Export variable

Also add new tests for chkmqhealthy and privileges

.travis.yml

@@ -19,7 +19,7 @@ sudo: required
 language: go
 
 go:
-  - "1.12"
+  - "1.13.15"
 
 services:
   - docker
@@ -32,18 +32,19 @@ go_import_path: "github.com/ibm-messaging/mq-container"
 
 env:
   global:
-    - RELEASE=""
+    - RELEASE="r2"
 
 jobs:
   include:
-    - stage: build
-      name: "Basic build"
+    - stage: basic-build
       if: branch != private-master AND tag IS blank
+      name: "Basic AMD64 build"
       os: linux
       env:
         - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_920_ARCHIVE_REPOSITORY_DEV_AMD64
       script: bash -e travis-build-scripts/run.sh
-    - if: branch = private-master OR tag =~ ^release-candidate*
+    - stage: build
+      if: branch = private-master OR tag =~ ^release-candidate*
       name: "Multi-Arch AMD64 build"
       os: linux
       env:
@@ -60,16 +61,20 @@ jobs:
     #     # - MQ_ARCHIVE_REPOSITORY=$MQ_920_ARCHIVE_REPOSITORY_PPC64LE
     #     - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_920_ARCHIVE_REPOSITORY_DEV_PPC64LE
     #   script: bash -e travis-build-scripts/run.sh
-    # - if: branch = private-master OR tag =~ ^release-candidate*
-    #   name: "Multi-Arch S390X build"
-    #   os: linux-s390
-    #   env:
-    #     - BUILD_ALL=true
-    #     - TEST_OPTS_DOCKER="-run TestGoldenPathWithMetrics"
-    #     # - MQ_ARCHIVE_REPOSITORY=$MQ_920_ARCHIVE_REPOSITORY_S390X
-    #     - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_920_ARCHIVE_REPOSITORY_DEV_S390X
-    #   script: bash -e travis-build-scripts/run.sh
-
+    - stage: build
+      if: branch = private-master OR tag =~ ^release-candidate*
+      name: "Multi-Arch S390X build"
+      os: linux-s390
+      env:
+        - BUILD_ALL=true
+        - TEST_OPTS_DOCKER="-run TestGoldenPathWithMetrics"
+        - MQ_ARCHIVE_REPOSITORY=$MQ_920_ARCHIVE_REPOSITORY_S390X
+        - MQ_ARCHIVE_REPOSITORY_DEV=$MQ_920_ARCHIVE_REPOSITORY_DEV_S390X
+      script: bash -e travis-build-scripts/run.sh
+    - stage: push-manifest
+      if: branch = private-master OR tag =~ ^release-candidate*
+      name: "Push Manifest-list to registry"
+      script: make push-manifest
 before_install:
   - make install-build-deps
   - make install-credential-helper

Dockerfile-server

@@ -13,18 +13,20 @@
 # limitations under the License.
 
