OpenLiberty / ci.docker

Eclipse Public License 1.0

SVT: Enabling ARG SEC_SSO_PROVIDERS in Dockerfile causes conflicts with jakarta ee10 features #389

Open rumanaHaque opened 1 year ago

rumanaHaque commented 1 year ago

I am testing the OIDC in WebSphere Liberty Operator using this test case:

SVT: Test SSO with OIDC provider with WLO 1.1.0 using RH-SSO and new Jakarta-ee10 features

276

As part of this test case, I have enabled these features in my server.xml

<featureManager>
    <!-- <feature>jakartaee-10.0</feature>
    <feature>jakartaee-9.1</feature>
    <feature>microProfile-5.0</feature> -->
    <feature>appClientSupport-2.0</feature>
    <feature>appSecurity-5.0</feature>
    <feature>cdi-4.0</feature>
    <feature>enterpriseBeans-4.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>localConnector-1.0</feature>
    <feature>mdb-4.0</feature>
    <feature>messaging-3.1</feature>
    <feature>messagingClient-3.0</feature>
    <feature>messagingSecurity-3.0</feature>
    <feature>messagingServer-3.0</feature>
    <feature>pages-3.1</feature>
    <feature>persistence-3.1</feature>
    <feature>restfulWS-3.1</feature>
    <feature>xmlWS-4.0</feature>
    <!-- <feature>socialLogin-1.0</feature> -->
</featureManager>

Also - I have these settings in my Dockerfile:

# Optional functionality
ARG TLS=true
#ARG SEC_SSO_PROVIDERS="oauth oidc facebook google github twitter linkedin"
ARG SEC_SSO_PROVIDERS="oidc"
#ARG OPENJ9_SCC=false
ARG VERBOSE=true

# trust certificates from well known CA's
ENV SEC_TLS_TRUSTDEFAULTCERTS=true

# trust certificates from within the cluster, such as Red Hat SSO.
ENV SEC_IMPORT_K8S_CERTS=true

Having the ARG SEC_SSO_PROVIDERS="oidc" in my Dockerfile is causing conflicts when I start my server - with the following error:

product = Open Liberty 23.0.0.2-beta (wlp-1.0.73.cl230120230123-2118)
wlp.install.dir = /opt/ol/wlp/
server.output.dir = /opt/ol/wlp/output/defaultServer/
java.home = /opt/java/openjdk
java.version = 17.0.5
java.runtime = IBM Semeru Runtime Open Edition (17.0.5+8)
os = Linux (5.4.0-144-generic; amd64) (en_US)
process = 1@012c31d435e1
Classpath = /opt/ol/wlp/bin/tools/ws-server.jar:/opt/ol/wlp/bin/tools/ws-javaagent.jar
Java Library path = /opt/java/openjdk/lib/default:/opt/java/openjdk/lib:/usr/lib64:/usr/lib
********************************************************************************
[3/20/23, 20:03:21:930 UTC] 00000001 com.ibm.ws.kernel.launch.internal.FrameworkManager      A CWWKE0001I: The server defaultServer has been launched.
[3/20/23, 20:03:22:309 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/keystore.xml
[3/20/23, 20:03:22:356 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/open-default-port.xml
[3/20/23, 20:03:22:357 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/sso-features.xml
[3/20/23, 20:03:22:359 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/sso-oidc.xml
[3/20/23, 20:03:22:364 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/overrides/tls.xml
[3/20/23, 20:03:22:365 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/overrides/trustDefault.xml
[3/20/23, 20:03:22:502 UTC] 00000001 com.ibm.ws.kernel.launch.internal.FrameworkManager      I CWWKE0002I: The kernel started after 0.772 seconds
[3/20/23, 20:03:22:582 UTC] 0000002a com.ibm.ws.kernel.feature.internal.FeatureManager      I CWWKF0007I: Feature update started.
[3/20/23, 20:03:24:120 UTC] 0000002a com.ibm.ws.kernel.feature.internal.FeatureManager      E CWWKF0044E: The persistence-3.1 and appSecurity-2.0 features cannot be loaded at the same time. The persistence-3.1 feature of Jakarta EE 10 is incompatible with the appSecurity-2.0 feature of Java EE 6. The persistence-3.1 and appSecurity-2.0 configured features include an incompatible combination of features. Your configuration is not supported. Update the configuration to use features that support either the Jakarta EE or Java EE programming models, but not both.
[3/20/23, 20:03:24:126 UTC] 0000002a com.ibm.ws.logging.internal.impl.IncidentImpl        I FFDC1015I: An FFDC Incident has been created: "java.lang.IllegalArgumentException: Unable to load conflicting versions of features "com.ibm.websphere.appserver.eeCompatible-10.0" and "com.ibm.websphere.appserver.eeCompatible-6.0". The feature dependency chains that led to the conflict are: io.openliberty.persistence-3.1 -> io.openliberty.persistenceContainer-3.1 -> io.openliberty.xmlBinding.internal-4.0 -> io.openliberty.jakarta.xmlBinding-4.0 -> com.ibm.websphere.appserver.eeCompatible-10.0 and com.ibm.websphere.appserver.appSecurity-2.0 -> com.ibm.websphere.appserver.eeCompatible-6.0 com.ibm.ws.kernel.feature.internal.FeatureManager reportErrors" at ffdc_23.03.20_20.03.24.0.log
[3/20/23, 20:03:24:128 UTC] 0000002a com.ibm.ws.kernel.feature.internal.FeatureManager      E CWWKF0033E: The singleton features servlet-6.0 and servlet-3.1 cannot be loaded at the same time. The configured features pages-3.1 and socialLogin-1.0 include one or more features that cause the conflict. Your configuration is not supported; update server.xml to remove incompatible features.
[3/20/23, 20:03:24:136 UTC] 0000002a com.ibm.ws.logging.internal.impl.IncidentImpl        I FFDC1015I: An FFDC Incident has been created: "java.lang.IllegalArgumentException: Unable to load conflicting versions of features "com.ibm.websphere.appserver.servlet-6.0" and "com.ibm.websphere.appserver.servlet-3.1". The feature dependency chains that led to the conflict are: io.openliberty.pages-3.1 -> com.ibm.websphere.appserver.servlet-6.0 and com.ibm.websphere.appserver.socialLogin-1.0 -> io.openliberty.socialLogin1.0.internal.ee-6.0 -> com.ibm.websphere.appserver.servlet-3.1 com.ibm.ws.kernel.feature.internal.FeatureManager reportErrors" at ffdc_23.03.20_20.03.24.1.log
[3/20/23, 20:03:24:136 UTC] 0000002a com.ibm.ws.kernel.feature.internal.FeatureManager      E CWWKF0033E: The singleton features com.ibm.websphere.appserver.transaction-2.0 and com.ibm.websphere.appserver.transaction-1.1 cannot be loaded at the same time. The configured features persistence-3.1 and persistence-3.1 include one or more features that cause the conflict.

rumanaHaque commented 1 year ago

If I comment out the ARG SEC_SSO_PROVIDERS="oidc" line in my Dockerfile - and rebuild the image - then there are no conflicts at server startup.

leochr commented 1 year ago

Setting SEC_SSO_PROVIDERS also enables the following features: appSecurity-2.0, socialLogin-1.0

This is added to the container at /config/configDropins/defaults/sso-features.xml by features.sh

appSecurity-2.0 is causing a conflict with the Jakarta EE10 features.

So a workaround would be to add an empty file to replace it. Make sure to add the features, including socialLogin-1.0, to your server.xml.

1) Create an empty server config file, empty-config.xml:

<server/>

2) Add it to the application's Dockerfile after RUN features.sh:

COPY --chown=1001:0 empty-config.xml /config/configDropins/defaults/sso-features.xml

FYI @rumanaHaque
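
A pre-build check for the situation in the comment above, as an added example that is not part of the thread or of the ci.docker project: it merges the feature lists from server.xml and the sso-features.xml drop-in, reports any feature requested at more than one version, and lists what server.xml must declare itself once the drop-in is replaced by the empty file. The XML samples are constructed from the snippets in this issue, the function names are hypothetical, and the check is a simplification: it only compares feature names, so it does not follow Liberty's dependency chains (for example the servlet-6.0 / servlet-3.1 conflict in the log).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed samples: a trimmed server.xml from this issue, and the drop-in
# content the thread says features.sh generates when SEC_SSO_PROVIDERS is set.
SERVER_XML = """<server><featureManager>
  <feature>appSecurity-5.0</feature>
  <feature>pages-3.1</feature>
  <feature>persistence-3.1</feature>
  <!-- <feature>socialLogin-1.0</feature> -->
</featureManager></server>"""
SSO_FEATURES_XML = """<server><featureManager>
  <feature>appSecurity-2.0</feature>
  <feature>socialLogin-1.0</feature>
</featureManager></server>"""
EMPTY_CONFIG_XML = "<server/>"  # the workaround's replacement file


def features(xml_text):
    """Enabled <feature> entries; XML comments are skipped by the parser."""
    root = ET.fromstring(xml_text)
    return [f.text.strip() for f in root.iter("feature") if f.text and f.text.strip()]


def base_name(feature):
    """'appSecurity-2.0' -> 'appSecurity'; a name without a version is kept whole."""
    name, sep, _ = feature.rpartition("-")
    return name if sep else feature


def version_conflicts(*configs):
    """Feature names that the merged configs request at more than one version."""
    versions = defaultdict(set)
    for cfg in configs:
        for feat in features(cfg):
            versions[base_name(feat)].add(feat)
    return {n: sorted(v) for n, v in versions.items() if len(v) > 1}


def missing_after_workaround(server_xml, replaced_dropin_xml):
    """Features the replaced drop-in supplied that server.xml does not declare."""
    declared = {base_name(f) for f in features(server_xml)}
    return sorted(f for f in features(replaced_dropin_xml) if base_name(f) not in declared)


if __name__ == "__main__":
    print("before:", version_conflicts(SERVER_XML, SSO_FEATURES_XML))
    print("after: ", version_conflicts(SERVER_XML, EMPTY_CONFIG_XML))
    print("add to server.xml:", missing_after_workaround(SERVER_XML, SSO_FEATURES_XML))
```
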

rumanaHaque commented 1 year ago

Thanks @leochr I was able to use this workaround, and successfully start my server without any conflicts.

rumanaHaque commented 1 year ago

@leochr Do you know if this has already been fixed in the current Liberty builds?

leochr commented 1 year ago

@rumanaHaque not yet, but we plan to add a flag to skip adding the SSO features. I'll let you know when it's added.

rumanaHaque commented 1 year ago

@leochr - Do you know if this defect has been fixed yet in the current Liberty builds? I am writing an Open Liberty blog which uses the same configuration, and was hoping I don't have to use the workaround as mentioned in this defect. Please let me know. Thanks.

leochr commented 1 year ago

@rumanaHaque It's not in a release yet. We'll target 4Q to address this.