Update container image to 24.02

.github/workflows/ctr.yaml

@@ -37,10 +37,7 @@ jobs:
 
       - name: Patch source code and prepare build context
         working-directory: ./ejabberd-source
-        run: |
-          git apply ../image/${{ env.REF }}/patches/*.patch
-          mkdir ./k8s-scripts
-          cp -r ../image/${{ env.REF }}/scripts/* ./k8s-scripts
+        run: git apply ../image/${{ env.REF }}/patches/*.patch
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2

CHANGELOG.md

@@ -7,6 +7,12 @@ project adheres to [Semantic Versioning][SemVer].
 - Add `seccompProfile` to sidecar and default `values.yaml`.
 - Add option to define sidecar image via `Values.certFiles.sideCar.image`.
 
+### Changed
+- Bump ejabberd image to `24.02-k8s1` - changelog: [ejabberd 24.02](https://github.com/processone/ejabberd/blob/master/CHANGELOG.md#version-2402).
+
+### Removed
+- Remove `mod_captcha_rust`, because of a compilation error with erlang >26.
+
 ## 0.7.1 - 2024-01-19
 ### Added
 - Add support for kubernetes native sidecars added in kubernetes version `1.29`.

README.md

@@ -49,7 +49,7 @@ A short summary:
 * Stipped/ hardened image by deleting all unneccessary packages from the image,
   e.g. package managers, etc.
 * Includes additional libraries for ejabberd contribution modules
-  `ejabberd_auth_http`, `mod_captcha_rust` and `mod_ecaptcha`.
+  `ejabberd_auth_http` and `mod_ecaptcha`.
 * The three mentioned modules plus `mod_s3_upload` are installed in the image
   already.
 * No ACME support, mounting your certs as k8s secrets is necessary.

charts/ejabberd/Chart.yaml

@@ -3,7 +3,7 @@ name: ejabberd
 description: ejabberd XMPP server helm chart
 type: application
 version: 0.7.1
-appVersion: "23.10-k8s3"
+appVersion: "24.02-k8s1"
 keywords:
   - xmpp
   - mqtt

image/24.02/patches/Dockerfile.patch

@@ -0,0 +1,135 @@
+diff --git a/.github/container/Dockerfile b/.github/container/Dockerfile
+index 24029d2b6..244d458f4 100644
+--- a/.github/container/Dockerfile
++++ b/.github/container/Dockerfile
+@@ -4,7 +4,10 @@ ARG OTP_VSN='26.2'
+ ARG ELIXIR_VSN='1.16.1'
+ ## specifc ARGs for METHOD='package'
+ ARG ALPINE_VSN='3.19'
++## specifc ARGs for elector
++ARG GO_VSN='1.21'
+ ## general ARGs
++ARG VARIANT='hardened'
+ ARG UID='9000'
+ ARG USER='ejabberd'
+ ARG HOME="opt/$USER"
+@@ -12,6 +15,19 @@ ARG METHOD='direct'
+ ARG BUILD_DIR="/$USER"
+ ARG VERSION='master'
+
++################################################################################
++#' METHOD='direct' - build and install ejabberd directly from source
++FROM docker.io/golang:${GO_VSN}-alpine AS elector
++RUN apk -U add --no-cache \
++        build-base \
++        git
++
++WORKDIR /elector
++RUN git clone https://github.com/sando38/k8s-elector \
++        --branch update-packages --depth 1 .
++
++RUN make build-linux
++
+ ################################################################################
+ #' METHOD='direct' - build and install ejabberd directly from source
+ FROM docker.io/erlang:${OTP_VSN}-alpine AS direct
+@@ -21,6 +37,7 @@ RUN apk -U add --no-cache \
+         automake \
+         bash \
+         build-base \
++        cargo \
+         curl \
+         expat-dev \
+         file \
+@@ -48,7 +65,18 @@ RUN mix local.hex --force \
+ ARG BUILD_DIR
+ COPY / $BUILD_DIR/
+
++WORKDIR $BUILD_DIR/.ejabberd-modules/sources/ejabberd-contrib
++
++# include some ejabberd contribution modules which may be nice for clusters
++RUN git clone https://github.com/processone/ejabberd-contrib --depth 1 . \
++    && install mod_s3_upload/src/*.erl $BUILD_DIR/src \
++    && install mod_s3_upload/include/*.hrl $BUILD_DIR/include \
++    && install mod_ecaptcha/src/*.erl $BUILD_DIR/src \
++    && install ejabberd_auth_http/src/*.erl $BUILD_DIR/src \
++    && rm -rf mod_ecaptcha mod_http_redirect mod_s3_upload
++
+ WORKDIR $BUILD_DIR
++
+ RUN mv .github/container/ejabberdctl.template . \
+     && ./autogen.sh \
+     && ./configure --with-rebar=mix --enable-all \
+@@ -67,9 +95,9 @@ RUN cp -p $BUILD_DIR/tools/captcha*.sh $HOME-$VERSION/lib
+ RUN find "$HOME-$VERSION/bin" -name 'ejabberd' -delete \
+     && find "$HOME-$VERSION/releases" -name 'COOKIE' -delete
+
+-RUN wget -O "$HOME/conf/cacert.pem" 'https://curl.se/ca/cacert.pem' \
+-    && sed -i '/^loglevel:/a \ \
+-        \nca_file: /opt/ejabberd/conf/cacert.pem \
++ADD https://curl.se/ca/cacert.pem $HOME/cacert/cacert.pem
++RUN sed -i '/^loglevel:/a \ \
++        \nca_file: /opt/ejabberd/cacert/cacert.pem \
+         \ncertfiles: \
+         \n  - /opt/ejabberd/conf/server.pem' "$HOME/conf/ejabberd.yml"
+
+@@ -117,7 +145,6 @@ RUN export PEM=$HOME/conf/server.pem \
+             -subj "/CN=localhost"
+
+ RUN home_root_dir=$(echo $HOME | sed 's|\(.*\)/.*|\1 |') \
+-    && setcap 'cap_net_bind_service=+ep' $(find $home_root_dir -name beam.smp) \
+     && echo -e \
+         "#!/bin/sh \
+         \n[ -z \$ERLANG_NODE_ARG ] && export ERLANG_NODE_ARG=ejabberd@localhost \
+@@ -156,6 +183,8 @@ COPY --from=ejabberd /tmp/runDeps /tmp/runDeps
+ RUN apk -U upgrade --available --no-cache \
+     && apk add --no-cache \
+         $(cat /tmp/runDeps) \
++        gettext \
++        jq \
+         so:libcap.so.2 \
+         so:libtdsodbc.so.0 \
+         tini \
+@@ -170,11 +199,40 @@ RUN addgroup $USER -g $UID \
+ ################################################################################
+ #' Build together production image
+ FROM scratch AS prod
+-ARG USER
+-ARG HOME
+
+ COPY --from=runtime / /
+ COPY --from=ejabberd /rootfs /
++COPY --from=elector /elector/elector /usr/local/bin/elector
++
++################################################################################
++#' Remove unneccessary packages from runtime environment
++FROM runtime AS runtime-hardened
++# we need busybox' 'ash', which became a sub-package in alpine 3.17
++RUN check=$(printf "$(cat /etc/alpine-release)\n3.17" | sort -V | head -n1) \
++    && if [ "$check" = '3.17' ]; then sub='-binsh'; fi \
++    && apk add --no-cache \
++        busybox${sub}
++RUN apk del --repositories-file /dev/null \
++        alpine-baselayout \
++        alpine-keys \
++        apk-tools \
++        libc-utils \
++    && rm -rf /var/cache/apk /etc/apk /tmp \
++    && find /lib/apk/db -type f -not -name 'installed' -delete
++
++################################################################################
++#' Build together hardened production image
++FROM scratch AS hardened
++
++COPY --from=runtime-hardened / /
++COPY --from=ejabberd /rootfs /
++COPY --from=elector /elector/elector /usr/local/bin/elector
++
++################################################################################
++#' Build together production image
++FROM ${VARIANT} AS final
++ARG USER
++ARG HOME
+
+ HEALTHCHECK \
+     --interval=1m \

