Merge pull request '3.41.0-01' (#3) from 3.41.0-01 into master

Reviewed-on: https://scm.raffbrains.xyz/Custom-Dockers/docker-nexus3/pulls/3
LGTM

.drone.yml

@@ -0,0 +1,45 @@
+kind: pipeline
+type: docker
+name: nexus3_Build
+platform:
+  arch: arm64
+
+steps:
+- name: dryrun-nexus3-build
+  image: plugins/docker
+  settings:
+    repo:
+      from_secret: docker_repo
+    cache_from:
+      from_secret: docker_repo
+    dockerfile: Dockerfile.rh.ubi
+    mirror:
+      from_secret: docker_regst
+    insecure: true
+    auto_tag: true
+    dry_run: true
+    when:
+      branch:
+        exclude:
+        - master
+
+- name: docker-build-push
+  image: plugins/docker
+  settings:
+    repo:
+      from_secret: docker_repo
+    username:
+      from_secret: docker_user
+    password:
+      from_secret: docker_pass
+    registry:
+      from_secret: docker_regst
+    cache_from:
+      from_secret: docker_repo
+    dockerfile: Dockerfile
+    auto_tag: true
+    insecure: true
+    when:
+      event:
+      - push
+      - tag

Dockerfile

@@ -12,13 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM registry.access.redhat.com/ubi8/ubi
+FROM registry.access.redhat.com/ubi8/ubi-minimal
 
 LABEL name="Nexus Repository Manager" \
       maintainer="Sonatype <support@sonatype.com>" \
       vendor=Sonatype \
-      version="3.38.0-01" \
-      release="3.38.0" \
+      version="3.44.0-01" \
+      release="3.44.0" \
       url="https://sonatype.com" \
       summary="The Nexus Repository Manager server \
           with universal support for popular component formats." \
@@ -36,9 +36,9 @@ LABEL name="Nexus Repository Manager" \
       io.openshift.expose-services="8081:8081" \
       io.openshift.tags="Sonatype,Nexus,Repository Manager"
 
-ARG NEXUS_VERSION=3.38.0-01
+ARG NEXUS_VERSION=3.44.0-01
 ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
-ARG NEXUS_DOWNLOAD_SHA256_HASH=d7ee5e2d7233ac8cfd4e9cc1e97d88313d24d662509d446784be5a50f677cc6f
+ARG NEXUS_DOWNLOAD_SHA256_HASH=1b508c4494845c27a8afd56a5b2065039a1867a5a6ce022f12251e0a9b358b76
 
 # configure nexus runtime
 ENV SONATYPE_DIR=/opt/sonatype
@@ -46,32 +46,39 @@ ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
     NEXUS_DATA=/nexus-data \
     NEXUS_CONTEXT='' \
     SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
-    DOCKER_TYPE='3x-docker'
+    DOCKER_TYPE='rh-docker'
 
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION="release-0.5.20210628-162332.70a6cb6"
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL="https://github.com/sonatype/chef-nexus-repository-manager/releases/download/${NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION}/chef-nexus-repository-manager.tar.gz"
+# Install Java & tar
+RUN microdnf update -y \
+    && microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y \
+          java-1.8.0-openjdk-headless tar procps shadow-utils gzip \
+    && microdnf clean all \
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
 
-ADD solo.json.erb /var/chef/solo.json.erb
+WORKDIR ${SONATYPE_DIR}
 
-# Install using chef-solo
-# Chef version locked to avoid needing to accept the EULA on behalf of whomever builds the image
-RUN yum install -y --disableplugin=subscription-manager hostname procps \
-    && curl -L https://omnitruck.chef.io/install.sh | bash -s -- -v 14.12.9 \
-    && /opt/chef/embedded/bin/erb /var/chef/solo.json.erb > /var/chef/solo.json \
-    && chef-solo \
-       --recipe-url ${NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL} \
-       --json-attributes /var/chef/solo.json \
-    && rpm -qa *chef* | xargs rpm -e \
-    && rm -rf /etc/chef \
-    && rm -rf /opt/chefdk \
-    && rm -rf /var/cache/yum \
-    && rm -rf /var/chef \
-    && yum clean all
-    
-# download and install openjdk 8
-RUN curl -O https://vault.centos.org/8.3.2011/AppStream/x86_64/os/Packages/java-1.8.0-openjdk-headless-1.8.0.282.b08-2.el8_3.x86_64.rpm \
-    && yum localinstall -y --disableplugin=subscription-manager java-1.8.0-openjdk-headless-1.8.0.282.b08-2.el8_3.x86_64.rpm \
-    && rm -rf java-1.8.0-openjdk-headless-1.8.0.282.b08-2.el8_3.x86_64.rpm
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
+
+RUN microdnf remove -y tar gzip shadow-utils
 
 VOLUME ${NEXUS_DATA}
 
@@ -80,4 +87,4 @@ USER nexus
 
 ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
 
-CMD ["sh", "-c", "${SONATYPE_DIR}/start-nexus-repository-manager.sh"]
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.rh.centos

@@ -17,8 +17,8 @@ FROM centos:centos7
 LABEL name="Nexus Repository Manager" \
       maintainer="Sonatype <support@sonatype.com>" \
       vendor=Sonatype \
-      version="3.38.0-01" \
-      release="3.38.0" \
+      version="3.44.0-01" \
+      release="3.44.0" \
       url="https://sonatype.com" \
       summary="The Nexus Repository Manager server \
           with universal support for popular component formats." \
@@ -36,9 +36,9 @@ LABEL name="Nexus Repository Manager" \
       io.openshift.expose-services="8081:8081" \
       io.openshift.tags="Sonatype,Nexus,Repository Manager"
 
-ARG NEXUS_VERSION=3.38.0-01
+ARG NEXUS_VERSION=3.44.0-01
 ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
-ARG NEXUS_DOWNLOAD_SHA256_HASH=d7ee5e2d7233ac8cfd4e9cc1e97d88313d24d662509d446784be5a50f677cc6f
+ARG NEXUS_DOWNLOAD_SHA256_HASH=1b508c4494845c27a8afd56a5b2065039a1867a5a6ce022f12251e0a9b358b76
 
