paketo-buildpacks / libjvm

A library and helper applications that form the basis for building the different Paketo-style JVM-providing buildpacks
Apache License 2.0

Unable to add container CA certificates to JVM #272

Closed Ranganathan95 closed 1 year ago

Ranganathan95 commented 1 year ago

We are using a Spring Boot reactive web application (bootBuildImage) and trying to add custom certificates in ca-cert, but we are getting this warning, hence the actual cert has not been added.

Builder logs:
Pulling builder image 'docker.io/paketobuildpacks/builder:0.1.334-tiny' ..................................................
Pulled builder image 'paketobuildpacks/builder@sha256:dd2184255aab509bdffa753d3f671c2d1f7c79cc555e19523299c4f72dc309c5'
Pulling run image 'docker.io/paketobuildpacks/run:1.3.68-tiny' ..................................................
JRE - 17

Error: WARNING: Unable to add container CA certificates to JVM because /layers/paketo-buildpacks_bellsoft-liberica/jre/lib/security/cacerts is read-only

Note: For a normal Spring Boot app (not reactive) there are no issues; I'm not sure whether the config changes based on the web app type. Mentioning this point in case it is helpful for debugging.

dmikusa commented 1 year ago

> WARNING: Unable to add container CA certificates to JVM because /layers/paketo-buildpacks_bellsoft-liberica/jre/lib/security/cacerts is read-only

This means exactly what it's saying: we can't add certificates to the JVM's truststore because the file is not writable at the OS level.

It's unclear why that would be the case from the information you've posted. Can you provide any more details about how you're building? What is in your build.gradle file? What version of Docker are you running? What OS are you using? Is this a local dev build or in CI? Please include the full output of a build. Thanks

Ranganathan95 commented 1 year ago

Thanks, @dmikusa, for the response. I'm building the image in the CI pipeline. There is no explicit config in the build.gradle, just only Spring Boot dependencies. We use Spring Boot 2.7.8.