image/24.02/patches/mix.exs.patch

@@ -0,0 +1,27 @@
+diff --git a/mix.exs b/mix.exs
+index 631e0e728..6203d36b3 100644
+--- a/mix.exs
++++ b/mix.exs
+@@ -47,6 +47,7 @@ defmodule Ejabberd.MixProject do
+                     :p1_utils, :stringprep, :syntax_tools, :yconf]
+      ++ cond_apps(),
+      included_applications: [:mnesia, :os_mon,
++                             :cuesport, :fusco, :ecaptcha,
+                              :cache_tab, :eimp, :mqtree, :p1_acme,
+                              :p1_oauth2, :pkix, :xmpp]
+      ++ cond_included_apps()]
+@@ -104,11 +105,14 @@ defmodule Ejabberd.MixProject do
+   defp deps do
+     [{:base64url, "~> 1.0"},
+      {:cache_tab, "~> 1.0"},
++     {:cuesport, github: "goj/cuesport", manager: :rebar3},
++     {:ecaptcha, github: "seriyps/ecaptcha"},
+      {:eimp, "~> 1.0"},
+      {:ex_doc, "~> 0.31", only: [:dev, :edoc], runtime: false},
+      {:fast_tls, ">= 1.1.18"},
+      {:fast_xml, ">= 1.1.51"},
+      {:fast_yaml, "~> 1.0"},
++     {:fusco, "~> 0.1"},
+      {:idna, "~> 6.0"},
+      {:jiffy, "~> 1.1.1"},
+      {:jose, "~> 1.11.5"},

image/24.02/scripts/ejabberdctl

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# Determine pod's cluster name
+pod_name="${POD_NAME:-$(hostname -s)}" # e.g. pod-0
+pod_endpoint_name="$(hostname -f)" # e.g. pod-0.servicename.namespace.svc.cluster.local
+sts_name="$(echo $pod_name | sed 's|-[0-9]\+||g')"
+
+[ -z "$ERLANG_NODE_ARG" ] && export ERLANG_NODE_ARG="$sts_name@$pod_endpoint_name"
+export CONFIG_DIR="$HOME"/conf
+export LOGS_DIR="$HOME"/logs
+export SPOOL_DIR="$HOME"/database
+
+exec $(find /opt -name ejabberdctl) "$@"