 ARG BASE_IMAGE=registry.redhat.io/ubi8/ubi-minimal
-ARG BASE_TAG=8.2-301.1593113563
+ARG BASE_TAG=8.2-349
+ARG GO_WORKDIR=/go/src/github.com/ibm-messaging/mq-container
+ARG MQ_URL="https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/9.2.0.0-IBM-MQ-Advanced-for-Developers-Non-Install-LinuxX64.tar.gz"
 ###############################################################################
 # Build stage to build Go code
 ###############################################################################
-FROM registry.redhat.io/ubi8/go-toolset:1.13.4-22 as builder
-# FROM docker.io/centos/go-toolset-7-centos7 as builder
+FROM golang:1.13.15 as builder
 # The URL to download the MQ installer from in tar.gz format
-# This assumes an archive containing the MQ RPM install packages
-ARG MQ_URL="https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/mqadv_dev912_linux_x86-64.tar.gz"
+# This assumes an archive containing the MQ Non-Install packages
+ARG MQ_URL
 ARG IMAGE_REVISION="Not specified"
 ARG IMAGE_SOURCE="Not specified"
 ARG IMAGE_TAG="Not specified"
+ARG GO_WORKDIR
 USER 0
 COPY install-mq.sh /usr/local/bin/
 RUN mkdir /opt/mqm \
@@ -32,13 +34,12 @@ RUN mkdir /opt/mqm \
   && sleep 1 \
   && INSTALL_SDK=1 install-mq.sh \
   && chown -R 1001:root /opt/mqm/*
-WORKDIR /opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/
+WORKDIR $GO_WORKDIR/
 COPY cmd/ ./cmd
 COPY internal/ ./internal
 COPY pkg/ ./pkg
 COPY vendor/ ./vendor
-ENV PATH="${PATH}:/opt/rh/go-toolset-1.11/root/usr/bin" \
-    CGO_CFLAGS="-I/opt/mqm/inc/" \
+ENV CGO_CFLAGS="-I/opt/mqm/inc/" \
     CGO_LDFLAGS_ALLOW="-Wl,-rpath.*"
 RUN go build -ldflags "-X \"main.ImageCreated=$(date --iso-8601=seconds)\" -X \"main.ImageRevision=$IMAGE_REVISION\" -X \"main.ImageSource=$IMAGE_SOURCE\" -X \"main.ImageTag=$IMAGE_TAG\"" ./cmd/runmqserver/
 RUN go build ./cmd/chkmqready/
@@ -58,11 +59,10 @@ RUN go vet ./cmd/... ./internal/...
 ###############################################################################
 FROM $BASE_IMAGE:$BASE_TAG AS mq-server
 # The MQ packages to install - see install-mq.sh for default value
-ARG MQ_URL="https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/mqadv_dev914_linux_x86-64.tar.gz"
-ARG MQ_PACKAGES="MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesWeb*.rpm MQSeriesAMS-*.rpm"
-#ARG MQ_PACKAGES="ibmmq-server ibmmq-java ibmmq-jre ibmmq-gskit ibmmq-msg-.* ibmmq-samples ibmmq-web ibmmq-ams"
+ARG MQ_URL
 ARG BASE_IMAGE
 ARG BASE_TAG
+ARG GO_WORKDIR
 LABEL summary="IBM MQ Advanced Server"
 LABEL description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises"
 LABEL vendor="IBM"
@@ -89,15 +89,15 @@ RUN env \
 # Create a directory for runtime data from runmqserver
 RUN mkdir -p /run/runmqserver \
   && chown 1001:root /run/runmqserver
-COPY --from=builder /opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/runmqserver /usr/local/bin/
-COPY --from=builder /opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/chkmq* /usr/local/bin/
+COPY --from=builder $GO_WORKDIR/runmqserver /usr/local/bin/
+COPY --from=builder $GO_WORKDIR/chkmq* /usr/local/bin/
 COPY NOTICES.txt /opt/mqm/licenses/notices-container.txt
 # Copy web XML files
 COPY web /etc/mqm/web
 COPY etc/mqm/*.tpl /etc/mqm/
 RUN chmod ug+x /usr/local/bin/runmqserver \
   && chown 1001:root /usr/local/bin/*mq* \
-  && chmod ug+xs /usr/local/bin/chkmq* \
+  && chmod ug+x /usr/local/bin/chkmq* \
   && chown -R 1001:root /etc/mqm/* \
   && install --directory --mode 2775 --owner 1001 --group root /run/runmqserver \
   && touch /run/termination-log \
@@ -120,6 +120,7 @@ ENTRYPOINT ["runmqserver"]
 FROM mq-server AS mq-dev-server
 ARG BASE_IMAGE
 ARG BASE_TAG
+ARG GO_WORKDIR
 # Enable MQ developer default configuration
 ENV MQ_DEV=true
 LABEL summary="IBM MQ Advanced for Developers Server"
@@ -134,7 +135,7 @@ LABEL io.k8s.description="Simplify, accelerate and facilitate the reliable excha
 LABEL base-image=$BASE_IMAGE
 LABEL base-image-release=$BASE_TAG
 USER 0
-COPY --from=builder /opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/amqpas* /opt/mqm/lib64/
+COPY --from=builder $GO_WORKDIR/amqpas* /opt/mqm/lib64/
 COPY etc/mqm/*.ini /etc/mqm/
 COPY etc/mqm/mq.htpasswd /etc/mqm/
 RUN chmod 0660 /etc/mqm/mq.htpasswd
@@ -145,7 +146,7 @@ RUN chmod u+x /usr/local/bin/install-extra-packages.sh \
 # Create a directory for runtime data from runmqserver
 RUN mkdir -p /run/runmqdevserver \
   && chown 1001:root /run/runmqdevserver
-COPY --from=builder /opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/runmqdevserver /usr/local/bin/
+COPY --from=builder $GO_WORKDIR/runmqdevserver /usr/local/bin/
 # Copy template files
 COPY incubating/mqadvanced-server-dev/*.tpl /etc/mqm/
 # Copy web XML files for default developer configuration

