
Update bonita, add 2022.1-b1 #12005

Merged

Conversation

baptistemesta
Contributor

This adds the beta version of bonita: 2022.1-b1

I did not remove any previous version because this one is still a beta.

There were a lot of changes in that new version. Please tell us if anything is wrong in these changes.

Also, previous images still use sks (mentioned here: docker-library/faq#26).
Do we need to update the already existing previous versions that use it?

Thank you!

@baptistemesta
Contributor Author

OK, the checks answer some of my questions! I'll fix that.

@baptistemesta
Contributor Author

We use a new base image, eclipse-temurin alpine, that is not multi-arch. We are discussing if we need to change that.

Member

@tianon tianon left a comment

See #11071 for where the checks were updated to include verifying that the referenced GitCommit: value exists on the specified (or in your case, implied) GitFetch: branch -- I've included suggestions for each commit on which branch I think they're supposed to apply to, but if I've got any wrong this should at least give you the appropriate format to get them pointing to the intended places.

I haven't done a thorough review of the new changes (especially as you've indicated that they might change again once you've re-evaluated that base image choice), but here's a few things I noticed right off:

Regarding mixing packages from Alpine Edge and a release version, we unfortunately can't accept that (#10794).

Additionally, the tests on that new version are timing out repeatedly due to the change from CMD to ENTRYPOINT (see https://github.com/docker-library/official-images#consistency).

@@ -9,13 +9,18 @@ GitRepo: https://github.com/bonitasoft/bonita-distrib.git


Tags: 7.11.4, 7.11
GitCommit: 231024c8290a9aa31a45b758a0765a684c21ed21
GitCommit: 7058084357dcd0fccf723ab2c7e21ec2b73f1f45

Suggested change:
-GitCommit: 7058084357dcd0fccf723ab2c7e21ec2b73f1f45
+GitFetch: refs/heads/docker/7.11.4
+GitCommit: 7058084357dcd0fccf723ab2c7e21ec2b73f1f45

Directory: docker

Tags: 2021.1, 7.12.1, 7.12
GitCommit: c9b816249504017bb3418252bf58ec9d4fc3e86e
GitCommit: bfdd527629063b73f053320e50e1f6bfcd135d0a

Suggested change:
-GitCommit: bfdd527629063b73f053320e50e1f6bfcd135d0a
+GitFetch: refs/heads/docker/2021.1
+GitCommit: bfdd527629063b73f053320e50e1f6bfcd135d0a

Directory: docker

Tags: 2021.2-u0, 2021.2, 7.13.0, 7.13, latest
GitCommit: a1d9ee5e31d38958aa553cc7f9d465f1151d902f

Suggested change:
-GitCommit: a1d9ee5e31d38958aa553cc7f9d465f1151d902f
+GitFetch: refs/heads/dev
+GitCommit: a1d9ee5e31d38958aa553cc7f9d465f1151d902f

library/bonita Outdated

Tags: 2022.1-b1
Architectures: amd64
GitCommit: 89271fc68c286a4f845d5a4d0c28bfa079a5af67

Suggested change:
-GitCommit: 89271fc68c286a4f845d5a4d0c28bfa079a5af67
+GitFetch: refs/heads/release-7.14.0
+GitCommit: 89271fc68c286a4f845d5a4d0c28bfa079a5af67

@baptistemesta
Contributor Author

> See #11071 for where the checks were updated to include verifying that the referenced GitCommit: value exists on the specified (or in your case, implied) GitFetch: branch -- I've included suggestions for each commit on which branch I think they're supposed to apply to, but if I've got any wrong this should at least give you the appropriate format to get them pointing to the intended places.
>
> I haven't done a thorough review of the new changes (especially as you've indicated that they might change again once you've re-evaluated that base image choice), but here's a few things I noticed right off:
>
> Regarding mixing packages from Alpine Edge and a release version, we unfortunately can't accept that (#10794).
>
> Additionally, the tests on that new version are timing out repeatedly due to the change from CMD to ENTRYPOINT (see https://github.com/docker-library/official-images#consistency).

Thank you, I'll look into it

@baptistemesta
Contributor Author

@tianon Hello, we integrated all feedback for GitHub Actions + we are now using alpine 3.15 as base on multiple architectures. Does it look good to you?
There is no need to merge it; we only want to be sure it will be all right for the GA version that will come in a few weeks!

@tianon tianon marked this pull request as draft March 17, 2022 21:52
@tianon
Member

tianon commented Mar 17, 2022

(marked as a draft to avoid accidental merging before you're ready -- still reviewing and hope to have more comments soon ❤️)

@tianon
Member

tianon commented Mar 17, 2022

+RUN apk add --no-cache --upgrade curl unzip bash su-exec jattach openjdk11-jre-headless \
   && rm -rf /var/lib/apt/lists/*

Removing /var/lib/apt/lists is unnecessary (leftover from being Ubuntu-based), and --upgrade shouldn't be here (if the base image needs updates, we encourage base image maintainers to update instead):

RUN apk add --no-cache curl unzip bash su-exec jattach openjdk11-jre-headless

As a side note, you could also consider switching from curl to wget and avoid installing that (assuming Bonita itself doesn't require curl at runtime), since BusyBox includes a working wget (and the Alpine build of it even supports https URLs with validation out-of-the-box).


+ENV HTTP_API_USERNAME ${HTTP_API_USERNAME:-http-api}
+ENV HTTP_API_PASSWORD ${HTTP_API_PASSWORD:-""}
...

It doesn't really make much difference in the end (only in the interim maintainability) but this whole block's uses of ${...:-...} are unnecessary/unused:

ENV HTTP_API_USERNAME http-api
ENV HTTP_API_PASSWORD ""
...

(Should most/all of these be moved down next to ENV HTTP_API false? They seem similar.)


+## the double space is important inside the sha256sum on that version of busybox
+  && echo "$BONITA_SHA256  /opt/files/$ZIP_FILE" | sha256sum -c - ; fi \

Instead of the error-prone double-space, I'd suggest using the explicit "binary mode" signifier of * (which then only requires a single space):

  && echo "$BONITA_SHA256 */opt/files/$ZIP_FILE" | sha256sum -c - ; fi \

+# Ensure there is no entrypoint, docker hub require to have CMD be overridable
+ENTRYPOINT []
 # command to run when the container starts
-CMD ["/opt/files/startup.sh"]
-
+CMD ["/opt/files/startup.sh", "/opt/bonita/server/bin/catalina.sh", "run"]

Unless I'm misreading the logic in it, you appear to have updated startup.sh to meet the requirements for being ENTRYPOINT, so the following should be OK (if not, we can help figure out where/why and how we suggest fixing it, if this is something you'd like to pursue -- I'm guessing it'll be something like making sure any echo/output goes to stderr instead of stdout, or that relevant things only run if $1 is catalina.sh):

ENTRYPOINT ["/opt/files/startup.sh"]
CMD ["/opt/bonita/server/bin/catalina.sh", "run"]

If it's going to be common for users to need to invoke catalina.sh run with different arguments or if there are other tools/scripts in /opt/bonita/server/bin which are useful for users to invoke directly, it might be worth considering putting /opt/bonita/server/bin in PATH so that you could have CMD ["catalina.sh", "run"] instead (which is then much easier for users to accurately reproduce if they need to adjust it slightly).
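The binary-mode checksum form suggested above, as an added example that is not code from the bonita image or from the reviewer: a small POSIX sh helper that validates the pin itself before calling `sha256sum -c`, then exercises it on a constructed file and on a tampered copy. It assumes `sha256sum` (GNU coreutils or BusyBox) and `mktemp` are available; the helper name `verify_sha256`, the sample file name and the hard-coded pin are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the bonita-distrib repository: verify a downloaded
# artifact against a pinned SHA-256 with "sha256sum -c", using the
# "<hex> *<path>" (binary-mode) line format that GNU coreutils and BusyBox
# both parse, so there is no second space to get wrong.
set -eu

# verify_sha256 EXPECTED_HEX PATH
#   returns 0 if PATH hashes to EXPECTED_HEX, 1 on mismatch or missing file,
#   2 when the pin itself is malformed.
verify_sha256() {
    expected=$1
    path=$2
    # Reject an empty or malformed pin up front: an empty build-arg must fail
    # the build rather than be "verified" against nothing.
    case $expected in
        *[!0-9a-f]* | '') echo "verify_sha256: bad pin '$expected'" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_sha256: pin is not 64 hex chars" >&2; return 2; }
    [ -f "$path" ] || { echo "verify_sha256: no such file '$path'" >&2; return 1; }
    # One space then '*' marks binary mode; sha256sum -c reads the line from stdin.
    if printf '%s *%s\n' "$expected" "$path" | sha256sum -c - >/dev/null 2>&1; then
        return 0
    fi
    echo "verify_sha256: checksum mismatch for '$path'" >&2
    return 1
}

# Constructed sample "bundle" for the demo; not a real Bonita release.
demo_dir=$(mktemp -d)
bundle="$demo_dir/BonitaCommunity-sample.zip"
printf 'hello\n' > "$bundle"
# In a Dockerfile the pin is a literal copied from the vendor's release page;
# sha256("hello\n") is hard-coded here so the demo is self-contained.
pin=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

verify_sha256 "$pin" "$bundle" && echo "OK: $bundle matches pin"
# Any change to the artifact (one appended byte) must be rejected.
printf 'x' >> "$bundle"
verify_sha256 "$pin" "$bundle" || echo "REJECTED: $bundle no longer matches pin (exit $?)"
rm -rf "$demo_dir"
```

In a Dockerfile the pin would be an `ARG`/`ENV` literal taken from the vendor's release notes, never computed from the download itself, and the check should run on every path that ends with the zip being unpacked, not only on the branch that performs the download.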

@baptistemesta baptistemesta marked this pull request as ready for review March 23, 2022 16:11
@baptistemesta
Contributor Author

Thank you for the great review!

I've integrated most of your comments. For now I've kept curl, but it's definitely something that can be changed.
Regarding the entry point, I chose to ignore the initialisation when the CMD is not catalina, as you suggested.

I've put the PR back as "ready to review" because it looks like the GitHub Actions are not triggering otherwise.

@baptistemesta baptistemesta marked this pull request as draft March 23, 2022 16:14
@yosifkit
Member

Attempting to re-trigger github actions.

@yosifkit yosifkit closed this Mar 23, 2022
@yosifkit yosifkit reopened this Mar 23, 2022
@tianon
Member

tianon commented Mar 24, 2022

I re-reviewed and overall it looks like it's in pretty good shape! None of my remaining comments are in any way blockers, and I'd be OK with merging this as-is if you wanted to. I'll include my minor comments here just for your benefit:


+RUN apk add --no-cache --upgrade curl unzip bash su-exec jattach openjdk11-jre-headless

As mentioned previously, I'd suggest dropping --upgrade from this (since the base image should be updated when necessary instead).


+## the double space is important inside the sha256sum on that version of busybox
+  && echo "$BONITA_SHA256 */opt/files/$ZIP_FILE" | sha256sum -c - ; fi \

The comment here doesn't actually apply anymore. 😅 👀


+        host=$(echo $(hostname -i) | xargs)

I'm not sure what this is trying to do, but it's then embedded in the next line directly in that string as -Djava.rmi.server.hostname=${host}, so it appears that it's trying to scrape just one single IP address? Maybe something like this was more in line with the intention?

        host=$(hostname -i | head -1)

@baptistemesta baptistemesta marked this pull request as ready for review March 31, 2022 12:49
@github-actions

Diff for 7a6da1d:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index 87ecb2d..26b85aa 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,15 +1,19 @@
 Maintainers: Baptiste Mesta <[email protected]> (@baptistemesta), Danila Mazour <[email protected]> (@danila-m), Emmanuel Duchastenier <[email protected]> (@educhastenier), Pascal Garcia <[email protected]> (@passga), Anthony Birembaut <[email protected]> (@abirembaut), Dumitru Corini <[email protected]> (@DumitruCorini)
 Architectures: amd64, arm64v8, ppc64le
 GitRepo: https://github.com/bonitasoft/bonita-distrib.git
+Directory: docker
 
 Tags: 7.11.4, 7.11
-GitCommit: 231024c8290a9aa31a45b758a0765a684c21ed21
-Directory: docker
+GitFetch: refs/heads/docker/7.11.4
+GitCommit: 7058084357dcd0fccf723ab2c7e21ec2b73f1f45
 
 Tags: 2021.1, 7.12.1, 7.12
-GitCommit: c9b816249504017bb3418252bf58ec9d4fc3e86e
-Directory: docker
+GitFetch: refs/heads/docker/2021.1
+GitCommit: bfdd527629063b73f053320e50e1f6bfcd135d0a
 
-Tags: 2021.2-u0, 2021.2, 7.13.0, 7.13, latest
+Tags: 2021.2-u0, 2021.2, 7.13.0, 7.13
+GitFetch: refs/heads/docker/2021.2
 GitCommit: a1d9ee5e31d38958aa553cc7f9d465f1151d902f
-Directory: docker
+
+Tags: 2022.1-u0, 2022.1, 7.14.0, 7.14, latest
+GitCommit: 694bf79347add872f8c6a4c0a7f5c3ef12c31dc8
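Review bot: the new `Tags: 2022.1-u0, 2022.1, 7.14.0, 7.14, latest` stanza is the only one without a `GitFetch:` line, while the three older stanzas each gain one in this same hunk; since the updated checks verify that `GitCommit:` exists on the specified or implied `GitFetch:` branch, either state the branch explicitly (as with `GitFetch: refs/heads/docker/2021.2`) or confirm that `694bf79347add872f8c6a4c0a7f5c3ef12c31dc8` is on the default branch. Separately, the PR title and description still speak of the `2022.1-b1` beta while the diff ships the GA tags (`2022.1-u0`, `7.14.0`) and moves `latest` to them; update the description so the merged record matches what was added.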
diff --git a/_bashbrew-list b/_bashbrew-list
index 8dd1507..6ef06ba 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -4,7 +4,11 @@ bonita:7.12
 bonita:7.12.1
 bonita:7.13
 bonita:7.13.0
+bonita:7.14
+bonita:7.14.0
 bonita:2021.1
 bonita:2021.2
 bonita:2021.2-u0
+bonita:2022.1
+bonita:2022.1-u0
 bonita:latest
diff --git a/bonita_7.11/Dockerfile b/bonita_7.11/Dockerfile
index 8137168..dedde7e 100644
--- a/bonita_7.11/Dockerfile
+++ b/bonita_7.11/Dockerfile
@@ -20,8 +20,7 @@ RUN groupadd -r bonita -g 1000 \
   && useradd -u 1000 -r -g bonita -d /opt/bonita/ -s /sbin/nologin -c "Bonita User" bonita
 
 # grab gosu
-RUN (gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
-  || gpg --keyserver ipv4.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4) \
+RUN gpg --keyserver keyserver.ubuntu.com --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
   && curl -fsSL "https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture)" -o /usr/local/bin/gosu \
   && curl -fsSL "https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture).asc" -o /usr/local/bin/gosu.asc \
   && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
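Review bot: dropping the sks hosts also drops the `( ... || ... )` fallback, so `gpg --keyserver keyserver.ubuntu.com --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4` is now a single point of failure for every 7.11 rebuild; keep the two-keyserver form with a second host (for example keys.openpgp.org) so one keyserver outage does not break the build. Pinning by the full 40-hex fingerprint is the right way to fetch the gosu key and should stay as is.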
diff --git a/bonita_7.12/Dockerfile b/bonita_7.12/Dockerfile
index 3c720c3..29ae0bb 100644
--- a/bonita_7.12/Dockerfile
+++ b/bonita_7.12/Dockerfile
@@ -20,8 +20,7 @@ RUN groupadd -r bonita -g 1000 \
   && useradd -u 1000 -r -g bonita -d /opt/bonita/ -s /sbin/nologin -c "Bonita User" bonita
 
 # grab gosu
-RUN (gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
-  || gpg --keyserver ipv4.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4) \
+RUN gpg --keyserver keyserver.ubuntu.com --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
   && curl -fsSL "https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture)" -o /usr/local/bin/gosu \
   && curl -fsSL "https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture).asc" -o /usr/local/bin/gosu.asc \
   && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
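Review bot: same point as for bonita_7.11/Dockerfile above: the `||` fallback disappears together with the sks hosts, leaving a single `--keyserver keyserver.ubuntu.com` for the 7.12 rebuild; keep a second keyserver in the fallback so the build does not depend on one host being up.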
diff --git a/bonita_latest/Dockerfile b/bonita_7.13/Dockerfile
similarity index 100%
copy from bonita_latest/Dockerfile
copy to bonita_7.13/Dockerfile
diff --git a/bonita_latest/files/config.sh b/bonita_7.13/files/config.sh
similarity index 100%
copy from bonita_latest/files/config.sh
copy to bonita_7.13/files/config.sh
diff --git a/bonita_latest/files/functions.sh b/bonita_7.13/files/functions.sh
similarity index 100%
rename from bonita_latest/files/functions.sh
rename to bonita_7.13/files/functions.sh
diff --git a/bonita_latest/files/logging.awk b/bonita_7.13/files/logging.awk
similarity index 100%
rename from bonita_latest/files/logging.awk
rename to bonita_7.13/files/logging.awk
diff --git a/bonita_7.12/files/startup.sh b/bonita_7.13/files/startup.sh
similarity index 100%
copy from bonita_7.12/files/startup.sh
copy to bonita_7.13/files/startup.sh
diff --git a/bonita_7.11/templates/database.properties b/bonita_7.13/templates/database.properties
similarity index 100%
copy from bonita_7.11/templates/database.properties
copy to bonita_7.13/templates/database.properties
diff --git a/bonita_7.11/templates/setenv.sh b/bonita_7.13/templates/setenv.sh
similarity index 100%
copy from bonita_7.11/templates/setenv.sh
copy to bonita_7.13/templates/setenv.sh
diff --git a/bonita_latest/Dockerfile b/bonita_latest/Dockerfile
index 80d7503..b2ec9d1 100644
--- a/bonita_latest/Dockerfile
+++ b/bonita_latest/Dockerfile
@@ -1,47 +1,32 @@
-FROM ubuntu:18.04
+FROM alpine:3.15
 
 LABEL maintainer="Bonitasoft Runtime team <[email protected]>"
 
 # Execute instructions less likely to change first
 
 # Install packages
-RUN apt-get update && apt-get install -y --no-install-recommends \
-      curl \
-      gnupg2 \
-      mysql-client-core-5.7 \
-      openjdk-11-jre-headless \
-      postgresql-client \
-      unzip \
-      zip \
-  && rm -rf /var/lib/apt/lists/*
+RUN apk add --no-cache curl unzip bash su-exec jattach openjdk11-jre-headless
 
 RUN mkdir /opt/custom-init.d/
 
 # create user to launch Bonita as non-root
-RUN groupadd -r bonita -g 1000 \
-  && useradd -u 1000 -r -g bonita -d /opt/bonita/ -s /sbin/nologin -c "Bonita User" bonita
-
-RUN gpg --keyserver keyserver.ubuntu.com --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
-  && curl -fsSL "https://github.com/tianon/gosu/releases/download/1.13/gosu-$(dpkg --print-architecture)" -o /usr/local/bin/gosu \
-  && curl -fsSL "https://github.com/tianon/gosu/releases/download/1.13/gosu-$(dpkg --print-architecture).asc" -o /usr/local/bin/gosu.asc \
-  && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
-  && rm /usr/local/bin/gosu.asc \
-  && chmod +x /usr/local/bin/gosu
+RUN addgroup -S -g 1000 bonita \
+ && adduser -u 1000 -S  -G bonita -h /opt/bonita/ -s /sbin/nologin  bonita
 
 
 # Install Bundle
 
 ## ARGS and ENV required to download and unzip the toncat bundle
-## use --build-arg key=value in docker build command to override arguments
+# use --build-arg key=value in docker build command to override arguments
 ARG BONITA_VERSION
 ARG BRANDING_VERSION
 ARG BONITA_SHA256
 ARG BASE_URL
 ARG BONITA_URL
 
-ENV BONITA_VERSION ${BONITA_VERSION:-7.13.0}
-ENV BRANDING_VERSION ${BRANDING_VERSION:-2021.2-u0}
-ENV BONITA_SHA256  ${BONITA_SHA256:-e4f279765cd729885a4e353d96d1d85c5f69fef63f79183e0ccf3ffaa0cb2417}
+ENV BONITA_VERSION ${BONITA_VERSION:-7.14.0}
+ENV BRANDING_VERSION ${BRANDING_VERSION:-2022.1-u0}
+ENV BONITA_SHA256  ${BONITA_SHA256:-a88b3f4368bd68dda4eccf4680a71b7e523678811b6b3bcd61cd85e67e9b9aeb}
 ENV ZIP_FILE BonitaCommunity-${BRANDING_VERSION}.zip
 ENV BASE_URL ${BASE_URL:-https://github.com/bonitasoft/bonita-platform-releases/releases/download}
 ENV BONITA_URL ${BONITA_URL:-${BASE_URL}/${BRANDING_VERSION}/BonitaCommunity-${BRANDING_VERSION}.zip}
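Review bot: the gosu download-and-verify block is gone and `su-exec` now comes from `apk add`, which is fine, but `RUN apk add --no-cache curl unzip bash su-exec jattach openjdk11-jre-headless` together with `FROM alpine:3.15` also changes the JRE from Ubuntu's `openjdk-11-jre-headless` to Alpine's musl build; document the `ubuntu:18.04` to `alpine:3.15` switch in the image description, since custom JDBC drivers or native libraries that users drop into `/opt/bonita` may behave differently on musl. Nit in the unchanged context line: `toncat bundle` should read `tomcat bundle`.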
@@ -50,26 +35,58 @@ ENV BONITA_URL ${BONITA_URL:-${BASE_URL}/${BRANDING_VERSION}/BonitaCommunity-${B
 RUN mkdir /opt/files
 COPY files /opt/files
 
-RUN if [ -f "/opt/files/BonitaCommunity-${BRANDING_VERSION}.zip" ]; then echo "File already present in /opt/files"; else curl -fsSL ${BONITA_URL} -o /opt/files/BonitaCommunity-${BRANDING_VERSION}.zip; fi \
-  && sha256sum /opt/files/${ZIP_FILE} \
-  && echo "$BONITA_SHA256" /opt/files/${ZIP_FILE} | sha256sum -c - \
+RUN if [ -f "/opt/files/BonitaCommunity-${BRANDING_VERSION}.zip" ]; then echo "File already present in /opt/files"; else curl -fsSL ${BONITA_URL} -o /opt/files/BonitaCommunity-${BRANDING_VERSION}.zip \
+  && echo "$BONITA_SHA256 */opt/files/$ZIP_FILE" | sha256sum -c - ; fi \
   && unzip -q /opt/files/BonitaCommunity-${BRANDING_VERSION}.zip -d /opt/bonita/ \
-  && unzip /opt/bonita/BonitaCommunity-${BRANDING_VERSION}/server/webapps/bonita.war -d /opt/bonita/BonitaCommunity-${BRANDING_VERSION}/server/webapps/bonita/ \
-  && rm /opt/bonita/BonitaCommunity-${BRANDING_VERSION}/server/webapps/bonita.war \
-  && rm -f /opt/files/BonitaCommunity-${BRANDING_VERSION}.zip
+  && mv /opt/bonita/BonitaCommunity-${BRANDING_VERSION}/* /opt/bonita \
+  && rmdir /opt/bonita/BonitaCommunity-${BRANDING_VERSION} \
+  && unzip /opt/bonita/server/webapps/bonita.war -d /opt/bonita/server/webapps/bonita/ \
+  && rm /opt/bonita/server/webapps/bonita.war \
+  && rm -f /opt/files/BonitaCommunity-${BRANDING_VERSION}.zip \
+  && mkdir -p /opt/bonita/conf/logs/ \
+  && mkdir -p /opt/bonita/logs/ \
+  && mv /opt/files/log4j2/log4j2-appenders.xml /opt/bonita/conf/logs/ \
+  && mv /opt/bonita/server/conf/log4j2-loggers.xml /opt/bonita/conf/logs/ \
+  && chown -R bonita:bonita /opt/bonita \
+  && chmod go+w /opt/ \
+  && chmod -R +rX /opt \
+  && chmod go+w /opt/bonita \
+  && chmod 777 /opt/bonita/server/logs \
+  && chmod 777 /opt/bonita/logs/ \
+  && chmod 777 /opt/bonita/server/temp \
+  && chmod 777 /opt/bonita/server/work \
+  && chmod -R go+w /opt/bonita/server/conf \
+  && chmod -R go+w /opt/bonita/server/bin \
+  && chmod -R go+w /opt/bonita/server/lib/bonita \
+  && chmod -R go+w /opt/bonita/setup
 
 # ENV only required at runtime
 ENV HTTP_API false
+ENV HTTP_API_USERNAME http-api
+ENV HTTP_API_PASSWORD ""
+ENV MONITORING_USERNAME monitoring
+ENV MONITORING_PASSWORD mon1tor1ng_adm1n
+ENV JMX_REMOTE_ACCESS false
+ENV REMOTE_IP_VALVE_ENABLED false
+# Allow to redirect access logs to stdout:
+ENV ACCESSLOGS_STDOUT_ENABLED false
+# Allow to redirect access logs to file:
+ENV ACCESSLOGS_FILES_ENABLED false
+# If access log files enabled, where to put the access log files:
+ENV ACCESSLOGS_PATH /opt/bonita/logs
+# access log files enabled, should we append new HOSTNAME directory to full path:
+ENV ACCESSLOGS_PATH_APPEND_HOSTNAME false
+# max days access log files are conserved:
+ENV ACCESSLOGS_MAX_DAYS 30
+# max Http threads Tomcat will use to serve HTTP/1.1 requests:
+ENV HTTP_MAX_THREADS 20
 
 
-# create Volume to store Bonita files
-VOLUME /opt/bonita
-
 COPY templates /opt/templates
-# expose Tomcat port
-EXPOSE 8080
+# exposed ports (Tomcat, JMX)
+EXPOSE 8080 9000
 
 # command to run when the container starts
-CMD ["/opt/files/startup.sh"]
-
+ENTRYPOINT ["/opt/files/startup.sh"]
+CMD ["/opt/bonita/server/bin/catalina.sh","run"]
 
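Review bot: the `sha256sum -c` check moved inside the `else` branch of `if [ -f "/opt/files/BonitaCommunity-${BRANDING_VERSION}.zip" ]`, so a zip already present in `files/` is unzipped and installed with no checksum at all, whereas the removed lines verified `$BONITA_SHA256` unconditionally; move `&& echo "$BONITA_SHA256 */opt/files/$ZIP_FILE" | sha256sum -c -` after the `fi` so both paths are checked. Second, `chmod 777` on `server/logs`, `server/temp` and `server/work` plus `chmod -R go+w` on `server/conf`, `server/bin`, `server/lib/bonita` and `setup` leave Tomcat's configuration and start scripts world-writable in the image; startup.sh only tightens this (`chmod -R go-rwx /opt/bonita/`) when it starts as root, so a container run with `--user` keeps them writable by every uid. The tree is already `chown -R bonita:bonita`, so owner-writable (`u+w`) should be enough.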
diff --git a/bonita_latest/files/config.sh b/bonita_latest/files/config.sh
index 872d68d..82e36dc 100755
--- a/bonita_latest/files/config.sh
+++ b/bonita_latest/files/config.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+set -eo pipefail
 
 # Path to deploy the Tomcat Bundle
 BONITA_PATH=/opt/bonita
@@ -9,10 +9,12 @@ BONITA_TPL=/opt/templates
 BONITA_FILES=/opt/files
 # Flag to allow or not the SQL queries to automatically check and create the databases
 ENSURE_DB_CHECK_AND_CREATION=${ENSURE_DB_CHECK_AND_CREATION:-true}
+# XA transaction timeout:
+BONITA_RUNTIME_TRANSACTION_XATIMEOUT=${BONITA_RUNTIME_TRANSACTION_XATIMEOUT:-180}
+# Tomcat Remote IP Valve (reverse-proxy):
+REMOTE_IP_VALVE_ENABLED=${REMOTE_IP_VALVE_ENABLED=-false}
 # Java OPTS
 JAVA_OPTS=${JAVA_OPTS:--Xms1024m -Xmx1024m}
-# Flag to enable or not dynamic authorization checking on Bonita REST API
-REST_API_DYN_AUTH_CHECKS=${REST_API_DYN_AUTH_CHECKS:-true}
 
 # retrieve the db parameters from the container linked
 if [ -n "$POSTGRES_PORT_5432_TCP_PORT" ]
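Review bot: `REMOTE_IP_VALVE_ENABLED=${REMOTE_IP_VALVE_ENABLED=-false}` uses the assign-default operator `=` with the word `-false`, so when the variable is unset it becomes the string `-false` rather than `false`; the later `= 'true'` comparison still works, but the intended spelling is `${REMOTE_IP_VALVE_ENABLED:-false}`, as on the surrounding lines. Also, `REST_API_DYN_AUTH_CHECKS` (default `true`) is removed here and the `sed` that uncommented the dynamic-permission rules disappears in a later hunk with nothing replacing it; if 2022.1 enables those checks out of the box, say so in the changelog, otherwise this quietly loosens the REST API default.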
@@ -50,11 +52,9 @@ BIZ_DB_VENDOR=$DB_VENDOR
 DB_NAME=${DB_NAME:-bonitadb}
 DB_USER=${DB_USER:-bonitauser}
 DB_PASS=${DB_PASS:-bonitapass}
-DB_DROP_EXISTING=${DB_DROP_EXISTING:-N}
 BIZ_DB_NAME=${BIZ_DB_NAME:-businessdb}
 BIZ_DB_USER=${BIZ_DB_USER:-businessuser}
 BIZ_DB_PASS=${BIZ_DB_PASS:-businesspass}
-BIZ_DB_DROP_EXISTING=${BIZ_DB_DROP_EXISTING:-N}
 
 # if not enforced, set the default credentials
 PLATFORM_LOGIN=${PLATFORM_LOGIN:-platformAdmin}
@@ -62,52 +62,20 @@ PLATFORM_PASSWORD=${PLATFORM_PASSWORD:-platform}
 TENANT_LOGIN=${TENANT_LOGIN:-install}
 TENANT_PASSWORD=${TENANT_PASSWORD:-install}
 
-
-if [ "${ENSURE_DB_CHECK_AND_CREATION}" = 'true' ]
+if [ "${HTTP_API}" = "true" -a "${HTTP_API_PASSWORD}" = "" ]
 then
-    echo "Creating (if missing) database and users"
-	# load SQL functions
-	. ${BONITA_FILES}/functions.sh
-	case "${DB_VENDOR}" in
-		mysql)
-			DB_ADMIN_USER=${DB_ADMIN_USER:-root}
-			if [ -z "$DB_ADMIN_PASS" ]
-			then
-				DB_ADMIN_PASS=$MYSQL_ENV_MYSQL_ROOT_PASSWORD
-			fi
-			;;
-		postgres)
-			DB_ADMIN_USER=${DB_ADMIN_USER:-postgres}
-			if [ -z "$DB_ADMIN_PASS" ]
-			then
-				DB_ADMIN_PASS=$POSTGRES_ENV_POSTGRES_PASSWORD
-			fi
-			;;
-	esac
-	if [ "${DB_VENDOR}" != 'h2' ]
-	then
-		# ensure to create bonita db and user
-		create_user_if_not_exists "$DB_VENDOR" "$DB_HOST" "$DB_PORT" "$DB_ADMIN_USER" "$DB_ADMIN_PASS" "$DB_USER" "$DB_PASS"
-		create_database_if_not_exists "$DB_VENDOR" "$DB_HOST" "$DB_PORT" "$DB_ADMIN_USER" "$DB_ADMIN_PASS" "$DB_NAME" "$DB_USER" "$DB_PASS" "$DB_DROP_EXISTING"
-		# ensure to create business db and user if needed
-		create_user_if_not_exists "$DB_VENDOR" "$DB_HOST" "$DB_PORT" "$DB_ADMIN_USER" "$DB_ADMIN_PASS" "$BIZ_DB_USER" "$BIZ_DB_PASS"
-		create_database_if_not_exists "$DB_VENDOR" "$DB_HOST" "$DB_PORT" "$DB_ADMIN_USER" "$DB_ADMIN_PASS" "$BIZ_DB_NAME" "$BIZ_DB_USER" "$BIZ_DB_PASS" "$BIZ_DB_DROP_EXISTING"
-	fi
+  echo "Error: HTTP_API is activated: you MUST provide a custom password with '-e HTTP_API_PASSWORD=...'"
+  exit 2
 fi
 
 # apply conf
 # copy templates
-cp ${BONITA_TPL}/setenv.sh ${BONITA_PATH}/BonitaCommunity-${BRANDING_VERSION}/setup/tomcat-templates/setenv.sh
-cp ${BONITA_TPL}/database.properties ${BONITA_PATH}/BonitaCommunity-${BRANDING_VERSION}/setup/database.properties
-
-# if required, uncomment dynamic checks on REST API
-if [ "$REST_API_DYN_AUTH_CHECKS" = 'true' ]
-then
-    sed -i -e 's/^#GET|/GET|/' -e 's/^#POST|/POST|/' -e 's/^#PUT|/PUT|/' -e 's/^#DELETE|/DELETE|/' ${BONITA_PATH}/BonitaCommunity-${BRANDING_VERSION}/setup/platform_conf/initial/tenant_template_portal/dynamic-permissions-checks-custom.properties
-fi
+cp ${BONITA_TPL}/setenv.sh ${BONITA_PATH}/setup/tomcat-templates/setenv.sh
+cp ${BONITA_TPL}/database.properties ${BONITA_PATH}/setup/database.properties
+cp ${BONITA_TPL}/server.xml ${BONITA_PATH}/server/conf/server.xml
 
 # replace variables
-find ${BONITA_PATH}/BonitaCommunity-${BRANDING_VERSION}/setup/platform_conf/initial -name "*.properties" | xargs -n10 sed -i \
+find ${BONITA_PATH}/setup/platform_conf/initial -name "*.properties" | xargs -n10 sed -i \
     -e 's/^#userName\s*=.*/'"userName=${TENANT_LOGIN}"'/' \
     -e 's/^#userPassword\s*=.*/'"userPassword=${TENANT_PASSWORD}"'/' \
     -e 's/^platform.tenant.default.username\s*=.*/'"platform.tenant.default.username=${TENANT_LOGIN}"'/' \
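Review bot: the whole `ENSURE_DB_CHECK_AND_CREATION` block is removed, but the `ENSURE_DB_CHECK_AND_CREATION=${ENSURE_DB_CHECK_AND_CREATION:-true}` default in the earlier hunk stays, so the variable is now dead and any image documentation describing automatic database creation needs updating; drop the default or note that the script no longer creates databases or users. The new `HTTP_API` guard that refuses to start with an empty `HTTP_API_PASSWORD` is good; `[ ... -a ... ]` works under bash, but `[ "${HTTP_API}" = true ] && [ -z "${HTTP_API_PASSWORD}" ]` is the portable spelling.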
@@ -115,16 +83,31 @@ find ${BONITA_PATH}/BonitaCommunity-${BRANDING_VERSION}/setup/platform_conf/init
     -e 's/^#platformAdminUsername\s*=.*/'"platformAdminUsername=${PLATFORM_LOGIN}"'/' \
     -e 's/^#platformAdminPassword\s*=.*/'"platformAdminPassword=${PLATFORM_PASSWORD}"'/'
 
-echo "Using JAVA_OPTS: ${JAVA_OPTS}"
-sed -i -e 's/{{JAVA_OPTS}}/'"${JAVA_OPTS}"'/' ${BONITA_PATH}/BonitaCommunity-${BRANDING_VERSION}/setup/tomcat-templates/setenv.sh
+sed -e 's/{{HTTP_API_USERNAME}}/'"${HTTP_API_USERNAME}"'/' \
+      -e 's/{{HTTP_API_PASSWORD}}/'"${HTTP_API_PASSWORD}"'/' \
+      ${BONITA_TPL}/tomcat-users.xml > ${BONITA_PATH}/server/conf/tomcat-users.xml
+
+if [ "$JMX_REMOTE_ACCESS" = 'true' ]
+then
+    sed -e 's/{{MONITORING_USERNAME}}/'"${MONITORING_USERNAME}"'/' \
+      ${BONITA_TPL}/jmxremote.access > ${BONITA_PATH}/server/conf/jmxremote.access
+
+    sed -e 's/{{MONITORING_USERNAME}}/'"${MONITORING_USERNAME}"'/' \
+      -e 's/{{MONITORING_PASSWORD}}/'"${MONITORING_PASSWORD}"'/' \
+      ${BONITA_TPL}/jmxremote.password > ${BONITA_PATH}/server/conf/jmxremote.password
+fi
+
+echo "XA transaction timeout: ${BONITA_RUNTIME_TRANSACTION_XATIMEOUT}"
+sed -i -e 's/{{TRANSACTION_XATIMEOUT_OPTS}}/'"${BONITA_RUNTIME_TRANSACTION_XATIMEOUT}"'/' ${BONITA_PATH}/setup/tomcat-templates/setenv.sh
+
 
 if [ -n "$JDBC_DRIVER" ]
 then
     # if $JDBC_DRIVER is set and the driver is not present, copy the JDBC driver into the Bundle
     file=$(basename $JDBC_DRIVER)
-    if [ ! -e ${BONITA_PATH}/BonitaCommunity-${BRANDING_VERSION}/setup/lib/$file ]
+    if [ ! -e ${BONITA_PATH}/setup/lib/$file ]
     then
-        cp ${BONITA_FILES}/${JDBC_DRIVER} ${BONITA_PATH}/BonitaCommunity-${BRANDING_VERSION}/setup/lib/
+        cp ${BONITA_FILES}/${JDBC_DRIVER} ${BONITA_PATH}/setup/lib/
     fi
 fi
 
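Review bot: the `sed -e 's/{{HTTP_API_PASSWORD}}/'"${HTTP_API_PASSWORD}"'/'` substitution (and the `MONITORING_*` ones below it) splices an unescaped value into a sed script and then into XML: a password containing `/`, `&` or `\` either breaks the sed or lands in tomcat-users.xml as a different string, and `<` or `"` are not XML-escaped. Escape the value before substituting, or generate the file with a tool that takes the value as data rather than as part of the script. `jmxremote.password` is also written with the default umask and nothing restricts it afterwards; the JDK refuses to use a password file that other users can read, so add a `chmod 600 ${BONITA_PATH}/server/conf/jmxremote.password` after the redirect. Finally, `MONITORING_PASSWORD` falls back to the `mon1tor1ng_adm1n` default baked into the Dockerfile without the guard that `HTTP_API_PASSWORD` gets; refuse to enable `JMX_REMOTE_ACCESS` while the password is still the default.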
@@ -143,16 +126,37 @@ sed -e 's/{{DB_VENDOR}}/'"${DB_VENDOR}"'/' \
     -e 's/{{BIZ_DB_USER}}/'"${BIZ_DB_USER}"'/' \
     -e 's/{{BIZ_DB_PASS}}/'"${BIZ_DB_PASS}"'/' \
     -e 's/{{BIZ_DB_NAME}}/'"${BIZ_DB_NAME}"'/' \
-    -i ${BONITA_PATH}/BonitaCommunity-${BRANDING_VERSION}/setup/database.properties
+    -i ${BONITA_PATH}/setup/database.properties
+
+sed -e "s/{{HTTP_MAX_THREADS}}/${HTTP_MAX_THREADS}/" -i ${BONITA_PATH}/server/conf/server.xml
 
-# apply logging configuration
-LOGGING_FILE=${BONITA_PATH}/BonitaCommunity-${BRANDING_VERSION}/server/conf/logging.properties
-mv ${LOGGING_FILE} ${LOGGING_FILE}.original
-awk -f ${BONITA_FILES}/logging.awk ${LOGGING_FILE}.original > ${LOGGING_FILE}
+if [ "${REMOTE_IP_VALVE_ENABLED}" = 'true' ]; then
+  sed -e 's/<!--REMOTE_IP_VALVE//' -e 's/REMOTE_IP_VALVE-->//' \
+      -i ${BONITA_PATH}/server/conf/server.xml
+fi
+
+if [ "${ACCESSLOGS_STDOUT_ENABLED}" = 'true' ]; then
+  sed -e 's/<!--ACCESSLOGS_STDOUT_ENABLED//' -e 's/ACCESSLOGS_STDOUT_ENABLED-->//' -i ${BONITA_PATH}/server/conf/server.xml
+fi
+
+if [ "${ACCESSLOGS_FILES_ENABLED}" = 'true' ]; then
+  sed -e 's/<!--ACCESSLOGS_FILES_ENABLED//' \
+      -e 's/ACCESSLOGS_FILES_ENABLED-->//' \
+      -e "s@{{ACCESSLOGS_PATH}}@${ACCESSLOGS_PATH}@" \
+      -i ${BONITA_PATH}/server/conf/server.xml
+  if [ "${ACCESSLOGS_PATH_APPEND_HOSTNAME}" = 'true' ]; then
+    HOSTNAME_APPEND_VALUE="/$(hostname)"  # append '/' + hostname value
+  else
+    HOSTNAME_APPEND_VALUE=""
+  fi
+  sed -e "s@{{HOSTNAME}}@${HOSTNAME_APPEND_VALUE}@" \
+      -e "s@{{ACCESSLOGS_MAX_DAYS}}@${ACCESSLOGS_MAX_DAYS}@" \
+      -i ${BONITA_PATH}/server/conf/server.xml
+fi
 
 # use the setup tool to initialize and configure Bonita Tomcat bundle
 
 # platform setup tool logging configuration file
-BONITA_SETUP_LOGGING_FILE=${BONITA_SETUP_LOGGING_FILE:-/opt/bonita/BonitaCommunity-${BRANDING_VERSION}/setup/logback.xml}
-./opt/bonita/BonitaCommunity-${BRANDING_VERSION}/setup/setup.sh init -Dh2.noconfirm -Dlogging.config=${BONITA_SETUP_LOGGING_FILE}
-./opt/bonita/BonitaCommunity-${BRANDING_VERSION}/setup/setup.sh configure -Dlogging.config=${BONITA_SETUP_LOGGING_FILE}
+BONITA_SETUP_LOGGING_FILE=${BONITA_SETUP_LOGGING_FILE:-/opt/bonita/setup/logback.xml}
+./opt/bonita/setup/setup.sh init -Dh2.noconfirm -Dlogging.config=${BONITA_SETUP_LOGGING_FILE}
+./opt/bonita/setup/setup.sh configure -Dlogging.config=${BONITA_SETUP_LOGGING_FILE}
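Review bot: `./opt/bonita/setup/setup.sh init ...` and `./opt/bonita/setup/setup.sh configure ...` are relative paths, so these two lines only work when the working directory is `/`; use `/opt/bonita/setup/setup.sh` like every other absolute path in this hunk. The `s@{{ACCESSLOGS_PATH}}@${ACCESSLOGS_PATH}@` substitution is likewise only safe for paths without `@`, and `HTTP_MAX_THREADS` is spliced into server.xml with no numeric check; validate both values before the `sed -i`.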
diff --git a/bonita_latest/files/log4j2/log4j2-appenders.xml b/bonita_latest/files/log4j2/log4j2-appenders.xml
new file mode 100644
index 0000000..f123712
--- /dev/null
+++ b/bonita_latest/files/log4j2/log4j2-appenders.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration status="info" monitorInterval="60">
+    <Properties>
+        <Property name="LOG_PATTERN">%d{ISO8601_OFFSET_DATE_TIME_HHMM} | ${hostName} | %-5p | [%t|%T] %c{1.} - %m%n</Property>
+        <Property name="baseDir">/opt/bonita/logs/</Property>
+    </Properties>
+    <Appenders>
+        <!-- use json logger if json output is required -->
+        <Console name="Console-JSON" target="SYSTEM_OUT">
+            <JSONLayout compact="true" eventEol="true" properties="true" stacktraceAsString="true">
+                <KeyValuePair key="timestamp" value="$${date:yyyy-MM-dd'T'HH:mm:ss.SSSZ}"/>
+            </JSONLayout>
+        </Console>
+        <Console name="Console" target="SYSTEM_OUT">
+            <PatternLayout pattern="${LOG_PATTERN}"/>
+        </Console>
+    </Appenders>
+
+    <Loggers>
+        <Root level="INFO">
+            <AppenderRef ref="Console"/>
+        </Root>
+    </Loggers>
+
+</Configuration>
diff --git a/bonita_latest/files/startup.sh b/bonita_latest/files/startup.sh
index 35f4223..f6ad65d 100755
--- a/bonita_latest/files/startup.sh
+++ b/bonita_latest/files/startup.sh
@@ -1,22 +1,33 @@
 #!/bin/bash
-# ensure to set the proper owner of data volume
-if [ `stat -c %U /opt/bonita/` != 'bonita' ]
-then
-	chown -R bonita:bonita /opt/bonita/
-fi
-# ensure to apply the proper configuration
-if [ ! -f /opt/${BONITA_VERSION}-configured ]
-then
-	gosu bonita /opt/files/config.sh \
-      && touch /opt/${BONITA_VERSION}-configured || exit 1
-fi
-if [ -d /opt/custom-init.d/ ]
-then
-	for f in $(ls -v /opt/custom-init.d/*.sh)
+set -eo pipefail
+# only execute bonita specific customization when the executable is tomcat
+# it allows to not run this script when CMD is overridden
+if [[ "$1" == "/opt/bonita/server/bin/catalina.sh" ]]
+  then
+  # if we are root user, we restrict access to files to the user 'bonita'
+  if [ "$(id -u)" = '0' ]; then
+    chmod -R go-rwx /opt/bonita/
+    chown -R bonita:bonita /opt/custom-init.d/
+    chown -R bonita:bonita /opt/files
+    exec su-exec  bonita "$BASH_SOURCE" "$@"
+  fi
+
+  # ensure to apply the proper configuration
+  if [ ! -f /opt/bonita/${BONITA_VERSION}-configured ]
+  then
+    /opt/files/config.sh \
+        && touch /opt/bonita/${BONITA_VERSION}-configured || exit 1
+  fi
+  if [ -d /opt/custom-init.d/ ]
+  then
+    echo "Custom scripts:"
+    find /opt/custom-init.d -name '*.sh' | sort
+    for f in $(find /opt/custom-init.d -name '*.sh' | sort)
     do
-		[ -f "$f" ] && . "$f"
+      [ -f "$f" ] && echo "Executing custom script $f" && . "$f"
     done
+  fi
 fi
 # launch tomcat
-export LOGGING_CONFIG="-Djava.util.logging.config.file=${BONITA_SERVER_LOGGING_FILE:-/opt/bonita/BonitaCommunity-${BRANDING_VERSION}/server/conf/logging.properties}"
-exec gosu bonita /opt/bonita/BonitaCommunity-${BRANDING_VERSION}/server/bin/catalina.sh run
+
+exec "$@"
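Review bot: the root branch no longer fixes ownership of /opt/bonita. A bind-mounted host directory is typically root-owned, and `chmod -R go-rwx /opt/bonita/` then strips group/other access, so after `exec su-exec bonita "$BASH_SOURCE" "$@"` the `touch /opt/bonita/${BONITA_VERSION}-configured`, the H2 database and the log writes all fail with permission denied. The old script checked `stat -c %U /opt/bonita/` and chowned only when needed; keep an equivalent `chown -R bonita:bonita /opt/bonita/` guarded by that check, since a recursive chown/chmod over a large data volume on every start is also slow. Two smaller points: `for f in $(find /opt/custom-init.d -name '*.sh' | sort)` word-splits on whitespace and, without `-maxdepth 1 -type f`, also sources scripts from nested directories; `find /opt/custom-init.d -maxdepth 1 -type f -name '*.sh' | sort` read in a `while read -r f` loop is safer. And the `[[ "$1" == "/opt/bonita/server/bin/catalina.sh" ]]` guard silently skips all configuration when CMD uses a relative or different path; an `else` branch that logs "skipping Bonita configuration" would make that visible.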
diff --git a/bonita_latest/templates/jmxremote.access b/bonita_latest/templates/jmxremote.access
new file mode 100644
index 0000000..8bee179
--- /dev/null
+++ b/bonita_latest/templates/jmxremote.access
@@ -0,0 +1 @@
+{{MONITORING_USERNAME}} readwrite
\ No newline at end of file
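Review bot: `readwrite` lets the monitoring user invoke MBean operations (for example the HotSpot DiagnosticCommand operations that write heap dumps to an arbitrary path), not just read attributes, and setenv.sh exposes this over plain RMI with `jmxremote.ssl=false`. Grant `readonly` unless a write operation is actually required, and document which one if it is. Also add a trailing newline.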
diff --git a/bonita_latest/templates/jmxremote.password b/bonita_latest/templates/jmxremote.password
new file mode 100644
index 0000000..14834d8
--- /dev/null
+++ b/bonita_latest/templates/jmxremote.password
@@ -0,0 +1 @@
+{{MONITORING_USERNAME}} {{MONITORING_PASSWORD}}
\ No newline at end of file
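Review bot: the JVM fails at startup unless conf/jmxremote.password is readable only by its owner ("Password file read access must be restricted"), and on JDK 10+ it rewrites the file on first login, replacing the clear-text password with a hash (`com.sun.management.jmxremote.password.toHashes` defaults to true), so the file must also be writable by the bonita user. The rendering step in config.sh is not in this hunk; make sure it ends with `chmod 600` and `bonita:bonita` ownership on the rendered file, otherwise `JMX_REMOTE_ACCESS=true` will not start. Add a trailing newline here as well.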
diff --git a/bonita_latest/templates/server.xml b/bonita_latest/templates/server.xml
new file mode 100644
index 0000000..3a73e05
--- /dev/null
+++ b/bonita_latest/templates/server.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!-- Note:  A "Server" is not itself a "Container", so you may not
+     define subcomponents such as "Valves" at this level.
+     Documentation at /docs/config/server.html
+ -->
+<Server port="8005" shutdown="SHUTDOWN">
+  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+  <!-- Security listener. Documentation at /docs/config/listeners.html
+  <Listener className="org.apache.catalina.security.SecurityListener" />
+  -->
+
+  <!--APR library loader. Documentation at /docs/apr.html -->
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+  <Listener className="org.jboss.narayana.tomcat.jta.TransactionLifecycleListener" />
+
+  <!-- Global JNDI resources
+       Documentation at /docs/jndi-resources-howto.html
+  -->
+  <GlobalNamingResources>
+    <!-- Editable user database that can also be used by
+         UserDatabaseRealm to authenticate users
+    -->
+    <Resource name="UserDatabase" auth="Container"
+              type="org.apache.catalina.UserDatabase"
+              description="User database that can be updated and saved"
+              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+              pathname="conf/tomcat-users.xml" />
+  </GlobalNamingResources>
+
+  <!-- A "Service" is a collection of one or more "Connectors" that share
+       a single "Container" Note:  A "Service" is not itself a "Container",
+       so you may not define subcomponents such as "Valves" at this level.
+       Documentation at /docs/config/service.html
+   -->
+  <Service name="Catalina">
+
+    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+    <!--
+    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+        maxThreads="150" minSpareThreads="4"/>
+    -->
+
+
+    <!-- A "Connector" represents an endpoint by which requests are received
+         and responses are returned. Documentation at :
+         Java HTTP Connector: /docs/config/http.html
+         Java AJP  Connector: /docs/config/ajp.html
+         APR (HTTP/AJP) Connector: /docs/apr.html
+         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
+    -->
+        <Connector port="8080" protocol="HTTP/1.1"
+                   connectionTimeout="20000"
+                   maxThreads="{{HTTP_MAX_THREADS}}"
+                   redirectPort="8443"
+                   maxPostSize="-1"
+                   URIEncoding="UTF-8" />
+    <!-- A "Connector" using the shared thread pool-->
+    <!--
+    <Connector executor="tomcatThreadPool"
+               port="8080" protocol="HTTP/1.1"
+               connectionTimeout="20000"
+               redirectPort="8443" />
+    -->
+    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
+         This connector uses the NIO implementation. The default
+         SSLImplementation will depend on the presence of the APR/native
+         library and the useOpenSSL attribute of the
+         AprLifecycleListener.
+         Either JSSE or OpenSSL style configuration may be used regardless of
+         the SSLImplementation selected. JSSE style configuration is used below.
+    -->
+    <!--
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+               maxThreads="150" SSLEnabled="true">
+        <SSLHostConfig>
+            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
+                         type="RSA" />
+        </SSLHostConfig>
+    </Connector>
+    -->
+    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
+         This connector uses the APR/native implementation which always uses
+         OpenSSL for TLS.
+         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
+         configuration is used below.
+    -->
+    <!--
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+               maxThreads="150" SSLEnabled="true" >
+        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
+        <SSLHostConfig>
+            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
+                         certificateFile="conf/localhost-rsa-cert.pem"
+                         certificateChainFile="conf/localhost-rsa-chain.pem"
+                         type="RSA" />
+        </SSLHostConfig>
+    </Connector>
+    -->
+
+    <!-- Define an AJP 1.3 Connector on port 8009 -->
+    <!--
+    <Connector protocol="AJP/1.3"
+               address="::1"
+               port="8009"
+               redirectPort="8443" />
+    -->
+
+    <!-- An Engine represents the entry point (within Catalina) that processes
+         every request.  The Engine implementation for Tomcat stand alone
+         analyzes the HTTP headers included with the request, and passes them
+         on to the appropriate Host (virtual host).
+         Documentation at /docs/config/engine.html -->
+
+    <!-- You should set jvmRoute to support load-balancing via AJP ie :
+    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+    -->
+    <Engine name="Catalina" defaultHost="localhost">
+
+      <!--For clustering, please take a look at documentation at:
+          /docs/cluster-howto.html  (simple how to)
+          /docs/config/cluster.html (reference documentation) -->
+      <!--
+      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+      -->
+
+      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+           via a brute-force attack -->
+      <Realm className="org.apache.catalina.realm.LockOutRealm">
+        <!-- This Realm uses the UserDatabase configured in the global JNDI
+             resources under the key "UserDatabase".  Any edits
+             that are performed against this UserDatabase are immediately
+             available for use by the Realm.  -->
+        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+               resourceName="UserDatabase"/>
+      </Realm>
+
+      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
+<!--REMOTE_IP_VALVE
+        <Valve className="org.apache.catalina.valves.RemoteIpValve" />
+REMOTE_IP_VALVE-->
+
+        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
+
+        <!-- SingleSignOn valve, share authentication between web applications
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+        -->
+
+<!--ACCESSLOGS_STDOUT_ENABLED
+        <Valve className="org.bonitasoft.runtime.tomcat.StdoutAccessLogValve"
+               requestAttributesEnabled="true"
+               pattern="{&quot;http&quot;:{&quot;url&quot;:&quot;%U&quot;,&quot;status_code&quot;:&quot;%s&quot;,&quot;method&quot;:&quot;%m&quot;,&quot;referer&quot;:&quot;%{Referer}i&quot;,&quot;useragent&quot;:&quot;%{User-Agent}i&quot;},&quot;network&quot;:{&quot;client&quot;:{&quot;ip&quot;:&quot;%a&quot;},&quot;destination&quot;:{&quot;ip&quot;:&quot;%A&quot;,&quot;port&quot;:&quot;%{local}p&quot;},&quot;bytes_written&quot;:&quot;%b&quot;},&quot;x_forwarded_for&quot;:&quot;%{X-Forwarded-For}i&quot;,&quot;x_forwarded_host&quot;:&quot;%{X-Forwarded-Host}i&quot;,&quot;x_forwarded_proto&quot;:&quot;%{X-Forwarded-Proto}i&quot;,&quot;remote_user&quot;:&quot;%u&quot;,&quot;request&quot;:&quot;%r&quot;,&quot;request_body_length&quot;:&quot;%{requestBodyLength}r&quot;,&quot;process_millis&quot;:&quot;%D&quot;,&quot;session_tracker&quot;:&quot;%{sessionTracker}s&quot;,&quot;session_user&quot;:&quot;%{username}s&quot;,&quot;thread_name&quot;:&quot;%I&quot;,&quot;time&quot;:&quot;%{yyyy-MM-dd'T'HH:mm:ss.SSS Z}t&quot;}" />
+ACCESSLOGS_STDOUT_ENABLED-->
+
+<!--ACCESSLOGS_FILES_ENABLED
+        <Valve className="org.apache.catalina.valves.AccessLogValve"
+               requestAttributesEnabled="true"
+               directory="{{ACCESSLOGS_PATH}}{{HOSTNAME}}"
+               prefix="access-"
+               fileDateFormat="yyyy-MM-dd"
+               suffix=".log"
+               pattern="%h %l %u %{yyyy-MM-dd'T'HH:mm:ss.SSS Z}t &quot;%r&quot; %s %b %{Referer}i %{User-Agent}i %a %A %{local}p %{username}s %I %{X-Forwarded-For}i %{X-Forwarded-Host}i %{X-Forwarded-Proto}i"
+               maxDays="{{ACCESSLOGS_MAX_DAYS}}" />
+ACCESSLOGS_FILES_ENABLED-->
+
+      </Host>
+    </Engine>
+  </Service>
+</Server>
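Review bot: `<Server port="8005" shutdown="SHUTDOWN">` keeps Tomcat's shutdown listener with the stock command; in a container nothing needs it, and anything that can open a loopback socket in the container's network namespace can stop the server, so set `port="-1"`. `maxPostSize="-1"` removes the request-body limit on the HTTP connector; a limit sized to the largest expected upload is better than none. The `REMOTE_IP_VALVE` toggle sets no `internalProxies`/`trustedProxies`, so when enabled it trusts only loopback and RFC 1918 proxies, and any client in those ranges can spoof `X-Forwarded-For` and `X-Forwarded-Proto`; document that the reverse proxy address belongs there. Finally, the StdoutAccessLogValve pattern places `%r`, `%{User-Agent}i` and `%{Referer}i` inside JSON string literals: unless that valve escapes attribute values, a `"` in a request line or header produces malformed JSON and lets a client inject fields into the access log.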
diff --git a/bonita_latest/templates/setenv.sh b/bonita_latest/templates/setenv.sh
index f1b178a..bd4a249 100755
--- a/bonita_latest/templates/setenv.sh
+++ b/bonita_latest/templates/setenv.sh
@@ -2,6 +2,9 @@
 
 # Set some JVM system properties required by Bonita
 
+LOGGING_MANAGER="-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager"
+LOG_CONF_FILE_PATH="-Dlog4j.configurationFile=${BONITA_SERVER_LOGGING_FILE:-/opt/bonita/conf/logs/log4j2-appenders.xml,/opt/bonita/conf/logs/log4j2-loggers.xml}"
+
 PLATFORM_SETUP="-Dorg.bonitasoft.platform.setup.folder=${CATALINA_HOME}/../setup"
 H2_DATABASE_DIR="-Dorg.bonitasoft.h2.database.dir=${CATALINA_HOME}/../h2_database"
 INCIDENT_LOG_DIR="-Dorg.bonitasoft.engine.incident.folder=${CATALINA_HOME}/logs"
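Review bot: `LOGGING_MANAGER` is never appended to CATALINA_OPTS; it only takes effect because catalina.sh sources setenv.sh and then passes its own `$LOGGING_MANAGER` shell variable to java (defaulting it to juli's ClassLoaderLogManager only when unset). That dependency is not obvious, so add a comment saying catalina.sh picks the variable up, otherwise the next reader will treat it as dead and `-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager` will get dropped in a refactor. Related: with the old `export LOGGING_CONFIG=...` removed from startup.sh, catalina.sh's default `-Djava.util.logging.config.file=conf/logging.properties` still applies if that file exists; harmless under the log4j LogManager, but `BONITA_SERVER_LOGGING_FILE` now means a log4j2 configuration rather than a JUL one, and the README should say so.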
@@ -16,11 +19,19 @@ BDM_DB_OPTS="-Dsysprop.bonita.bdm.db.vendor=h2"
 # Arjuna (JTA service added to Tomcat and required by Bonita Engine for transaction management)
 ARJUNA_OPTS="-Dcom.arjuna.ats.arjuna.common.propertiesFile=${CATALINA_HOME}/conf/jbossts-properties.xml"
 
+TRANSACTION_XATIMEOUT_OPTS="-Dbonita.runtime.transaction.xa-timeout={{TRANSACTION_XATIMEOUT_OPTS}}"
+
 # Optional JAAS configuration. Usually used when delegating authentication to LDAP / Active Directory server
 #SECURITY_OPTS="-Djava.security.auth.login.config=${CATALINA_HOME}/conf/jaas-standard.cfg"
 
+# Optional JMX remote access Configuration. Used to enable remote JMX agent in tomcat to monitor Heap Memory, Threads, CPU Usage, Classes, and configure various MBeans.
+if [ "$JMX_REMOTE_ACCESS" = 'true' ]; then
+        host=$(echo $(hostname -i) | xargs)
+        JMX_REMOTE_ACCESS_OPTS="-Dcom.sun.management.jmxremote -Djava.rmi.server.hostname=${host} -Dcom.sun.management.jmxremote.port=9000 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=${CATALINA_HOME}/conf/jmxremote.password -Dcom.sun.management.jmxremote.access.file=${CATALINA_HOME}/conf/jmxremote.access"
+fi
+
 # Pass the JVM system properties to Tomcat JVM using CATALINA_OPTS variable
-CATALINA_OPTS="${CATALINA_OPTS} ${PLATFORM_SETUP} ${H2_DATABASE_DIR} ${DB_OPTS} ${BDM_DB_OPTS} ${ARJUNA_OPTS} ${INCIDENT_LOG_DIR} -Dfile.encoding=UTF-8 -Xshare:auto -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=${CATALINA_HOME}/logs -Djava.security.egd=file:/dev/./urandom"
+CATALINA_OPTS="${CATALINA_OPTS} ${LOG_CONF_FILE_PATH} ${PLATFORM_SETUP} ${TRANSACTION_XATIMEOUT_OPTS} ${H2_DATABASE_DIR} ${DB_OPTS} ${BDM_DB_OPTS} ${ARJUNA_OPTS} ${INCIDENT_LOG_DIR} ${JMX_REMOTE_ACCESS_OPTS} -Dfile.encoding=UTF-8 -Xshare:auto -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=${CATALINA_HOME}/logs -Djava.security.egd=file:/dev/./urandom -Dlog4j2.formatMsgNoLookups=true"
 export CATALINA_OPTS
 
 # Only set CATALINA_PID if not already set (check for empty value) by startup script (usually done by /etc/init.d/tomcat8 but not by startup.sh nor catalina.sh)
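Review bot: the JMX options set only `jmxremote.port=9000`; without `-Dcom.sun.management.jmxremote.rmi.port=9000` the RMI server binds a second, random port, so publishing 9000 from the container is not enough for a client to connect. `host=$(echo $(hostname -i) | xargs)` also breaks when the container has more than one interface: `hostname -i` returns all addresses and `java.rmi.server.hostname` becomes "ip1 ip2"; use `host=$(hostname -i | awk '{print $1}')`. `jmxremote.ssl=false` with `authenticate=true` sends the monitoring password in clear over RMI, so the README must state that port 9000 stays on an internal network. `-Dlog4j2.formatMsgNoLookups=true` is fine as belt and braces, but it is a no-op on log4j-core 2.16+ (message lookups were removed) and was not a complete fix on 2.15, so the bundled log4j-core version is what matters; state it in the PR description.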
@@ -29,5 +40,5 @@ if [ -z ${CATALINA_PID+x} ]; then
         export CATALINA_PID;
 fi
 
-# extra lib required at Tomcat startup (for instance bonita juli extensions)
+# extra lib required at Tomcat startup
 export CLASSPATH="${CATALINA_HOME}/lib/ext/*"
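Review bot: the comment now says only "extra lib", but since `-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager` is set above, the log4j-core and log4j-jul jars have to be in `${CATALINA_HOME}/lib/ext` (on the system classpath before JUL initializes); say that here in place of the removed juli remark. Keep the glob quoted as it is: `lib/ext/*` is expanded by the JVM, not the shell.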
diff --git a/bonita_latest/templates/tomcat-users.xml b/bonita_latest/templates/tomcat-users.xml
new file mode 100644
index 0000000..8f2ec43
--- /dev/null
+++ b/bonita_latest/templates/tomcat-users.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<tomcat-users xmlns="http://tomcat.apache.org/xml"
+              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
+              version="1.0">
+
+    <user username="{{HTTP_API_USERNAME}}" password="{{HTTP_API_PASSWORD}}" roles="bonita-http-api"/>
+    
+</tomcat-users>
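Review bot: `{{HTTP_API_PASSWORD}}` is substituted into an XML attribute, so a password containing `&`, `<` or `"` makes the file unparseable and the user database fails to load; the template rendering has to XML-escape the value or reject such characters with a clear error. The password is also stored in clear in conf/; pairing the `UserDatabaseRealm` in server.xml with a `CredentialHandler` (and hashing at render time) would keep it out of the file in clear text. Declare `<role rolename="bonita-http-api"/>` explicitly rather than relying on the role being implied by the user entry, and drop the trailing whitespace line.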

@educhastenier
Contributor

@tianon we integrated all your remarks.
Can you give a final look? Thx.

@tianon tianon merged commit 2f0cfdc into docker-library:master Apr 1, 2022