Merge pull request #445 from mq-cloudpak/tadj-go-update-lts

Update go version (LTS)
2023-05-25 14:56:26 +01:00 · 2023-05-25 14:30:08 +01:00 · 2023-05-25 10:40:49 +01:00 · 2023-05-24 17:45:14 +01:00 · 2023-05-18 09:32:09 +01:00 · 2023-05-17 15:26:53 +01:00
1166 changed files with 162250 additions and 182603 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,11 @@ vendor/github.com/prometheus/client_model/.classpath
 vendor/github.com/prometheus/client_model/.project
 vendor/github.com/prometheus/client_model/.settings*
 gosec_results.json
+internal/qmgrauth/qmgroam/patch
+.tagcache
+
+# Nix
+*.nix
+.envrc
+.direnv
+result
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2018, 2019
+# © Copyright IBM Corporation 2018, 2020
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,72 +12,85 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-dist: xenial
-
+dist: bionic
+group: beta
 sudo: required
 language: go

 go:
-  - "1.12"
+  - "1.19.9"

 services:
  - docker

-go_import_path: "github.com/ibm-messaging/mq-container"
-
-cache:	
-  directories:
-    - downloads
-
 env:
  global:
-    - RELEASE=""
+    - MAIN_BRANCH=v9.3.0.x
+    - TAGCACHE_FILE=tagcache
+    - RELEASE=r3
+
+go_import_path: "github.com/ibm-messaging/mq-container"
+
+# cache:
+#   directories:
+#     - downloads

 jobs:
  include:
-    - stage: build
-      name: "Basic build"
-      if: branch != private-master AND tag IS blank
+    - stage: basic-build
+      if: branch != v9.3.0.x AND tag IS blank
+      name: "Basic AMD64 build"
      os: linux
      env:
-        - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_914_ARCHIVE_REPOSITORY_DEV_AMD64
+        - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_930_ARCHIVE_REPOSITORY_DEV_AMD64
      script: bash -e travis-build-scripts/run.sh
-    - if: branch = private-master OR tag =~ ^pre-release*
+
+    # CD Build
+
+    - stage: global-tag
+      if: branch = v9.3.0.x AND type != pull_request OR tag =~ ^release-candidate*
+      name: "Generate Global Tag"
+      os: linux
+      script: bash -e travis-build-scripts/global-tag.sh
+    - stage: build
+      if: branch = v9.3.0.x OR tag =~ ^release-candidate*
      name: "Multi-Arch AMD64 build"
      os: linux
      env:
        - BUILD_ALL=true
-        - MQ_ARCHIVE_REPOSITORY=$MQ_914_ARCHIVE_REPOSITORY_AMD64
-        - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_914_ARCHIVE_REPOSITORY_DEV_AMD64
+        - MQ_ARCHIVE_REPOSITORY=$MQ_930_ARCHIVE_REPOSITORY_AMD64
+        - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_930_ARCHIVE_REPOSITORY_DEV_AMD64
      script: bash -e travis-build-scripts/run.sh
-    - if: branch = private-master OR tag =~ ^pre-release*
-      name: "Multi-Arch PPC64LE build"
-      os: linux-ppc64le
-      env:
-        - BUILD_ALL=true
-        - TEST_OPTS_DOCKER="-run TestGoldenPathWithMetrics"
-        - MQ_ARCHIVE_REPOSITORY=$MQ_914_ARCHIVE_REPOSITORY_PPC64LE
-        - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_914_ARCHIVE_REPOSITORY_DEV_PPC64LE
-      script: bash -e travis-build-scripts/run.sh
-    - if: branch = private-master OR tag =~ ^pre-release*
+    - stage: build
+      if: branch = v9.3.0.x OR tag =~ ^release-candidate*
      name: "Multi-Arch S390X build"
      os: linux-s390
      env:
        - BUILD_ALL=true
        - TEST_OPTS_DOCKER="-run TestGoldenPathWithMetrics"
-        - MQ_ARCHIVE_REPOSITORY=$MQ_914_ARCHIVE_REPOSITORY_S390X
-        - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_914_ARCHIVE_REPOSITORY_DEV_S390X
+        - MQ_ARCHIVE_REPOSITORY=$MQ_930_ARCHIVE_REPOSITORY_S390X
+        - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_930_ARCHIVE_REPOSITORY_DEV_S390X
+      script: bash -e travis-build-scripts/run.sh
+    - stage: build
+      if: branch = v9.3.0.x OR tag =~ ^release-candidate*
+      name: "Multi-Arch PPC64LE build"
+      os: linux-ppc64le
+      env:
+        - BUILD_ALL=true
+        - TEST_OPTS_DOCKER="-run TestGoldenPathWithMetrics"
+        - MQ_ARCHIVE_REPOSITORY=$MQ_930_ARCHIVE_REPOSITORY_PPC64LE
+        - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_930_ARCHIVE_REPOSITORY_DEV_PPC64LE
+      script: bash -e travis-build-scripts/run.sh
+    - stage: push-manifest
+      if: branch = v9.3.0.x AND type != pull_request OR tag =~ ^release-candidate*
+      name: "Push Manifest-list to registry"
+      env:
+        - PUSH_MANIFEST_ONLY=true
      script: bash -e travis-build-scripts/run.sh
-    - stage: deploy
-      name: "Pre-release deploy"
-      if: tag =~ ^pre-release*
-      script: bash -e travis-build-scripts/release.sh staging
-    - name: "Production release deploy"
-      if: tag =~ ^production-release*
-      script: bash -e travis-build-scripts/release.sh production

 before_install:
  - make install-build-deps
+  - make install-credential-helper

 install:
  - echo nothing
--- a/.whitesource
+++ b/.whitesource
@@ -0,0 +1,6 @@
+{
+  "settingsInheritedFrom": "whitesource-config/whitesource-config@master",
+  "scanSettings": {
+      "baseBranches": ["private-master", "v9.2.0.x-eus", "v9.2.5"]
+  }
+}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,11 +1,72 @@
 # Change log

+## 9.3.0.5-LTS (2023-04)
+
+* Updated to MQ version 9.3.0.5
+
+## 9.3.0.4-LTS (2023-02)
+
+* Updated to MQ version 9.3.0.4
+
+## 9.3.0.3-LTS (2023-01)
+
+* Updated to MQ version 9.3.0.3
+
+## 9.3.0.1-LTS (2022-09)
+
+* Updated to MQ version 9.3.0.1
+
+## 9.3.0.0 (2022-06)
+
+* Updated to MQ version 9.3.0.0
+* Use `registry.access.redhat.com` instead of `registry.redhat.io`, so that you don't need to login with a Red Hat account.
+* Updated default developer config to use TLS cipher `ANY_TLS12_OR_HIGHER` instead of `ANY_TLS12`
+* Added default `jvm.options` file fix issue with missing preferences file causing an error in the web server log.
+* Updated to allow building image from Podman on macOS (requires Podman 4.1)
+* Container builds are now faster
+* Updated signal handling to use a buffer, as recommended by the Go 1.17 vetting tool
+
+## 9.2.5.0 (2022-03)
+
+* Updated to MQ version 9.2.5.0
+
+## 9.2.4.0 (2021-11)
+
+* Updated to MQ version 9.2.4.0
+
+## 9.2.3.0 (2021-07-22)
+
+* Updated to MQ version 9.2.3.0
+
+## 9.2.2.0 (2021-03-26)
+
+* Updated to MQ version 9.2.2.0
+
+## 9.2.1.0 (2020-02-18)
+
+* Updated to MQ version 9.2.1.0
+
+
+## 9.2.0.1-LTS (2020-12-04)
+
+* Added support for MQ Long Term Support (production licensed only) in the mq-container
+
+## 9.2.0.0 (2020-07-23)
+
+* Updated to [MQ version 9.2.0.0](https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.pro.doc/q113110_.htm)
+* Use `-ic` arguments with `crtmqm` to process MQSC files in `/etc/mqm`. Replaces previous use of "runmqsc" commands
+
+## 9.1.5.0 (2020-04-02)
+
+* Updated to MQ version 9.1.5.0
+* Can now run as a random user, instead of the "mqm" user, which has now been removed. This adds compatability for the [Red Hat OpenShift restricted SCC](https://docs.openshift.com/container-platform/4.3/authentication/managing-security-context-constraints.html#security-context-constraints-about_configuring-internal-oauth). The default image UID is `1001`.
+
 ## 9.1.4.0 (2019-12-06)

 * Updated to MQ version 9.1.4.0
 * Updated to use UBI8 as base image
 * Added required security settings to self signed certificates to align with macOS Catalina requirements
-  
+
 ## 9.1.3.0 (2019-07-19)

 * Updated to MQ version 9.1.3.0
@@ -26,7 +87,7 @@
 * Security fixes
 * Web console added to production image
 * Container built on RedHat host
-  
+
 ## 9.1.2.0 (2019-03-21)

 * Updated to MQ version 9.1.2.0
--- a/201
+++ b/201
@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2015, 2019
+# © Copyright IBM Corporation 2015, 2022
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,143 +12,166 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-ARG BASE_IMAGE=registry.redhat.io/ubi8/ubi-minimal
-ARG BASE_TAG=8.1-279
+ARG BASE_IMAGE=registry.access.redhat.com/ubi8/ubi-minimal
+ARG BASE_TAG=8.8-860
+ARG BUILDER_IMAGE=registry.access.redhat.com/ubi8/go-toolset
+ARG BUILDER_TAG=1.19.9-2
+ARG GO_WORKDIR=/opt/app-root/src/go/src/github.com/ibm-messaging/mq-container
+ARG MQ_URL="https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/9.3.0.5-IBM-MQ-Advanced-for-Developers-Non-Install-LinuxX64.tar.gz"
 ###############################################################################
 # Build stage to build Go code
 ###############################################################################
-FROM registry.redhat.io/rhel8/go-toolset:1.12.8-11 as builder
-# FROM docker.io/centos/go-toolset-7-centos7 as builder
+FROM $BUILDER_IMAGE:$BUILDER_TAG as builder
 # The URL to download the MQ installer from in tar.gz format
-# This assumes an archive containing the MQ RPM install packages
-ARG MQ_URL="https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/mqadv_dev912_linux_x86-64.tar.gz"
+# This assumes an archive containing the MQ Non-Install packages
+ARG MQ_URL
 ARG IMAGE_REVISION="Not specified"
 ARG IMAGE_SOURCE="Not specified"
 ARG IMAGE_TAG="Not specified"
-ARG MQM_UID=888
+ARG GO_WORKDIR
 USER 0
-COPY install-mq.sh /usr/local/bin/
-RUN chmod a+x /usr/local/bin/install-mq.sh \
-  && sleep 1 \
-  && MQ_PACKAGES="MQSeriesRuntime-*.rpm MQSeriesSDK-*.rpm MQSeriesSamples*.rpm" install-mq.sh $MQM_UID
-WORKDIR /opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/
+WORKDIR /opt/mqm
+# Download and extract MQ files, to get the MQ client needed to compile.
+# Only extract certain MQ files to make the build quicker
+RUN curl --fail --location $MQ_URL | tar --extract --gunzip \
+  && chown -R 1001:root /opt/mqm/*
+WORKDIR $GO_WORKDIR/
+COPY go.mod go.sum ./
 COPY cmd/ ./cmd
 COPY internal/ ./internal
 COPY pkg/ ./pkg
 COPY vendor/ ./vendor
-ENV PATH="${PATH}:/opt/rh/go-toolset-1.11/root/usr/bin" \
-    CGO_CFLAGS="-I/opt/mqm/inc/" \
-    CGO_LDFLAGS_ALLOW="-Wl,-rpath.*"
-RUN go build -ldflags "-X \"main.ImageCreated=$(date --iso-8601=seconds)\" -X \"main.ImageRevision=$IMAGE_REVISION\" -X \"main.ImageSource=$IMAGE_SOURCE\" -X \"main.ImageTag=$IMAGE_TAG\"" ./cmd/runmqserver/
-RUN go build ./cmd/chkmqready/
-RUN go build ./cmd/chkmqhealthy/
-RUN go build ./cmd/runmqdevserver/
-RUN go test -v ./cmd/runmqdevserver/...
-RUN go test -v ./cmd/runmqserver/
-RUN go test -v ./cmd/chkmqready/
-RUN go test -v ./cmd/chkmqhealthy/
-RUN go test -v ./pkg/...
-RUN go test -v ./internal/...
-RUN go vet ./cmd/... ./internal/...
+ENV CGO_CFLAGS="-I/opt/mqm/inc/" \
+    CGO_LDFLAGS_ALLOW="-Wl,-rpath.*" \
+    PATH="${PATH}:/opt/mqm/bin"
+RUN go build -ldflags "-X \"main.ImageCreated=$(date --iso-8601=seconds)\" -X \"main.ImageRevision=$IMAGE_REVISION\" -X \"main.ImageSource=$IMAGE_SOURCE\" -X \"main.ImageTag=$IMAGE_TAG\"" ./cmd/runmqserver/ \
+  && go build ./cmd/chkmqready/ \
+  && go build ./cmd/chkmqhealthy/ \
+  && go build ./cmd/chkmqstarted/ \
+  && go build ./cmd/runmqdevserver/ \
+  && go test -v ./cmd/runmqdevserver/... \
+  && go test -v ./cmd/runmqserver/ \
+  && go test -v ./cmd/chkmqready/ \
+  && go test -v ./cmd/chkmqhealthy/ \
+  && go test -v ./cmd/chkmqstarted/ \
+  && go test -v ./pkg/... \
+  && go test -v ./internal/... \
+  && go vet ./cmd/... ./internal/...

 ###############################################################################
 # Main build stage, to build MQ image
 ###############################################################################
 FROM $BASE_IMAGE:$BASE_TAG AS mq-server
 # The MQ packages to install - see install-mq.sh for default value
-ARG MQ_URL="https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/mqadv_dev914_linux_x86-64.tar.gz"
-ARG MQ_PACKAGES="MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesWeb*.rpm MQSeriesAMS-*.rpm"
-#ARG MQ_PACKAGES="ibmmq-server ibmmq-java ibmmq-jre ibmmq-gskit ibmmq-msg-.* ibmmq-samples ibmmq-web ibmmq-ams"
-ARG MQM_UID=888
+ARG MQ_URL
 ARG BASE_IMAGE
 ARG BASE_TAG
-LABEL summary="IBM MQ Advanced Server"
-LABEL description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises"
-LABEL vendor="IBM"
-LABEL distribution-scope="private"
-LABEL authoritative-source-url="https://www.ibm.com/software/passportadvantage/"
-LABEL url="https://www.ibm.com/products/mq/advanced"
-LABEL io.openshift.tags="mq messaging"
-LABEL io.k8s.display-name="IBM MQ Advanced Server"
-LABEL io.k8s.description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises"
-LABEL base-image=$BASE_IMAGE
-LABEL base-image-release=$BASE_TAG
+ARG GO_WORKDIR
+LABEL summary="IBM MQ Advanced Server" \
+      description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
+      vendor="IBM" \
+      maintainer="IBM" \
+      distribution-scope="private" \
+      authoritative-source-url="https://www.ibm.com/software/passportadvantage/" \
+      url="https://www.ibm.com/products/mq/advanced" \
+      io.openshift.tags="mq messaging" \
+      io.k8s.display-name="IBM MQ Advanced Server" \
+      io.k8s.description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
+      base-image=$BASE_IMAGE \
+      base-image-release=$BASE_TAG
 COPY install-mq.sh /usr/local/bin/
 COPY install-mq-server-prereqs.sh /usr/local/bin/
 # Install MQ.  To avoid a "text file busy" error here, we sleep before installing.
-RUN env && chmod u+x /usr/local/bin/install-*.sh \
+RUN env \
+  && mkdir /opt/mqm \
+  && chmod u+x /usr/local/bin/install-*.sh \
  && sleep 1 \
-  && install-mq-server-prereqs.sh $MQM_UID \
-  && install-mq.sh $MQM_UID
-# Create a directory for runtime data from runmqserver
-RUN mkdir -p /run/runmqserver \
-  && chown mqm:mqm /run/runmqserver
-COPY --from=builder /opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/runmqserver /usr/local/bin/
-COPY --from=builder /opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/chkmq* /usr/local/bin/
+  && install-mq-server-prereqs.sh \
+  && install-mq.sh \
+  && /opt/mqm/bin/security/amqpamcf \
+  && chown -R 1001:root /opt/mqm/*
+COPY --from=builder $GO_WORKDIR/runmqserver /usr/local/bin/
+COPY --from=builder $GO_WORKDIR/chkmq* /usr/local/bin/
 COPY NOTICES.txt /opt/mqm/licenses/notices-container.txt
+COPY ha/native-ha.ini.tpl /etc/mqm/native-ha.ini.tpl
 # Copy web XML files
 COPY web /etc/mqm/web
 COPY etc/mqm/*.tpl /etc/mqm/
 RUN chmod ug+x /usr/local/bin/runmqserver \
-  && chown mqm:mqm /usr/local/bin/*mq* \
-  && chmod ug+xs /usr/local/bin/chkmq* \
-  && chown -R mqm:mqm /etc/mqm/* \
-  && install --directory --mode 0775 --owner mqm --group root /run/runmqserver \
+  && chown 1001:root /usr/local/bin/*mq* \
+  && chmod ug+x /usr/local/bin/chkmq* \
+  && chown -R 1001:root /etc/mqm/* \
+  && install --directory --mode 2775 --owner 1001 --group root /run/runmqserver \
  && touch /run/termination-log \
-  && chown mqm:root /run/termination-log \
-  && chmod 0660 /run/termination-log
+  && chown 1001:root /run/termination-log \
+  && chmod 0660 /run/termination-log \
+  && chmod -R g+w /etc/mqm/web
 # Always use port 1414 for MQ & 9157 for the metrics
 EXPOSE 1414 9157 9443
+ENV MQ_OVERRIDE_DATA_PATH=/mnt/mqm/data MQ_OVERRIDE_INSTALLATION_NAME=Installation1 MQ_USER_NAME="mqm" PATH="${PATH}:/opt/mqm/bin"
+ENV MQ_GRACE_PERIOD=30
 ENV LANG=en_US.UTF-8 AMQ_DIAGNOSTIC_MSG_SEVERITY=1 AMQ_ADDITIONAL_JSON_LOG=1 LOG_FORMAT=basic
-USER $MQM_UID
+# We can run as any UID
+USER 1001
+ENV MQ_CONNAUTH_USE_HTP=false
 ENTRYPOINT ["runmqserver"]

+###############################################################################
+# Build stage to build C code for custom authorization service (developer-only)
+###############################################################################
+# Use the Go toolset image, which already includes gcc and the MQ SDK
+FROM builder as cbuilder
+# The URL to download the MQ installer from in tar.gz format
+# This assumes an archive containing the MQ Non-Install packages
+ARG MQ_URL
+USER 0
+# Install the Apache Portable Runtime code (used for htpasswd hash checking)
+RUN yum --assumeyes --disableplugin=subscription-manager install apr-devel apr-util-openssl apr-util-devel
+COPY authservice/ /opt/app-root/src/authservice/
+WORKDIR /opt/app-root/src/authservice/mqhtpass
+RUN make all
+
 ###############################################################################
 # Add default developer config
 ###############################################################################
 FROM mq-server AS mq-dev-server
-ARG MQM_UID=888
 ARG BASE_IMAGE
 ARG BASE_TAG
-# Enable MQ developer default configuration
-ENV MQ_DEV=true
-# Default administrator password
-ENV MQ_ADMIN_PASSWORD=passw0rd
-LABEL summary="IBM MQ Advanced for Developers Server"
-LABEL description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises"
-LABEL vendor="IBM"
-LABEL distribution-scope="private"
-LABEL authoritative-source-url="https://www.ibm.com/software/passportadvantage/"
-LABEL url="https://www.ibm.com/products/mq/advanced"
-LABEL io.openshift.tags="mq messaging"
-LABEL io.k8s.display-name="IBM MQ Advanced for Developers Server"
-LABEL io.k8s.description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises"
-LABEL base-image=$BASE_IMAGE
-LABEL base-image-release=$BASE_TAG
+ARG GO_WORKDIR
+LABEL summary="IBM MQ Advanced for Developers Server" \
+      description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
+      vendor="IBM" \
+      distribution-scope="private" \
+      authoritative-source-url="https://www.ibm.com/software/passportadvantage/" \
+      url="https://www.ibm.com/products/mq/advanced" \
+      io.openshift.tags="mq messaging" \
+      io.k8s.display-name="IBM MQ Advanced for Developers Server" \
+      io.k8s.description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
+      base-image=$BASE_IMAGE \
+      base-image-release=$BASE_TAG
 USER 0
+COPY --from=cbuilder /opt/app-root/src/authservice/mqhtpass/build/mqhtpass.so /opt/mqm/lib64/
+COPY etc/mqm/*.ini /etc/mqm/
+COPY etc/mqm/mq.htpasswd /etc/mqm/
 COPY incubating/mqadvanced-server-dev/install-extra-packages.sh /usr/local/bin/
 RUN chmod u+x /usr/local/bin/install-extra-packages.sh \
  && sleep 1 \
  && install-extra-packages.sh
-# WARNING: This is what allows the mqm user to change the password of any other user
-# It's used by runmqdevserver to change the admin/app passwords.
-RUN echo "mqm    ALL = NOPASSWD: /usr/sbin/chpasswd" > /etc/sudoers.d/mq-dev-config
-## Add admin and app users, and set a default password for admin
-RUN useradd admin -G mqm \
-  && groupadd mqclient \
-  && useradd app -G mqclient \
-  && echo admin:$MQ_ADMIN_PASSWORD | chpasswd
-# Create a directory for runtime data from runmqserver
-RUN mkdir -p /run/runmqdevserver \
-  && chown mqm:mqm /run/runmqdevserver
-COPY --from=builder /opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/runmqdevserver /usr/local/bin/
+COPY --from=builder $GO_WORKDIR/runmqdevserver /usr/local/bin/
 # Copy template files
 COPY incubating/mqadvanced-server-dev/*.tpl /etc/mqm/
 # Copy web XML files for default developer configuration
 COPY incubating/mqadvanced-server-dev/web /etc/mqm/web
-RUN chown -R mqm:mqm /etc/mqm/* \
+RUN chown -R 1001:root /etc/mqm/* \
+  && chmod -R g+w /etc/mqm/web \
  && chmod +x /usr/local/bin/runmq* \
-  && install --directory --mode 0775 --owner mqm --group root /run/runmqdevserver
-ENV MQ_ENABLE_EMBEDDED_WEB_SERVER=1 MQ_GENERATE_CERTIFICATE_HOSTNAME=localhost
-USER $MQM_UID
+  && chmod 0660 /etc/mqm/mq.htpasswd \
+  && install --directory --mode 2775 --owner 1001 --group root /run/runmqdevserver
+ENV MQ_DEV=true \
+    MQ_ENABLE_EMBEDDED_WEB_SERVER=1 \
+    MQ_GENERATE_CERTIFICATE_HOSTNAME=localhost \
+    LD_LIBRARY_PATH=/opt/mqm/lib64 \
+    MQ_CONNAUTH_USE_HTP=true \
+    MQS_PERMIT_UNKNOWN_ID=true
+USER 1001
 ENTRYPOINT ["runmqdevserver"]
--- a/433
+++ b/433
@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2017, 2019
+# © Copyright IBM Corporation 2017, 2023
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,67 +16,72 @@
 # Conditional variables - you can override the values of these variables from
 # the command line
 ###############################################################################
+
+include config.env
+include source-branch.env
+
 # RELEASE shows what release of the container code has been built
 RELEASE ?=
-# MQ_VERSION is the fully qualified MQ version number to build
-MQ_VERSION ?= 9.1.4.0
 # MQ_ARCHIVE_REPOSITORY is a remote repository from which to pull the MQ_ARCHIVE (if required)
-MQ_ARCHIVE_REPOSITORY ?= 
+MQ_ARCHIVE_REPOSITORY ?=
 # MQ_ARCHIVE_REPOSITORY_DEV is a remote repository from which to pull the MQ_ARCHIVE_DEV (if required)
-MQ_ARCHIVE_REPOSITORY_DEV ?= 
+MQ_ARCHIVE_REPOSITORY_DEV ?=
 # MQ_ARCHIVE_REPOSITORY_USER is the user for the remote repository (if required)
-MQ_ARCHIVE_REPOSITORY_USER ?= 
+MQ_ARCHIVE_REPOSITORY_USER ?=
 # MQ_ARCHIVE_REPOSITORY_CREDENTIAL is the password/API key for the remote repository (if required)
-MQ_ARCHIVE_REPOSITORY_CREDENTIAL ?= 
+MQ_ARCHIVE_REPOSITORY_CREDENTIAL ?=
 # MQ_ARCHIVE is the name of the file, under the downloads directory, from which MQ Advanced can
-# be installed. The default value is derived from MQ_VERSION, BASE_IMAGE and architecture
-# Does not apply to MQ Advanced for Developers.
-MQ_ARCHIVE ?= IBM_MQ_$(MQ_VERSION_VRM)_$(MQ_ARCHIVE_TYPE)_$(MQ_ARCHIVE_ARCH).tar.gz
+# be installed. Does not apply to MQ Advanced for Developers
+MQ_ARCHIVE ?= IBM_MQ_$(MQ_VERSION_VRM)_$(MQ_ARCHIVE_TYPE)_$(MQ_ARCHIVE_ARCH)_NOINST.tar.gz
 # MQ_ARCHIVE_DEV is the name of the file, under the downloads directory, from which MQ Advanced
 # for Developers can be installed
-MQ_ARCHIVE_DEV ?= $(MQ_ARCHIVE_DEV_$(MQ_VERSION))
+MQ_ARCHIVE_DEV ?= $(MQ_VERSION)-IBM-MQ-Advanced-for-Developers-Non-Install-$(MQ_ARCHIVE_DEV_TYPE)$(MQ_ARCHIVE_DEV_ARCH).tar.gz
 # MQ_SDK_ARCHIVE specifies the archive to use for building the golang programs.  Defaults vary on developer or advanced.
 MQ_SDK_ARCHIVE ?= $(MQ_ARCHIVE_DEV_$(MQ_VERSION))
 # Options to `go test` for the Docker tests
 TEST_OPTS_DOCKER ?=
+# Timeout for the Docker tests
+TEST_TIMEOUT_DOCKER ?= 30m
 # MQ_IMAGE_ADVANCEDSERVER is the name of the built MQ Advanced image
-MQ_IMAGE_ADVANCEDSERVER ?=mqadvanced-server
+MQ_IMAGE_ADVANCEDSERVER ?=ibm-mqadvanced-server
 # MQ_IMAGE_DEVSERVER is the name of the built MQ Advanced for Developers image
-MQ_IMAGE_DEVSERVER ?=mqadvanced-server-dev
+MQ_IMAGE_DEVSERVER ?=ibm-mqadvanced-server-dev
+# MQ_MANIFEST_TAG is the tag to use for fat-manifest
+MQ_MANIFEST_TAG ?= $(MQ_VERSION)$(RELEASE_TAG)$(LTS_TAG)$(MQ_MANIFEST_TAG_SUFFIX)
 # MQ_TAG is the tag of the built MQ Advanced image & MQ Advanced for Developers image
-MQ_TAG ?=$(MQ_VERSION)-$(ARCH)
-# MQ_PACKAGES specifies the MQ packages (.deb or .rpm) to install.  Defaults vary on base image.
-MQ_PACKAGES ?=MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesWeb*.rpm MQSeriesAMS-*.rpm
-# MQM_UID is the UID to use for the "mqm" user
-MQM_UID ?= 888
+MQ_TAG ?= $(MQ_MANIFEST_TAG)-$(ARCH)
 # COMMAND is the container command to run.  "podman" or "docker"
 COMMAND ?=$(shell type -p podman 2>&1 >/dev/null && echo podman || echo docker)
 # MQ_DELIVERY_REGISTRY_HOSTNAME is a remote registry to push the MQ Image to (if required)
-MQ_DELIVERY_REGISTRY_HOSTNAME ?= 
+MQ_DELIVERY_REGISTRY_HOSTNAME ?=
 # MQ_DELIVERY_REGISTRY_NAMESPACE is the namespace/path on the delivery registry (if required)
-MQ_DELIVERY_REGISTRY_NAMESPACE ?= 
+MQ_DELIVERY_REGISTRY_NAMESPACE ?=
 # MQ_DELIVERY_REGISTRY_USER is the user for the remote registry (if required)
-MQ_DELIVERY_REGISTRY_USER ?= 
+MQ_DELIVERY_REGISTRY_USER ?=
 # MQ_DELIVERY_REGISTRY_CREDENTIAL is the password/API key for the remote registry (if required)
-MQ_DELIVERY_REGISTRY_CREDENTIAL ?= 
-# REGISTRY_USER is the username used to login to the Red Hat registry
-REGISTRY_USER ?=
-# REGISTRY_PASS is the password used to login to the Red Hat registry
-REGISTRY_PASS ?=
+MQ_DELIVERY_REGISTRY_CREDENTIAL ?=
 # ARCH is the platform architecture (e.g. amd64, ppc64le or s390x)
 ARCH ?= $(if $(findstring x86_64,$(shell uname -m)),amd64,$(shell uname -m))
+# LTS is a boolean value to enable/disable LTS container build
+LTS ?= false
+# VOLUME_MOUNT_OPTIONS is used when bind-mounting files from the "downloads" directory into the container.  By default, SELinux labels are automatically re-written, but this doesn't work on some filesystems with extended attributes (xattrs).  You can turn off the label re-writing by setting this variable to be blank.
+VOLUME_MOUNT_OPTIONS ?= :Z

 ###############################################################################
 # Other variables
 ###############################################################################
+# Lock Docker API version for compatibility with Podman and with the Docker version in Travis' Ubuntu Bionic
+DOCKER_API_VERSION=1.40
 GO_PKG_DIRS = ./cmd ./internal ./test
 MQ_ARCHIVE_TYPE=LINUX
-MQ_ARCHIVE_DEV_PLATFORM=linux
+MQ_ARCHIVE_DEV_TYPE=Linux
 # BUILD_SERVER_CONTAINER is the name of the web server container used at build time
 BUILD_SERVER_CONTAINER=build-server
+# BUILD_SERVER_NETWORK is the name of the network to use for the web server container used at build time
+BUILD_SERVER_NETWORK=build
 # NUM_CPU is the number of CPUs available to Docker.  Used to control how many
 # test run in parallel
-NUM_CPU = $(or $(shell docker info --format "{{ .NCPU }}"),2)
+NUM_CPU ?= $(or $(shell $(COMMAND) info --format "{{ .NCPU }}"),2)
 # BASE_IMAGE_TAG is a normalized version of BASE_IMAGE, suitable for use in a Docker tag
 BASE_IMAGE_TAG=$(lastword $(subst /, ,$(subst :,-,$(BASE_IMAGE))))
 #BASE_IMAGE_TAG=$(subst /,-,$(subst :,-,$(BASE_IMAGE)))
@@ -88,7 +93,7 @@ IMAGE_REVISION=$(shell git rev-parse HEAD)
 IMAGE_SOURCE=$(shell git config --get remote.origin.url)
 EMPTY:=
 SPACE:= $(EMPTY) $(EMPTY)
-# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field).  e.g. 9.1.4 instead of 9.1.4.0
+# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field).  e.g. 9.2.0 instead of 9.2.0.0
 MQ_VERSION_VRM=$(subst $(SPACE),.,$(wordlist 1,3,$(subst .,$(SPACE),$(MQ_VERSION))))

 ifneq (,$(findstring Microsoft,$(shell uname -r)))
@@ -102,44 +107,91 @@ endif
 # Try to figure out which archive to use from the architecture
 ifeq "$(ARCH)" "amd64"
 	MQ_ARCHIVE_ARCH=X86-64
-	MQ_DEV_ARCH=x86-64
+	MQ_ARCHIVE_DEV_ARCH=X64
 else ifeq "$(ARCH)" "ppc64le"
-	MQ_ARCHIVE_ARCH=LE_POWER
-	MQ_DEV_ARCH=ppcle
+	MQ_ARCHIVE_ARCH=PPC64LE
 else ifeq "$(ARCH)" "s390x"
-	MQ_ARCHIVE_ARCH=SYSTEM_Z
-	MQ_DEV_ARCH=s390x
+	MQ_ARCHIVE_ARCH=S390X
 endif
-# Archive names for IBM MQ Advanced for Developers
-MQ_ARCHIVE_DEV_9.1.0.0=mqadv_dev910_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
-MQ_ARCHIVE_DEV_9.1.1.0=mqadv_dev911_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
-MQ_ARCHIVE_DEV_9.1.2.0=mqadv_dev912_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
-MQ_ARCHIVE_DEV_9.1.3.0=mqadv_dev913_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
-MQ_ARCHIVE_DEV_9.1.4.0=mqadv_dev914_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz

-ifneq "$(RELEASE)" "$(EMPTY)"
-	MQ_IMAGE_FULL_RELEASE_NAME=ibm-mqadvanced-server:$(MQ_VERSION)-$(RELEASE)-$(ARCH)
-	MQ_IMAGE_DEV_FULL_RELEASE_NAME=ibm-mqadvanced-server-dev:$(MQ_VERSION)-$(RELEASE)-$(ARCH)
+# If this is a fake master build, push images to alternative location (pipeline wont consider these images GA candidates)
+ifeq ($(shell [ "$(TRAVIS)" = "true" ] && [ -n "$(MAIN_BRANCH)" ] && [ -n "$(SOURCE_BRANCH)" ] && [ "$(MAIN_BRANCH)" != "$(SOURCE_BRANCH)" ] && echo "true"), true)
+	MQ_DELIVERY_REGISTRY_NAMESPACE="master-fake"
+endif
+
+# LTS_TAG is the tag modifier for an LTS container build
+LTS_TAG=
+ifeq "$(LTS)" "true"
+ifneq "$(LTS_TAG_OVERRIDE)" "$(EMPTY)"
+	LTS_TAG=$(LTS_TAG_OVERRIDE)
 else
-	MQ_IMAGE_FULL_RELEASE_NAME=ibm-mqadvanced-server:$(MQ_VERSION)-$(ARCH)
-	MQ_IMAGE_DEV_FULL_RELEASE_NAME=ibm-mqadvanced-server-dev:$(MQ_VERSION)-$(ARCH)
+	LTS_TAG=-lts
+endif
+	MQ_ARCHIVE:=$(MQ_VERSION)-IBM-MQ-Advanced-Non-Install-Linux$(MQ_ARCHIVE_ARCH).tar.gz
+	MQ_DELIVERY_REGISTRY_NAMESPACE:=$(MQ_DELIVERY_REGISTRY_NAMESPACE)$(LTS_TAG)
+endif
+
+ifneq (,$(findstring release-candidate,$(TRAVIS_TAG)))
+    MQ_DELIVERY_REGISTRY_NAMESPACE=release-candidates
 endif

 ifneq "$(MQ_DELIVERY_REGISTRY_NAMESPACE)" "$(EMPTY)"
 	MQ_DELIVERY_REGISTRY_FULL_PATH=$(MQ_DELIVERY_REGISTRY_HOSTNAME)/$(MQ_DELIVERY_REGISTRY_NAMESPACE)
-else 
+else
 	MQ_DELIVERY_REGISTRY_FULL_PATH=$(MQ_DELIVERY_REGISTRY_HOSTNAME)
 endif

+# image tagging
+
 ifneq "$(RELEASE)" "$(EMPTY)"
-	MQ_IMAGE_ADVANCEDSERVER=ibm-mqadvanced-server
-	MQ_IMAGE_DEVSERVER=ibm-mqadvanced-server-dev
-	MQ_TAG=$(MQ_VERSION)-$(RELEASE)-$(ARCH)
-	EXTRA_LABELS=--label release=$(RELEASE)
+	EXTRA_LABELS_RELEASE=--label "release=$(RELEASE)"
+	RELEASE_TAG="-$(RELEASE)"
 endif
+
+ifneq "$(MQ_ARCHIVE_LEVEL)" "$(EMPTY)"
+	EXTRA_LABELS_LEVEL=--label "mq-build=$(MQ_ARCHIVE_LEVEL)"
+endif
+
+EXTRA_LABELS=$(EXTRA_LABELS_RELEASE) $(EXTRA_LABELS_LEVEL)
+
+ifeq "$(TIMESTAMPFLAT)" "$(EMPTY)"
+	TIMESTAMPFLAT=$(shell date "+%Y%m%d%H%M%S")
+endif
+
+ifeq "$(GIT_COMMIT)" "$(EMPTY)"
+	GIT_COMMIT=$(shell git rev-parse --short HEAD)
+endif
+
+ifeq ($(shell [ ! -z $(TRAVIS) ] && [ "$(TRAVIS_PULL_REQUEST)" = "false" ] && [ "$(TRAVIS_BRANCH)" = "$(MAIN_BRANCH)" ] && echo true), true)
+	MQ_MANIFEST_TAG_SUFFIX=.$(TIMESTAMPFLAT).$(GIT_COMMIT)
+endif
+
+PATH_TO_MQ_TAG_CACHE=$(TRAVIS_BUILD_DIR)/.tagcache
+ifneq "$(TRAVIS)" "$(EMPTY)"
+ifneq ("$(wildcard $(PATH_TO_MQ_TAG_CACHE))","")
+include $(PATH_TO_MQ_TAG_CACHE)
+endif
+endif
+
+MQ_AMD64_TAG=$(MQ_MANIFEST_TAG)-amd64
+MQ_S390X_TAG?=$(MQ_MANIFEST_TAG)-s390x
+MQ_PPC64LE_TAG?=$(MQ_MANIFEST_TAG)-ppc64le
+
+# end image tagging
+
 MQ_IMAGE_FULL_RELEASE_NAME=$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG)
 MQ_IMAGE_DEV_FULL_RELEASE_NAME=$(MQ_IMAGE_DEVSERVER):$(MQ_TAG)

+#setup variables for fat-manifests
+MQ_IMAGE_DEVSERVER_MANIFEST=$(MQ_IMAGE_DEVSERVER):$(MQ_MANIFEST_TAG)
+MQ_IMAGE_ADVANCEDSERVER_MANIFEST=$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_MANIFEST_TAG)
+MQ_IMAGE_DEVSERVER_AMD64=$(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_DEVSERVER):$(MQ_AMD64_TAG)
+MQ_IMAGE_DEVSERVER_S390X=$(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_DEVSERVER):$(MQ_S390X_TAG)
+MQ_IMAGE_DEVSERVER_PPC64LE=$(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_DEVSERVER):$(MQ_PPC64LE_TAG)
+MQ_IMAGE_ADVANCEDSERVER_AMD64=$(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_AMD64_TAG)
+MQ_IMAGE_ADVANCEDSERVER_S390X=$(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_S390X_TAG)
+MQ_IMAGE_ADVANCEDSERVER_PPC64LE=$(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_PPC64LE_TAG)
+
 ###############################################################################
 # Build targets
 ###############################################################################
@@ -156,6 +208,9 @@ test-all: build-devjmstest test-devserver test-advancedserver
 .PHONY: devserver
 devserver: build-devserver build-devjmstest test-devserver

+.PHONY: advancedserver
+advancedserver: build-advancedserver test-advancedserver
+
 # Build incubating components
 .PHONY: incubating
 incubating: build-explorer
@@ -163,36 +218,63 @@ incubating: build-explorer
 downloads/$(MQ_ARCHIVE_DEV):
 	$(info $(SPACER)$(shell printf $(TITLE)"Downloading IBM MQ Advanced for Developers "$(MQ_VERSION)$(END)))
 	mkdir -p downloads
-ifneq "$(MQ_ARCHIVE_REPOSITORY_DEV)" "$(EMPTY)"
-	curl -u $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) -X GET "$(MQ_ARCHIVE_REPOSITORY_DEV)" -o downloads/$(MQ_ARCHIVE_DEV)
+ifneq "$(BUILD_RSYNC_SERVER)" "$(EMPTY)"
+# Use key which is not stored in the repository to fetch the files from the fileserver
+	curl --fail --location $(BUILD_RSYNC_ENCRYPTED_KEY_URL) --output ./host.key.gpg
+	@echo $(BUILD_RSYNC_ENCRYPTION_PASSWORD)|gpg --batch --passphrase-fd 0 ./host.key.gpg
+	chmod 600 ./host.key
+	rsync -rv -e "ssh -o BatchMode=yes -q -o StrictHostKeyChecking=no -i ./host.key" --include="*/" --include="*.tar.gz" --exclude="*" $(BUILD_RSYNC_USER)@$(BUILD_RSYNC_SERVER):"$(BUILD_RSYNC_PATH)" downloads/$(MQ_ARCHIVE_DEV)
+	-@rm host.key.gpg host.key
 else
-	curl -L https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/$(MQ_ARCHIVE_DEV) -o downloads/$(MQ_ARCHIVE_DEV)
+ifneq "$(MQ_ARCHIVE_REPOSITORY_DEV)" "$(EMPTY)"
+	curl --fail --user $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) --request GET "$(MQ_ARCHIVE_REPOSITORY_DEV)" --output downloads/$(MQ_ARCHIVE_DEV)
+else
+	curl --fail --location https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/$(MQ_ARCHIVE_DEV) --output downloads/$(MQ_ARCHIVE_DEV)
+endif
 endif

 downloads/$(MQ_ARCHIVE):
 	$(info $(SPACER)$(shell printf $(TITLE)"Downloading IBM MQ Advanced "$(MQ_VERSION)$(END)))
 	mkdir -p downloads
+ifneq "$(BUILD_RSYNC_SERVER)" "$(EMPTY)"
+# Use key which is not stored in the repository to fetch the files from the fileserver
+	-@rm host.key.gpg host.key
+	curl --fail --location $(BUILD_RSYNC_ENCRYPTED_KEY_URL) --output ./host.key.gpg
+	@echo $(BUILD_RSYNC_ENCRYPTION_PASSWORD)|gpg --batch --passphrase-fd 0 ./host.key.gpg
+	chmod 600 ./host.key
+	rsync -rv -e "ssh -o BatchMode=yes -q -o StrictHostKeyChecking=no -i ./host.key" --include="*/" --include="*.tar.gz" --exclude="*" $(BUILD_RSYNC_USER)@$(BUILD_RSYNC_SERVER):"$(BUILD_RSYNC_PATH)" downloads/$(MQ_ARCHIVE)
+	-@rm host.key.gpg host.key
+else
 ifneq "$(MQ_ARCHIVE_REPOSITORY)" "$(EMPTY)"
-	curl -u $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) -X GET "$(MQ_ARCHIVE_REPOSITORY)" -o downloads/$(MQ_ARCHIVE)
+	curl --fail --user $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) --request GET "$(MQ_ARCHIVE_REPOSITORY)" --output downloads/$(MQ_ARCHIVE)
+endif
 endif

 .PHONY: downloads
 downloads: downloads/$(MQ_ARCHIVE_DEV) downloads/$(MQ_SDK_ARCHIVE)

+.PHONY: cache-mq-tag
+cache-mq-tag:
+	@printf "MQ_MANIFEST_TAG=$(MQ_MANIFEST_TAG)\n" | tee $(PATH_TO_MQ_TAG_CACHE)
+
+###############################################################################
+# Test targets
+###############################################################################
+
 # Vendor Go dependencies for the Docker tests
 test/docker/vendor:
-	cd test/docker && dep ensure -vendor-only
+	cd test/docker && go mod vendor

 # Shortcut to just run the unit tests
 .PHONY: test-unit
 test-unit:
-	docker build --target builder --file Dockerfile-server .
+	$(COMMAND) build --target builder --file Dockerfile-server .

