Summary

Fixes #137.

This change scans the base and distribution layers to include dependencies in the SBoM. I could not figure out a more targeted approach since there is no way to query the Liberty feature installer tool to see which jars and versions it installs for a given feature at the moment.

I also tried investigating on providing the information in a manner useful to vulnerability scanners like grype but it did not look possible since Liberty only includes the version of Liberty that a vulnerability is resolved in and does not include the which feature is vulnerable and what version of the feature it is resolved in. I talked with the lead maintainer for Open Liberty and he was open to improving this process.

I was not sure the best approach for including feature and iFix information in the SBoM. If there is a better approach to include useful information, please let me know and I can try to update.

Use Cases

• Include feature and iFix information in the SBoM.

Checklist

• [X] I have viewed, signed, and submitted the Contributor License Agreement.
• [X] I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
• [X] I have added an integration test, if necessary.
• [X] I have reviewed the styleguide for guidance on my code quality.
• [X] I'm happy with the commit history on this PR (I have rebased/squashed as needed).

The configuration information is not clear enough

• $BP_LIBERTY_VERSION
  • need an example of how the version looks like, 22.0.0.7
  • what value for the latest version?
• $BP_LIBERTY_PROFILE
  • beside full, what are the other values?
• $BP_LIBERTY_CONTEXT_ROOT
  • if the server.xml has an application named app defined, will also generate and override the context root?
• $BP_LIBERTY_FEATURES
  • better point to a Open Liberty features doc, e.g. https://openliberty.io/docs/latest/reference/feature/feature-overview.html
• $BP_LIBERTY_EXT_CONF_SHA256
  • how the values look like? list the values or point to another doc

the server.xml contains cdi-3.0, jsonb-2.0, jsonp-2.0, restfulWS-3.0 features

built the image by the following command

pack build --path ./system ^
--env BP_JAVA_APP_SERVER=liberty ^
--env BP_LIBERTY_FEATURES="cdi-3.0 jsonb-2.0 jsonp-2.0 restfulWS-3.0" ^
--env BP_MAVEN_BUILT_ARTIFACT="target/*.[ejw]ar src/main/liberty/config/*" ^
--env BP_LIBERTY_PROFILE=kernel ^
--buildpack paketo-buildpacks/eclipse-openj9 ^
--buildpack paketo-buildpacks/java system:1.0-SNAPSHOT

ran the image and got following error

CWWKF0033E: The singleton features io.openliberty.servlet.api-5.0 and io.openliberty.servlet.api-3.0 cannot be loaded at the same time.  The configured features restfulWS-3.0 and restfulWS-3.0 include one or more features that cause the conflict. Your configuration is not supported; update server.xml to remove incompatible features.

What happened?

• What were you attempting to do? Tried to execute this buildpack against OpenLiberty starter created app https://openliberty.io/start/ hoping to have src/main/liberty/config/server.xml included in the image

• What did you expect to happen? I wanted to use src/main/liberty/config/server.xml as a /layers/paketo-buildpacks_open-liberty/open-liberty-runtime-full/usr/servers/defaultServer/server.xml in the image

• What was the actual behavior? Please provide log output, if possible. Going through the code and docs I spotted that custom server.xml is possible with bindings. However, to me, it looks like it's only possible with bindings for the run image rather than the build image. The problem I see is that if I want to use e.g.

    <featureManager>
        <feature>javaee-7.0</feature>
        <feature>microProfile-1.4</feature>
    </featureManager>

I need to bind server.xml when actually running the container rather than when building it. My understanding is that the recommended way of doing it (according to the OpenLiberty guide) is to include server.xml within the image. Please let me know if there is some other way of adding standard features to server.xml in this buildpack.

Build Configuration

• What platform (pack, kpack, tekton buildpacks plugin, etc.) are you using? Please include a version. pack Pack: Version: 0.24.0 OS/Arch: linux/amd64

Default Lifecycle Version: 0.13.3

Supported Platform APIs: 0.3, 0.4, 0.5, 0.6, 0.7, 0.8

• What buildpacks are you using? Please include versions. paketo-buildpacks/java gcr.io/paketo-buildpacks/open-liberty

paketo-buildpacks/ca-certificates 3.0.3 paketo-buildpacks/bellsoft-liberica 9.1.0 paketo-buildpacks/syft 1.7.0 paketo-buildpacks/apache-tomcat 7.1.0 paketo-buildpacks/dist-zip 5.1.0 paketo-buildpacks/spring-boot 5.5.0 paketo-buildpacks/open-liberty 0.3.2

• What builder are you using? If custom, can you provide the output from pack inspect-builder <builder>? paketobuildpacks/builder:base

• Can you provide a sample app or relevant configuration (buildpack.yml, nginx.conf, etc.)?

any app generated with

pack build -e BP_DEBUG --buildpack paketo-buildpacks/java --buildpack gcr.io/paketo-buildpacks/open-liberty app-name --path target/app-name

Checklist

• [ ] I have included log output. n/a
• [ ] The log output includes an error message. n/a
• [x] I have included steps for reproduction.

