Add the xwiki official image

[vmassol]

Documentation is in the following PR: docker-library/docs#804

Checklist for Review

NOTE: This checklist is intended for the use of the Official Images maintainers both to track the status of your PR and to help inform you and others of where we're at. As such, please leave the "checking" of items to the repository maintainers. If there is a point below for which you would like to provide additional information or note completion, please do so by commenting on the PR. Thanks! (and thanks for staying patient with us ❤️)

• associated with or contacted upstream?
  • https://github.com/xwiki-contrib (location for "official" community projects)
• does it fit into one of the common categories? ("service", "language stack", "base distribution")
• is it reasonably popular, or does it solve a particular use case well?
• does a documentation PR exist? (should be reviewed and merged at roughly the same time so that we don't have an empty image page on the Hub for very long)
  • Add documentation for the xwiki official image docs#804
• dockerization review for best practices and cache gotchas/improvements (ala the official review guidelines)?
• 2+ dockerization review?
• existing official images have been considered as a base? (ie, if foobar needs Node.js, has FROM node:... instead of grabbing node via other means been considered?)
• if FROM scratch, tarballs only exist in a single commit within the associated history?
• passes current tests? any simple new tests that might be appropriate to add? (https://github.com/docker-library/official-images/tree/master/test)

[vmassol]

Travis is failing but I don't think it's caused by my PR. The sha1 I've provided seems correct, see xwiki/xwiki-docker@7ab5cfa

fatal: ambiguous argument '7ab5cfafc4ffec3fed180ef950f747226a3312ca^{commit}': unknown revision or path not in the working tree.

Is the CI build working fine (not sure what is this trailing ^{commit})?

Thanks

[vmassol]

When I run git rev-parse "e8ad90aa6d119301bd4b810a88ed71b2f8a0e224^{commit}" locally it works fine...

[dgageot]

@vmassol I can reproduce the issue on my machine so you might want to take a second look

[vmassol]

@dgageot Thanks for checking. I still don't understand something: All I'm providing are 2 sha1 (1f845295f650ce5c755712b801b84ad8198b9d7b and e8ad90aa6d119301bd4b810a88ed71b2f8a0e224) and they exist:

• xwiki/xwiki-docker@1f84529
• xwiki/xwiki-docker@e8ad90a

I don't know what Travis script is executed and why it fails on:

command: git ["rev-parse" "e8ad90aa6d119301bd4b810a88ed71b2f8a0e224^{commit}"]
fatal: ambiguous argument 'e8ad90aa6d119301bd4b810a88ed71b2f8a0e224^{commit}': unknown revision or path not in the working tree.

Would you have any idea?

Thanks

[tianon]

It looks like e8ad90aa6d119301bd4b810a88ed71b2f8a0e224 isn't on the master branch (which is what bashbrew defaults to fetching, if a branch isn't specified. You'll need to add GitFetch: refs/heads/8.x to that Tags: 8... entry.

I haven't looked at the Dockerfile contents yet (will probably get to that a little bit later today), but from the contents here, it looks like you'll probably want to give the "Tags and aliases" section a re-read (https://github.com/docker-library/official-images#tags-and-aliases, specifically the notes about xyz-latest or latest-xyz).

[vmassol]

Thanks @tianon (stupid me for not seeing this)! I'll fix this ASAP

[vmassol]

fix applied and it's now passing ;)

[tianon]

Thanks ❤️

A few initial comments after looking into the Dockerization:

1. the section of ENV XWIKI_VERSION=... should be moved as far down as it can get (right before those values are used) so that we can use Docker's build cache as aggressively as possible
2. any particular reason to be installing openjdk-8-jdk and tomcat8 from APT rather than simply using FROM tomcat:8-jre8 or FROM openjdk:8-jdk (if the JDK is truly necessary at runtime, which is a bit suspect)?
3. I'm guessing libreoffice is used as part of xwiki for doing document conversion or something? It's pretty hefty, so I just want to be absolutely sure it's actually necessary 😄
4. I definitely don't understand why both sudo and nano are being installed -- are either used directly in xwiki itself (or in xwiki's official scripts/wrappers)? if sudo is only being used by start_xwiki.sh for running as non-root, then it's worth pointing out that sudo is very poorly behaved as a general solution for this problem (strange TTY behavior, and sometimes stays resident), so something like su-exec or gosu should be evaluated
5. I think https://github.com/docker-library/official-images#consistency is probably a good section to re-read as well (especially for refactoring start_xwiki.sh, but also as an example of decent gosu usage -- there are a lot of other examples in other https://github.com/docker-library repos too)
6. RUN chmod after a COPY will sometimes fail, depending on different host-specific factors (especially on AUFS), so the files you COPY should instead be committed to your repo with chmod +x pre-applied (which Git will track and keep), and then COPY can simply apply the executable bit directly at the time of the initial COPY

[vmassol]

@tianon Very cool to benefit from your expertise and review. I'll address those points in the coming few days. Thanks.