 .PHONY: test-advancedserver
 test-advancedserver: test/docker/vendor
-	$(info $(SPACER)$(shell printf $(TITLE)"Test $(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG) on $(shell docker --version)"$(END)))
-	docker inspect $(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG)
-	cd test/docker && TEST_IMAGE=$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG) EXPECTED_LICENSE=Production go test -parallel $(NUM_CPU) $(TEST_OPTS_DOCKER)
+	$(info $(SPACER)$(shell printf $(TITLE)"Test $(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG) on $(shell $(COMMAND) --version)"$(END)))
+	$(COMMAND) inspect $(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG)
+	cd test/docker && TEST_IMAGE=$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG) EXPECTED_LICENSE=Production DOCKER_API_VERSION=$(DOCKER_API_VERSION) go test -parallel $(NUM_CPU) -timeout $(TEST_TIMEOUT_DOCKER) $(TEST_OPTS_DOCKER)

 .PHONY: build-devjmstest
 build-devjmstest:
@@ -201,9 +283,9 @@ build-devjmstest:

 .PHONY: test-devserver
 test-devserver: test/docker/vendor
-	$(info $(SPACER)$(shell printf $(TITLE)"Test $(MQ_IMAGE_DEVSERVER):$(MQ_TAG) on $(shell docker --version)"$(END)))
-	docker inspect $(MQ_IMAGE_DEVSERVER):$(MQ_TAG)
-	cd test/docker && TEST_IMAGE=$(MQ_IMAGE_DEVSERVER):$(MQ_TAG) EXPECTED_LICENSE=Developer DEV_JMS_IMAGE=$(DEV_JMS_IMAGE) IBMJRE=true go test -parallel $(NUM_CPU) -tags mqdev $(TEST_OPTS_DOCKER)
+	$(info $(SPACER)$(shell printf $(TITLE)"Test $(MQ_IMAGE_DEVSERVER):$(MQ_TAG) on $(shell $(COMMAND) --version)"$(END)))
+	$(COMMAND) inspect $(MQ_IMAGE_DEVSERVER):$(MQ_TAG)
+	cd test/docker && TEST_IMAGE=$(MQ_IMAGE_DEVSERVER):$(MQ_TAG) EXPECTED_LICENSE=Developer DEV_JMS_IMAGE=$(DEV_JMS_IMAGE) IBMJRE=true DOCKER_API_VERSION=$(DOCKER_API_VERSION) go test -parallel $(NUM_CPU) -timeout $(TEST_TIMEOUT_DOCKER) -tags mqdev $(TEST_OPTS_DOCKER)

 .PHONY: coverage
 coverage:
@@ -211,7 +293,7 @@ coverage:

 .PHONY: test-advancedserver-cover
 test-advancedserver-cover: test/docker/vendor coverage
-	$(info $(SPACER)$(shell printf $(TITLE)"Test $(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG) with code coverage on $(shell docker --version)"$(END)))
+	$(info $(SPACER)$(shell printf $(TITLE)"Test $(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG) with code coverage on $(shell $(COMMAND) --version)"$(END)))
 	rm -f ./coverage/unit*.cov
 	# Run unit tests with coverage, for each package under 'internal'
 	go list -f '{{.Name}}' ./internal/... | xargs -I {} go test -cover -covermode count -coverprofile ./coverage/unit-{}.cov ./internal/{}
@@ -223,7 +305,7 @@ test-advancedserver-cover: test/docker/vendor coverage
 	rm -f ./test/docker/coverage/*.cov
 	rm -f ./coverage/docker.*
 	mkdir -p ./test/docker/coverage/
-	cd test/docker && TEST_IMAGE=$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG)-cover TEST_COVER=true go test $(TEST_OPTS_DOCKER)
+	cd test/docker && TEST_IMAGE=$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG)-cover TEST_COVER=true DOCKER_API_VERSION=$(DOCKER_API_VERSION) go test $(TEST_OPTS_DOCKER)
 	echo 'mode: count' > ./coverage/docker.cov
 	tail -q -n +2 ./test/docker/coverage/*.cov >> ./coverage/docker.cov
 	go tool cover -html=./coverage/docker.cov -o ./coverage/docker.html
@@ -232,55 +314,99 @@ test-advancedserver-cover: test/docker/vendor coverage
 	tail -q -n +2 ./coverage/unit.cov ./coverage/docker.cov  >> ./coverage/combined.cov
 	go tool cover -html=./coverage/combined.cov -o ./coverage/combined.html

-# Build an MQ image.  The commands used are slightly different between Docker and Podman
-define build-mq
-	$(if $(findstring docker,$(COMMAND)), @docker network create build,)
-	$(if $(findstring docker,$(COMMAND)), @docker run --rm --name $(BUILD_SERVER_CONTAINER) --network build --network-alias build --volume $(DOWNLOADS_DIR):/usr/share/nginx/html:ro --detach docker.io/nginx:alpine,)
-	$(eval EXTRA_ARGS=$(if $(findstring docker,$(COMMAND)), --network build --build-arg MQ_URL=http://build:80/$4, --volume $(DOWNLOADS_DIR):/var/downloads --build-arg MQ_URL=file:///var/downloads/$4))
-	# Build the new image
+###############################################################################
+# Build functions
+###############################################################################
+
+# Command to build the image
+# Args: imageName, imageTag, dockerfile, extraArgs, dockerfileTarget
+define build-mq-command
 	$(COMMAND) build \
 	  --tag $1:$2 \
 	  --file $3 \
-		$(EXTRA_ARGS) \
-	  --build-arg MQ_PACKAGES="$(MQ_PACKAGES)" \
+	  $4 \
 	  --build-arg IMAGE_REVISION="$(IMAGE_REVISION)" \
 	  --build-arg IMAGE_SOURCE="$(IMAGE_SOURCE)" \
 	  --build-arg IMAGE_TAG="$1:$2" \
-	  --build-arg MQM_UID=$(MQM_UID) \
 	  --label version=$(MQ_VERSION) \
 	  --label name=$1 \
 	  --label build-date=$(shell date +%Y-%m-%dT%H:%M:%S%z) \
 	  --label architecture="$(ARCH)" \
-	  --label run="docker run -d -e LICENSE=accept $1:$2" \
+	  --label run="podman run -d -e LICENSE=accept $1:$2" \
 	  --label vcs-ref=$(IMAGE_REVISION) \
 	  --label vcs-type=git \
 	  --label vcs-url=$(IMAGE_SOURCE) \
 	  $(EXTRA_LABELS) \
 	  --target $5 \
 	  .
-	$(if $(findstring docker,$(COMMAND)), @docker kill $(BUILD_SERVER_CONTAINER))
-	$(if $(findstring docker,$(COMMAND)), @docker network rm build)
 endef

-DOCKER_SERVER_VERSION=$(shell docker version --format "{{ .Server.Version }}")
-DOCKER_CLIENT_VERSION=$(shell docker version --format "{{ .Client.Version }}")
-PODMAN_VERSION=$(shell podman version --format "{{ .Version }}")
-.PHONY: command-version
-command-version:
-# If we're using Docker, then check it's recent enough to support multi-stage builds
-ifneq (,$(findstring docker,$(COMMAND)))
-	@test "$(word 1,$(subst ., ,$(DOCKER_CLIENT_VERSION)))" -ge "17" || ("$(word 1,$(subst ., ,$(DOCKER_CLIENT_VERSION)))" -eq "17" && "$(word 2,$(subst ., ,$(DOCKER_CLIENT_VERSION)))" -ge "05") || (echo "Error: Docker client 17.05 or greater is required" && exit 1)
-	@test "$(word 1,$(subst ., ,$(DOCKER_SERVER_VERSION)))" -ge "17" || ("$(word 1,$(subst ., ,$(DOCKER_SERVER_VERSION)))" -eq "17" && "$(word 2,$(subst ., ,$(DOCKER_CLIENT_VERSION)))" -ge "05") || (echo "Error: Docker server 17.05 or greater is required" && exit 1)
-endif
-ifneq (,$(findstring podman,$(COMMAND)))
-	@test "$(word 1,$(subst ., ,$(PODMAN_VERSION)))" -ge "1" || (echo "Error: Podman version 1.0 or greater is required" && exit 1)
+# Build using a separate container to host the MQ download files.
+# To minimize the layers in the resulting image, the download files can't be part of the build context.
+# The "docker build" command (and "podman build" on macOS) don't allow you to mount a directory into the build, so a
+# separate container is used to host a web server.
+# Note that for Podman, this means that you need to be using the "rootful" mode, because the rootless mode doesn't allow
+# much control of networking, so the containers can't talk to each other.
+define build-mq-using-web-server
+	$(COMMAND) network create $(BUILD_SERVER_NETWORK)
+	$(COMMAND) run \
+	  --rm \
+	  --name $(BUILD_SERVER_CONTAINER) \
+	  --network $(BUILD_SERVER_NETWORK) \
+	  --volume $(DOWNLOADS_DIR):/opt/app-root/src$(VOLUME_MOUNT_OPTIONS) \
+	  --detach \
+	  registry.access.redhat.com/ubi8/nginx-120 nginx -g "daemon off;" || ($(COMMAND) network rm $(BUILD_SERVER_NETWORK) && exit 1)
+	BUILD_SERVER_IP=$$($(COMMAND) inspect -f '{{ .NetworkSettings.Networks.$(BUILD_SERVER_NETWORK).IPAddress }}' $(BUILD_SERVER_CONTAINER)); \
+	DOCKER_BUILDKIT=0 $(call build-mq-command,$1,$2,$3,--network build --build-arg MQ_URL=http://$$BUILD_SERVER_IP:8080/$4,$5) || ($(COMMAND) rm -f $(BUILD_SERVER_CONTAINER) && $(COMMAND) network rm $(BUILD_SERVER_NETWORK) && exit 1)
+	$(COMMAND) rm -f $(BUILD_SERVER_CONTAINER)
+	$(COMMAND) network rm $(BUILD_SERVER_NETWORK)
+endef
+
+# When building with Docker, always use the web server build because you can't use bind-mounted volumes.
+# Args: imageName, imageTag, dockerfile, mqArchive, dockerfileTarget
+define build-mq-docker
+	$(call build-mq-using-web-server,$1,$2,$3,$4,$5)
+endef
+
+# Make sure we don't use VOLUME_MOUNT_OPTIONS for Podman on macOS
+ifeq "$(COMMAND)" "podman"
+	ifeq "$(shell uname -s)" "Darwin"
+		VOLUME_MOUNT_OPTIONS:=
+	endif
 endif

+# When building with Podman on macOS (Darwin), use the web server build because you can't use bind-mounted volumes with `podman build` on macOS
+# Args: imageName, imageTag, dockerfile, mqArchive, dockerfileTarget
+define build-mq-podman-Darwin
+	$(call build-mq-using-web-server,$1,$2,$3,$4,$5)
+endef
+
+# When building with Podman on Linux, just pass the downloads directory as a volume
+# Args: imageName, imageTag, dockerfile, mqArchive, dockerfileTarget
+define build-mq-podman-Linux
+	$(call build-mq-command,$1,$2,$3,--volume $(DOWNLOADS_DIR):/var/downloads$(VOLUME_MOUNT_OPTIONS) --build-arg MQ_URL=file:///var/downloads/$4,$5)
+endef
+
+# When building with Podman, just pass the downloads directory as a volume
+# Args: imageName, imageTag, dockerfile, mqArchive, dockerfileTarget
+define build-mq-podman
+	$(call build-mq-podman-$(shell uname -s),$1,$2,$3,$4,$5)
+endef
+
+# Build an MQ image.  The commands used are slightly different between Docker and Podman
+# Args: imageName, imageTag, dockerfile, mqArchive, dockerfileTarget
+define build-mq
+	$(call build-mq-$(COMMAND),$1,$2,$3,$4,$5)
+endef
+
+###############################################################################
+# Build targets
+###############################################################################
 .PHONY: build-advancedserver-host
 build-advancedserver-host: build-advancedserver

 .PHONY: build-advancedserver
-build-advancedserver: registry-login log-build-env downloads/$(MQ_ARCHIVE) command-version
+build-advancedserver: log-build-env downloads/$(MQ_ARCHIVE) command-version
 	$(info $(SPACER)$(shell printf $(TITLE)"Build $(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG)"$(END)))
 	$(call build-mq,$(MQ_IMAGE_ADVANCEDSERVER),$(MQ_TAG),Dockerfile-server,$(MQ_ARCHIVE),mq-server)

@@ -288,29 +414,26 @@ build-advancedserver: registry-login log-build-env downloads/$(MQ_ARCHIVE) comma
 build-devserver-host: build-devserver

 .PHONY: build-devserver
-build-devserver: registry-login log-build-env downloads/$(MQ_ARCHIVE_DEV) command-version 
+build-devserver: log-build-env downloads/$(MQ_ARCHIVE_DEV) command-version
 	$(info $(shell printf $(TITLE)"Build $(MQ_IMAGE_DEVSERVER):$(MQ_TAG)"$(END)))
 	$(call build-mq,$(MQ_IMAGE_DEVSERVER),$(MQ_TAG),Dockerfile-server,$(MQ_ARCHIVE_DEV),mq-dev-server)

 .PHONY: build-advancedserver-cover
-build-advancedserver-cover: registry-login command-version
+build-advancedserver-cover: command-version
 	$(COMMAND) build --build-arg BASE_IMAGE=$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG) -t $(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG)-cover -f Dockerfile-server.cover .

 .PHONY: build-explorer
-build-explorer: registry-login downloads/$(MQ_ARCHIVE_DEV)
+build-explorer: downloads/$(MQ_ARCHIVE_DEV)
 	$(call build-mq,mq-explorer,latest-$(ARCH),incubating/mq-explorer/Dockerfile,$(MQ_ARCHIVE_DEV),mq-explorer)

 .PHONY: build-sdk
-build-sdk: registry-login downloads/$(MQ_ARCHIVE_DEV)
+build-sdk: downloads/$(MQ_ARCHIVE_DEV)
 	$(info $(shell printf $(TITLE)"Build $(MQ_IMAGE_SDK)"$(END)))
 	$(call build-mq,mq-sdk,$(MQ_TAG),incubating/mq-sdk/Dockerfile,$(MQ_SDK_ARCHIVE),mq-sdk)

-.PHONY: registry-login
-registry-login:
-ifneq ($(REGISTRY_USER),)
-	$(COMMAND) login -u $(REGISTRY_USER) -p $(REGISTRY_PASS) registry.redhat.io
-endif
-
+###############################################################################
+# Logging targets
+###############################################################################
 .PHONY: log-build-env
 log-build-vars:
 	$(info $(SPACER)$(shell printf $(TITLE)"Build environment"$(END)))
@@ -321,8 +444,6 @@ log-build-vars:
 	@echo MQ_IMAGE_DEVSERVER=$(MQ_IMAGE_DEVSERVER)
 	@echo MQ_IMAGE_ADVANCEDSERVER=$(MQ_IMAGE_ADVANCEDSERVER)
 	@echo COMMAND=$(COMMAND)
-	@echo MQM_UID=$(MQM_UID)
-	@echo REGISTRY_USER=$(REGISTRY_USER)

 .PHONY: log-build-env
 log-build-env: log-build-vars
@@ -332,16 +453,22 @@ log-build-env: log-build-vars

 include formatting.mk

+###############################################################################
+# Push/pull targets
+###############################################################################
 .PHONY: pull-mq-archive
 pull-mq-archive:
-	curl -u $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) -X GET "$(MQ_ARCHIVE_REPOSITORY)" -o downloads/$(MQ_ARCHIVE)
+	curl --fail --user $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) --request GET "$(MQ_ARCHIVE_REPOSITORY)" --output downloads/$(MQ_ARCHIVE)

 .PHONY: pull-mq-archive-dev
 pull-mq-archive-dev:
-	curl -u $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) -X GET "$(MQ_ARCHIVE_REPOSITORY_DEV)" -o downloads/$(MQ_ARCHIVE_DEV)
+	curl --fail --user $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) --request GET "$(MQ_ARCHIVE_REPOSITORY_DEV)" --output downloads/$(MQ_ARCHIVE_DEV)

 .PHONY: push-advancedserver
 push-advancedserver:
+	@if [ $(MQ_DELIVERY_REGISTRY_NAMESPACE) = "master-fake" ]; then\
+		echo "Detected fake master build. Note that the push destination is set to the fake master namespace: $(MQ_DELIVERY_REGISTRY_FULL_PATH)";\
+	fi
 	$(info $(SPACER)$(shell printf $(TITLE)"Push production image to $(MQ_DELIVERY_REGISTRY_FULL_PATH)"$(END)))
 	$(COMMAND) login $(MQ_DELIVERY_REGISTRY_HOSTNAME) -u $(MQ_DELIVERY_REGISTRY_USER) -p $(MQ_DELIVERY_REGISTRY_CREDENTIAL)
 	$(COMMAND) tag $(MQ_IMAGE_ADVANCEDSERVER)\:$(MQ_TAG) $(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_FULL_RELEASE_NAME)
@@ -349,6 +476,9 @@ push-advancedserver:

 .PHONY: push-devserver
 push-devserver:
+	@if [ $(MQ_DELIVERY_REGISTRY_NAMESPACE) = "master-fake" ]; then\
+		echo "Detected fake master build. Note that the push destination is set to the fake master namespace: $(MQ_DELIVERY_REGISTRY_FULL_PATH)";\
+	fi
 	$(info $(SPACER)$(shell printf $(TITLE)"Push developer image to $(MQ_DELIVERY_REGISTRY_FULL_PATH)"$(END)))
 	$(COMMAND) login $(MQ_DELIVERY_REGISTRY_HOSTNAME) -u $(MQ_DELIVERY_REGISTRY_USER) -p $(MQ_DELIVERY_REGISTRY_CREDENTIAL)
 	$(COMMAND) tag $(MQ_IMAGE_DEVSERVER)\:$(MQ_TAG) $(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_DEV_FULL_RELEASE_NAME)
@@ -368,6 +498,38 @@ pull-devserver:
 	$(COMMAND) pull $(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_DEV_FULL_RELEASE_NAME)
 	$(COMMAND) tag $(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_DEV_FULL_RELEASE_NAME) $(MQ_IMAGE_DEVSERVER)\:$(MQ_TAG)

+.PHONY: push-manifest
+push-manifest: build-skopeo-container
+	$(info $(SPACER)$(shell printf $(TITLE)"** Determining the image digests **"$(END)))
+ifneq "$(LTS)" "true"
+	$(eval MQ_IMAGE_DEVSERVER_AMD64_DIGEST=$(shell $(COMMAND) run skopeo:latest --override-os linux inspect --creds $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) docker://$(MQ_IMAGE_DEVSERVER_AMD64) | jq -r .Digest))
+	$(eval MQ_IMAGE_DEVSERVER_S390X_DIGEST=$(shell $(COMMAND) run skopeo:latest --override-os linux inspect --creds $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) docker://$(MQ_IMAGE_DEVSERVER_S390X) | jq -r .Digest))
+	$(eval MQ_IMAGE_DEVSERVER_PPC64LE_DIGEST=$(shell $(COMMAND) run skopeo:latest --override-os linux inspect --creds $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) docker://$(MQ_IMAGE_DEVSERVER_PPC64LE) | jq -r .Digest))
+	$(info $(shell printf "** Determined the built $(MQ_IMAGE_DEVSERVER_AMD64) has a digest of $(MQ_IMAGE_DEVSERVER_AMD64_DIGEST)**"$(END)))
+	$(info $(shell printf "** Determined the built $(MQ_IMAGE_DEVSERVER_S390X) has a digest of $(MQ_IMAGE_DEVSERVER_S390X_DIGEST)**"$(END)))
+	$(info $(shell printf "** Determined the built $(MQ_IMAGE_DEVSERVER_PPC64LE) has a digest of $(MQ_IMAGE_DEVSERVER_PPC64LE_DIGEST)**"$(END)))
+endif
+	$(eval MQ_IMAGE_ADVANCEDSERVER_AMD64_DIGEST=$(shell $(COMMAND) run skopeo:latest --override-os linux inspect --creds $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) docker://$(MQ_IMAGE_ADVANCEDSERVER_AMD64) | jq -r .Digest))
+	$(eval MQ_IMAGE_ADVANCEDSERVER_S390X_DIGEST=$(shell $(COMMAND) run skopeo:latest --override-os linux inspect --creds $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) docker://$(MQ_IMAGE_ADVANCEDSERVER_S390X) | jq -r .Digest))
+	$(eval MQ_IMAGE_ADVANCEDSERVER_PPC64LE_DIGEST=$(shell $(COMMAND) run skopeo:latest --override-os linux inspect --creds $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) docker://$(MQ_IMAGE_ADVANCEDSERVER_PPC64LE) | jq -r .Digest))
+	$(info $(shell printf "** Determined the built $(MQ_IMAGE_ADVANCEDSERVER_AMD64) has a digest of $(MQ_IMAGE_ADVANCEDSERVER_AMD64_DIGEST)**"$(END)))
+	$(info $(shell printf "** Determined the built $(MQ_IMAGE_ADVANCEDSERVER_S390X) has a digest of $(MQ_IMAGE_ADVANCEDSERVER_S390X_DIGEST)**"$(END)))
+	$(info $(shell printf "** Determined the built $(MQ_IMAGE_ADVANCEDSERVER_PPC64LE) has a digest of $(MQ_IMAGE_ADVANCEDSERVER_PPC64LE_DIGEST)**"$(END)))
+ifneq "$(LTS)" "true"
+	$(info $(shell printf "** Calling script to create fat-manifest for $(MQ_IMAGE_DEVSERVER_MANIFEST)**"$(END)))
+	echo $(shell ./travis-build-scripts/create-manifest-list.sh -r $(MQ_DELIVERY_REGISTRY_HOSTNAME) -n $(MQ_DELIVERY_REGISTRY_NAMESPACE) -i $(MQ_IMAGE_DEVSERVER) -t $(MQ_MANIFEST_TAG) -u $(MQ_ARCHIVE_REPOSITORY_USER) -p $(MQ_ARCHIVE_REPOSITORY_CREDENTIAL)  -d "$(MQ_IMAGE_DEVSERVER_AMD64_DIGEST) $(MQ_IMAGE_DEVSERVER_S390X_DIGEST) $(MQ_IMAGE_DEVSERVER_PPC64LE_DIGEST)" $(END))
+endif
+	$(info $(shell printf "** Calling script to create fat-manifest for $(MQ_IMAGE_ADVANCEDSERVER_MANIFEST)**"$(END)))
+	echo $(shell ./travis-build-scripts/create-manifest-list.sh -r $(MQ_DELIVERY_REGISTRY_HOSTNAME) -n $(MQ_DELIVERY_REGISTRY_NAMESPACE) -i $(MQ_IMAGE_ADVANCEDSERVER) -t $(MQ_MANIFEST_TAG) -u $(MQ_ARCHIVE_REPOSITORY_USER) -p $(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) -d "$(MQ_IMAGE_ADVANCEDSERVER_AMD64_DIGEST) $(MQ_IMAGE_ADVANCEDSERVER_S390X_DIGEST) $(MQ_IMAGE_ADVANCEDSERVER_PPC64LE_DIGEST)" $(END))
+
+.PHONY: build-skopeo-container
+build-skopeo-container:
+	$(COMMAND) images | grep -q "skopeo"; if [ $$? != 0 ]; then $(COMMAND) build -t skopeo:latest ./docker-builds/skopeo/; fi
+
+###############################################################################
+# Other targets
+###############################################################################
+
 .PHONY: clean
 clean:
 	rm -rf ./coverage
@@ -378,6 +540,12 @@ clean:
 install-build-deps:
 	ARCH=$(ARCH) ./install-build-deps.sh

+.PHONY: install-credential-helper
+install-credential-helper:
+ifeq ($(ARCH),amd64)
+	ARCH=$(ARCH) ./travis-build-scripts/install-credential-helper.sh
+endif
+
 .PHONY: build-cov
 build-cov:
 	mkdir -p build
@@ -397,29 +565,42 @@ lint: $(addsuffix /$(wildcard *.go), $(GO_PKG_DIRS))
 	golint -set_exit_status $(sort $(dir $(wildcard $(addsuffix /*/*.go, $(GO_PKG_DIRS)))))

 .PHONY: gosec
-gosec: $(info $(SPACER)$(shell printf "Running gosec test"$(END)))
-	@gosec -fmt=json -out=gosec_results.json cmd/... internal/... 2> /dev/null ;\
-	cat "gosec_results.json" ;\
-	cat gosec_results.json | grep HIGH | grep severity > /dev/null ;\
-	if [ $$? -eq 0 ]; then \
-		printf "\nFAILURE: gosec found files containing HIGH severity issues - see results.json\n" ;\
+gosec:
+	$(info $(SPACER)$(shell printf "Running gosec test"$(END)))
+	@gosecrc=0; gosec -fmt=json -out=gosec_results.json cmd/... internal/... 2> /dev/null || gosecrc=$$?; \
+	cat gosec_results.json | jq '{"GolangErrors": (.["Golang errors"]|length>0),"Issues":(.Issues|length>0)}' | grep 'true' >/dev/null ;\
+	if [ $$? -eq 0 ] || [ $$gosecrc -ne 0 ]; then \
+		printf "FAILURE: Issues found running gosec - see gosec_results.json\n" ;\
+		cat "gosec_results.json" ;\
 		exit 1 ;\
 	else \
-		printf "\ngosec found no HIGH severity issues\n" ;\
-	fi ;\
-	cat gosec_results.json | grep MEDIUM | grep severity > /dev/null ;\
-	if [ $$? -eq 0 ]; then \
-		printf "\nFAILURE: gosec found files containing MEDIUM severity issues - see results.json\n" ;\
-		exit 1 ;\
-	else \
-		printf "\ngosec found no MEDIUM severity issues\n" ;\
-	fi ;\
-	cat gosec_results.json | grep LOW | grep severity > /dev/null;\
-	if [ $$? -eq 0 ]; then \
-		printf "\nFAILURE: gosec found files containing LOW severity issues - see results.json\n" ;\
-		exit 1;\
-	else \
-		printf "\ngosec found no LOW severity issues\n" ;\
-fi ;\
+		printf "gosec found no issues\n" ;\
+		cat "gosec_results.json" ;\
+	fi

-include formatting.mk
+.PHONY: update-release-information
+update-release-information:
+	sed -i.bak 's/ARG MQ_URL=.*-LinuxX64.tar.gz"/ARG MQ_URL="https:\/\/public.dhe.ibm.com\/ibmdl\/export\/pub\/software\/websphere\/messaging\/mqadv\/$(MQ_VERSION)-IBM-MQ-Advanced-for-Developers-Non-Install-LinuxX64.tar.gz"/g' Dockerfile-server && rm Dockerfile-server.bak
+	$(eval MQ_VERSION_1=$(shell echo '${MQ_VERSION}' | rev | cut -c 3- | rev))
+	sed -i.bak 's/IBM_MQ_.*_LINUX_X86-64_NOINST.tar.gz/IBM_MQ_${MQ_VERSION_1}_LINUX_X86-64_NOINST.tar.gz/g' docs/building.md && rm docs/building.md.bak
+	sed -i.bak 's/ibm-mqadvanced-server:.*-amd64/ibm-mqadvanced-server:$(MQ_VERSION)-amd64/g' docs/security.md
+	sed -i.bak 's/ibm-mqadvanced-server-dev.*-amd64/ibm-mqadvanced-server-dev:$(MQ_VERSION)-amd64/g' docs/security.md && rm docs/security.md.bak
+	sed -i.bak 's/MQ_IMAGE_ADVANCEDSERVER=ibm-mqadvanced-server:.*-amd64/MQ_IMAGE_ADVANCEDSERVER=ibm-mqadvanced-server:$(MQ_VERSION)-amd64/g' docs/testing.md && rm docs/testing.md.bak
+	$(eval MQ_VERSION_2=$(shell echo '${MQ_VERSION_1}' | rev | cut -c 3- | rev))
+	sed -i.bak 's/knowledgecenter\/SSFKSJ_.*\/com/knowledgecenter\/SSFKSJ_${MQ_VERSION_2}.0\/com/g' docs/usage.md && rm docs/usage.md.bak
+	$(eval MQ_VERSION_3=$(shell echo '${MQ_VERSION_1}' | sed "s/\.//g"))
+	sed -i.bak 's/MQ_..._ARCHIVE_REPOSITORY/MQ_${MQ_VERSION_3}_ARCHIVE_REPOSITORY/g' .travis.yml && rm .travis.yml.bak
+
+COMMAND_SERVER_VERSION=$(shell $(COMMAND) version --format "{{ .Server.Version }}")
+COMMAND_CLIENT_VERSION=$(shell $(COMMAND) version --format "{{ .Client.Version }}")
+PODMAN_VERSION=$(shell podman version --format "{{ .Version }}")
+.PHONY: command-version
+command-version:
+# If we're using Docker, then check it's recent enough to support multi-stage builds
+ifneq (,$(findstring docker,$(COMMAND)))
+	@test "$(word 1,$(subst ., ,$(COMMAND_CLIENT_VERSION)))" -ge "17" || ("$(word 1,$(subst ., ,$(COMMAND_CLIENT_VERSION)))" -eq "17" && "$(word 2,$(subst ., ,$(COMMAND_CLIENT_VERSION)))" -ge "05") || (echo "Error: Docker client 17.05 or greater is required" && exit 1)
+	@test "$(word 1,$(subst ., ,$(COMMAND_SERVER_VERSION)))" -ge "17" || ("$(word 1,$(subst ., ,$(COMMAND_SERVER_VERSION)))" -eq "17" && "$(word 2,$(subst ., ,$(COMMAND_CLIENT_VERSION)))" -ge "05") || (echo "Error: Docker server 17.05 or greater is required" && exit 1)
+endif
+ifneq (,$(findstring podman,$(COMMAND)))
+	@test "$(word 1,$(subst ., ,$(PODMAN_VERSION)))" -ge "1" || (echo "Error: Podman version 1.0 or greater is required" && exit 1)
+endif
--- a/NOTICES.txt
+++ b/NOTICES.txt
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 # IBM MQ container

+
 [![Build Status](https://travis-ci.org/ibm-messaging/mq-container.svg?branch=master)](https://travis-ci.org/ibm-messaging/mq-container)

 **Note**: The `master` branch may be in an *unstable or even broken state* during development.
@@ -33,7 +34,7 @@ See the [default developer configuration docs](docs/developer-config.md) for the

 ### Kubernetes

-If you want to use IBM MQ in [Kubernetes](https://kubernetes.io), you can find an example [Helm](https://helm.sh/) chart here: [IBM charts](https://github.com/IBM/charts).  This can be used to run the container on a cluster, such as [IBM Cloud Private](https://www.ibm.com/cloud-computing/products/ibm-cloud-private/) or the [IBM Cloud Kubernetes Service](https://www.ibm.com/cloud/container-service).
+If you want to use IBM MQ on [Kubernetes](https://kubernetes.io), you can find an example [Helm](https://helm.sh/) chart here: [IBM MQ Sample Helm Chart](https://github.com/ibm-messaging/mq-helm).  This can be used to run the container on a Kubernetes cluster, such as the [IBM Cloud Kubernetes Service](https://www.ibm.com/cloud/container-service).

 ## Issues and contributions

@@ -44,11 +45,12 @@ For issues relating specifically to the container image or Helm chart, please us
 The Dockerfiles and associated code and scripts are licensed under the [Apache License 2.0](http://www.apache.org/licenses/LICENSE-2.0.html).
 Licenses for the products installed within the images are as follows:

- [IBM MQ Advanced for Developers](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-BBZHCQ) (International License Agreement for Non-Warranted Programs). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.
- [IBM MQ Advanced](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-BGMHFW) (International Program License Agreement). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.
+- [IBM MQ Advanced for Developers](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-CAUEQC) (International License Agreement for Non-Warranted Programs). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.
+- [IBM MQ Advanced](http://www14.software.ibm.com/cgi-bin/weblap/lap.pl?la_formnum=Z125-3301-14&li_formnum=L-APIG-CAUEBE) (International Program License Agreement). This license may be viewed from an image using the `LICENSE=view` environment variable as described above or by following the link above.

 Note: The IBM MQ Advanced for Developers license does not permit further distribution and the terms restrict usage to a developer machine.

