There is a java breaking change in amd64/openjdk:8u212-jre-slim

[allamand]

Hello,

With previous version of the amd64/openjdk:8u212-jre-slim image, I was able to uses special capabilities on the java binary under a non root user.

With the new version it does not work anymore.

Steps to reproduce

$ docker run -it --cap-add IPC_LOCK amd64/openjdk:8u212-jre-slim bash
> root@4c57bb92e8bc:/# apt-get update && apt-get -qq -y install libcap2-bin 
> root@4c57bb92e8bc:/# setcap cap_ipc_lock=ep $(readlink -f $(which java))
> root@4c57bb92e8bc:/# adduser --disabled-password --no-create-home --gecos '' --disabled-login cassandra
> root@4c57bb92e8bc:/# su cassandra
> cassandra@4c57bb92e8bc:/# /usr/local/openjdk-8/bin/java -version
/usr/local/openjdk-8/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
> root@4c57bb92e8bc:/#

This was working with previous version :

docker run -ti  --cap-add IPC_LOCK amd64/openjdk@sha256:e23dee130d76abe4fcd6c5c46e19d1701114b3a727ff78fa3e000c4c1c20c6be bash
> root@4c57bb92e8bb:/# apt-get update && apt-get -qq -y install libcap2-bin 
> root@4c57bb92e8bb:/# setcap cap_ipc_lock=ep $(readlink -f $(which java))
> root@4c57bb92e8bb:/# adduser --disabled-password --no-create-home --gecos '' --disabled-login cassandra
> root@4c57bb92e8bb:/# su cassandra
> cassandra@4c57bb92e8bb:/# /usr/bin/java  -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-8u212-b01-1~deb9u1-b01)
OpenJDK 64-Bit Server VM (build 25.212-b01, mixed mode)

I need help to be able to make it works again..

thanks

[wglambert]

For running as an arbitrary user I guess ibjli.so wasn't resolvable where it was, so I moved it with the rest of the *.so's. Running as root worked fine though.

Just moving that libjli.so was all that was needed

cassandra@7191ad4a367e:/$ ldd $(which java)
        linux-vdso.so.1 (0x00007ffe63321000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff7be580000)
        libjli.so => /usr/local/openjdk-8/bin/../lib/amd64/jli/libjli.so (0x00007ff7be369000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff7be165000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff7bddc6000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ff7be79d000)

FROM openjdk:8u212-jre-slim

RUN apt update && apt install -y --no-install-recommends libcap2-bin && \
        rm -rf /var/lib/apt/lists/*

RUN adduser --disabled-password --no-create-home --gecos '' --disabled-login cassandra

RUN setcap cap_ipc_lock=ep $(readlink -f $(which java)) && \
    setcap -v cap_ipc_lock=ep $(readlink -f $(which java))

RUN mv /usr/local/openjdk-8/lib/amd64/jli/libjli.so /lib/x86_64-linux-gnu/

USER cassandra

CMD ["bash"]

$ docker build . -t openjdk:test
Sending build context to Docker daemon  2.048kB
Step 1/7 : FROM openjdk:8u212-jre-slim
 ---> 7c6b62cf60ee
Step 2/7 : RUN apt update && apt install -y --no-install-recommends libcap2-bin &&      rm -rf /var/lib/apt/lists/*
 ---> Using cache
 ---> dc9404d76ca8
Step 3/7 : RUN adduser --disabled-password --no-create-home --gecos '' --disabled-login cassandra
 ---> Using cache
 ---> 3c2c98eec9c8
Step 4/7 : RUN setcap cap_ipc_lock=ep $(readlink -f $(which java)) &&     setcap -v cap_ipc_lock=ep $(readlink -f $(which java))
 ---> Using cache
 ---> 106016236fc4
Step 5/7 : RUN mv /usr/local/openjdk-8/lib/amd64/jli/libjli.so /lib/x86_64-linux-gnu/
 ---> Using cache
 ---> 1c2220760ae7
Step 6/7 : USER cassandra
 ---> Using cache
 ---> 27e2a43575d9
Step 7/7 : CMD ["bash"]
 ---> Using cache
 ---> 54098b2f7301
Successfully built 54098b2f7301
Successfully tagged openjdk:test

$ docker run -it --rm --cap-add IPC_LOCK openjdk:test bash
cassandra@aaf47900f5c0:/$ java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)

OpenJDK:8 and 11 are now from https://adoptopenjdk.net/upstream so that's why you ran into this #322

[wglambert]

New image

$ docker run -it --rm --cap-add IPC_LOCK openjdk:new
cassandra@5bf876bcc052:/$ which java && ldd $(which java)
/usr/local/openjdk-8/bin/java
        linux-vdso.so.1 (0x00007ffc1278d000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f29fd5da000)
        libjli.so => /usr/local/openjdk-8/bin/../lib/amd64/jli/libjli.so (0x00007f29fd3c3000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f29fd1bf000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f29fce20000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f29fd7f7000)

Old image

$ docker run -it --rm --cap-add IPC_LOCK openjdk:old
cassandra@ad896befc247:/$ which java && ldd $(which java)
/usr/bin/java
        linux-vdso.so.1 (0x00007ffd977f8000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f8a3cd5a000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f8a3cb40000)
        libjli.so => not found
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f8a3c93c000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8a3c59d000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f8a3d179000)

Dockerfile without the mv, and swapping the tag with the archived 8u212-jre-slim

FROM openjdk@sha256:24c831d6ae224380a3608a1cb2c6df17fd8242f844f7a2f9744fbc766d8300a5

RUN apt update && apt install -y --no-install-recommends libcap2-bin && \
        rm -rf /var/lib/apt/lists/*

RUN adduser --disabled-password --no-create-home --gecos '' --disabled-login cassandra

RUN setcap cap_ipc_lock=ep $(readlink -f $(which java)) && \
    setcap -v cap_ipc_lock=ep $(readlink -f $(which java))

#RUN mv /usr/local/openjdk-8/lib/amd64/jli/libjli.so /lib/x86_64-linux-gnu/ 

USER cassandra

CMD ["bash"]

[tianon]

Ah, so it looks like we need to either add LD_LIBRARY_PATH or adjust /etc/ld.so.conf.d/.... 😅

[tianon]

It is odd that adding capabilities breaks the ability of libc to find the modules though (which for me works as both root and non-root). 😕

[tianon]

The symptoms are remarkably similar to https://stackoverflow.com/q/42401614/433558, although there's no reply there. 😞

[tianon]

Aha! Thanks to the Vault community for https://www.vaultproject.io/docs/configuration/storage/foundationdb.html:

The presence of the capabilities will cause the linker to ignore LD_LIBRARY_PATH, for security reasons.

So, we do need to update /etc/ld.so.conf.d. 👍

[tianon]

Confirmed that it works -- getting a PR together now.

Another interesting bit:

$ readelf -d /usr/local/openjdk-8/bin/java
...
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN/../lib/amd64/jli:$ORIGIN/../lib/amd64]
...

So this is how it's picking up the appropriate path for those .so files by default, but the $ORIGIN variable there must also be restricted with the extra capability set.

[cscetbon]

Thank you guys, when will be available the new docker image containing that fix ? I see the last one was released 4 days ago.

[allamand]

Thanks you for you're quick response & fix ;)

[tianon]

@cscetbon that'd be once docker-library/official-images#6028 is tested, reviewed, merged, and officially built/pushed (which should happen today)

[cscetbon]

@tianon thanks, it just got merged !