Keep Images Up to Date

Lucee Docker Images

This repository focuses on building and maintaining the Lucee Docker Images provided for Lucee.

Lucee application engine running on Apache Tomcat J2EE application server.

Supported tags and respective Dockerfile links

Latest stable release

Lucee 6.0.x - Tomcat 9.0 with Java 11 (recommended)

6.0.3.1-tomcat9.0-jre11-temurin-jammy, 6.0.3.1, 6.0, latest (Dockerfile)
- 6.0.3.1-nginx-tomcat9.0-jre11-temurin-jammy, 6.0.3.1-nginx, 6.0-nginx (Dockerfile.nginx)

Previous stable release (LTS)

Lucee 5.4.x - Tomcat 9.0 with Java 11 (recommended)

5.4.5.23-tomcat9.0-jre11-temurin-jammy, 5.4.5.23, 5.4 (Dockerfile)
- 5.4.5.23-nginx-tomcat9.0-jre11-temurin-jammy, 5.4.5.23-nginx, 5.4-nginx (Dockerfile.nginx)

Lucee 5.4.x - Tomcat 9.0 with Java 8

5.4.5.23-tomcat9.0-jre8-temurin-jammy (Dockerfile)
- 5.4.5.23-nginx-tomcat9.0-jre8-temurin-jammy (Dockerfile.nginx)

Bleeding edge Snapshot / RC / Beta

6.1.0.193-RC-tomcat9.0-jre21-temurin-jammy, 6.1.0.193-RC
- 6.1.0.193-RC-nginx-tomcat9.0-jre21-temurin-jammy, 6.1.0.193-RC-nginx
6.0.2.41-RC-tomcat9.0-jre11-temurin-jammy, 6.0.2.41-RC
- 6.0.2.41-RC-nginx-tomcat9.0-jre11-temurin-jammy, 6.0.2.41-RC-nginx

The SNAPSHOTS Docker image builds are automatically generated after a successful Lucee build. Check the Docker Hub tags and/or the Lucee Downloads page to see the latest SNAPSHOT version numbers.

The RC and Beta builds are manually triggered when they are announced.

For more information about Lucee versions and extensions see the Lucee Downloads page.

How the tags work

The Lucee Docker image tags follow a naming convention which is used to produce "simple tags" that are updated with each release (e.g. 6.1, 6.1-nginx) as well as "full tags" which allow for very specific version targeting (e.g. 6.1.0.175-tomcat9.0-jre21-temurin-jammy).

The tag naming convention is;

LUCEE_VERSION[-RELEASE_TYPE][-light][-nginx][-TOMCAT_VERSION-JRE_VERSION]

LUCEE_VERSION is the Lucee Version number string. For simple tags it may optionally be in the MAJOR.MINOR format (e.g. 5.4) and for full tags it's in the MAJOR.MINOR.PATCH.BUILD format (e.g. 6.1.0.175). Snapshot, RC and Beta builds always include the full version number.
RELEASE_TYPE is the type of release; omitted for Releases, otherwise SNAPSHOT, RC or BETA
-light (optional) is a build with the Lucee "Light" JAR file, WITHOUT any extensions (users must install extensions separately, this includes database drivers, ORM, ESAPI, S3, image handling, etc)
-nginx (optional) is a build with the NGINX web server bundled and configured
-TOMCAT_VERSION-JRE_VERSION is the Tomcat major and minor version and Java major version of the build to allow users to choose between different combinations (e.g. tomcat9.0-jre11-temurin-jammy vs tomcat9.0-jre21-temurin-jammy). This is omitted for "simple tags" where the recommended Tomcat and Java versions are used.