 # configure nexus runtime
 ENV SONATYPE_DIR=/opt/sonatype
@@ -48,26 +48,45 @@ ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
     SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
     DOCKER_TYPE='rh-docker'
 
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION="release-0.5.20190212-155606.d1afdfe"
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL="https://github.com/sonatype/chef-nexus-repository-manager/releases/download/${NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION}/chef-nexus-repository-manager.tar.gz"
-
-ADD solo.json.erb /var/chef/solo.json.erb
-
-# Install using chef-solo
-ARG CHEF_VERSION=16.17.18
-RUN curl -L https://omnitruck.chef.io/install.sh | bash -s -- -v ${CHEF_VERSION} \
-    && /opt/chef/embedded/bin/erb /var/chef/solo.json.erb > /var/chef/solo.json \
-    && chef-solo \
-       --node_name nexus_repository_red_hat_docker_build \
-       --recipe-url ${NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL} \
-       --json-attributes /var/chef/solo.json \
-       --chef-license=accept \
-    && rpm -qa *chef* | xargs rpm -e \
-    && rpm --rebuilddb \
-    && rm -rf /etc/chef \
-    && rm -rf /opt/chefdk \
+# Install java & setup user
+RUN yum install -y java-1.8.0-openjdk-headless \
+    && yum clean all \
     && rm -rf /var/cache/yum \
-    && rm -rf /var/chef
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+
+# Red Hat Certified Container commands
+COPY rh-docker /
+RUN usermod -a -G root nexus \
+    && chmod -R 0755 /licenses \
+    && chmod 0755 /help.1 \
+    && chmod 0755 /uid_entrypoint.sh \
+    && chmod 0755 /uid_template.sh \
+    && bash /uid_template.sh \
+    && chmod 0664 /etc/passwd
+
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+# Legacy start script
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
 
 VOLUME ${NEXUS_DATA}
 
@@ -77,4 +96,4 @@ USER nexus
 ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
 
 ENTRYPOINT ["/uid_entrypoint.sh"]
-CMD ["sh", "-c", "${SONATYPE_DIR}/start-nexus-repository-manager.sh"]
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.rh.el

@@ -17,8 +17,8 @@ FROM registry.access.redhat.com/rhel7/rhel
 LABEL name="Nexus Repository Manager" \
       maintainer="Sonatype <support@sonatype.com>" \
       vendor=Sonatype \
-      version="3.38.0-01" \
-      release="3.38.0" \
+      version="3.44.0-01" \
+      release="3.44.0" \
       url="https://sonatype.com" \
       summary="The Nexus Repository Manager server \
           with universal support for popular component formats." \
@@ -36,9 +36,9 @@ LABEL name="Nexus Repository Manager" \
       io.openshift.expose-services="8081:8081" \
       io.openshift.tags="Sonatype,Nexus,Repository Manager"
 
-ARG NEXUS_VERSION=3.38.0-01
+ARG NEXUS_VERSION=3.44.0-01
 ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
-ARG NEXUS_DOWNLOAD_SHA256_HASH=d7ee5e2d7233ac8cfd4e9cc1e97d88313d24d662509d446784be5a50f677cc6f
+ARG NEXUS_DOWNLOAD_SHA256_HASH=1b508c4494845c27a8afd56a5b2065039a1867a5a6ce022f12251e0a9b358b76
 
 # configure nexus runtime
 ENV SONATYPE_DIR=/opt/sonatype
@@ -48,24 +48,45 @@ ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
     SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
     DOCKER_TYPE='rh-docker'
 
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION="release-0.5.20190212-155606.d1afdfe"
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL="https://github.com/sonatype/chef-nexus-repository-manager/releases/download/${NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION}/chef-nexus-repository-manager.tar.gz"
-
-ADD solo.json.erb /var/chef/solo.json.erb
-
-# Install using chef-solo
-RUN curl -L https://omnitruck.chef.io/install.sh | bash \
-    && /opt/chef/embedded/bin/erb /var/chef/solo.json.erb > /var/chef/solo.json \
-    && chef-solo \
-       --node_name nexus_repository_red_hat_docker_build \
-       --recipe-url ${NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL} \
-       --json-attributes /var/chef/solo.json \
-    && rpm -qa *chef* | xargs rpm -e \
-    && rpm --rebuilddb \
-    && rm -rf /etc/chef \
-    && rm -rf /opt/chefdk \
+# Install java & setup user
+RUN yum install -y java-1.8.0-openjdk-headless \
+    && yum clean all \
     && rm -rf /var/cache/yum \
-    && rm -rf /var/chef
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+
+# Red Hat Certified Container commands
+COPY rh-docker /
+RUN usermod -a -G root nexus \
+    && chmod -R 0755 /licenses \
+    && chmod 0755 /help.1 \
+    && chmod 0755 /uid_entrypoint.sh \
+    && chmod 0755 /uid_template.sh \
+    && bash /uid_template.sh \
+    && chmod 0664 /etc/passwd
+
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+# Legacy start script
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
 
 VOLUME ${NEXUS_DATA}
 
@@ -75,4 +96,4 @@ USER nexus
 ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
 
 ENTRYPOINT ["/uid_entrypoint.sh"]
-CMD ["sh", "-c", "${SONATYPE_DIR}/start-nexus-repository-manager.sh"]
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.rh.ubi

@@ -12,13 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM registry.access.redhat.com/ubi8/ubi
+FROM registry.access.redhat.com/ubi8/ubi-minimal
 