Makefile

@@ -37,7 +37,9 @@ MQ_ARCHIVE_DEV ?= $(MQ_VERSION)-IBM-MQ-Advanced-for-Developers-Non-Install-$(MQ_
 # MQ_SDK_ARCHIVE specifies the archive to use for building the golang programs.  Defaults vary on developer or advanced.
 MQ_SDK_ARCHIVE ?= $(MQ_ARCHIVE_DEV_$(MQ_VERSION))
 # Options to `go test` for the Docker tests
-TEST_OPTS_DOCKER ?=
+TEST_OPTS_DOCKER ?= 
+# Timeout for the Docker tests
+TEST_TIMEOUT_DOCKER ?= 30m
 # MQ_IMAGE_ADVANCEDSERVER is the name of the built MQ Advanced image
 MQ_IMAGE_ADVANCEDSERVER ?=ibm-mqadvanced-server
 # MQ_IMAGE_DEVSERVER is the name of the built MQ Advanced for Developers image
@@ -60,6 +62,8 @@ REGISTRY_USER ?=
 REGISTRY_PASS ?=
 # ARCH is the platform architecture (e.g. amd64, ppc64le or s390x)
 ARCH ?= $(if $(findstring x86_64,$(shell uname -m)),amd64,$(shell uname -m))
+# Tag to use for fat-manifest 
+MQ_MANIFEST_TAG=$(MQ_VERSION)
 
 ###############################################################################
 # Other variables
@@ -71,7 +75,7 @@ MQ_ARCHIVE_DEV_TYPE=Linux
 BUILD_SERVER_CONTAINER=build-server
 # NUM_CPU is the number of CPUs available to Docker.  Used to control how many
 # test run in parallel
-NUM_CPU = $(or $(shell docker info --format "{{ .NCPU }}"),2)
+NUM_CPU ?= $(or $(shell docker info --format "{{ .NCPU }}"),2)
 # BASE_IMAGE_TAG is a normalized version of BASE_IMAGE, suitable for use in a Docker tag
 BASE_IMAGE_TAG=$(lastword $(subst /, ,$(subst :,-,$(BASE_IMAGE))))
 #BASE_IMAGE_TAG=$(subst /,-,$(subst :,-,$(BASE_IMAGE)))
@@ -113,10 +117,19 @@ endif
 ifneq "$(RELEASE)" "$(EMPTY)"
 	MQ_TAG=$(MQ_VERSION)-$(RELEASE)-$(ARCH)
 	EXTRA_LABELS=--label release=$(RELEASE)
+	MQ_MANIFEST_TAG=$(MQ_VERSION)-$(RELEASE)
 endif
 MQ_IMAGE_FULL_RELEASE_NAME=$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG)
 MQ_IMAGE_DEV_FULL_RELEASE_NAME=$(MQ_IMAGE_DEVSERVER):$(MQ_TAG)
 
