[bitnami/influxdb] Release 3.9.2-debian-12-r6

bitnami/influxdb/3/debian-12/Dockerfile

@@ -7,7 +7,7 @@ ARG DOWNLOADS_URL="downloads.bitnami.com/files/stacksmith"
 ARG TARGETARCH
 
 LABEL org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \
-      org.opencontainers.image.created="2026-05-25T14:45:46Z" \
+      org.opencontainers.image.created="2026-06-05T18:31:34Z" \
       org.opencontainers.image.description="Application packaged by Broadcom, Inc." \
       org.opencontainers.image.documentation="https://github.com/bitnami/containers/tree/main/bitnami/influxdb/README.md" \
       org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/influxdb" \
@@ -28,19 +28,19 @@ RUN --mount=type=secret,id=downloads_url,env=SECRET_DOWNLOADS_URL \
     DOWNLOADS_URL=${SECRET_DOWNLOADS_URL:-${DOWNLOADS_URL}} ; \
     mkdir -p /tmp/bitnami/pkg/cache/ ; cd /tmp/bitnami/pkg/cache/ || exit 1 ; \
     COMPONENTS=( \
-      "libpython-3.12.13-3-linux-${OS_ARCH}-debian-12" \
+      "libpython-3.12.13-4-linux-${OS_ARCH}-debian-12" \
       "influxdb-3.9.2-0-linux-${OS_ARCH}-debian-12" \
-      "wait-for-port-1.0.10-10-linux-${OS_ARCH}-debian-12" \
+      "wait-for-port-1.0.10-11-linux-${OS_ARCH}-debian-12" \
     ) ; \
     for COMPONENT in "${COMPONENTS[@]}"; do \
       if [ ! -f "${COMPONENT}.tar.gz" ]; then \
         curl -SsLf "https://${DOWNLOADS_URL}/${COMPONENT}.tar.gz" -O ; \
-        curl -SsLf "https://${DOWNLOADS_URL}/${COMPONENT}.tar.gz.sha256" -O ; \
       fi ; \
-      sha256sum -c "${COMPONENT}.tar.gz.sha256" ; \
+      sha256sum -c "/opt/bitnami/checksums/${COMPONENT}.tar.gz.sha256" ; \
       tar -zxf "${COMPONENT}.tar.gz" -C /opt/bitnami --strip-components=2 --no-same-owner ; \
-      rm -rf "${COMPONENT}".tar.gz{,.sha256} ; \
-    done
+      rm -rf "${COMPONENT}".tar.gz ; \
+    done ; \
+    rm -rf /opt/bitnami/checksums ;
 RUN apt-get update && apt-get upgrade -y && \
     apt-get clean && rm -rf /var/lib/apt/lists /var/cache/apt/archives
 RUN chmod g+rwX /opt/bitnami
@@ -50,8 +50,8 @@ COPY rootfs /
 RUN /opt/bitnami/scripts/influxdb/postunpack.sh
 ENV APP_VERSION="3.9.2" \
     BITNAMI_APP_NAME="influxdb" \
-    IMAGE_REVISION="5" \
-    LD_LIBRARY_PATH="/opt/bitnami/python/lib:$LD_LIBRARY_PATH" \
+    IMAGE_REVISION="6" \
+    LD_LIBRARY_PATH="/opt/bitnami/python/lib" \
     PATH="/opt/bitnami/influxdb/bin:/opt/bitnami/common/bin:$PATH"
 
 VOLUME [ "/bitnami/influxdb" ]

bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/influxdb-3.9.2-0-linux-amd64-debian-12.tar.gz.sha256

@@ -0,0 +1 @@
+c8a48abc2e3ef2ae0a27db0f57af9f6f5f216f7bd3c4242f4cdc7ecffb2dd443  influxdb-3.9.2-0-linux-amd64-debian-12.tar.gz

bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/influxdb-3.9.2-0-linux-arm64-debian-12.tar.gz.sha256

@@ -0,0 +1 @@
+467483f07803433f3e773148b6efb68827a7e116a09ebad7c54f354cf4380a36  influxdb-3.9.2-0-linux-arm64-debian-12.tar.gz

bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/libpython-3.12.13-4-linux-amd64-debian-12.tar.gz.sha256