[vmassol]

the section of ENV XWIKI_VERSION=... should be moved as far down as it can get (right before those values are used) so that we can use Docker's build cache as aggressively as possible

I was basing my analysis on https://microbadger.com/images/xwiki/xwiki-mysql-tomcat which doesn't seem to show any disk usage for the ENV command but there's probably a concept that escapes me. I'll implement your suggestion now.

[dgageot]

@vmassol It's not that the ENV is taking some place. The reasoning is that if you build multiple images, the more layers they have in common, the more you leverage the cache. By moving ENV down where it's really used, you maximize the number of common layers.

[vmassol]

Ok thanks @dgageot makes sense now :)

[vmassol]

I'm guessing libreoffice is used as part of xwiki for doing document conversion or something? It's pretty hefty, so I just want to be absolutely sure it's actually necessary 😄

Yes this is required to perform office conversions (openoffice, libreoffice, MS, etc) to wiki pages and to view attached office files in the wiki.

[vmassol]

@tianon I've now applied all your suggestions and I've updated this pull request accordingly too (and doc PR too). Build results can be seen at https://hub.docker.com/r/xwiki/xwiki-mysql-tomcat/builds/

Thanks again for your review!

[yosifkit]

I have a few recommendations and questions:

• remove the apt-get upgrade
  • As outlined in the Dockerfile best practices, we recommend avoiding apt upgrades in images/containers.
  • child images are rebuilt by us when base images are updated
  • apt-get upgrade has a propensity to fail in containers. If you have any problems with the base image being out of date, feel free to let us know if there are important updates pending. We want to make sure everyone is protected from vulnerabilities.
• is there a specific reason for --force-yes on the apt-get install; I haven't seen a case where it is absolutely necessary and, if needed, usually means there is a different problem to solve.
• any curl invocation needs a -f so that fails on more http responses like 404, ie curl -fL "http://example.com/server.war"
  • it would be great if they could all be https or as much verification as possible as outlined in Security->Image-Build, like sha/md5 and gpg verification
• what's the reason for installing MySQL JDBC direct from upstream? is the version in Debian too new?
• you could simplify your sed line with a -i to do in-place and no longer need the mv: sed -i 's/../../' /usr/local/tomcat/webapps/ROOT/META-INF/extension.xed
• since the tomcat image already has EXPOSE 8080, it is unnecessary, though mostly harmless
• I would suggest a few changes inside the if [ "$1" = 'xwiki' ] block:
  • add shift just before the catalina run line to drop out xwiki from the args
  • swap /usr/local/tomcat/bin/catalina.sh run to set -- catalina.sh run "$@" this will allow users to add flags that get passed to catalina (and catalina.sh is in the PATH) `docker run -d xwiki --flag-to-catalina --more-args
    • this will let it fall through to the exec "$@" so that bash will get out of the way and signals will be sent to catalina
    • have you considered having it run as a non-root user? This comment may help you see when we choose to run as non-root.
• xwiki-config-replace.sh script feels dangerous since values are dropped right in a sed expression without escaping, but I don't have a better solution and it currently works for all the times that you use it
  • are the xwiki-set* files meant to be used by users of the image? Just curious, since they could just be functions in the entrypoint if they are only meant to be used there.

[vmassol]

@yosifkit yeah another PR review, I love those (they make me improve my docker skills ;)), thanks a lot for taking the time to do it. I'll apply your suggestions point by point today and tomorrow.

[vmassol]

@yosifkit All suggestions applied.

Some details:

Regarding https instead of http, I couldn't use https since there was a problem of certificate validation and curl was failing . However I've used the sha checksum validation instead. I hope this is acceptable.

Thanks

[vmassol]

Hi guys. Anything else I need to do or is the PR good and it can be applied? Thanks!

[vmassol]

Hi again. Is there anything I can do to speed up applying this PR? :) Thanks!