+#setup variables for fat-manifests
+MQ_IMAGE_DEVSERVER_MANIFEST=$(MQ_IMAGE_DEVSERVER):$(MQ_MANIFEST_TAG)
+MQ_IMAGE_ADVANCEDSERVER_MANIFEST=$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_MANIFEST_TAG)
+MQ_IMAGE_DEVSERVER_AMD64=$(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_DEVSERVER):$(MQ_MANIFEST_TAG)-amd64
+MQ_IMAGE_DEVSERVER_S390X=$(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_DEVSERVER):$(MQ_MANIFEST_TAG)-s390x
+MQ_IMAGE_ADVANCEDSERVER_AMD64=$(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_MANIFEST_TAG)-amd64
+MQ_IMAGE_ADVANCEDSERVER_S390X=$(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_MANIFEST_TAG)-s390x
+
 ###############################################################################
 # Build targets
 ###############################################################################
@@ -133,6 +146,9 @@ test-all: build-devjmstest test-devserver test-advancedserver
 .PHONY: devserver
 devserver: build-devserver build-devjmstest test-devserver
 
+.PHONY: advancedserver
+advancedserver: build-advancedserver test-advancedserver
+
 # Build incubating components
 .PHONY: incubating
 incubating: build-explorer
@@ -169,7 +185,7 @@ test-unit:
 test-advancedserver: test/docker/vendor
 	$(info $(SPACER)$(shell printf $(TITLE)"Test $(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG) on $(shell docker --version)"$(END)))
 	docker inspect $(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG)
-	cd test/docker && TEST_IMAGE=$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG) EXPECTED_LICENSE=Production go test -parallel $(NUM_CPU) $(TEST_OPTS_DOCKER)
+	cd test/docker && TEST_IMAGE=$(MQ_IMAGE_ADVANCEDSERVER):$(MQ_TAG) EXPECTED_LICENSE=Production go test -parallel $(NUM_CPU) -timeout $(TEST_TIMEOUT_DOCKER) $(TEST_OPTS_DOCKER)
 
 .PHONY: build-devjmstest
 build-devjmstest:
@@ -179,8 +195,9 @@ build-devjmstest:
 .PHONY: test-devserver
 test-devserver: test/docker/vendor
 	$(info $(SPACER)$(shell printf $(TITLE)"Test $(MQ_IMAGE_DEVSERVER):$(MQ_TAG) on $(shell docker --version)"$(END)))
+	
 	docker inspect $(MQ_IMAGE_DEVSERVER):$(MQ_TAG)
-	cd test/docker && TEST_IMAGE=$(MQ_IMAGE_DEVSERVER):$(MQ_TAG) EXPECTED_LICENSE=Developer DEV_JMS_IMAGE=$(DEV_JMS_IMAGE) IBMJRE=true go test -parallel $(NUM_CPU) -tags mqdev $(TEST_OPTS_DOCKER)
+	cd test/docker && TEST_IMAGE=$(MQ_IMAGE_DEVSERVER):$(MQ_TAG) EXPECTED_LICENSE=Developer DEV_JMS_IMAGE=$(DEV_JMS_IMAGE) IBMJRE=true go test -parallel $(NUM_CPU) -timeout $(TEST_TIMEOUT_DOCKER) -tags mqdev $(TEST_OPTS_DOCKER)
 
 .PHONY: coverage
 coverage:
@@ -342,6 +359,26 @@ pull-devserver:
 	$(COMMAND) pull $(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_DEV_FULL_RELEASE_NAME)
 	$(COMMAND) tag $(MQ_DELIVERY_REGISTRY_FULL_PATH)/$(MQ_IMAGE_DEV_FULL_RELEASE_NAME) $(MQ_IMAGE_DEVSERVER)\:$(MQ_TAG)
 