+
 ## Copyright

-© Copyright IBM Corporation 2015, 2019
+© Copyright IBM Corporation 2015, 2022
--- a/authservice/mqhtpass/Makefile
+++ b/authservice/mqhtpass/Makefile
@@ -0,0 +1,50 @@
+# © Copyright IBM Corporation 2017, 2020
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This Makefile expects the following to be installed:
+# - gcc
+# - ldd
+# - MQ SDK (mqm_r library, plus header files)
+# - Apache Portable Runtime (apr-1 and aprutil-1 libraries, plus header files)
+
+SRC_DIR = src
+BUILD_DIR = ./build
+
+# Flags passed to the C compiler.  Need to use gnu11 to get POSIX functions needed for file locking.
+CFLAGS += -std=gnu11 -fPIC -Wall -m64
+
+LIB_APR = -L/usr/lib64 -lapr-1 -laprutil-1
+LIB_MQ = -L/opt/mqm/lib64 -lmqm_r
+
+all: $(BUILD_DIR)/mqhtpass.so $(BUILD_DIR)/htpass_test
+
+$(BUILD_DIR)/log.o : $(SRC_DIR)/log.c $(SRC_DIR)/log.h
+	mkdir -p ${dir $@}
+	gcc $(CFLAGS) -c $(SRC_DIR)/log.c -o $@
+
+$(BUILD_DIR)/htpass.o : $(SRC_DIR)/htpass.c $(SRC_DIR)/htpass.h
+	mkdir -p ${dir $@}
+	gcc $(CFLAGS) -c $(SRC_DIR)/htpass.c -I /usr/include/apr-1 -o $@
+
+$(BUILD_DIR)/htpass_test : $(BUILD_DIR)/htpass.o $(BUILD_DIR)/log.o
+	mkdir -p ${dir $@}
+	gcc $(CFLAGS) $(LIB_APR) -lpthread $(SRC_DIR)/htpass_test.c $^ -o $@
+# Run HTPasswd tests, and print log if they fail	
+	$@ || (cat htpass_test*.log && exit 1)
+
+$(BUILD_DIR)/mqhtpass.so : $(BUILD_DIR)/log.o $(BUILD_DIR)/htpass.o
+	mkdir -p ${dir $@}
+	# NOTE: rpath for libapr will be different on Ubuntu
+	gcc $(CFLAGS) -I/opt/mqm/inc -D_REENTRANT $(LIB_APR) $(LIB_MQ) -Wl,-rpath,/opt/mqm/lib64 -Wl,-rpath,/usr/lib64 -shared $(SRC_DIR)/mqhtpass.c $^ -o $@
+	ldd $@
--- a/authservice/mqhtpass/src/htpass.c
+++ b/authservice/mqhtpass/src/htpass.c
@@ -0,0 +1,145 @@
+/*
+© Copyright IBM Corporation 2021
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "log.h"
+#include "htpass.h"
+#include <linux/limits.h>
+#include <apr_general.h>
+#include <apr_errno.h>
+#include <apr_md5.h>
+
+bool htpass_valid_file(char *filename)
+{
+  bool valid = true;
+  FILE *fp;
+  char *huser;
+
+  fp = fopen(filename, "r");
+  if (fp == NULL)
+  {
+    log_errorf("Error %d opening htpasswd file '%s'", errno, filename);
+  }
+  if (fp)
+  {
+    const size_t line_size = 1024;
+    char *line = malloc(line_size);
+    while (fgets(line, line_size, fp) != NULL)
+    {
+      char *saveptr;
+      // Need to use strtok_r to be safe for multiple threads
+      huser = strtok_r(line, ":", &saveptr);
+      if (strlen(huser) >= 12)
+      {
+        log_errorf("Invalid htpasswd file for use with IBM MQ.  User '%s' is longer than twelve characters", huser);
+        valid = false;
+        break;
+      }
+    }
+    fclose(fp);
+    if (line)
+    {
+      free(line);
+    }
+  }
+  return valid;
+}
+
+char *find_hash(char *filename, char *user)
+{
+  bool found = false;
+  FILE *fp;
+  char *huser;
+  char *hash;
+
+  fp = fopen(filename, "r");
+  if (fp == NULL)
+  {
+    log_errorf("Error %d opening htpasswd file '%s'", errno, filename);
+  }
+  if (fp)
+  {
+    const size_t line_size = 1024;
+    char *line = malloc(line_size);
+    while (fgets(line, line_size, fp) != NULL)
+    {
+      char *saveptr;
+      // Need to use strtok_r to be safe for multiple threads
+      huser = strtok_r(line, ":", &saveptr);
+      if (huser && (strcmp(user, huser) == 0))
+      {
+        // Make a duplicate of the string, because we'll be keeping it
+        hash = strdup(strtok_r(NULL, " \r\n\t", &saveptr));
+        found = true;
+        break;
+      }
+    }
+    fclose(fp);
+    if (line)
+    {
+      free(line);
+    }
+  }
+  if (!found)
+  {
+    hash = NULL;
+  }
+  return hash;
+}
+
+int htpass_authenticate_user(char *filename, char *user, char *password)
+{
+  char *hash = find_hash(filename, user);
+  int result = -1;
+  if (hash == NULL)
+  {
+    result = HTPASS_INVALID_USER;
+    log_debugf("User does not exist. user=%s", user);
+  }
+  else
+  {
+    // Use the Apache Portable Runtime utilities to validate the password against the hash.
+    // Supports multiple hashing algorithms, but we should only be using bcrypt
+    apr_status_t status = apr_password_validate(password, hash);
+    // status is usually either APR_SUCCESS or APR_EMISMATCH
+    if (status == APR_SUCCESS)
+    {
+      result = HTPASS_VALID;
+      log_debugf("Correct password supplied. user=%s", user);
+    }
+    else
+    {
+      result = HTPASS_INVALID_PASSWORD;
+      log_debugf("Incorrect password supplied. user=%s", user);
+    }
+  }
+  return result;
+}
+
+bool htpass_valid_user(char *filename, char *user)
+{
+  char *hash = find_hash(filename, user);
+  bool valid = false;
+  if (hash != NULL)
+  {
+    valid = true;
+  }
+  return valid;
+}
--- a/authservice/mqhtpass/src/htpass.h
+++ b/authservice/mqhtpass/src/htpass.h
@@ -0,0 +1,49 @@
+/*
+© Copyright IBM Corporation 2021
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#ifndef _HTPASS_H
+#define _HTPASS_H
+
+#define HTPASS_VALID 0
+#define HTPASS_INVALID_USER 1
+#define HTPASS_INVALID_PASSWORD 2
+
+/**
+ * Validate an HTPasswd file for use with IBM MQ.
+ * 
+ * @param filename the HTPasswd file
+ */
+_Bool htpass_valid_file(char *filename);
+
+/**
+ * Authenticate a user, based on the supplied file name.
+ * 
+ * @param filename the HTPasswd file
+ * @param user the user name to authenticate
+ * @param password the password of the user
+ * @return HTPASS_VALID, HTPASS_INVALID_USER or HTPASS_INVALID_PASSWORD
+ */
+int htpass_authenticate_user(char *filename, char *user, char *password);
+
+/**
+ * Validate that a user exists in the password file.
+ * 
+ * @param filename the HTPasswd file
+ * @param user the user name to validate
+ */
+_Bool htpass_valid_user(char *filename, char *user);
+
+#endif
--- a/authservice/mqhtpass/src/htpass_test.c
+++ b/authservice/mqhtpass/src/htpass_test.c
@@ -0,0 +1,223 @@
+/*
+© Copyright IBM Corporation 2021
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "log.h"
+#include "htpass.h"
+
+// Headers for multi-threaded tests
+#include <pthread.h>
+
+// Start a test and log the function name
+#define test_start() printf("=== RUN: %s\n", __func__)
+
+// Indicate test has passed
+#define test_pass() printf("--- PASS: %s\n", __func__)
+
+// Indicate test has failed
+void test_fail(const char *test_name)
+{
+  printf("--- FAIL: %s\n", test_name);
+  exit(1);
+}
+
+// ----------------------------------------------------------------------------
+// Simple tests for file validation
+// ----------------------------------------------------------------------------
+
+void test_htpass_valid_file_ok()
+{
+  test_start();
+  int ok = htpass_valid_file("./src/htpass_test.htpasswd");
+  if (!ok)
+    test_fail(__func__);
+  test_pass();
+}
+
+void test_htpass_valid_file_too_long()
+{
+  test_start();
+  int ok = htpass_valid_file("./src/htpass_test_invalid.htpasswd");
+  if (ok)
+    test_fail(__func__);
+  test_pass();
+}
+
+// ----------------------------------------------------------------------------
+// Simple tests for authentication
+// ----------------------------------------------------------------------------
+
+void test_htpass_authenticate_user_fred_valid()
+{
+  test_start();
+  int rc = htpass_authenticate_user("./src/htpass_test.htpasswd", "fred", "passw0rd");
+  printf("%s: fred - %d\n", __func__, rc);
+  if (rc != HTPASS_VALID)
+    test_fail(__func__);
+  test_pass();
+}
+
+void test_htpass_authenticate_user_fred_invalid1()
+{
+  test_start();
+  int rc = htpass_authenticate_user("./src/htpass_test.htpasswd", "fred", "passw0rd ");
+  printf("%s: fred - %d\n", __func__, rc);
+  if (rc != HTPASS_INVALID_PASSWORD)
+    test_fail(__func__);
+  test_pass();
+}
+
+void test_htpass_authenticate_user_fred_invalid2()
+{
+  test_start();
+  int rc = htpass_authenticate_user("./src/htpass_test.htpasswd", "fred", "");
+  printf("%s: fred - %d\n", __func__, rc);
+  if (rc != HTPASS_INVALID_PASSWORD)
+    test_fail(__func__);
+  test_pass();
+}
+
+void test_htpass_authenticate_user_fred_invalid3()
+{
+  test_start();
+  int rc = htpass_authenticate_user("./src/htpass_test.htpasswd", "fred", "clearlywrong");
+  printf("%s: fred - %d\n", __func__, rc);
+  if (rc != HTPASS_INVALID_PASSWORD)
+    test_fail(__func__);
+  test_pass();
+}
+
+void test_htpass_authenticate_user_barney_valid()
+{
+  test_start();
+  int rc = htpass_authenticate_user("./src/htpass_test.htpasswd", "barney", "s3cret");
+  printf("%s: barney - %d\n", __func__, rc);
+  if (rc != HTPASS_VALID)
+    test_fail(__func__);
+  test_pass();
+}
+
+void test_htpass_authenticate_user_unknown()
+{
+  test_start();
+  int rc = htpass_authenticate_user("./src/htpass_test.htpasswd", "george", "s3cret");
+  printf("%s: barney - %d\n", __func__, rc);
+  if (rc != HTPASS_INVALID_USER)
+    test_fail(__func__);
+  test_pass();
+}
+
+// ----------------------------------------------------------------------------
+// Multi-threaded test
+// ----------------------------------------------------------------------------
+
+#define NUM_THREADS 5
+// Number of tests to perform per thread.  Higher numbers are more likely to trigger timing issue.
+#define NUM_TESTS_PER_THREAD 1000
+// Maximum number of JSON errors to report (log can get flooded)
+#define MAX_JSON_ERRORS 10
+
+// Authenticate multiple users, multiple times
+void *authenticate_many_times(void *p)
+{
+  for (int i = 0; i < NUM_TESTS_PER_THREAD; i++)
+  {
+    int rc = htpass_authenticate_user("./src/htpass_test.htpasswd", "barney", "s3cret");
+    if (rc != HTPASS_VALID)
+      test_fail(__func__);
+    rc = htpass_authenticate_user("./src/htpass_test.htpasswd", "fred", "passw0rd");
+    if (rc != HTPASS_VALID)
+      test_fail(__func__);
+  }
+  pthread_exit(NULL);
+}
+
+void check_log_file_valid(char *filename)
+{
+  int errors = 0;
+  printf("--- Checking log file is valid\n");
+  // Check that the JSON log file isn't corrupted
+  FILE *log = fopen(filename, "r");
+  if (log == NULL)
+  {
+    test_fail(__func__);
+  }
+  const size_t line_size = 1024;
+  char *line = malloc(line_size);
+  while (fgets(line, line_size, log) != NULL)
+  {
+    if ((line[0] != '{') && (errors < MAX_JSON_ERRORS))
+    {
+      printf("*** Invalid JSON detected: %s\n", line);
+      errors++;
+    }
+  }
+  if (line)
+  {
+    free(line);
+  }
+  fclose(log);
+}
+
+// Test authenticate_user with multiple threads, each doing many authentications
+void test_htpass_authenticate_user_multithreaded(char *logfile)
+{
+  pthread_t threads[NUM_THREADS];
+  int rc;
+  test_start();
+  // Re-initialize the log to use a file for the multi-threaded test
+  log_init(logfile);
+  for (int i = 0; i < NUM_THREADS; i++)
+  {
+    printf("Creating thread %d\n", i);
+    rc = pthread_create(&threads[i], NULL, authenticate_many_times, NULL);
+    if (rc)
+    {
+      printf("Error: Unable to create thread, %d\n", rc);
+      test_fail(__func__);
+    }
+  }
+  // Wait for all the threads to complete
+  for (int i = 0; i < NUM_THREADS; i++)
+  {
+    pthread_join(threads[i], NULL);
+  }
+  check_log_file_valid(logfile);
+  test_pass();
+}
+
+// ----------------------------------------------------------------------------
+
+int main()
+{
+  // Turn on debugging for the tests
+  setenv("DEBUG", "true", true);
+  log_init("htpass_test.log");
+  test_htpass_valid_file_ok();
+  test_htpass_valid_file_too_long();
+  test_htpass_authenticate_user_fred_valid();
+  test_htpass_authenticate_user_fred_invalid1();
+  test_htpass_authenticate_user_fred_invalid2();
+  test_htpass_authenticate_user_fred_invalid3();
+  test_htpass_authenticate_user_barney_valid();
+  test_htpass_authenticate_user_unknown();
+  log_close();
+
+  // Call multi-threaded test last, because it re-initializes the log to use a file
+  test_htpass_authenticate_user_multithreaded("htpass_test_multithreaded.log");
+}
--- a/authservice/mqhtpass/src/htpass_test.htpasswd
+++ b/authservice/mqhtpass/src/htpass_test.htpasswd
@@ -0,0 +1,2 @@
+fred:$2y$05$3Fp9epsqEwWOHdyj9Ngf9.qfX34kzc9zNrdQ7kac0GmcCvQjIkAwy
+barney:$2y$05$l8EoyCQ9y2PyfUzIDDfTyu7SSaJEYB1TuHy07xZvN7xt/pR3SIw0a
--- a/authservice/mqhtpass/src/htpass_test_invalid.htpasswd
+++ b/authservice/mqhtpass/src/htpass_test_invalid.htpasswd
@@ -0,0 +1,3 @@
+fred:$2y$05$3Fp9epsqEwWOHdyj9Ngf9.qfX34kzc9zNrdQ7kac0GmcCvQjIkAwy
+barney:$2y$05$l8EoyCQ9y2PyfUzIDDfTyu7SSaJEYB1TuHy07xZvN7xt/pR3SIw0a
+namewhichisfartoolongformq:$2y$05$l8EoyCQ9y2PyfUzIDDfTyu7SSaJEYB1TuHy07xZvN7xt/pR3SIw0a
--- a/authservice/mqhtpass/src/log.c
+++ b/authservice/mqhtpass/src/log.c
@@ -0,0 +1,152 @@
+/*
+© Copyright IBM Corporation 2021
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+#include <sys/time.h>
+#include <unistd.h>
+
+FILE *fp = NULL;
+int pid;
+char hostname[255];
+bool debug = false;
+
+/**
+ * Determine whether debugging is enabled or not, using an environment variable.
+ */
+void init_debug(){
+  char *debug_env = getenv("DEBUG");
+  if (debug_env != NULL)
+  {
+    // Enable debug logging if the DEBUG environment variable is set
+    if (strncmp(debug_env, "true", 4) || strncmp(debug_env, "1", 1))
+    {
+      debug = true;
+    }
+  }
+}
+
+/**
+ * Internal function to initialize the log with the given file mode.
+ */
+int log_init_internal(char *filename, const char *mode)
+{
+  int result = 0;
+  pid = getpid();
+  hostname[254] = '\0';
+  gethostname(hostname, 254);
+  if (!fp)
+  {
+    fp = fopen(filename, "a");
+    if (fp)
+    {
+      // Disable buffering for this file
+      setbuf(fp, NULL);
+    }
+    else
+    {
+      result = 1;
+    }
+  }
+  init_debug();
+  return result;
+}
+
+int log_init_reset(char *filename)
+{
+  // Open the log file for writing (overwrite if it already exists)
+  return log_init_internal(filename, "w");
+}
+
+int log_init(char *filename)
+{
+  // Open the log file file for appending
+  return log_init_internal(filename, "a");
+}
+
+void log_init_file(FILE *f)
+{
+  fp = f;
+  init_debug();
+}
+
+void log_close()
+{
+  if (fp)
+  {
+    fclose(fp);
+    fp = NULL;
+  }
+}
+
+void log_printf(const char *source_file, int source_line, const char *level, const char *format, ...)
+{
+  if (fp)
+  {
+    // If this is a DEBUG message, and debugging is off
+    if ((strncmp(level, "DEBUG", 5) == 0) && !debug)
+    {
+      return;
+    }
+    char buf[1024] = "";
+    char *cur = buf;
+    char* const end = buf + sizeof buf;
+    char date_buf[70];
+    struct tm *utc;
+    time_t t;
+    struct timeval now;
+
+    gettimeofday(&now, NULL);
+    t = now.tv_sec;
+    t = time(NULL);
+    utc = gmtime(&t);
+
+    cur += snprintf(cur, end-cur, "{");
+    cur += snprintf(cur, end-cur, "\"loglevel\":\"%s\"", level);
+    // Print ISO-8601 time and date
+    if (strftime(date_buf, sizeof date_buf, "%FT%T", utc))
+    {
+       // Round microseconds down to milliseconds, for consistency
+       cur += snprintf(cur, end-cur, ", \"ibm_datetime\":\"%s.%03ldZ\"", date_buf, now.tv_usec / 1000);
+    }
+    cur += snprintf(cur, end-cur, ", \"ibm_processId\":\"%d\"", pid);
+    cur += snprintf(cur, end-cur, ", \"host\":\"%s\"", hostname);
+    cur += snprintf(cur, end-cur, ", \"module\":\"%s:%d\"", source_file, source_line);
+    cur += snprintf(cur, end-cur, ", \"message\":\"");
+
+    if (strncmp(level, "DEBUG", 5) == 0)
+    {
+      // Add a prefix on any debug messages
+      cur += snprintf(cur, end-cur, "mqhtpass: ");
+    }
+
+    // Print log message, using varargs
+    va_list args;
+    va_start(args, format);
+    cur += vsnprintf(cur, end-cur, format, args);
+    va_end(args);
+    cur += snprintf(cur, end-cur, "\"}\n");
+
+    // Important: Just do one file write, to prevent problems with multi-threading.
+    // This only works if the log message is not too long for the buffer.
+    fprintf(fp, buf);
+  }
+}
+
--- a/authservice/mqhtpass/src/log.h
+++ b/authservice/mqhtpass/src/log.h
@@ -0,0 +1,63 @@
+/*
+© Copyright IBM Corporation 2021
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#ifndef _LOG_H
+#define _LOG_H
+
+/**
+ * Initialize the log to use the given file name, wiping any existing contents.
+ */
+int log_init_reset(char *filename);
+
+/**
+ * Initialize the log to use the given file name.
+ */
+int log_init(char *filename);
+
+/**
+ * Initialize the log with an existing file handle.
+ */
+void log_init_file(FILE *f);
+
+/**
+ * Write a message to the log file, based on a printf format string.
+ * 
+ * @param source_file the name of the source code file submitting this log message
+ * @param source_line the line of code in the source file
+ * @param level the log level, one of "DEBUG", "INFO" or "ERROR"
+ * @param format the printf format string for the message
+ */
+void log_printf(const char *source_file, int source_line, const char *level, const char *format, ...);
+
+void log_close();
+
+/**
+ * Variadic macro to write an informational message to the log file, based on a printf format string.
+ */
+#define log_infof(format,...) log_printf(__FILE__, __LINE__, "INFO", format, ##__VA_ARGS__)
+
+/**
+ * Variadic macro to write an error message to the log file, based on a printf format string.
+ */
+#define log_errorf(format,...) log_printf(__FILE__, __LINE__, "ERROR", format, ##__VA_ARGS__)
+
+/**
+ * Variadic macro to write a debug message to the log file, based on a printf format string.
+ */
+#define log_debugf(format,...) log_printf(__FILE__, __LINE__, "DEBUG", format, ##__VA_ARGS__)
+
+
+#endif
--- a/authservice/mqhtpass/src/mqhtpass.c
+++ b/authservice/mqhtpass/src/mqhtpass.c
@@ -0,0 +1,350 @@
+/*
+© Copyright IBM Corporation 2021, 2022
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This is a developer only configuration and not recommended for production usage.
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <cmqec.h>
+#include "log.h"
+#include "htpass.h"
+
+// Declare the internal functions that implement the interface
+MQZ_INIT_AUTHORITY MQStart;
+static MQZ_AUTHENTICATE_USER mqhtpass_authenticate_user;
+static MQZ_FREE_USER mqhtpass_free_user;
+static MQZ_TERM_AUTHORITY mqhtpass_terminate;
+
+#define LOG_FILE "/var/mqm/errors/mqhtpass.json"
+#define HTPASSWD_FILE "/etc/mqm/mq.htpasswd"
+#define NAME "MQ Advanced for Developers custom authentication service"
+
+static char *trim(char *s);
+
+/**
+ * Initialization and entrypoint for the dynamically loaded
+ * authorization installable service. It registers the addresses of the
+ * other functions which are to be called by the queue manager.
+ *
+ * This function is called whenever the module is loaded.  The Options
+ * field will show whether it's a PRIMARY (i.e. during qmgr startup) or
+ * SECONDARY.
+ */
+void MQENTRY MQStart(
+    MQHCONFIG hc,
+    MQLONG Options,
+    MQCHAR48 QMgrName,
+    MQLONG ComponentDataLength,
+    PMQBYTE ComponentData,
+    PMQLONG Version,
+    PMQLONG pCompCode,
+    PMQLONG pReason)
+{
+  MQLONG CC = MQCC_OK;
+  MQLONG Reason = MQRC_NONE;
+  int log_rc = 0;
+
+  if (Options == MQZIO_PRIMARY)
+  {
+    // Reset the log file.  The file could still get large if debug is turned on,
+    // but this is a simpler solution for now.
+    log_rc = log_init_reset(LOG_FILE);
+  }
+  else
+  {
+    log_rc = log_init(LOG_FILE);
+  }
+
+  if (log_rc != 0)
+  {
+    CC = MQCC_FAILED;
+    Reason = MQRC_INITIALIZATION_FAILED;
+  }
+
+  if (Options == MQZIO_PRIMARY)
+  {
+    log_infof("Initializing %s", NAME);
+  }
+  log_debugf("MQStart options=%s qmgr=%s", ((Options == MQZIO_SECONDARY) ? "Secondary" : "Primary"), trim(QMgrName));
+
+  if (!htpass_valid_file(HTPASSWD_FILE))
+  {
+    CC = MQCC_FAILED;
+    Reason = MQRC_INITIALIZATION_FAILED;
+  }
+
+  // Initialize the functions to use for each entry point
+  if (CC == MQCC_OK)
+  {
+    hc->MQZEP_Call(hc, MQZID_INIT_AUTHORITY, (PMQFUNC)MQStart, &CC, &Reason);
+  }
+  if (CC == MQCC_OK)
+  {
+    hc->MQZEP_Call(hc, MQZID_TERM_AUTHORITY, (PMQFUNC)mqhtpass_terminate, &CC, &Reason);
+  }
+  if (CC == MQCC_OK)
+  {
+    hc->MQZEP_Call(hc, MQZID_AUTHENTICATE_USER, (PMQFUNC)mqhtpass_authenticate_user, &CC, &Reason);
+  }
+  if (CC == MQCC_OK)
+  {
+    hc->MQZEP_Call(hc, MQZID_FREE_USER, (PMQFUNC)mqhtpass_free_user, &CC, &Reason);
+  }
+  *Version = MQZAS_VERSION_5;
+  *pCompCode = CC;
+  *pReason = Reason;
+  return;
+}
+
+/**
+ * Called during the connection of any application which supplies an MQCSP (Connection Security Parameters).
+ * This is the usual case.
+ * See https://www.ibm.com/support/knowledgecenter/SSFKSJ_latest/com.ibm.mq.ref.dev.doc/q095610_.html
+ */
+static void MQENTRY mqhtpass_authenticate_user_csp(
+    PMQCHAR pQMgrName,
+    PMQCSP pSecurityParms,
+    PMQZAC pApplicationContext,
+    PMQZIC pIdentityContext,
+    PMQPTR pCorrelationPtr,
+    PMQBYTE pComponentData,
+    PMQLONG pContinuation,
+    PMQLONG pCompCode,
+    PMQLONG pReason)
+{
+  char *csp_user = NULL;
+  char *csp_pass = NULL;
+
+  // Firstly, create null-terminated strings from the user credentials in the MQ CSP object
+  csp_user = malloc(pSecurityParms->CSPUserIdLength + 1);
+  if (!csp_user)
+  {
+    log_errorf("%s is unable to allocate memory for a user", NAME);
+    *pCompCode = MQCC_FAILED;
+    *pReason = MQRC_SERVICE_ERROR;
+    return;
+  }
+  strncpy(csp_user, pSecurityParms->CSPUserIdPtr, pSecurityParms->CSPUserIdLength);
+  csp_user[pSecurityParms->CSPUserIdLength] = 0;
+  csp_pass = malloc((pSecurityParms->CSPPasswordLength + 1));
+  if (!csp_pass)
+  {
+    log_errorf("%s is unable to allocate memory for a password", NAME);
+    *pCompCode = MQCC_FAILED;
+    *pReason = MQRC_SERVICE_ERROR;
+    if (csp_user)
+    {
+      free(csp_user);
+    }
+    return;
+  }
+  strncpy(csp_pass, pSecurityParms->CSPPasswordPtr, pSecurityParms->CSPPasswordLength);
+  csp_pass[pSecurityParms->CSPPasswordLength] = 0;
+  log_debugf("%s with CSP user set. user=%s", __func__, csp_user);
+  int auth_result = htpass_authenticate_user(HTPASSWD_FILE, csp_user, csp_pass);
+
+  if (auth_result == HTPASS_VALID)
+  {
+    // An OK completion code means MQ will accept this user is authenticated
+    *pCompCode = MQCC_OK;
+    *pReason = MQRC_NONE;
+    // Tell the queue manager to stop trying other authorization services.
+    *pContinuation = MQZCI_STOP;
+    memcpy(pIdentityContext->UserIdentifier, csp_user, sizeof(pIdentityContext->UserIdentifier));
+    log_debugf("Authenticated user=%s", pIdentityContext->UserIdentifier);
+  }
+  // If the htpasswd file does not have an entry for this user
+  else if (auth_result == HTPASS_INVALID_USER)
+  {
+    *pCompCode = MQCC_WARNING;
+    *pReason = MQRC_NONE;
+    // Tell the queue manager to continue trying other authorization services, as they might have the user.
+    *pContinuation = MQZCI_CONTINUE;
+    log_debugf(
+        "User authentication failed due to invalid user.  user=%s effuser=%s applname=%s csp_user=%s cc=%d reason=%d",
+        trim(pIdentityContext->UserIdentifier),
+        trim(pApplicationContext->EffectiveUserID),
+        trim(pApplicationContext->ApplName),
+        trim(csp_user),
+        *pCompCode,
+        *pReason);
+  }
+  // If the htpasswd file has an entry for this user, but the password supplied is incorrect
+  else if (auth_result == HTPASS_INVALID_PASSWORD)
+  {
+    *pCompCode = MQCC_WARNING;
+    *pReason = MQRC_NOT_AUTHORIZED;
+    // Tell the queue manager to stop trying other authorization services.
+    *pContinuation = MQZCI_STOP;
+    log_debugf(
+        "User authentication failed due to invalid password.  user=%s effuser=%s applname=%s csp_user=%s cc=%d reason=%d",
+        trim(pIdentityContext->UserIdentifier),
+        trim(pApplicationContext->EffectiveUserID),
+        trim(pApplicationContext->ApplName),
+        trim(csp_user),
+        *pCompCode,
+        *pReason);
+  }
+  if (csp_user)
+  {
+    free(csp_user);
+  }
+  if (csp_pass)
+  {
+    free(csp_pass);
+  }
+  return;
+}
+
+/**
+ * Called during the connection of any application.
+ * For more information on the parameters, see https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_latest/com.ibm.mq.ref.dev.doc/q110090_.html
+ */
+static void MQENTRY mqhtpass_authenticate_user(
+    PMQCHAR pQMgrName,
+    PMQCSP pSecurityParms,
+    PMQZAC pApplicationContext,
+    PMQZIC pIdentityContext,
+    PMQPTR pCorrelationPtr,
+    PMQBYTE pComponentData,
+    PMQLONG pContinuation,
+    PMQLONG pCompCode,
+    PMQLONG pReason)
+{
+  char *spuser = NULL;
+  // By default, return a warning, which indicates to MQ that this
+  // authorization service hasn't authenticated the user.
+  *pCompCode = MQCC_WARNING;
+  *pReason = MQRC_NONE;
+  // By default, tell the queue manager to continue trying other
+  // authorization services.
+  *pContinuation = MQZCI_CONTINUE;
+
+  if ((pSecurityParms->AuthenticationType) == MQCSP_AUTH_USER_ID_AND_PWD)
+  {
+    mqhtpass_authenticate_user_csp(pQMgrName, pSecurityParms, pApplicationContext, pIdentityContext, pCorrelationPtr, pComponentData, pContinuation, pCompCode, pReason);
+  }
+  else
+  {
+    // Password not supplied, so just check that the user ID is valid
+    spuser = malloc(sizeof(PMQCHAR12) + 1);
+    if (!spuser)
+    {
+      log_errorf("%s is unable to allocate memory to check a user", NAME);
+      *pCompCode = MQCC_FAILED;
+      *pReason = MQRC_SERVICE_ERROR;
+      return;
+    }
+    strncpy(spuser, pApplicationContext->EffectiveUserID, strlen(pApplicationContext->EffectiveUserID));
+    spuser[sizeof(PMQCHAR12)] = 0;
+    log_debugf("%s without CSP user set.  effectiveuid=%s env=%d, callertype=%d, type=%d, accttoken=%d applidentitydata=%d", __func__, spuser, pApplicationContext->Environment, pApplicationContext->CallerType, pApplicationContext->AuthenticationType, pIdentityContext->AccountingToken, pIdentityContext->ApplIdentityData);
+    if (strncmp(spuser, "mqm", 3) == 0)
+    {
+      // Special case: pass the "mqm" user on for validation up the chain
+      // A warning in the completion code means MQ will pass this to other authorization services
+      *pCompCode = MQCC_WARNING;
+      *pReason = MQRC_NONE;
+      *pContinuation = MQZCI_CONTINUE;
+    }
+    else
+    {
+      bool valid_user = htpass_valid_user(HTPASSWD_FILE, spuser);
+      if (valid_user)
+      {
+        // An OK completion code means MQ will accept this user is authenticated
+        *pCompCode = MQCC_OK;
+        *pReason = MQRC_NONE;
+        *pContinuation = MQZCI_STOP;
+        memcpy(pIdentityContext->UserIdentifier, spuser, sizeof(pIdentityContext->UserIdentifier));
+      }
+      else
+      {
+        log_debugf(
+            "User authentication failed user=%s effuser=%s applname=%s cspuser=%s cc=%d reason=%d",
+            trim(pIdentityContext->UserIdentifier),
+            trim(pApplicationContext->EffectiveUserID),
+            trim(pApplicationContext->ApplName),
+            trim(spuser),
+            *pCompCode,
+            *pReason);
+      }
+      if (spuser)
+      {
+        free(spuser);
+      }
+    }
+  }
+  return;
+}
+
+/**
+ * Called during MQDISC, as the inverse of the call to authenticate.
+ */
+static void MQENTRY mqhtpass_free_user(
+    PMQCHAR pQMgrName,
+    PMQZFP pFreeParms,
+    PMQBYTE pComponentData,
+    PMQLONG pContinuation,
+
+    PMQLONG pCompCode,
+    PMQLONG pReason)
+{
+  log_debugf("mqhtpass_freeuser()");
+  *pCompCode = MQCC_WARNING;
+  *pReason = MQRC_NONE;
+  *pContinuation = MQZCI_CONTINUE;
+}
+
+/**
+ * Called when the authorization service is terminated.
+ */
+static void MQENTRY mqhtpass_terminate(
+    MQHCONFIG hc,
+    MQLONG Options,
+    PMQCHAR pQMgrName,
+    PMQBYTE pComponentData,
+    PMQLONG pCompCode,
+    PMQLONG pReason)
+{
+  if (Options == MQZTO_PRIMARY)
+  {
+    log_infof("Terminating %s", NAME);
+    log_close();
+  }
+  else {
+    log_debugf("Terminating secondary");
+  }
+  *pCompCode = MQCC_OK;
+  *pReason = MQRC_NONE;
+}
+
+/**
+ * Remove trailing spaces from a string.
+ */
+static char *trim(char *s)
+{
+  int i;
+  for (i = strlen(s) - 1; i >= 0; i--)
+  {
+    if (s[i] == ' ')
+      s[i] = 0;
+    else
+      break;
+  }
+  return s;
+}
--- a/cmd/chkmqhealthy/main.go
+++ b/cmd/chkmqhealthy/main.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2020

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -36,12 +36,12 @@ func queueManagerHealthy() (bool, error) {
 	cmd := exec.Command("dspmq", "-n", "-m", name)
 	// Run the command and wait for completion
 	out, err := cmd.CombinedOutput()
+	fmt.Printf("%s", out)
 	if err != nil {
 		fmt.Println(err)
 		return false, err
 	}
-	fmt.Printf("%s", out)
-	if !strings.Contains(string(out), "(RUNNING)") && !strings.Contains(string(out), "(RUNNING AS STANDBY)") && !strings.Contains(string(out), "(STARTING)") {
+	if !strings.Contains(string(out), "(RUNNING)") && !strings.Contains(string(out), "(RUNNING AS STANDBY)") && !strings.Contains(string(out), "(STARTING)") && !strings.Contains(string(out), "(REPLICA)") {
 		return false, nil
 	}
 	return true, nil
--- a/cmd/chkmqready/main.go
+++ b/cmd/chkmqready/main.go
@@ -39,7 +39,7 @@ func main() {
 	}

 	// Check if the queue manager has a running listener
-	if standby, _ := ready.IsRunningAsStandbyQM(name); !standby {
+	if active, _ := ready.IsRunningAsActiveQM(name); active {
 		conn, err := net.Dial("tcp", "127.0.0.1:1414")
 		if err != nil {
 			fmt.Println(err)
@@ -49,8 +49,13 @@ func main() {
 		if err != nil {
 			fmt.Println(err)
 		}
-	} else {
+	} else if standby, _ := ready.IsRunningAsStandbyQM(name); standby {
 		fmt.Printf("Detected queue manager running in standby mode")
 		os.Exit(10)
+	} else if replica, _ := ready.IsRunningAsReplicaQM(name); replica {
+		fmt.Printf("Detected queue manager running in replica mode")
+		os.Exit(20)
+	} else {
+		os.Exit(1)
 	}
 }
--- a/cmd/chkmqstarted/main.go
+++ b/cmd/chkmqstarted/main.go
@@ -0,0 +1,58 @@
+/*
+© Copyright IBM Corporation 2021
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// chkmqstarted checks that MQ has successfully started, by checking the output of the "dspmq" command
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+
+	"github.com/ibm-messaging/mq-container/pkg/name"
+)
+
+func queueManagerStarted() (bool, error) {
+	name, err := name.GetQueueManagerName()
+	if err != nil {
+		return false, err
+	}
+	// Specify the queue manager name, just in case someone's created a second queue manager
+	// #nosec G204
+	cmd := exec.Command("dspmq", "-n", "-m", name)
+	// Run the command and wait for completion
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		fmt.Println(err)
+		return false, err
+	}
+	if !strings.Contains(string(out), "(RUNNING)") && !strings.Contains(string(out), "(RUNNING AS STANDBY)") && !strings.Contains(string(out), "(STARTING)") && !strings.Contains(string(out), "(REPLICA)") {
+		return false, nil
+	}
+	return true, nil
+}
+
+func main() {
+	started, err := queueManagerStarted()
+	if err != nil {
+		os.Exit(2)
+	}
+	if !started {
+		os.Exit(1)
+	}
+	os.Exit(0)
+}
--- a/cmd/runmqdevserver/main.go
+++ b/cmd/runmqdevserver/main.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018, 2021

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,10 +19,9 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"syscall"

-	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
+	"github.com/ibm-messaging/mq-container/internal/htpasswd"
 	"github.com/ibm-messaging/mq-container/pkg/containerruntimelogger"
 	"github.com/ibm-messaging/mq-container/pkg/logger"
 	"github.com/ibm-messaging/mq-container/pkg/name"
@@ -30,27 +29,6 @@ import (

 var log *logger.Logger

-func setPassword(user string, password string) error {
-	// #nosec G204
-	cmd := exec.Command("sudo", "chpasswd")
-	stdin, err := cmd.StdinPipe()
-	if err != nil {
-		return err
-	}
-	fmt.Fprintf(stdin, "%s:%s", user, password)
-	err = stdin.Close()
-	if err != nil {
-		log.Errorf("Error closing password stdin: %v", err)
-	}
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		// Include the command output in the error
-		return fmt.Errorf("%v: %v", err.Error(), out)
-	}
-	log.Printf("Set password for \"%v\" user", user)
-	return nil
-}
-
 func getLogFormat() string {
 	return os.Getenv("LOG_FORMAT")
 }
@@ -89,11 +67,6 @@ func configureLogger() error {
 	return nil
 }

-func configureWeb(qmName string) error {
-	out := "/etc/mqm/web/installations/Installation1/angular.persistence/admin.json"
-	return mqtemplate.ProcessTemplateFile("/etc/mqm/admin.json.tpl", out, map[string]string{"QueueManagerName": qmName}, log)
-}
-
 func logTerminationf(format string, args ...interface{}) {
 	logTermination(fmt.Sprintf(format, args...))
 }
@@ -104,6 +77,7 @@ func logTermination(args ...interface{}) {
 	// Write the message to the termination log.  This is not the default place
 	// that Kubernetes will look for termination information.
 	log.Debugf("Writing termination message: %v", msg)
+	// #nosec G306 - its a read by owner/s group, and pose no harm.
 	err := ioutil.WriteFile("/run/termination-log", []byte(msg), 0660)
 	if err != nil {
 		log.Debug(err)
@@ -125,16 +99,23 @@ func doMain() error {
 	}

 	adminPassword, set := os.LookupEnv("MQ_ADMIN_PASSWORD")
-	if set {
-		err = setPassword("admin", adminPassword)
+	if !set {
+		adminPassword = "passw0rd"
+		err = os.Setenv("MQ_ADMIN_PASSWORD", adminPassword)
 		if err != nil {
-			logTerminationf("Error setting admin password: %v", err)
+			logTerminationf("Error setting admin password variable: %v", err)
 			return err
 		}
 	}
+	err = htpasswd.SetPassword("admin", adminPassword, false)
+	if err != nil {
+		logTerminationf("Error setting admin password: %v", err)
+		return err
+	}
+
 	appPassword, set := os.LookupEnv("MQ_APP_PASSWORD")
 	if set {
-		err = setPassword("app", appPassword)
+		err = htpasswd.SetPassword("app", appPassword, false)
 		if err != nil {
 			logTerminationf("Error setting app password: %v", err)
 			return err
@@ -147,18 +128,6 @@ func doMain() error {
 		return err
 	}

-	name, err := name.GetQueueManagerName()
-	if err != nil {
-		logTerminationf("Error getting queue manager name: %v", err)
-		return err
-	}
-
-	err = configureWeb(name)
-	if err != nil {
-		logTermination("Error configuring admin.json")
-		return err
-	}
-
 	return nil
 }

--- a/cmd/runmqserver/crtmqvol.go
+++ b/cmd/runmqserver/crtmqvol.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2020

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,14 +17,10 @@ package main

 import (
 	"os"
-	"runtime"
-	"syscall"
-
-	"github.com/ibm-messaging/mq-container/internal/command"
 )

 func createVolume(dataPath string) error {
-	fi, err := os.Stat(dataPath)
+	_, err := os.Stat(dataPath)
 	if err != nil {
 		if os.IsNotExist(err) {
 			// #nosec G301
@@ -36,25 +32,5 @@ func createVolume(dataPath string) error {
 			return err
 		}
 	}
-	fi, err = os.Stat(dataPath)
-	if err != nil {
-		return err
-	}
-	sys := fi.Sys()
-	if sys != nil && runtime.GOOS == "linux" {
-		stat := sys.(*syscall.Stat_t)
-		mqmUID, mqmGID, err := command.LookupMQM()
-		if err != nil {
-			return err
-		}
-		log.Debugf("mqm user is %v (%v)", mqmUID, mqmGID)
-		if int(stat.Uid) != mqmUID || int(stat.Gid) != mqmGID {
-			err = os.Chown(dataPath, mqmUID, mqmGID)
-			if err != nil {
-				log.Printf("Error: Unable to change ownership of %v", dataPath)
-				return err
-			}
-		}
-	}
 	return nil
 }
--- a/cmd/runmqserver/logging.go
+++ b/cmd/runmqserver/logging.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2021

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"sort"
 	"strings"
 	"sync"

@@ -45,6 +46,7 @@ func logTermination(args ...interface{}) {
 	// Write the message to the termination log.  This is not the default place
 	// that Kubernetes will look for termination information.
 	log.Debugf("Writing termination message: %v", msg)
+	// #nosec G306 - its a read by owner/s group, and pose no harm.
 	err := ioutil.WriteFile("/run/termination-log", []byte(msg), 0660)
 	if err != nil {
 		log.Debug(err)
@@ -60,8 +62,27 @@ func getLogFormat() string {
 	return os.Getenv("LOG_FORMAT")
 }

-func formatSimple(datetime string, message string) string {
-	return fmt.Sprintf("%v %v\n", datetime, message)
+// formatBasic formats a log message parsed from JSON, as "basic" text
+func formatBasic(obj map[string]interface{}) string {
+	// Emulate the MQ "MessageDetail=Extended" option, by appending inserts to the message
+	// This is important for certain messages, where key details are only available in the extended message content
+	inserts := make([]string, 0)
+	for k, v := range obj {
+		if strings.HasPrefix(k, "ibm_commentInsert") {
+			inserts = append(inserts, fmt.Sprintf("%s(%v)", strings.Replace(k, "ibm_comment", "Comment", 1), obj[k]))
+		} else if strings.HasPrefix(k, "ibm_arithInsert") {
+			if v.(float64) != 0 {
+				inserts = append(inserts, fmt.Sprintf("%s(%v)", strings.Replace(k, "ibm_arith", "Arith", 1), obj[k]))
+			}
+		}
+	}
+	sort.Strings(inserts)
+	if len(inserts) > 0 {
+		return fmt.Sprintf("%s %s [%v]\n", obj["ibm_datetime"], obj["message"], strings.Join(inserts, ", "))
+	}
+	// Convert time zone information from some logs (e.g. Liberty) for consistency
+	obj["ibm_datetime"] = strings.Replace(obj["ibm_datetime"].(string), "+0000", "Z", 1)
+	return fmt.Sprintf("%s %s\n", obj["ibm_datetime"], obj["message"])
 }

 // mirrorSystemErrorLogs starts a goroutine to mirror the contents of the MQ system error logs
@@ -82,6 +103,16 @@ func mirrorQueueManagerErrorLogs(ctx context.Context, wg *sync.WaitGroup, name s
 	return mirrorLog(ctx, wg, f, fromStart, mf, true)
 }

+// mirrorHTPasswdLogs starts a goroutine to mirror the contents of the MQ HTPasswd authorization service's log
+func mirrorHTPasswdLogs(ctx context.Context, wg *sync.WaitGroup, name string, fromStart bool, mf mirrorFunc) (chan error, error) {
+	return mirrorLog(ctx, wg, "/var/mqm/errors/mqhtpass.json", false, mf, true)
+}
+
+// mirrorWebServerLogs starts a goroutine to mirror the contents of the Liberty web server messages.log
+func mirrorWebServerLogs(ctx context.Context, wg *sync.WaitGroup, name string, fromStart bool, mf mirrorFunc) (chan error, error) {
+	return mirrorLog(ctx, wg, "/var/mqm/web/installations/Installation1/servers/mqweb/logs/messages.log", false, mf, true)
+}
+
 func getDebug() bool {
 	debug := os.Getenv("DEBUG")
 	if debug == "true" || debug == "1" {
@@ -101,14 +132,21 @@ func configureLogger(name string) (mirrorFunc, error) {
 			return nil, err
 		}
 		return func(msg string, isQMLog bool) bool {
-			obj, err := processLogMessage(msg)
-			if err == nil && isQMLog && filterQMLogMessage(obj) {
-				return false
-			}
-			if err != nil {
-				log.Printf("Failed to unmarshall JSON - %v", msg)
+			// Check if the message is JSON
+			if len(msg) > 0 && msg[0] == '{' {
+				obj, err := processLogMessage(msg)
+				if err == nil && isQMLog && filterQMLogMessage(obj) {
+					return false
+				}
+				if err != nil {
+					log.Printf("Failed to unmarshall JSON in log message - %v", msg)
+				} else {
+					fmt.Println(msg)
+				}
 			} else {
-				fmt.Println(msg)
+				// The log being mirrored isn't JSON, so wrap it in a simple JSON message
+				// MQ error logs are usually JSON, but this is useful for Liberty logs - usually expect WLP_LOGGING_MESSAGE_FORMAT=JSON to be set when mirroring Liberty logs.
+				fmt.Printf("{\"message\":\"%s\"}\n", msg)
 			}
 			return true
 		}, nil
@@ -118,15 +156,22 @@ func configureLogger(name string) (mirrorFunc, error) {
 			return nil, err
 		}
 		return func(msg string, isQMLog bool) bool {
-			// Parse the JSON message, and print a simplified version
-			obj, err := processLogMessage(msg)
-			if err == nil && isQMLog && filterQMLogMessage(obj) {
-				return false
-			}
-			if err != nil {
-				log.Printf("Failed to unmarshall JSON - %v", err)
+			// Check if the message is JSON
+			if len(msg) > 0 && msg[0] == '{' {
+				// Parse the JSON message, and print a simplified version
+				obj, err := processLogMessage(msg)
+				if err == nil && isQMLog && filterQMLogMessage(obj) {
+					return false
+				}
+				if err != nil {
+					log.Printf("Failed to unmarshall JSON in log message - %v", err)
+				} else {
+					fmt.Printf(formatBasic(obj))
+				}
 			} else {
-				fmt.Printf(formatSimple(obj["ibm_datetime"].(string), obj["message"].(string)))
+				// The log being mirrored isn't JSON, so just print it.
+				// MQ error logs are usually JSON, but this is useful for Liberty logs - usually expect WLP_LOGGING_MESSAGE_FORMAT=JSON to be set when mirroring Liberty logs.
+				fmt.Println(msg)
 			}
 			return true
 		}, nil
@@ -154,41 +199,43 @@ func filterQMLogMessage(obj map[string]interface{}) bool {
 }

 func logDiagnostics() {
-	log.Debug("--- Start Diagnostics ---")
+	if getDebug() {
+		log.Debug("--- Start Diagnostics ---")