@@ -0,0 +1 @@
+042c31d20f1294a6645c3001367194123ab86462ab2de31444501c61a2f85427  libpython-3.12.13-4-linux-amd64-debian-12.tar.gz

bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/libpython-3.12.13-4-linux-arm64-debian-12.tar.gz.sha256

@@ -0,0 +1 @@
+fbfcc9a072dc9630fd24722ce606794dcd62811d0c813006b5de7eed0424d8af  libpython-3.12.13-4-linux-arm64-debian-12.tar.gz

bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/wait-for-port-1.0.10-11-linux-amd64-debian-12.tar.gz.sha256

@@ -0,0 +1 @@
+b8a9cd842e95ae16de5bbf157cc7e246c79a24d3b5b626bcce32f6904a895383  wait-for-port-1.0.10-11-linux-amd64-debian-12.tar.gz

bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/checksums/wait-for-port-1.0.10-11-linux-arm64-debian-12.tar.gz.sha256

@@ -0,0 +1 @@
+ae2e822f8c673eb66a2cadbc6dc5fe9c8c0791564751e453a04a416ab9bd6f61  wait-for-port-1.0.10-11-linux-arm64-debian-12.tar.gz

bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libfile.sh

@@ -139,3 +139,40 @@ wait_for_log_entry() {
         return 1
     fi
 }
+
+########################
+# Creates a secure temporary file containing the provided secret
+# Arguments:
+#   $1 - secret to write to the temporary file
+# Returns:
+#   String
+#########################
+credential_to_temp_file() {
+    local secret="$1"
+    local tmp_file
+
+    # Use mktemp with a specific prefix for easier debugging if something lingers
+    if ! tmp_file=$(mktemp "${TMPDIR:-/tmp}/at.cred.XXXXXXXX"); then
+        echo "Error: Failed to create temp file" >&2
+        return 1
+    fi
+
+    # Restrict permissions before writing the secret
+    chmod 0600 "$tmp_file"
+    # Write secret and ensure it's flushed to disk
+    printf "%s" "$secret" > "$tmp_file"
+    # Output the filename so the caller can capture it
+    echo "$tmp_file"
+}
+
+########################
+# Cleans up temporary files created by credential_to_temp_file
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+cleanup_credentials() {
+    debug "Cleaning up temporary files containing credentials"
+    rm -rf "${TMPDIR:-/tmp}"/at.cred.*
+}

bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libfs.sh

@@ -131,6 +131,7 @@ relativize() {
 #   -d|--dir-mode - mode for files.
 #   -u|--user - user
 #   -g|--group - group
+#   -n|--no-dereference - do not follow symlinks (use for runtime root chown of daemon-writable dirs)
 # Returns:
 #   None
 #########################
@@ -140,6 +141,7 @@ configure_permissions_ownership() {
     local file_mode=""
     local user=""
     local group=""
+    local follow_symlinks="yes"
 
     # Validate arguments
     shift 1
@@ -161,6 +163,9 @@ configure_permissions_ownership() {
             shift
             group="${1:?missing group}"
             ;;
+        -n | --no-dereference)
+            follow_symlinks="no"
+            ;;
         *)
             echo "Invalid command line flag $1" >&2
             return 1
@@ -169,22 +174,29 @@ configure_permissions_ownership() {
         shift
     done
 