[yosifkit]

LGTM (build test incoming and I'll go double check the documentation)

error: failed fetching repo "xwiki"
unable to find a manifest named "xwiki" (in "/tmp/tmp.103XDSiogT/oi/library" or as a remote URL)
fatal: pathspec '.' did not match any files
diff --git a/xwiki_8-mysql-tomcat/Dockerfile b/xwiki_8-mysql-tomcat/Dockerfile
new file mode 100644
index 0000000..a853240
--- /dev/null
+++ b/xwiki_8-mysql-tomcat/Dockerfile
@@ -0,0 +1,90 @@
+# ---------------------------------------------------------------------------
+# See the NOTICE file distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this software; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+# 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+# ---------------------------------------------------------------------------
+FROM tomcat:8-jre8
+
+MAINTAINER Vincent Massol <[email protected]>
+
+# Note: when using docker-compose, the ENV values below are overridden from the .env file.
+
+# Install LibreOffice + other tools
+RUN apt-get update && \
+  apt-get --no-install-recommends -y install \
+    curl \
+    libreoffice \
+    unzip \
+    libmysql-java && \
+  rm -rf /var/lib/apt/lists/*
+
+# Install XWiki as the ROOT webapp context in Tomcat
+# Create the Tomcat temporary directory
+# Configure the XWiki permanent directory
+ENV XWIKI_VERSION=8.4.4
+ENV XWIKI_URL_PREFIX "http://maven.xwiki.org/releases/org/xwiki/enterprise/xwiki-enterprise-web/${XWIKI_VERSION}"
+ENV XWIKI_DOWNLOAD_SHA256 b414edb4527e3d8b27c40a8c3f2f09423980de7963207b7dc89da71d14e7fb23
+RUN rm -rf /usr/local/tomcat/webapps/* && \
+  mkdir -p /usr/local/tomcat/temp && \
+  mkdir -p /usr/local/xwiki/data && \
+  curl -fSL "${XWIKI_URL_PREFIX}/xwiki-enterprise-web-${XWIKI_VERSION}.war" -o xwiki.war && \
+  echo "$XWIKI_DOWNLOAD_SHA256 xwiki.war" | sha256sum -c - && \
+  unzip -d /usr/local/tomcat/webapps/ROOT xwiki.war && \
+  rm -f xwiki.war
+
+# Copy the MySQL JDBC driver in the XWiki webapp
+RUN cp /usr/share/java/mysql-connector-java-*.jar /usr/local/tomcat/webapps/ROOT/WEB-INF/lib/
+
+# Configure Tomcat. For example set the memory for the Tomcat JVM since the default value is too small for XWiki
+COPY tomcat/setenv.sh /usr/local/tomcat/bin/
+
+# Setup the XWiki Hibernate configuration
+ENV MYSQL_DATABASE=xwiki
+COPY xwiki/hibernate.cfg.xml /usr/local/tomcat/webapps/ROOT/WEB-INF/hibernate.cfg.xml
+
+# Set a specific distribution id in XWiki for this docker packaging.
+RUN sed -i 's/<id>org.xwiki.enterprise:xwiki-enterprise-web/<id>org.xwiki.enterprise:xwiki-enterprise-docker/' \
+    /usr/local/tomcat/webapps/ROOT/META-INF/extension.xed
+
+# Add scripts required to make changes to XWiki configuration files at execution time
+# Note: we don't run CHMOD since 1) it's not required since the executabe bit is already set in git and 2) running
+# CHMOD after a COPY will sometimes fail, depending on different host-specific factors (especially on AUFS).
+COPY xwiki/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+# Make the XWiki directory (the permanent directory is included in it) persist on the host (so that it's not recreated
+# across runs)
+VOLUME /var/lib/xwiki
+
+# At this point the image is done and what remains below are the runtime configuration used by the user to configure
+# the container that will be created out of the image. Namely the user can override some environment variables with
+#   docker run -e "var1=val1" -e "var2=val2" ...
+# The supported environment variables that can be overridden are:
+# - MYSQL_USER: the name of the user configured for XWiki in the DB. Default is "xwiki". This is used to configure
+#               xwiki's hibernate.cfg.xml file.
+# - MYSQL_PASSWORD: the password for the user configured for XWiki in the DB. Default is "xwiki". This is used to
+#                   configure xwiki's hibernate.cfg.xml file.
+# Example:
+#   docker run -it -e "MYSQL_USER=xwiki" -e "MYSQL_PASSWORD=xwiki" <imagename>
+
+# Starts XWiki by starting Tomcat. All options passed to "docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]"
+# are also passed to docker-entrypoint.sh. If "xwiki" is passed then XWiki will be configured the first time the