+.PHONY: push-manifest
+push-manifest: build-skopeo-container
+	$(info $(SPACER)$(shell printf $(TITLE)"** Determining the image digests **"$(END)))
+	$(eval MQ_IMAGE_DEVSERVER_AMD64_DIGEST=$(shell $(COMMAND) run skopeo:latest --override-os linux --override-arch s390x  inspect --creds $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) docker://$(MQ_IMAGE_DEVSERVER_AMD64) | jq -r .Digest))
+	$(eval MQ_IMAGE_DEVSERVER_S390X_DIGEST=$(shell $(COMMAND) run skopeo:latest --override-os linux inspect --creds $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) docker://$(MQ_IMAGE_DEVSERVER_S390X) | jq -r .Digest))
+	$(eval MQ_IMAGE_ADVANCEDSERVER_AMD64_DIGEST=$(shell $(COMMAND) run skopeo:latest --override-os linux inspect --creds $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) docker://$(MQ_IMAGE_ADVANCEDSERVER_AMD64) | jq -r .Digest))
+	$(eval MQ_IMAGE_ADVANCEDSERVER_S390X_DIGEST=$(shell $(COMMAND) run skopeo:latest --override-os linux inspect --creds $(MQ_ARCHIVE_REPOSITORY_USER):$(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) docker://$(MQ_IMAGE_ADVANCEDSERVER_S390X) | jq -r .Digest))
+	$(info $(shell printf "** Determined the built $(MQ_IMAGE_DEVSERVER_AMD64) has a digest of $(MQ_IMAGE_DEVSERVER_AMD64_DIGEST)**"$(END)))
+	$(info $(shell printf "** Determined the built $(MQ_IMAGE_DEVSERVER_S390X) has a digest of $(MQ_IMAGE_DEVSERVER_S390X_DIGEST)**"$(END)))
+	$(info $(shell printf "** Determined the built $(MQ_IMAGE_ADVANCEDSERVER_AMD64) has a digest of $(MQ_IMAGE_ADVANCEDSERVER_AMD64_DIGEST)**"$(END)))
+	$(info $(shell printf "** Determined the built $(MQ_IMAGE_ADVANCEDSERVER_S390X) has a digest of $(MQ_IMAGE_ADVANCEDSERVER_S390X_DIGEST)**"$(END)))
+	$(info $(shell printf "** Calling script to create fat-manifest for $(MQ_IMAGE_DEVSERVER_MANIFEST)**"$(END)))
+	echo $(shell ./travis-build-scripts/create-manifest-list.sh -r $(MQ_DELIVERY_REGISTRY_HOSTNAME) -n $(MQ_DELIVERY_REGISTRY_NAMESPACE) -i $(MQ_IMAGE_DEVSERVER) -t $(MQ_MANIFEST_TAG) -u $(MQ_ARCHIVE_REPOSITORY_USER) -p $(MQ_ARCHIVE_REPOSITORY_CREDENTIAL)  -d "$(MQ_IMAGE_DEVSERVER_AMD64_DIGEST) $(MQ_IMAGE_DEVSERVER_S390X_DIGEST)" $(END))
+	$(info $(shell printf "** Calling script to create fat-manifest for $(MQ_IMAGE_ADVANCEDSERVER_MANIFEST)**"$(END)))
+	echo $(shell ./travis-build-scripts/create-manifest-list.sh -r $(MQ_DELIVERY_REGISTRY_HOSTNAME) -n $(MQ_DELIVERY_REGISTRY_NAMESPACE) -i $(MQ_IMAGE_ADVANCEDSERVER) -t $(MQ_MANIFEST_TAG) -u $(MQ_ARCHIVE_REPOSITORY_USER) -p $(MQ_ARCHIVE_REPOSITORY_CREDENTIAL) -d "$(MQ_IMAGE_ADVANCEDSERVER_AMD64_DIGEST) $(MQ_IMAGE_ADVANCEDSERVER_S390X_DIGEST)" $(END))
+	
+.PHONY: build-skopeo-container
+build-skopeo-container:
+	$(COMMAND) images | grep -q "skopeo"; if [ $$? != 0 ]; then docker build -t skopeo:latest ./docker-builds/skopeo/; fi
+
 .PHONY: clean
 clean:
 	rm -rf ./coverage

cmd/chkmqhealthy/main.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2020
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -36,11 +36,11 @@ func queueManagerHealthy() (bool, error) {
 	cmd := exec.Command("dspmq", "-n", "-m", name)
 	// Run the command and wait for completion
 	out, err := cmd.CombinedOutput()
+	fmt.Printf("%s", out)
 	if err != nil {
 		fmt.Println(err)
 		return false, err
 	}
-	fmt.Printf("%s", out)
 	if !strings.Contains(string(out), "(RUNNING)") && !strings.Contains(string(out), "(RUNNING AS STANDBY)") && !strings.Contains(string(out), "(STARTING)") {
 		return false, nil
 	}

docker-builds/skopeo/Dockerfile

@@ -0,0 +1,17 @@
+# © Copyright IBM Corporation 2020
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM fedora:32
+RUN yum install skopeo -y -qq
+ENTRYPOINT [ "skopeo" ]

docs/testing.md

@@ -14,17 +14,19 @@ There are two main sets of tests:
 2. Docker tests, which test a complete Docker image, using the Docker API
 
