From 41d2116ee2091e99bf95bf6c21cef416c10effcc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mitchell=20B=C3=B6secke?= Date: Wed, 15 Nov 2023 15:47:00 -0700 Subject: [PATCH 1/9] Added basic HTTPS support by mounting a JKS file and providing some environment variables. --- Dockerfile | 6 ++ README.md | 12 +++ config/server-https.xml | 181 ++++++++++++++++++++++++++++++++++++++++ startup.sh | 9 ++ 4 files changed, 208 insertions(+) create mode 100644 config/server-https.xml diff --git a/Dockerfile b/Dockerfile index 27de96d..8d2ffab 100644 --- a/Dockerfile +++ b/Dockerfile @@ -96,7 +96,13 @@ ENV POSTGRES_JNDI_ENABLED=false ENV CONFIG_DIR=/opt/config ENV CONFIG_OVERRIDES_DIR=/opt/config_overrides +ENV HTTPS_ENABLED=false +ENV HTTPS_KEYSTORE_FILE=/opt/keystore.jks +ENV HTTPS_KEYSTORE_PASSWORD=changeit +ENV HTTPS_KEY_ALIAS=server + EXPOSE 8080 +EXPOSE 8443 WORKDIR /tmp diff --git a/README.md b/README.md index 243da2d..c1fba2d 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,8 @@ This Dockerfile can be used to create images for all geoserver versions since 2. * CORS support * Support extensions * Support additional libraries + * Support for PostgreSQL JNDI + * Support for HTTPS This README.md file covers use of official docker image, additional [build](BUILD.md) and [release](RELEASE.md) instructions are available. 
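Review bot: `ENV HTTPS_KEYSTORE_PASSWORD=changeit` bakes a keystore password default into the image metadata, and because the startup.sh hunk of this same patch feeds the environment through `envsubst`, whatever value is in force ends up in plaintext in `${CATALINA_HOME}/conf/server.xml` as well as in `docker inspect` output and the container's process environment. A default is convenient for the demo, but the Dockerfile should say what it is, e.g. `# placeholder only; override HTTPS_KEYSTORE_PASSWORD at run time (a *_FILE variant read from a mounted secret would keep it out of docker inspect)`. The `EXPOSE 8443` addition is fine; the four `ENV` lines are where the comment belongs.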
@@ -146,6 +148,16 @@ In geoserver, you can then reference this JNDI resource using the name `java:com For advanced customization of the connection pool, you can provide your own customized "context.xml" file to Apache Tomcat by mounting it to the container at ``/opt/config_overrides/context.xml``. +## How to enable HTTPS? + +To enable HTTPS, mount a JKS file to the container (ex. `/opt/keystore.jks`) and provide the following environment +variables: + +* ``HTTPS_ENABLED`` to `true` +* ``HTTPS_KEYSTORE_FILE`` (defaults to `/opt/keystore.jks`) +* ``HTTPS_KEYSTORE_PASSWORD`` (defaults to `changeit`) +* ``HTTPS_KEY_ALIAS`` (defaults to `server`) + ## How to use the docker-compose demo? The ``docker-compose-demo.yml`` to build with your own data directory and extensions. diff --git a/config/server-https.xml b/config/server-https.xml new file mode 100644 index 0000000..23c84cf --- /dev/null +++ b/config/server-https.xml @@ -0,0 +1,181 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/startup.sh b/startup.sh index 9195d26..d0964e1 100755 --- a/startup.sh +++ b/startup.sh @@ -111,5 +111,14 @@ if [ "${POSTGRES_JNDI_ENABLED}" = "true" ]; then fi fi +if [ "${HTTPS_ENABLED}" = "true" ]; then + if [ ! -f "${HTTPS_KEYSTORE_FILE}" ]; then + echo "ERROR: HTTPS was enabled but keystore file was not mounted to container [${HTTPS_KEYSTORE_FILE}]" + exit 1 + fi + echo "Installing [${CATALINA_HOME}/conf/server.xml] with HTTPS support using substituted environment variables" + envsubst < "${CONFIG_DIR}"/server-https.xml > "${CATALINA_HOME}/conf/server.xml" +fi + # start the tomcat exec $CATALINA_HOME/bin/catalina.sh run From a8029b3eba77a18449c39b73b8ce655f5ab41e41 Mon Sep 17 00:00:00 2001 From: Andreas Schmitz Date: Tue, 14 May 2024 15:45:04 +0200 Subject: [PATCH 2/9] fix: allow unicode filenames --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
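Review bot: The `envsubst` call in the new HTTPS block substitutes every `$NAME`/`${NAME}` reference it finds in `server-https.xml`, not only the three HTTPS variables, so any other dollar reference in the template is rewritten from the container environment (the template content is not visible on this page, so this is a risk to rule out rather than a confirmed defect). Restricting the substitution set makes the intent explicit: `envsubst '${HTTPS_KEYSTORE_FILE} ${HTTPS_KEYSTORE_PASSWORD} ${HTTPS_KEY_ALIAS}' < "${CONFIG_DIR}"/server-https.xml > "${CATALINA_HOME}/conf/server.xml"`. The "keystore file was not mounted" message is written to stdout; adding `>&2` puts it on stderr where `exit 1` diagnostics belong. The write also unconditionally replaces `conf/server.xml`, so if the `/opt/config_overrides/server.xml` mechanism described in the README is applied earlier in startup.sh (outside this hunk), a user-supplied override is silently overwritten whenever `HTTPS_ENABLED=true`.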
diff --git a/Dockerfile b/Dockerfile index a1b7568..0dc3d34 100644 --- a/Dockerfile +++ b/Dockerfile @@ -32,7 +32,7 @@ ENV CATALINA_OPTS="\$EXTRA_JAVA_OPTS \ # init RUN apt update \ && apt -y upgrade \ - && apt install -y --no-install-recommends openssl unzip gdal-bin wget curl openjdk-11-jdk gettext \ + && apt install -y --no-install-recommends locales openssl unzip gdal-bin wget curl openjdk-11-jdk gettext \ && apt clean \ && rm -rf /var/cache/apt/* \ && rm -rf /var/lib/apt/lists/* @@ -105,6 +105,8 @@ EXPOSE 8080 WORKDIR /tmp +RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen + RUN echo "Installing GeoServer $GS_VERSION $GS_BUILD" COPY --from=download /tmp/geoserver $CATALINA_HOME/webapps/geoserver From 5857fa382b677297a4dbdba3ad9d6854aae5f882 Mon Sep 17 00:00:00 2001 From: Dirk Mennecke Date: Fri, 24 May 2024 15:06:12 +0200 Subject: [PATCH 3/9] Replace line breaks and run startup script with bash --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index a1b7568..867d537 100644 --- a/Dockerfile +++ b/Dockerfile @@ -142,9 +142,9 @@ RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true # GeoServer user => restrict access to $CATALINA_HOME and GeoServer directories # See also CIS Docker benchmark and docker best practices -RUN chmod +x /opt/*.sh +RUN chmod +x /opt/*.sh && sed -i 's/\r$//' /opt/startup.sh -ENTRYPOINT ["/opt/startup.sh"] +ENTRYPOINT ["bash", "/opt/startup.sh"] WORKDIR /opt From 96e081901bc75d325faeb10c26b082d88b643aae Mon Sep 17 00:00:00 2001 From: Dirk Mennecke Date: Fri, 24 May 2024 15:08:01 +0200 Subject: [PATCH 4/9] Edit startup.sh to handle credentials update --- startup.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/startup.sh b/startup.sh index 5e76d30..99f260e 100755 --- a/startup.sh +++ b/startup.sh 
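Review bot: The new `RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen` line generates the locale but nothing in this hunk selects it; unless `ENV LANG`/`LC_ALL` is set elsewhere in the Dockerfile (not visible here), Tomcat and the JVM may still start under the POSIX default locale and the unicode-filename fix would not take effect. Consider `ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8` directly after the `locale-gen` step, with a comment such as `# select the generated locale so non-ASCII file names in the data directory decode correctly`. The first hunk of this patch, adding `locales` to the `apt install` line, needs no change.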
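Review bot: `sed -i 's/\r$//'` is applied only to `/opt/startup.sh` while the same `RUN` line marks every `/opt/*.sh` executable, so a sibling script checked out with CRLF endings would still fail on stray `\r` characters; patch 4 of this series makes startup.sh call `/opt/update_credentials.sh`, which is exactly such a sibling. `RUN chmod +x /opt/*.sh && sed -i 's/\r$//' /opt/*.sh` covers all of them. Fixing the line endings at the source with a `.gitattributes` entry (`*.sh text eol=lf`) would remove the need for the sed altogether; running the script under an explicit `bash` in the `ENTRYPOINT` is harmless either way.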
@@ -142,4 +142,8 @@ if [ ! "${ENABLE_DEFAULT_SHUTDOWN}" = "true" ]; then REPLACEMENT= fi +if [ -n "$GEOSERVER_ADMIN_PASSWORD" ] && [ -n "$GEOSERVER_ADMIN_USER" ]; then + /bin/sh /opt/update_credentials.sh +fi + exec $CATALINA_HOME/bin/catalina.sh run -Dorg.apache.catalina.connector.RECYCLE_FACADES=true From 119ec88b8fa1fdbf4bea0e0408f4574946b9506e Mon Sep 17 00:00:00 2001 From: Dirk Mennecke Date: Fri, 24 May 2024 15:10:05 +0200 Subject: [PATCH 5/9] Add update_credentials script --- update_credentials.sh | 71 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 update_credentials.sh diff --git a/update_credentials.sh b/update_credentials.sh new file mode 100644 index 0000000..599ae9f --- /dev/null +++ b/update_credentials.sh 
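Review bot: The new block runs `/bin/sh /opt/update_credentials.sh` although that script declares `#!/bin/bash` (patch 5), and its exit status is ignored, so a failed credential update still falls through to `exec … catalina.sh run` with whatever users.xml happens to be in place. `bash /opt/update_credentials.sh || exit 1` keeps the interpreter consistent with the shebang and aborts start-up on failure; note that the script's own error branches currently end with a bare `exit` (status 0), so they need `exit 1` before this check can take effect. A short comment above the `if`, e.g. `# admin credentials are re-applied from the environment on every start`, would also make the behaviour visible to operators reading startup.sh.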
@@ -0,0 +1,71 @@ +#!/bin/bash + +# Credits to https://github.com/meggsimum/geoserver-docker/ and https://github.com/kartoza/docker-geoserver + +echo "Updating GeoServer Credentials ..." + +if [ ${DEBUG} ]; then + set -e + set -x +fi; + +# copy over default security folder to data dir (if not existing) +if [ ! -d "${GEOSERVER_DATA_DIR}security" ]; then + cp -r ${CATALINA_HOME}"/webapps/"$APP_PATH_PREFIX"geoserver/data/security" ${GEOSERVER_DATA_DIR} +fi + +GEOSERVER_ADMIN_USER=${GEOSERVER_ADMIN_USER:-admin} +GEOSERVER_ADMIN_PASSWORD=${GEOSERVER_ADMIN_PASSWORD:-geoserver} + +# templates to use as base for replacement +USERS_XML_ORIG=${CATALINA_HOME}"/webapps/"$APP_PATH_PREFIX"geoserver/data/security/usergroup/default/users.xml" +echo "USING USERS XML ORIGINAL:" $USERS_XML_ORIG +ROLES_XML_ORIG=${CATALINA_HOME}"/webapps/"$APP_PATH_PREFIX"geoserver/data/security/role/default/roles.xml" +echo "USING ROLES XML ORIGINAL:" $ROLES_XML_ORIG + +# final users.xml file GeoServer data dir +USERS_XML=${USERS_XML:-${GEOSERVER_DATA_DIR}security/usergroup/default/users.xml} +echo "SETTING USERS XML:" $USERS_XML +# final roles.xml file GeoServer data dir +ROLES_XML=${ROLES_XML:-${GEOSERVER_DATA_DIR}security/role/default/roles.xml} +echo "SETTING ROLES XML:" . $ROLES_XML + +CLASSPATH=$CATALINA_HOME/webapps/$APP_PATH_PREFIX"geoserver/WEB-INF/lib/" + +# tmp files +TMP_USERS=/tmp/users.xml +TMP_ROLES=/tmp/roles.xml + +make_hash(){ + NEW_PASSWORD=$1 + (echo "digest1:" && java -classpath $(find $CLASSPATH -regex ".*jasypt-[0-9]\.[0-9]\.[0-9].*jar") org.jasypt.intf.cli.JasyptStringDigestCLI digest.sh algorithm=SHA-256 saltSizeBytes=16 iterations=100000 input="$NEW_PASSWORD" verbose=0) | tr -d '\n' +} + +# create PW hash for given password +PWD_HASH=$(make_hash $GEOSERVER_ADMIN_PASSWORD) + +# USERS.XML SETUP +# +cat $USERS_XML_ORIG | sed -e "s/ name=\".*\" / name=\"${GEOSERVER_ADMIN_USER}\" /" | sed -e "s|password=\".*\"/|password=\"${PWD_HASH}\"\/|" > $TMP_USERS +if [ $? 
-eq 0 ] +then + mv $TMP_USERS $USERS_XML + echo "Successfully replaced $USERS_XML" +else + echo "CAUTION: Abort update_credentials.sh due to error while creating users.xml. File at $USERS_XML keeps untouched" + exit +fi + +# ROLES.XML SETUP +# +cat $ROLES_XML_ORIG | sed -e "s/ username=\".*\"/ username=\"${GEOSERVER_ADMIN_USER}\"/" > $TMP_ROLES +if [ $? -eq 0 ] +then + mv $TMP_ROLES $ROLES_XML + echo "Successfully replaced $ROLES_XML" +else + echo "CAUTION: Abort update_credentials.sh due to error while creating roles.xml. File at $ROLES_XML keeps untouched" + exit +fi + +echo "... DONE updating GeoServer Credentials ..." \ No newline at end of file From 37362a3c43fafd297e24f60030d994b14c39a292 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nils=20B=C3=BChner?= Date: Wed, 29 May 2024 12:54:11 +0200 Subject: [PATCH 6/9] feat: ignore pg data when using compose example --- .dockerignore | 1 + .gitignore | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.dockerignore b/.dockerignore index 567609b..9f878ab 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1 +1,2 @@ build/ +postgis/ diff --git a/.gitignore b/.gitignore index 92bc551..99ff525 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ *.iml *.idea - +postgis/ From ef8d2afa959de2be189b5d97017714410fd002b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nils=20B=C3=BChner?= Date: Wed, 29 May 2024 13:17:17 +0200 Subject: [PATCH 7/9] chore: use latest tomcat and geoserver versions --- Dockerfile | 6 +++--- README.md | 24 ++++++++++++------------ RELEASE.md | 10 +++++----- build/release.sh | 2 +- docker-compose-demo.yml | 2 +- 5 files changed, 22 insertions(+), 22 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0dc3d34..da3f891 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM ubuntu:22.04 as tomcat -ARG TOMCAT_VERSION=9.0.86 +ARG TOMCAT_VERSION=9.0.89 ARG CORS_ENABLED=false ARG CORS_ALLOWED_ORIGINS=* ARG CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,HEAD,OPTIONS 
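Review bot: `PWD_HASH=$(make_hash $GEOSERVER_ADMIN_PASSWORD)` passes the password unquoted, so a value containing whitespace or glob characters is split or expanded before it reaches `make_hash`; it should read `PWD_HASH=$(make_hash "$GEOSERVER_ADMIN_PASSWORD")`. Inside `make_hash` the plaintext password is an argument of the `java` command line (`input="$NEW_PASSWORD"`), which is readable from the process list while hashing runs, and the `set -x` enabled under `DEBUG` echoes it into the container log; the DEBUG block deserves a comment such as `# DEBUG tracing prints the admin password; do not enable in production`. Both failure branches end with a bare `exit` (status 0), so startup.sh (patch 4) cannot tell that users.xml or roles.xml was left untouched — use `exit 1` in both, and note that `$?` after the `cat | sed | sed` pipeline reflects only the last `sed`. Finally, the script regenerates users.xml and roles.xml from the bundled webapp templates on every run in which the variables are set, discarding any users or roles added through the GeoServer UI; the header comment should state that.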
@@ -56,7 +56,7 @@ RUN apt purge -y \ FROM tomcat as download -ARG GS_VERSION=2.24.1 +ARG GS_VERSION=2.25.1 ARG GS_BUILD=release ARG WAR_ZIP_URL=https://downloads.sourceforge.net/project/geoserver/GeoServer/${GS_VERSION}/geoserver-${GS_VERSION}-war.zip ENV GEOSERVER_VERSION=$GS_VERSION @@ -72,7 +72,7 @@ RUN echo "Downloading GeoServer ${GS_VERSION} ${GS_BUILD}" \ FROM tomcat as install -ARG GS_VERSION=2.24.1 +ARG GS_VERSION=2.25.1 ARG GS_BUILD=release ARG STABLE_PLUGIN_URL=https://downloads.sourceforge.net/project/geoserver/GeoServer/${GS_VERSION}/extensions ARG COMMUNITY_PLUGIN_URL='' diff --git a/README.md b/README.md index 92afca9..d5ec45e 100644 --- a/README.md +++ b/README.md @@ -18,20 +18,20 @@ This README.md file covers use of official docker image, additional [build](BUIL To pull an official image use ``docker.osgeo.org/geoserver:{{VERSION}}``, e.g.: ```shell -docker pull docker.osgeo.org/geoserver:2.24.1 +docker pull docker.osgeo.org/geoserver:2.25.1 ``` All the images can be found at: [https://repo.osgeo.org](https://repo.osgeo.org/#browse/browse:geoserver-docker:v2/geoserver/tags) and the latest stable and maintenance version numbers can be obtained from [https://geoserver.org/download/](https://geoserver.org/download/) Afterwards you can run the pulled image locally with: ```shell -docker run -it -p 80:8080 docker.osgeo.org/geoserver:2.24.1 +docker run -it -p 80:8080 docker.osgeo.org/geoserver:2.25.1 ``` Or if you want to start the container daemonized, use e.g.: ```shell -docker run -d -p 80:8080 docker.osgeo.org/geoserver:2.24.1 +docker run -d -p 80:8080 docker.osgeo.org/geoserver:2.25.1 ``` Check to see the geoserver page, 
@@ -48,7 +48,7 @@ To use an external folder as your geoserver data directory. ```shell docker run -it -p 80:8080 \ --mount src="/absolute/path/on/host",target=/opt/geoserver_data/,type=bind \ - docker.osgeo.org/geoserver:2.24.1 + docker.osgeo.org/geoserver:2.25.1 ``` An empty data directory will be populated on first use. You can easily update GeoServer while @@ -63,7 +63,7 @@ The environment variable `SKIP_DEMO_DATA` can be set to `true` to create an empt ```shell docker run -it -p 80:8080 \ --env SKIP_DEMO_DATA=true \ - docker.osgeo.org/geoserver:2.24.1 + docker.osgeo.org/geoserver:2.25.1 ``` ## How to issue a redirect from the root ("/") to GeoServer web interface ("/geoserver/web")? @@ -84,8 +84,8 @@ The ``startup.sh`` script allows some customization on startup: * ``CORS_ALLOW_CREDENTIALS`` (default ``false``) **Setting this to ``true`` will only have the desired effect if ``CORS_ALLOWED_ORIGINS`` defines explicit origins (not ``*``)** * ``PROXY_BASE_URL`` to the base URL of the GeoServer web app if GeoServer is behind a proxy. Example: ``https://example.com/geoserver``. -The CORS variables customize tomcat's `web.xml` file. If you need more customization, -you can provide your own customized `web.xml` file to tomcat by mounting it into the container +The CORS variables customize tomcat's `web.xml` file. If you need more customization, +you can provide your own customized `web.xml` file to tomcat by mounting it into the container at `/opt/config_overrides/web.xml`. Example installing wps and ysld extensions: @@ -93,7 +93,7 @@ Example installing wps and ysld extensions: ```shell docker run -it -p 80:8080 \ --env INSTALL_EXTENSIONS=true --env STABLE_EXTENSIONS="wps,ysld" \ - docker.osgeo.org/geoserver:2.24.1 + docker.osgeo.org/geoserver:2.25.1 ``` The list of extensions (taken from SourceForge download page): 
@@ -118,7 +118,7 @@ If you want to add geoserver extensions/libs, place the respective jar files in ```shell docker run -it -p 80:8080 \ --mount src="/dir/with/libs/on/host",target=/opt/additional_libs,type=bind \ - docker.osgeo.org/geoserver:2.24.1 + docker.osgeo.org/geoserver:2.25.1 ``` ## How to add additional fonts to the docker image (e.g. for SLD styling)? @@ -128,7 +128,7 @@ If you want to add custom fonts (the base image only contains 26 fonts) by using ```shell docker run -it -p 80:8080 \ --mount src="/dir/with/fonts/on/host",target=/opt/additional_fonts,type=bind \ - docker.osgeo.org/geoserver:2.24.1 + docker.osgeo.org/geoserver:2.25.1 ``` **Note:** Do not change the target value! @@ -163,7 +163,7 @@ Example: ```shell docker run -it -p 80:8080 \ --mount src="/path/to/my/server.xml",target=/opt/config_overrides/server.xml,type=bind \ - docker.osgeo.org/geoserver:2.24.1 + docker.osgeo.org/geoserver:2.25.1 ``` ## How to use the docker-compose demo? @@ -183,7 +183,7 @@ Following is the list of the all the environment variables that can be passed do | VAR NAME | DESCRIPTION | SAMPLE VALUE | |--------------|-----------|------------| | PATH | Used by geoserver internally to find all the libs | `/usr/local/sbin:/usr/local/bin:` | -| CATALINA_HOME | CATALINA home path | `/opt/apache-tomcat-9.0.86` | +| CATALINA_HOME | CATALINA home path | `/opt/apache-tomcat-9.0.89` | | EXTRA_JAVA_OPTS | Used to pass params to the JAVA environment. Check [ref](https://docs.oracle.com/en/java/javase/11/tools/java.html) | `-Xms256m -Xmx1g` | | CORS_ENABLED | CORS enabled configuration | `false` | | CORS_ALLOWED_ORIGINS | CORS origins configuration | `*` | diff --git a/RELEASE.md b/RELEASE.md index ec50fa8..806b83d 100644 --- a/RELEASE.md +++ b/RELEASE.md 
@@ -7,7 +7,7 @@ OSGeo maintains geoserver-docker.osgeo.org repository for publishing. The result Build locally: ```shell -docker build -t geoserver-docker.osgeo.org/geoserver:2.24.1 . +docker build -t geoserver-docker.osgeo.org/geoserver:2.25.1 . ``` Login using with osgeo user id: @@ -19,7 +19,7 @@ docker login geoserver-docker.osgeo.org Push to osgeo repository: ```shell -docker push geoserver-docker.osgeo.org/geoserver:2.24.1 +docker push geoserver-docker.osgeo.org/geoserver:2.25.1 ``` ## How to automate release? @@ -34,10 +34,10 @@ The third, optional, is used to supply the jenkins build number - triggering a n Examples: -`./release.sh build 2.24.1` +`./release.sh build 2.25.1` -`./release.sh publish 2.24.1` +`./release.sh publish 2.25.1` -`./release.sh buildandpublish 2.24.1` +`./release.sh buildandpublish 2.25.1` `./release.sh buildandpublish 2.24-SNAPSHOT 1234` diff --git a/build/release.sh b/build/release.sh index a946b43..b740716 100755 --- a/build/release.sh +++ b/build/release.sh @@ -9,7 +9,7 @@ function usage() { echo "$0 []" echo "" echo " mode : The mode. Choose one of 'build', 'publish' or 'buildandpublish'" - echo " version : The released version to build an docker image for (eg: 2.24.1, ${MAIN}-SNAPSHOT, ${MAIN}-RC)" + echo " version : The released version to build an docker image for (eg: 2.25.1, ${MAIN}-SNAPSHOT, ${MAIN}-RC)" echo " build : Build number (optional)" } diff --git a/docker-compose-demo.yml b/docker-compose-demo.yml index 8de1fc4..d5f49db 100644 --- a/docker-compose-demo.yml +++ b/docker-compose-demo.yml @@ -4,7 +4,7 @@ services: build: context: . args: - - GEOSERVER_VERSION=2.24.1 + - GEOSERVER_VERSION=2.25.1 - CORS_ENABLED=true - CORS_ALLOWED_METHODS=GET,POST,PUT,HEAD,OPTIONS ports: From c0d6edd74d3bfe79d45f1a17a683adecdaf6a32d Mon Sep 17 00:00:00 2001 From: Dirk Mennecke Date: Thu, 6 Jun 2024 09:41:36 +0200 Subject: [PATCH 8/9] Update readme --- README.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/README.md b/README.md index 92afca9..9c20627 100644 --- a/README.md +++ b/README.md @@ -204,6 +204,8 @@ Following is the list of the all the environment variables that can be passed do | SKIP_DEMO_DATA | Indicates whether to skip the installation of demo data provided by GeoServer | `false` | | ROOT_WEBAPP_REDIRECT | Indicates whether to issue a permanent redirect to the web interface | `false` | | HEALTHCHECK_URL | URL to the resource / endpoint used for `docker` health checks | `http://localhost:8080/geoserver/web/wicket/resource/org.geoserver.web.GeoServerBasePage/img/logo.png` | +| GEOSERVER_ADMIN_USER | Admin username | | +| GEOSERVER_ADMIN_PASSWORD | Admin password | | The following values cannot really be safely changed (as they are used to download extensions and community modules as the docker image first starts up). | VAR NAME | DESCRIPTION | SAMPLE VALUE | From 6d965d2f6104f96fa36254a266cebc2769965a95 Mon Sep 17 00:00:00 2001 From: Dirk Mennecke Date: Thu, 6 Jun 2024 12:55:08 +0200 Subject: [PATCH 9/9] Update README environment variables --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9c20627..eb3fb84 100644 --- a/README.md +++ b/README.md 
@@ -204,7 +204,7 @@ Following is the list of the all the environment variables that can be passed do | SKIP_DEMO_DATA | Indicates whether to skip the installation of demo data provided by GeoServer | `false` | | ROOT_WEBAPP_REDIRECT | Indicates whether to issue a permanent redirect to the web interface | `false` | | HEALTHCHECK_URL | URL to the resource / endpoint used for `docker` health checks | `http://localhost:8080/geoserver/web/wicket/resource/org.geoserver.web.GeoServerBasePage/img/logo.png` | -| GEOSERVER_ADMIN_USER | Admin username | | +| GEOSERVER_ADMIN_USER | Admin username | | | GEOSERVER_ADMIN_PASSWORD | Admin password | | The following values cannot really be safely changed (as they are used to download extensions and community modules as the docker image first starts up).