Open rtm-nrcan opened 1 year ago
The version taken as is on April 24th, 2023 from GitHub: https://github.com/NRCan/gsip
Repo: https://github.com/NRCan/gsip.git
This build had issues with Certs for the Java/Maven side of the house.
[INFO] ------------------------------------------------------------------------
[ERROR] Plugin org.apache.maven.plugins:maven-clean-plugin:2.5 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-clean-plugin:jar:2.5: Could not transfer artifact org.apache.maven.plugins:maven-clean-plugin:pom:2.5 from/to central (https://repo.maven.apache.org/maven2): transfer failed for https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]
This was remedied by inserting a Maven certificate in the Maven/Java certificates area as follows:
...
# Must get the cert for maven repo or no go!!!!
#---------------------------------------------------
COPY certs-maven/repo.maven.apache.org.crt /usr/src/gsip/
RUN keytool -noprompt -storepass changeit -keypass changeit -importcert -keystore $JAVA_HOME/lib/security/cacerts -file /usr/src/gsip/repo.maven.apache.org.crt -alias "root_cert"
...
This certificate is obtained by:
Details Tab
The export panel will look similar to that shown depending on the platform.
Typical export includes:
repo.maven.apache.org.crt
Because the underlying build systems like maven:3.8.6-openjdk-11-slim are getting a little on the older side, some of the ca-certificates may be expired within these builds or be unacceptable within NRCan build environments. These typically originate when libraries are fetched from the CDN (Content Delivery Network).
Since we only have poor man's Podman available on our Red Hat, Fedora and newer CentOS systems, we tried a build using Podman on a Fedora VM.
Dockerfile.pod is the Dockerfile equivalent we created. It is basically identical except: update-ca-certificates is not performed. Building is essentially the same:
[roman@fedora gsip]$ podman build --tag fedora:gsip -f Dockerfile.pod .
[roman@fedora gsip]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/fedora gsip c905e2564d36 About an hour ago 285 MB
<none> <none> 938dbbf86a71 About an hour ago 626 MB
localhost/rtm/geoserver now 987abaeab2fb 5 months ago 1.22 GB
docker.io/library/ubuntu 22.04 a8780b506fa4 5 months ago 80.3 MB
docker.io/library/maven 3.8.6-openjdk-11-slim 62643abbdb7b 8 months ago 445 MB
docker.io/library/tomcat jre11-openjdk-slim-buster b92033d41e48 8 months ago 241 MB
[roman@fedora gsip]$ podman run -d -p 8080:8080 --env-file local.env --name gsip localhost/fedora:gsip
[roman@fedora gsip]$ sudo netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 723/systemd-resolve
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN 723/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 921/sshd: /usr/sbin
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 723/systemd-resolve
tcp6 0 0 :::8080 :::* LISTEN 10453/rootlessport
tcp6 0 0 :::9090 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 921/sshd: /usr/sbin
Results on localhost
Largely working, however when we:
GSIP is currently using 3 deprecated Azure Legacy Virtual Machines.
These machines need to be decommissioned.
This issue is being created to make notes for testing of the localhost Docker build
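A pre-import check for the `keytool -importcert` step described above, as an added example that is not part of the original issue or the GSIP repository: it refuses a certificate file unless it matches a fingerprint recorded out of band and is not close to expiry. The function names, return codes and the throwaway sample certificate are constructed for illustration; it assumes the `openssl` CLI is available in the build stage.

```shell
# Added example: gate a certificate file before importing it into the JVM truststore.
# cert_sha256, cert_gate and make_sample_cert are hypothetical helper names.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex, no colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# cert_gate FILE PINNED_SHA256 MIN_DAYS
# Returns 0 only if FILE parses as X.509, matches the pinned fingerprint, and
# remains valid for at least MIN_DAYS more days. Non-zero codes name the failure.
cert_gate() {
    local file=$1 pin=$2 min_days=$3 actual
    actual=$(cert_sha256 "$file")
    if [ -z "$actual" ]; then
        echo "reject: $file is not a readable X.509 certificate" >&2; return 2
    fi
    # Accept pins written with colons or upper-case hex.
    pin=$(printf '%s' "$pin" | tr -d ':' | tr 'A-F' 'a-f')
    if [ "$actual" != "$pin" ]; then
        echo "reject: fingerprint $actual does not match the pinned value" >&2; return 3
    fi
    # -checkend exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$file" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "reject: certificate expires within $min_days days" >&2; return 4
    fi
    echo "ok: $(openssl x509 -in "$file" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed sample input: a throwaway self-signed certificate valid for DAYS days.
make_sample_cert() {
    local out=$1 days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -days "$days" \
        -subj "/CN=sample.invalid" -out "$out" 2>/dev/null && rm -f "$out.key"
}
```

In a build, `cert_gate` would run on the copied `.crt` file immediately before the `keytool` line, so that a swapped or expired file fails the image build instead of silently entering `cacerts`.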