-	// show the directory ownership/permissions
-	// #nosec G104
-	out, _, _ := command.Run("ls", "-l", "/mnt/")
-	log.Debugf("/mnt/:\n%s", out)
-	// #nosec G104
-	out, _, _ = command.Run("ls", "-l", "/mnt/mqm")
-	log.Debugf("/mnt/mqm:\n%s", out)
-	// #nosec G104
-	out, _, _ = command.Run("ls", "-l", "/mnt/mqm/data")
-	log.Debugf("/mnt/mqm/data:\n%s", out)
-	// #nosec G104
-	out, _, _ = command.Run("ls", "-l", "/mnt/mqm-log/log")
-	log.Debugf("/mnt/mqm-log/log:\n%s", out)
-	// #nosec G104
-	out, _, _ = command.Run("ls", "-l", "/mnt/mqm-data/qmgrs")
-	log.Debugf("/mnt/mqm-data/qmgrs:\n%s", out)
-	// #nosec G104
-	out, _, _ = command.Run("ls", "-l", "/var/mqm")
-	log.Debugf("/var/mqm:\n%s", out)
-	// #nosec G104
-	out, _, _ = command.Run("ls", "-l", "/var/mqm/errors")
-	log.Debugf("/var/mqm/errors:\n%s", out)
-	// #nosec G104
-	out, _, _ = command.Run("ls", "-l", "/etc/mqm")
-	log.Debugf("/etc/mqm:\n%s", out)
+		// show the directory ownership/permissions
+		// #nosec G104
+		out, _, _ := command.Run("ls", "-l", "/mnt/")
+		log.Debugf("/mnt/:\n%s", out)
+		// #nosec G104
+		out, _, _ = command.Run("ls", "-l", "/mnt/mqm")
+		log.Debugf("/mnt/mqm:\n%s", out)
+		// #nosec G104
+		out, _, _ = command.Run("ls", "-l", "/mnt/mqm/data")
+		log.Debugf("/mnt/mqm/data:\n%s", out)
+		// #nosec G104
+		out, _, _ = command.Run("ls", "-l", "/mnt/mqm-log/log")
+		log.Debugf("/mnt/mqm-log/log:\n%s", out)
+		// #nosec G104
+		out, _, _ = command.Run("ls", "-l", "/mnt/mqm-data/qmgrs")
+		log.Debugf("/mnt/mqm-data/qmgrs:\n%s", out)
+		// #nosec G104
+		out, _, _ = command.Run("ls", "-l", "/var/mqm")
+		log.Debugf("/var/mqm:\n%s", out)
+		// #nosec G104
+		out, _, _ = command.Run("ls", "-l", "/var/mqm/errors")
+		log.Debugf("/var/mqm/errors:\n%s", out)
+		// #nosec G104
+		out, _, _ = command.Run("ls", "-l", "/etc/mqm")
+		log.Debugf("/etc/mqm:\n%s", out)

-	// Print out summary of any FDCs
-	// #nosec G204
-	cmd := exec.Command("/opt/mqm/bin/ffstsummary")
-	cmd.Dir = "/var/mqm/errors"
-	// #nosec G104
-	outB, _ := cmd.CombinedOutput()
-	log.Debugf("ffstsummary:\n%s", string(outB))
+		// Print out summary of any FDCs
+		// #nosec G204
+		cmd := exec.Command("/opt/mqm/bin/ffstsummary")
+		cmd.Dir = "/var/mqm/errors"
+		// #nosec G104
+		outB, _ := cmd.CombinedOutput()
+		log.Debugf("ffstsummary:\n%s", string(outB))

-	log.Debug("---  End Diagnostics  ---")
+		log.Debug("---  End Diagnostics  ---")
+	}
 }
--- a/cmd/runmqserver/logging_test.go
+++ b/cmd/runmqserver/logging_test.go
@@ -0,0 +1,55 @@
+/*
+© Copyright IBM Corporation 2020
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+)
+
+var formatBasicTests = []struct {
+	in          []byte
+	outContains string
+}{
+	{
+		[]byte("{\"ibm_datetime\":\"2020/06/24 00:00:00\",\"message\":\"Hello world\"}"),
+		"Hello",
+	},
+	{
+		[]byte("{\"ibm_datetime\":\"2020/06/24 00:00:00\",\"message\":\"Hello world\", \"ibm_commentInsert1\":\"foo\"}"),
+		"CommentInsert1(foo)",
+	},
+	{
+		[]byte("{\"ibm_datetime\":\"2020/06/24 00:00:00\",\"message\":\"Hello world\", \"ibm_arithInsert1\":1}"),
+		"ArithInsert1(1)",
+	},
+}
+
+func TestFormatBasic(t *testing.T) {
+	for i, table := range formatBasicTests {
+		t.Run(fmt.Sprintf("%v", i), func(t *testing.T) {
+			var inObj map[string]interface{}
+			json.Unmarshal(table.in, &inObj)
+			t.Logf("Unmarshalled: %+v", inObj)
+			out := formatBasic(inObj)
+			if !strings.Contains(out, table.outContains) {
+				t.Errorf("formatBasic() with input=%v - expected output to contain %v, got %v", string(table.in), table.outContains, out)
+			}
+		})
+	}
+}
--- a/cmd/runmqserver/main.go
+++ b/cmd/runmqserver/main.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2021

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -24,8 +24,8 @@ import (
 	"os"
 	"sync"

+	"github.com/ibm-messaging/mq-container/internal/ha"
 	"github.com/ibm-messaging/mq-container/internal/metrics"
-	"github.com/ibm-messaging/mq-container/internal/mqinimerge"
 	"github.com/ibm-messaging/mq-container/internal/ready"
 	"github.com/ibm-messaging/mq-container/internal/tls"
 	"github.com/ibm-messaging/mq-container/pkg/containerruntimelogger"
@@ -113,12 +113,29 @@ func doMain() error {
 		return err
 	}

+	enableTraceCrtmqdir := os.Getenv("MQ_ENABLE_TRACE_CRTMQDIR")
+	if enableTraceCrtmqdir == "true" || enableTraceCrtmqdir == "1" {
+		err = startMQTrace()
+		if err != nil {
+			logTermination(err)
+			return err
+		}
+	}
+
 	err = createDirStructure()
 	if err != nil {
 		logTermination(err)
 		return err
 	}

+	if enableTraceCrtmqdir == "true" || enableTraceCrtmqdir == "1" {
+		err = endMQTrace()
+		if err != nil {
+			logTermination(err)
+			return err
+		}
+	}
+
 	// If init flag is set, exit now
 	if *initFlag {
 		return nil
@@ -127,29 +144,55 @@ func doMain() error {
 	// Print out versioning information
 	logVersionInfo()

-	keylabel, cmsDB, p12Trust, _, err := tls.ConfigureTLSKeystores(keyDir, trustDir, keyStoreDir)
+	keyLabel, defaultCmsKeystore, defaultP12Truststore, err := tls.ConfigureDefaultTLSKeystores()
 	if err != nil {
 		logTermination(err)
 		return err
 	}

-	err = configureTLS(keylabel, cmsDB, *devFlag)
+	err = tls.ConfigureTLS(keyLabel, defaultCmsKeystore, *devFlag, log)
 	if err != nil {
 		logTermination(err)
 		return err
 	}

-	err = postInit(name, keylabel, p12Trust)
+	err = postInit(name, keyLabel, defaultP12Truststore)
 	if err != nil {
 		logTermination(err)
 		return err
 	}

-	newQM, err := createQueueManager(name)
+	if os.Getenv("MQ_NATIVE_HA") == "true" {
+		err = ha.ConfigureNativeHA(log)
+		if err != nil {
+			logTermination(err)
+			return err
+		}
+	}
+
+	enableTraceCrtmqm := os.Getenv("MQ_ENABLE_TRACE_CRTMQM")
+	if enableTraceCrtmqm == "true" || enableTraceCrtmqm == "1" {
+		err = startMQTrace()
+		if err != nil {
+			logTermination(err)
+			return err
+		}
+	}
+
+	newQM, err := createQueueManager(name, *devFlag)
 	if err != nil {
 		logTermination(err)
 		return err
 	}
+
+	if enableTraceCrtmqm == "true" || enableTraceCrtmqm == "1" {
+		err = endMQTrace()
+		if err != nil {
+			logTermination(err)
+			return err
+		}
+	}
+
 	var wg sync.WaitGroup
 	defer func() {
 		log.Debug("Waiting for log mirroring to complete")
@@ -171,16 +214,46 @@ func doMain() error {
 		logTermination(err)
 		return err
 	}
+	if *devFlag {
+		_, err = mirrorHTPasswdLogs(ctx, &wg, name, newQM, mf)
+		if err != nil {
+			logTermination(err)
+			return err
+		}
+	}
+	// Recommended to use this option in conjunction with setting WLP_LOGGING_MESSAGE_FORMAT=JSON
+	mirrorWebLog := os.Getenv("MQ_ENABLE_EMBEDDED_WEB_SERVER_LOG")
+	if mirrorWebLog == "true" || mirrorWebLog == "1" {
+		_, err = mirrorWebServerLogs(ctx, &wg, name, newQM, mf)
+		if err != nil {
+			logTermination(err)
+			return err
+		}
+	}
+
 	err = updateCommandLevel()
 	if err != nil {
 		logTermination(err)
 		return err
 	}

-	err = mqinimerge.AddStanzas(name)
-	if err != nil {
-		logTermination(err)
-		return err
+	enableTraceStrmqm := os.Getenv("MQ_ENABLE_TRACE_STRMQM")
+	if enableTraceStrmqm == "true" || enableTraceStrmqm == "1" {
+		err = startMQTrace()
+		if err != nil {
+			logTermination(err)
+			return err
+		}
+	}
+
+	// This is a developer image only change
+	// This workaround should be removed and handled via <crtmqm -ii>, when inimerge is ready to handle stanza ordering
+	if *devFlag {
+		err = updateQMini(name)
+		if err != nil {
+			logTermination(err)
+			return err
+		}
 	}

 	err = startQueueManager(name)
@@ -188,8 +261,9 @@ func doMain() error {
 		logTermination(err)
 		return err
 	}
-	if standby, _ := ready.IsRunningAsStandbyQM(name); !standby {
-		err = configureQueueManager()
+
+	if enableTraceStrmqm == "true" || enableTraceStrmqm == "1" {
+		err = endMQTrace()
 		if err != nil {
 			logTermination(err)
 			return err
--- a/cmd/runmqserver/mirror.go
+++ b/cmd/runmqserver/mirror.go
@@ -95,6 +95,7 @@ func mirrorLog(ctx context.Context, wg *sync.WaitGroup, path string, fromStart b
 		// the file is open before the queue manager is created or started.
 		// Otherwise, there would be the potential for a nearly-full file to
 		// rotate before the goroutine had a chance to open it.
+		// #nosec G304 - no harm, we open readonly and check error.
 		f, err = os.OpenFile(path, os.O_RDONLY, 0)
 		if err != nil {
 			return nil, err
@@ -122,6 +123,7 @@ func mirrorLog(ctx context.Context, wg *sync.WaitGroup, path string, fromStart b
 				return
 			}
 			log.Debugf("File exists: %v, %v", path, fi.Size())
+			// #nosec G304 - no harm, we open readonly and check error.
 			f, err = os.OpenFile(path, os.O_RDONLY, 0)
 			if err != nil {
 				log.Error(err)
@@ -169,6 +171,7 @@ func mirrorLog(ctx context.Context, wg *sync.WaitGroup, path string, fromStart b
 				}
 				// Re-open file
 				log.Debugf("Re-opening error log file %v", path)
+				// #nosec G304 - no harm, we open readonly and check error.
 				f, err = os.OpenFile(path, os.O_RDONLY, 0)
 				if err != nil {
 					log.Error(err)
--- a/cmd/runmqserver/post_init.go
+++ b/cmd/runmqserver/post_init.go
@@ -22,23 +22,23 @@ import (
 )

 // postInit is run after /var/mqm is set up
-func postInit(name, keylabel string, p12Trust tls.KeyStoreData) error {
+func postInit(name, keyLabel string, p12Truststore tls.KeyStoreData) error {
 	enableWebServer := os.Getenv("MQ_ENABLE_EMBEDDED_WEB_SERVER")
 	if enableWebServer == "true" || enableWebServer == "1" {
 		// Configure the web server (if enabled)
-		keystore, err := configureWebServer(keylabel, p12Trust)
+		webKeystore, err := configureWebServer(keyLabel, p12Truststore)
 		if err != nil {
 			return err
 		}
-		// If trust-store is empty, set reference to point to the key-store
-		p12TrustStoreRef := "MQWebTrustStore"
-		if len(p12Trust.TrustedCerts) == 0 {
-			p12TrustStoreRef = "MQWebKeyStore"
+		// If trust-store is empty, set reference to point to the keystore
+		webTruststoreRef := "MQWebTrustStore"
+		if len(p12Truststore.TrustedCerts) == 0 {
+			webTruststoreRef = "MQWebKeyStore"
 		}
 		// Start the web server, in the background (if installed)
 		// WARNING: No error handling or health checking available for the web server
 		go func() {
-			err = startWebServer(keystore, p12Trust.Password, p12TrustStoreRef)
+			err = startWebServer(webKeystore, p12Truststore.Password, webTruststoreRef)
 			if err != nil {
 				log.Printf("Error starting web server: %v", err)
 			}
--- a/cmd/runmqserver/qmgr.go
+++ b/cmd/runmqserver/qmgr.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2020

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,34 +16,42 @@ limitations under the License.
 package main

 import (
-	"bytes"
 	"fmt"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
+	"regexp"
+	"strconv"
 	"strings"

 	"github.com/ibm-messaging/mq-container/internal/command"
 	containerruntime "github.com/ibm-messaging/mq-container/internal/containerruntime"
 	"github.com/ibm-messaging/mq-container/internal/mqscredact"
+	"github.com/ibm-messaging/mq-container/internal/mqversion"
 	"github.com/ibm-messaging/mq-container/internal/ready"
 )

 // createDirStructure creates the default MQ directory structure under /var/mqm
 func createDirStructure() error {
-	out, _, err := command.Run("/opt/mqm/bin/crtmqdir", "-f", "-a")
+	// log file diagnostics before and after crtmqdir if DEBUG=true
+	logDiagnostics()
+	out, rc, err := command.Run("/opt/mqm/bin/crtmqdir", "-f", "-a")
 	if err != nil {
-		log.Printf("Error creating directory structure: %v\n", string(out))
-		return err
+		if rc == 10 {
+			log.Printf("Warning creating directory structure: %v\n", string(out))
+		} else {
+			log.Printf("Error creating directory structure: %v\n", string(out))
+			return err
+		}
 	}
 	log.Println("Created directory structure under /var/mqm")
+	logDiagnostics()
 	return nil
 }

 // createQueueManager creates a queue manager, if it doesn't already exist.
 // It returns true if one was created (or a standby was created), or false if one already existed
-func createQueueManager(name string) (bool, error) {
+func createQueueManager(name string, devMode bool) (bool, error) {
 	log.Printf("Creating queue manager %v", name)

 	// Run 'dspmqinf' to check if 'mqs.ini' configuration file exists
@@ -66,7 +74,7 @@ func createQueueManager(name string) (bool, error) {
 	_, err = os.Stat(filepath.Join(dataDir, "qm.ini"))
 	if err != nil {
 		// If 'qm.ini' is not found - run 'crtmqm' to create a new queue manager
-		args := getCreateQueueManagerArgs(mounts, name)
+		args := getCreateQueueManagerArgs(mounts, name, devMode)
 		out, rc, err := command.Run("crtmqm", args...)
 		if err != nil {
 			log.Printf("Error %v creating queue manager: %v", rc, string(out))
@@ -105,9 +113,13 @@ func startQueueManager(name string) error {
 	out, rc, err := command.Run("strmqm", "-x", name)
 	if err != nil {
 		// 30=standby queue manager started, which is fine
+		// 94=native HA replica started, which is fine
 		if rc == 30 {
 			log.Printf("Started standby queue manager")
 			return nil
+		} else if rc == 94 {
+			log.Printf("Started replica queue manager")
+			return nil
 		}
 		log.Printf("Error %v starting queue manager: %v", rc, string(out))
 		return err
@@ -116,74 +128,20 @@ func startQueueManager(name string) error {
 	return nil
 }

-func configureQueueManager() error {
-	const configDir string = "/etc/mqm"
-	files, err := ioutil.ReadDir(configDir)
-	if err != nil {
-		log.Println(err)
-		return err
-	}
-	for _, file := range files {
-		if strings.HasSuffix(file.Name(), ".mqsc") {
-			abs := filepath.Join(configDir, file.Name())
-			// #nosec G204
-			verify := exec.Command("runmqsc", "-v", "-e")
-			// #nosec G204 - command is fixed, no injection vector
-			cmd := exec.Command("runmqsc")
-			// Read mqsc file into variable
-			// #nosec G304 - filename variable is derived from contents of 'configDir' which is a defined constant
-			mqsc, err := ioutil.ReadFile(abs)
-			if err != nil {
-				log.Printf("Error reading file %v: %v", abs, err)
-				continue
-			}
-			// Write mqsc to buffer
-			var buffer bytes.Buffer
-			_, err = buffer.Write(mqsc)
-			if err != nil {
-				log.Printf("Error writing MQSC file %v to buffer: %v", abs, err)
-				continue
-			}
-			verifyBuffer := buffer
-
-			// Buffer mqsc to stdin of runmqsc
-			cmd.Stdin = &buffer
-			verify.Stdin = &verifyBuffer
-
-			// Verify the MQSC commands
-			out, err := verify.CombinedOutput()
-			if err != nil {
-				log.Errorf("Error verifying MQSC file %v (%v):\n\t%v", file.Name(), err, formatMQSCOutput(string(out)))
-				return fmt.Errorf("Error verifying MQSC file %v (%v):\n\t%v", file.Name(), err, formatMQSCOutput(string(out)))
-			}
-
-			// Run runmqsc command
-			out, err = cmd.CombinedOutput()
-			if err != nil {
-				log.Errorf("Error running MQSC file %v (%v):\n\t%v", file.Name(), err, formatMQSCOutput(string(out)))
-				continue
-			} else {
-				// Print the runmqsc output, adding tab characters to make it more readable as part of the log
-				log.Printf("Output for \"runmqsc\" with %v:\n\t%v", abs, formatMQSCOutput(string(out)))
-			}
-		}
-	}
-	return nil
-}
-
 func stopQueueManager(name string) error {
 	log.Println("Stopping queue manager")
+	qmGracePeriod := os.Getenv("MQ_GRACE_PERIOD")
 	isStandby, err := ready.IsRunningAsStandbyQM(name)
 	if err != nil {
 		log.Printf("Error getting status for queue manager %v: %v", name, err.Error())
 		return err
 	}
-	args := []string{"-w", "-r", name}
+	args := []string{"-w", "-r", "-tp", qmGracePeriod, name}
 	if os.Getenv("MQ_MULTI_INSTANCE") == "true" {
 		if isStandby {
 			args = []string{"-x", name}
 		} else {
-			args = []string{"-s", "-w", "-r", name}
+			args = []string{"-s", "-w", "-r", "-tp", qmGracePeriod, name}
 		}
 	}
 	out, rc, err := command.Run("endmqm", args...)
@@ -199,6 +157,28 @@ func stopQueueManager(name string) error {
 	return nil
 }

+func startMQTrace() error {
+	log.Println("Starting MQ trace")
+	out, rc, err := command.Run("strmqtrc")
+	if err != nil {
+		log.Printf("Error %v starting trace: %v", rc, string(out))
+		return err
+	}
+	log.Println("Started MQ trace")
+	return nil
+}
+
+func endMQTrace() error {
+	log.Println("Ending MQ Trace")
+	out, rc, err := command.Run("endmqtrc")
+	if err != nil {
+		log.Printf("Error %v ending trace: %v", rc, string(out))
+		return err
+	}
+	log.Println("Ended MQ trace")
+	return nil
+}
+
 func formatMQSCOutput(out string) string {
 	// redact sensitive information
 	out, _ = mqscredact.Redact(out)
@@ -227,8 +207,30 @@ func getQueueManagerDataDir(mounts map[string]string, name string) string {
 	return dataDir
 }

-func getCreateQueueManagerArgs(mounts map[string]string, name string) []string {
-	args := []string{"-q", "-p", "1414"}
+func getCreateQueueManagerArgs(mounts map[string]string, name string, devMode bool) []string {
+
+	mqversionBase := "9.2.1.0"
+
+	// use "UserExternal" only if we are 9.2.1.0 or above.
+	oaVal := "user"
+	mqVersionCheck, err := mqversion.Compare(mqversionBase)
+
+	if err != nil {
+		log.Printf("Error comparing MQ versions for oa,rc: %v", mqVersionCheck)
+	}
+	if mqVersionCheck >= 0 {
+		oaVal = "UserExternal"
+	}
+
+	//build args
+	args := []string{"-ii", "/etc/mqm/", "-ic", "/etc/mqm/", "-q", "-p", "1414"}
+
+	if os.Getenv("MQ_NATIVE_HA") == "true" {
+		args = append(args, "-lr", os.Getenv("HOSTNAME"))
+	}
+	if devMode {
+		args = append(args, "-oa", oaVal)
+	}
 	if _, ok := mounts["/mnt/mqm-log"]; ok {
 		args = append(args, "-ld", "/mnt/mqm-log/log")
 	}
@@ -247,3 +249,49 @@ func getCreateStandbyQueueManagerArgs(name string) []string {
 	args = append(args, "-v", fmt.Sprintf("DataPath=/mnt/mqm-data/qmgrs/%v", name))
 	return args
 }
+
+// updateQMini removes the original ServicecCmponent stanza so we can add a new one
+func updateQMini(qmname string) error {
+
+	val, set := os.LookupEnv("MQ_CONNAUTH_USE_HTP")
+	if !set {
+		//htpasswd mode not enabled.
+		return nil
+	}
+	bval, err := strconv.ParseBool(strings.ToLower(val))
+	if err != nil {
+		return err
+	}
+	if bval == false {
+		//htpasswd mode not enabled.
+		return nil
+	}
+
+	log.Printf("Removing existing ServiceComponent configuration")
+
+	mounts, err := containerruntime.GetMounts()
+	if err != nil {
+		log.Printf("Error getting mounts for queue manager")
+		return err
+	}
+	dataDir := getQueueManagerDataDir(mounts, qmname)
+	qmgrDir := filepath.Join(dataDir, "qm.ini")
+	//read the initial version.
+	// #nosec G304 - qmgrDir filepath is derived from dspmqinf
+	iniFileBytes, err := ioutil.ReadFile(qmgrDir)
+	if err != nil {
+		return err
+	}
+	qminiConfigStr := string(iniFileBytes)
+	if strings.Contains(qminiConfigStr, "ServiceComponent:") {
+		var re = regexp.MustCompile(`(?m)^.*ServiceComponent.*$\s^.*Service.*$\s^.*Name.*$\s^.*Module.*$\s^.*ComponentDataSize.*$`)
+		curFile := re.ReplaceAllString(qminiConfigStr, "")
+		// #nosec G304 G306 - qmgrDir filepath is derived from dspmqinf and
+		// its a read by owner/s group, and pose no harm.
+		err := ioutil.WriteFile(qmgrDir, []byte(curFile), 0660)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/cmd/runmqserver/signals.go
+++ b/cmd/runmqserver/signals.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2018
+© Copyright IBM Corporation 2017, 2022

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -33,8 +33,8 @@ func signalHandler(qmgr string) chan int {
 	control := make(chan int)
 	// Use separate channels for the signals, to avoid SIGCHLD signals swamping
 	// the buffer, and preventing other signals.
-	stopSignals := make(chan os.Signal)
-	reapSignals := make(chan os.Signal)
+	stopSignals := make(chan os.Signal, 1)
+	reapSignals := make(chan os.Signal, 1)
 	signal.Notify(stopSignals, syscall.SIGTERM, syscall.SIGINT)
 	go func() {
 		for {
--- a/cmd/runmqserver/tls.go
+++ b/cmd/runmqserver/tls.go
@@ -1,163 +0,0 @@
-/*
-© Copyright IBM Corporation 2018, 2019
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-package main
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/ibm-messaging/mq-container/internal/command"
-	"github.com/ibm-messaging/mq-container/internal/keystore"
-	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
-	"github.com/ibm-messaging/mq-container/internal/tls"
-)
-
-// Location to store the keystores
-const keyStoreDir = "/run/runmqserver/tls/"
-
-// KeyDir is the location of the certificate keys to import
-const keyDir = "/etc/mqm/pki/keys"
-
-// TrustDir is the location of the Certifates to add
-const trustDir = "/etc/mqm/pki/trust"
-
-// configureWebTLS configures TLS for Web Console
-func configureWebTLS(label string) error {
-	// Return immediately if we have no certificate to use as identity
-	if label == "" && os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME") == "" {
-		return nil
-	}
-
-	webConfigDir := "/etc/mqm/web/installations/Installation1/servers/mqweb"
-	tls := "tls.xml"
-
-	tlsConfig := filepath.Join(webConfigDir, tls)
-	newTLSConfig := filepath.Join(webConfigDir, tls+".tpl")
-	err := os.Remove(tlsConfig)
-	if err != nil {
-		return fmt.Errorf("Could not delete file %s: %v", tlsConfig, err)
-	}
-	// we symlink here to prevent issues on restart
-	err = os.Symlink(newTLSConfig, tlsConfig)
-	if err != nil {
-		return fmt.Errorf("Could not create symlink %s->%s: %v", newTLSConfig, tlsConfig, err)
-	}
-	mqmUID, mqmGID, err := command.LookupMQM()
-	if err != nil {
-		return fmt.Errorf("Could not find mqm user or group: %v", err)
-	}
-	err = os.Chown(tlsConfig, mqmUID, mqmGID)
-	if err != nil {
-		return fmt.Errorf("Could change ownership of %s to mqm: %v", tlsConfig, err)
-	}
-
-	return nil
-}
-
-// configureTLSDev configures TLS for developer defaults
-func configureTLSDev() error {
-	const mqsc string = "/etc/mqm/20-dev-tls.mqsc"
-	const mqscTemplate string = mqsc + ".tpl"
-
-	if os.Getenv("MQ_DEV") == "true" {
-		err := mqtemplate.ProcessTemplateFile(mqscTemplate, mqsc, map[string]string{}, log)
-		if err != nil {
-			return err
-		}
-	} else {
-		_, err := os.Stat(mqsc)
-		if !os.IsNotExist(err) {
-			err = os.Remove(mqsc)
-			if err != nil {
-				log.Errorf("Error removing file %s: %v", mqsc, err)
-				return err
-			}
-		}
-	}
-
-	return nil
-}
-
-// configureTLS configures TLS for queue manager
-func configureTLS(certLabel string, cmsKeystore tls.KeyStoreData, devmode bool) error {
-	log.Debug("Configuring TLS")
-
-	const mqsc string = "/etc/mqm/15-tls.mqsc"
-	const mqscTemplate string = mqsc + ".tpl"
-
-	err := mqtemplate.ProcessTemplateFile(mqscTemplate, mqsc, map[string]string{
-		"SSLKeyR":          strings.TrimSuffix(cmsKeystore.Keystore.Filename, ".kdb"),
-		"CertificateLabel": certLabel,
-	}, log)
-	if err != nil {
-		return err
-	}
-
-	if devmode && certLabel != "" {
-		err = configureTLSDev()
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-// configureWebKeyStore configures the key stores for the web console
-func configureWebKeyStore(p12TrustStore tls.KeyStoreData) (string, error) {
-	// TODO find way to supply this
-	// Override the webstore variables to hard coded defaults
-	webKeyStoreName := tls.WebDefaultLabel + ".p12"
-
-	// Check keystore exists
-	ks := filepath.Join(keyStoreDir, webKeyStoreName)
-	_, err := os.Stat(ks)
-	// Now we know if the file exists let's check whether we should have it or not.
-	// Check if we're being told to generate the certificate
-	genHostName := os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME")
-	if genHostName != "" {
-		// We've got to generate the certificate with the hostname given
-		if err == nil {
-			log.Printf("Replacing existing keystore %s - generating new certificate", ks)
-		}
-		// Keystore doesn't exist so create it and populate a certificate
-		newKS := keystore.NewPKCS12KeyStore(ks, p12TrustStore.Password)
-		err = newKS.Create()
-		if err != nil {
-			return "", fmt.Errorf("Failed to create keystore %s: %v", ks, err)
-		}
-
-		err = newKS.CreateSelfSignedCertificate("default", fmt.Sprintf("CN=%s", genHostName), genHostName)
-		if err != nil {
-			return "", fmt.Errorf("Failed to generate certificate in keystore %s with DN of 'CN=%s': %v", ks, genHostName, err)
-		}
-	} else {
-		// Keystore should already exist
-		if err != nil {
-			return "", fmt.Errorf("Failed to find existing keystore %s: %v", ks, err)
-		}
-	}
-
-	// Check truststore exists
-	_, err = os.Stat(p12TrustStore.Keystore.Filename)
-	if err != nil {
-		return "", fmt.Errorf("Failed to find existing truststore %s: %v", p12TrustStore.Keystore.Filename, err)
-	}
-
-	return webKeyStoreName, nil
-}
--- a/cmd/runmqserver/version.go
+++ b/cmd/runmqserver/version.go
@@ -20,6 +20,7 @@ import (
 	"strings"

 	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/internal/mqversion"
 )

 var (
@@ -50,7 +51,7 @@ func logImageTag() {
 }

 func logMQVersion() {
-	mqVersion, _, err := command.Run("dspmqver", "-b", "-f", "2")
+	mqVersion, err := mqversion.Get()
 	if err != nil {
 		log.Printf("Error Getting MQ version: %v", strings.TrimSuffix(string(mqVersion), "\n"))
 	}
--- a/cmd/runmqserver/webserver.go
+++ b/cmd/runmqserver/webserver.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018, 2020

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,19 +19,15 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
-	"os/user"
 	"path/filepath"
-	"strconv"
 	"strings"
-	"syscall"

-	"github.com/ibm-messaging/mq-container/internal/command"
 	"github.com/ibm-messaging/mq-container/internal/copy"
 	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 	"github.com/ibm-messaging/mq-container/internal/tls"
 )

-func startWebServer(keystore, keystorepw, p12TrustStoreRef string) error {
+func startWebServer(webKeystore, webkeystorePW, webTruststoreRef string) error {
 	_, err := os.Stat("/opt/mqm/bin/strmqweb")
 	if err != nil && os.IsNotExist(err) {
 		log.Debug("Skipping web server, because it's not installed")
@@ -50,28 +46,10 @@ func startWebServer(keystore, keystorepw, p12TrustStoreRef string) error {
 	}

 	// TLS enabled
-	if keystore != "" {
-		cmd.Env = append(cmd.Env, "AMQ_WEBKEYSTORE="+keystore)
-		cmd.Env = append(cmd.Env, "AMQ_WEBKEYSTOREPW="+keystorepw)
-		cmd.Env = append(cmd.Env, "AMQ_WEBTRUSTSTOREREF="+p12TrustStoreRef)
-	}
-
-	uid, gid, err := command.LookupMQM()
-	if err != nil {
-		return err
-	}
-	u, err := user.Current()
-	if err != nil {
-		return err
-	}
-	currentUID, err := strconv.Atoi(u.Uid)
-	if err != nil {
-		return fmt.Errorf("Error converting UID to string: %v", err)
-	}
-	// Add credentials to run as 'mqm', only if we aren't already 'mqm'
-	if currentUID != uid {
-		cmd.SysProcAttr = &syscall.SysProcAttr{}
-		cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)}
+	if webKeystore != "" {
+		cmd.Env = append(cmd.Env, "AMQ_WEBKEYSTORE="+webKeystore)
+		cmd.Env = append(cmd.Env, "AMQ_WEBKEYSTOREPW="+webkeystorePW)
+		cmd.Env = append(cmd.Env, "AMQ_WEBTRUSTSTOREREF="+webTruststoreRef)
 	}
 	out, err := cmd.CombinedOutput()
 	rc := cmd.ProcessState.ExitCode()
@@ -83,17 +61,32 @@ func startWebServer(keystore, keystorepw, p12TrustStoreRef string) error {
 	return nil
 }

-func configureSSO(p12TrustStore tls.KeyStoreData) (string, error) {
-	// Ensure all required environment variables are set for SSO
-	requiredEnvVars := []string{
-		"MQ_WEB_ADMIN_USERS",
-		"MQ_OIDC_CLIENT_ID",
-		"MQ_OIDC_CLIENT_SECRET",
-		"MQ_OIDC_UNIQUE_USER_IDENTIFIER",
-		"MQ_OIDC_AUTHORIZATION_ENDPOINT",
-		"MQ_OIDC_TOKEN_ENDPOINT",
-		"MQ_OIDC_JWK_ENDPOINT",
-		"MQ_OIDC_ISSUER_IDENTIFIER",
+func configureSSO(p12TrustStore tls.KeyStoreData, webKeystore string) (string, error) {
+	requiredEnvVars := []string{}
+	_, set := os.LookupEnv("MQ_ZEN_INTERNAL_ENDPOINT")
+	if !set {
+		// Ensure all required environment variables are set for SSO
+		requiredEnvVars = []string{
+			"MQ_OIDC_CLIENT_ID",
+			"MQ_OIDC_CLIENT_SECRET",
+			"MQ_OIDC_UNIQUE_USER_IDENTIFIER",
+			"MQ_OIDC_AUTHORIZATION_ENDPOINT",
+			"MQ_OIDC_TOKEN_ENDPOINT",
+			"MQ_OIDC_JWK_ENDPOINT",
+			"MQ_OIDC_ISSUER_IDENTIFIER",
+		}
+	} else {
+		// Ensure all required environment variables are set for Zen SSO
+		requiredEnvVars = []string{
+			"MQ_ZEN_UNIQUE_USER_IDENTIFIER",
+			"MQ_ZEN_INTERNAL_ENDPOINT",
+			"MQ_ZEN_ISSUER_IDENTIFIER",
+			"MQ_ZEN_AUDIENCES",
+			"MQ_ZEN_CONTEXT_NAME",
+			"MQ_ZEN_BASE_URI",
+			"MQ_ZEN_CONTEXT_NAMESPACE",
+			"IAM_URL",
+		}
 	}
 	for _, envVar := range requiredEnvVars {
 		if len(os.Getenv(envVar)) == 0 {
@@ -119,50 +112,49 @@ func configureSSO(p12TrustStore tls.KeyStoreData) (string, error) {
 	}

 	// Configure SSO TLS
-	return configureWebKeyStore(p12TrustStore)
+	return tls.ConfigureWebKeystore(p12TrustStore, webKeystore)
 }

-func configureWebServer(keyLabel string, p12Trust tls.KeyStoreData) (string, error) {
-	var keystore string
+func configureWebServer(keyLabel string, p12Truststore tls.KeyStoreData) (string, error) {
+	var webKeystore string

 	// Configure TLS for Web Console first if we have a certificate to use
-	err := configureWebTLS(keyLabel)
+	err := tls.ConfigureWebTLS(keyLabel)
 	if err != nil {
-		return keystore, err
+		return "", err
 	}
 	if keyLabel != "" {
-		keystore = keyLabel + ".p12"
+		webKeystore = keyLabel + ".p12"
 	}

 	// Configure Single-Sign-On for the web server (if enabled)
 	enableSSO := os.Getenv("MQ_BETA_ENABLE_SSO")
 	if enableSSO == "true" || enableSSO == "1" {
-		keystore, err = configureSSO(p12Trust)
+		webKeystore, err = configureSSO(p12Truststore, webKeystore)
 		if err != nil {
-			return keystore, err
+			return "", err
 		}
 	} else if keyLabel == "" && os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME") != "" {
-		keystore, err = configureWebKeyStore(p12Trust)
+		webKeystore, err = tls.ConfigureWebKeystore(p12Truststore, webKeystore)
+		if err != nil {
+			return "", err
+		}
 	}

 	_, err = os.Stat("/opt/mqm/bin/strmqweb")
 	if err != nil {
 		if os.IsNotExist(err) {
-			return keystore, nil
+			return "", nil
 		}
-		return keystore, err
+		return "", err
 	}
 	const webConfigDir string = "/etc/mqm/web"
 	_, err = os.Stat(webConfigDir)
 	if err != nil {
 		if os.IsNotExist(err) {
-			return keystore, nil
+			return "", nil
 		}
-		return keystore, err
-	}
-	uid, gid, err := command.LookupMQM()
-	if err != nil {
-		return keystore, err
+		return "", err
 	}
 	const prefix string = "/etc/mqm/web"
 	err = filepath.Walk(prefix, func(from string, info os.FileInfo, err error) error {
@@ -200,11 +192,8 @@ func configureWebServer(keyLabel string, p12Trust tls.KeyStoreData) (string, err
 				return err
 			}
 		}
-		err = os.Chown(to, uid, gid)
-		if err != nil {
-			return err
-		}
 		return nil
 	})
-	return keystore, err
+
+	return webKeystore, err
 }
--- a/config.env
+++ b/config.env
@@ -0,0 +1,6 @@
+###########################################################################################################################################################
+
+# MQ_VERSION is the fully qualified MQ version number to build
+MQ_VERSION ?= 9.3.0.5
+
+###########################################################################################################################################################
--- a/docker-builds/skopeo/Dockerfile
+++ b/docker-builds/skopeo/Dockerfile
@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2017, 2018
+# © Copyright IBM Corporation 2020
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,13 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-[[constraint]]
-  name = "github.com/docker/docker"
-  version = "=v17.03.2-ce"
-
-[[constraint]]
-  name = "github.com/docker/go-connections"
-  version = "0.4.0"
-
-[prune]
-  go-tests = true
+FROM fedora:32
+RUN yum install skopeo -y -qq
+ENTRYPOINT [ "skopeo" ]
--- a/docs/building.md
+++ b/docs/building.md
@@ -4,37 +4,45 @@

 You need to have the following tools installed:

-* [Docker](https://www.docker.com/) V17.06.1 or later, or [Podman](https://podman.io) V1.0 or later
+* [Docker](https://www.docker.com/) 17.06.1 or later, or [Podman](https://podman.io) 1.0 or later (Podman 4.1 on macOS).  If using Podman on macOS, the you need to be in "rootful" mode to allow the use of a network during builds.  Run `podman machine init --rootful`.
 * [GNU make](https://www.gnu.org/software/make/)

 If you are working in the Windows Subsystem for Linux, follow [this guide by Microsoft to set up Docker](https://blogs.msdn.microsoft.com/commandline/2017/12/08/cross-post-wsl-interoperability-with-docker/) first.

-You will also need a [Red Hat Account](https://access.redhat.com) to be able to access the Red Hat Registry. 
-
 ## Building a production image

-This procedure works for building the MQ Continuous Delivery release, on `amd64`, `ppc64le` and `s390x` architectures.
+From MQ 9.2.X, the MQ container adds support for MQ Long Term Support (LTS) **production licensed** releases.
+
+### Building MQ 9.3 Long Term Support (LTS) and Continuous Delivery (CD)
+
+**Note**: MQ 9.3 is the latest MQ version with MQ Long Term Support (LTS), as well as being the latest Continuous Delivery (CD) version.
+
+The procedure below is for building the 9.3 release, on `amd64`, `ppc64le` and `s390x` architectures.

 1. Create a `downloads` directory in the root of this repository
-2. Download MQ from [IBM Passport Advantage](https://www.ibm.com/software/passportadvantage/) or [IBM Fix Central](https://www.ibm.com/support/fixcentral), and place the downloaded file (for example, `IBM_MQ_9.1.4_LINUX_X86-64.tar.gz`) in the `downloads` directory
-3. Login to the Red Hat Registry: `docker login registry.redhat.io` using your Customer Portal credentials.
+2. Download MQ from [IBM Passport Advantage](https://www.ibm.com/software/passportadvantage/). Identify the correct 'Long Term Support Release for Containers' eImage part number for your architecture from the 9.3.0 LTS tab at https://www.ibm.com/support/pages/downloading-ibm-mq-930
+3. Ensure the `tar.gz` file is in the `downloads` directory
 4. Run `make build-advancedserver`

-> **Warning**: Note that MQ offers two different sets of packaging on Linux: one is called "MQ for Linux" and contains RPM files for installing on Red Hat Enterprise Linux and SUSE Linux Enterprise Server; the other is for Ubuntu.  The MQ container build uses a Red Hat Universal Base Image, so you need the "MQ for Linux" RPM files.
-
 If you have an MQ archive file with a different file name, you can specify a particular file (which must be in the `downloads` directory).  You should also specify the MQ version, so that the resulting image is tagged correctly, for example:

 ```bash
 MQ_ARCHIVE=mq-1.2.3.4.tar.gz MQ_VERSION=1.2.3.4 make build-advancedserver
 ```

+### Building previous MQ Long Term Support (LTS)
+
+**Note**: MQ 9.3 is the latest MQ version with MQ Long Term Support (LTS), as well as being the latest Continuous Delivery (CD) version. Therefore, to build build 9.3.0.X, follow the [instructions above for MQ 9.3](#building-mq-93-long-term-support-lts-and-continuous-delivery-cd).
+
+However, if you wish to build the previous MQ LTS, use the [instructions](/../9.2.0.x/docs/building.md#mq-long-term-support-lts) in the `v9.2.0.x-eus` branch.
+
+
 ## Building a developer image

-Login to the Red Hat Registry: `docker login registry.redhat.io` using your Customer Portal credentials.
 Run `make build-devserver`, which will download the latest version of MQ Advanced for Developers from IBM developerWorks.  This is currently only available on the `amd64` architecture.