Base Image / Operating System Notes:

The Lucee images are based on the Docker Tomcat images.
The Docker Tomcat images were previously based on OpenJDK images which used Debian as the underlying OS. The OpenJDK Debian images have been discontinued for Java 8 and Java 11 so the next best match in the Docker Tomcat images are now the Ubuntu Jammy (22.04 LTS) and Focal (20.04 LTS) images using the OpenJDK baed Temurin Java distributions.
The Docker Tomcat images removed support for Alpine and so the Lucee -alpine variant can no longer be supported. If the Tomcat base images add support for Alpine in the future then we will look to support the -alpine variant again.

Example Project Dockerfile

For the latest stable release with Tomcat only:

FROM lucee/lucee:6.0

COPY config/lucee/ /opt/lucee/web/
COPY www /var/www

For the latest stable release with NGINX and Tomcat:

FROM lucee/lucee:6.0-nginx

COPY config/nginx/ /etc/nginx/
COPY config/lucee/ /opt/lucee/web/
COPY www /var/www

More examples here

Features

Java optimisation tweaks

JVM is set to use /dev/urandom as an entropy source for secure random numbers to avoid blocking Tomcat on startup.
Tomcat is configured to skip the default scanning of Jar files on startup, significantly improving startup time.

Optimised for single-site application

The default configuration serves a single application for any hostname on the listening port. Multiple applications can be supported by editing the server.xml in the Tomcat config.

Lucee 6 by default runs in single mode (only one configuration and Administrator), if you prefer to run it in multi mode you need to to set the flag "mode" to "multi" in the of the .CFConfig.json file.

Using this image

Accessing the service

Lucee server's Tomcat installation listens on port 8888, and optional NGINX listens on port 80.

This base image exposes port 8080 to linked containers but its not used. You must publish or expose port 8888 if you wish to access Tomcat from your installation.

Accessing the Lucee Admin

The Lucee Admin URL is /lucee/admin/ from the exposed port. With Lucee 5.4.6 (and above), 6.0.2 (and above) and 6.1 (and above), you can set the password with the environment variable LUCEE_ADMIN_PASSWORD=qwerty or the system property -Dlucee.admin.password=123456.

THIS IS NOT A SECURE CONFIGURATION FOR PRODUCTION ENVIRONMENTS! It is strongly recommended that you secure the container by:

Changing the server password
Using IP or URL filtering to restrict access to the Lucee Admin
Following recommended security practices such as the Lucee Lockdown Guide

The NGINX tagged Docker images are configured to deny access to the Lucee Admin by default in the default.conf.

Folder locations

Web root for default site: /var/www

Configuration folders:

Tomcat config: /usr/local/tomcat/conf
Lucee config for default site: /opt/lucee/web
Lucee server context: /opt/lucee/server/lucee-server/context

Log folders:

Tomcat logs: /usr/local/tomcat/logs
Lucee logs for default site: /opt/lucee/web/logs

Environment variables

Following some helpful Environment variables you can use with the Lucee docker image.

LUCEE_ADMIN_PASSWORD: The password for the Lucee Administrator
LUCEE_VERSION: If set Lucee will run this version independent of the version installed.
LUCEE_JAVA_OPTS: Additional JVM parameters for Tomcat. Used by /usr/local/tomcat/bin/setenv.sh. Default: "-Xms64m -Xmx512m".

For all possible enviroment variables supported by Lucee, see here.

How to locally develop Lucee Docker builds

Developing and testing builds locally requires a Docker environment with buildx support and Python 3 installed. Run pip3 install -r requirements.txt to install the required dependencies.

To build and test specific verions set environment variables for the Tomcat and Lucee verions that are to be used, e.g.

export TOMCAT_VERSION=9.0
export TOMCAT_JAVA_VERSION=jre11-temurin-jammy
export TOMCAT_BASE_IMAGE=
export LUCEE_MINOR=5.4
export LUCEE_SERVER=,-nginx
export LUCEE_VARIANTS=

export LUCEE_VERSION=5.4.4.38

Then use the default builder with buildx and run the build-images script using a single target platform only (matching your native platform), e.g.

docker buildx use default
./build-images.py --no-push --buildx-load --buildx-platform linux/amd64