Summary

The proposed change is to add BP_INSTALL_TYPE option to configure which Liberty runtime we use. The value defaults to ol which just pulls Open Liberty archive as it did originally.

Three other runtime options were added:

• wlp (not actually implemented yet): Download and use WebSphere Liberty runtime.
• ol-stack Do not contribute any Liberty runtime in the buildpack. Instead use the OL runtime provided in the stack (requires an OL stack run image)
• wlp-stack Do not contribute any Liberty runtime in the buildpack. Instead use the WLP runtime provided in the stack (requires an WLP stack run image)

Note: Two stack options were necessary since the OL and WLP use different root paths for their runtime. If we can determine which stack run image is being used during build, maybe we can combine both options to just stack.

Use Cases

Allows user to configure which runtime they'd like to use. The stack options allow users that are dependent on the existing OL / WLP images to use the Open Liberty CNB.

Checklist

• [x] I have viewed, signed, and submitted the Contributor License Agreement. (IN PROGRESS)
• [ ] I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
• [X] I have added an integration test, if necessary.
• [X] I have reviewed the styleguide for guidance on my code quality.
• [X] I'm happy with the commit history on this PR (I have rebased/squashed as needed).

Summary

Fixes #168. Fix caching of the base layer so that users do not need to clear the cache to update their config.

Use Cases

Allows users to update their Liberty server config without clearing their cache.

Checklist

• [X] I have viewed, signed, and submitted the Contributor License Agreement.
• [X] I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
• [X] I have added an integration test, if necessary.
• [X] I have reviewed the styleguide for guidance on my code quality.
• [X] I'm happy with the commit history on this PR (I have rebased/squashed as needed).

These changes are necessary to be compliant with stricter security settings where build and run user ID will be different.

Fixes #70, #156, #197

Summary

This change gets rid of the linker as it won't be usable with the stricter security settings coming to buildpacks. I included changes for issue 156 to include a proper default server.xml as it is necessary during the build process now (e.g. for installing server features).

Use Cases

Necessary for stricter security settings coming to buildpacks.

Checklist

• [X] I have viewed, signed, and submitted the Contributor License Agreement.
• [X] I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
• [X] I have added an integration test, if necessary.
• [X] I have reviewed the styleguide for guidance on my code quality.
• [X] I'm happy with the commit history on this PR (I have rebased/squashed as needed).

The image built by paketo with kernel profile does not work.

Expected Behavior

works

Current Behavior

not work

Steps to Reproduce

• git clone https://github.com/uhryniuk/draft-guide-containerize-paketo.git
• cd draft-guide-containerize-paketo/finish
• mvn package

scenario 1

• run following command:

pack build \
--env BP_JAVA_APP_SERVER=liberty \
--env BP_MAVEN_BUILT_ARTIFACT="target/*.war src/main/liberty/config/*" \
--env BP_LIBERTY_PROFILE=kernel \
--env BP_LIBERTY_FEATURES="cdi-3.0 jsonb-2.0 jsonp-2.0 restfulWS-3.0 jsp-2.3" \
--buildpack paketo-buildpacks/eclipse-openj9 \
--buildpack paketo-buildpacks/java \
--creation-time now \
system:1.0-SNAPSHOT

• docker run --rm -d --name system -p 9080:9080 system:1.0-SNAPSHOT
• visit http://localhost:9080 and have no response because the server cannot be started
• docker logs system and will get the following error. Most likely the buildpacks installed incorrect set of features

{"type":"liberty_message","host":"0c3568ee7a48","ibm_userDir":"\/layers\/paketo-buildpacks_liberty\/open-liberty-runtime-kernel\/usr\/","ibm_serverName":"defaultServer","message":"CWWKF0033E: The singleton features io.openliberty.servlet.api-5.0 and io.openliberty.servlet.api-3.0 cannot be loaded at the same time.  The configured features restfulWS-3.0 and restfulWS-3.0 include one or more features that cause the conflict. Your configuration is not supported; update server.xml to remove incompatible features.","ibm_threadId":"0000002c","ibm_datetime":"2022-07-18T19:34:41.498+0000","ibm_messageId":"CWWKF0033E","module":"com.ibm.ws.kernel.feature.internal.FeatureManager","loglevel":"ERROR","ibm_sequence":"1658172881498_0000000000005"}

scenario 2

• run following command by this recommendation (not using BP_MAVEN_BUILT_ARTIFACT):

pack build \
--env BP_JAVA_APP_SERVER=liberty \
--env BP_LIBERTY_PROFILE=kernel \
--env BP_LIBERTY_FEATURES="cdi-3.0 jsonb-2.0 jsonp-2.0 restfulWS-3.0 jsp-2.3" \
--buildpack paketo-buildpacks/eclipse-openj9 \
--buildpack paketo-buildpacks/java \
--creation-time now \
system:1.0-SNAPSHOT

