Remove ENV ROOT_PASSWORD from Dockerfiles, fix HEALTHCHECK default, add CDDL headers#633

Merged: vharseko merged 4 commits into master from copilot/update-dockerfile-cddl-header on Apr 11, 2026

Copilot AI commented Apr 10, 2026

ENV ROOT_PASSWORD="password" in both Dockerfiles triggers the Docker lint rule SecretsUsedInArgOrEnv. Removing it breaks the HEALTHCHECK because Docker daemon spawns that process independently — it does not inherit exports from run.sh, only ENV instructions and -e flags from docker run.

Changes

  • Dockerfile / Dockerfile-alpine

    • Remove ENV ROOT_PASSWORD="password"; replace with explanatory comment
    • Fix HEALTHCHECK to use shell parameter expansion so it works with or without -e ROOT_PASSWORD:
      --bindPassword "${ROOT_PASSWORD:-password}"
    • Add CDDL header — Copyright 2026 3A Systems, LLC.
  • run.sh

    • Add CDDL header (Portions copyright 2026 3A Systems, LLC.) after shebang
    • No logic changes — `export ******` remains as-is

Behaviour

| Invocation | HEALTHCHECK uses | run.sh sets |
|---|---|---|
| docker run (no -e) | password (shell fallback) | password |
| docker run -e ROOT_PASSWORD=secret | secret | secret |

Original prompt

Problem

Both opendj-packages/opendj-docker/Dockerfile and opendj-packages/opendj-docker/Dockerfile-alpine have ENV ROOT_PASSWORD="password" which triggers the Docker lint warning:

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "ROOT_PASSWORD")
https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Required Changes

1. opendj-packages/opendj-docker/Dockerfile

Add CDDL header at the top (same style as https://github.com/OpenIdentityPlatform/OpenIDM/blob/1df435f73a70f50e51a99c1623b64da01c88bc0b/Dockerfile):

# The contents of this file are subject to the terms of the Common Development and
# Distribution License (the License). You may not use this file except in compliance with the
# License.
#
# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
# specific language governing permission and limitations under the License.
#
# When distributing Covered Software, include this CDDL Header Notice in each file and include
# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
# Header, with the fields enclosed by brackets [] replaced by your own identifying
# information: "Portions copyright [year] [name of copyright owner]".
#
# Copyright 2026 3A Systems, LLC.

Remove line 11 (ENV ROOT_PASSWORD="password") and replace with a comment:

# ROOT_PASSWORD should be passed at runtime via: docker run -e ROOT_PASSWORD=...
# Default value if not provided: "password"

Change the HEALTHCHECK line (currently line 53) from:

HEALTHCHECK --interval=30s --timeout=30s --start-period=1s --retries=3 CMD opendj/bin/ldapsearch --hostname localhost --port $LDAPS_PORT --bindDN "$ROOT_USER_DN" --bindPassword $ROOT_PASSWORD --useSsl --trustAll --baseDN "" --searchScope base "(objectClass=*)" 1.1

to:

HEALTHCHECK --interval=30s --timeout=30s --start-period=1s --retries=3 CMD opendj/bin/ldapsearch --hostname localhost --port $LDAPS_PORT --bindDN "$ROOT_USER_DN" --bindPassword "${ROOT_PASSWORD:-password}" --useSsl --trustAll --baseDN "" --searchScope base "(objectClass=*)" 1.1

The key change is $ROOT_PASSWORD → "${ROOT_PASSWORD:-password}" so the shell fallback provides the default when the variable is not set via -e.

2. opendj-packages/opendj-docker/Dockerfile-alpine

Add the same CDDL header at the top:

# The contents of this file are subject to the terms of the Common Development and
# Distribution License (the License). You may not use this file except in compliance with the
# License.
#
# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
# specific language governing permission and limitations under the License.
#
# When distributing Covered Software, include this CDDL Header Notice in each file and include
# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
# Header, with the fields enclosed by brackets [] replaced by your own identifying
# information: "Portions copyright [year] [name of copyright owner]".
#
# Copyright 2026 3A Systems, LLC.

Same changes as Dockerfile: remove ENV ROOT_PASSWORD="password", replace with comment, fix HEALTHCHECK with "${ROOT_PASSWORD:-password}".

3. opendj-packages/opendj-docker/run.sh

Add CDDL copyright notice right after the shebang line. The file already has comments starting at line 2. Add the CDDL header after the shebang but before the existing comments. Since this is a modification of an existing file, use "Portions copyright":

#!/usr/bin/env bash
# The contents of this file are subject to the terms of the Common Development and
# Distribution License (the License). You may not use this file except in compliance with the
# License.
#
# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
# specific language governing permission and limitations under the License.
#
# When distributing Covered Software, include this CDDL Header Notice in each file and include
# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
# Header, with the fields enclosed by brackets [] replaced by your own identifying
# information: "Portions copyright [year] [name of copyright owner]".
#
# Portions copyright 2026 3A Systems, LLC.

Keep run.sh logic exactly as the original master version (do NOT add Docker secrets support). The current master content of run.sh lines 31-32 is:

export PASSWORD=${ROOT_PASSWORD:-password}
echo "Password set to $PASSWORD"

This must remain unchanged. Do not add any /run/secrets/root_password logic.

Summary of all changes

| File | Change |
|---|---|
| opendj-packages/opendj-docker/Dockerfile | Add CDDL header with "Copyright 2026 3A Systems, LLC.", remove ENV ROOT_PASSWORD="password" (replace with comment), fix HEALTHCHECK to use... |

This pull request was created from Copilot chat.
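
The environment behaviour described in the comment above can be reproduced without Docker. This is an added example, not code from the pull request: it assumes a shell-form HEALTHCHECK is run as `/bin/sh -c` with the container's configured environment, and `probe_bind_arg` and `probe_after_entrypoint_export` are hypothetical helpers that report which word lands directly after `--bindPassword`.

```shell
#!/bin/sh
# Added illustration (constructed): Docker runs a shell-form HEALTHCHECK as
# `/bin/sh -c "<cmd>"` with the container's configured environment (ENV lines
# plus `docker run -e`), not with variables the entrypoint script exported.

# probe_bind_arg FORM [NAME=VALUE ...]   (hypothetical helper)
#   FORM = old : --bindPassword $ROOT_PASSWORD
#   FORM = new : --bindPassword "${ROOT_PASSWORD:-password}"
#   NAME=VALUE words stand in for `docker run -e NAME=VALUE`.
# Prints the word that ends up directly after --bindPassword.
probe_bind_arg() {
    form=$1
    shift
    case $form in
        old) cmd='set -- --bindPassword $ROOT_PASSWORD --useSsl' ;;
        new) cmd='set -- --bindPassword "${ROOT_PASSWORD:-password}" --useSsl' ;;
        *)   return 2 ;;
    esac
    # env -i gives the probe an empty environment, like an image with no
    # ENV ROOT_PASSWORD line; "$@" adds the simulated -e values.
    env -i PATH="$PATH" "$@" sh -c "$cmd; printf '%s' \"\$2\""
}

# An export made inside the entrypoint's own process (stand-in for run.sh)
# never reaches the separately spawned probe.
probe_after_entrypoint_export() {
    ( export ROOT_PASSWORD=from-entrypoint; : )
    probe_bind_arg new
}

echo "old form, no -e:  $(probe_bind_arg old)"
echo "new form, no -e:  $(probe_bind_arg new)"
echo "new form, -e:     $(probe_bind_arg new ROOT_PASSWORD=secret)"
echo "new form, empty:  $(probe_bind_arg new ROOT_PASSWORD=)"
echo "after export:     $(probe_after_entrypoint_export)"
```

With the old unquoted form and no value in the environment, the expansion produces no word at all, so `--useSsl` moves into the password position. Because `:-` treats an empty value like an unset one, `-e ROOT_PASSWORD=` also makes the probe bind with the default.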

Copilot AI changed the title from "[WIP] Add CDDL header to Dockerfile and remove ROOT_PASSWORD environment variable" to "Remove ENV ROOT_PASSWORD from Dockerfiles, fix HEALTHCHECK default, add CDDL headers" Apr 10, 2026
Copilot AI requested a review from vharseko April 10, 2026 11:54
Copilot AI and others added 2 commits April 10, 2026 18:08
…un.sh (#635)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…alpine jobs (#634)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
@vharseko vharseko marked this pull request as ready for review April 10, 2026 19:58
@vharseko vharseko requested review from maximthomas and removed request for vharseko April 10, 2026 19:59
@vharseko vharseko merged commit 0d73411 into master Apr 11, 2026
19 checks passed
@vharseko vharseko deleted the copilot/update-dockerfile-cddl-header branch April 11, 2026 08:09