Specify the newly built image tag in a Docker Compose file to run and test the container image with docker-compose up;

lucee:
  image: lucee/lucee:5.4.4.38
  ports: 
    - "8854:8888"
    - "8054:80"

You can also find examples that show you how to for example add your own configuration or custom extensions here

Advanced build changes

If adding new Tomcat base (OS) images, Tomcat versions, Java versions, or Lucee versions or variants, the matrix.yaml needs to be edited so that several features like the tag building/lookups will work. After modifying the matrix.yaml run the script ./generate-matrix.py to generate the new Travis configuration (note: Travis CI is deprecated as builds have transitioned to GitHub Actions, however this part of the build hasn't been fully removed yet).

Older Lucee Base Images

The older versions of Lucee remain available as tags in the lucee/lucee Docker Hub repository. Listed are the newest releases for each minor version.

Lucee 5.3.x - Tomcat 9.0 with Java 11

5.3.12.1-tomcat9.0-jre11-temurin-jammy, 5.3.12.1, 5.3 (Dockerfile)
- 5.3.12.1-nginx-tomcat9.0-jre11-temurin-jammy, 5.3.12.1-nginx, 5.3-nginx (Dockerfile.nginx)

Lucee 5.2.x - Tomcat 9.0 with Java 11

5.2.9.31-tomcat9.0-jre11, 5.2.9.31, 5.2 (Dockerfile)
- 5.2.9.31-nginx-tomcat9.0-jre11, 5.2.9.31-nginx, 5.2-nginx (Dockerfile.nginx)

Legacy Lucee Base Images

The legacy Lucee Base Images / repositories will remain available for the projects that are using them, though the build process for those images is considered "legacy" as they have been superseded by the new build matrix builds.

The base images can be accessed in the existing Docker Hub repositories and the source is now in the legacy branch;

https://github.com/lucee/lucee-dockerfiles/tree/legacy

Lucee 5.2 (Legacy builds)

Lucee 5.1 (Legacy builds)

Lucee 5.0 (Legacy builds)

Lucee 4.5 (Legacy builds)

Contributing to this Project

The Lucee Dockerfiles project is maintained by the community. Chief protagonist is @justincarter (Justin Carter of Daemon). Bug reports and pull requests are most welcome.

Special thanks to @rye (Kristofer Rye) and @hawkrives (Hawken Rives) for their work on the Travis build matrix.

License

The Docker files and config files are available under the MIT License. The Lucee engine, Tomcat, NGINX and any other softwares are available under their respective licenses.

Name	Package	Severity	Description
CVE-2020-10878	perl:5.28.1-6	HIGH	Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
CVE-2020-8492	python2.7:2.7.16-2+deb10u1	HIGH	Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVE-2018-12886	gcc-8:8.3.0-6	MEDIUM	stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.
CVE-2020-1751	glibc:2.28-10	MEDIUM	An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
CVE-2019-20367	libbsd:0.9.1-2	MEDIUM	nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab).
CVE-2019-12290	libidn2:2.0.5-1+deb10u1	MEDIUM	GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.
CVE-2019-13115	libssh2:1.8.0-2.1	MEDIUM	In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.
CVE-2019-20454	pcre2:10.32-5	MEDIUM	An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.
CVE-2020-14155	pcre3:2:8.39-12	MEDIUM	libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.
CVE-2020-12723	perl:5.28.1-6	MEDIUM	regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
CVE-2020-10543	perl:5.28.1-6	MEDIUM	Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
CVE-2020-11655	sqlite3:3.27.2-3	MEDIUM	SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
CVE-2019-16168	sqlite3:3.27.2-3	MEDIUM	In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."
CVE-2019-19603	sqlite3:3.27.2-3	MEDIUM	SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.
CVE-2019-20218	sqlite3:3.27.2-3	MEDIUM	selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.

lucee / lucee-dockerfiles Goto Github PK

lucee-dockerfiles's Introduction