ubuntu java package has broken cacerts #19
Comments
@tianon should we implement the workaround to fix jdk 8 images and any children? |
I suppose, although only if it's going to be temporary for sure. Has anyone figured out what's wrong upstream to cause it? I'd feel a lot better about carrying a temporary workaround if we made sure we did our due diligence and got a patch submitted upstream so we make sure it really is only temporary. |
Looks like Update: And now I see that y'all are already talking about the the Also, it appears that the right command to run would be |
It looks like the issue is that there is no
It looks like |
I think I found the root cause here: http://anonscm.debian.org/viewvc/pkg-java/trunk/ca-certificates-java/debian/postinst.in?view=markup#l29 It looks like the postinstall script attempts to find its After the installation is complete (in particular the selection of JDK 8 as It looks like one fix would be to update the postinstall script to look for the JDK in |
Proposal: Add the workaround: RUN /var/lib/dpkg/info/ca-certificates-java.postinst configure But also add |
For the record, @yosifkit filed a patch upstream to update the lines @md5 pointed out: https://bugs.debian.org/775775 ❤️ I'm +1 on @yosifkit's proposal for now, especially since we've got a nice natural cache-bust when it's fixed upstream. 👍 |
Hello folks, I just wanted to point out that this workaround may not be necessary anymore, and thus the code for it may be able to be removed from the Dockerfile. Here's my case:
This is my Dockerfile. It was originally using a different base image but for the purpose of this example If I understand correctly, that's the same base operating system as in the OpenJDK 8 Dockerfile. Most of the contents of this Dockerfile and yours are identical, but with a bit of a writing style difference.
So yeah, it doesn't seem necessary anymore..? I'm not sure what's changed since this issue was opened last year though, but hey, food for thought. |
Hmm, that's strange -- the Debian bug is still open, and was set to severity "serious" just days ago by one of the Java maintainers. 😕 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775775#13
|
I am trying to use the workaround in Ubuntu 14.04 since it obviously has the problem. I put it in the dockerfile. The command works from terminal directly but that certainly does not help docker to build. Any sample dockerfile? |
@hayday100 from my original post, you must put
after the apt-get install command. If you do it before, then the file won't yet have been created, since it is created by installing java. |
I tried that last night too. But it certainly got stuck at the
which obviously beat the purpose of the workaround. |
@hayday100 That's not the purpose of this workaround. This workaround existed because The problem you appear to be running into is moby/moby#18180 Could you provide the output of |
Client: Server: |
It is probably irrelevant but it is a VirtualBox 5.0.14 in Windows 8.1. |
I am willing to upgrade Ubuntu if that helps but people say that this persists until Ubuntu 15.04 so that's why I am very interested in this workaround. But it looks like the workaround does not help in docker since there is not a right place for it in the dockerfile. |
It's odd that it's showing Linux for both server and client in that case.
Did you SSH into the VM to run “docker version”?
Regardless, I thought that AUFS-related bug in Boot2docker was fixed with
the 1.10 versions... Maybe it's something else, but I believe it's still
unrelated to the workaround being discussed.
|
No. It is a local VirtualBox that I installed from the ISO from scratch. |
Actually, are you running Ubuntu on your VM as opposed to Boot2docker?
|
I am creating the VM for this in case someone is interested in reproducing the error. |
Do you think that boot2docker can be an alternative for Ubuntu in light of this ca-certificates problem? |
The lack of GUI in Boot2docker will make it difficult for part 2 of the same tutorial but possible. I just don't want to chase a dead end. |
I am a docker rookie. According to my understanding, the docker server is where the images are and client is where the containers will run from the images generated. The error occurs when the docker server is trying to add a ssh certificate into the image yet the openjdk certificate is not recognized. I assume if docker is a full OS, the workaround will definitely work. But it is a mini-VM where things are built only from dockerfile following a sequential order (or at least before I know enough to tweak it). |
Hanging on
|
bilalakil: you got it precisely. The kernel must be downgraded to 3.13.0-71. There were a few hiccups while trying to do that. First, the generic kernel downgraded only to 3.13.0-79 so I had to manually download and downgrade. Then the virtualbox lost its mouse pointer. I later found that you just have to use "input -> mouse integration" to reset the pointing device. Thirdly, the docker daemon refused to start again after the downgrade and apt-get did not help. I went to the docker website and followed the longer process to reinstall docker. But finally everything works like a charm! You don't need the workaround, just a good old engine! Thanks to all! |
This is still happening on Debian and the workaround doesn't fix it |
Build your image on top of it.
at 2nd line, it will insert JAVA_HOME with a computed value (that's why double quotes not single quotes). Credits to: jenkinsci/docker#901 |
See https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1396760
At this time, the latest image id aec8201c9d63 has no /etc/ssl/certs/java/cacerts file:
Note that this is not broken in java 7
$ docker run --rm -it java:openjdk-7-jdk ls -al /etc/ssl/certs/java/cacerts
...
-rw-r--r-- 1 root root 206373 Jan 1 07:13 /etc/ssl/certs/java/cacerts
This means that https cannot be used in these images (among other issues), which breaks downstream images like maven:3.2-jdk-8 (which is where I discovered the issue).
A workaround (from the linked issue) is to add command to the build, after the apt-get command:
Note that sudo is left off, as the image doesn't have sudo, and runs as root anyway.
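A build-time check for the failure described in this issue, as an added example that is not part of the original thread or the image's Dockerfile: it classifies the trust store at /etc/ssl/certs/java/cacerts so a build can stop when the file is missing or empty, instead of failing later on the first HTTPS connection. The function names `cacerts_state` and `require_cacerts` are hypothetical, and the check assumes the store is in JKS format.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Intended to run in an image
# build after the apt-get install step and after the workaround
#   /var/lib/dpkg/info/ca-certificates-java.postinst configure
# Default path is the one quoted in this issue.
CACERTS_DEFAULT=/etc/ssl/certs/java/cacerts

# Prints one of: missing, empty, jks, other.
# Returns 0 for jks, 1 for missing or empty, 2 for any other content.
cacerts_state() {
    f=${1:-$CACERTS_DEFAULT}
    if [ ! -e "$f" ]; then
        echo missing
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo empty
        return 1
    fi
    # Assumption: the store is JKS, which starts with bytes FE ED FE ED.
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" = "feedfeed" ]; then
        echo jks
        return 0
    fi
    # Non-empty but not JKS (for example another keystore format):
    # reported separately so it can be inspected rather than trusted.
    echo other
    return 2
}

# Fails the calling build step with a message unless the store is JKS.
require_cacerts() {
    state=$(cacerts_state "$1") || {
        echo "cacerts check failed: ${1:-$CACERTS_DEFAULT} is $state" >&2
        return 1
    }
    echo "cacerts ok: ${1:-$CACERTS_DEFAULT} ($state)"
}
```
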