+    # -L: follow symlinks and emits the target path
+    # This is dangerous at runtime, given a co-located lower-privileged process with write access
+    # to the target path can redirect the chown/chmod to arbitrary paths. Example:
+    # Lower-privileged process run: ln -s /etc /tmp/etc
+    # Then, setup.sh runs: configure_permissions_ownership --dir-mode 775 /tmp
+    local find_L_flag=(); [[ "$follow_symlinks" == "yes" ]] && find_L_flag=("-L")
+    # -h: changes symlink inode ownership without touching the target.
+    local chown_flags=(); [[ "$follow_symlinks" == "no" ]] && chown_flags=("-h")
     read -r -a filepaths <<<"$paths"
     for p in "${filepaths[@]}"; do
         if [[ -e "$p" ]]; then
-            find -L "$p" -printf ""
             if [[ -n $dir_mode ]]; then
-                find -L "$p" -type d ! -perm "$dir_mode" -print0 | xargs -r -0 chmod "$dir_mode"
+                find "${find_L_flag[@]}" "$p" -not -type l -type d ! -perm "$dir_mode" -print0 | xargs -r -0 chmod "$dir_mode"
             fi
             if [[ -n $file_mode ]]; then
-                find -L "$p" -type f ! -perm "$file_mode" -print0 | xargs -r -0 chmod "$file_mode"
+                find "${find_L_flag[@]}" "$p" -not -type l -type f ! -perm "$file_mode" -print0 | xargs -r -0 chmod "$file_mode"
             fi
             if [[ -n $user ]] && [[ -n $group ]]; then
-                find -L "$p" -print0 | xargs -r -0 chown "${user}:${group}"
+                find "${find_L_flag[@]}" "$p" -print0 | xargs -r -0 chown "${chown_flags[@]}" "${user}:${group}"
             elif [[ -n $user ]] && [[ -z $group ]]; then
-                find -L "$p" -print0 | xargs -r -0 chown "${user}"
+                find "${find_L_flag[@]}" "$p" -print0 | xargs -r -0 chown "${chown_flags[@]}" "${user}"
             elif [[ -z $user ]] && [[ -n $group ]]; then
-                find -L "$p" -print0 | xargs -r -0 chgrp "${group}"
+                find "${find_L_flag[@]}" "$p" -print0 | xargs -r -0 chgrp "${chown_flags[@]}" "${group}"
             fi
         else
             stderr_print "$p does not exist"

bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libos.sh

@@ -170,7 +170,7 @@ ensure_user_exists() {
     if [[ -n "$home" ]]; then
         mkdir -p "$home"
         usermod -d "$home" "$user" >/dev/null 2>&1
-        configure_permissions_ownership "$home" -d "775" -f "664" -u "$user" -g "$group"
+        configure_permissions_ownership "$home" -d "775" -f "664" -u "$user" -g "$group" -n
     fi
 }
 

bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libvalidations.sh

@@ -20,7 +20,7 @@
 #########################
 is_int() {
     local -r int="${1:?missing value}"
-    if [[ "$int" =~ ^-?[0-9]+ ]]; then
+    if [[ "$int" =~ ^-?[0-9]+$ ]]; then
         true
     else
         false

bitnami/influxdb/3/debian-12/prebuildfs/opt/bitnami/scripts/libversion.sh

@@ -49,3 +49,36 @@ get_sematic_version () {
         fi
     fi
 }
+
+########################
+# Compares two semantic versions
+# Arguments:
+#   $1 - version1: first version to compare
+#   $2 - version2: second version to compare
+# Returns:
+#   -1 if version1 is less than version2
+#   0 if version1 is equal to version2
+#   1 if version1 is greater than version2
+#########################
+compare_semantic_versions() {
+    local version1="${1:?version1 is required}"
+    local version2="${2:?version2 is required}"
+    local major1 major2 minor1 minor2 patch1 patch2
+
+    major1="$(get_sematic_version "$version1" 1)"
+    major2="$(get_sematic_version "$version2" 1)"
+    minor1="$(get_sematic_version "$version1" 2)"
+    minor2="$(get_sematic_version "$version2" 2)"
+    patch1="$(get_sematic_version "$version1" 3)"
+    patch2="$(get_sematic_version "$version2" 3)"
+
+    if [[ "$major1" -eq "$major2" ]] && [[ "$minor1" -eq "$minor2" ]] && [[ "$patch1" -eq "$patch2" ]]; then
+        echo "0"
+    elif [[ "$major1" -lt "$major2" ]] ||
+      { [[ "$major1" -eq "$major2" ]] && [[ "$minor1" -lt "$minor2" ]]; } ||
+      { [[ "$major1" -eq "$major2" ]] && [[ "$minor1" -eq "$minor2" ]] && [[ "$patch1" -lt "$patch2" ]]; }; then
+        echo "-1"
+    else
+        echo "1"
+    fi
+}