• docker run --rm -d --name system -p 9080:9080 system:1.0-SNAPSHOT
• visit http://localhost:9080 and should have no problem
• visit http://localhost:9080/system/properties and will get error
  • Error 404: java.io.FileNotFoundException: SRVE0190E: File not found: /system/properties
• run docker exec -it system cat /layers/paketo-buildpacks_liberty/open-liberty-runtime-kernel/usr/servers/defaultServer/server.xml. I found the server.xml is not from finish/src/main/liberty/config/server.xml
• surely the recommendation is not the solution.

Motivations

We are writing an introduction guide but paketo buildpack does not work as expected

Summary

Skip expanding app archive and just symlink it to reduce image size.

Use Cases

Decreases image size to reduce costs to store, transfer, etc. the image.

Checklist

• [X] I have viewed, signed, and submitted the Contributor License Agreement.
• [X] I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
• [X] I have added an integration test, if necessary.
• [X] I have reviewed the styleguide for guidance on my code quality.
• [X] I'm happy with the commit history on this PR (I have rebased/squashed as needed).

The JRE layer needs to be present at runtime but does not need to be present at build time. If required a JDK layer should be present at build time instead.

Signed-off-by: Emily Casey [email protected]

Summary

Use Cases

Checklist

• [x] I have viewed, signed, and submitted the Contributor License Agreement.
• [x] I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
• [x] I have added an integration test, if necessary.
• [x] I have reviewed the styleguide for guidance on my code quality.
• [x] I'm happy with the commit history on this PR (I have rebased/squashed as needed).

Summary

Add support to install Liberty features and Liberty fixes.

Use Cases

Most liberty profiles have a subset of all available features. This PR will give the user a method to install liberty features they want to use with a smaller footprint profile. Features are specified in a space delimited list in the environment variable BP_LIBERTY_FEATURES.

iFixes are interim fixes that can be applied to a liberty installation Typically, these are security or vulnerability fixes that require immediate remediation and can not wait until the next Liberty release. This PR provides a method to install iFixes using an external configuration package.

Checklist

• [x] I have viewed, signed, and submitted the Contributor License Agreement.
• [ ] I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
• [x] I have added an integration test, if necessary.
• [x] I have reviewed the styleguide for guidance on my code quality.
• [x] I'm happy with the commit history on this PR (I have rebased/squashed as needed).

Summary

Add the value of BP_LIBERTY_CONTEXT_ROOT to the base layer metadata so that it causes config to be regenerated with the new context root value.

Use Cases

Allows users to update their context root without having to clear their cache.

Checklist

• [X] I have viewed, signed, and submitted the Contributor License Agreement.
• [X] I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
• [X] I have added an integration test, if necessary.
• [X] I have reviewed the styleguide for guidance on my code quality.
• [X] I'm happy with the commit history on this PR (I have rebased/squashed as needed).

Summary

The buildpack now generates app.xml if app config has been provided in the server.xml or not. This allows the Liberty buildpack to override the app location and context root (if BP_LIBERTY_CONTEXT_ROOT is provided). This change requires an ID to be set on the app config element in order for app config to be merged properly; if not set, the build will fail.

The buildpack also now checks server.xml for any app configs defined with webApplication or enterpriseApplication in addition to application.

Use Cases

Allows the buildpack to override the location and context root even if app config is provided in the server.xml.

Checklist

• [X] I have viewed, signed, and submitted the Contributor License Agreement.
• [X] I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
• [X] I have added an integration test, if necessary.
• [X] I have reviewed the styleguide for guidance on my code quality.
• [X] I'm happy with the commit history on this PR (I have rebased/squashed as needed).

The OL image built by ci.docker has following file structures

• liberty runtime is located at /opt/ol/wlp
• server configuration is also located at /config
• logs files are located at /logs
• ifixes should be put at /opt/ol/fixes/

The OL image built by Paketo

• liberty runtime /layers/paketo-buildpacks_liberty/open-liberty-runtime-kernel
• server configuration and logs is located at /layers/paketo-buildpacks_liberty/open-liberty-runtime-kernel/usr/servers/defaultServer

For user experience reason, it is better for the Paketo OL image to have same file structures as ci.docker does.

What happened?

$BPL_OPENLIBERTY_LOG_LEVEL is documented but not yet implemented. This needs to be implemented.

Checklist

• [ ] I have included log output.
• [ ] The log output includes an error message.
• [ ] I have included steps for reproduction.