 ### Running the Docker tests
-The Docker tests can be run locally on a machine with Docker.  For example:
+ 
+The Docker tests can be run locally on a machine with Docker. For example:
 
 ```
-make test-devserver
-make test-advancedserver
+make devserver
+make advancedserver
 ```
 
 You can specify the image to use directly by using the `MQ_IMAGE_ADVANCEDSERVER` or `MQ_IMAGE_DEVSERVER` variables, for example:
 
 ```
 MQ_IMAGE_ADVANCEDSERVER=ibm-mqadvanced-server:9.2.0.0-amd64 make test-advancedserver
+```
 
 You can pass parameters to `go test` with an environment variable.  For example, to run the "TestGoldenPath" test, run the following command:
 

test/docker/docker_api_test.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2020
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -1433,3 +1433,44 @@ func TestTraceStrmqm(t *testing.T) {
 		t.Fatalf("No trace files found in trace directory /var/mqm/trace. RC=%d.", rc)
 	}
 }
+
+// utilTestHealthCheck is used by TestHealthCheck* to run a container with
+// privileges enabled or disabled.  Otherwise the same as the golden path tests.
+func utilTestHealthCheck(t *testing.T, nonewpriv bool) {
+	t.Parallel()
+	cli, err := client.NewEnvClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+	containerConfig := container.Config{
+		Env: []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
+	}
+	hostConfig := getDefaultHostConfig(t, cli)
+	hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("no-new-privileges:%v", nonewpriv))
+	id := runContainerWithHostConfig(t, cli, &containerConfig, hostConfig)
+	defer cleanContainer(t, cli, id)
+	waitForReady(t, cli, id)
+	rc, out := execContainer(t, cli, id, "", []string{"chkmqhealthy"})
+	t.Log(out)
+	if rc != 0 {
+		t.Errorf("Expected chkmqhealthy to return with exit code 0; got \"%v\"", rc)
+		t.Logf("Output from chkmqhealthy:\n%v", out)
+	}
+	// Stop the container cleanly
+	stopContainer(t, cli, id)
+}
+
+// TestHealthCheckWithNoNewPrivileges tests golden path start/stop plus
+// chkmqhealthy, when running in a container where no new privileges are
+// allowed (i.e. setuid is disabled)
+func TestHealthCheckWithNoNewPrivileges(t *testing.T) {
+	utilTestHealthCheck(t, true)
+}
+
+// TestHealthCheckWithNoNewPrivileges tests golden path start/stop plus
+// chkmqhealthy when running in a container where new privileges are
+// allowed (i.e. setuid is allowed)
+// See https://github.com/ibm-messaging/mq-container/issues/428
+func TestHealthCheckWithNewPrivileges(t *testing.T) {
+	utilTestHealthCheck(t, false)
+}

test/docker/docker_api_test_util.go

@@ -267,20 +267,8 @@ func generateRandomUID() string {
 	return fmt.Sprint(rand.Intn(max-min) + min)
 }
 
-// runContainerWithPorts creates and starts a container, exposing the specified ports on the host.
-// If no image is specified in the container config, then the image name is retrieved from the TEST_IMAGE
-// environment variable.
-func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *container.Config, ports []int) string {
-	if containerConfig.Image == "" {
-		containerConfig.Image = imageName()
-	}
-	// Always run as a random user, unless the test has specified otherwise
-	if containerConfig.User == "" {
-		containerConfig.User = generateRandomUID()
-	}
-	// if coverage
-	containerConfig.Env = append(containerConfig.Env, "COVERAGE_FILE="+t.Name()+".cov")
