Release Neo4j 5.24.1 #17644
Conversation
Sorry for the delay! Looking over the diff, I'm very concerned about the OpenSSL-related changes -- I see those are related to FIPS, and limited to UBI9, which seems odd. Is there no easier way to get/enable FIPS mode for OpenSSL in UBI9 than compiling it from source yourself? Do you have a plan for updating/maintaining that over time to keep up with things like new releases, especially in relation to security updates to OpenSSL? To be explicit/clear, I think this would be a lot better if we could find some cleaner/more supported way to enable FIPS mode in the OpenSSL that's presumably already shipped in the image, or at least the one maintained by the upstream distribution. 🙈
Hi @tianon, I totally understand the skepticism about compiling and installing OpenSSL from source in the Dockerfile. It's not great at all. The reason for the change is that we wanted to add a feature so that anyone who needs to run Neo4j in a FIPS-compatible way can do so, but that requires a FIPS-certified version of OpenSSL to be installed in the image. Currently that would be OpenSSL versions 3.0.0, 3.0.8 or 3.0.9 (citation). For some reason Red Hat only has 3.0.7 in their repositories (not even 3.0.0), so I can't install one of the certified versions from there, sadly. I also couldn't find any official Docker images that provide specific OpenSSL version builds, so there was nowhere I could just do a neat little

That's how I ended up at the current version of our code. I 10000% agree that having some upstream provider of trustworthy OpenSSL binaries would be waaaay preferable though.

Regarding maintenance, I don't think keeping the OpenSSL installation up to date will be too much of an issue, since OpenSSL themselves don't seem to FIPS-certify versions very often (3.0.9 was originally certified on 23/08/2022 (citation)). The latest stable version they've published on their website is 3.3.2, but the latest on RHEL is a super old 3.0.7, and Debian 11 uses 1.1.1f, which is end of life.

That being said, I totally understand you need to maintain the quality of Docker official images. If you think the code is unpublishable as an official image, then I'll revert the changes and update this PR to be a normal version bump.
- gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys \
- 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 \
- B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \
+ 6380DC428747F6C393FEACA59A84159D7001A4E5 \
+ A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C; \
Just because this looked a little odd to me in wondering why It looks like the Red Hat-provided openssl-fips library is just pending certification/review: https://access.redhat.com/articles/compliance_activities_and_gov_standards. Maybe that's enough to just use that and not build the upstream OpenSSL in the image?
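Review bot: the two replacement fingerprints on the `--recv-keys` lines arrive with no comment saying whose keys they are or where they were copied from, so a later reader cannot tell a legitimate signing-key rotation from a substituted key; add a comment above `gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \` naming the expected signer and the page the fingerprints were taken from, and make sure the `gpg --verify` that consumes these keys (not visible in the quoted lines) is kept right next to them. Moving from `hkp://keyserver.ubuntu.com:80` to `hkps://keys.openpgp.org` is an improvement in itself, with one caveat worth a comment: keys.openpgp.org only serves user IDs for verified addresses, so the fetched keys may show no name in `gpg` output and the full fingerprint is the only thing that can be checked.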
I would be ok with using the Red Hat openssl-fips library in general, but the FIPS certification is required to guarantee compliance. Having pending certification isn't enough, sadly. Incidentally, we have to do a new bug fix release either today or tomorrow, so I'll revert these OpenSSL changes when we update this PR. I'll have to resubmit them afterwards though, so your feedback is still very much appreciated!
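The exchange above turns on two checkable facts: whether the OpenSSL in the image actually has a FIPS provider loaded, and whether that provider is one of the validated versions. As an added example (not code from the PR, from Neo4j or from the Docker official images), here is a bash check that parses `openssl list -providers` output and applies an allow-list. The allow-list is the set the reply quotes (3.0.0, 3.0.8, 3.0.9) and is an input to the script, to be kept in line with the CMVP certificate, not something the script verifies. The sample outputs are constructed in the layout OpenSSL 3.x prints. The version that matters is the fips provider's own, since the validation attaches to that module rather than to the `openssl version` banner of the libcrypto that loads it.

```shell
#!/usr/bin/env bash
# Added example, not from the PR or the neo4j image: check whether an
# OpenSSL 3.x install has a FIPS provider loaded and whether that provider's
# version is one we accept. Usage inside a container:
#     openssl list -providers | fips_status
# The allow-list is an INPUT taken from the discussion above (3.0.0, 3.0.8,
# 3.0.9); keep it in line with the CMVP certificate, this script does not
# verify it.
ACCEPTED_FIPS_PROVIDER_VERSIONS=("3.0.0" "3.0.8" "3.0.9")

# Turn `openssl list -providers` output (on stdin) into one line per
# provider: "<name> <version> <status>".
parse_providers() {
    local line name="" version="" status=""
    local name_re='^  ([^ ]+)$'                       # "  default", "  fips"
    local kv_re='^ +(name|version|status): (.*)$'     # "    version: 3.0.9"
    while IFS= read -r line || [[ -n $line ]]; do
        if [[ $line =~ $name_re ]]; then
            [[ -n $name ]] && printf '%s %s %s\n' "$name" "$version" "$status"
            name=${BASH_REMATCH[1]} version="" status=""
        elif [[ $line =~ $kv_re ]]; then
            case ${BASH_REMATCH[1]} in
                version) version=${BASH_REMATCH[2]} ;;
                status)  status=${BASH_REMATCH[2]} ;;
            esac
        fi
    done
    [[ -n $name ]] && printf '%s %s %s\n' "$name" "$version" "$status"
    return 0
}

# Exit codes: 0 ok, 1 fips present but not active, 2 fips active but version
# not accepted, 3 no fips provider at all. The version checked is the
# provider's own: the validation belongs to the fips module, not to the
# `openssl version` banner of the libcrypto that loads it.
fips_status() {
    local parsed name version status v
    parsed=$(parse_providers)
    while read -r name version status; do
        [[ $name == fips ]] || continue
        if [[ $status != active ]]; then
            echo "fips provider present but $status"; return 1
        fi
        for v in "${ACCEPTED_FIPS_PROVIDER_VERSIONS[@]}"; do
            if [[ $version == "$v" ]]; then
                echo "ok: fips provider $version active"; return 0
            fi
        done
        echo "fips provider $version active but not in accepted list"; return 2
    done <<< "$parsed"
    echo "no fips provider loaded"; return 3
}

# Constructed samples in the layout OpenSSL 3.x prints for
# `openssl list -providers`; a real check pipes the command's output instead.
SAMPLE_FIPS_ACTIVE='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

SAMPLE_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active'

SAMPLE_UNLISTED_FIPS='Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.1.2
    status: active'

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    for s in "$SAMPLE_FIPS_ACTIVE" "$SAMPLE_DEFAULT_ONLY" "$SAMPLE_UNLISTED_FIPS"; do
        fips_status <<< "$s" || true
    done
fi
```

A distribution OpenSSL with only the default provider loaded (the second sample) is the situation the reply describes for RHEL's 3.0.7: the binary may be perfectly current, but it is not running a validated FIPS module, and this check reports exactly that rather than inferring anything from the version banner.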
Also revert FIPS
Hello again! Updated the PR with the new Neo4j release along with the revert of the OpenSSL changes. Thanks!
eval "$base_variable_name=$secret_value"
I think this might lead to some accidental evaluation of the secret (since the variable is expanded before the eval
eval "$base_variable_name=\$secret_value"
# or
export "$base_variable_name"="$secret_value"
The
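The review comment above is about where the shell stops parsing. As an added example, not code from the Neo4j image, the bash below puts the two assignments side by side with a constructed secret containing shell metacharacters, read from a file the way the entrypoint reads a `*_FILE` path; the function names, the `INJECTED` marker variable and the sample secret are this example's own.

```shell
#!/usr/bin/env bash
# Added example for the eval-vs-export review comment. Not code from the
# neo4j image; function names, the INJECTED marker and the sample secret are
# this example's own. It shows what happens when a secret read from a
# *_FILE path is assigned with `eval "$name=$value"` versus
# `export "$name"="$value"`.

# Constructed secret: a password that happens to contain shell
# metacharacters. Whoever controls the mounted secret file controls this
# text, so the entrypoint must treat it as data, never as code.
CONSTRUCTED_SECRET='hunter2;INJECTED=yes;$(echo also-expanded)'

# Mirror the entrypoint's file read: `$(<file)` slurps the file and strips
# trailing newlines, which is what you want for a password file.
read_secret_file() {
    local path=$1
    [[ -r $path ]] || return 1
    printf '%s' "$(<"$path")"
}

# VULNERABLE: $secret_value is expanded *before* eval parses the string,
# so the string eval sees is
#   NEO4J_AUTH=hunter2;INJECTED=yes;$(echo also-expanded)
# i.e. three commands, one of which is a command substitution.
unsafe_assign() {
    local base_variable_name=$1 secret_value=$2
    INJECTED=no                                  # marker the payload overwrites
    eval "$base_variable_name=$secret_value" 2>/dev/null || true
    printf '%s:%s' "$INJECTED" "${!base_variable_name}"
}

# SAFE: the shell parses only the literal `export NAME=` part; the value is
# an ordinary word and is stored byte-for-byte. The identifier check makes
# the failure explicit instead of relying on export's own error message.
safe_assign() {
    local base_variable_name=$1 secret_value=$2
    INJECTED=no
    if [[ ! $base_variable_name =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
        echo "refusing to assign to invalid identifier '$base_variable_name'" >&2
        return 1
    fi
    export "$base_variable_name"="$secret_value"
    printf '%s:%s' "$INJECTED" "${!base_variable_name}"
}

# End-to-end: write the constructed secret where a docker secret would be
# mounted, read it back, and assign it both ways.
demo() {
    local tmp value
    tmp=$(mktemp)
    printf '%s\n' "$CONSTRUCTED_SECRET" > "$tmp"
    value=$(read_secret_file "$tmp") || { echo "unreadable" >&2; return 1; }
    rm -f "$tmp"
    echo "eval   -> $(unsafe_assign NEO4J_AUTH "$value")"
    echo "export -> $(safe_assign NEO4J_AUTH "$value")"
}

[[ ${BASH_SOURCE[0]} == "$0" ]] && demo
```

Running it prints `eval   -> yes:hunter2` (the injected assignment ran, the command substitution ran, and the stored value was cut at the first `;`) against `export -> no:hunter2;INJECTED=yes;$(echo also-expanded)`. The `\$secret_value` variant suggested in the comment also works, because eval then sees the literal text `$secret_value` and expands it once as the right-hand side of an assignment, but `export "$name"="$value"` needs no escaping discipline and fails loudly on a bad identifier, which is why the merged diff below uses it.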
Diff for 3a03f87:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index e1ae7b4..9aa5e9a 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,4 +1,4 @@
-Maintainers: Jenny Owen <[email protected]> (@jennyowen), Gustav Lindroth <[email protected]> (@glindroth), Eric Sporre <[email protected]> (@ericsporre)
+Maintainers: Jenny Owen <[email protected]> (@jennyowen), Eric Sporre <[email protected]> (@ericsporre), Tobias Ericsson <[email protected]> (@neo-tobias)
GitRepo: https://github.com/neo4j/docker-neo4j-publish.git
Tags: 4.4.37, 4.4.37-community, 4.4, 4.4-community
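Review bot: the Maintainers line both removes Gustav Lindroth (@glindroth) and adds Tobias Ericsson (@neo-tobias), while the PR body below only talks about adding a colleague; since this line is what authorises future updates to the image, state explicitly that the removal is intended and not a copy-paste loss, so the change can be confirmed against the neo4j organisation rather than inferred.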
@@ -11,22 +11,22 @@ Architectures: amd64, arm64v8
GitCommit: 7422ac53238f689a26144d3c1c5aee434a07a325
Directory: 4.4.37/bullseye/enterprise
-Tags: 5.23.0-community-bullseye, 5.23-community-bullseye, 5-community-bullseye, 5.23.0-community, 5.23-community, 5-community, 5.23.0-bullseye, 5.23-bullseye, 5-bullseye, 5.23.0, 5.23, 5, community-bullseye, community, bullseye, latest
+Tags: 5.24.1-community-bullseye, 5.24-community-bullseye, 5-community-bullseye, 5.24.1-community, 5.24-community, 5-community, 5.24.1-bullseye, 5.24-bullseye, 5-bullseye, 5.24.1, 5.24, 5, community-bullseye, community, bullseye, latest
Architectures: amd64, arm64v8
-GitCommit: 8e55c5a5629327d318a63703f4f4f361c97c6293
-Directory: 5.23.0/bullseye/community
+GitCommit: b38cae5fc959dd046cfa75bc48248f0ec9d2798b
+Directory: 5.24.1/bullseye/community
-Tags: 5.23.0-community-ubi9, 5.23-community-ubi9, 5-community-ubi9, 5.23.0-ubi9, 5.23-ubi9, 5-ubi9, community-ubi9, ubi9
+Tags: 5.24.1-community-ubi9, 5.24-community-ubi9, 5-community-ubi9, 5.24.1-ubi9, 5.24-ubi9, 5-ubi9, community-ubi9, ubi9
Architectures: amd64, arm64v8
-GitCommit: 8e55c5a5629327d318a63703f4f4f361c97c6293
-Directory: 5.23.0/ubi9/community
+GitCommit: b38cae5fc959dd046cfa75bc48248f0ec9d2798b
+Directory: 5.24.1/ubi9/community
-Tags: 5.23.0-enterprise-bullseye, 5.23-enterprise-bullseye, 5-enterprise-bullseye, 5.23.0-enterprise, 5.23-enterprise, 5-enterprise, enterprise-bullseye, enterprise
+Tags: 5.24.1-enterprise-bullseye, 5.24-enterprise-bullseye, 5-enterprise-bullseye, 5.24.1-enterprise, 5.24-enterprise, 5-enterprise, enterprise-bullseye, enterprise
Architectures: amd64, arm64v8
-GitCommit: 8e55c5a5629327d318a63703f4f4f361c97c6293
-Directory: 5.23.0/bullseye/enterprise
+GitCommit: b38cae5fc959dd046cfa75bc48248f0ec9d2798b
+Directory: 5.24.1/bullseye/enterprise
-Tags: 5.23.0-enterprise-ubi9, 5.23-enterprise-ubi9, 5-enterprise-ubi9, enterprise-ubi9
+Tags: 5.24.1-enterprise-ubi9, 5.24-enterprise-ubi9, 5-enterprise-ubi9, enterprise-ubi9
Architectures: amd64, arm64v8
-GitCommit: 8e55c5a5629327d318a63703f4f4f361c97c6293
-Directory: 5.23.0/ubi9/enterprise
+GitCommit: b38cae5fc959dd046cfa75bc48248f0ec9d2798b
+Directory: 5.24.1/ubi9/enterprise
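Review bot: every floating tag (`5`, `5-community`, `5-enterprise`, `latest`, `community`, `enterprise`, `bullseye`, `ubi9` and their combinations) moves to 5.24.1 in this hunk, so anyone tracking those tags picks up not only the Neo4j bump but also the new `_FILE` secrets handling and the plugin-list removals in the entrypoint and `neo4j-plugins.json` diffs below; treat this as a behaviour-changing image release in the changelog rather than a plain version bump.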
diff --git a/_bashbrew-list b/_bashbrew-list
index 64415db..e6dd758 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -13,24 +13,24 @@ neo4j:5-enterprise
neo4j:5-enterprise-bullseye
neo4j:5-enterprise-ubi9
neo4j:5-ubi9
-neo4j:5.23
-neo4j:5.23-bullseye
-neo4j:5.23-community
-neo4j:5.23-community-bullseye
-neo4j:5.23-community-ubi9
-neo4j:5.23-enterprise
-neo4j:5.23-enterprise-bullseye
-neo4j:5.23-enterprise-ubi9
-neo4j:5.23-ubi9
-neo4j:5.23.0
-neo4j:5.23.0-bullseye
-neo4j:5.23.0-community
-neo4j:5.23.0-community-bullseye
-neo4j:5.23.0-community-ubi9
-neo4j:5.23.0-enterprise
-neo4j:5.23.0-enterprise-bullseye
-neo4j:5.23.0-enterprise-ubi9
-neo4j:5.23.0-ubi9
+neo4j:5.24
+neo4j:5.24-bullseye
+neo4j:5.24-community
+neo4j:5.24-community-bullseye
+neo4j:5.24-community-ubi9
+neo4j:5.24-enterprise
+neo4j:5.24-enterprise-bullseye
+neo4j:5.24-enterprise-ubi9
+neo4j:5.24-ubi9
+neo4j:5.24.1
+neo4j:5.24.1-bullseye
+neo4j:5.24.1-community
+neo4j:5.24.1-community-bullseye
+neo4j:5.24.1-community-ubi9
+neo4j:5.24.1-enterprise
+neo4j:5.24.1-enterprise-bullseye
+neo4j:5.24.1-enterprise-ubi9
+neo4j:5.24.1-ubi9
neo4j:bullseye
neo4j:community
neo4j:community-bullseye
diff --git a/neo4j_enterprise-ubi9/Dockerfile b/neo4j_enterprise-ubi9/Dockerfile
index 6d670db..44a4920 100644
--- a/neo4j_enterprise-ubi9/Dockerfile
+++ b/neo4j_enterprise-ubi9/Dockerfile
@@ -50,12 +50,12 @@ RUN set -eux; \
microdnf remove -y git* perl* make gcc glibc-headers glibc-devel libxcrypt-devel; \
microdnf clean all
-ENV NEO4J_SHA256=9311d86cfe0ace3e5f1463dd92db13117d1aae54358113a291e2ca254faec3d9 \
- NEO4J_TARBALL=neo4j-enterprise-5.23.0-unix.tar.gz \
+ENV NEO4J_SHA256=c1b51e08cfb5d8063240656ab58ee0766264b63b27cbcdcff2d28e77f8972534 \
+ NEO4J_TARBALL=neo4j-enterprise-5.24.1-unix.tar.gz \
NEO4J_EDITION=enterprise \
NEO4J_HOME="/var/lib/neo4j" \
LANG=C.UTF-8
-ARG NEO4J_URI=https://dist.neo4j.org/neo4j-enterprise-5.23.0-unix.tar.gz
+ARG NEO4J_URI=https://dist.neo4j.org/neo4j-enterprise-5.24.1-unix.tar.gz
COPY ./local-package/* /startup/
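Review bot: `NEO4J_SHA256` and `NEO4J_URI` change together in this hunk, which is what keeps the download verification meaningful, but nothing in the PR shows where the new digest came from, so a reviewer has to download `neo4j-enterprise-5.24.1-unix.tar.gz` and recompute `sha256sum` to confirm it; linking the upstream published checksum (or the docker-neo4j-publish commit that introduced it) in the PR body would make the change independently checkable. Also visible in the unchanged context: `microdnf remove -y git* perl* make gcc glibc-headers glibc-devel libxcrypt-devel` still strips a compiler toolchain from the UBI9 image in the same RUN; that predates this PR, but with the OpenSSL-from-source work reverted it is worth confirming what in this Dockerfile still needs those packages, otherwise both the install and the remove can go.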
diff --git a/neo4j_enterprise-ubi9/local-package/docker-entrypoint.sh b/neo4j_enterprise-ubi9/local-package/docker-entrypoint.sh
index d6a65f7..e7021ba 100755
--- a/neo4j_enterprise-ubi9/local-package/docker-entrypoint.sh
+++ b/neo4j_enterprise-ubi9/local-package/docker-entrypoint.sh
@@ -394,6 +394,33 @@ if running_as_root; then
find "${NEO4J_HOME}"/conf -type f -exec chmod -R 600 {} \;
fi
+## == EXTRACT SECRETS FROM FILES ===
+# These environment variables are set by using docker secrets and they override their equivalent env vars
+# They are suffixed with _FILE and prefixed by the name of the env var they should override
+# e.g. NEO4J_AUTH_FILE will override the value of the NEO4J_AUTH
+# It's best to do this first so that the secrets are available for the rest of the script
+for variable_name in $(printenv | awk -F= '{print $1}'); do
+ # Check if the variable ends with "_FILE"
+ if [[ $variable_name == *"_FILE" ]]; then
+ # Create a new variable name by removing the "_FILE" suffix
+ base_variable_name=${variable_name%_FILE}
+
+ # Get the value of the _FILE variable
+ secret_file_path="${!variable_name}"
+
+ if is_readable "${secret_file_path}"; then
+ # Read the secret value from the file
+ secret_value=$(<"$secret_file_path")
+ else
+ # File not readable
+ echo >&2 "The secret file '$secret_file_path' does not exist or is not readable. Make sure you have correctly configured docker secrets."
+ exit 1
+ fi
+ # Assign the value to the new variable
+ export "$base_variable_name"="$secret_value"
+ fi
+done
+
# ==== CHECK LICENSE AGREEMENT ====
# Only prompt for license agreement if command contains "neo4j" in it
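Review bot: the loop at `for variable_name in $(printenv | awk -F= '{print $1}')` treats every environment variable ending in `_FILE` as a secret pointer and `exit 1`s when the file is unreadable, so any unrelated variable that happens to carry that suffix (set by an orchestrator, a base image or a user's own tooling) now aborts the container at startup; restrict the match to the variables the script actually consumes (`NEO4J_*_FILE`, in line with the `set | grep ^NEO4J_` filter used later), or downgrade to a warning for names the entrypoint does not know. Two smaller points in the same hunk: splitting `printenv` output on `=` mis-handles values that contain newlines (the continuation lines are taken as variable names), which bash's `compgen -e` avoids by listing names directly; and the `_FILE` value silently overrides an already-set plain variable, which is the documented intent but deserves a logged notice so operators can see which source won. The same hunk appears in the other three `docker-entrypoint.sh` copies in this diff; the comment applies to all of them.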
@@ -567,6 +594,12 @@ for i in $( set | grep ^NEO4J_ | awk -F'=' '{print $1}' | sort -rn ); do
if containsElement "$i" "${not_configs[@]}"; then
continue
fi
+
+ # Skip env variables with suffix _FILE, these are docker secrets
+ if [[ "$i" == *"_FILE" ]]; then
+ continue
+ fi
+
setting=$(echo "${i}" | sed 's|^NEO4J_||' | sed 's|_|.|g' | sed 's|\.\.|_|g')
value=$(echo "${!i}")
# Don't allow settings with no value or settings that start with a number (neo4j converts settings to env variables and you cannot have an env variable that starts with a number)
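Review bot: the new `[[ "$i" == *"_FILE" ]]` skip is case-sensitive and suffix-only, so besides the docker-secret pointers it also swallows any genuine `NEO4J_*` setting whose env-var form ends in upper-case `_FILE`, which can then no longer be set from the environment and is dropped without a message; either log the skipped name, or limit the skip to variables for which the secrets loop above actually populated a base variable (for example by recording those names in an array there and checking it with `containsElement`, which this loop already uses for `not_configs`).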
diff --git a/neo4j_enterprise-ubi9/local-package/neo4j-plugins.json b/neo4j_enterprise-ubi9/local-package/neo4j-plugins.json
index 32c2701..704f544 100644
--- a/neo4j_enterprise-ubi9/local-package/neo4j-plugins.json
+++ b/neo4j_enterprise-ubi9/local-package/neo4j-plugins.json
@@ -21,19 +21,6 @@
"dbms.bloom.license_file": "/licenses/bloom.license"
}
},
- "graphql": {
- "versions": "https://neo4j-graphql.github.io/neo4j-graphql/versions.json",
- "properties": {
- "dbms.unmanaged_extension_classes": "org.neo4j.graphql=/graphql",
- "dbms.security.procedures.unrestricted": "graphql.*"
- }
- },
- "graph-algorithms": {
- "versions": "https://neo4j-contrib.github.io/neo4j-graph-algorithms/versions.json",
- "properties": {
- "dbms.security.procedures.unrestricted": "algo.*"
- }
- },
"graph-data-science": {
"versions": "https://graphdatascience.ninja/versions.json",
"location": "/var/lib/neo4j/products/neo4j-graph-data-science-*.jar",
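Review bot: dropping the `graphql` and `graph-algorithms` entries also removes two `dbms.security.procedures.unrestricted` wildcards (`graphql.*`, `algo.*`) and a `dbms.unmanaged_extension_classes` mapping that the old plugin config would have written into neo4j.conf, which is a welcome reduction of unrestricted-procedure surface, but it is a behaviour change for anyone passing `NEO4J_PLUGINS` with those names and is mentioned in neither the PR title nor the description (a version bump plus a maintainer change); add a line to the image changelog or README saying the two plugins are no longer installable this way and how the entrypoint now reacts to those names.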
diff --git a/neo4j_enterprise/Dockerfile b/neo4j_enterprise/Dockerfile
index d8e5217..ffa42eb 100644
--- a/neo4j_enterprise/Dockerfile
+++ b/neo4j_enterprise/Dockerfile
@@ -2,12 +2,12 @@ FROM debian:bullseye-slim
ENV JAVA_HOME=/opt/java/openjdk
COPY --from=eclipse-temurin:17 $JAVA_HOME $JAVA_HOME
ENV PATH="${JAVA_HOME}/bin:${PATH}" \
- NEO4J_SHA256=9311d86cfe0ace3e5f1463dd92db13117d1aae54358113a291e2ca254faec3d9 \
- NEO4J_TARBALL=neo4j-enterprise-5.23.0-unix.tar.gz \
+ NEO4J_SHA256=c1b51e08cfb5d8063240656ab58ee0766264b63b27cbcdcff2d28e77f8972534 \
+ NEO4J_TARBALL=neo4j-enterprise-5.24.1-unix.tar.gz \
NEO4J_EDITION=enterprise \
NEO4J_HOME="/var/lib/neo4j" \
LANG=C.UTF-8
-ARG NEO4J_URI=https://dist.neo4j.org/neo4j-enterprise-5.23.0-unix.tar.gz
+ARG NEO4J_URI=https://dist.neo4j.org/neo4j-enterprise-5.24.1-unix.tar.gz
RUN addgroup --gid 7474 --system neo4j && adduser --uid 7474 --system --no-create-home --home "${NEO4J_HOME}" --ingroup neo4j neo4j
diff --git a/neo4j_enterprise/local-package/docker-entrypoint.sh b/neo4j_enterprise/local-package/docker-entrypoint.sh
index d6a65f7..e7021ba 100755
--- a/neo4j_enterprise/local-package/docker-entrypoint.sh
+++ b/neo4j_enterprise/local-package/docker-entrypoint.sh
@@ -394,6 +394,33 @@ if running_as_root; then
find "${NEO4J_HOME}"/conf -type f -exec chmod -R 600 {} \;
fi
+## == EXTRACT SECRETS FROM FILES ===
+# These environment variables are set by using docker secrets and they override their equivalent env vars
+# They are suffixed with _FILE and prefixed by the name of the env var they should override
+# e.g. NEO4J_AUTH_FILE will override the value of the NEO4J_AUTH
+# It's best to do this first so that the secrets are available for the rest of the script
+for variable_name in $(printenv | awk -F= '{print $1}'); do
+ # Check if the variable ends with "_FILE"
+ if [[ $variable_name == *"_FILE" ]]; then
+ # Create a new variable name by removing the "_FILE" suffix
+ base_variable_name=${variable_name%_FILE}
+
+ # Get the value of the _FILE variable
+ secret_file_path="${!variable_name}"
+
+ if is_readable "${secret_file_path}"; then
+ # Read the secret value from the file
+ secret_value=$(<"$secret_file_path")
+ else
+ # File not readable
+ echo >&2 "The secret file '$secret_file_path' does not exist or is not readable. Make sure you have correctly configured docker secrets."
+ exit 1
+ fi
+ # Assign the value to the new variable
+ export "$base_variable_name"="$secret_value"
+ fi
+done
+
# ==== CHECK LICENSE AGREEMENT ====
# Only prompt for license agreement if command contains "neo4j" in it
@@ -567,6 +594,12 @@ for i in $( set | grep ^NEO4J_ | awk -F'=' '{print $1}' | sort -rn ); do
if containsElement "$i" "${not_configs[@]}"; then
continue
fi
+
+ # Skip env variables with suffix _FILE, these are docker secrets
+ if [[ "$i" == *"_FILE" ]]; then
+ continue
+ fi
+
setting=$(echo "${i}" | sed 's|^NEO4J_||' | sed 's|_|.|g' | sed 's|\.\.|_|g')
value=$(echo "${!i}")
# Don't allow settings with no value or settings that start with a number (neo4j converts settings to env variables and you cannot have an env variable that starts with a number)
diff --git a/neo4j_enterprise/local-package/neo4j-plugins.json b/neo4j_enterprise/local-package/neo4j-plugins.json
index 32c2701..704f544 100644
--- a/neo4j_enterprise/local-package/neo4j-plugins.json
+++ b/neo4j_enterprise/local-package/neo4j-plugins.json
@@ -21,19 +21,6 @@
"dbms.bloom.license_file": "/licenses/bloom.license"
}
},
- "graphql": {
- "versions": "https://neo4j-graphql.github.io/neo4j-graphql/versions.json",
- "properties": {
- "dbms.unmanaged_extension_classes": "org.neo4j.graphql=/graphql",
- "dbms.security.procedures.unrestricted": "graphql.*"
- }
- },
- "graph-algorithms": {
- "versions": "https://neo4j-contrib.github.io/neo4j-graph-algorithms/versions.json",
- "properties": {
- "dbms.security.procedures.unrestricted": "algo.*"
- }
- },
"graph-data-science": {
"versions": "https://graphdatascience.ninja/versions.json",
"location": "/var/lib/neo4j/products/neo4j-graph-data-science-*.jar",
diff --git a/neo4j_latest/Dockerfile b/neo4j_latest/Dockerfile
index f29c4ad..96046d5 100644
--- a/neo4j_latest/Dockerfile
+++ b/neo4j_latest/Dockerfile
@@ -2,12 +2,12 @@ FROM debian:bullseye-slim
ENV JAVA_HOME=/opt/java/openjdk
COPY --from=eclipse-temurin:17 $JAVA_HOME $JAVA_HOME
ENV PATH="${JAVA_HOME}/bin:${PATH}" \
- NEO4J_SHA256=ba71776c80ff5882524e6a535c942776249cffdcd0036baf9e1a1a257722285f \
- NEO4J_TARBALL=neo4j-community-5.23.0-unix.tar.gz \
+ NEO4J_SHA256=93986d1085b2e50fa1a569876b1a14e4d44b495b670767c0a12697909e8c6aa9 \
+ NEO4J_TARBALL=neo4j-community-5.24.1-unix.tar.gz \
NEO4J_EDITION=community \
NEO4J_HOME="/var/lib/neo4j" \
LANG=C.UTF-8
-ARG NEO4J_URI=https://dist.neo4j.org/neo4j-community-5.23.0-unix.tar.gz
+ARG NEO4J_URI=https://dist.neo4j.org/neo4j-community-5.24.1-unix.tar.gz
RUN addgroup --gid 7474 --system neo4j && adduser --uid 7474 --system --no-create-home --home "${NEO4J_HOME}" --ingroup neo4j neo4j
diff --git a/neo4j_latest/local-package/docker-entrypoint.sh b/neo4j_latest/local-package/docker-entrypoint.sh
index d6a65f7..e7021ba 100755
--- a/neo4j_latest/local-package/docker-entrypoint.sh
+++ b/neo4j_latest/local-package/docker-entrypoint.sh
@@ -394,6 +394,33 @@ if running_as_root; then
find "${NEO4J_HOME}"/conf -type f -exec chmod -R 600 {} \;
fi
+## == EXTRACT SECRETS FROM FILES ===
+# These environment variables are set by using docker secrets and they override their equivalent env vars
+# They are suffixed with _FILE and prefixed by the name of the env var they should override
+# e.g. NEO4J_AUTH_FILE will override the value of the NEO4J_AUTH
+# It's best to do this first so that the secrets are available for the rest of the script
+for variable_name in $(printenv | awk -F= '{print $1}'); do
+ # Check if the variable ends with "_FILE"
+ if [[ $variable_name == *"_FILE" ]]; then
+ # Create a new variable name by removing the "_FILE" suffix
+ base_variable_name=${variable_name%_FILE}
+
+ # Get the value of the _FILE variable
+ secret_file_path="${!variable_name}"
+
+ if is_readable "${secret_file_path}"; then
+ # Read the secret value from the file
+ secret_value=$(<"$secret_file_path")
+ else
+ # File not readable
+ echo >&2 "The secret file '$secret_file_path' does not exist or is not readable. Make sure you have correctly configured docker secrets."
+ exit 1
+ fi
+ # Assign the value to the new variable
+ export "$base_variable_name"="$secret_value"
+ fi
+done
+
# ==== CHECK LICENSE AGREEMENT ====
# Only prompt for license agreement if command contains "neo4j" in it
@@ -567,6 +594,12 @@ for i in $( set | grep ^NEO4J_ | awk -F'=' '{print $1}' | sort -rn ); do
if containsElement "$i" "${not_configs[@]}"; then
continue
fi
+
+ # Skip env variables with suffix _FILE, these are docker secrets
+ if [[ "$i" == *"_FILE" ]]; then
+ continue
+ fi
+
setting=$(echo "${i}" | sed 's|^NEO4J_||' | sed 's|_|.|g' | sed 's|\.\.|_|g')
value=$(echo "${!i}")
# Don't allow settings with no value or settings that start with a number (neo4j converts settings to env variables and you cannot have an env variable that starts with a number)
diff --git a/neo4j_latest/local-package/neo4j-plugins.json b/neo4j_latest/local-package/neo4j-plugins.json
index 32c2701..704f544 100644
--- a/neo4j_latest/local-package/neo4j-plugins.json
+++ b/neo4j_latest/local-package/neo4j-plugins.json
@@ -21,19 +21,6 @@
"dbms.bloom.license_file": "/licenses/bloom.license"
}
},
- "graphql": {
- "versions": "https://neo4j-graphql.github.io/neo4j-graphql/versions.json",
- "properties": {
- "dbms.unmanaged_extension_classes": "org.neo4j.graphql=/graphql",
- "dbms.security.procedures.unrestricted": "graphql.*"
- }
- },
- "graph-algorithms": {
- "versions": "https://neo4j-contrib.github.io/neo4j-graph-algorithms/versions.json",
- "properties": {
- "dbms.security.procedures.unrestricted": "algo.*"
- }
- },
"graph-data-science": {
"versions": "https://graphdatascience.ninja/versions.json",
"location": "/var/lib/neo4j/products/neo4j-graph-data-science-*.jar",
diff --git a/neo4j_ubi9/Dockerfile b/neo4j_ubi9/Dockerfile
index 0ea348b..ba24d3b 100644
--- a/neo4j_ubi9/Dockerfile
+++ b/neo4j_ubi9/Dockerfile
@@ -50,12 +50,12 @@ RUN set -eux; \
microdnf remove -y git* perl* make gcc glibc-headers glibc-devel libxcrypt-devel; \
microdnf clean all
-ENV NEO4J_SHA256=ba71776c80ff5882524e6a535c942776249cffdcd0036baf9e1a1a257722285f \
- NEO4J_TARBALL=neo4j-community-5.23.0-unix.tar.gz \
+ENV NEO4J_SHA256=93986d1085b2e50fa1a569876b1a14e4d44b495b670767c0a12697909e8c6aa9 \
+ NEO4J_TARBALL=neo4j-community-5.24.1-unix.tar.gz \
NEO4J_EDITION=community \
NEO4J_HOME="/var/lib/neo4j" \
LANG=C.UTF-8
-ARG NEO4J_URI=https://dist.neo4j.org/neo4j-community-5.23.0-unix.tar.gz
+ARG NEO4J_URI=https://dist.neo4j.org/neo4j-community-5.24.1-unix.tar.gz
COPY ./local-package/* /startup/
diff --git a/neo4j_ubi9/local-package/docker-entrypoint.sh b/neo4j_ubi9/local-package/docker-entrypoint.sh
index d6a65f7..e7021ba 100755
--- a/neo4j_ubi9/local-package/docker-entrypoint.sh
+++ b/neo4j_ubi9/local-package/docker-entrypoint.sh
@@ -394,6 +394,33 @@ if running_as_root; then
find "${NEO4J_HOME}"/conf -type f -exec chmod -R 600 {} \;
fi
+## == EXTRACT SECRETS FROM FILES ===
+# These environment variables are set by using docker secrets and they override their equivalent env vars
+# They are suffixed with _FILE and prefixed by the name of the env var they should override
+# e.g. NEO4J_AUTH_FILE will override the value of the NEO4J_AUTH
+# It's best to do this first so that the secrets are available for the rest of the script
+for variable_name in $(printenv | awk -F= '{print $1}'); do
+ # Check if the variable ends with "_FILE"
+ if [[ $variable_name == *"_FILE" ]]; then
+ # Create a new variable name by removing the "_FILE" suffix
+ base_variable_name=${variable_name%_FILE}
+
+ # Get the value of the _FILE variable
+ secret_file_path="${!variable_name}"
+
+ if is_readable "${secret_file_path}"; then
+ # Read the secret value from the file
+ secret_value=$(<"$secret_file_path")
+ else
+ # File not readable
+ echo >&2 "The secret file '$secret_file_path' does not exist or is not readable. Make sure you have correctly configured docker secrets."
+ exit 1
+ fi
+ # Assign the value to the new variable
+ export "$base_variable_name"="$secret_value"
+ fi
+done
+
# ==== CHECK LICENSE AGREEMENT ====
# Only prompt for license agreement if command contains "neo4j" in it
@@ -567,6 +594,12 @@ for i in $( set | grep ^NEO4J_ | awk -F'=' '{print $1}' | sort -rn ); do
if containsElement "$i" "${not_configs[@]}"; then
continue
fi
+
+ # Skip env variables with suffix _FILE, these are docker secrets
+ if [[ "$i" == *"_FILE" ]]; then
+ continue
+ fi
+
setting=$(echo "${i}" | sed 's|^NEO4J_||' | sed 's|_|.|g' | sed 's|\.\.|_|g')
value=$(echo "${!i}")
# Don't allow settings with no value or settings that start with a number (neo4j converts settings to env variables and you cannot have an env variable that starts with a number)
diff --git a/neo4j_ubi9/local-package/neo4j-plugins.json b/neo4j_ubi9/local-package/neo4j-plugins.json
index 32c2701..704f544 100644
--- a/neo4j_ubi9/local-package/neo4j-plugins.json
+++ b/neo4j_ubi9/local-package/neo4j-plugins.json
@@ -21,19 +21,6 @@
"dbms.bloom.license_file": "/licenses/bloom.license"
}
},
- "graphql": {
- "versions": "https://neo4j-graphql.github.io/neo4j-graphql/versions.json",
- "properties": {
- "dbms.unmanaged_extension_classes": "org.neo4j.graphql=/graphql",
- "dbms.security.procedures.unrestricted": "graphql.*"
- }
- },
- "graph-algorithms": {
- "versions": "https://neo4j-contrib.github.io/neo4j-graph-algorithms/versions.json",
- "properties": {
- "dbms.security.procedures.unrestricted": "algo.*"
- }
- },
"graph-data-science": {
"versions": "https://graphdatascience.ninja/versions.json",
"location": "/var/lib/neo4j/products/neo4j-graph-data-science-*.jar",
Relevant Maintainers:
Hello!
Adding a new colleague as maintainer, sorry about some confusion in a previous PR caused by this.
Thanks!