This is an automated email from the ASF dual-hosted git repository. twolf pushed a commit to branch dev_3.0 in repository https://gitbox.apache.org/repos/asf/mina-sshd.git
commit 5ae2694e74e777c628d1e792dfe2699c77a44db8 Author: Thomas Wolf <[email protected]> AuthorDate: Sat Mar 28 13:26:45 2026 +0100 [releng] Pin docker images Pin all docker images used in tests via their SHA-256 instead of using floating tags. --- .../org/apache/sshd/scp/client/ScpCharsetTest.java | 17 ++++++------ .../org/apache/sshd/sftp/client/OpenSshTest.java | 4 ++- .../org/apache/sshd/sftp/client/ProFtpdTest.java | 4 ++- .../client/auth/ClientOpenSSHCertificatesTest.java | 32 ++++++++++++---------- .../sshd/client/auth/HostBoundPubKeyAuthTest.java | 20 ++++++++------ .../forward/PortForwardingWithOpenSshTest.java | 4 ++- .../apache/sshd/client/kex/OpenSshMlKemTest.java | 20 ++++++++------ .../client/kex/StrictKexInteroperabilityTest.java | 4 +-- .../client/proxy/ProxyHttpAuthIntegrationTest.java | 4 ++- .../client/proxy/ProxyHttpIntegrationTest.java | 4 ++- .../proxy/ProxySocksAuthIntegrationTest.java | 4 ++- .../client/proxy/ProxySocksIntegrationTest.java | 4 ++- .../sshd/common/cipher/OpenSshCipherTest.java | 24 ++++++++-------- 13 files changed, 84 insertions(+), 61 deletions(-) diff --git a/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpCharsetTest.java b/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpCharsetTest.java index 85afdf226..932260765 100644 --- a/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpCharsetTest.java +++ b/sshd-scp/src/test/java/org/apache/sshd/scp/client/ScpCharsetTest.java 
@@ -59,14 +59,15 @@ class ScpCharsetTest extends BaseTestSupport { @Container GenericContainer<?> sshdContainer = new GenericContainer<>(new ImageFromDockerfile() - .withDockerfileFromBuilder(builder -> builder.from("alpine:3.21") // - .env("MUSL_LOCPATH", "/usr/share/i18n/locales/musl") // Install locales - .run("apk --update add musl-locales openssh-server openssh") // ... and OpenSSH (client for scp) - .run("ssh-keygen -A") // Generate multiple host keys - .run("adduser -D bob") // Add a user - .run("echo 'bob:passwordBob' | chpasswd") // Give it a password to unlock the user - .entryPoint("/entrypoint.sh") // Prepare environment, set locale to en_US.ISO8859-1, and launch - .build())) // + .withDockerfileFromBuilder( + builder -> builder.from("alpine@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709") // 3.21 + .env("MUSL_LOCPATH", "/usr/share/i18n/locales/musl") // Install locales + .run("apk --update add musl-locales openssh-server openssh") // ... and OpenSSH (client for scp) + .run("ssh-keygen -A") // Generate multiple host keys + .run("adduser -D bob") // Add a user + .run("echo 'bob:passwordBob' | chpasswd") // Give it a password to unlock the user + .entryPoint("/entrypoint.sh") // Prepare environment, set locale to en_US.ISO8859-1, and launch + .build())) // .withCopyFileToContainer(MountableFile.forClasspathResource(TEST_RESOURCES + "/bob_key.pub"), "/home/bob/.ssh/authorized_keys") // entrypoint must be executable. Spotbugs doesn't like 0777, so use hex diff --git a/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/OpenSshTest.java b/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/OpenSshTest.java index 19be1517a..fe05fc7d7 100644 --- a/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/OpenSshTest.java +++ b/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/OpenSshTest.java 
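Review bot: The digest pin in `ScpCharsetTest` fixes only the base layer; the next step, `.run("apk --update add musl-locales openssh-server openssh")`, still resolves packages from the Alpine repositories at build time, so the built image can differ between runs. The same holds for the `apk --update add` lines in the ClientOpenSSHCertificatesTest, HostBoundPubKeyAuthTest, PortForwardingWithOpenSshTest, OpenSshMlKemTest, StrictKexInteroperabilityTest and OpenSshCipherTest hunks. It matters most in StrictKexInteroperabilityTest, whose premise depends on the installed OpenSSH version. Where the version matters, consider pinning the package too (`apk add openssh-server=<version>`), or at least add a comment such as `// base image pinned by digest; apk packages still float within the release branch`. The container definition continues past the end of this hunk.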
@@ -44,8 +44,10 @@ class OpenSshTest extends JUnitTestSupport { private static final String RESOURCES = "/" + OpenSshTest.class.getPackage().getName().replace('.', '/'); + // TODO: this is a amd64-only image. Find a multi-arch image to use instead! @Container - static GenericContainer<?> server = new GenericContainer<>("atmoz/sftp:alpine") // + static GenericContainer<?> server = new GenericContainer<>( + "atmoz/sftp@sha256:56483e4d6678cbca5afccb1a6c525d95ba8f65dfb69063954a73317eda911579") // alpine .withEnv("SFTP_USERS", "foo::::upload") // Set it up for pubkey auth .withCopyFileToContainer(MountableFile.forClasspathResource(RESOURCES + "/rsa_key.pub"), diff --git a/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/ProFtpdTest.java b/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/ProFtpdTest.java index 5a33411ee..7dc13f90c 100644 --- a/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/ProFtpdTest.java +++ b/sshd-sftp/src/test/java/org/apache/sshd/sftp/client/ProFtpdTest.java @@ -51,7 +51,9 @@ class ProFtpdTest extends JUnitTestSupport { @Container static GenericContainer<?> server = new GenericContainer<>( - new ImageFromDockerfile().withDockerfileFromBuilder(builder -> builder.from("instantlinux/proftpd:latest") // + new ImageFromDockerfile().withDockerfileFromBuilder(builder -> builder + // latest as of 2026-03-27 + .from("instantlinux/proftpd@sha256:3de65108bc60548c575eb3dd8289500d9bfd42358c662ecfcbff93ced732e230") // Get SFTP logs on stderr .run("sed -i -e 's:^WtmpLog:AllowLogSymLinks on\\nSystemLog /dev/stderr\\nSFTPLog /dev/stderr\\nWtmpLog:' /etc/proftpd/proftpd.conf") // .build())) // diff --git a/sshd-test/src/test/java/org/apache/sshd/client/auth/ClientOpenSSHCertificatesTest.java b/sshd-test/src/test/java/org/apache/sshd/client/auth/ClientOpenSSHCertificatesTest.java index c984f9f0e..78c63c564 100644 --- a/sshd-test/src/test/java/org/apache/sshd/client/auth/ClientOpenSSHCertificatesTest.java 
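Review bot: In `OpenSshTest` the trailing `// alpine` records the tag but not when the digest was captured, unlike the `// latest as of 2026-03-27` comments used for the other floating tags in this commit. `atmoz/sftp:alpine` is also a moving tag, so suggest `// alpine as of <date>`. The new TODO should read `// TODO: this is an amd64-only image. Find a multi-arch image to use instead!`. When a multi-arch replacement is chosen, the pinned value needs to be the digest of the image index rather than of a single-platform manifest, otherwise the pin itself would restrict the test to one architecture.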
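Review bot: The `// latest as of 2026-03-27` comment in `ProFtpdTest` says when the digest was taken but not how or when to refresh it, and a digest pin of `latest` means the test image no longer picks up upstream fixes on its own. The same applies to the `ajoergensen/tinyproxy` and `serjs/go-socks5-proxy` pins in ProxyHttpAuthIntegrationTest, ProxyHttpIntegrationTest, ProxySocksAuthIntegrationTest and ProxySocksIntegrationTest. Suggest extending the comment, e.g. `// latest as of 2026-03-27; refresh by pulling the tag and copying the new repo digest`, or stating in the commit message whether an automated updater is expected to bump these digests.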
+++ b/sshd-test/src/test/java/org/apache/sshd/client/auth/ClientOpenSSHCertificatesTest.java 
@@ -85,21 +85,23 @@ public class ClientOpenSSHCertificatesTest extends AbstractContainerTestBase { **/ @Container static GenericContainer<?> sshdContainer = new GenericContainer<>( - new ImageFromDockerfile().withDockerfileFromBuilder(builder -> builder.from("alpine:3.19") // - .run(discriminate()) // - .run("apk --update add openssh openssh-server") // Install - .run("rm -rf /var/cache/apk/*") // Clear cache - .run("addgroup customusers") // Give our users a group - .run("adduser -D user01 -G customusers") // Create a user - .run("adduser -D user02 -G customusers") // Create another one - .run("passwd -u user01") // Unlock, but... - .run("passwd -u user02") // ... don't set passwords - .run("mkdir -p /keys/user/user01") // Directories for... - .run("mkdir -p /keys/user/user02") // ... the authorized keys - .run("echo 'user01:password01' | chpasswd") // Passwords for... - .run("echo 'user02:password02' | chpasswd") // ...both users - .entryPoint("/entrypoint.sh") // - .build())) // + new ImageFromDockerfile().withDockerfileFromBuilder( + // 3.19 + builder -> builder.from("alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1") // + .run(discriminate()) // + .run("apk --update add openssh openssh-server") // Install + .run("rm -rf /var/cache/apk/*") // Clear cache + .run("addgroup customusers") // Give our users a group + .run("adduser -D user01 -G customusers") // Create a user + .run("adduser -D user02 -G customusers") // Create another one + .run("passwd -u user01") // Unlock, but... + .run("passwd -u user02") // ... don't set passwords + .run("mkdir -p /keys/user/user01") // Directories for... + .run("mkdir -p /keys/user/user02") // ... the authorized keys + .run("echo 'user01:password01' | chpasswd") // Passwords for... 
+ .run("echo 'user02:password02' | chpasswd") // ...both users + .entryPoint("/entrypoint.sh") // + .build())) // .withCopyFileToContainer( MountableFile.forClasspathResource(TEST_RESOURCES + "/sshd_config"), "/etc/ssh/sshd_config") .withCopyFileToContainer( diff --git a/sshd-test/src/test/java/org/apache/sshd/client/auth/HostBoundPubKeyAuthTest.java b/sshd-test/src/test/java/org/apache/sshd/client/auth/HostBoundPubKeyAuthTest.java index afe73ab9a..86a3cdc78 100644 --- a/sshd-test/src/test/java/org/apache/sshd/client/auth/HostBoundPubKeyAuthTest.java +++ b/sshd-test/src/test/java/org/apache/sshd/client/auth/HostBoundPubKeyAuthTest.java 
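Review bot: The Alpine 3.19 digest introduced here in `ClientOpenSSHCertificatesTest` is repeated as a string literal in HostBoundPubKeyAuthTest, StrictKexInteroperabilityTest and OpenSshCipherTest, and the 3.21, tinyproxy and go-socks5-proxy digests are each duplicated across two files. A 64-hex-digit literal copied into several places is easy to update in one file and miss in another, and a reader cannot check by eye that two copies match. Consider one named constant per image, for example a `static final String` in the shared `AbstractContainerTestBase` for the sshd-test classes (name to be chosen by the project), with the version comment kept next to the constant. The container definition starts before and continues after this hunk.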
@@ -59,15 +59,17 @@ public class HostBoundPubKeyAuthTest extends AbstractContainerTestBase { @Container static GenericContainer<?> sshdContainer = new GenericContainer<>( - new ImageFromDockerfile().withDockerfileFromBuilder(builder -> builder.from("alpine:3.16") - .run(discriminate()) // - .run("apk --update add openssh-server") // Installs OpenSSH 9.0 - .run("ssh-keygen -A") // Generate multiple host keys - .run("adduser -D bob") // Add a user - .run("echo 'bob:passwordBob' | chpasswd") // Give it a password to unlock the user - .run("mkdir -p /home/bob/.ssh") // Create the SSH config directory - .entryPoint("/entrypoint.sh") // Sets bob as owner of anything under /home/bob and launches sshd - .build())) // + new ImageFromDockerfile().withDockerfileFromBuilder( + // 3.19 + builder -> builder.from("alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1") + .run(discriminate()) // + .run("apk --update add openssh-server") // Installs OpenSSH 9.0 + .run("ssh-keygen -A") // Generate multiple host keys + .run("adduser -D bob") // Add a user + .run("echo 'bob:passwordBob' | chpasswd") // Give it a password to unlock the user + .run("mkdir -p /home/bob/.ssh") // Create the SSH config directory + .entryPoint("/entrypoint.sh") // Sets bob as owner of anything under /home/bob and launches sshd + .build())) // .withCopyFileToContainer( MountableFile.forClasspathResource(TEST_KEYS + "/user01_authorized_keys"), "/home/bob/.ssh/authorized_keys") diff --git a/sshd-test/src/test/java/org/apache/sshd/client/forward/PortForwardingWithOpenSshTest.java b/sshd-test/src/test/java/org/apache/sshd/client/forward/PortForwardingWithOpenSshTest.java index 5623ef665..66a3b443a 100644 --- a/sshd-test/src/test/java/org/apache/sshd/client/forward/PortForwardingWithOpenSshTest.java +++ b/sshd-test/src/test/java/org/apache/sshd/client/forward/PortForwardingWithOpenSshTest.java 
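Review bot: This hunk in `HostBoundPubKeyAuthTest` does more than pin: the removed line used `alpine:3.16`, while the new digest (`alpine@sha256:6baf43584bcb…`) is the one labelled 3.19 elsewhere in this commit, so the base image changes release. The kept comment `// Installs OpenSSH 9.0` then looks stale, given that the StrictKexInteroperabilityTest hunk annotates the same digest with `Installs OpenSSH 9.6`. If the upgrade is intended, update that comment and mention the change in the commit message. If not, use the 3.16 digest from the PortForwardingWithOpenSshTest hunk: `builder -> builder.from("alpine@sha256:452e7292acee0ee16c332324d7de05fa2c99f9994ecc9f0779c602916a672ae4") // 3.16`.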
@@ -174,7 +174,9 @@ class PortForwardingWithOpenSshTest extends AbstractContainerTestBase { // Create the container @SuppressWarnings("resource") GenericContainer<?> sshdContainer = new GenericContainer<>( - new ImageFromDockerfile().withDockerfileFromBuilder(builder -> builder.from("alpine:3.16") // + new ImageFromDockerfile().withDockerfileFromBuilder(builder -> builder + // 3.16 + .from("alpine@sha256:452e7292acee0ee16c332324d7de05fa2c99f9994ecc9f0779c602916a672ae4") // .run(discriminate()) // .run("apk --update add openssh openssh-server") // Installs OpenSSH 9.0 .run("mkdir -p /root/.ssh") // Create the SSH config directory diff --git a/sshd-test/src/test/java/org/apache/sshd/client/kex/OpenSshMlKemTest.java b/sshd-test/src/test/java/org/apache/sshd/client/kex/OpenSshMlKemTest.java index bebb61c32..37f2d7fda 100644 --- a/sshd-test/src/test/java/org/apache/sshd/client/kex/OpenSshMlKemTest.java +++ b/sshd-test/src/test/java/org/apache/sshd/client/kex/OpenSshMlKemTest.java 
@@ -56,15 +56,17 @@ class OpenSshMlKemTest extends AbstractContainerTestBase { @Container static GenericContainer<?> sshdContainer = new GenericContainer<>(new ImageFromDockerfile() - .withDockerfileFromBuilder(builder -> builder.from("alpine:3.21") // - .run(discriminate()) // - .run("apk --update add openssh-server") // Installs OpenSSH 9.9 - .run("ssh-keygen -A") // Generate multiple host keys - .run("adduser -D bob") // Add a user - .run("echo 'bob:passwordBob' | chpasswd") // Give it a password to unlock the user - .run("mkdir -p /home/bob/.ssh") // Create the SSH config directory - .entryPoint("/entrypoint.sh") // Sets bob as owner of anything under /home/bob and launches sshd - .build())) // + .withDockerfileFromBuilder( + // 3.21 + builder -> builder.from("alpine@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709") // + .run(discriminate()) // + .run("apk --update add openssh-server") // Installs OpenSSH 9.9 + .run("ssh-keygen -A") // Generate multiple host keys + .run("adduser -D bob") // Add a user + .run("echo 'bob:passwordBob' | chpasswd") // Give it a password to unlock the user + .run("mkdir -p /home/bob/.ssh") // Create the SSH config directory + .entryPoint("/entrypoint.sh") // Sets bob as owner of anything under /home/bob and launches sshd + .build())) // .withCopyFileToContainer(MountableFile.forClasspathResource(TEST_KEYS + "/user01_ed25519.pub"), "/home/bob/.ssh/authorized_keys") // entrypoint must be executable. Spotbugs doesn't like 0777, so use hex diff --git a/sshd-test/src/test/java/org/apache/sshd/client/kex/StrictKexInteroperabilityTest.java b/sshd-test/src/test/java/org/apache/sshd/client/kex/StrictKexInteroperabilityTest.java index f101fef03..a058057a0 100644 --- a/sshd-test/src/test/java/org/apache/sshd/client/kex/StrictKexInteroperabilityTest.java +++ b/sshd-test/src/test/java/org/apache/sshd/client/kex/StrictKexInteroperabilityTest.java 
@@ -85,7 +85,7 @@ class StrictKexInteroperabilityTest extends AbstractContainerTestBase { private DockerfileBuilder strictKexImage(DockerfileBuilder builder, boolean withStrictKex) { if (!withStrictKex) { return builder - .from("alpine:3.9.2") // + .from("alpine@sha256:644fcb1a676b5165371437feaa922943aaf7afcfa8bfee4472f6860aad1ef2a0") // 3.9.2 .run(discriminate()) // .run("apk --update add openssh-server") // Installs OpenSSH 7.9_p1-r6 .run("echo 'PrintMotd no' >> /etc/ssh/sshd_config") // @@ -94,7 +94,7 @@ class StrictKexInteroperabilityTest extends AbstractContainerTestBase { .run("echo 'bob:passwordBob' | chpasswd"); // Give it a password to unlock the user } else { return builder - .from("alpine:3.19") // + .from("alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1") // 3.19 .run(discriminate()) // .run("apk --update add openssh-server") // Installs OpenSSH 9.6 .run("ssh-keygen -A") // Generate multiple host keys diff --git a/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxyHttpAuthIntegrationTest.java b/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxyHttpAuthIntegrationTest.java index ce23edbd8..dbc60c7d2 100644 --- a/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxyHttpAuthIntegrationTest.java +++ b/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxyHttpAuthIntegrationTest.java 
@@ -54,7 +54,9 @@ class ProxyHttpAuthIntegrationTest extends AbstractContainerTestBase { private static final Logger LOG = LoggerFactory.getLogger(ProxyHttpAuthIntegrationTest.class); - private static GenericContainer<?> proxy = new GenericContainer<>("ajoergensen/tinyproxy") // + private static GenericContainer<?> proxy = new GenericContainer<>( + // latest as of 2026-03-27 + "ajoergensen/tinyproxy@sha256:ab5be3120573a3bb6b1d238b6f43940a587cbbc3ea83c3d18f0900e60461a5c4") // .withCopyFileToContainer(MountableFile.forClasspathResource("org/apache/sshd/proxy/tinyproxy-auth.conf"), "/etc/tinyproxy/tinyproxy.conf") // .withExposedPorts(1080) // diff --git a/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxyHttpIntegrationTest.java b/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxyHttpIntegrationTest.java index 3ec91b42b..3f8a2686c 100644 --- a/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxyHttpIntegrationTest.java +++ b/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxyHttpIntegrationTest.java @@ -48,7 +48,9 @@ class ProxyHttpIntegrationTest extends AbstractContainerTestBase { private static final Logger LOG = LoggerFactory.getLogger(ProxyHttpIntegrationTest.class); - private static GenericContainer<?> proxy = new GenericContainer<>("ajoergensen/tinyproxy") // + private static GenericContainer<?> proxy = new GenericContainer<>( + // latest as of 2026-03-27 + "ajoergensen/tinyproxy@sha256:ab5be3120573a3bb6b1d238b6f43940a587cbbc3ea83c3d18f0900e60461a5c4") // .withCopyFileToContainer(MountableFile.forClasspathResource("org/apache/sshd/proxy/tinyproxy.conf"), "/etc/tinyproxy/tinyproxy.conf") // .withExposedPorts(1080) // diff --git a/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxySocksAuthIntegrationTest.java b/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxySocksAuthIntegrationTest.java index c2e72aa91..3d47fa2c7 100644 --- a/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxySocksAuthIntegrationTest.java 
+++ b/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxySocksAuthIntegrationTest.java @@ -53,7 +53,9 @@ class ProxySocksAuthIntegrationTest extends AbstractContainerTestBase { private static final Logger LOG = LoggerFactory.getLogger(ProxySocksAuthIntegrationTest.class); - private static GenericContainer<?> proxy = new GenericContainer<>("serjs/go-socks5-proxy") // + private static GenericContainer<?> proxy = new GenericContainer<>( + // latest as of 2026-03-27 + "serjs/go-socks5-proxy@sha256:0af522996f402c03ecd985a87997158eabeb28935365e3a384df37eafcf740ea") // .withEnv("PROXY_USER", "sockstester") // .withEnv("PROXY_PASSWORD", "testsocks") // .withExposedPorts(1080) // diff --git a/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxySocksIntegrationTest.java b/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxySocksIntegrationTest.java index 458ca170a..7623f1d3e 100644 --- a/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxySocksIntegrationTest.java +++ b/sshd-test/src/test/java/org/apache/sshd/client/proxy/ProxySocksIntegrationTest.java @@ -47,7 +47,9 @@ class ProxySocksIntegrationTest extends AbstractContainerTestBase { private static final Logger LOG = LoggerFactory.getLogger(ProxySocksIntegrationTest.class); - private static GenericContainer<?> proxy = new GenericContainer<>("serjs/go-socks5-proxy") // + private static GenericContainer<?> proxy = new GenericContainer<>( + // latest as of 2026-03-27 + "serjs/go-socks5-proxy@sha256:0af522996f402c03ecd985a87997158eabeb28935365e3a384df37eafcf740ea") // .withEnv("REQUIRE_AUTH", "false") // .withExposedPorts(1080) // .withLogConsumer(new Slf4jLogConsumer(LOG)); diff --git a/sshd-test/src/test/java/org/apache/sshd/common/cipher/OpenSshCipherTest.java b/sshd-test/src/test/java/org/apache/sshd/common/cipher/OpenSshCipherTest.java index 67c67542d..5c29b60ea 100644 --- a/sshd-test/src/test/java/org/apache/sshd/common/cipher/OpenSshCipherTest.java 
+++ b/sshd-test/src/test/java/org/apache/sshd/common/cipher/OpenSshCipherTest.java @@ -58,17 +58,19 @@ class OpenSshCipherTest extends AbstractContainerTestBase { @Container static GenericContainer<?> sshdContainer = new GenericContainer<>(new ImageFromDockerfile() - .withDockerfileFromBuilder(builder -> builder.from("alpine:3.19") // - .run(discriminate()) // - .run("apk --update add openssh-server") // Installs OpenSSH - // Enable deprecated ciphers - .run("echo 'Ciphers +aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc' >> /etc/ssh/sshd_config") - .run("ssh-keygen -A") // Generate multiple host keys - .run("adduser -D bob") // Add a user - .run("echo 'bob:passwordBob' | chpasswd") // Give it a password to unlock the user - .run("mkdir -p /home/bob/.ssh") // Create the SSH config directory - .entryPoint("/entrypoint.sh") // Sets bob as owner of anything under /home/bob and launches sshd - .build())) // + .withDockerfileFromBuilder( + // 3.19 + builder -> builder.from("alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1") // + .run(discriminate()) // + .run("apk --update add openssh-server") // Installs OpenSSH + // Enable deprecated ciphers + .run("echo 'Ciphers +aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc' >> /etc/ssh/sshd_config") + .run("ssh-keygen -A") // Generate multiple host keys + .run("adduser -D bob") // Add a user + .run("echo 'bob:passwordBob' | chpasswd") // Give it a password to unlock the user + .run("mkdir -p /home/bob/.ssh") // Create the SSH config directory + .entryPoint("/entrypoint.sh") // Sets bob as owner of anything under /home/bob and launches sshd + .build())) // .withCopyFileToContainer(MountableFile.forClasspathResource(TEST_KEYS + "/user01_ed25519.pub"), "/home/bob/.ssh/authorized_keys") // entrypoint must be executable. Spotbugs doesn't like 0777, so use hex