 LABEL name="Nexus Repository Manager" \
       vendor=Sonatype \
       maintainer="Sonatype <support@sonatype.com>" \
-      version="3.38.0-01" \
-      release="3.38.0" \
+      version="3.44.0-01" \
+      release="3.44.0" \
       url="https://sonatype.com" \
       summary="The Nexus Repository Manager server \
           with universal support for popular component formats." \
@@ -36,9 +36,9 @@ LABEL name="Nexus Repository Manager" \
       io.openshift.expose-services="8081:8081" \
       io.openshift.tags="Sonatype,Nexus,Repository Manager"
 
-ARG NEXUS_VERSION=3.38.0-01
+ARG NEXUS_VERSION=3.44.0-01
 ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
-ARG NEXUS_DOWNLOAD_SHA256_HASH=d7ee5e2d7233ac8cfd4e9cc1e97d88313d24d662509d446784be5a50f677cc6f
+ARG NEXUS_DOWNLOAD_SHA256_HASH=1b508c4494845c27a8afd56a5b2065039a1867a5a6ce022f12251e0a9b358b76
 
 # configure nexus runtime
 ENV SONATYPE_DIR=/opt/sonatype
@@ -48,25 +48,49 @@ ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
     SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
     DOCKER_TYPE='rh-docker'
 
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION="release-0.5.20190212-155606.d1afdfe"
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL="https://github.com/sonatype/chef-nexus-repository-manager/releases/download/${NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION}/chef-nexus-repository-manager.tar.gz"
+# Install java & setup user
+RUN microdnf update -y \
+    && microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y \
+          java-1.8.0-openjdk-headless tar procps shadow-utils gzip \
+    && microdnf clean all \
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
 
-ADD solo.json.erb /var/chef/solo.json.erb
+# Red Hat Certified Container commands
+COPY rh-docker /
+RUN usermod -a -G root nexus \
+    && chmod -R 0755 /licenses \
+    && chmod 0755 /help.1 \
+    && chmod 0755 /uid_entrypoint.sh \
+    && chmod 0755 /uid_template.sh \
+    && bash /uid_template.sh \
+    && chmod 0664 /etc/passwd
 
-# Install using chef-solo
-# Chef version locked to avoid needing to accept the EULA on behalf of whomever builds the image
-RUN curl -L https://omnitruck.chef.io/install.sh | bash -s -- -v 14.12.9 \
-    && /opt/chef/embedded/bin/erb /var/chef/solo.json.erb > /var/chef/solo.json \
-    && chef-solo \
-       --node_name nexus_repository_red_hat_docker_build \
-       --recipe-url ${NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL} \
-       --json-attributes /var/chef/solo.json \
-    && rpm -qa *chef* | xargs rpm -e \
-    && rm -rf /etc/chef \
-    && rm -rf /opt/chefdk \
-    && rm -rf /var/cache/yum \
-    && rm -rf /var/chef \
-    && yum clean all
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+# Legacy start script
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
+
+# Cleanup
+RUN microdnf remove -y tar gzip shadow-utils
 
 VOLUME ${NEXUS_DATA}
 
@@ -76,4 +100,4 @@ USER nexus
 ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
 
 ENTRYPOINT ["/uid_entrypoint.sh"]
-CMD ["sh", "-c", "${SONATYPE_DIR}/start-nexus-repository-manager.sh"]
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Jenkinsfile

@@ -7,20 +7,8 @@
 import com.sonatype.jenkins.pipeline.GitHub
 import com.sonatype.jenkins.pipeline.OsTools
 
-properties([
-  parameters([
-    string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'),
-    string(defaultValue: '', description: 'New Nexus Repository Manager Version Sha256', name: 'nexus_repository_manager_version_sha'),
-    string(defaultValue: '', description: 'New Nexus Repository Manager Cookbook Version', name: 'nexus_repository_manager_cookbook_version'),
-    booleanParam(defaultValue: false, description: 'Skip Pushing of Docker Image and Tags', name: 'skip_push'),
-    booleanParam(defaultValue: false, description: 'Force Red Hat Certified Build for a non-master branch', name: 'force_red_hat_build'),
-    booleanParam(defaultValue: false, description: 'Skip Red Hat Certified Build', name: 'skip_red_hat_build'),
-    booleanParam(defaultValue: false, description: 'Only update the latest tag', name: 'update_latest_only')
-  ])
-])
-
 node('ubuntu-zion') {
-  def commitId, commitDate, version, imageId, branch, dockerFileLocations
+  def commitId, commitDate, imageId, branch
   def organization = 'sonatype',
       gitHubRepository = 'docker-nexus3',
       credentialsId = 'integrations-github-api',
@@ -32,46 +20,23 @@ node('ubuntu-zion') {
   try {
     stage('Preparation') {
       deleteDir()
-      OsTools.runSafe(this, "docker system prune -a -f")
+      OsTools.runSafe(this, 'docker system prune -a -f')
 
       def checkoutDetails = checkout scm
 
-      dockerFileLocations = [
-        "${pwd()}/Dockerfile",
-        "${pwd()}/Dockerfile.rh.centos",
-        "${pwd()}/Dockerfile.rh.el",
-        "${pwd()}/Dockerfile.rh.ubi"
-      ]
-
-      branch = checkoutDetails.GIT_BRANCH == 'origin/master' ? 'master' : checkoutDetails.GIT_BRANCH
+      branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH
       commitId = checkoutDetails.GIT_COMMIT
       commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}")
 
       OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com')
       OsTools.runSafe(this, 'git config --global user.name Sonatype CI')
 