Regarding the docker version, I'll get back shortly

Build logs

Task :compileJava FROM-CACHE
03-Apr-2023 18:50:50 > Task :processResources
03-Apr-2023 18:50:50 > Task :classes
03-Apr-2023 18:50:51 > Task :bootJarMainClassName
03-Apr-2023 18:50:53 > Task :bootJar
03-Apr-2023 18:50:55
03-Apr-2023 18:50:55 > Task :bootBuildImage
03-Apr-2023 18:50:55 Building image ':2.1.1-SNAPSHOT-dacb40f'
03-Apr-2023 18:50:55
03-Apr-2023 18:51:10 > Pulling builder image 'docker.io/paketobuildpacks/builder:0.1.334-tiny' ..................................................
03-Apr-2023 18:51:10 > Pulled builder image 'paketobuildpacks/builder@sha256:dd2184255aab509bdffa753d3f671c2d1f7c79cc555e19523299c4f72dc309c5'
03-Apr-2023 18:51:14 > Pulling run image 'docker.io/paketobuildpacks/run:1.3.68-tiny' ..................................................
03-Apr-2023 18:51:14 > Pulled run image 'paketobuildpacks/run@sha256:09b0ddb324463d2aadfd9911b227a93f805962541d627767861381b0cacf3083'
03-Apr-2023 18:51:14 > Executing lifecycle version v0.16.0
03-Apr-2023 18:51:14 > Using build cache volume 'pack-cache-f0af956a078a.build'
03-Apr-2023 18:51:14
03-Apr-2023 18:51:14 > Running creator
03-Apr-2023 18:51:22 [creator] Warning: Platform requested deprecated API '0.4'
03-Apr-2023 18:51:22 [creator] ===> DETECTING
03-Apr-2023 18:51:22 [creator] 6 of 26 buildpacks participating
03-Apr-2023 18:51:22 [creator] paketo-buildpacks/ca-certificates 3.6.0
03-Apr-2023 18:51:22 [creator] paketo-buildpacks/bellsoft-liberica 9.11.0
03-Apr-2023 18:51:22 [creator] paketo-buildpacks/syft 1.25.0
03-Apr-2023 18:51:22 [creator] paketo-buildpacks/executable-jar 6.6.1
03-Apr-2023 18:51:22 [creator] paketo-buildpacks/dist-zip 5.5.1
03-Apr-2023 18:51:22 [creator] paketo-buildpacks/spring-boot 5.23.0
03-Apr-2023 18:51:22 [creator] ===> ANALYZING
03-Apr-2023 18:51:22 [creator] Previous image with name ":2.1.1-SNAPSHOT-dacb40f" not found
03-Apr-2023 18:51:22 [creator] ===> RESTORING
03-Apr-2023 18:51:22 [creator] ===> BUILDING
03-Apr-2023 18:51:22 [creator]
03-Apr-2023 18:51:22 [creator] Paketo Buildpack for CA Certificates 3.6.0
03-Apr-2023 18:51:22 [creator] https://github.com/paketo-buildpacks/ca-certificates
03-Apr-2023 18:51:22 [creator] Launch Helper: Contributing to layer
03-Apr-2023 18:51:22 [creator] Creating /layers/paketo-buildpacks_ca-certificates/helper/exec.d/ca-certificates-helper
03-Apr-2023 18:51:22 [creator]
03-Apr-2023 18:51:22 [creator] Paketo Buildpack for BellSoft Liberica 9.11.0
03-Apr-2023 18:51:22 [creator] https://github.com/paketo-buildpacks/bellsoft-liberica
03-Apr-2023 18:51:22 [creator] Build Configuration:
03-Apr-2023 18:51:22 [creator] $BP_JVM_JLINK_ARGS --no-man-pages --no-header-files --strip-debug --compress=1 configure custom link arguments (--output must be omitted)
03-Apr-2023 18:51:22 [creator] $BP_JVM_JLINK_ENABLED false enables running jlink tool to generate custom JRE
03-Apr-2023 18:51:22 [creator] $BP_JVM_TYPE JRE the JVM type - JDK or JRE
03-Apr-2023 18:51:22 [creator] $BP_JVM_VERSION 11. the Java version
03-Apr-2023 18:51:22 [creator] Launch Configuration:
03-Apr-2023 18:51:22 [creator] $BPL_DEBUG_ENABLED false enables Java remote debugging support
03-Apr-2023 18:51:22 [creator] $BPL_DEBUG_PORT 8000 configure the remote debugging port
03-Apr-2023 18:51:22 [creator] $BPL_DEBUG_SUSPEND false configure whether to suspend execution until a debugger has attached
03-Apr-2023 18:51:22 [creator] $BPL_HEAP_DUMP_PATH write heap dumps on error to this path
03-Apr-2023 18:51:22 [creator] $BPL_JAVA_NMT_ENABLED true enables Java Native Memory Tracking (NMT)
03-Apr-2023 18:51:22 [creator] $BPL_JAVA_NMT_LEVEL summary configure level of NMT, summary or detail
03-Apr-2023 18:51:22 [creator] $BPL_JFR_ARGS configure custom Java Flight Recording (JFR) arguments
03-Apr-2023 18:51:22 [creator] $BPL_JFR_ENABLED false enables Java Flight Recording (JFR)
03-Apr-2023 18:51:22 [creator] $BPL_JMX_ENABLED false enables Java Management Extensions (JMX)
03-Apr-2023 18:51:22 [creator] $BPL_JMX_PORT 5000 configure the JMX port
03-Apr-2023 18:51:22 [creator] $BPL_JVM_HEAD_ROOM 0 the headroom in memory calculation