+# container executes and Tomcat will be started. If some other parameter is passed then it'll be executed to comply
+# with best practices defined at https://github.com/docker-library/official-images#consistency.
+ENV MYSQL_USER=xwiki \
+    MYSQL_PASSWORD=xwiki
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["xwiki"]
diff --git a/xwiki_8-mysql-tomcat/tomcat/setenv.sh b/xwiki_8-mysql-tomcat/tomcat/setenv.sh
new file mode 100755
index 0000000..9e4977b
--- /dev/null
+++ b/xwiki_8-mysql-tomcat/tomcat/setenv.sh
@@ -0,0 +1 @@
+export CATALINA_OPTS="-Xmx1024m"
diff --git a/xwiki_8-mysql-tomcat/xwiki/docker-entrypoint.sh b/xwiki_8-mysql-tomcat/xwiki/docker-entrypoint.sh
new file mode 100755
index 0000000..a1f9367
--- /dev/null
+++ b/xwiki_8-mysql-tomcat/xwiki/docker-entrypoint.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+# ---------------------------------------------------------------------------
+# See the NOTICE file distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this software; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+# 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+# ---------------------------------------------------------------------------
+
+set -e
+
+function first_start() {
+  configure
+  touch /usr/local/xwiki/.first_start_completed
+}
+
+# $1 - the path to xwiki.[cfg|properties]
+# $2 - the setting/property to set
+# $3 - the new value
+function xwiki_replace() {
+  sed -i s~"\#\? \?$2 \?=.*"~"$2=$3"~g "$1"
+}
+
+# $1 - the setting/property to set
+# $2 - the new value
+function xwiki_set_cfg() {
+  xwiki_replace /usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.cfg "$1" "$2"
+}
+
+# $1 - the setting/property to set
+# $2 - the new value
+function xwiki_set_properties() {
+  xwiki_replace /usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.properties "$1" "$2"
+}
+
+function configure() {
+  echo 'Configuring XWiki...'
+  sed -i "s/replacemysqluser/${MYSQL_USERNAME:-xwiki}/g" /usr/local/tomcat/webapps/ROOT/WEB-INF/hibernate.cfg.xml
+  sed -i "s/replacemysqlpassword/${MYSQL_PASSWORD:-xwiki}/g" /usr/local/tomcat/webapps/ROOT/WEB-INF/hibernate.cfg.xml
+
+  echo '  Using filesystem-based attachments...'
+  xwiki_set_cfg 'xwiki.store.attachment.hint' 'file'
+  xwiki_set_cfg 'xwiki.store.attachment.versioning.hint' 'file'
+  xwiki_set_cfg 'xwiki.store.attachment.recyclebin.hint' 'file'
+  echo '  Generating authentication validation and encryption keys...'
+  xwiki_set_cfg 'xwiki.authentication.validationKey' "$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+  xwiki_set_cfg 'xwiki.authentication.encryptionKey' "$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+
+  echo '  Setting permanent directory...'
+  xwiki_set_properties 'environment.permanentDirectory' '/usr/local/xwiki/data'
+  echo '  Configure libreoffice...'
+  xwiki_set_properties 'openoffice.autoStart' 'true'
+}
+
+# This if will check if the first argument is a flag but only works if all arguments require a hyphenated flag
+# -v; -SL; -f arg; etc will work, but not arg1 arg2
+if [ "${1:0:1}" = '-' ]; then
+    set -- xwiki "$@"
+fi
+
+# Check for the expected command
+if [ "$1" = 'xwiki' ]; then
+  if [[ ! -f /usr/local/xwiki/.first_start_completed ]]; then
+    first_start
+  fi
+  shift
+  set -- catalina.sh run "$@"
+fi
+
+# Else default to run whatever the user wanted like "bash"
+exec "$@"
diff --git a/xwiki_8-mysql-tomcat/xwiki/hibernate.cfg.xml b/xwiki_8-mysql-tomcat/xwiki/hibernate.cfg.xml
new file mode 100644
index 0000000..6411837
--- /dev/null
+++ b/xwiki_8-mysql-tomcat/xwiki/hibernate.cfg.xml
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+-->
+
+<!DOCTYPE hibernate-configuration PUBLIC
+  "-//Hibernate/Hibernate Configuration DTD//EN"
+  "http://www.hibernate.org/dtd/hibernate-configuration-3.0.dtd">
+<hibernate-configuration>
+  <session-factory>
+
+    <!-- Please refer to the installation guide on
+         http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Installation for configuring your
+         database. You'll need to do 2 things:
+         1) Copy your database driver JAR in WEB-INF/lib or in some shared lib directory
+         2) Uncomment the properties below for your specific DB (and comment the default
+            database configuration if it doesn't match your DB)
+    -->
+
+    <!-- Generic parameters common to all Databases -->
+
+    <property name="show_sql">false</property>
+    <property name="use_outer_join">true</property>
+
+    <!-- Without it, some queries fail in MS SQL. XWiki doesn't need scrollable result sets, anyway. -->
+    <property name="jdbc.use_scrollable_resultset">false</property>
+
+    <!-- DBCP Connection Pooling configuration. Only some properties are shown. All available properties can be found
+         at http://commons.apache.org/proper/commons-dbcp/configuration.html
+    -->
+    <property name="dbcp.defaultAutoCommit">false</property>
+    <property name="dbcp.maxTotal">50</property>
+    <property name="dbcp.maxIdle">5</property>
+    <property name="dbcp.maxWaitMillis">30000</property>
+    <property name="connection.provider_class">com.xpn.xwiki.store.DBCPConnectionProvider</property>
+
+    <!-- Setting "dbcp.poolPreparedStatements" to true and "dbcp.maxOpenPreparedStatements" will tell DBCP to cache
+         Prepared Statements (it's off by default). Note that for backward compatibility the "dbcp.ps.maxActive" is also
+         supported and when set it'll set "dbcp.poolPreparedStatements" to true and "dbcp.maxOpenPreparedStatements" to
+         value of "dbcp.ps.maxActive".
+
+         Note 1: When using HSQLDB for example, it's important to NOT cache prepared statements because HSQLDB
+         Prepared Statements (PS) contain the schema on which they were initially created and thus when switching
+         schema if the same PS is reused it'll execute on the wrong schema! Since HSQLDB does internally cache
+         prepared statement there's no performance loss by not caching Prepared Statements at the DBCP level.
+         See http://jira.xwiki.org/browse/XWIKI-1740.
+         Thus we recommend not turning on this configuration for HSQLDB unless you know what you're doing :)
+
+         Note 2: The same applies to PostGreSQL.
+    -->
+
+    <!-- BoneCP Connection Pooling configuration.
+    <property name="bonecp.idleMaxAgeInMinutes">240</property>
+    <property name="bonecp.idleConnectionTestPeriodInMinutes">60</property>
+    <property name="bonecp.partitionCount">3</property>
+    <property name="bonecp.acquireIncrement">10</property>
+    <property name="bonecp.maxConnectionsPerPartition">60</property>
+    <property name="bonecp.minConnectionsPerPartition">20</property>
+    <property name="bonecp.statementsCacheSize">50</property>
+    <property name="bonecp.releaseHelperThreads">3</property>
+    <property name="connection.provider_class">com.xpn.xwiki.store.DBCPConnectionProvider</property>
+    -->
+
+    <!-- MySQL configuration.
+         Uncomment if you want to use MySQL and comment out other database configurations.
+         Notes:
+           - if you want the main wiki database to be different than "xwiki"
+             you will also have to set the property xwiki.db in xwiki.cfg file
+    -->
+    <property name="connection.url">jdbc:mysql://db/${MYSQL_DATABASE:-xwiki}?useSSL=false</property>
+    <property name="connection.username">replacemysqluser</property>
+    <property name="connection.password">replacemysqlpassword</property>
+    <property name="connection.driver_class">com.mysql.jdbc.Driver</property>
+    <property name="dialect">org.hibernate.dialect.MySQL5InnoDBDialect</property>
+    <property name="dbcp.poolPreparedStatements">true</property>
+    <property name="dbcp.maxOpenPreparedStatements">20</property>
+    <mapping resource="xwiki.hbm.xml"/>
+    <mapping resource="feeds.hbm.xml"/>
+    <mapping resource="activitystream.hbm.xml"/>
+    <mapping resource="instance.hbm.xml"/>
+    <mapping resource="mailsender.hbm.xml"/>
+
+  </session-factory>
+</hibernate-configuration>
diff --git a/xwiki_mysql-tomcat/Dockerfile b/xwiki_mysql-tomcat/Dockerfile
new file mode 100644
index 0000000..a853240
--- /dev/null
+++ b/xwiki_mysql-tomcat/Dockerfile