-      version = readVersion()
-
       def apiToken
       withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: credentialsId,
                         usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
         apiToken = env.GITHUB_API_PASSWORD
       }
       gitHub = new GitHub(this, "${organization}/${gitHubRepository}", apiToken)
-
-      if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha) {
-        stage('Update Repository Manager Version') {
-          OsTools.runSafe(this, "git checkout ${branch}")
-          dockerFileLocations.each { updateRepositoryManagerVersion(it) }
-          version = getShortVersion(params.nexus_repository_manager_version)
-        }
-      }
-      if (params.nexus_repository_manager_cookbook_version) {
-        stage('Update Repository Manager Cookbook Version') {
-          OsTools.runSafe(this, "git checkout ${branch}")
-          dockerFileLocations.each { updateRepositoryCookbookVersion(it) }
-        }
-      }
     }
     stage('Build') {
       gitHub.statusUpdate commitId, 'pending', 'build', 'Build is running'
@@ -91,141 +56,49 @@ node('ubuntu-zion') {
 
       def gemInstallDirectory = getGemInstallDirectory()
       withEnv(["PATH+GEMS=${gemInstallDirectory}/bin"]) {
-        OsTools.runSafe(this, "gem install --user-install rspec")
-        OsTools.runSafe(this, "gem install --user-install serverspec")
-        OsTools.runSafe(this, "gem install --user-install docker-api")
+        OsTools.runSafe(this, 'gem install --user-install rspec')
+        OsTools.runSafe(this, 'gem install --user-install serverspec')
+        OsTools.runSafe(this, 'gem install --user-install docker-api')
         OsTools.runSafe(this, "IMAGE_ID=${imageId} rspec --backtrace spec/Dockerfile_spec.rb")
       }
 
       if (currentBuild.result == 'FAILURE') {
         gitHub.statusUpdate commitId, 'failure', 'test', 'Tests failed'
         return
-      } else {
-        gitHub.statusUpdate commitId, 'success', 'test', 'Tests succeeded'
       }
+
+      gitHub.statusUpdate commitId, 'success', 'test', 'Tests succeeded'
     }
+
+    stage('Evaluate Policies') {
+      runEvaluation({ stage ->
+        nexusPolicyEvaluation(
+          iqStage: stage,
+          iqApplication: 'docker-nexus3',
+          iqScanPatterns: [[scanPattern: "container:${imageName}"]],
+          failBuildOnNetworkError: true,
+        )}, (branch == 'main') ? 'build' : 'develop')
+    }
+
     if (currentBuild.result == 'FAILURE') {
       return
     }
-    if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha
-          || params.nexus_repository_manager_cookbook_version) {
-      stage('Commit Automated Code Update') {
-        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'integrations-github-api',
-                        usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
-          def commitMessage = [
-            params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha ?
-                "Update Repository Manager to ${params.nexus_repository_manager_version}." : "",
-            params.nexus_repository_manager_cookbook_version ?
-                "Update Repository Manager Cookbook to ${params.nexus_repository_manager_cookbook_version}." : ""
-          ].findAll({ it }).join(' ')
 
-          if (!params.update_latest_only) {
-            OsTools.runSafe(this, """
-              git add .
-              git commit -m '${commitMessage}'
-              git push https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git ${branch}
-            """)
-          }
-        }
-      }
-    }
     stage('Archive') {
       dir('build/target') {
         OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz")
         archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true
       }
     }
-    if (branch == 'master' && !params.skip_push && !params.update_latest_only) {
-      input 'Push image and tags?'
-      stage('Push image') {
-        def dockerhubApiToken
-        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'docker-hub-credentials',
-            usernameVariable: 'DOCKERHUB_API_USERNAME', passwordVariable: 'DOCKERHUB_API_PASSWORD']]) {
-          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}")
-          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest")
-          OsTools.runSafe(this, """
-            docker login --username ${env.DOCKERHUB_API_USERNAME} --password ${env.DOCKERHUB_API_PASSWORD}
-          """)
-          OsTools.runSafe(this, "docker push --all-tags ${organization}/${dockerHubRepository}")
-
-          response = OsTools.runSafe(this, """
-            curl -X POST https://hub.docker.com/v2/users/login/ \
-              -H 'cache-control: no-cache' -H 'content-type: application/json' \
-              -d '{ "username": "${env.DOCKERHUB_API_USERNAME}", "password": "${env.DOCKERHUB_API_PASSWORD}" }'
-          """)
-          token = readJSON text: response
-          dockerhubApiToken = token.token
-
-          def readme = readFile file: 'README.md', encoding: 'UTF-8'
-          readme = readme.replaceAll("(?s)<!--.*?-->", "")
-          readme = readme.replace("\"", "\\\"")
-          readme = readme.replace("\n", "\\n")
-          response = httpRequest customHeaders: [[name: 'authorization', value: "JWT ${dockerhubApiToken}"]],
-              acceptType: 'APPLICATION_JSON', contentType: 'APPLICATION_JSON', httpMode: 'PATCH',
-              requestBody: "{ \"full_description\": \"${readme}\" }",
-              url: "https://hub.docker.com/v2/repositories/${organization}/${dockerHubRepository}/"
-        }
-      }
-      stage('Push tags') {
-        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: credentialsId,
-                          usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
-          OsTools.runSafe(this, "git tag ${version}")
-          OsTools.runSafe(this, """
-            git push \
-            https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git \
-              ${version}
-          """)
-        }
-        OsTools.runSafe(this, "git tag -d ${version}")
-      }
-    }
-    else if(params.update_latest_only) {
-      stage('Push tags') {
-        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'docker-hub-credentials',
-            usernameVariable: 'DOCKERHUB_API_USERNAME', passwordVariable: 'DOCKERHUB_API_PASSWORD']]) {
-          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest")
-          OsTools.runSafe(this, """
-            docker login --username ${env.DOCKERHUB_API_USERNAME} --password ${env.DOCKERHUB_API_PASSWORD}
-          """)
-          OsTools.runSafe(this, "docker push --all-tags ${organization}/${dockerHubRepository}")
-        }
-      }
-    }
-    /*
-    if ((! params.skip_red_hat_build) && (branch == 'master' || params.force_red_hat_build)) {
-      stage('Trigger Red Hat Certified Image Build') {
-        withCredentials([
-            string(credentialsId: 'docker-nexus3-rh-build-project-id', variable: 'PROJECT_ID'),
-            string(credentialsId: 'rh-build-service-api-key', variable: 'API_KEY')]) {
-          final redHatVersion = "${version}-ubi"
-          runGroovy('ci/TriggerRedHatBuild.groovy', [redHatVersion, PROJECT_ID, API_KEY].join(' '))
-        }
-      }
-    }
-    */
   } finally {
-    OsTools.runSafe(this, "docker logout")
-    OsTools.runSafe(this, "docker system prune -a -f")
-    OsTools.runSafe(this, 'git clean -f && git reset --hard origin/master')
+    OsTools.runSafe(this, 'docker logout')
+    OsTools.runSafe(this, 'docker system prune -a -f')
+    OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main')
   }
 }
 