-	containerConfig.Env = append(containerConfig.Env, "EXIT_CODE_FILE="+getExitCodeFilename(t))
+// getDefaultHostConfig creates a HostConfig and populates it with the defaults used in testing
+func getDefaultHostConfig(t *testing.T, cli *client.Client) *container.HostConfig {
 	hostConfig := container.HostConfig{
 		Binds: []string{
 			coverageBind(t),
@@ -299,6 +287,37 @@ func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *co
 	} else {
 		t.Logf("Detected MQ Advanced image - dropping all capabilities")
 	}
+	return &hostConfig
+}
+
+// runContainerWithHostConfig creates and starts a container, using the supplied HostConfig.
+// Note that a default HostConfig can be created using getDefaultHostConfig.
+func runContainerWithHostConfig(t *testing.T, cli *client.Client, containerConfig *container.Config, hostConfig *container.HostConfig) string {
+	if containerConfig.Image == "" {
+		containerConfig.Image = imageName()
+	}
+	// Always run as a random user, unless the test has specified otherwise
+	if containerConfig.User == "" {
+		containerConfig.User = generateRandomUID()
+	}
+	// if coverage
+	containerConfig.Env = append(containerConfig.Env, "COVERAGE_FILE="+t.Name()+".cov")
+	containerConfig.Env = append(containerConfig.Env, "EXIT_CODE_FILE="+getExitCodeFilename(t))
+	networkingConfig := network.NetworkingConfig{}
+	t.Logf("Running container (%s)", containerConfig.Image)
+	ctr, err := cli.ContainerCreate(context.Background(), containerConfig, hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	startContainer(t, cli, ctr.ID)
+	return ctr.ID
+}
+
+// runContainerWithPorts creates and starts a container, exposing the specified ports on the host.
+// If no image is specified in the container config, then the image name is retrieved from the TEST_IMAGE
+// environment variable.
+func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *container.Config, ports []int) string {
+	hostConfig := getDefaultHostConfig(t, cli)
 	for _, p := range ports {
 		port := nat.Port(fmt.Sprintf("%v/tcp", p))
 		hostConfig.PortBindings[port] = []nat.PortBinding{
@@ -307,14 +326,7 @@ func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *co
 			},
 		}
 	}
-	networkingConfig := network.NetworkingConfig{}
-	t.Logf("Running container (%s)", containerConfig.Image)
-	ctr, err := cli.ContainerCreate(context.Background(), containerConfig, &hostConfig, &networkingConfig, t.Name())
-	if err != nil {
-		t.Fatal(err)
-	}
-	startContainer(t, cli, ctr.ID)
-	return ctr.ID
+	return runContainerWithHostConfig(t, cli, containerConfig, hostConfig)
 }
 
 // runContainer creates and starts a container.  If no image is specified in
@@ -526,6 +538,7 @@ func waitForContainer(t *testing.T, cli *client.Client, ID string, timeout time.
 
 // execContainer runs a command in a running container, and returns the exit code and output
 func execContainer(t *testing.T, cli *client.Client, ID string, user string, cmd []string) (int, string) {
+	t.Logf("Running command: %v", cmd)
 	config := types.ExecConfig{
 		User:        user,
 		Privileged:  false,

travis-build-scripts/build.sh

@@ -23,7 +23,7 @@ echo 'Building Developer image...' && echo -en 'travis_fold:start:build-devserve
 make build-devserver
 echo -en 'travis_fold:end:build-devserver\\r'
 if [ "$BUILD_ALL" = true ] ; then
-    if [ "$ARCH" = "amd64" ] ; then
+    if [[ "$ARCH" = "amd64" || "$ARCH" = "s390x" ]] ; then