 You can use the environment variable `MQ_ARCHIVE_DEV` to specify an alternative local file to install from (which must be in the `downloads` directory).

 ## Installed components

-This image includes the core MQ server, Java, language packs, GSKit, and web server.  This can be configured by setting the `MQ_PACKAGES` argument to `make`.
+This image includes the core MQ server, Java, language packs, GSKit, and web server.  This is configured in the `Generate MQ package in INSTALLATION_DIR` section [here](../install-mq.sh), with the configured options being picked up at build time.
--- a/docs/developer-config.md
+++ b/docs/developer-config.md
@@ -9,14 +9,12 @@ The MQ Developer Defaults supports some customization options, these are all con
 * **MQ_DEV** - Set this to `false` to stop the default objects being created.
 * **MQ_ADMIN_PASSWORD** - Changes the password of the `admin` user. Must be at least 8 characters long.
 * **MQ_APP_PASSWORD** - Changes the password of the app user. If set, this will cause the `DEV.APP.SVRCONN` channel to become secured and only allow connections that supply a valid userid and password. Must be at least 8 characters long.
-* **MQ_TLS_KEYSTORE** - **DEPRECATED**. See section `Supplying TLS certificates` in [usage document](usage.md).  Allows you to supply the location of a PKCS#12 keystore containing a single certificate which you want to use in both the web console and the queue manager. Requires `MQ_TLS_PASSPHRASE`. When enabled the channels created will be secured using the `TLS_RSA_WITH_AES_128_CBC_SHA256` CipherSpec. *Note*: you will need to make the keystore available inside your container, this can be done by mounting a volume to your container.
-* **MQ_TLS_PASSPHRASE** - **DEPRECATED**. See section `Supplying TLS certificates` in [usage document](usage.md). Passphrase for the keystore referenced in `MQ_TLS_KEYSTORE`.

 ## Details of the default configuration

 The following users are created:

-* User **admin** for administration (in the `mqm` group).  Default password is **passw0rd**.
+* User **admin** for administration.  Default password is **passw0rd**.
 * User **app** for messaging (in a group called `mqclient`).  No password by default.

 Users in `mqclient` group have been given access connect to all queues and topics starting with `DEV.**` and have `put`, `get`, `pub`, `sub`, `browse` and `inq` permissions.
@@ -45,6 +43,6 @@ If you choose to accept the security warning, you will be presented with the log
 * **User:** admin
 * **Password:** passw0rd

-If you wish to change the password for the admin user, this can be done using the `MQ_ADMIN_PASSWORD` environment variable. If you supply a PKCS#12 keystore using the `MQ_TLS_KEYSTORE` environment variable, then the web console will be configured to use the certificate inside the keystore for HTTPS operations.
+If you wish to change the password for the admin user, this can be done using the `MQ_ADMIN_PASSWORD` environment variable.

 If you do not wish the web console to run, you can disable it by setting the environment variable `MQ_ENABLE_EMBEDDED_WEB_SERVER` to `false`.
--- a/docs/internals.md
+++ b/docs/internals.md
@@ -11,6 +11,7 @@ The resulting Docker image contains the following:
   - `runmqdevserver` - The main process for MQ Advanced for Developers
   - `chkmqhealthy` - Checks the health of the queue manager.  This can be used by (say) a Kubernetes liveness probe.
   - `chkmqready` - Checks if the queue manager is ready for work.  This can be used by (say) a Kubernetes readiness probe.
+   - `chkmqstarted` - Checks if the queue manager has successfully started.  This can be used by (say) a Kubernetes startup probe.

 ## runmqserver
 The `runmqserver` command has the following responsibilities:
--- a/docs/pluggable-connauth.md
+++ b/docs/pluggable-connauth.md
@@ -0,0 +1,29 @@
+
+### Queue Manager Connection Authentication using a htpasswd file
+
+This pluggable authentication mode is to allow developers using the mq-container developer image to define users and their credentials into a .htpasswd file.  This is in addition to the existing methods of MQ Connection Authentication (`CONNAUTH`) using Operating System or LDAP users.
+
+**Please note:**
+1. This new feature is enabled only when environment variable `--env MQ_CONNAUTH_USE_HTP=true` is set while creating a container.
+2. When enabled, the `AuthType` value of the ConnectionAuthentication (`CONNAUTH`) is ignored and htpasswd mode is used. However, the MQ authority records created using (`SETMQAUT` or `AUTHREC`) will be in effect while using the htpasswd mode.
+3. Channel Authentication records (`CHLAUTH`) will be in effect while using the htpasswd mode.
+4. Passwords should be encrypted using bcrypt (golang.org/x/crypto/bcrypt).
+5. This is developer only feature and not recommended for use in Production.
+
+### Preparing htpasswd file
+
+ 1. A default `mq.htpasswd` file is provided and placed under /etc/mqm/ directory inside the container.
+ 2. You can set the password for user `admin` by setting the environment variable `MQ_ADMIN_PASSWORD`.
+ 3. You can add user `app` into mq.htpasswd file by setting the environment variable `MQ_APP_PASSWORD`. This user `app` can be used to access `DEV.*` objects of the queue manager.
+
+#### Next Steps:
+
+Use an administrative tool or your application to connect to queue manager using the credentials defined in the mq.htpasswd file.  
+
+**Please note**: When an authentication request is made with a userid that is not defined in the `mq.htpasswd` file, then the authentication process is delegated to queue manager to handle. This will then use `IDPWOS` or `LDAP` modes for further processing.
+
+#### Troubleshooting
+
+A log file named `mqhtpass.log` is generated under `/var/mqm/errors` directory path of the container.  This file will contain all the failed connection authentication requests.  Additional information is logged to this file if the environment variable `DEBUG` is set to `true`.
+
+**Please note**: This log file will be wiped when the queue manager is next started.
--- a/docs/security.md
+++ b/docs/security.md
@@ -4,7 +4,7 @@

 ### User

-The MQ server image is run using the "mqm" user, with a fixed UID and GID of 888.
+The MQ server image is run using with UID 1001, though this can be any UID, with a fixed GID of 0 (root).

 ### Capabilities

@@ -16,24 +16,5 @@ docker run \
  --env LICENSE=accept \
  --env MQ_QMGR_NAME=QM1 \
  --detach \
-  mqadvanced-server:9.1.4.0-amd64
+  ibm-mqadvanced-server:9.3.0.5-amd64
 ```
-
-The MQ Advanced for Developers image does require the "chown", "setuid", "setgid" and "audit_write" capabilities (plus "dac_override" if you're using an image based on Red Hat Enterprise Linux).  This is because it uses the "sudo" command to change passwords inside the container.  For example, in Docker, you could do the following:
-
-```sh
-docker run \
-  --cap-drop=ALL \
-  --cap-add=CHOWN \
-  --cap-add=SETUID \
-  --cap-add=SETGID \
-  --cap-add=AUDIT_WRITE \
-  --env LICENSE=accept \
-  --env MQ_QMGR_NAME=QM1 \
-  --detach \
-  mqadvanced-server-dev:9.1.4.0-amd64
-```
-
-### SELinux
-
-The SELinux label "spc_t" (super-privileged container) is needed to run the MQ container on a host with SELinux enabled.  This is due to a current limitation in how MQ data is stored on volumes, which violates the usual policy applied when using the standard "container_t" label.
--- a/docs/testing.md
+++ b/docs/testing.md
@@ -2,10 +2,9 @@

 ## Prerequisites
 You need to ensure you have the following tools installed:
-* [Docker](https://www.docker.com/)
+* [Docker](https://www.docker.com/) 19.03 or higher (API version 1.40)
 * [GNU make](https://www.gnu.org/software/make/)
 * [Go](https://golang.org/) - only needed for running the tests
-* [dep](https://github.com/golang/dep) (official Go dependency management tool) - needed to prepare for running the tests

 ## Running the tests
 There are two main sets of tests:
@@ -14,29 +13,30 @@ There are two main sets of tests:
 2. Docker tests, which test a complete Docker image, using the Docker API

 ### Running the Docker tests
-The Docker tests can be run locally on a machine with Docker.  For example:
+
+The Docker tests can be run locally on a machine with Docker. For example:

 ```
-make test-devserver
-make test-advancedserver
+make devserver
+make advancedserver
 ```

 You can specify the image to use directly by using the `MQ_IMAGE_ADVANCEDSERVER` or `MQ_IMAGE_DEVSERVER` variables, for example:

 ```
-MQ_IMAGE_ADVANCEDSERVER=mqadvanced-server:9.1.4.0-amd64 make test-advancedserver
+MQ_IMAGE_ADVANCEDSERVER=ibm-mqadvanced-server:9.3.0.5-amd64 make test-advancedserver
 ```

-You can pass parameters to `go test` with an environment variable.  For example, to run the "TestGoldenPath" test, run the following command::
+You can pass parameters to `go test` with an environment variable.  For example, to run the "TestGoldenPath" test, run the following command:

 ```
 TEST_OPTS_DOCKER="-run TestGoldenPath" make test-advancedserver
 ```

-You can also use the same environment variables you specified when [building](./building), for example, the following will try and test an image called `mqadvanced-server:9.1.4.0-amd64`:
+You can also use the same environment variables you specified when [building](./building), for example, the following will try and test an image called `ibm-mqadvanced-server:9.2.0.0-amd64`:

 ```
-MQ_VERSION=9.1.4.0 make test-advancedserver
+MQ_VERSION=9.2.0.0 make test-advancedserver
 ```

 ### Running the Docker tests with code coverage
@@ -48,12 +48,3 @@ make test-advancedserver-cover
 ```

 In order to generate code coverage metrics from the Docker tests, the build step creates a new Docker image with an instrumented version of the code.  Each test is then run individually, producing a coverage report each under `test/docker/coverage/`.  These individual reports are then combined.  The combined report is written to the `coverage` directory.
-
-
-### Running the Kubernetes tests
-
-For the Kubernetes tests, you need to have built the Docker image, and pushed it to the registry used by your Kubernetes cluster.  Most of the configuration used by the tests is picked up from your `kubectl` configuration, but you will typically need to specify the image details.  For example:
-
-```bash
-MQ_IMAGE=mycluster.icp:8500/default/mq-devserver make test-kubernetes-devserver
-```
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -14,7 +14,7 @@ docker run \
  --publish 1414:1414 \
  --publish 9443:9443 \
  --detach \
-  ibmcom/mq
+  icr.io/ibm-messaging/mq
 ```

 ## Running with the default configuration and a volume
@@ -34,7 +34,7 @@ docker run \
  --publish 9443:9443 \
  --detach \
  --volume qm1data:/mnt/mqm \
-  ibmcom/mq
+  icr.io/ibm-messaging/mq
 ```

 The Docker image always uses `/mnt/mqm` for MQ data, which is correctly linked for you under `/var/mqm` at runtime.  This is to handle problems with file permissions on some platforms.
@@ -51,7 +51,7 @@ docker run \
  --publish 9443:9443 \
  --publish 9157:9157 \
  --detach \
-  ibmcom/mq
+  icr.io/ibm-messaging/mq
 ```

 ## Customizing the queue manager configuration
@@ -60,23 +60,18 @@ You can customize the configuration in several ways:

 1. For getting started, you can use the [default developer configuration](developer-config.md), which is available out-of-the-box for the MQ Advanced for Developers image
 2. By creating your own image and adding your own MQSC file into the `/etc/mqm` directory on the image.  This file will be run when your queue manager is created.
-3. By using [remote MQ administration](https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.adm.doc/q021090_.htm), via an MQ command server, the MQ HTTP APIs, or using a tool such as the MQ web console or MQ Explorer.
+3. By using [remote MQ administration](https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.3.0/com.ibm.mq.adm.doc/q021090_.htm), via an MQ command server, the MQ HTTP APIs, or using a tool such as the MQ web console or MQ Explorer.

 Note that a listener is always created on port 1414 inside the container.  This port can be mapped to any port on the Docker host.

-The following is an *example* `Dockerfile` for creating your own pre-configured image, which adds a custom MQ configuration file, and an administrative user `alice`.  Note that it is not normally recommended to include passwords in this way:
+The following is an *example* `Dockerfile` for creating your own pre-configured image, which adds a custom MQ configuration file:

 ```dockerfile
-FROM ibmcom/mq
-USER root
-RUN useradd alice -G mqm && \
-    echo alice:passw0rd | chpasswd
-USER mqm
+FROM icr.io/ibm-messaging/mq
+USER 1001
 COPY 20-config.mqsc /etc/mqm/
 ```

-The `USER` instructions are necessary to ensure that the `useradd` and `chpasswd` commands are run as the root user.
-
 Here is an example corresponding `20-config.mqsc` script, which creates two local queues:

 ```mqsc
--- a/etc/mqm/mq.htpasswd
+++ b/etc/mqm/mq.htpasswd
@@ -0,0 +1,2 @@
+admin:$2y$05$M/C1U62RZ6q1kv4E7.S7ueNESJmFe85RsZcoMUReRXUDB8QcP3yqS
+app:$2y$05$BnbPtcjXTjk5JRJ8gzHqIuHgoQbLF3qtbPV3Q3tLyr0XJNg.7dkxW
--- a/etc/mqm/qm-service-component.ini
+++ b/etc/mqm/qm-service-component.ini
@@ -0,0 +1,11 @@
+ServiceComponent:
+    Service=AuthorizationService
+    Name=Dev.HtpAuth.Service
+    Module=/opt/mqm/lib64/mqhtpass.so
+    ComponentDataSize=0
+ServiceComponent:
+   Service=AuthorizationService
+   Name=MQSeries.UNIX.auth.service
+   Module=amqzfu
+   ComponentDataSize=0
+
--- a/go.mod
+++ b/go.mod
@@ -0,0 +1,24 @@
+module github.com/ibm-messaging/mq-container
+
+go 1.19
+
+require (
+	github.com/genuinetools/amicontained v0.4.3
+	github.com/ibm-messaging/mq-golang v2.0.0+incompatible
+	github.com/prometheus/client_golang v1.11.1
+	github.com/prometheus/client_model v0.2.0
+	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
+	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1
+	software.sslmate.com/src/go-pkcs12 v0.0.0-20200830195227-52f69702a001
+)
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/golang/protobuf v1.4.3 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/prometheus/common v0.26.0 // indirect
+	github.com/prometheus/procfs v0.6.0 // indirect
+	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
+	google.golang.org/protobuf v1.26.0-rc.1 // indirect
+)
--- a/go.sum
+++ b/go.sum
@@ -0,0 +1,149 @@
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/genuinetools/amicontained v0.4.3 h1:cqq9XiAHfWWY3dk8VU8bSJFu9yh8Il5coEdeTAPq72o=
+github.com/genuinetools/amicontained v0.4.3/go.mod h1:PAMZkg9CcUTa6gNyULQ6tOMTMEb2HTKJufvKeFqDw+o=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/ibm-messaging/mq-golang v2.0.0+incompatible h1:xAufRPYSzoRGaME2+x7LcW5+uvy/G3xL/3Sn3u+G/lY=
+github.com/ibm-messaging/mq-golang v2.0.0+incompatible/go.mod h1:qjsZDb7m1oKnbPeDma2JVJTKgyCA91I4bcJ1qHY+gcA=
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
+github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
+github.com/prometheus/client_golang v1.11.1 h1:+4eQaD7vAZ6DsfsxB15hbE0odUjGI5ARs9yskGu1v4s=
+github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M=
+github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
+github.com/prometheus/common v0.26.0 h1:iMAkS2TDoNWnKM+Kopnx/8tnEStIfpYA0ur0xQzzhMQ=
+github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
+github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4=
+github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.26.0-rc.1 h1:7QnIQpGRHE5RnLKnESfDoxm2dTapTZua5a0kS0A+VXQ=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20200830195227-52f69702a001 h1:AVd6O+azYjVQYW1l55IqkbL8/JxjrLtO6q4FCmV8N5c=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20200830195227-52f69702a001/go.mod h1:/xvNRWUqm0+/ZMiF4EX00vrSCMsE4/NHb+Pt3freEeQ=
--- a/ha/native-ha.ini.tpl
+++ b/ha/native-ha.ini.tpl
@@ -0,0 +1,18 @@
+NativeHALocalInstance:
+  Name={{ .Name }}
+  {{ if .CertificateLabel }}
+  CertificateLabel={{ .CertificateLabel }}
+  KeyRepository={{ .KeyRepository }}
+  {{ if .CipherSpec }}
+  CipherSpec={{ .CipherSpec }}
+  {{- end }}
+  {{- end }}
+NativeHAInstance:
+  Name={{ .NativeHAInstance0_Name }}
+  ReplicationAddress={{ .NativeHAInstance0_ReplicationAddress }}
+NativeHAInstance:
+  Name={{ .NativeHAInstance1_Name }}
+  ReplicationAddress={{ .NativeHAInstance1_ReplicationAddress }}
+NativeHAInstance:
+  Name={{ .NativeHAInstance2_Name }}
+  ReplicationAddress={{ .NativeHAInstance2_ReplicationAddress }}
--- a/incubating/mqadvanced-server-dev/10-dev.mqsc.tpl
+++ b/incubating/mqadvanced-server-dev/10-dev.mqsc.tpl
@@ -40,8 +40,9 @@ SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-sto
 SET CHLAUTH('DEV.APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT({{ .ChckClnt }}) DESCR('Allows connection via APP channel') ACTION(REPLACE)
 SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') DESCR('Allows admins on ADMIN channel') ACTION(REPLACE)
 SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(CHANNEL) DESCR('Allows admin user to connect via ADMIN channel') ACTION(REPLACE)
+SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(MAP) MCAUSER ('mqm') DESCR ('Allow admin as MQ-admin') ACTION(REPLACE)

 * Developer authority records
-SET AUTHREC GROUP('mqclient') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)
-SET AUTHREC PROFILE('DEV.**') GROUP('mqclient') OBJTYPE(QUEUE) AUTHADD(BROWSE,GET,INQ,PUT)
-SET AUTHREC PROFILE('DEV.**') GROUP('mqclient') OBJTYPE(TOPIC) AUTHADD(PUB,SUB)
+SET AUTHREC PRINCIPAL('app') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)
+SET AUTHREC PROFILE('DEV.**') PRINCIPAL('app') OBJTYPE(QUEUE) AUTHADD(BROWSE,GET,INQ,PUT)
+SET AUTHREC PROFILE('DEV.**') PRINCIPAL('app') OBJTYPE(TOPIC) AUTHADD(PUB,SUB)
--- a/incubating/mqadvanced-server-dev/20-dev-tls.mqsc.tpl
+++ b/incubating/mqadvanced-server-dev/20-dev-tls.mqsc.tpl
@@ -1,4 +1,4 @@
-* © Copyright IBM Corporation 2018, 2019
+* © Copyright IBM Corporation 2018, 2022
 *
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,5 +14,5 @@
 * limitations under the License.

 * Set the cipherspec for dev channels
-ALTER CHANNEL('DEV.APP.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH(ANY_TLS12) SSLCAUTH(OPTIONAL)
-ALTER CHANNEL('DEV.ADMIN.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH(ANY_TLS12) SSLCAUTH(OPTIONAL)
+ALTER CHANNEL('DEV.APP.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH(ANY_TLS12_OR_HIGHER) SSLCAUTH(OPTIONAL)
+ALTER CHANNEL('DEV.ADMIN.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH(ANY_TLS12_OR_HIGHER) SSLCAUTH(OPTIONAL)
--- a/incubating/mqadvanced-server-dev/install-extra-packages.sh
+++ b/incubating/mqadvanced-server-dev/install-extra-packages.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # -*- mode: sh -*-
-# © Copyright IBM Corporation 2019
+# © Copyright IBM Corporation 2019, 2021
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -25,17 +25,17 @@ test -f /usr/bin/apt-get && UBUNTU=true || UBUNTU=false
 if ($UBUNTU); then
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
-    apt-get install -y --no-install-recommends sudo
+    apt-get install -y --no-install-recommends libaprutil1
    rm -rf /var/lib/apt/lists/*
 fi

 if ($YUM); then
-    yum -y install sudo
+    yum -y install apr-util-openssl
    yum -y clean all
    rm -rf /var/cache/yum/*
 fi

 if ($MICRODNF); then
-    microdnf install sudo
-    microdnf clean all
+    microdnf --disableplugin=subscription-manager install apr-util-openssl
+    microdnf --disableplugin=subscription-manager clean all
 fi
--- a/incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/mqwebuser.xml
+++ b/incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/mqwebuser.xml
@@ -36,5 +36,9 @@
    </basicRegistry>
    <variable name="httpHost" value="*"/>
    <variable name="managementMode" value="externallyprovisioned"/>
+    <variable name="mqConsoleRemoteSupportEnabled" value="false"/>
+    <variable name="mqConsoleEnableUnsafeInline" value="true"/>
+    <jndiEntry jndiName="mqConsoleDefaultCCDTHostname" value="${env.MQ_CONSOLE_DEFAULT_CCDT_HOSTNAME}"/>
+    <jndiEntry jndiName="mqConsoleDefaultCCDTPort" value="${env.MQ_CONSOLE_DEFAULT_CCDT_PORT}"/>
    <include location="tls.xml"/>
 </server>
--- a/install-build-deps.sh
+++ b/install-build-deps.sh
@@ -21,6 +21,8 @@ set -ex

 sudo curl -Lo /usr/local/bin/dep https://github.com/golang/dep/releases/download/v0.5.1/dep-linux-$ARCH
 sudo chmod +x /usr/local/bin/dep
+sudo apt-get update || :
+sudo apt-get install -y jq

-go get -u golang.org/x/lint/golint
-curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin 2.0.0 || echo "Gosec not installed. Platform may not be supported."
+go install golang.org/x/lint/golint@latest
+curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin v2.14.0 || echo "Gosec not installed. Platform may not be supported."
--- a/install-mq-server-prereqs.sh
+++ b/install-mq-server-prereqs.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # -*- mode: sh -*-
-# © Copyright IBM Corporation 2015, 2019
+# © Copyright IBM Corporation 2015, 2021
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -63,10 +63,10 @@ if ($UBUNTU); then
 fi

 if ($RPM); then
-  EXTRA_RPMS="bash bc ca-certificates file findutils gawk glibc-common grep passwd procps-ng sed shadow-utils tar util-linux which"
+  EXTRA_RPMS="bash bc ca-certificates file findutils gawk glibc-common grep ncurses-compat-libs passwd procps-ng sed shadow-utils tar util-linux which"
  # Install additional packages required by MQ, this install process and the runtime scripts
  $YUM && yum -y install --setopt install_weak_deps=false ${EXTRA_RPMS}
-  $MICRODNF && microdnf install ${EXTRA_RPMS}
+  $MICRODNF && microdnf --disableplugin=subscription-manager install ${EXTRA_RPMS}
 fi

 # Apply any bug fixes not included in base Ubuntu or MQ image.
@@ -78,4 +78,4 @@ $UBUNTU && apt-get install -y libapparmor1 libsystemd0 systemd systemd-sysv libu
 $UBUNTU && rm -rf /var/lib/apt/lists/*
 $YUM && yum -y clean all
 $YUM && rm -rf /var/cache/yum/*
-$MICRODNF && microdnf clean all
+$MICRODNF && microdnf --disableplugin=subscription-manager clean all
--- a/install-mq.sh
+++ b/install-mq.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # -*- mode: sh -*-
-# © Copyright IBM Corporation 2015, 2019
+# © Copyright IBM Corporation 2015, 2022
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,74 +18,64 @@
 # Fail on any non-zero return code
 set -ex

-mqm_uid=${1:-888}
-
-test -f /usr/bin/yum && YUM=true || YUM=false
-test -f /usr/bin/microdnf && MICRODNF=true || MICRODNF=false
 test -f /usr/bin/rpm && RPM=true || RPM=false
 test -f /usr/bin/apt-get && UBUNTU=true || UBUNTU=false

-# Download and extract the MQ installation files
-DIR_EXTRACT=/tmp/mq
-mkdir -p ${DIR_EXTRACT}
-cd ${DIR_EXTRACT}
-curl -LO $MQ_URL
-tar -zxf ./*.tar.gz
+# Download and extract the MQ unzippable server
+DIR_TMP=/tmp/mq
+mkdir -p ${DIR_TMP}
+cd ${DIR_TMP}
+curl --fail --location $MQ_URL | tar --extract --gunzip
+ls -la ${DIR_TMP}

-# Recommended: Create the mqm user ID with a fixed UID and group, so that the file permissions work between different images
-groupadd --system --gid ${mqm_uid} mqm
-useradd --system --uid ${mqm_uid} --gid mqm --groups 0 mqm
-
-# Find directory containing .deb files
-$UBUNTU && DIR_DEB=$(find ${DIR_EXTRACT} -name "*.deb" -printf "%h\n" | sort -u | head -1)
-$RPM && DIR_RPM=$(find ${DIR_EXTRACT} -name "*.rpm" -printf "%h\n" | sort -u | head -1)
-# Find location of mqlicense.sh
-MQLICENSE=$(find ${DIR_EXTRACT} -name "mqlicense.sh")
+# Generate MQ package in INSTALLATION_DIR
+export genmqpkg_inc32=0
+export genmqpkg_incadm=1
+export genmqpkg_incamqp=0
+export genmqpkg_incams=1
+export genmqpkg_inccbl=0
+export genmqpkg_inccics=0
+export genmqpkg_inccpp=0
+export genmqpkg_incdnet=0
+export genmqpkg_incjava=1
+export genmqpkg_incjre=1
+export genmqpkg_incman=0
+export genmqpkg_incmqbc=0
+export genmqpkg_incmqft=0
+export genmqpkg_incmqsf=0
+export genmqpkg_incmqxr=0
+export genmqpkg_incnls=1
+export genmqpkg_incras=1
+export genmqpkg_incsamp=1
+export genmqpkg_incsdk=0
+export genmqpkg_inctls=1
+export genmqpkg_incunthrd=0
+export genmqpkg_incweb=1
+export INSTALLATION_DIR=/opt/mqm
+${DIR_TMP}/bin/genmqpkg.sh -b ${INSTALLATION_DIR}
+ls -la ${INSTALLATION_DIR}
+rm -rf ${DIR_TMP}

 # Accept the MQ license
-${MQLICENSE} -text_only -accept
-$UBUNTU && echo "deb [trusted=yes] file:${DIR_DEB} ./" > /etc/apt/sources.list.d/IBM_MQ.list
-
-# Install MQ using the DEB packages
-$UBUNTU && apt-get update
-$UBUNTU && apt-get install -y $MQ_PACKAGES
-
-$RPM && cd $DIR_RPM && rpm -ivh $MQ_PACKAGES
-
-# Remove 32-bit libraries from 64-bit container
-# The "file" utility isn't installed by default in UBI, so only try this if it's installed
-which file && find /opt/mqm /var/mqm -type f -exec file {} \; | awk -F: '/ELF 32-bit/{print $1}' | xargs --no-run-if-empty rm -f
-
-# Remove tar.gz files unpacked by RPM postinst scripts
-find /opt/mqm -name '*.tar.gz' -delete
-
-# Recommended: Set the default MQ installation (makes the MQ commands available on the PATH)
-/opt/mqm/bin/setmqinst -p /opt/mqm -i
-
-# Clean up all the downloaded files
-$UBUNTU && rm -f /etc/apt/sources.list.d/IBM_MQ.list
-rm -rf ${DIR_EXTRACT}
+${INSTALLATION_DIR}/bin/mqlicense -accept

 # Optional: Update the command prompt with the MQ version
 $UBUNTU && echo "mq:$(dspmqver -b -f 2)" > /etc/debian_chroot

-# Remove the directory structure under /var/mqm which was created by the installer
-rm -rf /var/mqm
-
 # Create the mount point for volumes, ensuring MQ has permissions to all directories
-install --directory --mode 0775 --owner mqm --group root /mnt
-install --directory --mode 0775 --owner mqm --group root /mnt/mqm
-install --directory --mode 0775 --owner mqm --group root /mnt/mqm/data
-install --directory --mode 0775 --owner mqm --group root /mnt/mqm-log
-install --directory --mode 0775 --owner mqm --group root /mnt/mqm-log/log
-install --directory --mode 0775 --owner mqm --group root /mnt/mqm-data
-install --directory --mode 0775 --owner mqm --group root /mnt/mqm-data/qmgrs
+install --directory --mode 2775 --owner 1001 --group root /mnt
+install --directory --mode 2775 --owner 1001 --group root /mnt/mqm
+install --directory --mode 2775 --owner 1001 --group root /mnt/mqm/data
+install --directory --mode 2775 --owner 1001 --group root /mnt/mqm-log
+install --directory --mode 2775 --owner 1001 --group root /mnt/mqm-log/log
+install --directory --mode 2775 --owner 1001 --group root /mnt/mqm-data
+install --directory --mode 2775 --owner 1001 --group root /mnt/mqm-data/qmgrs

 # Create the directory for MQ configuration files
-install --directory --mode 0775 --owner mqm --group root /etc/mqm
+install --directory --mode 2775 --owner 1001 --group root /etc/mqm

 # Create the directory for MQ runtime files
-install --directory --mode 0775 --owner mqm --group root /run/mqm
+install --directory --mode 2775 --owner 1001 --group root /run/mqm

 # Create a symlink for /var/mqm -> /mnt/mqm/data
 ln -s /mnt/mqm/data /var/mqm
@@ -101,8 +91,8 @@ $RPM && PAM_FILE=/etc/pam.d/password-auth
 sed -i 's/password\t\[success=1 default=ignore\]\tpam_unix\.so obscure sha512/password\t[success=1 default=ignore]\tpam_unix.so obscure sha512 minlen=8/' $PAM_FILE

 # List all the installed packages, for the build log
-$RPM && rpm -q --all || true
-$UBUNTU && dpkg --list || true
+$RPM && (rpm -q --all | sort) || true
+$UBUNTU && (dpkg --list | sort) || true

 #Update the license file to include UBI 8 instead of UBI 7
 sed -i 's/v7.0/v8.0/g' /opt/mqm/licenses/non_ibm_license.txt
@@ -110,4 +100,3 @@ sed -i 's/v7.0/v8.0/g' /opt/mqm/licenses/non_ibm_license.txt
 # Copy MQ Licenses into the correct location
 mkdir -p /licenses
 cp /opt/mqm/licenses/*.txt /licenses/
-
--- a/internal/command/command.go
+++ b/internal/command/command.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2018
+© Copyright IBM Corporation 2017, 2020

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,9 +20,6 @@ package command
 import (
 	"fmt"
 	"os/exec"
-	"os/user"
-	"strconv"
-	"syscall"
 )

 // Run runs an OS command.  On Linux it waits for the command to
@@ -40,33 +37,3 @@ func Run(name string, arg ...string) (string, int, error) {
 	}
 	return string(out), rc, nil
 }
-
-// RunAsMQM runs the specified command as the mqm user
-func RunAsMQM(name string, arg ...string) (string, int, error) {
-	// #nosec G204
-	cmd := exec.Command(name, arg...)
-	cmd.SysProcAttr = &syscall.SysProcAttr{}
-	uid, gid, err := LookupMQM()
-	if err != nil {
-		return "", 0, err
-	}
-	cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)}
-	return Run(name, arg...)
-}
-
-// LookupMQM looks up the UID & GID of the mqm user
-func LookupMQM() (int, int, error) {
-	mqm, err := user.Lookup("mqm")
-	if err != nil {
-		return -1, -1, err
-	}
-	mqmUID, err := strconv.Atoi(mqm.Uid)
-	if err != nil {
-		return -1, -1, err
-	}
-	mqmGID, err := strconv.Atoi(mqm.Gid)
-	if err != nil {
-		return -1, -1, err
-	}
-	return mqmUID, mqmGID, nil
-}
--- a/internal/copy/copy.go
+++ b/internal/copy/copy.go
@@ -36,12 +36,15 @@ func CopyFileMode(src, dest string, perm os.FileMode) error {
 	if err != nil {
 		return fmt.Errorf("failed to open %s for copy: %v", src, err)
 	}
+	// #nosec G307 - local to this function, pose no harm.
 	defer in.Close()

+	// #nosec G304 - this func creates based on the input filemode.
 	out, err := os.OpenFile(dest, os.O_CREATE|os.O_WRONLY, perm)
 	if err != nil {
 		return fmt.Errorf("failed to open %s for copy: %v", dest, err)
 	}
+	// #nosec G307 - local to this function, pose no harm.
 	defer out.Close()

 	_, err = io.Copy(out, in)
--- a/internal/ha/ha.go
+++ b/internal/ha/ha.go
@@ -0,0 +1,68 @@
+/*
+© Copyright IBM Corporation 2020, 2021
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package ha contains code for high availability
+package ha
+
+import (
+	"os"
+
+	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
+	"github.com/ibm-messaging/mq-container/internal/tls"
+	"github.com/ibm-messaging/mq-container/pkg/logger"
+)
+
+// ConfigureNativeHA configures native high availability
+func ConfigureNativeHA(log *logger.Logger) error {
+
+	file := "/etc/mqm/native-ha.ini"
+	templateFile := file + ".tpl"
+
+	templateMap := map[string]string{}
+	templateMap["Name"] = os.Getenv("HOSTNAME")
+	templateMap["NativeHAInstance0_Name"] = os.Getenv("MQ_NATIVE_HA_INSTANCE_0_NAME")
+	templateMap["NativeHAInstance1_Name"] = os.Getenv("MQ_NATIVE_HA_INSTANCE_1_NAME")
+	templateMap["NativeHAInstance2_Name"] = os.Getenv("MQ_NATIVE_HA_INSTANCE_2_NAME")
+	templateMap["NativeHAInstance0_ReplicationAddress"] = os.Getenv("MQ_NATIVE_HA_INSTANCE_0_REPLICATION_ADDRESS")
+	templateMap["NativeHAInstance1_ReplicationAddress"] = os.Getenv("MQ_NATIVE_HA_INSTANCE_1_REPLICATION_ADDRESS")
+	templateMap["NativeHAInstance2_ReplicationAddress"] = os.Getenv("MQ_NATIVE_HA_INSTANCE_2_REPLICATION_ADDRESS")
+
+	if os.Getenv("MQ_NATIVE_HA_TLS") == "true" {
+		keyLabel, _, _, err := tls.ConfigureHATLSKeystore()
+		if err != nil {
+			return err
+		}
+		templateMap["CertificateLabel"] = keyLabel
+
+		keyRepository, ok := os.LookupEnv("MQ_NATIVE_HA_KEY_REPOSITORY")
+		if !ok {
+			keyRepository = "/run/runmqserver/ha/tls/key"
+		}
+		templateMap["KeyRepository"] = keyRepository
+
+		cipherSpec, ok := os.LookupEnv("MQ_NATIVE_HA_CIPHERSPEC")
+		if ok {
+			templateMap["CipherSpec"] = cipherSpec
+		}
+	}
+
+	err := mqtemplate.ProcessTemplateFile(templateFile, file, templateMap, log)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/internal/htpasswd/htpasswd.go
+++ b/internal/htpasswd/htpasswd.go
@@ -0,0 +1,113 @@
+/*
+© Copyright IBM Corporation 2020, 2021
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+//This is a developer only configuration and not recommended for production usage.
+
+package htpasswd
+
+import (
+	"fmt"
+	"io/ioutil"
+	"strings"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+type mapHtPasswd map[string]string
+
+func encryptPassword(password string) (string, error) {
+	passwordBytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return "", err
+	}
+	return string(passwordBytes), nil
+}
+
+// SetPassword sets encrypted password for the user into htpasswd file
+func SetPassword(user string, password string, isTest bool) error {
+
+	if len(strings.TrimSpace(user)) == 0 || len(strings.TrimSpace(password)) == 0 {
+		return fmt.Errorf("UserId or Password are empty")
+	}
+
+	passwords := mapHtPasswd(map[string]string{})
+
+	// Read the password file
+	err := passwords.ReadHtPasswordFile(isTest)
+	if err != nil {
+		return err
+	}
+
+	pwd, err := encryptPassword(password)
+	if err != nil {
+		return err
+	}
+	// Set the new password
+	passwords[user] = pwd
+
+	// Update the password file
+	return passwords.updateHtPasswordFile(isTest)
+}
+
+// GetBytes return the Bytes representation of the htpassword file
+func (htpfile mapHtPasswd) GetBytes() (passwordBytes []byte) {
+	passwordBytes = []byte{}
+	for name, hash := range htpfile {
+		passwordBytes = append(passwordBytes, []byte(name+":"+hash+"\n")...)
+	}
+	return passwordBytes
+}
+
+// ReadHtPasswordFile parses the htpasswd file
+func (htpfile mapHtPasswd) ReadHtPasswordFile(isTest bool) error {
+
+	file := "/etc/mqm/mq.htpasswd"
+	if isTest {
+		file = "my.htpasswd"
+	}
+
+	pwdsBytes, err := ioutil.ReadFile(file)
+	if err != nil {
+		return err
+	}
+
+	lines := strings.Split(string(pwdsBytes), "\n")
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if len(line) == 0 {
+			continue
+		}
+		parts := strings.Split(line, ":")
+		if len(parts) != 2 {
+			continue
+		}
+		for i, part := range parts {
+			parts[i] = strings.TrimSpace(part)
+		}
+		htpfile[parts[0]] = parts[1]
+	}
+	return nil
+}
+
+func (htpfile mapHtPasswd) updateHtPasswordFile(isTest bool) error {
+
+	file := "/etc/mqm/mq.htpasswd"
+	if isTest {
+		file = "my.htpasswd"
+	}
+	// #nosec G306 - its a read by owner/s group, and pose no harm.
+	return ioutil.WriteFile(file, htpfile.GetBytes(), 0660)
+}
--- a/internal/keystore/keystore.go
+++ b/internal/keystore/keystore.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018, 2020

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -105,14 +105,6 @@ func (ks *KeyStore) Create() error {
 		return fmt.Errorf("error running \"%v -keydb -create\": %v %s", ks.command, err, out)
 	}

-	mqmUID, mqmGID, err := command.LookupMQM()
-	if err != nil {
-		return err
-	}
-	err = os.Chown(ks.Filename, mqmUID, mqmGID)
-	if err != nil {
-		return err
-	}
 	return nil
 }

@@ -130,14 +122,6 @@ func (ks *KeyStore) CreateStash() error {
 		}
 		return err
 	}
-	mqmUID, mqmGID, err := command.LookupMQM()
-	if err != nil {
-		return err
-	}
-	err = os.Chown(stashFile, mqmUID, mqmGID)
-	if err != nil {
-		return err
-	}
 	return nil
 }

--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@@ -23,9 +23,10 @@ import (
 	"net/http"
 	"time"

-	"github.com/ibm-messaging/mq-container/pkg/logger"
 	"github.com/ibm-messaging/mq-container/internal/ready"
+	"github.com/ibm-messaging/mq-container/pkg/logger"
 	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
 )

 const (
@@ -34,6 +35,8 @@ const (

 var (
 	metricsEnabled = false
+	// #nosec G112 - this needs investigation to find reasonable timeout.
+	// git-issue 233 to cover this..
 	metricsServer  = &http.Server{Addr: ":" + defaultPort}
 )

@@ -83,7 +86,7 @@ func startMetricsGathering(qmName string, log *logger.Logger) error {
 	}