-def readVersion() {
-  def content = readFile 'Dockerfile'
-  for (line in content.split('\n')) {
-    if (line.startsWith('ARG NEXUS_VERSION=')) {
-      return getShortVersion(line.substring(18))
-    }
-  }
-  error 'Could not determine version.'
-}
-
-def getShortVersion(version) {
-  return version.split('-')[0]
-}
-
 def getGemInstallDirectory() {
-  def content = OsTools.runSafe(this, "gem env")
+  def content = OsTools.runSafe(this, 'gem env')
   for (line in content.split('\n')) {
     if (line.startsWith('  - USER INSTALLATION DIRECTORY: ')) {
       return line.substring(33)
@@ -233,31 +106,3 @@ def getGemInstallDirectory() {
   }
   error 'Could not determine user gem install directory.'
 }
-
-def updateRepositoryManagerVersion(dockerFileLocation) {
-  def dockerFile = readFile(file: dockerFileLocation)
-
-  def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/
-  def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/
-
-  def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/
-  def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/
-
-  dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3")
-  dockerFile = dockerFile.replaceAll(metaShortVersionRegex,
-    "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3")
-  dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}")
-  dockerFile = dockerFile.replaceAll(shaRegex, "\$1${params.nexus_repository_manager_version_sha}")
-
-  writeFile(file: dockerFileLocation, text: dockerFile)
-}
-
-def updateRepositoryCookbookVersion(dockerFileLocation) {
-  def dockerFile = readFile(file: dockerFileLocation)
-
-  def cookbookVersionRegex = /(ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION=")(release-\d\.\d\.\d{8}\-\d{6}\.[a-z0-9]{7})(")/
-
-  dockerFile = dockerFile.replaceAll(cookbookVersionRegex, "\$1${params.nexus_repository_manager_cookbook_version}\$3")
-
-  writeFile(file: dockerFileLocation, text: dockerFile)
-}