bitnami/influxdb/3/debian-12/rootfs/opt/bitnami/scripts/influxdb/setup.sh

@@ -23,8 +23,8 @@ influxdb_validate
 if am_i_root && ! is_influxdb_3; then
     chown -R "$INFLUXDB_DAEMON_USER" "$INFLUXDB_VOLUME_DIR" "$INFLUXDB_CONF_DIR"
 fi
-# Ensure InfluxDB is stopped when this script ends.
-trap "influxdb_stop" EXIT
+# Ensure InfluxDB is stopped when this script ends and we clean up temporary files
+trap "influxdb_stop; cleanup_credentials" EXIT
 # Ensure InfluxDB is initialized
 influxdb_initialize
 # Allow running custom initialization scripts

bitnami/influxdb/3/debian-12/rootfs/opt/bitnami/scripts/libinfluxdb.sh

@@ -8,6 +8,7 @@
 
 # Load Generic Libraries
 . /opt/bitnami/scripts/liblog.sh
+. /opt/bitnami/scripts/libfile.sh
 . /opt/bitnami/scripts/libfs.sh
 . /opt/bitnami/scripts/libos.sh
 . /opt/bitnami/scripts/libservice.sh
@@ -214,13 +215,8 @@ influxdb_create_primary_setup() {
     )
     # Avoid passing credentials as arguments to influx CLI, to avoid leaking them
     # given a local observer with /proc read access can read them
-    # Instead, we can read them from temporary files
     local admin_user_password_file
-    admin_user_password_file="$(mktemp)"
-    chmod 0600 "$admin_user_password_file"
-    echo "$INFLUXDB_ADMIN_USER_PASSWORD" > "$admin_user_password_file"
-    # shellcheck disable=SC2064
-    trap "rm -f $admin_user_password_file" RETURN ERR INT TERM
+    admin_user_password_file="$(credential_to_temp_file "$INFLUXDB_ADMIN_USER_PASSWORD")"
     args+=('--password' "$(<"$admin_user_password_file")")
 
     if [ -n "${INFLUXDB_ADMIN_USER_TOKEN}" ]; then
@@ -265,13 +261,8 @@ influxdb_run_upgrade() {
 
     # Avoid passing credentials as arguments to influx CLI, to avoid leaking them
     # given a local observer with /proc read access can read them
-    # Instead, we can read them from temporary files
     local admin_user_password_file
-    admin_user_password_file="$(mktemp)"
-    chmod 0600 "$admin_user_password_file"
-    echo "$INFLUXDB_ADMIN_USER_PASSWORD" > "$admin_user_password_file"
-    # shellcheck disable=SC2064
-    trap "rm -f $admin_user_password_file" RETURN ERR INT TERM
+    admin_user_password_file="$(credential_to_temp_file "$INFLUXDB_ADMIN_USER_PASSWORD")"
     args+=('--password' "$(<"$admin_user_password_file")")
 
     if [ -n "${INFLUXDB_ADMIN_USER_TOKEN}" ]; then
@@ -394,7 +385,7 @@ influxdb_start_bg() {
         debug_execute "${start_command[@]}" &
         wait-for-port "$INFLUXDB_HTTP_PORT_NUMBER"
     else
-        INFLUXDB_HTTP_HTTPS_ENABLED=false INFLUXDB_HTTP_BIND_ADDRESS="127.0.0.1:${INFLUXDB_HTTP_PORT_NUMBER}" debug_execute "${start_command[@]}" &
+        INFLUXDB_HTTP_HTTPS_ENABLED=false INFLUXD_HTTP_BIND_ADDRESS="127.0.0.1:${INFLUXDB_HTTP_PORT_NUMBER}" debug_execute "${start_command[@]}" &
         wait-for-port --timeout="$INFLUXDB_PORT_READINESS_TIMEOUT" "$INFLUXDB_HTTP_PORT_NUMBER"
         wait_for_influxdb
     fi