@@ -0,0 +1,90 @@
+# ---------------------------------------------------------------------------
+# See the NOTICE file distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this software; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+# 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+# ---------------------------------------------------------------------------
+FROM tomcat:8-jre8
+
+MAINTAINER Vincent Massol <[email protected]>
+
+# Note: when using docker-compose, the ENV values below are overridden from the .env file.
+
+# Install LibreOffice + other tools
+RUN apt-get update && \
+  apt-get --no-install-recommends -y install \
+    curl \
+    libreoffice \
+    unzip \
+    libmysql-java && \
+  rm -rf /var/lib/apt/lists/*
+
+# Install XWiki as the ROOT webapp context in Tomcat
+# Create the Tomcat temporary directory
+# Configure the XWiki permanent directory
+ENV XWIKI_VERSION=8.4.4
+ENV XWIKI_URL_PREFIX "http://maven.xwiki.org/releases/org/xwiki/enterprise/xwiki-enterprise-web/${XWIKI_VERSION}"
+ENV XWIKI_DOWNLOAD_SHA256 b414edb4527e3d8b27c40a8c3f2f09423980de7963207b7dc89da71d14e7fb23
+RUN rm -rf /usr/local/tomcat/webapps/* && \
+  mkdir -p /usr/local/tomcat/temp && \
+  mkdir -p /usr/local/xwiki/data && \
+  curl -fSL "${XWIKI_URL_PREFIX}/xwiki-enterprise-web-${XWIKI_VERSION}.war" -o xwiki.war && \
+  echo "$XWIKI_DOWNLOAD_SHA256 xwiki.war" | sha256sum -c - && \
+  unzip -d /usr/local/tomcat/webapps/ROOT xwiki.war && \
+  rm -f xwiki.war
+
+# Copy the MySQL JDBC driver in the XWiki webapp
+RUN cp /usr/share/java/mysql-connector-java-*.jar /usr/local/tomcat/webapps/ROOT/WEB-INF/lib/
+
+# Configure Tomcat. For example set the memory for the Tomcat JVM since the default value is too small for XWiki
+COPY tomcat/setenv.sh /usr/local/tomcat/bin/
+
+# Setup the XWiki Hibernate configuration
+ENV MYSQL_DATABASE=xwiki
+COPY xwiki/hibernate.cfg.xml /usr/local/tomcat/webapps/ROOT/WEB-INF/hibernate.cfg.xml
+
+# Set a specific distribution id in XWiki for this docker packaging.
+RUN sed -i 's/<id>org.xwiki.enterprise:xwiki-enterprise-web/<id>org.xwiki.enterprise:xwiki-enterprise-docker/' \
+    /usr/local/tomcat/webapps/ROOT/META-INF/extension.xed
+
+# Add scripts required to make changes to XWiki configuration files at execution time
+# Note: we don't run CHMOD since 1) it's not required since the executabe bit is already set in git and 2) running
+# CHMOD after a COPY will sometimes fail, depending on different host-specific factors (especially on AUFS).
+COPY xwiki/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+# Make the XWiki directory (the permanent directory is included in it) persist on the host (so that it's not recreated
+# across runs)
+VOLUME /var/lib/xwiki
+
+# At this point the image is done and what remains below are the runtime configuration used by the user to configure
+# the container that will be created out of the image. Namely the user can override some environment variables with
+#   docker run -e "var1=val1" -e "var2=val2" ...
+# The supported environment variables that can be overridden are:
+# - MYSQL_USER: the name of the user configured for XWiki in the DB. Default is "xwiki". This is used to configure
+#               xwiki's hibernate.cfg.xml file.
+# - MYSQL_PASSWORD: the password for the user configured for XWiki in the DB. Default is "xwiki". This is used to
+#                   configure xwiki's hibernate.cfg.xml file.
+# Example:
+#   docker run -it -e "MYSQL_USER=xwiki" -e "MYSQL_PASSWORD=xwiki" <imagename>
+
+# Starts XWiki by starting Tomcat. All options passed to "docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]"
+# are also passed to docker-entrypoint.sh. If "xwiki" is passed then XWiki will be configured the first time the
+# container executes and Tomcat will be started. If some other parameter is passed then it'll be executed to comply
+# with best practices defined at https://github.com/docker-library/official-images#consistency.
+ENV MYSQL_USER=xwiki \
+    MYSQL_PASSWORD=xwiki
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["xwiki"]
diff --git a/xwiki_mysql-tomcat/tomcat/setenv.sh b/xwiki_mysql-tomcat/tomcat/setenv.sh