Jenkinsfile-Release

@@ -0,0 +1,260 @@
+/*
+ * Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+ * Includes the third-party code listed at http://links.sonatype.com/products/nexus/attributions.
+ * "Sonatype" is a trademark of Sonatype, Inc.
+ */
+@Library(['private-pipeline-library', 'jenkins-shared']) _
+import com.sonatype.jenkins.pipeline.GitHub
+import com.sonatype.jenkins.pipeline.OsTools
+
+properties([
+  parameters([
+    string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'),
+    string(defaultValue: '', description: 'New Nexus Repository Manager Version Sha256', name: 'nexus_repository_manager_version_sha'),
+    string(defaultValue: '', description: 'New Nexus Repository Manager Cookbook Version', name: 'nexus_repository_manager_cookbook_version'),
+    booleanParam(defaultValue: false, description: 'Skip Pushing of Docker Image and Tags', name: 'skip_push'),
+    booleanParam(defaultValue: false, description: 'Only update the latest tag', name: 'update_latest_only')
+  ])
+])
+
+node('ubuntu-zion-legacy') {
+  def commitId, commitDate, version, imageId, branch, dockerFileLocations
+  def organization = 'sonatype',
+      gitHubRepository = 'docker-nexus3',
+      credentialsId = 'integrations-github-api',
+      imageName = 'sonatype/nexus3',
+      archiveName = 'docker-nexus3',
+      dockerHubRepository = 'nexus3'
+  GitHub gitHub
+
+  try {
+    stage('Preparation') {
+      deleteDir()
+      OsTools.runSafe(this, "docker system prune -a -f")
+
+      def checkoutDetails = checkout scm
+
+      dockerFileLocations = [
+        "${pwd()}/Dockerfile",
+        "${pwd()}/Dockerfile.rh.centos",
+        "${pwd()}/Dockerfile.rh.el",
+        "${pwd()}/Dockerfile.rh.ubi"
+      ]
+
+      branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH
+      commitId = checkoutDetails.GIT_COMMIT
+      commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}")
+
+      OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com')
+      OsTools.runSafe(this, 'git config --global user.name Sonatype CI')
+
+      version = readVersion()
+
+      def apiToken
+      withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: credentialsId,
+                        usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
+        apiToken = env.GITHUB_API_PASSWORD
+      }
+      gitHub = new GitHub(this, "${organization}/${gitHubRepository}", apiToken)
+
+      if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha) {
+        stage('Update Repository Manager Version') {
+          OsTools.runSafe(this, "git checkout ${branch}")
+          dockerFileLocations.each { updateRepositoryManagerVersion(it) }
+          version = getShortVersion(params.nexus_repository_manager_version)
+        }
+      }
+      if (params.nexus_repository_manager_cookbook_version) {
+        stage('Update Repository Manager Cookbook Version') {
+          OsTools.runSafe(this, "git checkout ${branch}")
+          dockerFileLocations.each { updateRepositoryCookbookVersion(it) }
+        }
+      }
+    }
+    stage('Build') {
+      gitHub.statusUpdate commitId, 'pending', 'build', 'Build is running'
+
+      def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName} .")
+      imageId = hash.split(':')[1]
+
+      if (currentBuild.result == 'FAILURE') {
+        gitHub.statusUpdate commitId, 'failure', 'build', 'Build failed'
+        return
+      } else {
+        gitHub.statusUpdate commitId, 'success', 'build', 'Build succeeded'
+      }
+    }
+    stage('Test') {
+      gitHub.statusUpdate commitId, 'pending', 'test', 'Tests are running'
+
+      def gemInstallDirectory = getGemInstallDirectory()
+      withEnv(["PATH+GEMS=${gemInstallDirectory}/bin"]) {
+        OsTools.runSafe(this, "gem install --user-install rspec")
+        OsTools.runSafe(this, "gem install --user-install serverspec")
+        OsTools.runSafe(this, "gem install --user-install docker-api")
+        OsTools.runSafe(this, "IMAGE_ID=${imageId} rspec --backtrace spec/Dockerfile_spec.rb")
+      }
+
+      if (currentBuild.result == 'FAILURE') {
+        gitHub.statusUpdate commitId, 'failure', 'test', 'Tests failed'
+        return
+      } else {
+        gitHub.statusUpdate commitId, 'success', 'test', 'Tests succeeded'
+      }
+    }
+
+    stage('Evaluate Policies') {
+      runEvaluation({ stage ->
+        nexusPolicyEvaluation(
+          iqStage: stage,
+          iqApplication: 'docker-nexus3',
+          iqScanPatterns: [[scanPattern: "container:${imageName}"]],
+          failBuildOnNetworkError: true,
+        )}, 'release')
+    }
+
+    if (currentBuild.result == 'FAILURE') {
+      return
+    }
+    if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha
+          || params.nexus_repository_manager_cookbook_version) {
+      stage('Commit Automated Code Update') {
+        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'integrations-github-api',
+                        usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
+          def commitMessage = [
+            params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha ?
+                "Update Repository Manager to ${params.nexus_repository_manager_version}." : "",
+            params.nexus_repository_manager_cookbook_version ?
+                "Update Repository Manager Cookbook to ${params.nexus_repository_manager_cookbook_version}." : ""
+          ].findAll({ it }).join(' ')
+
+          if (!params.update_latest_only) {
+            OsTools.runSafe(this, """
+              git add .
+              git commit -m '${commitMessage}'
+              git push https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git ${branch}
+            """)
+          }
+        }
+      }
+    }
+    stage('Archive') {
+      dir('build/target') {
+        OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz")
+        archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true
+      }
+    }
+    if (branch == 'main' && !params.skip_push && !params.update_latest_only) {
+      input 'Push image and tags?'
+      stage('Push image') {
+        def dockerhubApiToken
+        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'docker-hub-credentials',
+            usernameVariable: 'DOCKERHUB_API_USERNAME', passwordVariable: 'DOCKERHUB_API_PASSWORD']]) {
+          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}")
+          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest")
+          OsTools.runSafe(this, """
+            docker login --username ${env.DOCKERHUB_API_USERNAME} --password ${env.DOCKERHUB_API_PASSWORD}
+          """)
+          OsTools.runSafe(this, "docker push --all-tags ${organization}/${dockerHubRepository}")
+
+          response = OsTools.runSafe(this, """
+            curl -X POST https://hub.docker.com/v2/users/login/ \
+              -H 'cache-control: no-cache' -H 'content-type: application/json' \
+              -d '{ "username": "${env.DOCKERHUB_API_USERNAME}", "password": "${env.DOCKERHUB_API_PASSWORD}" }'
+          """)
+          token = readJSON text: response
+          dockerhubApiToken = token.token
+
+          def readme = readFile file: 'README.md', encoding: 'UTF-8'
+          readme = readme.replaceAll("(?s)<!--.*?-->", "")
+          readme = readme.replace("\"", "\\\"")
+          readme = readme.replace("\n", "\\n")
+          response = httpRequest customHeaders: [[name: 'authorization', value: "JWT ${dockerhubApiToken}"]],
+              acceptType: 'APPLICATION_JSON', contentType: 'APPLICATION_JSON', httpMode: 'PATCH',
+              requestBody: "{ \"full_description\": \"${readme}\" }",
+              url: "https://hub.docker.com/v2/repositories/${organization}/${dockerHubRepository}/"
+        }
+      }
+      stage('Push tags') {
+        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: credentialsId,
+                          usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
+          OsTools.runSafe(this, "git tag ${version}")
+          OsTools.runSafe(this, """
+            git push \
+            https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git \
+              ${version}
+          """)
+        }
+        OsTools.runSafe(this, "git tag -d ${version}")
+      }
+    }
+    else if(params.update_latest_only) {
+      stage('Push tags') {
+        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'docker-hub-credentials',
+            usernameVariable: 'DOCKERHUB_API_USERNAME', passwordVariable: 'DOCKERHUB_API_PASSWORD']]) {
+          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest")
+          OsTools.runSafe(this, """
+            docker login --username ${env.DOCKERHUB_API_USERNAME} --password ${env.DOCKERHUB_API_PASSWORD}
+          """)
+          OsTools.runSafe(this, "docker push --all-tags ${organization}/${dockerHubRepository}")
+        }
+      }
+    }
+  } finally {
+    OsTools.runSafe(this, "docker logout")
+    OsTools.runSafe(this, "docker system prune -a -f")
+    OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main')
+  }
+}
+
+def readVersion() {
+  def content = readFile 'Dockerfile'
+  for (line in content.split('\n')) {
+    if (line.startsWith('ARG NEXUS_VERSION=')) {
+      return getShortVersion(line.substring(18))
+    }
+  }
+  error 'Could not determine version.'
+}
+
+def getShortVersion(version) {
+  return version.split('-')[0]
+}
+
+def getGemInstallDirectory() {
+  def content = OsTools.runSafe(this, "gem env")
+  for (line in content.split('\n')) {
+    if (line.startsWith('  - USER INSTALLATION DIRECTORY: ')) {
+      return line.substring(33)
+    }
+  }
+  error 'Could not determine user gem install directory.'
+}
+
+def updateRepositoryManagerVersion(dockerFileLocation) {
+  def dockerFile = readFile(file: dockerFileLocation)
+
+  def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/
+  def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/
+
+  def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/
+  def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/
+
+  dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3")
+  dockerFile = dockerFile.replaceAll(metaShortVersionRegex,
+    "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3")
+  dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}")
+  dockerFile = dockerFile.replaceAll(shaRegex, "\$1${params.nexus_repository_manager_version_sha}")
+
+  writeFile(file: dockerFileLocation, text: dockerFile)
+}
+
+def updateRepositoryCookbookVersion(dockerFileLocation) {
+  def dockerFile = readFile(file: dockerFileLocation)
+
+  def cookbookVersionRegex = /(ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION=")(release-\d\.\d\.\d{8}\-\d{6}\.[a-z0-9]{7})(")/
+
+  dockerFile = dockerFile.replaceAll(cookbookVersionRegex, "\$1${params.nexus_repository_manager_cookbook_version}\$3")
+
+  writeFile(file: dockerFileLocation, text: dockerFile)
+}

