESS="127.0.0.1:${INFLUXDB_HTTP_PORT_NUMBER}" debug_execute "${start_command[@]}" & + INFLUXDB_HTTP_HTTPS_ENABLED=false INFLUXD_HTTP_BIND_ADDRESS="127.0.0.1:${INFLUXDB_HTTP_PORT_NUMBER}" debug_execute "${start_command[@]}" & wait-for-port --timeout="$INFLUXDB_PORT_READINESS_TIMEOUT" "$INFLUXDB_HTTP_PORT_NUMBER" wait_for_influxdb fi
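Review bot: The `influxdb_start_bg` hunk renames only one of the two inline overrides, leaving `INFLUXDB_HTTP_HTTPS_ENABLED=false` next to `INFLUXD_HTTP_BIND_ADDRESS="127.0.0.1:${INFLUXDB_HTTP_PORT_NUMBER}"`, and nothing in the hunk says which prefix the daemon started in this branch reads. This override is what keeps the bootstrap instance on loopback while setup runs, so if the name is not the one the daemon honours it listens on its configured default address during initialization. Add a comment naming the daemon version each variable targets, for example `# influxd 2.x reads INFLUXD_*; INFLUXDB_* is the 1.x form`, after confirming it against the branch condition, which is outside this hunk. A check after `wait-for-port` that the listener is bound to 127.0.0.1 only would catch a regression in either direction.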