         echo 'Building Production image...' && echo -en 'travis_fold:start:build-advancedserver\\r'
         make build-advancedserver
         echo -en 'travis_fold:end:build-advancedserver\\r'

travis-build-scripts/create-manifest-list.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# © Copyright IBM Corporation 2020
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+usage="
+Usage: create-image-manifest.sh -r hyc-mq-container-team-docker-local.artifactory.swg-devops.com -n foo -i ibm-mqadvanced-server-dev -t test -d \"sha256:038ad492532b099c324b897ce9da31ae0be312a1d0063f6456f2e3143cc4f4b8 sha256:754f466cf2cfc5183ac705689ce6720f27fecd07c97970ba3ec48769acba067d\"
+
+Where:
+-r - The image registry hostname
+-n - The image registry namespace
+-i - The image name
+-t - The desired top level manifest tag
+-d - A space separated list of sha256 image digests to be included
+"
+
+GREEN="\033[32m"
+RED="\033[31m"
+BLUE="\033[34m"
+PURPLE="\033[35m"
+AQUA="\033[36m"
+
+END="\033[0m"
+
+UNDERLINE="\033[4m"
+BOLD="\033[1m"
+ITALIC="\033[3m"
+TITLE=${BLUE}${BOLD}${UNDERLINE}
+STEPTITLE=${BLUERIGHTARROW}" "${BOLD}${ITALIC}
+SUBSTEPTITLE=${MINIARROW}${MINIARROW}${MINIARROW}" "${ITALIC}
+RIGHTARROW="\xE2\x96\xB6"
+MINIARROW="\xE2\x96\xBB"
+BLUERIGHTARROW=${BLUE}${RIGHTARROW}${END}
+GREENRIGHTARROW=${GREEN}${RIGHTARROW}${END}
+
+ERROR=${RED}
+
+TICK="\xE2\x9C\x94"
+CROSS="\xE2\x9C\x97"
+GREENTICK=${GREEN}${TICK}${END}
+REDCROSS=${RED}${CROSS}${END}
+
+
+SPACER="\n\n"
+
+while getopts r:n:i:t:d:h:u:p: flag
+do
+    case "${flag}" in
+        r) REGISTRY=${OPTARG};;
+        n) NAMESPACE=${OPTARG};;
+        i) IMAGE=${OPTARG};;
+        t) TAG=${OPTARG};;
+        d) DIGESTS=${OPTARG};;
+        u) USER=${OPTARG};;
+        p) CREDENTIAL=${OPTARG};;
+    esac
+done
+
+if [[ -z $REGISTRY || -z $NAMESPACE || -z $IMAGE || -z $TAG || -z $DIGESTS ]] ; then 
+  printf "${REDCROSS} ${ERROR}Missing parameter!${END}\n"
+  printf "${ERROR}$usage${END}\n"
+  exit 1
+fi
+
+# Docker CLI manifest commands require experimental features to be turned on
+export DOCKER_CLI_EXPERIMENTAL=enabled
+
+MANIFESTS=""
+for digest in $DIGESTS ; do \
+  MANIFESTS+=" $REGISTRY/$NAMESPACE/$IMAGE@$digest"
+done
+
+docker login $REGISTRY -u $USER -p $CREDENTIAL
+docker manifest create $REGISTRY/$NAMESPACE/$IMAGE:$TAG $MANIFESTS > /dev/null
+MANIFEST_DIGEST=$(docker manifest push --purge $REGISTRY/$NAMESPACE/$IMAGE:$TAG)
+
+echo $MANIFEST_DIGEST

travis-build-scripts/push.sh

@@ -32,7 +32,7 @@ function push_developer {
 }
 
 function push_production {
-    if [ "$ARCH" = "amd64" ] ; then
+    if [[ "$ARCH" = "amd64" || "$ARCH" = "s390x" ]] ; then
         echo 'Pushing Production image...' && echo -en 'travis_fold:start:push-advancedserver\\r'
         make push-advancedserver
         echo -en 'travis_fold:end:push-advancedserver\\r'

travis-build-scripts/test.sh

@@ -16,11 +16,14 @@
 
 set -e
 
+# Use verbose test output
+export TEST_OPTS_DOCKER="-v"
+
 echo 'Testing Developer image...' && echo -en 'travis_fold:start:test-devserver\\r'
 make test-devserver
 echo -en 'travis_fold:end:test-devserver\\r'
 if [ "$BUILD_ALL" = true ] ; then
-    if [ "$ARCH" = "amd64" ] ; then
+    if [[ "$ARCH" = "amd64" || "$ARCH" = "s390x" ]] ; then
         echo 'Testing Production image...' && echo -en 'travis_fold:start:test-advancedserver\\r'
         make test-advancedserver
         echo -en 'travis_fold:end:test-advancedserver\\r'