Jenkinsfile.rh

@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+ * Includes the third-party code listed at http://links.sonatype.com/products/nexus/attributions.
+ * "Sonatype" is a trademark of Sonatype, Inc.
+ */
+@Library(['private-pipeline-library', 'jenkins-shared']) _
+
+properties([
+  parameters([
+    string(
+      name: 'version',
+      description: 'Version tag to apply to the image, like 3.41.0-ubi-1.'
+    ),
+  ]),
+])
+
+node('ubuntu-zion') {
+  try {
+    stage('Preparation') {
+      deleteDir()
+
+      checkout scm
+
+      sh 'docker system prune -a -f'
+      sh '''
+        wget -q -O preflight \
+          https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.4.1/preflight-linux-amd64
+        chmod 755 preflight
+      '''
+    }
+    stage('Build') {
+      withCredentials([
+        usernamePassword(
+            credentialsId: 'red-hat-quay-nexus-repository-manager',
+            usernameVariable: 'REGISTRY_LOGIN',
+            passwordVariable: 'REGISTRY_PASSWORD'),
+        string(
+            credentialsId: 'red-hat-api-token',
+            variable: 'API_TOKEN')
+      ]) {
+        sh 'PATH="$PATH:." VERSION=$version ./build_red_hat_image.sh'
+      }
+    }
+  } finally {
+    sh 'docker logout'
+    sh 'docker system prune -a -f'
+    sh 'git clean -f && git reset --hard origin/main'
+  }
+}

README.md

@@ -34,7 +34,7 @@ A Dockerfile for Sonatype Nexus Repository Manager 3, starting with 3.18 the ima
 
 ## Contribution Guidelines
 
-Go read [our contribution guidelines](https://github.com/sonatype/docker-nexus3/blob/master/.github/CONTRIBUTING.md) to get a bit more familiar with how
+Go read [our contribution guidelines](https://github.com/sonatype/docker-nexus3/blob/main/.github/CONTRIBUTING.md) to get a bit more familiar with how
 we would like things to flow.
 