new file mode 100755
index 0000000..9e4977b
--- /dev/null
+++ b/xwiki_mysql-tomcat/tomcat/setenv.sh
@@ -0,0 +1 @@
+export CATALINA_OPTS="-Xmx1024m"
diff --git a/xwiki_mysql-tomcat/xwiki/docker-entrypoint.sh b/xwiki_mysql-tomcat/xwiki/docker-entrypoint.sh
new file mode 100755
index 0000000..a1f9367
--- /dev/null
+++ b/xwiki_mysql-tomcat/xwiki/docker-entrypoint.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+# ---------------------------------------------------------------------------
+# See the NOTICE file distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this software; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+# 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+# ---------------------------------------------------------------------------
+
+set -e
+
+function first_start() {
+  configure
+  touch /usr/local/xwiki/.first_start_completed
+}
+
+# $1 - the path to xwiki.[cfg|properties]
+# $2 - the setting/property to set
+# $3 - the new value
+function xwiki_replace() {
+  sed -i s~"\#\? \?$2 \?=.*"~"$2=$3"~g "$1"
+}
+
+# $1 - the setting/property to set
+# $2 - the new value
+function xwiki_set_cfg() {
+  xwiki_replace /usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.cfg "$1" "$2"
+}
+
+# $1 - the setting/property to set
+# $2 - the new value
+function xwiki_set_properties() {
+  xwiki_replace /usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.properties "$1" "$2"
+}
+
+function configure() {
+  echo 'Configuring XWiki...'
+  sed -i "s/replacemysqluser/${MYSQL_USERNAME:-xwiki}/g" /usr/local/tomcat/webapps/ROOT/WEB-INF/hibernate.cfg.xml
+  sed -i "s/replacemysqlpassword/${MYSQL_PASSWORD:-xwiki}/g" /usr/local/tomcat/webapps/ROOT/WEB-INF/hibernate.cfg.xml
+
+  echo '  Using filesystem-based attachments...'
+  xwiki_set_cfg 'xwiki.store.attachment.hint' 'file'
+  xwiki_set_cfg 'xwiki.store.attachment.versioning.hint' 'file'
+  xwiki_set_cfg 'xwiki.store.attachment.recyclebin.hint' 'file'
+  echo '  Generating authentication validation and encryption keys...'
+  xwiki_set_cfg 'xwiki.authentication.validationKey' "$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+  xwiki_set_cfg 'xwiki.authentication.encryptionKey' "$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+
+  echo '  Setting permanent directory...'
+  xwiki_set_properties 'environment.permanentDirectory' '/usr/local/xwiki/data'
+  echo '  Configure libreoffice...'
+  xwiki_set_properties 'openoffice.autoStart' 'true'
+}
+
+# This if will check if the first argument is a flag but only works if all arguments require a hyphenated flag
+# -v; -SL; -f arg; etc will work, but not arg1 arg2
+if [ "${1:0:1}" = '-' ]; then
+    set -- xwiki "$@"
+fi
+
+# Check for the expected command
+if [ "$1" = 'xwiki' ]; then
+  if [[ ! -f /usr/local/xwiki/.first_start_completed ]]; then
+    first_start
+  fi
+  shift
+  set -- catalina.sh run "$@"
+fi
+
+# Else default to run whatever the user wanted like "bash"
+exec "$@"
diff --git a/xwiki_mysql-tomcat/xwiki/hibernate.cfg.xml b/xwiki_mysql-tomcat/xwiki/hibernate.cfg.xml
new file mode 100644
index 0000000..6411837
--- /dev/null
+++ b/xwiki_mysql-tomcat/xwiki/hibernate.cfg.xml
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+-->
+
+<!DOCTYPE hibernate-configuration PUBLIC
+  "-//Hibernate/Hibernate Configuration DTD//EN"
+  "http://www.hibernate.org/dtd/hibernate-configuration-3.0.dtd">
+<hibernate-configuration>
+  <session-factory>
+
+    <!-- Please refer to the installation guide on
+         http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Installation for configuring your
+         database. You'll need to do 2 things:
+         1) Copy your database driver JAR in WEB-INF/lib or in some shared lib directory
+         2) Uncomment the properties below for your specific DB (and comment the default
+            database configuration if it doesn't match your DB)
+    -->
+
+    <!-- Generic parameters common to all Databases -->
+
+    <property name="show_sql">false</property>
+    <property name="use_outer_join">true</property>
+
+    <!-- Without it, some queries fail in MS SQL. XWiki doesn't need scrollable result sets, anyway. -->
