Closed pryorda closed 4 years ago
Going through the commits https://github.com/docker-library/openjdk/pull/328 seemed like it would have been related
Looking at the version before that commit I didn't see any symlink there https://github.com/docker-library/repo-info/blob/9c9874b9a4010843b1b79974da423e76f7f5b19c/repos/openjdk/remote/8-jre-slim.md
$ docker run -it --rm openjdk@sha256:283e7c973a263cc2599711742ab06e1b95b9e56d31423d19716da346ccff76cd bash
Unable to find image 'openjdk@sha256:283e7c973a263cc2599711742ab06e1b95b9e56d31423d19716da346ccff76cd' locally
sha256:283e7c973a263cc2599711742ab06e1b95b9e56d31423d19716da346ccff76cd: Pulling from library/openjdk
743f2d6c1f65: Pull complete
c9d069c9f7b6: Pull complete
25b3ee1712da: Pull complete
Digest: sha256:283e7c973a263cc2599711742ab06e1b95b9e56d31423d19716da346ccff76cd
Status: Downloaded newer image for openjdk@sha256:283e7c973a263cc2599711742ab06e1b95b9e56d31423d19716da346ccff76cd
root@f1fca9e5dd6b:/# ls -al ${JAVA_HOME}
total 184
drwxr-sr-x 5 root staff 121 May 24 22:36 .
drwxrwsr-x 1 root staff 36 May 24 22:36 ..
-r--r--r-- 1 501 501 1522 May 21 18:32 ASSEMBLY_EXCEPTION
-r--r--r-- 1 501 501 19274 May 21 18:32 LICENSE
-r--r--r-- 1 501 501 152511 May 21 18:32 THIRD_PARTY_README
drwxrwxr-x 2 501 501 198 May 21 18:32 bin
drwxrwxr-x 9 501 501 4096 May 21 18:32 lib
drwxrwxr-x 4 501 501 47 May 21 18:32 man
-rw-rw-r-- 1 501 501 237 May 21 18:32 release
And the current
$ docker run -it --rm openjdk:8-jre-slim bash
Unable to find image 'openjdk:8-jre-slim' locally
8-jre-slim: Pulling from library/openjdk
b8f262c62ec6: Pull complete
377e264464dd: Pull complete
3198ebe94151: Pull complete
722dfeae3f41: Pull complete
Digest: sha256:7846e284589aecedc522025d9400fcadf462aa52eecf6fe7075107679972bf3e
Status: Downloaded newer image for openjdk:8-jre-slim
root@82428c51a22d:/# ls -al ${JAVA_HOME}
total 180
drwxr-xr-x 5 root root 121 Sep 14 00:24 .
drwxr-xr-x 1 root root 23 Sep 14 00:24 ..
-r--r--r-- 1 root root 1522 Jul 11 17:25 ASSEMBLY_EXCEPTION
-r--r--r-- 1 root root 19274 Jul 11 17:25 LICENSE
-r--r--r-- 1 root root 147535 Jul 11 17:25 THIRD_PARTY_README
drwxrwxr-x 2 root root 198 Jul 11 17:25 bin
drwxrwxr-x 9 root root 4096 Jul 11 17:24 lib
drwxrwxr-x 4 root root 47 Jul 11 17:25 man
-rw-rw-r-- 1 root root 238 Jul 11 17:25 release
Going back in time I found it in this image:
✘2 ➜ docker run -it --rm openjdk@sha256:80e503009472437ef3cd5b067092c7782e144b5c03f60160287572ff63b96520 bash
root@5e6cdd70bb61:/# ls -l ${JAVA_HOME}/lib/jre
ls: cannot access '/docker-java-home/jre/lib/jre': No such file or directory
root@5e6cdd70bb61:/# ls -l ${JAVA_HOME}/lib/
accessibility.properties cmm/ hijrah-config-umalqura.properties jsse.jar meta-index rt.jar
amd64/ content-types.properties images/ jvm.hprof.txt net.properties security/
calendars.properties currency.data jar.binfmt logging.properties psfont.properties.ja sound.properties
charsets.jar ext/ jce.jar management/ psfontj2d.properties swing.properties
classlist flavormap.properties jexec management-agent.jar resources.jar tzdb.dat
root@5e6cdd70bb61:/# ls -l ${JAVA_HOME}/lib/security/cacerts
lrwxrwxrwx 1 root root 27 Mar 18 2019 /docker-java-home/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
root@5e6cdd70bb61:/#
09/30/19 14:59:01 MDT as dpryor@co007 in ~ at ☸️ minikube took 2s ```
That definitely sounds like #322 (the old image is using the debian package rather than the builds from adoptopenjdk.net/upstream
):
the way OpenJDK is installed in 8 and 11 images is now quite different, and there will be some breakage expected -- I've tried to minimize that as much as possible, but there's only so much I can do here
From what I understand in #328 (and #327), the carcerts
file is generated directly in the correct spot in JAVA_HOME
whenever update-ca-certificates
is called and so the symlink is not necessary. The usual way to add certificates to a debian system by copying them to /usr/local/share/ca-certificates/
and running update-ca-certificates
should be working.
Should the entrypoint be updated to support this? We could probably add a directory and if it has any files in it to go ahead and initiate the update-ca-certificates script. If you guys think this is a good idea I can do the PR.
Edit. Nvm I dont see an entrypoint in any of the directories.
It appears that in one of the recent updates the cacerts symlink in ${JAVA_HOME} no longer exists. Is this expected behavior?
Using 8-jre-slim currently.