 ## Running
@@ -60,7 +60,7 @@ $ curl http://localhost:8081/
 
 ## Building the Nexus Repository Manager image
 
-To build a docker image from the Docker file you can use this command:
+To build a docker image from the [Dockerfile](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile) you can use this command:
 
 ```
 $ docker build --rm=true --tag=sonatype/nexus3 .
@@ -88,7 +88,7 @@ We are using `rspec` as the test framework. `serverspec` provides a docker backe
 
 ## Red Hat Certified Image
 
-A Red Hat certified container image can be created using `Dockerfile.rh.ubi` which is built to be compliant with Red Hat certification.
+A Red Hat certified container image can be created using [Dockerfile.rh.ubi](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.rh.ubi) which is built to be compliant with Red Hat certification.
 The image includes additional meta data to comform with Kubernetes and OpenShift standards, a directory with the
 licenses applicable to the software and a man file for help on how to use the software. It also uses an ENTRYPOINT
 script the ensure the running user has access to the appropriate permissions for OpenShift 'restricted' SCC. 
@@ -100,8 +100,8 @@ and qualified accounts can pull it from registry.connect.redhat.com.
 ## Other Red Hat Images
 
 In addition to the Universal Base Image, we can build images based on:
-* Red Hat Enterprise Linux: `Dockerfile.rh.el`
-* CentOS: `Dockerfile.rh.centos`
+* Red Hat Enterprise Linux: [Dockerfile.rh.el](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.rh.el)
+* CentOS: [Dockerfile.rh.centos](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.rh.centos)
 
 ## Notes
 

build_red_hat_image.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2017-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# prerequisites:
+# * software:
+#   * https://github.com/redhat-openshift-ecosystem/openshift-preflight
+#   * https://podman.io/
+# * environment variables:
+#   * VERSION of the docker image  to build for the red hat registry
+#   * REGISTRY_LOGIN from Red Hat config page for image
+#   * REGISTRY_PASSWORD from Red Hat config page for image
+#   * API_TOKEN from red hat token/account page for API access
+
+set -x # log commands as they execute
+set -e # stop execution on the first failed command
+
+DOCKERFILE=Dockerfile.rh.ubi
+
+# from config/scanning page at red hat
+CERT_PROJECT_ID=5e61d90a38776799eb517bd2
+
+REPOSITORY="quay.io"
+IMAGE_TAG="${REPOSITORY}/redhat-isv-containers/${CERT_PROJECT_ID}:${VERSION}"
+IMAGE_LATEST="${REPOSITORY}/redhat-isv-containers/${CERT_PROJECT_ID}:latest"
+
+AUTHFILE="${HOME}/.docker/config.json"
+
+docker build -f "${DOCKERFILE}" -t "${IMAGE_TAG}" .
+docker tag "${IMAGE_TAG}" "${IMAGE_LATEST}"
+
+docker login "${REPOSITORY}" \
+       -u "${REGISTRY_LOGIN}" \
+       --password "${REGISTRY_PASSWORD}"
+
+docker push "${IMAGE_TAG}"
+docker push "${IMAGE_LATEST}"
+
+preflight check container \
+          "${IMAGE_TAG}" \
+          --docker-config="${AUTHFILE}" \
+          --submit \
+          --certification-project-id="${CERT_PROJECT_ID}" \
+          --pyxis-api-token="${API_TOKEN}"

rh-docker/help.1

@@ -0,0 +1,74 @@
+.PP
+% 
+.BR NEXUS (1) 
+Container Image Pages
+% Sonatype
+% December 15, 2017
+.TH NAME
+.PP
+nexus \- Nexus Repository Manager container image
+.SH DESCRIPTION
+.PP
+The nexus image provides a containerized packaging of the Nexus Repository Manager.
+Nexus Repository Manager is a repository manager with universal support for popular component formats including Maven, Docker, NuGet, npm, PyPi, Bower and more.
+.PP
+The nexus image is designed to be run by the atomic command with one of these options:
+.PP
+\fB\fCrun\fR
+.PP
+Starts the installed container with selected privileges to the host.
+.PP
+\fB\fCstop\fR
+.PP
+Stops the installed container
+.PP
+The container itself consists of:
+    \- Linux base image
+    \- Java OpenJDK
+    \- Nexus Repository Manager
+    \- Atomic help file
+.PP
+Files added to the container during docker build include: /help.1.
+.SH USAGE
+.PP
+To use the nexus container, you can run the atomic command with run, stop, or uninstall options:
+.PP
+To run the nexus container:
+.IP
+atomic run nexus
+.PP
+To stop the nexus container (after it is installed), run:
+.IP
+atomic stop nexus
+.SH LABELS
+.PP
+The nexus container includes the following LABEL settings:
+.PP
+That atomic command runs the docker command set in this label:
+.PP
+\fB\fCRUN=\fR
+.IP
+LABEL RUN='docker run \-d \-p 8081:8081 \-\-name ${NAME} ${IMAGE}'
+.IP
+The contents of the RUN label tells an \fB\fCatomic run nexus\fR command to open port 8081 & set the name of the container.
+.PP
+\fB\fCSTOP=\fR
+.IP
+LABEL STOP='docker stop ${NAME}'
+.PP
+\fB\fCName=\fR
+.PP
+The registry location and name of the image. For example, Name="Nexus Repository Manager".
+.PP
+\fB\fCVersion=\fR
+.PP
+The Nexus Repository Manager version from which the container was built. For example, Version="3.6.2\-01".
+.PP
+When the atomic command runs the nexus container, it reads the command line associated with the selected option
+from a LABEL set within the Docker container itself. It then runs that command. The following sections detail
+each option and associated LABEL:
+.SH SECURITY IMPLICATIONS
+.PP
+\fB\fC\-d\fR
+.PP
+Runs continuously as a daemon process in the background

rh-docker/help.md

@@ -0,0 +1,72 @@
+% NEXUS(1) Container Image Pages
+% Sonatype
+% December 15, 2017
+
+# NAME
+nexus \- Nexus Repository Manager container image
+
+# DESCRIPTION
+The nexus image provides a containerized packaging of the Nexus Repository Manager.
+Nexus Repository Manager is a repository manager with universal support for popular component formats including Maven, Docker, NuGet, npm, PyPi, Bower and more.
+
+The nexus image is designed to be run by the atomic command with one of these options:
+
+`run`
+
+Starts the installed container with selected privileges to the host.
+
+`stop`
+
+Stops the installed container
+
+The container itself consists of:
+    - Linux base image
+    - Java OpenJDK
+    - Nexus Repository Manager
+    - Atomic help file
+
+Files added to the container during docker build include: /help.1.
+
+# USAGE
+To use the nexus container, you can run the atomic command with run, stop, or uninstall options:
+
+To run the nexus container:
+
+  atomic run nexus
+
+To stop the nexus container (after it is installed), run:
+
+  atomic stop nexus
+
+# LABELS
+The nexus container includes the following LABEL settings:
+
+That atomic command runs the docker command set in this label:
+
+`RUN=`
+
+  LABEL RUN='docker run -d -p 8081:8081 --name ${NAME} ${IMAGE}'
+
+  The contents of the RUN label tells an `atomic run nexus` command to open port 8081 & set the name of the container.
+
+`STOP=`
+
+  LABEL STOP='docker stop ${NAME}'
+
+`Name=`
+
+The registry location and name of the image. For example, Name="Nexus Repository Manager".
+
+`Version=`
+
+The Nexus Repository Manager version from which the container was built. For example, Version="3.6.2-01".
+
+When the atomic command runs the nexus container, it reads the command line associated with the selected option
+from a LABEL set within the Docker container itself. It then runs that command. The following sections detail
+each option and associated LABEL:
+
+# SECURITY IMPLICATIONS
+
+`-d`
+
+Runs continuously as a daemon process in the background

rh-docker/licenses/LICENSE

@@ -0,0 +1,10 @@
+Sonatype Nexus (TM) Open Source Version
+Copyright (c) 2008-present Sonatype, Inc.
+All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+
+This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+
+Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+Eclipse Foundation. All other trademarks are the property of their respective owners.

rh-docker/uid_entrypoint.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+#
+# Copyright:: Copyright (c) 2017-present Sonatype, Inc. Apache License, Version 2.0.
+#
+# arbitrary uid recognition at runtime - for OpenShift deployments
+USER_ID=$(id -u)
+if [[ ${USER_UID} != ${USER_ID} ]]; then
+    sed "s@${USER_NAME}:x:\${USER_ID}:@${USER_NAME}:x:${USER_ID}:@g" /etc/passwd.template > /etc/passwd
+fi
+exec "$@"
+

rh-docker/uid_template.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# Copyright:: Copyright (c) 2017-present Sonatype, Inc. Apache License, Version 2.0.
+#
+# arbitrary uid recognition at runtime - for OpenShift deployments
+sed "s@${USER_NAME}:x:${USER_UID}:@${USER_NAME}:x:\${USER_ID}:@g" /etc/passwd > /etc/passwd.template