+    <property name="jdbc.use_scrollable_resultset">false</property>
+
+    <!-- DBCP Connection Pooling configuration. Only some properties are shown. All available properties can be found
+         at http://commons.apache.org/proper/commons-dbcp/configuration.html
+    -->
+    <property name="dbcp.defaultAutoCommit">false</property>
+    <property name="dbcp.maxTotal">50</property>
+    <property name="dbcp.maxIdle">5</property>
+    <property name="dbcp.maxWaitMillis">30000</property>
+    <property name="connection.provider_class">com.xpn.xwiki.store.DBCPConnectionProvider</property>
+
+    <!-- Setting "dbcp.poolPreparedStatements" to true and "dbcp.maxOpenPreparedStatements" will tell DBCP to cache
+         Prepared Statements (it's off by default). Note that for backward compatibility the "dbcp.ps.maxActive" is also
+         supported and when set it'll set "dbcp.poolPreparedStatements" to true and "dbcp.maxOpenPreparedStatements" to
+         value of "dbcp.ps.maxActive".
+
+         Note 1: When using HSQLDB for example, it's important to NOT cache prepared statements because HSQLDB
+         Prepared Statements (PS) contain the schema on which they were initially created and thus when switching
+         schema if the same PS is reused it'll execute on the wrong schema! Since HSQLDB does internally cache
+         prepared statement there's no performance loss by not caching Prepared Statements at the DBCP level.
+         See http://jira.xwiki.org/browse/XWIKI-1740.
+         Thus we recommend not turning on this configuration for HSQLDB unless you know what you're doing :)
+
+         Note 2: The same applies to PostGreSQL.
+    -->
+
+    <!-- BoneCP Connection Pooling configuration.
+    <property name="bonecp.idleMaxAgeInMinutes">240</property>
+    <property name="bonecp.idleConnectionTestPeriodInMinutes">60</property>
+    <property name="bonecp.partitionCount">3</property>
+    <property name="bonecp.acquireIncrement">10</property>
+    <property name="bonecp.maxConnectionsPerPartition">60</property>
+    <property name="bonecp.minConnectionsPerPartition">20</property>
+    <property name="bonecp.statementsCacheSize">50</property>
+    <property name="bonecp.releaseHelperThreads">3</property>
+    <property name="connection.provider_class">com.xpn.xwiki.store.DBCPConnectionProvider</property>
+    -->
+
+    <!-- MySQL configuration.
+         Uncomment if you want to use MySQL and comment out other database configurations.
+         Notes:
+           - if you want the main wiki database to be different than "xwiki"
+             you will also have to set the property xwiki.db in xwiki.cfg file
+    -->
+    <property name="connection.url">jdbc:mysql://db/${MYSQL_DATABASE:-xwiki}?useSSL=false</property>
+    <property name="connection.username">replacemysqluser</property>
+    <property name="connection.password">replacemysqlpassword</property>
+    <property name="connection.driver_class">com.mysql.jdbc.Driver</property>
+    <property name="dialect">org.hibernate.dialect.MySQL5InnoDBDialect</property>
+    <property name="dbcp.poolPreparedStatements">true</property>
+    <property name="dbcp.maxOpenPreparedStatements">20</property>
+    <mapping resource="xwiki.hbm.xml"/>
+    <mapping resource="feeds.hbm.xml"/>
+    <mapping resource="activitystream.hbm.xml"/>
+    <mapping resource="instance.hbm.xml"/>
+    <mapping resource="mailsender.hbm.xml"/>
+
+  </session-factory>
+</hibernate-configuration>

[yosifkit]

Build test of #2563; c6aa560 (xwiki):

$ bashbrew build xwiki:latest
Building bashbrew/cache:8a9aff5474a98d2da1302d6767156479286bc723ec7526a06e2fab766583c307 (xwiki:latest)
Tagging xwiki:latest
Tagging xwiki:mysql-tomcat

$ test/run.sh xwiki:latest
testing xwiki:latest
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build xwiki:8
Building bashbrew/cache:2b7fb42731386f09eeb91660f368e3bd164eb91fc8deeb64856339fca3f2b081 (xwiki:8)
Tagging xwiki:8
Tagging xwiki:8-mysql-tomcat

$ test/run.sh xwiki:8
testing xwiki:8
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed

[vmassol]

Thanks guys! :)