GSIP - Docker Testing Prior to Legacy Azure Deactivation

[rtm-nrcan]

GSIP is currently using 3 deprecated Azure Legacy Virtual Machines.
These machines need to be decommissioned.

This issue is being created to make notes for testing of the localhost Docker build

[rtm-nrcan]

Ubuntu Docker

The version taken as is on April 24th, 2023 from GitHub: https://github.com/NRCan/gsip
Repo: https://github.com/NRCan/gsip.git

This build had issues with Certs for the Java/Maven side of the house.

[INFO] ------------------------------------------------------------------------ [ERROR] Plugin org.apache.maven.plugins:maven-clean-plugin:2.5 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-clean-plugin:jar:2.5: Could not transfer artifact org.apache.maven.plugins:maven-clean-plugin:pom:2.5 from/to central (https://repo.maven.apache.org/maven2): transfer failed for https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]

This was remedied by inserting a Maven Certificate in the Maven/Java certificates area as follows

...
# Must get the cert for maven repo or no go!!!!
#---------------------------------------------------
COPY certs-maven/repo.maven.apache.org.crt /usr/src/gsip/
RUN keytool -noprompt -storepass changeit -keypass changeit -importcert -keystore $JAVA_HOME/lib/security/cacerts -file /usr/src/gsip/repo.maven.apache.org.crt -alias "root_cert"
...

This certificate is obtained by:

• Using the repo link from the error and placing it in the browser
• Clicking on the SSL lock or crossed out lock symbol beside the URL
• This brings up the Certificate Viewer
• Click on the Details Tab
• Export the Certificate

The export panel will look similar to that shown depending on the platform.

Typical export includes:

1. Name the certificate - In our case repo.maven.apache.org.crt
2. Ensure that the cert is in Base64 Ascii
3. Save the file

Because the underlying build systems like: maven:3.8.6-openjdk-11-slim are getting a little on the older side, some of ca-certificates may be expired within these builds or be unacceptable within NRCan build environments. These typically originate when libraries are fetched from the CDN (Content Delivery Network).

Resulting Ubuntu Build

Fedora/CentOS/RedHat Podman Version

Since we only have poor man's Podman available on our Redhat, Fedora and newer CentOS systems we tried a build using Podman on a Fedora VM.

Dockerfile.pod is the Dockerfile equivalent we created. It is basically identical except:

• We do not load our NRCan and NRCan chain certs
• Some of the CDN (Content Distrib Network) certs are also not loaded
• update-ca-certificates is not performed

Building is essentially the same

[roman@fedora gsip]$ podman build --tag fedora:gsip -f Dockerfile.pod .

[roman@fedora gsip]$ podman images
REPOSITORY                TAG                        IMAGE ID      CREATED            SIZE
localhost/fedora          gsip                       c905e2564d36  About an hour ago  285 MB
<none>                    <none>                     938dbbf86a71  About an hour ago  626 MB
localhost/rtm/geoserver   now                        987abaeab2fb  5 months ago       1.22 GB
docker.io/library/ubuntu  22.04                      a8780b506fa4  5 months ago       80.3 MB
docker.io/library/maven   3.8.6-openjdk-11-slim      62643abbdb7b  8 months ago       445 MB
docker.io/library/tomcat  jre11-openjdk-slim-buster  b92033d41e48  8 months ago       241 MB

[roman@fedora gsip]$ podman run -d -p 8080:8080 --env-file local.env --name gsip localhost/fedora:gsip

[roman@fedora gsip]$ sudo netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      723/systemd-resolve 
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      723/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      921/sshd: /usr/sbin 
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      723/systemd-resolve 
tcp6       0      0 :::8080                 :::*                    LISTEN      10453/rootlessport  
tcp6       0      0 :::9090                 :::*                    LISTEN      1/systemd           
tcp6       0      0 :::22                   :::*                    LISTEN      921/sshd: /usr/sbin 

Results on localhost

Largely working, however when we:

• Click on the map
• Click the resulting highlighted resource
• We get an exception generated when JSONLDHELPER attempts to get some resource info
• This occurs on both the Docker and Podman localhost versions
• This does not occur on the Azure Legacy site