Debian11 and log4shell patch

.travis.yml

@@ -10,6 +10,7 @@ install:
 env:
   jobs:
     - MOLECULE_DISTRO=idealista/jdk:8u252-stretch-openjdk-headless
+    - MOLECULE_DISTRO=idealista/jdk:8u922-bullseye-adoptopenjdk-headless
 script:
   - pipenv run molecule test
 

CHANGELOG.md

@@ -3,6 +3,11 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/) and [Keep a changelog](https://github.com/olivierlacan/keep-a-changelog).
 
 ## [Unreleased](https://github.com/idealista/wildfly_role/tree/develop)
+### Added
+- *[#44](https://github.com/idealista/wildfly_role/issues/44) Add log4shell prevention flag by default* @vicsufer
+### Changed
+- *[#45](https://github.com/idealista/wildfly_role/issues/45) Upgrade role dev dependencies* @vicsufer
+- *[#45](https://github.com/idealista/wildfly_role/issues/45) Dropped debian8 (jessie) support in favour of debian11 (bullseye)* @vicsufer
 
 ## [1.6.2](https://github.com/idealista/wildfly_role/tree/1.6.0) (2021-06-03)
 [Full Changelog](https://github.com/idealista/wildfly_role/compare/1.6.1...1.6.2)

Pipfile

@@ -1,15 +1,17 @@
 [[source]]
-name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
-
-[dev-packages]
+name = "pypi"
 
 [packages]
-ansible = "==2.9.14"
-ansible-lint = "==4.2.0"
-molecule = "==3.0.4"
-docker = "==4.2.2"
+ansible = "==4.6.0"
+ansible-lint = "==5.3.2"
+molecule = "==3.5.2"
+docker = "==5.0.3"
+molecule-containers = "==1.0.0"
+yamllint = "==1.26.3"
+
+[dev-packages]
 
 [requires]
-python_version = "3.7"
+python_version = "3.9"

meta/main.yml

@@ -1,5 +1,7 @@
 ---
 galaxy_info:
+  role_name: wildfly_role
+  namespace: idealista
   company: Idealista S.A.U.
   author: Idealista S.A.U.
   description: wildfly role to install and configure this server
@@ -8,7 +10,7 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
-        - jessie
+        - bullseye
         - stretch
   galaxy_tags:
     - container

molecule/default/Dockerfile.j2

@@ -6,7 +6,13 @@ FROM {{ item.registry.url }}/{{ item.image }}
 FROM {{ item.image }}
 {% endif %}
 
-# install minimal packages for debian slim images
+{% if item.image == 'idealista/jdk:8u292-bullseye-adoptopenjdk-headless' %}
+RUN apt-get update && \
+    apt-get install -y python3 sudo bash ca-certificates iproute2 systemd systemd-sysv python3-pip && \
+    update-alternatives --install /usr/bin/python python /usr/bin/python3 0 &&\
+    apt-get clean
+{% else %}
 RUN apt-get update && \
     apt-get install -y python sudo bash ca-certificates iproute2 systemd systemd-sysv python-pip curl && \
-    apt-get clean
+    apt-get clean
+{% endif %}

molecule/default/converge.yml

@@ -3,5 +3,4 @@
 - name: Converge
   hosts: all
   roles:
-    - role: java
     - role: wildfly_role

molecule/default/group_vars/wildfly.yml

@@ -40,6 +40,3 @@ wildfly_agents_config:
 
 wildfly_agents_required_libs:
   - unzip
-
-## JAVA
-java_jdk_vendor: openjdk

molecule/default/molecule.yml

@@ -12,7 +12,7 @@ platforms:
   - name: wildfly
     groups:
       - wildfly
-    image: ${MOLECULE_DISTRO:-idealista/jdk:8u252-stretch-openjdk-headless}
+    image: ${MOLECULE_DISTRO:-idealista/jdk:8u292-bullseye-adoptopenjdk-headless}
     privileged: false
     command: '/lib/systemd/systemd'
     capabilities:

molecule/default/templates/wildfly/conf/standalone.conf.j2

@@ -54,6 +54,8 @@ JAVA_OPTS="$JAVA_OPTS -Djava.util.logging.manager=org.jboss.logmanager.LogManage
 JAVA_OPTS="$JAVA_OPTS {{ option }}"
 {% endfor %}
 {% endif%}
+# Prevent log4shell
+JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true -Djava.security.egd=file:///dev/urandom"
 
 jboss.http.port={{ wildfly_port }}
 jboss.bind.address={{ wildfly_bind }}

templates/standalone.conf.j2

@@ -72,6 +72,8 @@ JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Dj
 JAVA_OPTS="$JAVA_OPTS {{ option }}"
 {% endfor %}
 {% endif%}
+# Prevent log4shell
+JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true -Djava.security.egd=file:///dev/urandom"
 
 
 jboss.http.port={{ wildfly_port }}

test-requirements.txt

@@ -1,4 +1,6 @@
-ansible==2.9.14
-ansible-lint==4.2.0
-molecule==3.0.4
-docker==4.2.2
+ansible==4.6.0
+ansible-lint==5.3.2
+molecule==3.5.2
+docker==5.0.3
+molecule-containers==1.0.0
+yamllint==1.26.3