docker-library / tomcat

Docker Official Image packaging for Apache Tomcat
https://tomcat.apache.org
Apache License 2.0

Can an entrypoint be provided for Java truststore set-up? #314

Open vlk-charles opened 3 weeks ago

vlk-charles commented 3 weeks ago

#303 disabled the upstream entrypoint, which is __cacert_entrypoint.sh (at least in eclipse-temurin:8-jdk-jammy). This script can help set up the Java truststore. Can the functionality be reintroduced? It seems to me like setting up the truststore before Tomcat start-up would be a common use case. The script even acknowledges and deals with the issue for which it was bypassed:

#!/usr/bin/env bash
# Sheband needs to be `bash`, see https://github.com/adoptium/containers/issues/415 for details

However, I just found a recent change that switches this to sh again.

#!/usr/bin/env sh
# Converted to POSIX shell to avoid the need for bash in the image

tianon commented 3 weeks ago

See https://github.com/docker-library/docs/pull/2338#issuecomment-1593765498 for my opinions about that entrypoint (also, we support more than just eclipse-temurin here, so it would be inconsistent behavior). There's some more recent discussion in https://github.com/docker-library/docs/pull/2445#issuecomment-2137979552 and an even better / more generic proposal in https://github.com/adoptium/containers/issues/573.

vlk-charles commented 3 weeks ago

Just FYI, this is what I am doing in my Dockerfile now:

FROM tomcat:9.0-jdk8
ENTRYPOINT ["/__cacert_entrypoint.sh"]
CMD ["catalina.sh", "run"]
ENV USE_SYSTEM_CA_CERTS=1
...

and then if I want custom certificates at container run time, I mount a volume over /usr/local/share/ca-certificates (or /certificates).
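
A pre-flight audit for the directory that gets mounted over /usr/local/share/ca-certificates (or /certificates) in the comment above, given here as an added example that is not part of the thread or of either project's code. Every certificate in that directory becomes a trust anchor for the JVM, so the check flags anything that is not a plain PEM CA certificate; the function names and sample files are constructed for illustration, and it assumes only POSIX sh and grep.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory before mounting it
# over /usr/local/share/ca-certificates or /certificates. Every certificate
# in it becomes a trust anchor for the JVM inside the container.

# classify_ca_file FILE -> prints "STATUS COUNT" (COUNT = certificate blocks)
classify_ca_file() {
    f=$1
    # grep -c exits 1 on zero matches; "|| true" keeps this safe under set -e
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "private-key $certs"      # key material does not belong here
    elif [ "$certs" -eq 0 ]; then
        echo "not-pem $certs"          # DER, garbage, or a stray file
    else
        case $f in
            *.crt) echo "ok $certs" ;;
            # Debian/Ubuntu update-ca-certificates only reads *.crt files
            *)     echo "wrong-ext $certs" ;;
        esac
    fi
}

# audit_ca_dir DIR -> one report line per file; returns 1 on any finding
audit_ca_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        result=$(classify_ca_file "$f")
        echo "$result $f"
        case $result in ok\ *) ;; *) rc=1 ;; esac
    done
    return $rc
}

# make_sample_dir -> creates constructed sample files, prints the directory
make_sample_dir() {
    d=$(mktemp -d)
    pem='-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n'
    printf '%b' "$pem" > "$d/corp-root.crt"       # constructed, not a real cert
    printf '%b' "$pem$pem" > "$d/chain.pem"       # two blocks, wrong extension
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
        '-----END PRIVATE KEY-----' > "$d/leaked.crt"
    printf 'binary-ish' > "$d/root.der.crt"       # not PEM despite the name
    echo "$d"
}

# Usage: sh audit.sh DIR   (exit status 1 means at least one finding)
if [ $# -gt 0 ]; then audit_ca_dir "$1"; fi
```

The COUNT column shows how many trust anchors each file would add, which makes multi-certificate bundles visible during review.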