 	// Setup HTTP server to handle requests from Prometheus
-	http.Handle("/metrics", prometheus.Handler())
+	http.Handle("/metrics", promhttp.Handler())
 	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(200)
 		// #nosec G104
--- a/internal/mqinimerge/mqat.ini
+++ b/internal/mqinimerge/mqat.ini
@@ -1,20 +0,0 @@
-#*******************************************************************#
-#* Module Name: mqat.ini                                           *#
-#* Type       : IBM MQ queue manager configuration file            *#
-#  Function   : Define the configuration of application activity   *#
-#*              trace for a single queue manager.                  *#
-#*******************************************************************#
-
-# Global settings stanza, default values
-AllActivityTrace:
-  ActivityInterval=1
-  ActivityCount=100
-  TraceLevel=MEDIUM
-  TraceMessageData=0
-  StopOnGetTraceMsg=ON
-  SubscriptionDelivery=BATCHED
-
-# Prevent the sample activity trace program from generating data
-ApplicationTrace:
-  ApplName=amqsact*
-  Trace=OFF
--- a/internal/mqinimerge/mqinimerge.go
+++ b/internal/mqinimerge/mqinimerge.go
@@ -1,352 +0,0 @@
-/*
-© Copyright IBM Corporation 2018, 2019
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package mqinimerge merges user-supplied INI files into qm.ini and mqat.ini
-package mqinimerge
-
-import (
-	"bufio"
-	"bytes"
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/ibm-messaging/mq-container/pkg/mqini"
-)
-
-var qmgrDir string
-
-var stanzasQMINI []string
-var stanzasMQATINI []string
-
-// AddStanzas reads supplied MQ INI configuration files and updates the stanzas
-// in the queue manager's INI configuration files.
-func AddStanzas(qmname string) error {
-	// Find the qmgr directory.
-	qm, err := mqini.GetQueueManager(qmname)
-	if err != nil {
-		return err
-	}
-	qmgrDir = mqini.GetDataDirectory(qm)
-	// Find the users ini configuration file
-	files, err := getIniFileList()
-	if err != nil {
-		return err
-	}
-	if len(files) > 1 {
-		msg := fmt.Sprintf("[ %v ]", files)
-		return errors.New("Only a single INI file can be provided. Following INI files were found:" + msg)
-	}
-	if len(files) == 0 {
-		// No INI file update required.
-		return nil
-	}
-
-	//read user supplied config file.
-	iniFileBytes, err := ioutil.ReadFile(files[0])
-	if err != nil {
-		return err
-	}
-	userconfig := string(iniFileBytes)
-	if len(userconfig) == 0 {
-		return nil
-	}
-
-	// Prepare a list of all supported stanzas
-	PopulateAllAvailableStanzas()
-
-	// Update the qmgr ini file with user config.
-	qminiConfiglist, qmatConfiglist, err := PrepareConfigStanzasToWrite(userconfig)
-	if err != nil {
-		return err
-	}
-	err = writeConfigStanzas(qminiConfiglist, qmatConfiglist)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// PopulateAllAvailableStanzas initializes the INI stanzas prescribed by MQ specification.
-func PopulateAllAvailableStanzas() {
-	stanzasQMINI = []string{"ExitPath",
-		"Log",
-		"Service",
-		"ServiceComponent",
-		"Channels",
-		"TCP",
-		"ApiExitLocal",
-		"AccessMode",
-		"RestrictedMode",
-		"XAResourceManager",
-		"DefaultBindType",
-		"SSL",
-		"DiagnosticMessages",
-		"Filesystem",
-		"Security",
-		"TuningParameters",
-		"ExitPropertiesLocal",
-		"LU62",
-		"NETBIOS"}
-
-	stanzasMQATINI = []string{"AllActivityTrace", "ApplicationTrace"}
-}
-
-// getIniFileList checks for the user supplied INI file in `/etc/mqm` directory.
-func getIniFileList() ([]string, error) {
-	fileList := []string{}
-	err := filepath.Walk("/etc/mqm", func(path string, f os.FileInfo, err error) error {
-		if strings.HasSuffix(path, ".ini") {
-			fileList = append(fileList, path)
-		}
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-	return fileList, nil
-}
-
-// PrepareConfigStanzasToWrite Reads through the user supplied INI config file and prepares list of
-// updates to be written into corresponding mq ini files (qm.ini and/or mqat.ini files)
-func PrepareConfigStanzasToWrite(userconfig string) ([]string, []string, error) {
-	var qminiConfigStr string
-	var mqatiniConfigStr string
-
-	//read the initial version.
-	// #nosec G304 - qmgrDir filepath is derived from dspmqinf
-	iniFileBytes, err := ioutil.ReadFile(filepath.Join(qmgrDir, "qm.ini"))
-	if err != nil {
-		return nil, nil, err
-	}
-	qminiConfigStr = string(iniFileBytes)
-	qminiConfiglist := strings.Split(qminiConfigStr, "\n")
-
-	// #nosec G304 - qmgrDir filepath is derived from dspmqinf
-	iniFileBytes, err = ioutil.ReadFile(filepath.Join(qmgrDir, "mqat.ini"))
-	if err != nil {
-		return nil, nil, err
-	}
-	mqatiniConfigStr = string(iniFileBytes)
-	qmatConfiglist := strings.Split(mqatiniConfigStr, "\n")
-
-	stanzaListMerge := make(map[string]strings.Builder)
-	stanzaListAppend := make(map[string]strings.Builder)
-	var sbAppend strings.Builder
-	var sbMerger strings.Builder
-
-	scanner := bufio.NewScanner(strings.NewReader(userconfig))
-	scanner.Split(bufio.ScanLines)
-	consumetoAppend := false
-	consumeToMerge := false
-	var stanza string
-
-	// Read through the user file and prepare what we want.
-	for scanner.Scan() {
-		//if this is comment or an empty line, ignore it.
-		if strings.HasPrefix(scanner.Text(), "#") || len(strings.TrimSpace(scanner.Text())) == 0 {
-			continue
-		}
-		//thumb rule - all stanzas have ":".
-		if strings.Contains(scanner.Text(), ":") {
-			stanza = strings.TrimSpace(scanner.Text())
-			consumetoAppend = false
-			consumeToMerge = false
-
-			// Check if this stanza exists in the qm.ini/mqat.ini files
-			if strings.Contains(qminiConfigStr, stanza) ||
-				(strings.Contains(mqatiniConfigStr, stanza) && !(strings.Contains(stanza, "ApplicationTrace"))) {
-				consumeToMerge = true
-				sbMerger = strings.Builder{}
-
-				stanzaListMerge[stanza] = sbMerger
-			} else {
-				consumetoAppend = true
-				sbAppend = strings.Builder{}
-				stanzaListAppend[stanza] = sbAppend
-			}
-		} else {
-			if consumetoAppend {
-				sb := stanzaListAppend[stanza]
-				_, err := sb.WriteString(scanner.Text() + "\n")
-				if err != nil {
-					return nil, nil, err
-				}
-				stanzaListAppend[stanza] = sb
-			}
-			if consumeToMerge {
-				sb := stanzaListMerge[stanza]
-				_, err := sb.WriteString(scanner.Text() + "\n")
-				if err != nil {
-					return nil, nil, err
-				}
-				stanzaListMerge[stanza] = sb
-			}
-		}
-	}
-
-	// do merge.
-	if len(stanzaListMerge) > 0 {
-		for key := range stanzaListMerge {
-			toWrite, filename := ValidateStanzaToWrite(key)
-			if toWrite {
-				attrList := stanzaListMerge[key]
-				switch filename {
-				case "qm.ini":
-					qminiConfiglist, err = prepareStanzasToMerge(key, attrList, qminiConfiglist)
-					if err != nil {
-						return nil, nil, err
-					}
-				case "mqat.ini":
-					qmatConfiglist, err = prepareStanzasToMerge(key, attrList, qmatConfiglist)
-					if err != nil {
-						return nil, nil, err
-					}
-				default:
-				}
-			}
-		}
-	}
-
-	// do append.
-	if len(stanzaListAppend) > 0 {
-		for key := range stanzaListAppend {
-			attrList := stanzaListAppend[key]
-			if strings.Contains(strings.Join(stanzasMQATINI, ", "), strings.TrimSuffix(strings.TrimSpace(key), ":")) {
-				qmatConfiglist = prepareStanzasToAppend(key, attrList, qmatConfiglist)
-			} else {
-				qminiConfiglist = prepareStanzasToAppend(key, attrList, qminiConfiglist)
-			}
-		}
-	}
-
-	return qminiConfiglist, qmatConfiglist, nil
-}
-
-// ValidateStanzaToWrite validates stanza to be written and the file it belongs to.
-func ValidateStanzaToWrite(stanza string) (bool, string) {
-	stanza = strings.TrimSuffix(strings.TrimSpace(stanza), ":")
-	if strings.Contains(strings.Join(stanzasQMINI, ", "), stanza) {
-		return true, "qm.ini"
-	} else if strings.Contains(strings.Join(stanzasMQATINI, ", "), stanza) {
-		return true, "mqat.ini"
-	} else {
-		return false, ""
-	}
-}
-
-// prepareStanzasToAppend Prepares list of stanzas that are to be appended into qm ini files(qm.ini/mqat.ini)
-func prepareStanzasToAppend(key string, attrList strings.Builder, iniConfigList []string) []string {
-	newVal := key + "\n" + attrList.String()
-	list := strings.Split(newVal, "\n")
-	iniConfigList = append(iniConfigList, list...)
-	return iniConfigList
-}
-
-// prepareStanzasToMerge Prepares list of stanzas that are to be updated into qm ini files(qm.ini/mqat.ini)
-// These stanzas are already present in mq ini files and their values have to be updated with user supplied ini.
-func prepareStanzasToMerge(key string, attrList strings.Builder, iniConfigList []string) ([]string, error) {
-
-	pos := -1
-	//find the index of current stanza in qm's ini file.
-	for i := 0; i < len(iniConfigList); i++ {
-		if strings.Contains(iniConfigList[i], key) {
-			pos = i
-			break
-		}
-	}
-
-	var appList strings.Builder
-	lineScanner := bufio.NewScanner(strings.NewReader(attrList.String()))
-	lineScanner.Split(bufio.ScanLines)
-
-	//Now go through the array and merge the values.
-	for lineScanner.Scan() {
-		attrLine := lineScanner.Text()
-		keyvalue := strings.Split(attrLine, "=")
-		merged := false
-		for i := pos + 1; i < len(iniConfigList); i++ {
-			if strings.HasPrefix(iniConfigList[i], "#") {
-				continue
-			}
-			if strings.Contains(iniConfigList[i], ":") {
-				break
-			}
-			if strings.Contains(iniConfigList[i], keyvalue[0]) {
-				iniConfigList[i] = attrLine
-				merged = true
-				break
-			}
-		}
-		//If this is not merged, then its a new parameter in existing stanza.
-		if !merged && len(strings.TrimSpace(attrLine)) > 0 {
-			_, err := appList.WriteString(attrLine)
-			if err != nil {
-				return nil, err
-			}
-			merged = false
-		}
-
-		if len(appList.String()) > 0 {
-			temp := make([]string, pos+1)
-			for i := 0; i < pos+1; i++ {
-				temp[i] = iniConfigList[i]
-			}
-			list := strings.Split(appList.String(), "\n")
-			temp = append(temp, list...)
-			temp1 := iniConfigList[pos+1:]
-			iniConfigList = append(temp, temp1...)
-		}
-
-	}
-	return iniConfigList, nil
-}
-
-// writeFileIfChanged writes the specified data to the specified file path
-// (just like ioutil.WriteFile), but first checks if this is needed
-func writeFileIfChanged(path string, data []byte, perm os.FileMode) error {
-	// #nosec G304 - internal utility using file name derived from dspmqinf
-	current, err := ioutil.ReadFile(path)
-	if err != nil {
-		return err
-	}
-	// Only write the new file if the it's different from the current file
-	if !bytes.Equal(current, data) {
-		err = ioutil.WriteFile(path, data, perm)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// writeConfigStanzas writes the INI file updates into corresponding MQ INI files.
-func writeConfigStanzas(qmConfig []string, atConfig []string) error {
-	err := writeFileIfChanged(filepath.Join(qmgrDir, "qm.ini"), []byte(strings.Join(qmConfig, "\n")), 0644)
-	if err != nil {
-		return err
-	}
-
-	err = writeFileIfChanged(filepath.Join(qmgrDir, "mqat.ini"), []byte(strings.Join(atConfig, "\n")), 0644)
-	if err != nil {
-		return err
-	}
-	return nil
-}
--- a/internal/mqinimerge/mqinimerge_test.go
+++ b/internal/mqinimerge/mqinimerge_test.go
@@ -1,256 +0,0 @@
-/*
-© Copyright IBM Corporation 2018, 2019
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-package mqinimerge
-
-import (
-	"bufio"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-	"time"
-)
-
-func TestIniFileStanzas(t *testing.T) {
-	PopulateAllAvailableStanzas()
-
-	checkReturns("ApiExitLocal", true, true, t)
-	checkReturns("Channels", true, true, t)
-	checkReturns("TCP", true, true, t)
-	checkReturns("ServiceComponent", true, true, t)
-	checkReturns("Service", true, true, t)
-	checkReturns("AccessMode", true, true, t)
-	checkReturns("RestrictedMode", true, true, t)
-	checkReturns("XAResourceManager", true, true, t)
-	checkReturns("SSL", true, true, t)
-	checkReturns("Security", true, true, t)
-	checkReturns("TuningParameters", true, true, t)
-	checkReturns("ABC", false, false, t)
-	checkReturns("#1234ABD", true, false, t)
-	checkReturns("AllActivityTrace", false, true, t)
-	checkReturns("ApplicationTrace", false, true, t)
-	checkReturns("xyz123abvc", false, false, t)
-}
-
-func TestIniFile1Update(t *testing.T) {
-	iniFileBytes, err := ioutil.ReadFile("test1qm.ini")
-	if err != nil {
-		t.Errorf("Unexpected error: [%s]\n", err.Error())
-	}
-	userconfig := string(iniFileBytes)
-	qmConfig, atConfig, err := PrepareConfigStanzasToWrite(userconfig)
-	if err != nil {
-		t.Errorf("Unexpected error: [%s]\n", err.Error())
-	}
-	if len(atConfig) == 0 {
-		t.Errorf("Unexpected stanza file update: mqat.ini[%s]\n", atConfig)
-	}
-	if len(qmConfig) == 0 {
-		t.Errorf("Expected stanza file not found: qm.ini\n")
-	}
-
-	count := 0
-	//we want this line to be present exactly one.
-	for _, item := range qmConfig {
-		item = strings.TrimSpace(item)
-		if strings.Contains(item, "mylib") {
-			count++
-		}
-	}
-	if count != 1 {
-		t.Errorf("Expected stanza line not found or appeared more than once in updated string. line=mylib\n config=%s\n count=%d\n", strings.Join(qmConfig, "\n"), count)
-	}
-}
-
-func TestIniFile2Update(t *testing.T) {
-	iniFileBytes, err := ioutil.ReadFile("test2qm.ini")
-	if err != nil {
-		t.Errorf("Unexpected error: [%s]\n", err.Error())
-	}
-	userconfig := string(iniFileBytes)
-	qmConfig, atConfig, err := PrepareConfigStanzasToWrite(userconfig)
-	if err != nil {
-		t.Errorf("Unexpected error: [%s]\n", err.Error())
-	}
-	if len(atConfig) == 0 {
-		t.Errorf("Expected stanza file not found: mqat.ini\n")
-	}
-	if len(qmConfig) == 0 {
-		t.Errorf("Expected stanza file not found: qm.ini\n")
-	}
-
-	count := 0
-	//we want this line to be present exactly one.
-	for _, item := range atConfig {
-		item = strings.TrimSpace(item)
-		if strings.Contains(item, "amqsget") {
-			count++
-		}
-	}
-	if count != 1 {
-		t.Errorf("Expected stanza line not found or appeared more than once in updated string. line=amqsget, Config:%s\n", strings.Join(atConfig, "\n"))
-	}
-}
-
-func TestIniFile3Update(t *testing.T) {
-	i := 0
-	iniFileBytes, err := ioutil.ReadFile("test3qm.ini")
-	if err != nil {
-		t.Errorf("Unexpected error: [%s]\n", err.Error())
-	}
-	userconfig := string(iniFileBytes)
-	qmConfig, atConfig, err := PrepareConfigStanzasToWrite(userconfig)
-	if err != nil {
-		t.Errorf("Unexpected error: [%s]\n", err.Error())
-	}
-	if len(qmConfig) == 0 {
-		t.Errorf("Unexpected stanza file update: qm.ini[%s]\n", atConfig)
-	}
-	if len(atConfig) == 0 {
-		t.Errorf("Expected stanza file not found: mqat.ini\n")
-	}
-
-	qmConfigStr := strings.Join(qmConfig, "\n")
-	atConfigStr := strings.Join(atConfig, "\n")
-
-	scanner := bufio.NewScanner(strings.NewReader(userconfig))
-	scanner.Split(bufio.ScanLines)
-	for scanner.Scan() {
-		line := scanner.Text()
-		i++
-		//first 20 lines of test3qm.ini shall go into qm.ini file and rest into mqat.ini file.
-		if i < 20 {
-			if !strings.Contains(qmConfigStr, strings.TrimSpace(line)) {
-				t.Errorf("Expected stanza line not found in updated string. line=%s\n, Stanza:%s\n", line, qmConfigStr)
-			}
-		} else if i > 20 {
-			if !strings.Contains(atConfigStr, line) {
-				t.Errorf("Expected stanza line not found in updated string. line=%s\n, Stanza:%s\n", line, atConfigStr)
-			}
-		}
-	}
-}
-
-func TestIniFile4Update(t *testing.T) {
-	iniFileBytes, err := ioutil.ReadFile("test1qm.ini")
-	if err != nil {
-		t.Errorf("Unexpected error: [%s]\n", err.Error())
-	}
-
-	//First merge
-	userconfig := string(iniFileBytes)
-	qmConfig, atConfig, err := PrepareConfigStanzasToWrite(userconfig)
-	if err != nil {
-		t.Errorf("Unexpected error: [%s]\n", err.Error())
-	}
-	if len(atConfig) == 0 {
-		t.Errorf("Expected stanza file not found: mqat.ini\n")
-	}
-	if len(qmConfig) == 0 {
-		t.Errorf("Expected stanza file not found: qm.ini\n")
-	}
-
-	//second merge.
-	qmConfig, atConfig, err = PrepareConfigStanzasToWrite(userconfig)
-	if err != nil {
-		t.Errorf("Unexpected error: [%s]\n", err.Error())
-	}
-	if len(atConfig) == 0 {
-		t.Errorf("Expected stanza file not found: mqat.ini\n")
-	}
-	if len(qmConfig) == 0 {
-		t.Errorf("Expected stanza file not found: qm.ini\n")
-	}
-
-	count := 0
-	//we just did a double merge, however we want this line to be present exactly one.
-	for _, item := range qmConfig {
-		item = strings.TrimSpace(item)
-		if strings.Contains(item, "mylib") {
-			count++
-		}
-	}
-
-	if count != 1 {
-		t.Errorf("Expected stanza line not found or appeared more than once in updated string. line=mylib\n config=%s\n count=%d\n", strings.Join(qmConfig, "\n"), count)
-	}
-}
-
-func checkReturns(stanza string, isqmini bool, shouldexist bool, t *testing.T) {
-	exists, filename := ValidateStanzaToWrite(stanza)
-	if exists != shouldexist {
-		t.Errorf("Stanza should exist %t but found was %t", shouldexist, exists)
-	}
-
-	if shouldexist {
-		if isqmini {
-			if filename != "qm.ini" {
-				t.Errorf("Expected filename:qm.ini for stanza:%s. But got %s", stanza, filename)
-			}
-		} else {
-			if filename != "mqat.ini" {
-				t.Errorf("Expected filename:mqat.ini for stanza:%s. But got %s", stanza, filename)
-			}
-		}
-	}
-}
-
-var writeFileIfChangedTests = []struct {
-	before []byte
-	after  []byte
-	same   bool
-}{
-	{[]byte("ABC€"), []byte("ABC€"), true},
-	{[]byte("ABC€"), []byte("ABC$"), false},
-	{[]byte("ABC€"), []byte("BBC€"), false},
-}
-
-func TestWriteFileIfChanged(t *testing.T) {
-	tmpFile := filepath.Join(os.TempDir(), t.Name())
-	t.Logf("Using temp file %v", tmpFile)
-	for i, table := range writeFileIfChangedTests {
-		t.Run(fmt.Sprintf("%v", i), func(t *testing.T) {
-			err := ioutil.WriteFile(tmpFile, table.before, 0600)
-			time.Sleep(time.Second * 1)
-			defer os.Remove(tmpFile)
-			fi, err := os.Stat(tmpFile)
-			if err != nil {
-				t.Fatal(err)
-			}
-			beforeMod := fi.ModTime()
-			err = writeFileIfChanged(tmpFile, table.after, 0600)
-			if err != nil {
-				t.Error(err)
-			}
-			fi, err = os.Stat(tmpFile)
-			if err != nil {
-				t.Error(err)
-			}
-			afterMod := fi.ModTime()
-			if table.same {
-				if beforeMod != afterMod {
-					t.Errorf("Expected file timestamps to be the same (%v); got %v", beforeMod, afterMod)
-				}
-			} else {
-				if beforeMod == afterMod {
-					t.Errorf("Expected file timestamp to be different got %v and %v", beforeMod, afterMod)
-				}
-			}
-		})
-	}
-}
--- a/internal/mqinimerge/qm.ini
+++ b/internal/mqinimerge/qm.ini
@@ -1,45 +0,0 @@
-#*******************************************************************#
-#* Module Name: qm.ini                                             *#
-#* Type       : IBM MQ queue manager configuration file            *#
-#  Function   : Define the configuration of a single queue manager *#
-#*                                                                 *#
-#*******************************************************************#
-#* Notes      :                                                    *#
-#* 1) This file defines the configuration of the queue manager     *#
-#*                                                                 *#
-#*******************************************************************#
-ExitPath:
-   ExitsDefaultPath=C:\ProgramData\IBM\MQ\exits
-   ExitsDefaultPath64=C:\ProgramData\IBM\MQ\exits64
-InstanceData:
-   InstanceID=1562831591
-   Startup=ServiceManual
-#*                                                                 *#
-#*                                                                 *#
-Log:
-   LogPrimaryFiles=3
-   LogSecondaryFiles=2
-   LogFilePages=4096
-   LogType=CIRCULAR
-   LogBufferPages=0
-   LogPath=C:\ProgramData\IBM\MQ\log\INI1\
-   LogWriteIntegrity=TripleWrite
-Service:
-   Name=AuthorizationService
-   EntryPoints=14
-ServiceComponent:
-   Service=AuthorizationService
-   Name=MQSeries.WindowsNT.auth.service
-   Module=amqzfu.dll
-   ComponentDataSize=0
-Channels:
-   ChlauthEarlyAdopt=Y
-TCP:
-   SndBuffSize=0
-   RcvBuffSize=0
-   RcvSndBuffSize=0
-   RcvRcvBuffSize=0
-   ClntSndBuffSize=0
-   ClntRcvBuffSize=0
-   SvrSndBuffSize=0
-   SvrRcvBuffSize=0
--- a/internal/mqinimerge/test1qm.ini
+++ b/internal/mqinimerge/test1qm.ini
@@ -1,5 +0,0 @@
-ApiExitLocal:   
-  Sequence=1
-  Function=EntryPoint
-  Module=/opt/mqm/exitlib.so
-  Name=mylib
--- a/internal/mqinimerge/test2qm.ini
+++ b/internal/mqinimerge/test2qm.ini
@@ -1,7 +0,0 @@
-AllActivityTrace:
-  ActivityInterval=11
-  ActivityCount=1
-  TraceLevel=INFO
-ApplicationTrace:
-  ApplName=amqsget
-  Trace=ON
--- a/internal/mqinimerge/test3qm.ini
+++ b/internal/mqinimerge/test3qm.ini
@@ -1,23 +0,0 @@
-ApiExitLocal:   
-  Sequence=1
-  Function=EntryPoint
-  Module=/opt/foo/foo.so
-  Name=FooExit
-Channels:
-   MQIBindType=FASTPATH
-Log:
-   LogPrimaryFiles=30
-   LogType=CIRCULAR
-   LogPath=/ProgramfILES/IBM/MQ/log/INI1/
-TCP:
-   SndBuffSize=4095
-   RcvBuffSize=4095
-   RcvSndBuffSize=4095
-   RcvRcvBuffSize=4095
-   ClntSndBuffSize=2049
-   ClntRcvBuffSize=2049
-   SvrSndBuffSize=2049
-   SvrRcvBuffSize=2049 
-ApplicationTrace:
-  ApplName=amqsput
-  Trace=ON
--- a/internal/mqtemplate/mqtemplate.go
+++ b/internal/mqtemplate/mqtemplate.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018, 2020

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -22,7 +22,6 @@ import (
 	"path"
 	"text/template"

-	"github.com/ibm-messaging/mq-container/internal/command"
 	"github.com/ibm-messaging/mq-container/pkg/logger"
 )

@@ -45,37 +44,19 @@ func ProcessTemplateFile(templateFile, destFile string, data interface{}, log *l
 				log.Error(err)
 				return err
 			}
-			mqmUID, mqmGID, err := command.LookupMQM()
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-			err = os.Chown(dir, mqmUID, mqmGID)
-			if err != nil {
-				log.Error(err)
-				return err
-			}
 		} else {
 			return err
 		}
 	}
-	// #nosec G302
+
+	// #nosec G302 G304 G306 - its a read by owner/s group, and pose no harm.
 	f, err := os.OpenFile(destFile, os.O_CREATE|os.O_WRONLY, 0660)
+	// #nosec G307 - local to this function, pose no harm.
 	defer f.Close()
 	err = t.Execute(f, data)
 	if err != nil {
 		log.Error(err)
 		return err
 	}
-	mqmUID, mqmGID, err := command.LookupMQM()
-	if err != nil {
-		log.Error(err)
-		return err
-	}
-	err = os.Chown(destFile, mqmUID, mqmGID)
-	if err != nil {
-		log.Error(err)
-		return err
-	}
 	return nil
 }
--- a/internal/mqversion/mqversion.go
+++ b/internal/mqversion/mqversion.go
@@ -0,0 +1,97 @@
+/*
+© Copyright IBM Corporation 2020
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package mqversion
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/ibm-messaging/mq-container/internal/command"
+)
+
+// Get will return the current MQ version
+func Get() (string, error) {
+	mqVersion, _, err := command.Run("dspmqver", "-b", "-f", "2")
+	if err != nil {
+		return "", fmt.Errorf("Error Getting MQ version: %v", err)
+	}
+	return strings.TrimSpace(mqVersion), nil
+}
+
+// Compare returns an integer comparing two MQ version strings lexicographically. The result will be 0 if currentVersion==checkVersion, -1 if currentVersion < checkVersion, and +1 if currentVersion > checkVersion
+func Compare(checkVersion string) (int, error) {
+	currentVersion, err := Get()
+	if err != nil {
+		return 0, err
+	}
+
+	currentVRMF, err := parseVRMF(currentVersion)
+	if err != nil {
+		return 0, err
+	}
+	compareVRMF, err := parseVRMF(checkVersion)
+	if err != nil {
+		return 0, fmt.Errorf("failed to parse compare version: %w", err)
+	}
+	return currentVRMF.compare(*compareVRMF), nil
+}
+
+type vrmf [4]int
+
+func (v vrmf) String() string {
+	return fmt.Sprintf("%d.%d.%d.%d", v[0], v[1], v[2], v[3])
+}
+
+func (v vrmf) compare(to vrmf) int {
+	for idx := 0; idx < 4; idx++ {
+		if v[idx] < to[idx] {
+			return -1
+		}
+		if v[idx] > to[idx] {
+			return 1
+		}
+	}
+	return 0
+}
+
+func parseVRMF(vrmfString string) (*vrmf, error) {
+	versionParts := strings.Split(vrmfString, ".")
+	if len(versionParts) != 4 {
+		return nil, fmt.Errorf("incorrect number of parts to version string: expected 4, got %d", len(versionParts))
+	}
+	vmrfPartNames := []string{"version", "release", "minor", "fix"}
+	parsed := vrmf{}
+	for idx, value := range versionParts {
+		partName := vmrfPartNames[idx]
+		if value == "" {
+			return nil, fmt.Errorf("empty %s found in VRMF", partName)
+		}
+		val, err := strconv.Atoi(value)
+		if err != nil {
+			return nil, fmt.Errorf("non-numeric %s found in VRMF", partName)
+		}
+		if val < 0 {
+			return nil, fmt.Errorf("negative %s found in VRMF", partName)
+		}
+		if idx == 0 && val == 0 {
+			return nil, fmt.Errorf("zero value for version not allowed")
+		}
+		parsed[idx] = val
+	}
+	return &parsed, nil
+}
--- a/internal/mqversion/mqversion_test.go
+++ b/internal/mqversion/mqversion_test.go
@@ -0,0 +1,147 @@
+/*
+© Copyright IBM Corporation 2020
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package mqversion
+
+import (
+	"fmt"
+	"testing"
+)
+
+func TestCompareLower(t *testing.T) {
+	checkVersion := "99.99.99.99"
+	mqVersionCheck, err := Compare(checkVersion)
+	if err != nil {
+		t.Fatalf("Failed to compare MQ versions: %v", err)
+	}
+	if mqVersionCheck != -1 {
+		t.Errorf("MQ version compare result failed. Expected -1, Got %v", mqVersionCheck)
+	}
+}
+
+func TestCompareHigher(t *testing.T) {
+	checkVersion := "1.1.1.1"
+	mqVersionCheck, err := Compare(checkVersion)
+	if err != nil {
+		t.Fatalf("Failed to compare MQ versions: %v", err)
+	}
+	if mqVersionCheck != 1 {
+		t.Errorf("MQ version compare result failed. Expected 1, Got %v", mqVersionCheck)
+	}
+}
+
+func TestCompareEqual(t *testing.T) {
+	checkVersion, err := Get()
+	if err != nil {
+		t.Fatalf("Failed to get current MQ version: %v", err)
+	}
+	mqVersionCheck, err := Compare(checkVersion)
+	if err != nil {
+		t.Fatalf("Failed to compare MQ versions: %v", err)
+	}
+	if mqVersionCheck != 0 {
+		t.Errorf("MQ version compare result failed. Expected 0, Got %v", mqVersionCheck)
+	}
+}
+
+func TestVersionValid(t *testing.T) {
+	checkVersion, err := Get()
+	if err != nil {
+		t.Fatalf("Failed to get current MQ version: %v", err)
+	}
+	_, err = parseVRMF(checkVersion)
+	if err != nil {
+		t.Fatalf("Validation of MQ version failed: %v", err)
+	}
+}
+
+func TestValidVRMF(t *testing.T) {
+	validVRMFs := map[string]vrmf{
+		"1.0.0.0":         {1, 0, 0, 0},
+		"10.0.0.0":        {10, 0, 0, 0},
+		"1.10.0.0":        {1, 10, 0, 0},
+		"1.0.10.0":        {1, 0, 10, 0},
+		"1.0.0.10":        {1, 0, 0, 10},
+		"999.998.997.996": {999, 998, 997, 996},
+	}
+	for test, expect := range validVRMFs {
+		t.Run(test, func(t *testing.T) {
+			parsed, err := parseVRMF(test)
+			if err != nil {
+				t.Fatalf("Unexpectedly failed to parse VRMF '%s': %s", test, err.Error())
+			}
+			if *parsed != expect {
+				t.Fatalf("VRMF not parsed as expected. Expected '%v', got '%v'", parsed, expect)
+			}
+		})
+	}
+}
+
+func TestInvalidVRMF(t *testing.T) {
+	invalidVRMFs := []string{
+		"not-a-number",
+		"9.8.7.string",
+		"0.1.2.3",
+		"1.0.0.-10",
+	}
+	for _, test := range invalidVRMFs {
+		t.Run(test, func(t *testing.T) {
+			parsed, err := parseVRMF(test)
+			if err == nil {
+				t.Fatalf("Expected error when parsing VRMF '%s', but got none.  VRMF returned: %v", test, parsed)
+			}
+		})
+	}
+}
+
+func TestCompare(t *testing.T) {
+	tests := []struct {
+		current string
+		compare string
+		expect  int
+	}{
+		{"1.0.0.1", "1.0.0.1", 0},
+		{"1.0.0.1", "1.0.0.0", 1},
+		{"1.0.0.1", "1.0.0.2", -1},
+		{"9.9.9.9", "10.0.0.0", -1},
+		{"9.9.9.9", "9.10.0.0", -1},
+		{"9.9.9.9", "9.9.10.0", -1},
+		{"9.9.9.9", "9.9.9.10", -1},
+	}
+	for _, test := range tests {
+		t.Run(fmt.Sprintf("%s-%s", test.current, test.compare), func(t *testing.T) {
+			baseVRMF, err := parseVRMF(test.current)
+			if err != nil {
+				t.Fatalf("Could not parse base version '%s': %s", test.current, err.Error())
+			}
+			compareVRMF, err := parseVRMF(test.compare)
+			if err != nil {
+				t.Fatalf("Could not parse current version '%s': %s", test.current, err.Error())
+			}
+			result := baseVRMF.compare(*compareVRMF)
+			if result != test.expect {
+				t.Fatalf("Expected %d but got %d when comparing '%s' with '%s'", test.expect, result, test.current, test.compare)
+			}
+			if test.expect == 0 {
+				return
+			}
+			resultReversed := compareVRMF.compare(*baseVRMF)
+			if resultReversed != test.expect*-1 {
+				t.Fatalf("Expected %d but got %d when comparing '%s' with '%s'", test.expect*-1, resultReversed, test.compare, test.current)
+			}
+		})
+	}
+}
--- a/internal/ready/ready.go
+++ b/internal/ready/ready.go
@@ -53,6 +53,7 @@ func Clear() error {
 // Set lets any subsequent calls to `CheckReady` know that the queue
 // manager has finished its configuration step
 func Set() error {
+	// #nosec G306 - this gives permissions to owner/s group only.
 	return ioutil.WriteFile(fileName, []byte("1"), 0770)
 }

@@ -76,6 +77,11 @@ func IsRunningAsStandbyQM(name string) (bool, error) {
 	return isRunningQM(name, "(RUNNING AS STANDBY)")
 }

+// IsRunningAsReplicaQM returns true if the queue manager is running in replica mode
+func IsRunningAsReplicaQM(name string) (bool, error) {
+	return isRunningQM(name, "(REPLICA)")
+}
+
 func isRunningQM(name string, status string) (bool, error) {
 	out, _, err := command.Run("dspmq", "-n", "-m", name)
 	if err != nil {
--- a/internal/tls/tls.go
+++ b/internal/tls/tls.go
--- a/internal/tls/tls_web.go
+++ b/internal/tls/tls_web.go
@@ -0,0 +1,97 @@
+/*
+© Copyright IBM Corporation 2019, 2021
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package tls
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/ibm-messaging/mq-container/internal/keystore"
+)
+
+// webKeystoreDefault is the name of the default web server Keystore
+const webKeystoreDefault = "default.p12"
+
+// ConfigureWebTLS configures TLS for the web server
+func ConfigureWebTLS(keyLabel string) error {
+
+	// Return immediately if we have no certificate to use as identity
+	if keyLabel == "" && os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME") == "" {
+		return nil
+	}
+
+	webConfigDir := "/etc/mqm/web/installations/Installation1/servers/mqweb"
+	tls := "tls.xml"
+
+	tlsConfig := filepath.Join(webConfigDir, tls)
+	newTLSConfig := filepath.Join(webConfigDir, tls+".tpl")
+
+	err := os.Remove(tlsConfig)
+	if err != nil {
+		return fmt.Errorf("Failed to delete file %s: %v", tlsConfig, err)
+	}
+
+	// Symlink here to prevent issues on restart
+	err = os.Symlink(newTLSConfig, tlsConfig)
+	if err != nil {
+		return fmt.Errorf("Failed to create symlink %s->%s: %v", newTLSConfig, tlsConfig, err)
+	}
+
+	return nil
+}
+
+// ConfigureWebKeyStore configures the Web Keystore
+func ConfigureWebKeystore(p12Truststore KeyStoreData, webKeystore string) (string, error) {
+
+	if webKeystore == "" {
+		webKeystore = webKeystoreDefault
+	}
+	webKeystoreFile := filepath.Join(keystoreDirDefault, webKeystore)
+
+	// Check if a new self-signed certificate should be generated
+	genHostName := os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME")
+	if genHostName != "" {
+
+		// Create the Web Keystore
+		newWebKeystore := keystore.NewPKCS12KeyStore(webKeystoreFile, p12Truststore.Password)
+		err := newWebKeystore.Create()
+		if err != nil {
+			return "", fmt.Errorf("Failed to create Web Keystore %s: %v", webKeystoreFile, err)
+		}
+
+		// Generate a new self-signed certificate in the Web Keystore
+		err = newWebKeystore.CreateSelfSignedCertificate("default", fmt.Sprintf("CN=%s", genHostName), genHostName)
+		if err != nil {
+			return "", fmt.Errorf("Failed to generate certificate in Web Keystore %s with DN of 'CN=%s': %v", webKeystoreFile, genHostName, err)
+		}
+
+	} else {
+		// Check Web Keystore already exists
+		_, err := os.Stat(webKeystoreFile)
+		if err != nil {
+			return "", fmt.Errorf("Failed to find existing Web Keystore %s: %v", webKeystoreFile, err)
+		}
+	}
+
+	// Check Web Truststore already exists
+	_, err := os.Stat(p12Truststore.Keystore.Filename)
+	if err != nil {
+		return "", fmt.Errorf("Failed to find existing Web Truststore %s: %v", p12Truststore.Keystore.Filename, err)
+	}
+
+	return webKeystore, nil
+}
--- a/internal/user/user.go
+++ b/internal/user/user.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018, 2020

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,66 +16,26 @@ limitations under the License.
 package user

 import (
-	"fmt"
-	"os/user"
-	"strings"
-
-	"github.com/ibm-messaging/mq-container/internal/command"
+	"golang.org/x/sys/unix"
 )

 // User holds information on primary and supplemental OS groups
 type User struct {
-	UID             string
-	Name            string
-	PrimaryGID      string
-	SupplementalGID []string
+	UID             int
+	PrimaryGID      int
+	SupplementalGID []int
 }

 // GetUser returns the current user and group information
 func GetUser() (User, error) {
-	u, err := user.Current()
+	u := User{
+		UID:        unix.Geteuid(),
+		PrimaryGID: unix.Getgid(),
+	}
+	groups, err := unix.Getgroups()
 	if err != nil {
-		return User{}, err
+		return u, err
 	}
-	g, err := getCurrentUserGroups()
-	if err != nil {
-		return User{}, err
-	}
-	if err != nil && len(g) == 0 {
-		return User{
-			UID:             u.Uid,
-			Name:            u.Name,
-			PrimaryGID:      u.Gid,
-			SupplementalGID: []string{},
-		}, nil
-	}
-	// Look for the primary group in the list of group IDs
-	for i, v := range g {
-		if v == u.Gid {
-			// Remove the element from the slice
-			g = append(g[:i], g[i+1:]...)
-		}
-	}
-	return User{
-		UID:             u.Uid,
-		Name:            u.Name,
-		PrimaryGID:      u.Gid,
-		SupplementalGID: g,
-	}, nil
-}
-
-func getCurrentUserGroups() ([]string, error) {
-	var nilArray []string
-	out, _, err := command.Run("id", "--groups")
-	if err != nil {
-		return nilArray, err
-	}
-
-	out = strings.TrimSpace(out)
-	if out == "" {
-		return nilArray, fmt.Errorf("Unable to determine groups for current user")
-	}
-
-	groups := strings.Split(out, " ")
-	return groups, nil
+	u.SupplementalGID = groups
+	return u, nil
 }
--- a/manifests/README.md
+++ b/manifests/README.md
@@ -1,7 +1,7 @@
 Fat manifests
 =============

-These are the fat manifests used by Docker Hub and Docker store to handle images with multiple CPU architectures.
+These are the fat manifests used by Docker Hub to handle images with multiple CPU architectures.

