docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

Lost cacerts symlink in 8-jre-slim #360

Closed pryorda closed 4 years ago

pryorda commented 5 years ago

It appears that in one of the recent updates the cacerts symlink in ${JAVA_HOME} no longer exists. Is this expected behavior?

Using 8-jre-slim currently.

wglambert commented 5 years ago

Going through the commits https://github.com/docker-library/openjdk/pull/328 seemed like it would have been related

Looking at the version before that commit I didn't see any symlink there https://github.com/docker-library/repo-info/blob/9c9874b9a4010843b1b79974da423e76f7f5b19c/repos/openjdk/remote/8-jre-slim.md

```
$ docker run -it --rm openjdk@sha256:283e7c973a263cc2599711742ab06e1b95b9e56d31423d19716da346ccff76cd bash
Unable to find image 'openjdk@sha256:283e7c973a263cc2599711742ab06e1b95b9e56d31423d19716da346ccff76cd' locally
sha256:283e7c973a263cc2599711742ab06e1b95b9e56d31423d19716da346ccff76cd: Pulling from library/openjdk
743f2d6c1f65: Pull complete
c9d069c9f7b6: Pull complete
25b3ee1712da: Pull complete
Digest: sha256:283e7c973a263cc2599711742ab06e1b95b9e56d31423d19716da346ccff76cd
Status: Downloaded newer image for openjdk@sha256:283e7c973a263cc2599711742ab06e1b95b9e56d31423d19716da346ccff76cd
root@f1fca9e5dd6b:/# ls -al ${JAVA_HOME}
total 184
drwxr-sr-x 5 root staff    121 May 24 22:36 .
drwxrwsr-x 1 root staff     36 May 24 22:36 ..
-r--r--r-- 1  501   501   1522 May 21 18:32 ASSEMBLY_EXCEPTION
-r--r--r-- 1  501   501  19274 May 21 18:32 LICENSE
-r--r--r-- 1  501   501 152511 May 21 18:32 THIRD_PARTY_README
drwxrwxr-x 2  501   501    198 May 21 18:32 bin
drwxrwxr-x 9  501   501   4096 May 21 18:32 lib
drwxrwxr-x 4  501   501     47 May 21 18:32 man
-rw-rw-r-- 1  501   501    237 May 21 18:32 release
```

And the current

```
$ docker run -it --rm openjdk:8-jre-slim bash
Unable to find image 'openjdk:8-jre-slim' locally
8-jre-slim: Pulling from library/openjdk
b8f262c62ec6: Pull complete
377e264464dd: Pull complete
3198ebe94151: Pull complete
722dfeae3f41: Pull complete
Digest: sha256:7846e284589aecedc522025d9400fcadf462aa52eecf6fe7075107679972bf3e
Status: Downloaded newer image for openjdk:8-jre-slim
root@82428c51a22d:/# ls -al ${JAVA_HOME}
total 180
drwxr-xr-x 5 root root    121 Sep 14 00:24 .
drwxr-xr-x 1 root root     23 Sep 14 00:24 ..
-r--r--r-- 1 root root   1522 Jul 11 17:25 ASSEMBLY_EXCEPTION
-r--r--r-- 1 root root  19274 Jul 11 17:25 LICENSE
-r--r--r-- 1 root root 147535 Jul 11 17:25 THIRD_PARTY_README
drwxrwxr-x 2 root root    198 Jul 11 17:25 bin
drwxrwxr-x 9 root root   4096 Jul 11 17:24 lib
drwxrwxr-x 4 root root     47 Jul 11 17:25 man
-rw-rw-r-- 1 root root    238 Jul 11 17:25 release
```

pryorda commented 4 years ago

Going back in time I found it in this image:


```
✘2 ➜ docker run -it --rm  openjdk@sha256:80e503009472437ef3cd5b067092c7782e144b5c03f60160287572ff63b96520 bash
root@5e6cdd70bb61:/# ls -l ${JAVA_HOME}/lib/jre
ls: cannot access '/docker-java-home/jre/lib/jre': No such file or directory
root@5e6cdd70bb61:/# ls -l ${JAVA_HOME}/lib/
accessibility.properties           cmm/                               hijrah-config-umalqura.properties  jsse.jar                           meta-index                         rt.jar
amd64/                             content-types.properties           images/                            jvm.hprof.txt                      net.properties                     security/
calendars.properties               currency.data                      jar.binfmt                         logging.properties                 psfont.properties.ja               sound.properties
charsets.jar                       ext/                               jce.jar                            management/                        psfontj2d.properties               swing.properties
classlist                          flavormap.properties               jexec                              management-agent.jar               resources.jar                      tzdb.dat
root@5e6cdd70bb61:/# ls -l ${JAVA_HOME}/lib/security/cacerts
lrwxrwxrwx 1 root root 27 Mar 18  2019 /docker-java-home/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
root@5e6cdd70bb61:/#
09/30/19 14:59:01 MDT as dpryor@co007 in ~ at ☸️  minikube took 2s
```

yosifkit commented 4 years ago

That definitely sounds like #322 (the old image is using the debian package rather than the builds from adoptopenjdk.net/upstream):

> the way OpenJDK is installed in 8 and 11 images is now quite different, and there will be some breakage expected -- I've tried to minimize that as much as possible, but there's only so much I can do here

From what I understand in #328 (and #327), the cacerts file is generated directly in the correct spot in JAVA_HOME whenever update-ca-certificates is called and so the symlink is not necessary. The usual way to add certificates to a Debian system by copying them to /usr/local/share/ca-certificates/ and running update-ca-certificates should be working.
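
A check for the difference discussed in this thread, as an added example that is not part of the original comments or the docker-library/openjdk repository: it reports whether the truststore under a given JAVA_HOME is a regular file, a symlink, a dangling symlink, or missing. The function names and the script name `check-cacerts.sh` are hypothetical, and the keytool call assumes the default store password `changeit`.

```shell
#!/bin/sh
# Added example: report how the Java truststore under a JAVA_HOME is provided.
# Function names are hypothetical; "changeit" is the default store password.

# Print the truststore path under $1, checking the JRE-rooted layout
# (lib/security) and the JDK-rooted one (jre/lib/security).
find_cacerts() {
    for rel in lib/security/cacerts jre/lib/security/cacerts; do
        if [ -e "$1/$rel" ] || [ -L "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

# Print one of: file | symlink:<target> | dangling:<target> | empty | missing.
# Exit status is 0 only when a non-empty truststore is reachable.
cacerts_kind() {
    store=$(find_cacerts "$1") || { echo missing; return 1; }
    kind=file
    if [ -L "$store" ]; then
        kind="symlink:$(readlink "$store")"
        [ -e "$store" ] || { echo "dangling:$(readlink "$store")"; return 1; }
    fi
    [ -s "$store" ] || { echo empty; return 1; }
    echo "$kind"
}

# Count trusted entries with keytool when it is on PATH, so the number can be
# compared before and after update-ca-certificates; "unknown" without keytool.
cacerts_count() {
    store=$(find_cacerts "$1") || { echo 0; return 1; }
    command -v keytool >/dev/null 2>&1 || { echo unknown; return 0; }
    keytool -list -keystore "$store" -storepass changeit 2>/dev/null |
        grep -c trustedCertEntry
}

# Usage inside the container: sh check-cacerts.sh "$JAVA_HOME"
if [ -n "${1:-}" ]; then
    echo "kind:    $(cacerts_kind "$1")"
    echo "entries: $(cacerts_count "$1")"
fi
```

Running it before and after `update-ca-certificates` in a derived image shows whether a certificate copied to /usr/local/share/ca-certificates/ actually reached the Java truststore.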

pryorda commented 4 years ago

Should the entrypoint be updated to support this? We could probably add a directory and if it has any files in it to go ahead and initiate the update-ca-certificates script. If you guys think this is a good idea I can do the PR.

Edit. Nvm I don't see an entrypoint in any of the directories.