03-Apr-2023 18:51:22 [creator] $BPL_JVM_LOADED_CLASS_COUNT 35% of classes the number of loaded classes in memory calculation
03-Apr-2023 18:51:22 [creator] $BPL_JVM_THREAD_COUNT 250 the number of threads in memory calculation
03-Apr-2023 18:51:22 [creator] $JAVA_TOOL_OPTIONS the JVM launch flags
03-Apr-2023 18:51:23 [creator] Using Java version 11. from BP_JVM_VERSION
03-Apr-2023 18:51:23 [creator] BellSoft Liberica JRE 11.0.18: Contributing to layer
03-Apr-2023 18:51:23 [creator] Downloading from https://github.com/bell-sw/Liberica/releases/download/11.0.18+10/bellsoft-jre11.0.18+10-linux-amd64.tar.gz
03-Apr-2023 18:51:23 [creator] Verifying checksum
03-Apr-2023 18:51:23 [creator] Expanding to /layers/paketo-buildpacks_bellsoft-liberica/jre
03-Apr-2023 18:51:25 [creator] Adding 124 container CA certificates to JVM truststore
03-Apr-2023 18:51:25 [creator] Writing env.launch/BPI_APPLICATION_PATH.default
03-Apr-2023 18:51:25 [creator] Writing env.launch/BPI_JVM_CACERTS.default
03-Apr-2023 18:51:25 [creator] Writing env.launch/BPI_JVM_CLASS_COUNT.default
03-Apr-2023 18:51:25 [creator] Writing env.launch/BPI_JVM_SECURITY_PROVIDERS.default
03-Apr-2023 18:51:25 [creator] Writing env.launch/JAVA_HOME.default
03-Apr-2023 18:51:25 [creator] Writing env.launch/JAVA_TOOL_OPTIONS.append
03-Apr-2023 18:51:25 [creator] Writing env.launch/JAVA_TOOL_OPTIONS.delim
03-Apr-2023 18:51:25 [creator] Writing env.launch/MALLOC_ARENA_MAX.default
03-Apr-2023 18:51:25 [creator] Launch Helper: Contributing to layer
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/active-processor-count
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/java-opts
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/jvm-heap
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/link-local-dns
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/memory-calculator
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/security-providers-configurer
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/jmx
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/jfr
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/security-providers-classpath-9
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/debug-9
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/nmt
03-Apr-2023 18:51:25 [creator] Creating /layers/paketo-buildpacks_bellsoft-liberica/helper/exec.d/openssl-certificate-loader
03-Apr-2023 18:51:25 [creator] Java Security Properties: Contributing to layer
03-Apr-2023 18:51:25 [creator] Writing env.launch/JAVA_SECURITY_PROPERTIES.default
03-Apr-2023 18:51:25 [creator] Writing env.launch/JAVA_TOOL_OPTIONS.append
03-Apr-2023 18:51:25 [creator] Writing env.launch/JAVA_TOOL_OPTIONS.delim
03-Apr-2023 18:51:25 [creator]
03-Apr-2023 18:51:25 [creator] Paketo Buildpack for Syft 1.25.0
03-Apr-2023 18:51:25 [creator] https://github.com/paketo-buildpacks/syft
03-Apr-2023 18:51:25 [creator] Downloading from https://github.com/anchore/syft/releases/download/v0.73.0/syft_0.73.0_linux_amd64.tar.gz
03-Apr-2023 18:51:26 [creator] Verifying checksum
03-Apr-2023 18:51:26 [creator] Writing env.build/SYFT_CHECK_FOR_APP_UPDATE.default
03-Apr-2023 18:51:26 [creator]
03-Apr-2023 18:51:26 [creator] Paketo Buildpack for Executable JAR 6.6.1
03-Apr-2023 18:51:26 [creator] https://github.com/paketo-buildpacks/executable-jar
03-Apr-2023 18:51:27 [creator] Class Path: Contributing to layer
03-Apr-2023 18:51:27 [creator] Writing env/CLASSPATH.delim
03-Apr-2023 18:51:27 [creator] Writing env/CLASSPATH.prepend
03-Apr-2023 18:51:27 [creator] Process types:
03-Apr-2023 18:51:27 [creator] executable-jar: java org.springframework.boot.loader.JarLauncher (direct)
03-Apr-2023 18:51:27 [creator] task: java org.springframework.boot.loader.JarLauncher (direct)
03-Apr-2023 18:51:27 [creator] web: java org.springframework.boot.loader.JarLauncher (direct)
03-Apr-2023 18:51:27 [creator]
03-Apr-2023 18:51:27 [creator] Paketo Buildpack for Spring Boot 5.23.0
03-Apr-2023 18:51:27 [creator] https://github.com/paketo-buildpacks/spring-boot
03-Apr-2023 18:51:27 [creator] Build Configuration:
03-Apr-2023 18:51:27 [creator] $BP_SPRING_CLOUD_BINDINGS_DISABLED false whether to contribute Spring Boot cloud bindings support
03-Apr-2023 18:51:27 [creator] Launch Configuration:
03-Apr-2023 18:51:27 [creator] $BPL_SPRING_CLOUD_BINDINGS_DISABLED false whether to auto-configure Spring Boot environment properties from bindings
03-Apr-2023 18:51:27 [creator] $BPL_SPRING_CLOUD_BINDINGS_ENABLED true Deprecated - whether to auto-configure Spring Boot environment properties from bindings
03-Apr-2023 18:51:28 [creator] Creating slices from layers index
03-Apr-2023 18:51:28 [creator] dependencies (99.2 MB)
03-Apr-2023 18:51:28 [creator] spring-boot-loader (258.6 KB)
03-Apr-2023 18:51:28 [creator] snapshot-dependencies (0.0 B)
03-Apr-2023 18:51:28 [creator] application (1.5 MB)
03-Apr-2023 18:51:28 [creator] Launch Helper: Contributing to layer
03-Apr-2023 18:51:28 [creator] Creating /layers/paketo-buildpacks_spring-boot/helper/exec.d/spring-cloud-bindings
03-Apr-2023 18:51:28 [creator] Spring Cloud Bindings 1.11.0: Contributing to layer
03-Apr-2023 18:51:28 [creator] Downloading from https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-bindings/1.11.0/spring-cloud-bindings-1.11.0.jar
03-Apr-2023 18:51:29 [creator] Verifying checksum
03-Apr-2023 18:51:29 [creator] Copying to /layers/paketo-buildpacks_spring-boot/spring-cloud-bindings
03-Apr-2023 18:51:29 [creator] Web Application Type: Contributing to layer
03-Apr-2023 18:51:29 [creator] Reactive web application detected
03-Apr-2023 18:51:29 [creator] Writing env.launch/BPL_JVM_THREAD_COUNT.default
03-Apr-2023 18:51:29 [creator] 4 application slices
03-Apr-2023 18:51:29 [creator] Image labels:
03-Apr-2023 18:51:29 [creator] org.springframework.boot.version
03-Apr-2023 18:51:29 [creator] ===> EXPORTING
03-Apr-2023 18:51:29 [creator] Adding layer 'paketo-buildpacks/ca-certificates:helper'
03-Apr-2023 18:51:29 [creator] Adding layer 'paketo-buildpacks/bellsoft-liberica:helper'
03-Apr-2023 18:51:29 [creator] Adding layer 'paketo-buildpacks/bellsoft-liberica:java-security-properties'
03-Apr-2023 18:51:29 [creator] Adding layer 'paketo-buildpacks/bellsoft-liberica:jre'
03-Apr-2023 18:51:29 [creator] Adding layer 'paketo-buildpacks/executable-jar:classpath'
03-Apr-2023 18:51:29 [creator] Adding layer 'paketo-buildpacks/spring-boot:helper'
03-Apr-2023 18:51:29 [creator] Adding layer 'paketo-buildpacks/spring-boot:spring-cloud-bindings'
03-Apr-2023 18:51:29 [creator] Adding layer 'paketo-buildpacks/spring-boot:web-application-type'
03-Apr-2023 18:51:30 [creator] Adding 5/5 app layer(s)
03-Apr-2023 18:51:30 [creator] Adding layer 'buildpacksio/lifecycle:launcher'
03-Apr-2023 18:51:30 [creator] Adding layer 'buildpacksio/lifecycle:config'
03-Apr-2023 18:51:30 [creator] Adding layer 'buildpacksio/lifecycle:process-types'
03-Apr-2023 18:51:30 [creator] Adding label 'io.buildpacks.lifecycle.metadata'
03-Apr-2023 18:51:30 [creator] Adding label 'io.buildpacks.build.metadata'
03-Apr-2023 18:51:30 [creator] Adding label 'io.buildpacks.project.metadata'
03-Apr-2023 18:51:30 [creator] Adding label 'org.springframework.boot.version'
03-Apr-2023 18:51:30 [creator] Setting default process type 'web'
03-Apr-2023 18:51:30 [creator] Saving :2.1.1-SNAPSHOT-dacb40f...
03-Apr-2023 18:51:32 [creator] *** Images (3ad551071e6a):
03-Apr-2023 18:51:32 [creator] :2.1.1-SNAPSHOT-dacb40f
03-Apr-2023 18:51:32 [creator] Adding cache layer 'paketo-buildpacks/syft:syft'
03-Apr-2023 18:51:38
03-Apr-2023 18:51:38 Successfully built image ':2.1.1-SNAPSHOT-dacb40f'

dmikusa commented 1 year ago

> I'm building the image in the CI pipeline

I would talk with your CI administrator or someone that knows how Docker is set up in your CI. Docker in CI is not often as free and permissive as it is when running on your Desktop. Only your administrator or someone familiar with that CI system will know how Docker is set up though.

anthonydahanne commented 1 year ago

A workaround for you would be to bind the CA certs at runtime, hoping that your runtime environment won't suffer from missing write rights.

dmikusa commented 1 year ago

Closing as there has been no update.