 They are used in conjunction with [manifest-tool](https://github.com/estesp/manifest-tool), for example:

--- a/manifests/dockerstore/manifest-9.1.1.yaml
+++ b/manifests/dockerstore/manifest-9.1.1.yaml
@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2018
+# © Copyright IBM Corporation 2020
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,18 +12,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-image: ibmcorp/mqadvanced-server-dev:9.1.1.0
+image: ibmcom/mq:9.1.5.0-r1
 manifests:
-  - image: ibmcorp/mqadvanced-server-dev:9.1.1.0-x86_64
+  - image: ibmcom/mq:9.1.5.0-r1-amd64
    platform:
      architecture: amd64
      os: linux
-  - image: ibmcorp/mqadvanced-server-dev:9.1.1.0-ppc64le
+  - image: ibmcom/mq:9.1.5.0-r1-ppc64le
    platform:
      architecture: ppc64le
      os: linux
-  - image: ibmcorp/mqadvanced-server-dev:9.1.1.0-s390x
+  - image: ibmcom/mq:9.1.5.0-r1-s390x
    platform:
      architecture: s390x
-      os: linux
-
+      os: linux
--- a/manifests/dockerhub/manifest-9.2.0.yaml
+++ b/manifests/dockerhub/manifest-9.2.0.yaml
@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2018
+# © Copyright IBM Corporation 2018, 2020
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,18 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-image: ibmcorp/mqadvanced-server-dev:9.1.0.0
+image: ibmcom/mq:9.2.0.0-r1
 manifests:
-  - image: ibmcorp/mqadvanced-server-dev:9.1.0.0-x86_64
+  - image: ibmcom/mq:9.2.0.0-r1-amd64
    platform:
      architecture: amd64
      os: linux
-  - image: ibmcorp/mqadvanced-server-dev:9.1.0.0-ppc64le
-    platform:
-      architecture: ppc64le
-      os: linux
-  - image: ibmcorp/mqadvanced-server-dev:9.1.0.0-s390x
-    platform:
-      architecture: s390x
-      os: linux
-
--- a/manifests/dockerhub/manifest-latest.yaml
+++ b/manifests/dockerhub/manifest-latest.yaml
@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2018, 2019
+# © Copyright IBM Corporation 2018, 2020
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,15 +14,7 @@

 image: ibmcom/mq:latest
 manifests:
-  - image: ibmcom/mq:9.1.4.0-r1-amd64
+  - image: ibmcom/mq:9.2.0.0-r1-amd64
    platform:
      architecture: amd64
      os: linux
-  - image: ibmcom/mq:9.1.4.0-r1-ppc64le
-    platform:
-      architecture: ppc64le
-      os: linux
-  - image: ibmcom/mq:9.1.4.0-r1-s390x
-    platform:
-      architecture: s390x
-      os: linux
--- a/manifests/dockerstore/manifest-9.1.2-UBI.yaml
+++ b/manifests/dockerstore/manifest-9.1.2-UBI.yaml
@@ -1,28 +0,0 @@
-# © Copyright IBM Corporation 2019
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-image: ibmcorp/mqadvanced-server-dev:9.1.2.0-UBI
-manifests:
-  - image: ibmcorp/mqadvanced-server-dev:9.1.2.0-UBI-amd64
-    platform:
-      architecture: amd64
-      os: linux
-  - image: ibmcorp/mqadvanced-server-dev:9.1.2.0-UBI-ppc64le
-    platform:
-      architecture: ppc64le
-      os: linux
-  - image: ibmcorp/mqadvanced-server-dev:9.1.2.0-UBI-s390x
-    platform:
-      architecture: s390x
-      os: linux
--- a/manifests/dockerstore/manifest-9.1.2.yaml
+++ b/manifests/dockerstore/manifest-9.1.2.yaml
@@ -1,29 +0,0 @@
-# © Copyright IBM Corporation 2018, 2019
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-image: ibmcorp/mqadvanced-server-dev:9.1.2.0
-manifests:
-  - image: ibmcorp/mqadvanced-server-dev:9.1.2.0-x86_64
-    platform:
-      architecture: amd64
-      os: linux
-  - image: ibmcorp/mqadvanced-server-dev:9.1.2.0-ppc64le
-    platform:
-      architecture: ppc64le
-      os: linux
-  - image: ibmcorp/mqadvanced-server-dev:9.1.2.0-s390x
-    platform:
-      architecture: s390x
-      os: linux
-
--- a/manifests/dockerstore/manifest-9.1.3.yaml
+++ b/manifests/dockerstore/manifest-9.1.3.yaml
@@ -1,28 +0,0 @@
-# © Copyright IBM Corporation 2019
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-image: ibmcorp/mqadvanced-server-dev:9.1.3.0-r3
-manifests:
-  - image: ibmcorp/mqadvanced-server-dev:9.1.3.0-r3-amd64
-    platform:
-      architecture: amd64
-      os: linux
-  - image: ibmcorp/mqadvanced-server-dev:9.1.3.0-r3-ppc64le
-    platform:
-      architecture: ppc64le
-      os: linux
-  - image: ibmcorp/mqadvanced-server-dev:9.1.3.0-r3-s390x
-    platform:
-      architecture: s390x
-      os: linux
--- a/pkg/containerruntimelogger/logruntime.go
+++ b/pkg/containerruntimelogger/logruntime.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2020

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -45,11 +45,14 @@ func LogContainerDetails(log *logger.Logger) error {
 		log.Printf("Base image: %v", bi)
 	}
 	u, err := user.GetUser()
+	if err != nil {
+		log.Printf("Error: %v\nUser:\n  uid: %v\n  gid: %v\n  supGid: %v", err, u.UID, u.PrimaryGID, u.SupplementalGID)
+	}
 	if err == nil {
 		if len(u.SupplementalGID) == 0 {
-			log.Printf("Running as user ID %v (%v) with primary group %v", u.UID, u.Name, u.PrimaryGID)
+			log.Printf("Running as user ID %v with primary group %v", u.UID, u.PrimaryGID)
 		} else {
-			log.Printf("Running as user ID %v (%v) with primary group %v, and supplementary groups %v", u.UID, u.Name, u.PrimaryGID, strings.Join(u.SupplementalGID, ","))
+			log.Printf("Running as user ID %v with primary group %v, and supplementary groups %v", u.UID, u.PrimaryGID, strings.Trim(strings.Join(strings.Fields(fmt.Sprint(u.SupplementalGID)), ","), "[]"))
 		}
 	}
 	caps, err := containerruntime.GetCapabilities()
--- a/pkg/logger/logger.go
+++ b/pkg/logger/logger.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018, 2021

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -117,14 +117,22 @@ func (l *Logger) log(level string, msg string) {
 // Debug logs a line as debug
 func (l *Logger) Debug(args ...interface{}) {
 	if l.debug {
-		l.log(debugLevel, fmt.Sprint(args...))
+		if l.json {
+			l.log(debugLevel, fmt.Sprint(args...))
+		} else {
+			l.log(debugLevel, "DEBUG: "+fmt.Sprint(args...))
+		}
 	}
 }

 // Debugf logs a line as debug using format specifiers
 func (l *Logger) Debugf(format string, args ...interface{}) {
 	if l.debug {
-		l.log(debugLevel, fmt.Sprintf(format, args...))
+		if l.json {
+			l.log(debugLevel, fmt.Sprintf(format, args...))
+		} else {
+			l.log(debugLevel, fmt.Sprintf("DEBUG: "+format, args...))
+		}
 	}
 }

--- a/source-branch.env
+++ b/source-branch.env
@@ -0,0 +1,7 @@
+###########################################################################################################################################################
+
+# SOURCE_BRANCH is the repository branch name for this release stream. 
+# It should be updated when a new release fork is created but not for testing of personal builds or pre-fork updates.
+SOURCE_BRANCH ?= v9.3.0.x
+
+###########################################################################################################################################################
--- a/test/docker/Gopkg.lock
+++ b/test/docker/Gopkg.lock
@@ -1,114 +0,0 @@
-# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
-
-
-[[projects]]
-  branch = "master"
-  name = "github.com/Azure/go-ansiterm"
-  packages = [
-    ".",
-    "winterm"
-  ]
-  revision = "d6e3b3328b783f23731bc4d058875b0371ff8109"
-
-[[projects]]
-  name = "github.com/Microsoft/go-winio"
-  packages = ["."]
-  revision = "7da180ee92d8bd8bb8c37fc560e673e6557c392f"
-  version = "v0.4.7"
-
-[[projects]]
-  name = "github.com/Sirupsen/logrus"
-  packages = ["."]
-  revision = "c155da19408a8799da419ed3eeb0cb5db0ad5dbc"
-  version = "v1.0.5"
-
-[[projects]]
-  name = "github.com/docker/distribution"
-  packages = [
-    "digest",
-    "reference"
-  ]
-  revision = "48294d928ced5dd9b378f7fd7c6f5da3ff3f2c89"
-  version = "v2.6.2"
-
-[[projects]]
-  name = "github.com/docker/docker"
-  packages = [
-    "api/types",
-    "api/types/blkiodev",
-    "api/types/container",
-    "api/types/events",
-    "api/types/filters",
-    "api/types/mount",
-    "api/types/network",
-    "api/types/reference",
-    "api/types/registry",
-    "api/types/strslice",
-    "api/types/swarm",
-    "api/types/time",
-    "api/types/versions",
-    "api/types/volume",
-    "client",
-    "pkg/jsonlog",
-    "pkg/jsonmessage",
-    "pkg/stdcopy",
-    "pkg/term",
-    "pkg/term/windows",
-    "pkg/tlsconfig"
-  ]
-  revision = "f5ec1e2936dcbe7b5001c2b817188b095c700c27"
-  version = "v17.03.2-ce"
-
-[[projects]]
-  name = "github.com/docker/go-connections"
-  packages = [
-    "nat",
-    "sockets",
-    "tlsconfig"
-  ]
-  revision = "3ede32e2033de7505e6500d6c868c2b9ed9f169d"
-  version = "v0.3.0"
-
-[[projects]]
-  name = "github.com/docker/go-units"
-  packages = ["."]
-  revision = "0dadbb0345b35ec7ef35e228dabb8de89a65bf52"
-  version = "v0.3.2"
-
-[[projects]]
-  name = "github.com/pkg/errors"
-  packages = ["."]
-  revision = "645ef00459ed84a119197bfb8d8205042c6df63d"
-  version = "v0.8.0"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/crypto"
-  packages = ["ssh/terminal"]
-  revision = "88942b9c40a4c9d203b82b3731787b672d6e809b"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/net"
-  packages = [
-    "context",
-    "context/ctxhttp",
-    "proxy"
-  ]
-  revision = "6078986fec03a1dcc236c34816c71b0e05018fda"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/sys"
-  packages = [
-    "unix",
-    "windows"
-  ]
-  revision = "13d03a9a82fba647c21a0ef8fba44a795d0f0835"
-
-[solve-meta]
-  analyzer-name = "dep"
-  analyzer-version = 1
-  inputs-digest = "c792836365447209421d5dc68a75fa77063408b8a6a2f9325b976581a0d60107"
-  solver-name = "gps-cdcl"
-  solver-version = 1
--- a/test/docker/devconfig_test.go
+++ b/test/docker/devconfig_test.go
@@ -1,7 +1,7 @@
 // +build mqdev

 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018, 2022

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -34,7 +34,7 @@ import (
 func TestDevGoldenPath(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -43,6 +43,7 @@ func TestDevGoldenPath(t *testing.T) {
 		Env: []string{
 			"LICENSE=accept",
 			"MQ_QMGR_NAME=" + qm,
+			"DEBUG=true",
 		},
 	}
 	id := runContainerWithPorts(t, cli, &containerConfig, []int{9443})
@@ -68,7 +69,7 @@ func TestDevGoldenPath(t *testing.T) {
 func TestDevSecure(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -81,16 +82,16 @@ func TestDevSecure(t *testing.T) {
 			"LICENSE=accept",
 			"MQ_QMGR_NAME=" + qm,
 			"MQ_APP_PASSWORD=" + appPassword,
-			"MQ_TLS_KEYSTORE=/var/tls/server.p12",
-			"MQ_TLS_PASSPHRASE=" + tlsPassPhrase,
 			"DEBUG=1",
+			"WLP_LOGGING_MESSAGE_FORMAT=JSON",
+			"MQ_ENABLE_EMBEDDED_WEB_SERVER_LOG=true",
 		},
 		Image: imageName(),
 	}
 	hostConfig := container.HostConfig{
 		Binds: []string{
 			coverageBind(t),
-			tlsDir(t, false) + ":/var/tls",
+			tlsDir(t, false) + ":/etc/mqm/pki/keys/default",
 		},
 		// Assign a random port for the web server on the host
 		// TODO: Don't do this for all tests
@@ -130,7 +131,7 @@ func TestDevSecure(t *testing.T) {
 func TestDevWebDisabled(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -145,7 +146,7 @@ func TestDevWebDisabled(t *testing.T) {
 	defer cleanContainer(t, cli, id)
 	waitForReady(t, cli, id)
 	t.Run("Web", func(t *testing.T) {
-		_, dspmqweb := execContainer(t, cli, id, "mqm", []string{"dspmqweb"})
+		_, dspmqweb := execContainer(t, cli, id, "", []string{"dspmqweb"})
 		if !strings.Contains(dspmqweb, "Server mqweb is not running.") && !strings.Contains(dspmqweb, "MQWB1125I") {
 			t.Errorf("Expected dspmqweb to say 'Server is not running' or 'MQWB1125I'; got \"%v\"", dspmqweb)
 		}
@@ -161,7 +162,7 @@ func TestDevWebDisabled(t *testing.T) {
 func TestDevConfigDisabled(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -176,7 +177,7 @@ func TestDevConfigDisabled(t *testing.T) {
 	defer cleanContainer(t, cli, id)
 	waitForReady(t, cli, id)
 	waitForWebReady(t, cli, id, insecureTLSConfig)
-	rc, _ := execContainer(t, cli, id, "mqm", []string{"bash", "-c", "echo 'display qlocal(DEV*)' | runmqsc"})
+	rc, _ := execContainer(t, cli, id, "", []string{"bash", "-c", "echo 'display qlocal(DEV*)' | runmqsc"})
 	if rc == 0 {
 		t.Errorf("Expected DEV queues to be missing")
 	}
--- a/test/docker/devconfig_test_util.go
+++ b/test/docker/devconfig_test_util.go
@@ -1,7 +1,7 @@
 // +build mqdev

 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018, 2021

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -48,8 +48,9 @@ var insecureTLSConfig *tls.Config = &tls.Config{
 }

 func waitForWebReady(t *testing.T, cli *client.Client, ID string, tlsConfig *tls.Config) {
+	t.Logf("%s Waiting for web server to be ready", time.Now().Format(time.RFC3339))
 	httpClient := http.Client{
-		Timeout: time.Duration(3 * time.Second),
+		Timeout: time.Duration(10 * time.Second),
 		Transport: &http.Transport{
 			TLSClientConfig: tlsConfig,
 		},
@@ -63,13 +64,13 @@ func waitForWebReady(t *testing.T, cli *client.Client, ID string, tlsConfig *tls
 		case <-time.After(1 * time.Second):
 			req, err := http.NewRequest("GET", url, nil)
 			req.SetBasicAuth("admin", defaultAdminPassword)
-			resp, err := httpClient.Do(req.WithContext(ctx))
+			resp, err := httpClient.Do(req)
 			if err == nil && resp.StatusCode == http.StatusOK {
-				t.Log("MQ web server is ready")
+				t.Logf("%s MQ web server is ready", time.Now().Format(time.RFC3339))
 				return
 			}
 		case <-ctx.Done():
-			t.Fatal("Timed out waiting for web server to become ready")
+			t.Fatalf("%s Timed out waiting for web server to become ready", time.Now().Format(time.RFC3339))
 		}
 	}
 }
@@ -82,7 +83,7 @@ func tlsDir(t *testing.T, unixPath bool) string {
 // runJMSTests runs a container with a JMS client, which connects to the queue manager container with the specified ID
 func runJMSTests(t *testing.T, cli *client.Client, ID string, tls bool, user, password string) {
 	containerConfig := container.Config{
-		// -e MQ_PORT_1414_TCP_ADDR=9.145.14.173 -e MQ_USERNAME=app -e MQ_PASSWORD=passw0rd -e MQ_CHANNEL=DEV.APP.SVRCONN -e MQ_TLS_KEYSTORE=/tls/test.p12 -e MQ_TLS_PASSPHRASE=passw0rd -v /Users/arthurbarr/go/src/github.com/ibm-messaging/mq-container/test/tls:/tls msgtest
+		// -e MQ_PORT_1414_TCP_ADDR=9.145.14.173 -e MQ_USERNAME=app -e MQ_PASSWORD=passw0rd -e MQ_CHANNEL=DEV.APP.SVRCONN -e MQ_TLS_TRUSTSTORE=/tls/test.p12 -e MQ_TLS_PASSPHRASE=passw0rd -v /Users/arthurbarr/go/src/github.com/ibm-messaging/mq-container/test/tls:/tls msgtest
 		Env: []string{
 			"MQ_PORT_1414_TCP_ADDR=" + getIPAddress(t, cli, ID),
 			"MQ_USERNAME=" + user,
--- a/test/docker/docker_api_test.go
+++ b/test/docker/docker_api_test.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2022

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -38,7 +38,7 @@ import (
 func TestLicenseNotSet(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -55,7 +55,7 @@ func TestLicenseNotSet(t *testing.T) {
 func TestLicenseView(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -75,6 +75,29 @@ func TestLicenseView(t *testing.T) {
 	}
 }

+//Start a container with qm grace set to x seconds
+//Check that when the container is stopped that the command endmqm has option -tp and x
+func TestEndMQMOpts(t *testing.T) {
+	t.Parallel()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	containerConfig := container.Config{
+		Env: []string{"LICENSE=accept", "MQ_GRACE_PERIOD=27"},
+	}
+
+	id := runContainer(t, cli, &containerConfig)
+	defer cleanContainer(t, cli, id)
+	waitForReady(t, cli, id)
+	killContainer(t, cli, id, "SIGTERM")
+	_, out := execContainer(t, cli, id, "", []string{"bash", "-c", "ps -ef | grep 'endmqm -w -r -tp 27'"})
+	t.Log(out)
+	if !strings.Contains(out, "endmqm -w -r -tp 27") {
+		t.Errorf("Expected endmqm options endmqm -w -r -tp 27; got \"%v\"", out)
+	}
+}
+
 // TestGoldenPath starts a queue manager successfully when metrics are enabled
 func TestGoldenPathWithMetrics(t *testing.T) {
 	t.Parallel()
@@ -91,7 +114,7 @@ func TestGoldenPathNoMetrics(t *testing.T) {

 // Actual test function for TestGoldenPathNoMetrics & TestGoldenPathWithMetrics
 func goldenPath(t *testing.T, metric bool) {
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -114,7 +137,7 @@ func goldenPath(t *testing.T, metric bool) {
 func TestSecurityVulnerabilities(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -148,7 +171,7 @@ func TestSecurityVulnerabilities(t *testing.T) {

 func utilTestNoQueueManagerName(t *testing.T, hostName string, expectedName string) {
 	search := "QMNAME(" + expectedName + ")"
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -159,7 +182,7 @@ func utilTestNoQueueManagerName(t *testing.T, hostName string, expectedName stri
 	id := runContainer(t, cli, &containerConfig)
 	defer cleanContainer(t, cli, id)
 	waitForReady(t, cli, id)
-	_, out := execContainer(t, cli, id, "mqm", []string{"dspmq"})
+	_, out := execContainer(t, cli, id, "", []string{"dspmq"})
 	if !strings.Contains(out, search) {
 		t.Errorf("Expected result of running dspmq to contain name=%v, got name=%v", search, out)
 	}
@@ -194,7 +217,7 @@ func TestWithVolumeNoMetrics(t *testing.T) {

 // Actual test function for TestWithVolumeNoMetrics & TestWithVolumeAndMetrics
 func withVolume(t *testing.T, metric bool) {
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -238,7 +261,7 @@ func withVolume(t *testing.T, metric bool) {

 // TestWithSplitVolumesLogsData starts a queue manager with separate log/data mounts
 func TestWithSplitVolumesLogsData(t *testing.T) {
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -258,7 +281,7 @@ func TestWithSplitVolumesLogsData(t *testing.T) {

 // TestWithSplitVolumesLogsOnly starts a queue manager with a separate log mount
 func TestWithSplitVolumesLogsOnly(t *testing.T) {
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -276,7 +299,7 @@ func TestWithSplitVolumesLogsOnly(t *testing.T) {

 // TestWithSplitVolumesDataOnly starts a queue manager with a separate data mount
 func TestWithSplitVolumesDataOnly(t *testing.T) {
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -297,7 +320,7 @@ func TestWithSplitVolumesDataOnly(t *testing.T) {
 func TestNoVolumeWithRestart(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -317,7 +340,7 @@ func TestNoVolumeWithRestart(t *testing.T) {
 // where `runmqserver -i` is run to initialize the storage.  Then the
 // container can be run as normal.
 func TestVolumeRequiresRoot(t *testing.T) {
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -380,7 +403,7 @@ func TestVolumeRequiresRoot(t *testing.T) {
 func TestCreateQueueManagerFail(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -391,9 +414,7 @@ func TestCreateQueueManagerFail(t *testing.T) {
 		FROM %v
 		USER root
 		RUN echo '#!/bin/bash\nexit 999' > /opt/mqm/bin/crtmqm
-		RUN chown mqm:mqm /opt/mqm/bin/crtmqm
-		RUN chmod 6550 /opt/mqm/bin/crtmqm
-		USER mqm`, imageName())},
+		USER 1001`, imageName())},
 	}
 	tag := createImage(t, cli, files)
 	defer deleteImage(t, cli, tag)
@@ -415,7 +436,7 @@ func TestCreateQueueManagerFail(t *testing.T) {
 func TestStartQueueManagerFail(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -426,9 +447,7 @@ func TestStartQueueManagerFail(t *testing.T) {
 		FROM %v
 		USER root
 		RUN echo '#!/bin/bash\ndltmqm $@ && strmqm $@' > /opt/mqm/bin/strmqm
-		RUN chown mqm:mqm /opt/mqm/bin/strmqm
-		RUN chmod 6550 /opt/mqm/bin/strmqm
-		USER mqm`, imageName())},
+		USER 1001`, imageName())},
 	}
 	tag := createImage(t, cli, files)
 	defer deleteImage(t, cli, tag)
@@ -453,7 +472,7 @@ func TestStartQueueManagerFail(t *testing.T) {
 func TestVolumeUnmount(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -487,12 +506,12 @@ func TestVolumeUnmount(t *testing.T) {
 		t.Fatalf("Expected umount to work with rc=0, got %v. Output was: %s", rc, out)
 	}
 	time.Sleep(3 * time.Second)
-	rc, _ = execContainer(t, cli, ctr.ID, "mqm", []string{"chkmqhealthy"})
+	rc, _ = execContainer(t, cli, ctr.ID, "", []string{"chkmqhealthy"})
 	if rc == 0 {
 		t.Errorf("Expected chkmqhealthy to fail")
-		_, df := execContainer(t, cli, ctr.ID, "mqm", []string{"df"})
+		_, df := execContainer(t, cli, ctr.ID, "", []string{"df"})
 		t.Logf(df)
-		_, ps := execContainer(t, cli, ctr.ID, "mqm", []string{"ps", "-ef"})
+		_, ps := execContainer(t, cli, ctr.ID, "", []string{"ps", "-ef"})
 		t.Logf(ps)
 	}
 }
@@ -502,7 +521,7 @@ func TestVolumeUnmount(t *testing.T) {
 func TestZombies(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -518,14 +537,14 @@ func TestZombies(t *testing.T) {
 	waitForReady(t, cli, id)
 	// Kill an MQ process with children.  After it is killed, its children
 	// will be adopted by PID 1, and should then be reaped when they die.
-	_, out := execContainer(t, cli, id, "mqm", []string{"pkill", "--signal", "kill", "-c", "amqzxma0"})
+	_, out := execContainer(t, cli, id, "", []string{"pkill", "--signal", "kill", "-c", "amqzxma0"})
 	if out == "0" {
 		t.Log("Failed to kill process 'amqzxma0'")
-		_, out := execContainer(t, cli, id, "root", []string{"ps", "-lA"})
+		_, out := execContainer(t, cli, id, "", []string{"ps", "-lA"})
 		t.Fatalf("Here is a list of currently running processes:\n%s", out)
 	}
 	time.Sleep(3 * time.Second)
-	_, out = execContainer(t, cli, id, "mqm", []string{"bash", "-c", "ps -lA | grep '^. Z'"})
+	_, out = execContainer(t, cli, id, "", []string{"bash", "-c", "ps -lA | grep '^. Z'"})
 	if out != "" {
 		count := strings.Count(out, "\n") + 1
 		t.Errorf("Expected zombies=0, got %v", count)
@@ -539,7 +558,7 @@ func TestZombies(t *testing.T) {
 func TestMQSC(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -552,7 +571,7 @@ func TestMQSC(t *testing.T) {
 		  RUN rm -f /etc/mqm/*.mqsc
 		  ADD test.mqsc /etc/mqm/
 		  RUN chmod 0660 /etc/mqm/test.mqsc
-		  USER mqm`, imageName())},
+		  USER 1001`, imageName())},
 		{"test.mqsc", "DEFINE QLOCAL(test)"},
 	}
 	tag := createImage(t, cli, files)
@@ -565,7 +584,16 @@ func TestMQSC(t *testing.T) {
 	id := runContainer(t, cli, &containerConfig)
 	defer cleanContainer(t, cli, id)
 	waitForReady(t, cli, id)
-	rc, mqscOutput := execContainer(t, cli, id, "mqm", []string{"bash", "-c", "echo 'DISPLAY QLOCAL(test)' | runmqsc"})
+
+	rc := -1
+	mqscOutput := ""
+	for i := 0; i < 60; i++ {
+		rc, mqscOutput = execContainer(t, cli, id, "", []string{"bash", "-c", "echo 'DISPLAY QLOCAL(test)' | runmqsc"})
+		if rc == 0 {
+			return
+		}
+		time.Sleep(1 * time.Second)
+	}
 	if rc != 0 {
 		r := regexp.MustCompile("AMQ[0-9][0-9][0-9][0-9]E")
 		t.Fatalf("Expected runmqsc to exit with rc=0, got %v with error %v", rc, r.FindString(mqscOutput))
@@ -577,7 +605,7 @@ func TestMQSC(t *testing.T) {
 func TestLargeMQSC(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -595,7 +623,7 @@ func TestLargeMQSC(t *testing.T) {
          RUN rm -f /etc/mqm/*.mqsc
          ADD test.mqsc /etc/mqm/
          RUN chmod 0660 /etc/mqm/test.mqsc
-          USER mqm`, imageName())},
+          USER 1001`, imageName())},
 		{"test.mqsc", buf.String()},
 	}
 	tag := createImage(t, cli, files)
@@ -609,7 +637,15 @@ func TestLargeMQSC(t *testing.T) {
 	defer cleanContainer(t, cli, id)
 	waitForReady(t, cli, id)

-	rc, mqscOutput := execContainer(t, cli, id, "mqm", []string{"bash", "-c", "echo 'DISPLAY QLOCAL(test" + strconv.Itoa(numQueues) + ")' | runmqsc"})
+	rc := -1
+	mqscOutput := ""
+	for i := 0; i < 60; i++ {
+		rc, mqscOutput = execContainer(t, cli, id, "", []string{"bash", "-c", "echo 'DISPLAY QLOCAL(test" + strconv.Itoa(numQueues) + ")' | runmqsc"})
+		if rc == 0 {
+			return
+		}
+		time.Sleep(1 * time.Second)
+	}
 	if rc != 0 {
 		r := regexp.MustCompile("AMQ[0-9][0-9][0-9][0-9]E")
 		t.Fatalf("Expected runmqsc to exit with rc=0, got %v with error %v", rc, r.FindString(mqscOutput))
@@ -621,7 +657,7 @@ func TestLargeMQSC(t *testing.T) {
 func TestRedactValidMQSC(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -667,7 +703,7 @@ func TestRedactValidMQSC(t *testing.T) {
 		  RUN rm -f /etc/mqm/*.mqsc
 		  ADD test.mqsc /etc/mqm/
 		  RUN chmod 0660 /etc/mqm/test.mqsc
-		  USER mqm`, imageName())},
+		  USER 1001`, imageName())},
 		{"test.mqsc", buf.String()},
 	}
 	tag := createImage(t, cli, files)
@@ -699,7 +735,7 @@ func TestRedactValidMQSC(t *testing.T) {
 func TestRedactInvalidMQSC(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -739,7 +775,7 @@ func TestRedactInvalidMQSC(t *testing.T) {
 		  RUN rm -f /etc/mqm/*.mqsc
 		  ADD test.mqsc /etc/mqm/
 		  RUN chmod 0660 /etc/mqm/test.mqsc
-		  USER mqm`, imageName())},
+		  USER 1001`, imageName())},
 		{"test.mqsc", buf.String()},
 	}
 	tag := createImage(t, cli, files)
@@ -772,7 +808,7 @@ func TestRedactInvalidMQSC(t *testing.T) {
 // tries to start a container based on that image, and checks that container terminates
 func TestInvalidMQSC(t *testing.T) {
 	t.Parallel()
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -785,7 +821,7 @@ func TestInvalidMQSC(t *testing.T) {
 		RUN rm -f /etc/mqm/*.mqsc
 		ADD mqscTest.mqsc /etc/mqm/
 		RUN chmod 0660 /etc/mqm/mqscTest.mqsc
-		USER mqm`, imageName())},
+		USER 1001`, imageName())},
 		{"mqscTest.mqsc", "DEFINE INVALIDLISTENER('TEST.LISTENER.TCP') TRPTYPE(TCP) PORT(1414) CONTROL(QMGR) REPLACE"},
 	}
 	tag := createImage(t, cli, files)
@@ -804,13 +840,194 @@ func TestInvalidMQSC(t *testing.T) {
 	expectTerminationMessage(t, cli, id)
 }

+func TestSimpleMQIniMerge(t *testing.T) {
+	t.Parallel()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var files = []struct {
+		Name, Body string
+	}{
+		{"Dockerfile", fmt.Sprintf(`
+		FROM %v
+		USER root
+		ADD test1.ini /etc/mqm/
+		RUN chmod 0660 /etc/mqm/test1.ini
+		USER 1001`, imageName())},
+		{"test1.ini",
+			"Log:\n   LogSecondaryFiles=28"},
+	}
+	tag := createImage(t, cli, files)
+	defer deleteImage(t, cli, tag)
+
+	containerConfig := container.Config{
+		Env:   []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
+		Image: tag,
+	}
+	id := runContainer(t, cli, &containerConfig)
+	defer cleanContainer(t, cli, id)
+	waitForReady(t, cli, id)
+
+	catIniFileCommand := fmt.Sprintf("cat /var/mqm/qmgrs/qm1/qm.ini")
+	_, test := execContainer(t, cli, id, "", []string{"bash", "-c", catIniFileCommand})
+	merged := strings.Contains(test, "LogSecondaryFiles=28")
+
+	if !merged {
+		t.Error("ERROR: The Files are not merged correctly")
+	}
+
+}
+func TestMultipleIniMerge(t *testing.T) {
+	t.Parallel()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var files = []struct {
+		Name, Body string
+	}{
+		{"Dockerfile", fmt.Sprintf(`
+		FROM %v
+		USER root
+		ADD test1.ini /etc/mqm/
+		ADD test2.ini /etc/mqm/
+		ADD test3.ini /etc/mqm/
+		RUN chmod 0660 /etc/mqm/test1.ini
+		RUN chmod 0660 /etc/mqm/test2.ini
+		RUN chmod 0660 /etc/mqm/test3.ini
+		USER 1001`, imageName())},
+		{"test1.ini",
+			"Log:\n LogSecondaryFiles=28"},
+		{"test2.ini",
+			"Log:\n LogSecondaryFiles=28"},
+		{"test3.ini",
+			"ApplicationTrace:\n   ApplName=amqsact*\n   Trace=OFF"},
+	}
+	tag := createImage(t, cli, files)
+	defer deleteImage(t, cli, tag)
+
+	containerConfig := container.Config{
+		Env:   []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
+		Image: tag,
+	}
+	id := runContainer(t, cli, &containerConfig)
+	defer cleanContainer(t, cli, id)
+	waitForReady(t, cli, id)
+
+	catIniFileCommand := fmt.Sprintf("cat /var/mqm/qmgrs/qm1/qm.ini")
+	_, test := execContainer(t, cli, id, "", []string{"bash", "-c", catIniFileCommand})
+
+	//checks that no duplicates are created by adding 2 ini files with the same line
+	numberOfDuplicates := strings.Count(test, "LogSecondaryFiles=28")
+
+	newStanza := strings.Contains(test, "ApplicationTrace:\n   ApplName=amqsact*")
+
+	if (numberOfDuplicates > 1) || !newStanza {
+		t.Error("ERROR: The Files are not merged correctly")
+	}
+}
+
+func TestMQIniMergeOnTheSameVolumeButTwoContainers(t *testing.T) {
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var filesFirstContainer = []struct {
+		Name, Body string
+	}{
+		{"Dockerfile", fmt.Sprintf(`
+		FROM %v
+		USER root
+		ADD test1.ini /etc/mqm/
+		RUN chmod 0660 /etc/mqm/test1.ini
+		USER 1001`, imageName())},
+		{"test1.ini",
+			"ApplicationTrace:\n   ApplName=amqsact*\n   Trace=OFF"},
+	}
+	firstImage := createImage(t, cli, filesFirstContainer)
+	defer deleteImage(t, cli, firstImage)
+	vol := createVolume(t, cli, t.Name())
+	defer removeVolume(t, cli, vol.Name)
+
+	containerConfig := container.Config{
+		Image: firstImage,
+		Env:   []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
+	}
+
+	hostConfig := container.HostConfig{
+		Binds: []string{
+			coverageBind(t),
+			vol.Name + ":/mnt/mqm",
+		},
+	}
+	networkingConfig := network.NetworkingConfig{}
+	ctr1, err := cli.ContainerCreate(context.Background(), &containerConfig, &hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	startContainer(t, cli, ctr1.ID)
+	waitForReady(t, cli, ctr1.ID)
+
+	catIniFileCommand := fmt.Sprintf("cat /var/mqm/qmgrs/qm1/qm.ini")
+	_, test := execContainer(t, cli, ctr1.ID, "", []string{"bash", "-c", catIniFileCommand})
+	addedStanza := strings.Contains(test, "ApplicationTrace:\n   ApplName=amqsact*\n   Trace=OFF")
+
+	if addedStanza != true {
+		t.Error("ERROR: The Files are not merged correctly")
+	}
+	// Delete the first container
+	cleanContainer(t, cli, ctr1.ID)
+
+	var filesSecondContainer = []struct {
+		Name, Body string
+	}{
+		{"Dockerfile", fmt.Sprintf(`
+		FROM %v
+		USER root
+		ADD test1.ini /etc/mqm/
+		RUN chmod 0660 /etc/mqm/test1.ini
+		USER 1001`, imageName())},
+		{"test1.ini",
+			"Log:\n   LogBufferPages=128"},
+	}
+
+	secondImage := createImage(t, cli, filesSecondContainer)
+	defer deleteImage(t, cli, secondImage)
+
+	containerConfig2 := container.Config{
+		Image: secondImage,
+		Env:   []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
+	}
+
+	ctr2, err := cli.ContainerCreate(context.Background(), &containerConfig2, &hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanContainer(t, cli, ctr2.ID)
+	startContainer(t, cli, ctr2.ID)
+	waitForReady(t, cli, ctr2.ID)
+
+	_, test2 := execContainer(t, cli, ctr2.ID, "", []string{"bash", "-c", catIniFileCommand})
+	changedStanza := strings.Contains(test2, "LogBufferPages=128")
+	//check if stanza that was merged in the first container doesnt exist in this one.
+	firstMergedStanza := strings.Contains(test2, "ApplicationTrace:\n   ApplName=amqsact*\n   Trace=OFF")
+
+	if !changedStanza || firstMergedStanza {
+		t.Error("ERROR: The Files are not merged correctly after removing first container")
+	}
+
+}
+
 // TestReadiness creates a new image with large amounts of MQSC in, to
 // ensure that the readiness check doesn't pass until configuration has finished.
 // WARNING: This test is sensitive to the speed of the machine it's running on.
 func TestReadiness(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -828,7 +1045,7 @@ func TestReadiness(t *testing.T) {
 		RUN rm -f /etc/mqm/*.mqsc
 		ADD test.mqsc /etc/mqm/
 		RUN chmod 0660 /etc/mqm/test.mqsc
-		USER mqm`, imageName())},
+		USER 1001`, imageName())},
 		{"test.mqsc", buf.String()},
 	}
 	tag := createImage(t, cli, files)
@@ -841,20 +1058,27 @@ func TestReadiness(t *testing.T) {
 	id := runContainer(t, cli, &containerConfig)
 	defer cleanContainer(t, cli, id)
 	queueCheckCommand := fmt.Sprintf("echo 'DISPLAY QLOCAL(test%v)' | runmqsc", numQueues)
-	_, mqsc := execContainer(t, cli, id, "root", []string{"cat", "/etc/mqm/test.mqsc"})
+	_, mqsc := execContainer(t, cli, id, "", []string{"cat", "/etc/mqm/test.mqsc"})
 	t.Log(mqsc)
 	for {
-		readyRC, _ := execContainer(t, cli, id, "mqm", []string{"chkmqready"})
-		queueCheckRC, queueCheckOut := execContainer(t, cli, id, "mqm", []string{"bash", "-c", queueCheckCommand})
-		t.Logf("readyRC=%v,queueCheckRC=%v\n", readyRC, queueCheckRC)
-
+		readyRC, _ := execContainer(t, cli, id, "", []string{"chkmqready"})
 		if readyRC == 0 {
+			queueCheckRC := -1
+			queueCheckOut := ""
+			for i := 1; i < 60; i++ {
+				queueCheckRC, queueCheckOut = execContainer(t, cli, id, "", []string{"bash", "-c", queueCheckCommand})
+				t.Logf("readyRC=%v,queueCheckRC=%v\n", readyRC, queueCheckRC)
+				if queueCheckRC == 0 {
+					break
+				}
+				time.Sleep(1 * time.Second)
+			}
 			if queueCheckRC != 0 {
 				r := regexp.MustCompile("AMQ[0-9][0-9][0-9][0-9]E")
 				t.Fatalf("Runmqsc returned %v with error %v. chkmqready returned %v when MQSC had not finished", queueCheckRC, r.FindString(queueCheckOut), readyRC)
 			} else {
 				// chkmqready says OK, and the last queue exists, so return
-				_, runmqsc := execContainer(t, cli, id, "root", []string{"bash", "-c", "echo 'DISPLAY QLOCAL(test1)' | runmqsc"})
+				_, runmqsc := execContainer(t, cli, id, "", []string{"bash", "-c", "echo 'DISPLAY QLOCAL(test1)' | runmqsc"})
 				t.Log(runmqsc)
 				return
 			}
@@ -863,9 +1087,10 @@ func TestReadiness(t *testing.T) {
 }

 func TestErrorLogRotation(t *testing.T) {
+	t.Skipf("Skipping %v until test defect fixed", t.Name())
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -903,7 +1128,7 @@ func TestErrorLogRotation(t *testing.T) {
 	for {
 		execContainer(t, cli, id, "fred", []string{"bash", "-c", "/opt/mqm/samp/bin/amqsput FAKE"})

-		_, atoiStr := execContainer(t, cli, id, "mqm", []string{"bash", "-c", "wc -c < " + filepath.Join(dir, "AMQERR02.json")})
+		_, atoiStr := execContainer(t, cli, id, "", []string{"bash", "-c", "wc -c < " + filepath.Join(dir, "AMQERR02.json")})
 		amqerr02size, _ := strconv.Atoi(atoiStr)

 		if amqerr02size > 0 {
@@ -911,7 +1136,7 @@ func TestErrorLogRotation(t *testing.T) {
 			break
 		}
 	}
-	_, out := execContainer(t, cli, id, "root", []string{"ls", "-l", dir})
+	_, out := execContainer(t, cli, id, "", []string{"ls", "-l", dir})
 	t.Log(out)
 	stopContainer(t, cli, id)
 	b := copyFromContainer(t, cli, id, filepath.Join(dir, "AMQERR01.json"))
@@ -955,7 +1180,7 @@ func TestJSONLogFormatNoMetrics(t *testing.T) {

 // Actual test function for TestJSONLogFormatWithMetrics & TestJSONLogFormatNoMetrics
 func jsonLogFormat(t *testing.T, metric bool) {
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -991,7 +1216,7 @@ func jsonLogFormat(t *testing.T, metric bool) {
 func TestBadLogFormat(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1015,7 +1240,7 @@ func TestBadLogFormat(t *testing.T) {
 func TestMQJSONDisabled(t *testing.T) {
 	t.SkipNow()
 	t.Parallel()
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1043,7 +1268,7 @@ func TestCorrectLicense(t *testing.T) {
 		t.Fatal("Required test environment variable 'EXPECTED_LICENSE' was not set.")
 	}

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1055,7 +1280,7 @@ func TestCorrectLicense(t *testing.T) {
 	defer cleanContainer(t, cli, id)
 	waitForReady(t, cli, id)

-	rc, license := execContainer(t, cli, id, "mqm", []string{"dspmqver", "-f", "8192", "-b"})
+	rc, license := execContainer(t, cli, id, "", []string{"dspmqver", "-f", "8192", "-b"})
 	if rc != 0 {
 		t.Fatalf("Failed to get license string. RC=%d. Output=%s", rc, license)
 	}
@@ -1068,7 +1293,7 @@ func TestCorrectLicense(t *testing.T) {
 func TestVersioning(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1185,3 +1410,109 @@ func TestVersioning(t *testing.T) {

 	}
 }
+
+func TestTraceStrmqm(t *testing.T) {
+	t.Parallel()
+
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	containerConfig := container.Config{
+		Env: []string{
+			"LICENSE=accept",
+			"MQ_ENABLE_TRACE_STRMQM=1",
+		},
+	}
+	id := runContainer(t, cli, &containerConfig)
+	defer cleanContainer(t, cli, id)
+	waitForReady(t, cli, id)
+
+	rc, _ := execContainer(t, cli, id, "", []string{"bash", "-c", "ls -A /var/mqm/trace | grep .TRC"})
+	if rc != 0 {
+		t.Fatalf("No trace files found in trace directory /var/mqm/trace. RC=%d.", rc)
+	}
+}
+
+// utilTestHealthCheck is used by TestHealthCheck* to run a container with
+// privileges enabled or disabled.  Otherwise the same as the golden path tests.
+func utilTestHealthCheck(t *testing.T, nonewpriv bool) {
+	t.Parallel()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	containerConfig := container.Config{
+		Env: []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
+	}
+	hostConfig := getDefaultHostConfig(t, cli)
+	hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("no-new-privileges:%v", nonewpriv))
+	id := runContainerWithHostConfig(t, cli, &containerConfig, hostConfig)
+	defer cleanContainer(t, cli, id)
+	waitForReady(t, cli, id)
+	rc, out := execContainer(t, cli, id, "", []string{"chkmqhealthy"})
+	t.Log(out)
+	if rc != 0 {
+		t.Errorf("Expected chkmqhealthy to return with exit code 0; got \"%v\"", rc)
+		t.Logf("Output from chkmqhealthy:\n%v", out)
+	}
+	// Stop the container cleanly
+	stopContainer(t, cli, id)
+}
+
+// TestHealthCheckWithNoNewPrivileges tests golden path start/stop plus
+// chkmqhealthy, when running in a container where no new privileges are
+// allowed (i.e. setuid is disabled)
+func TestHealthCheckWithNoNewPrivileges(t *testing.T) {
+	utilTestHealthCheck(t, true)
+}
+
+// TestHealthCheckWithNoNewPrivileges tests golden path start/stop plus
+// chkmqhealthy when running in a container where new privileges are
+// allowed (i.e. setuid is allowed)
+// See https://github.com/ibm-messaging/mq-container/issues/428
+func TestHealthCheckWithNewPrivileges(t *testing.T) {
+	utilTestHealthCheck(t, false)
+}
+
+// utilTestStartedCheck is used by TestStartedCheck* to run a container with
+// privileges enabled or disabled.  Otherwise the same as the golden path tests.
+func utilTestStartedCheck(t *testing.T, nonewpriv bool) {
+	t.Parallel()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	containerConfig := container.Config{
+		Env: []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
+	}
+	hostConfig := getDefaultHostConfig(t, cli)
+	hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("no-new-privileges:%v", nonewpriv))
+	id := runContainerWithHostConfig(t, cli, &containerConfig, hostConfig)
+	defer cleanContainer(t, cli, id)
+	waitForReady(t, cli, id)
+	rc, out := execContainer(t, cli, id, "", []string{"chkmqstarted"})
+	t.Log(out)
+	if rc != 0 {
+		t.Errorf("Expected chkmqstarted to return with exit code 0; got \"%v\"", rc)
+		t.Logf("Output from chkmqstarted:\n%v", out)
+	}
+	// Stop the container cleanly
+	stopContainer(t, cli, id)
+}
+
+// TestStartedCheckWithNoNewPrivileges tests golden path start/stop plus
+// chkmqstarted, when running in a container where no new privileges are
+// allowed (i.e. setuid is disabled)
+func TestStartedCheckWithNoNewPrivileges(t *testing.T) {
+	utilTestStartedCheck(t, true)
+}
+
+// TestStartedCheckWithNoNewPrivileges tests golden path start/stop plus
+// chkmqstarted when running in a container where new privileges are
+// allowed (i.e. setuid is allowed)
+// See https://github.com/ibm-messaging/mq-container/issues/428
+func TestStartedCheckWithNewPrivileges(t *testing.T) {
+	utilTestStartedCheck(t, false)
+}
--- a/test/docker/docker_api_test_util.go
+++ b/test/docker/docker_api_test_util.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2022

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"math/rand"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -259,20 +260,15 @@ func cleanContainer(t *testing.T, cli *client.Client, ID string) {
 	}
 }

-// runContainerWithPorts creates and starts a container, exposing the specified ports on the host.
-// If no image is specified in the container config, then the image name is retrieved from the TEST_IMAGE
-// environment variable.
-func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *container.Config, ports []int) string {
-	if containerConfig.Image == "" {
-		containerConfig.Image = imageName()
-	}
-	// Always run as the "mqm" user, unless the test has specified otherwise
-	if containerConfig.User == "" {
-		containerConfig.User = "mqm"
-	}
-	// if coverage
-	containerConfig.Env = append(containerConfig.Env, "COVERAGE_FILE="+t.Name()+".cov")
-	containerConfig.Env = append(containerConfig.Env, "EXIT_CODE_FILE="+getExitCodeFilename(t))
+func generateRandomUID() string {
+	rand.Seed(time.Now().UnixNano())
+	min := 1000
+	max := 9999
+	return fmt.Sprint(rand.Intn(max-min) + min)
+}
+
+// getDefaultHostConfig creates a HostConfig and populates it with the defaults used in testing
+func getDefaultHostConfig(t *testing.T, cli *client.Client) *container.HostConfig {
 	hostConfig := container.HostConfig{
 		Binds: []string{
 			coverageBind(t),
@@ -281,15 +277,9 @@ func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *co
 		CapDrop: []string{
 			"ALL",
 		},
+		Privileged: false,
 	}
 	if devImage(t, cli) {
-		t.Logf("Detected MQ Advanced for Developers image — adding extra Linux capabilities to container")
-		hostConfig.CapAdd = []string{
-			"CHOWN",
-			"SETUID",
-			"SETGID",
-			"AUDIT_WRITE",
-		}
 		// Only needed for a RHEL-based image
 		if baseImage(t, cli) != "ubuntu" {
 			hostConfig.CapAdd = append(hostConfig.CapAdd, "DAC_OVERRIDE")
@@ -297,6 +287,62 @@ func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *co
 	} else {
 		t.Logf("Detected MQ Advanced image - dropping all capabilities")
 	}
+	return &hostConfig
+}
+
+// runContainerWithHostConfig creates and starts a container, using the supplied HostConfig.
+// Note that a default HostConfig can be created using getDefaultHostConfig.
+func runContainerWithHostConfig(t *testing.T, cli *client.Client, containerConfig *container.Config, hostConfig *container.HostConfig) string {
+	if containerConfig.Image == "" {
+		containerConfig.Image = imageName()
+	}
+	// Always run as a random user, unless the test has specified otherwise
+	if containerConfig.User == "" {
+		containerConfig.User = generateRandomUID()
+	}
+	// if coverage
+	containerConfig.Env = append(containerConfig.Env, "COVERAGE_FILE="+t.Name()+".cov")
+	containerConfig.Env = append(containerConfig.Env, "EXIT_CODE_FILE="+getExitCodeFilename(t))
+	networkingConfig := network.NetworkingConfig{}
+	t.Logf("Running container (%s)", containerConfig.Image)
+	ctr, err := cli.ContainerCreate(context.Background(), containerConfig, hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	startContainer(t, cli, ctr.ID)
+	return ctr.ID
+}
+
+// runContainerWithAllConfig creates and starts a container, using the supplied ContainerConfig, HostConfig,
+// NetworkingConfig, and container name (or the value of t.Name if containerName="").
+func runContainerWithAllConfig(t *testing.T, cli *client.Client, containerConfig *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, containerName string) string {
+	if containerName == "" {
+		containerName = t.Name()
+	}
+	if containerConfig.Image == "" {
+		containerConfig.Image = imageName()
+	}
+	// Always run as a random user, unless the test has specified otherwise
+	if containerConfig.User == "" {
+		containerConfig.User = generateRandomUID()
+	}
+	// if coverage
+	containerConfig.Env = append(containerConfig.Env, "COVERAGE_FILE="+t.Name()+".cov")
+	containerConfig.Env = append(containerConfig.Env, "EXIT_CODE_FILE="+getExitCodeFilename(t))
+	t.Logf("Running container (%s)", containerConfig.Image)
+	ctr, err := cli.ContainerCreate(context.Background(), containerConfig, hostConfig, networkingConfig, containerName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	startContainer(t, cli, ctr.ID)
+	return ctr.ID
+}
+
+// runContainerWithPorts creates and starts a container, exposing the specified ports on the host.
+// If no image is specified in the container config, then the image name is retrieved from the TEST_IMAGE
+// environment variable.
+func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *container.Config, ports []int) string {
+	hostConfig := getDefaultHostConfig(t, cli)
 	for _, p := range ports {
 		port := nat.Port(fmt.Sprintf("%v/tcp", p))
 		hostConfig.PortBindings[port] = []nat.PortBinding{
@@ -305,14 +351,7 @@ func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *co
 			},
 		}
 	}
-	networkingConfig := network.NetworkingConfig{}
-	t.Logf("Running container (%s)", containerConfig.Image)
-	ctr, err := cli.ContainerCreate(context.Background(), containerConfig, &hostConfig, &networkingConfig, t.Name())
-	if err != nil {
-		t.Fatal(err)
-	}
-	startContainer(t, cli, ctr.ID)
-	return ctr.ID
+	return runContainerWithHostConfig(t, cli, containerConfig, hostConfig)
 }

 // runContainer creates and starts a container.  If no image is specified in
@@ -509,9 +548,14 @@ func getCoverageExitCode(t *testing.T, orig int64) int64 {
 func waitForContainer(t *testing.T, cli *client.Client, ID string, timeout time.Duration) int64 {
 	c, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
-	rc, err := cli.ContainerWait(c, ID)
-	if err != nil {
+	t.Logf("Waiting for container for %s", timeout)
+	okC, errC := cli.ContainerWait(c, ID, container.WaitConditionNotRunning)
+	var rc int64
+	select {
+	case err := <-errC:
 		t.Fatal(err)
+	case ok := <-okC:
+		rc = ok.StatusCode
 	}
 	if coverage() {
 		// COVERAGE: When running coverage, the exit code is written to a file,
@@ -524,6 +568,7 @@ func waitForContainer(t *testing.T, cli *client.Client, ID string, timeout time.

 // execContainer runs a command in a running container, and returns the exit code and output
 func execContainer(t *testing.T, cli *client.Client, ID string, user string, cmd []string) (int, string) {
+	t.Logf("Running command: %v", cmd)
 	config := types.ExecConfig{
 		User:        user,
 		Privileged:  false,
@@ -539,7 +584,7 @@ func execContainer(t *testing.T, cli *client.Client, ID string, user string, cmd
 	if err != nil {
 		t.Fatal(err)
 	}
-	hijack, err := cli.ContainerExecAttach(context.Background(), resp.ID, config)
+	hijack, err := cli.ContainerExecAttach(context.Background(), resp.ID, types.ExecStartCheck{})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -592,19 +637,24 @@ func execContainer(t *testing.T, cli *client.Client, ID string, user string, cmd
 }

 func waitForReady(t *testing.T, cli *client.Client, ID string) {
+
 	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 	defer cancel()

 	for {
 		select {
 		case <-time.After(1 * time.Second):
-			rc, _ := execContainer(t, cli, ID, "mqm", []string{"chkmqready"})
+			rc, _ := execContainer(t, cli, ID, "", []string{"chkmqready"})
+
 			if rc == 0 {
 				t.Log("MQ is ready")
 				return
 			} else if rc == 10 {
 				t.Log("MQ Readiness: Queue Manager Running as Standby")
 				return
+			} else if rc == 20 {
+				t.Log("MQ Readiness: Queue Manager Running as Replica")
+				return
 			}
 		case <-ctx.Done():
 			t.Fatal("Timed out waiting for container to become ready")
@@ -641,7 +691,7 @@ func removeNetwork(t *testing.T, cli *client.Client, ID string) {
 }

 func createVolume(t *testing.T, cli *client.Client, name string) types.Volume {
-	v, err := cli.VolumeCreate(context.Background(), volume.VolumesCreateBody{
+	v, err := cli.VolumeCreate(context.Background(), volume.VolumeCreateBody{
 		Driver:     "local",
 		DriverOpts: map[string]string{},
 		Labels:     map[string]string{},
@@ -781,12 +831,23 @@ func copyFromContainer(t *testing.T, cli *client.Client, id string, file string)
 }

 func getPort(t *testing.T, cli *client.Client, ID string, port int) string {
-	i, err := cli.ContainerInspect(context.Background(), ID)
-	if err != nil {
-		t.Fatal(err)
+	var inspectInfo types.ContainerJSON
+	var err error
+	for attemptsRemaining := 3; attemptsRemaining > 0; attemptsRemaining-- {
+		inspectInfo, err = cli.ContainerInspect(context.Background(), ID)
+		if err != nil {
+			t.Fatal(err)
+		}
+		portNat := nat.Port(fmt.Sprintf("%d/tcp", port))
+		if inspectInfo.NetworkSettings.Ports[portNat] == nil || len(inspectInfo.NetworkSettings.Ports[portNat]) == 0 {
+			t.Log("Container port not yet bound")
+			time.Sleep(1 * time.Second)
+			continue
+		}
+		return inspectInfo.NetworkSettings.Ports[portNat][0].HostPort
 	}
-	portNat := nat.Port(fmt.Sprintf("%d/tcp", port))
-	return i.NetworkSettings.Ports[portNat][0].HostPort
+	t.Fatal("Failed to get port")
+	return ""
 }

 func countLines(t *testing.T, r io.Reader) int {
@@ -819,3 +880,12 @@ func countTarLines(t *testing.T, b []byte) int {
 	}
 	return total
 }
+
+func getMQVersion(t *testing.T, cli *client.Client) (string, error) {
+	inspect, _, err := cli.ImageInspectWithRaw(context.Background(), imageName())
+	if err != nil {
+		return "", err
+	}
+	version := inspect.ContainerConfig.Labels["version"]
+	return version, nil
+}
--- a/test/docker/go.mod
+++ b/test/docker/go.mod
@@ -0,0 +1,40 @@
+module github.com/ibm-messaging/mq-container/test/docker
+
+go 1.19
+
+require (
+	// Note: This is not actually Docker v17.12!
+	// Go modules require the use of semver, but Docker does not use semver and has not
+	// [opted-in to use Go modules](https://github.com/golang/go/wiki/Modules#can-a-module-consume-a-package-that-has-not-opted-in-to-modules)
+	// This means that when you `go get` Docker, you need to do so based on a commit,
+	// e.g. `go get -v github.com/docker/docker@420b1d36250f9cfdc561f086f25a213ecb669b6f`,
+	// which uses the commit for [Docker v19.03.15](https://github.com/moby/moby/releases/tag/v19.03.15)
+	// Go will then find the latest tag with a semver-compatible tag.  In Docker's case,
+	// v17.12.0 is valid semver, but v18.09 and v19.03 are not.
+	// Also note: Docker v20.10 is valid semver, but the v20.10 client API requires use of Docker API
+	// version 1.41 on the server, which is currently too new for the version of Docker in Travis (Ubuntu Bionic)
+	github.com/docker/docker v17.12.0-ce-rc1.0.20210128214336-420b1d36250f+incompatible
+	github.com/docker/go-connections v0.4.0
+)
+
+require (
+	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Microsoft/go-winio v0.5.1 // indirect
+	github.com/containerd/containerd v1.6.3 // indirect
+	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/go-units v0.4.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	golang.org/x/net v0.0.0-20211216030914-fe4d6282115f // indirect
+	golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 // indirect
+	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
+	google.golang.org/grpc v1.46.0 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+	gotest.tools v2.2.0+incompatible // indirect
+)
--- a/test/docker/go.sum
+++ b/test/docker/go.sum
@@ -0,0 +1,199 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Microsoft/go-winio v0.5.1 h1:aPJp2QD7OOrhO5tQXqQoGSJc+DjDtWTGLOmNyAm6FgY=
+github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
+github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
+github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/containerd/containerd v1.6.3 h1:JfgUEIAH07xDWk6kqz0P3ArZt+KJ9YeihSC9uyFtSKg=
+github.com/containerd/containerd v1.6.3/go.mod h1:gCVGrYRYFm2E8GmuUIbj/NGD7DLZQLzSJQazjVKDOig=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
+github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v17.12.0-ce-rc1.0.20210128214336-420b1d36250f+incompatible h1:nhVo1udYfMj0Jsw0lnqrTjjf33aLpdgW9Wve9fHVzhQ=
+github.com/docker/docker v17.12.0-ce-rc1.0.20210128214336-420b1d36250f+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
+github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
+github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
+github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec=
+github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20211216030914-fe4d6282115f h1:hEYJvxw1lSnWIl8X9ofsYMklzaDs90JI2az5YMd4fPM=
+golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 h1:xHms4gcpe1YE7A3yIllJXP16CMAGuqwO2lX1mTyyRRc=
+golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa h1:I0YcKz0I7OAhddo7ya8kMnvprhcWM045PmkBdMO9zN0=
+google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
+google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
+google.golang.org/grpc v1.46.0 h1:oCjezcn6g6A75TGoKYBPgKmVBLexhYLM6MebdrPApP8=
+google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/test/docker/mq_multi_instance_test.go
+++ b/test/docker/mq_multi_instance_test.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2019
+© Copyright IBM Corporation 2019, 2020

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -32,7 +32,8 @@ var miEnv = []string{
 // TestMultiInstanceStartStop creates 2 containers in a multi instance queue manager configuration
 // and starts/stop them checking we always have an active and standby
 func TestMultiInstanceStartStop(t *testing.T) {
-	cli, err := client.NewEnvClient()
+	t.Skipf("Skipping %v until test defect fixed", t.Name())
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -74,7 +75,7 @@ func TestMultiInstanceStartStop(t *testing.T) {
 // TestMultiInstanceContainerStop starts 2 containers in a multi instance queue manager configuration,
 // stops the active queue manager, then checks to ensure the backup queue manager becomes active
 func TestMultiInstanceContainerStop(t *testing.T) {
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -108,7 +109,7 @@ func TestMultiInstanceContainerStop(t *testing.T) {
 func TestMultiInstanceRace(t *testing.T) {
 	t.Skipf("Skipping %v until file lock is implemented", t.Name())

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -154,7 +155,7 @@ func TestMultiInstanceRace(t *testing.T) {
 // mounts, then checks to ensure that the container terminates with the expected message
 func TestMultiInstanceNoSharedMounts(t *testing.T) {
 	t.Parallel()
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -173,7 +174,7 @@ func TestMultiInstanceNoSharedMounts(t *testing.T) {
 // TestMultiInstanceNoSharedLogs starts 2 multi instance queue managers without providing a shared log
 // mount, then checks to ensure that the container terminates with the expected message
 func TestMultiInstanceNoSharedLogs(t *testing.T) {
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -195,7 +196,7 @@ func TestMultiInstanceNoSharedLogs(t *testing.T) {
 // TestMultiInstanceNoSharedData starts 2 multi instance queue managers without providing a shared data
 // mount, then checks to ensure that the container terminates with the expected message
 func TestMultiInstanceNoSharedData(t *testing.T) {
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -217,7 +218,7 @@ func TestMultiInstanceNoSharedData(t *testing.T) {
 // TestMultiInstanceNoMounts starts 2 multi instance queue managers without providing a shared data
 // mount, then checks to ensure that the container terminates with the expected message
 func TestMultiInstanceNoMounts(t *testing.T) {
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/test/docker/mq_multi_instance_test_util.go
+++ b/test/docker/mq_multi_instance_test_util.go
@@ -76,7 +76,7 @@ func getActiveStandbyQueueManager(t *testing.T, cli *client.Client, qm1aId strin
 }

 func getQueueManagerStatus(t *testing.T, cli *client.Client, containerID string, queueManagerName string) string {
-	_, dspmqOut := execContainer(t, cli, containerID, "mqm", []string{"bash", "-c", "dspmq", "-m", queueManagerName})
+	_, dspmqOut := execContainer(t, cli, containerID, "", []string{"bash", "-c", "dspmq", "-m", queueManagerName})
 	regex := regexp.MustCompile(`STATUS\(.*\)`)
 	status := regex.FindString(dspmqOut)
 	status = strings.TrimSuffix(strings.TrimPrefix(status, "STATUS("), ")")
--- a/test/docker/mq_native_ha_test.go
+++ b/test/docker/mq_native_ha_test.go
@@ -0,0 +1,219 @@
+/*
+© Copyright IBM Corporation 2021, 2022
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package main
+
+import (
+	"testing"
+
+	"github.com/docker/docker/client"
+)
+
+// TestNativeHABasic creates 3 containers in a Native HA queue manager configuration
+// and ensures the queue manger and replicas start as expected
+func TestNativeHABasic(t *testing.T) {
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	version, err := getMQVersion(t, cli)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if version < "9.2.2.0" {
+		t.Skipf("Skipping %s as test requires at least MQ 9.2.2.0, but image is version %s", t.Name(), version)
+	}
+
+	containerNames := [3]string{"QM1_1", "QM1_2", "QM1_3"}
+	qmReplicaIDs := [3]string{}
+	qmVolumes := []string{}
+	qmNetwork, err := createBridgeNetwork(cli, t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer removeBridgeNetwork(cli, qmNetwork.ID)
+
+	for i := 0; i <= 2; i++ {
+		vol := createVolume(t, cli, containerNames[i])
+		defer removeVolume(t, cli, vol.Name)
+		qmVolumes = append(qmVolumes, vol.Name)
+
+		containerConfig := getNativeHAContainerConfig(containerNames[i], containerNames, defaultHAPort)
+		hostConfig := getHostConfig(t, 1, "", "", vol.Name)
+		networkingConfig := getNativeHANetworkConfig(qmNetwork.ID)
+
+		ctr := runContainerWithAllConfig(t, cli, &containerConfig, &hostConfig, &networkingConfig, containerNames[i])
+		defer cleanContainer(t, cli, ctr)
+		qmReplicaIDs[i] = ctr
+	}
+
+	waitForReadyHA(t, cli, qmReplicaIDs)
+
+	_, err = getActiveReplicaInstances(t, cli, qmReplicaIDs)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+}
+
+// TestNativeHAFailover creates 3 containers in a Native HA queue manager configuration,
+// stops the active queue manager, checks a replica becomes active, and ensures the stopped
+// queue manager comes back as a replica
+func TestNativeHAFailover(t *testing.T) {
+
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	version, err := getMQVersion(t, cli)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if version < "9.2.2.0" {
+		t.Skipf("Skipping %s as test requires at least MQ 9.2.2.0, but image is version %s", t.Name(), version)
+	}
+
+	containerNames := [3]string{"QM1_1", "QM1_2", "QM1_3"}
+	qmReplicaIDs := [3]string{}
+	qmVolumes := []string{}
+	qmNetwork, err := createBridgeNetwork(cli, t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer removeBridgeNetwork(cli, qmNetwork.ID)
+
+	for i := 0; i <= 2; i++ {
+		vol := createVolume(t, cli, containerNames[i])
+		defer removeVolume(t, cli, vol.Name)
+		qmVolumes = append(qmVolumes, vol.Name)
+
+		containerConfig := getNativeHAContainerConfig(containerNames[i], containerNames, defaultHAPort)
+		hostConfig := getHostConfig(t, 1, "", "", vol.Name)
+		networkingConfig := getNativeHANetworkConfig(qmNetwork.ID)
+
+		ctr := runContainerWithAllConfig(t, cli, &containerConfig, &hostConfig, &networkingConfig, containerNames[i])
+		defer cleanContainer(t, cli, ctr)
+		qmReplicaIDs[i] = ctr
+	}
+
+	waitForReadyHA(t, cli, qmReplicaIDs)
+
+	haStatus, err := getActiveReplicaInstances(t, cli, qmReplicaIDs)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	stopContainer(t, cli, haStatus.Active)
+	waitForFailoverHA(t, cli, haStatus.Replica)
+	startContainer(t, cli, haStatus.Active)
+	waitForReady(t, cli, haStatus.Active)
+
+	_, err = getActiveReplicaInstances(t, cli, qmReplicaIDs)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+}
+
+// TestNativeHASecure creates 3 containers in a Native HA queue manager configuration
+// with HA TLS enabled, and ensures the queue manger and replicas start as expected
+func TestNativeHASecure(t *testing.T) {
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	version, err := getMQVersion(t, cli)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if version < "9.2.2.0" {
+		t.Skipf("Skipping %s as test requires at least MQ 9.2.2.0, but image is version %s", t.Name(), version)
+	}
+
+	containerNames := [3]string{"QM1_1", "QM1_2", "QM1_3"}
+	qmReplicaIDs := [3]string{}
+	qmNetwork, err := createBridgeNetwork(cli, t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer removeBridgeNetwork(cli, qmNetwork.ID)
+
+	for i := 0; i <= 2; i++ {
+		containerConfig := getNativeHAContainerConfig(containerNames[i], containerNames, defaultHAPort)
+		containerConfig.Env = append(containerConfig.Env, "MQ_NATIVE_HA_TLS=true")
+		hostConfig := getNativeHASecureHostConfig(t)
+		networkingConfig := getNativeHANetworkConfig(qmNetwork.ID)
+
+		ctr := runContainerWithAllConfig(t, cli, &containerConfig, &hostConfig, &networkingConfig, containerNames[i])
+		defer cleanContainer(t, cli, ctr)
+		qmReplicaIDs[i] = ctr
+	}
+
+	waitForReadyHA(t, cli, qmReplicaIDs)
+
+	_, err = getActiveReplicaInstances(t, cli, qmReplicaIDs)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+}
+
+// TestNativeHASecure creates 3 containers in a Native HA queue manager configuration
+// with HA TLS enabled, overrides the default CipherSpec, and ensures the queue manger
+// and replicas start as expected
+func TestNativeHASecureCipherSpec(t *testing.T) {
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	version, err := getMQVersion(t, cli)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if version < "9.2.2.0" {
+		t.Skipf("Skipping %s as test requires at least MQ 9.2.2.0, but image is version %s", t.Name(), version)
+	}
+
+	containerNames := [3]string{"QM1_1", "QM1_2", "QM1_3"}
+	qmReplicaIDs := [3]string{}
+	qmNetwork, err := createBridgeNetwork(cli, t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer removeBridgeNetwork(cli, qmNetwork.ID)
+
+	for i := 0; i <= 2; i++ {
+		containerConfig := getNativeHAContainerConfig(containerNames[i], containerNames, defaultHAPort)
+		containerConfig.Env = append(containerConfig.Env, "MQ_NATIVE_HA_TLS=true", "MQ_NATIVE_HA_CIPHERSPEC=TLS_AES_256_GCM_SHA384")
+		hostConfig := getNativeHASecureHostConfig(t)
+		networkingConfig := getNativeHANetworkConfig(qmNetwork.ID)
+
+		ctr := runContainerWithAllConfig(t, cli, &containerConfig, &hostConfig, &networkingConfig, containerNames[i])
+		defer cleanContainer(t, cli, ctr)
+		qmReplicaIDs[i] = ctr
+	}
+
+	waitForReadyHA(t, cli, qmReplicaIDs)
+
+	_, err = getActiveReplicaInstances(t, cli, qmReplicaIDs)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+}
--- a/test/docker/mq_native_ha_test_util.go
+++ b/test/docker/mq_native_ha_test_util.go
@@ -0,0 +1,149 @@
+/*
+© Copyright IBM Corporation 2021
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package main
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
+)
+
+const defaultHAPort = 9414
+
+// HAReplicaStatus represents the Active/Replica/Replica container status of the queue manager
+type HAReplicaStatus struct {
+	Active  string
+	Replica [2]string
+}
+
+func createBridgeNetwork(cli *client.Client, t *testing.T) (types.NetworkCreateResponse, error) {
+	return cli.NetworkCreate(context.Background(), t.Name(), types.NetworkCreate{})
+}
+
+func removeBridgeNetwork(cli *client.Client, networkID string) error {
+	return cli.NetworkRemove(context.Background(), networkID)
+}
+
+func getNativeHAContainerConfig(containerName string, replicaNames [3]string, haPort int) container.Config {
+	return container.Config{
+		Env: []string{
+			"LICENSE=accept",
+			"MQ_QMGR_NAME=QM1",
+			"AMQ_CLOUD_PAK=true",
+			"MQ_NATIVE_HA=true",
+			fmt.Sprintf("HOSTNAME=%s", containerName),
+			fmt.Sprintf("MQ_NATIVE_HA_INSTANCE_0_NAME=%s", replicaNames[0]),
+			fmt.Sprintf("MQ_NATIVE_HA_INSTANCE_1_NAME=%s", replicaNames[1]),
+			fmt.Sprintf("MQ_NATIVE_HA_INSTANCE_2_NAME=%s", replicaNames[2]),
+			fmt.Sprintf("MQ_NATIVE_HA_INSTANCE_0_REPLICATION_ADDRESS=%s(%d)", replicaNames[0], haPort),
+			fmt.Sprintf("MQ_NATIVE_HA_INSTANCE_1_REPLICATION_ADDRESS=%s(%d)", replicaNames[1], haPort),
+			fmt.Sprintf("MQ_NATIVE_HA_INSTANCE_2_REPLICATION_ADDRESS=%s(%d)", replicaNames[2], haPort),
+		},
+	}
+}
+
+func getNativeHASecureHostConfig(t *testing.T) container.HostConfig {
+	return container.HostConfig{
+		Binds: []string{
+			coverageBind(t),
+			filepath.Join(getCwd(t, true), "../tls") + ":/etc/mqm/ha/pki/keys/ha",
+		},
+	}
+}
+
+func getNativeHANetworkConfig(networkID string) network.NetworkingConfig {
+	return network.NetworkingConfig{
+		EndpointsConfig: map[string]*network.EndpointSettings{
+			networkID: &network.EndpointSettings{},
+		},
+	}
+}
+
+func getActiveReplicaInstances(t *testing.T, cli *client.Client, qmReplicaIDs [3]string) (HAReplicaStatus, error) {
+
+	var actives []string
+	var replicas []string
+
+	for _, id := range qmReplicaIDs {
+		qmReplicaStatus := getQueueManagerStatus(t, cli, id, "QM1")
+		if qmReplicaStatus == "Running" {
+			actives = append(actives, id)
+		} else if qmReplicaStatus == "Replica" {
+			replicas = append(replicas, id)
+		} else {
+			err := fmt.Errorf("Expected status to be Running or Replica, got status: %s", qmReplicaStatus)
+			return HAReplicaStatus{}, err
+		}
+	}
+
+	if len(actives) != 1 || len(replicas) != 2 {
+		err := fmt.Errorf("Expected 1 Active and 2 Replicas, got: %d Active and %d Replica", len(actives), len(replicas))
+		return HAReplicaStatus{}, err
+	}
+
+	return HAReplicaStatus{actives[0], [2]string{replicas[0], replicas[1]}}, nil
+}
+
+func waitForReadyHA(t *testing.T, cli *client.Client, qmReplicaIDs [3]string) {
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()
+
+	for {
+		select {
+		case <-time.After(1 * time.Second):
+			for _, id := range qmReplicaIDs {
+				rc, _ := execContainer(t, cli, id, "", []string{"chkmqready"})
+				if rc == 0 {
+					t.Log("MQ is ready")
+					rc, _ := execContainer(t, cli, id, "", []string{"chkmqstarted"})
+					if rc == 0 {
+						t.Log("MQ has started")
+						return
+					}
+				}
+			}
+		case <-ctx.Done():
+			t.Fatal("Timed out waiting for HA Queue Manager to become ready")
+		}
+	}
+}
+
+func waitForFailoverHA(t *testing.T, cli *client.Client, replicas [2]string) {
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()
+
+	for {
+		select {
+		case <-time.After(1 * time.Second):
+			for _, id := range replicas {
+				if status := getQueueManagerStatus(t, cli, id, "QM1"); status == "Running" {
+					return
+				}
+			}
+		case <-ctx.Done():
+			t.Fatal("Timed out waiting for Native HA Queue Manager to failover to an available replica")
+		}
+	}
+}
--- a/test/docker/mqmetric_test.go
+++ b/test/docker/mqmetric_test.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018, 2022

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -28,7 +28,7 @@ import (
 func TestGoldenPathMetric(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -55,7 +55,7 @@ func TestGoldenPathMetric(t *testing.T) {
 func TestMetricNames(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -100,7 +100,7 @@ func TestMetricLabels(t *testing.T) {
 	t.Parallel()

 	requiredLabels := []string{"qmgr"}
-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -148,7 +148,7 @@ func TestMetricLabels(t *testing.T) {
 func TestRapidFirePrometheus(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -182,7 +182,7 @@ func TestRapidFirePrometheus(t *testing.T) {
 func TestSlowPrometheus(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -213,7 +213,7 @@ func TestSlowPrometheus(t *testing.T) {
 func TestContainerRestart(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -261,7 +261,7 @@ func TestContainerRestart(t *testing.T) {
 func TestQMRestart(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -286,12 +286,12 @@ func TestQMRestart(t *testing.T) {

 	// Restart just the QM (to simulate a lost connection)
 	t.Log("Stopping queue manager\n")
-	rc, out := execContainer(t, cli, id, "mqm", []string{"endmqm", "-w", "-r", defaultMetricQMName})
+	rc, out := execContainer(t, cli, id, "", []string{"endmqm", "-w", "-r", defaultMetricQMName})
 	if rc != 0 {
 		t.Fatalf("Failed to stop the queue manager. rc=%d, err=%s", rc, out)
 	}
 	t.Log("starting queue manager\n")
-	rc, out = execContainer(t, cli, id, "mqm", []string{"strmqm", defaultMetricQMName})
+	rc, out = execContainer(t, cli, id, "", []string{"strmqm", defaultMetricQMName})
 	if rc != 0 {
 		t.Fatalf("Failed to start the queue manager. rc=%d, err=%s", rc, out)
 	}
@@ -319,7 +319,7 @@ func TestQMRestart(t *testing.T) {
 func TestValidValues(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -355,7 +355,7 @@ func TestValidValues(t *testing.T) {
 func TestChangingValues(t *testing.T) {
 	t.Parallel()

-	cli, err := client.NewEnvClient()
+	cli, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/test/messaging/Dockerfile
+++ b/test/messaging/Dockerfile
@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2018, 2019
+# © Copyright IBM Corporation 2018, 2022
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,22 +15,24 @@
 ###############################################################################
 # Application build environment (Maven)
 ###############################################################################
-FROM docker.io/maven:3-ibmjava as builder
-COPY pom.xml /usr/src/mymaven/
-WORKDIR /usr/src/mymaven
+FROM registry.access.redhat.com/ubi8/openjdk-8 as builder
+COPY pom.xml .
+#WORKDIR /usr/src/mymaven
 # Download dependencies separately, so Docker caches them
 RUN mvn dependency:go-offline install
 # Copy source
-COPY src /usr/src/mymaven/src
+COPY src .
 # Run the main build
 RUN mvn --offline install
 # Print a list of all the files (useful for debugging)
-RUN find /usr/src/mymaven
+RUN find .

 ###############################################################################
 # Application runtime (JRE only, no build environment)
 ###############################################################################
-FROM docker.io/ibmjava:8-jre
-COPY --from=builder /usr/src/mymaven/target/*.jar /opt/app/
-COPY --from=builder /usr/src/mymaven/target/lib/*.jar /opt/app/
+# OpenJDK is not technically supported with the MQ client, but is good enough for these tests
+FROM registry.access.redhat.com/ubi8/openjdk-8-runtime
+COPY --from=builder /home/jboss/target/*.jar /opt/app/
+COPY --from=builder /home/jboss/target/lib/*.jar /opt/app/
+USER 1001
 ENTRYPOINT ["java", "-classpath", "/opt/app/*", "org.junit.platform.console.ConsoleLauncher", "-p", "com.ibm.mqcontainer.test", "--details", "verbose"]
--- a/test/messaging/pom.xml
+++ b/test/messaging/pom.xml
@@ -1,5 +1,5 @@
 <!--
-© Copyright IBM Corporation 2018
+© Copyright IBM Corporation 2018, 2022

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -26,25 +26,25 @@ limitations under the License.
    <dependency>
      <groupId>com.ibm.mq</groupId>
      <artifactId>com.ibm.mq.allclient</artifactId>
-      <version>9.1.3.0</version>
+      <version>9.3.0.0</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter-api</artifactId>
-      <version>5.5.2</version>
+      <version>5.8.2</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter-engine</artifactId>
-      <version>5.5.2</version>
+      <version>5.8.2</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>org.junit.platform</groupId>
      <artifactId>junit-platform-console-standalone</artifactId>
-      <version>1.5.2</version>
+      <version>1.8.2</version>
      <scope>runtime</scope>
    </dependency>
  </dependencies>
@@ -65,5 +65,9 @@ limitations under the License.
        </executions>
      </plugin>
    </plugins>
-</build>
+  </build>
+  <properties>
+      <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+      <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+  </properties>
 </project>
--- a/test/messaging/src/main/java/com/ibm/mqcontainer/test/JMSTests.java
+++ b/test/messaging/src/main/java/com/ibm/mqcontainer/test/JMSTests.java
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018
+© Copyright IBM Corporation 2018, 2021

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -15,7 +15,7 @@ limitations under the License.
 */
 package com.ibm.mqcontainer.test;

-import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.*;

 import java.io.FileInputStream;
 import java.io.IOException;
@@ -32,9 +32,12 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManagerFactory;

+import com.ibm.mq.MQException;
+import com.ibm.mq.constants.MQConstants;
 import com.ibm.mq.jms.MQConnectionFactory;
 import com.ibm.mq.jms.MQQueue;
 import com.ibm.msg.client.wmq.WMQConstants;
+import com.ibm.msg.client.jms.DetailedJMSSecurityRuntimeException;

 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.AfterEach;
@@ -57,27 +60,18 @@ class JMSTests {
    static SSLSocketFactory createSSLSocketFactory() throws IOException, GeneralSecurityException {
        KeyStore ts=KeyStore.getInstance("jks");
        ts.load(new FileInputStream(TRUSTSTORE), PASSPHRASE.toCharArray());
-        // KeyManagerFactory kmf=KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        TrustManagerFactory tmf=TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
-        // tmf.init();
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
-        // Security.setProperty("crypto.policy", "unlimited");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

-    static JMSContext create(String channel, String addr, String user, String password) throws JMSException, IOException, GeneralSecurityException {
-        LOGGER.info(String.format("Connecting to %s/TCP/%s(1414) as %s", channel, addr, user));
+    static MQConnectionFactory createMQConnectionFactory(String channel, String addr) throws JMSException, IOException, GeneralSecurityException {
        MQConnectionFactory factory = new MQConnectionFactory();
        factory.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        factory.setChannel(channel);
        factory.setConnectionNameList(String.format("%s(1414)", addr));
-        // If a password is set, make sure it gets sent to the queue manager for authentication
-        if (password != null) {
-            factory.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
-        }
-        // factory.setClientReconnectOptions(WMQConstants.WMQ_CLIENT_RECONNECT);
        if (TRUSTSTORE == null) {
            LOGGER.info("Not using TLS");
        }
@@ -94,12 +88,33 @@ class JMSTests {
                 factory.setSSLCipherSuite("TLS_RSA_WITH_AES_128_CBC_SHA256");
            }
        }
-        // Give up if unable to reconnect for 10 minutes
-        // factory.setClientReconnectTimeout(600);
-        // LOGGER.info(String.format("user=%s pw=%s", user, password));
+        return factory;
+    }
+
+    /**
+     * Create a JMSContext with the supplied user and password.
+     */
+    static JMSContext create(String channel, String addr, String user, String password) throws JMSException, IOException, GeneralSecurityException {
+        LOGGER.info(String.format("Connecting to %s/TCP/%s(1414) as %s", channel, addr, user));
+        MQConnectionFactory factory = createMQConnectionFactory(channel, addr);
+        // If a password is set, make sure it gets sent to the queue manager for authentication
+        if (password != null) {
+            factory.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
+        }
+        LOGGER.info(String.format("CSP authentication: %s", factory.getBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP)));
        return factory.createContext(user, password);
    }

+    /**
+     * Create a JMSContext with the default user identity (from the OS)
+     */
+    static JMSContext create(String channel, String addr) throws JMSException, IOException, GeneralSecurityException {
+        LOGGER.info(String.format("Connecting to %s/TCP/%s(1414) as OS user '%s'", channel, addr, System.getProperty("user.name")));
+        MQConnectionFactory factory = createMQConnectionFactory(channel, addr);
+        LOGGER.info(String.format("CSP authentication: %s", factory.getBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP)));
+        return factory.createContext();
+    }
+
    @BeforeAll
    private static void waitForQueueManager() {
        for (int i = 0; i < 20; i++) {
@@ -116,28 +131,34 @@ class JMSTests {
        }
    }

-    @BeforeEach
-    void connect() throws Exception {
-        context = create(CHANNEL, ADDR, USER, PASSWORD);
-    }
-
    @Test
-    void succeedingTest(TestInfo t) throws JMSException {
+    void putGetTest(TestInfo t) throws Exception {
+        context = create(CHANNEL, ADDR, USER, PASSWORD);
        Queue queue = new MQQueue("DEV.QUEUE.1");
        context.createProducer().send(queue, t.getDisplayName());
        Message m = context.createConsumer(queue).receive();
        assertNotNull(m.getBody(String.class));
    }

-    // @Test
-    // void failingTest() {
-    //     fail("a failing test");
-    // }
-
    @Test
-    @Disabled("for demonstration purposes")
-    void skippedTest() {
-        // not executed
+    void defaultIdentityTest(TestInfo t) throws Exception {
+        LOGGER.info(String.format("Password='%s'", PASSWORD));
+        try {
+            // Don't pass a user/password, which should cause the default identity to be used
+            context = create(CHANNEL, ADDR);
+        } catch (DetailedJMSSecurityRuntimeException ex) {
+            Throwable cause = ex.getCause();
+            assertNotNull(cause);
+            assertTrue(cause instanceof MQException);
+            assertEquals(MQConstants.MQRC_NOT_AUTHORIZED, ((MQException)cause).getReason());
+            return;
+        }
+        // The default developer config allows any user to appear as "app", and use a blank password.  This is done with the MCAUSER on the channel.
+        // If this test is run on a queue manager without a password set, then it should be possible to connect without exception.
+        // If this test is run on a queue manager with a password set, then an exception should be thrown, because this test doesn't send a password.
+        if ((PASSWORD != null) && (PASSWORD != "")) {
+            fail("Exception not thrown");
+        }
    }

    @AfterEach
@@ -146,9 +167,4 @@ class JMSTests {
            context.close();
        }
    }
-
-    @AfterAll
-    static void tearDownAll() {
-    }
-
 }
--- a/test/tls/client-trust.jks
+++ b/test/tls/client-trust.jks
--- a/test/tls/generate-test-cert.sh
+++ b/test/tls/generate-test-cert.sh
@@ -1,6 +1,6 @@
-#!/bin/bash
+#!/bin/bash -ex
 # -*- mode: sh -*-
-# © Copyright IBM Corporation 2018
+# © Copyright IBM Corporation 2018, 2021
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@ PASSWORD=passw0rd
 openssl req \
       -newkey rsa:2048 -nodes -keyout ${KEY} \
       -subj "/CN=localhost" \
+       -addext "subjectAltName = DNS:localhost" \
       -x509 -days 3650 -out ${CERT}

 # Add the key and certificate to a PKCS #12 key store, for the server to use
--- a/Show More
+++ b/Show More