There is a java breaking change in amd64/openjdk:8u212-jre-slim #331
Comments
For running as an arbitrary user I guess Just moving that
cassandra@7191ad4a367e:/$ ldd $(which java)
linux-vdso.so.1 (0x00007ffe63321000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff7be580000)
libjli.so => /usr/local/openjdk-8/bin/../lib/amd64/jli/libjli.so (0x00007ff7be369000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff7be165000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff7bddc6000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff7be79d000)

FROM openjdk:8u212-jre-slim
RUN apt update && apt install -y --no-install-recommends libcap2-bin && \
rm -rf /var/lib/apt/lists/*
RUN adduser --disabled-password --no-create-home --gecos '' --disabled-login cassandra
RUN setcap cap_ipc_lock=ep $(readlink -f $(which java)) && \
setcap -v cap_ipc_lock=ep $(readlink -f $(which java))
RUN mv /usr/local/openjdk-8/lib/amd64/jli/libjli.so /lib/x86_64-linux-gnu/
USER cassandra
CMD ["bash"]

$ docker build . -t openjdk:test
Sending build context to Docker daemon 2.048kB
Step 1/7 : FROM openjdk:8u212-jre-slim
---> 7c6b62cf60ee
Step 2/7 : RUN apt update && apt install -y --no-install-recommends libcap2-bin && rm -rf /var/lib/apt/lists/*
---> Using cache
---> dc9404d76ca8
Step 3/7 : RUN adduser --disabled-password --no-create-home --gecos '' --disabled-login cassandra
---> Using cache
---> 3c2c98eec9c8
Step 4/7 : RUN setcap cap_ipc_lock=ep $(readlink -f $(which java)) && setcap -v cap_ipc_lock=ep $(readlink -f $(which java))
---> Using cache
---> 106016236fc4
Step 5/7 : RUN mv /usr/local/openjdk-8/lib/amd64/jli/libjli.so /lib/x86_64-linux-gnu/
---> Using cache
---> 1c2220760ae7
Step 6/7 : USER cassandra
---> Using cache
---> 27e2a43575d9
Step 7/7 : CMD ["bash"]
---> Using cache
---> 54098b2f7301
Successfully built 54098b2f7301
Successfully tagged openjdk:test

$ docker run -it --rm --cap-add IPC_LOCK openjdk:test bash
cassandra@aaf47900f5c0:/$ java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)

OpenJDK:8 and 11 are now from https://adoptopenjdk.net/upstream so that's why you ran into this #322 |
New image
$ docker run -it --rm --cap-add IPC_LOCK openjdk:new
cassandra@5bf876bcc052:/$ which java && ldd $(which java)
/usr/local/openjdk-8/bin/java
linux-vdso.so.1 (0x00007ffc1278d000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f29fd5da000)
libjli.so => /usr/local/openjdk-8/bin/../lib/amd64/jli/libjli.so (0x00007f29fd3c3000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f29fd1bf000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f29fce20000)
/lib64/ld-linux-x86-64.so.2 (0x00007f29fd7f7000)

Old image
$ docker run -it --rm --cap-add IPC_LOCK openjdk:old
cassandra@ad896befc247:/$ which java && ldd $(which java)
/usr/bin/java
linux-vdso.so.1 (0x00007ffd977f8000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f8a3cd5a000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f8a3cb40000)
libjli.so => not found
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f8a3c93c000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8a3c59d000)
/lib64/ld-linux-x86-64.so.2 (0x00007f8a3d179000)

Dockerfile without the
FROM openjdk@sha256:24c831d6ae224380a3608a1cb2c6df17fd8242f844f7a2f9744fbc766d8300a5
RUN apt update && apt install -y --no-install-recommends libcap2-bin && \
rm -rf /var/lib/apt/lists/*
RUN adduser --disabled-password --no-create-home --gecos '' --disabled-login cassandra
RUN setcap cap_ipc_lock=ep $(readlink -f $(which java)) && \
setcap -v cap_ipc_lock=ep $(readlink -f $(which java))
#RUN mv /usr/local/openjdk-8/lib/amd64/jli/libjli.so /lib/x86_64-linux-gnu/
USER cassandra
CMD ["bash"] |
Ah, so it looks like we need to either add |
It is odd that adding capabilities breaks the ability of libc to find the modules though (which for me works as both root and non-root). 😕 |
The symptoms are remarkably similar to https://stackoverflow.com/q/42401614/433558, although there's no reply there. 😞 |
Aha! Thanks to the Vault community for https://www.vaultproject.io/docs/configuration/storage/foundationdb.html:
So, we do need to update |
Confirmed that it works -- getting a PR together now. Another interesting bit:
$ readelf -d /usr/local/openjdk-8/bin/java
...
0x000000000000000f (RPATH) Library rpath: [$ORIGIN/../lib/amd64/jli:$ORIGIN/../lib/amd64]
...
So this is how it's picking up the appropriate path for those |
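The RPATH shown above is relative to `$ORIGIN`, and glibc's loader does not honour `$ORIGIN` for a binary running in secure-execution mode, which is what a file capability set with `setcap` triggers. The following is an added example, not code from the thread or from the image's Dockerfile: it expands those entries into the absolute directories that would be listed in a file under `/etc/ld.so.conf.d/` before running `ldconfig`. The function names `normalize_path` and `origin_rpath_dirs` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): turn $ORIGIN-relative RPATH/RUNPATH
# entries into absolute directories suitable for /etc/ld.so.conf.d/.

# Lexically resolve "." and ".." in an absolute path (no filesystem access).
normalize_path() {
    norm=
    saved_ifs=$IFS
    IFS=/
    set -f                        # no globbing while splitting on "/"
    for part in $1; do
        case $part in
            ''|.) ;;
            ..)   norm=${norm%/*} ;;
            *)    norm=$norm/$part ;;
        esac
    done
    set +f
    IFS=$saved_ifs
    printf '%s\n' "${norm:-/}"
}

# usage: readelf -d BIN | origin_rpath_dirs BIN
# BIN should be the resolved path, e.g. $(readlink -f "$(which java)").
origin_rpath_dirs() {
    bin_dir=$(dirname "$1")
    tok_plain='$ORIGIN'
    tok_brace='${ORIGIN}'
    grep -E '\((RPATH|RUNPATH)\)' |
    sed 's/.*\[\(.*\)\].*/\1/' |
    tr ':' '\n' |
    while IFS= read -r entry; do
        case $entry in
            "$tok_brace"*) rest=${entry#"$tok_brace"} ;;
            "$tok_plain"*) rest=${entry#"$tok_plain"} ;;
            *) continue ;;        # absolute entries do not depend on $ORIGIN
        esac
        normalize_path "$bin_dir$rest"
    done
}

# The RPATH line quoted in the thread, for /usr/local/openjdk-8/bin/java.
SAMPLE_READELF=' 0x000000000000000f (RPATH) Library rpath: [$ORIGIN/../lib/amd64/jli:$ORIGIN/../lib/amd64]'

printf '%s\n' "$SAMPLE_READELF" | origin_rpath_dirs /usr/local/openjdk-8/bin/java
```

Run against the thread's binary, this prints the two `lib/amd64` directories. Resolution is lexical, so pass the `readlink -f` path of the binary rather than a symlink.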
Thank you guys, when will the new docker image containing that fix be available? I see the last one was released 4 days ago. |
Thank you for your quick response & fix ;) |
@cscetbon that'd be once docker-library/official-images#6028 is tested, reviewed, merged, and officially built/pushed (which should happen today) |
@tianon thanks, it just got merged! |
- This MR has been accepted docker-library/official-images#6028;
- which resolves this problem docker-library/openjdk#331 (comment);

Signed-off-by: sebastien allamand <sebastien.allamand@orange.com>
* Switch from 'openjdk' to 'eclipse-temurin' for base images.
  The 'openjdk' images are being retired/discontinued. Since Eclipse Temurin was previously selected for other Graylog uses, it is a natural replacement for the official Graylog images. Ubuntu Jammy, selected as the OS variant here (and by the Temurin project for non-specific tags), will have standard support until April 2027.
  Refs:
  * docker-library/openjdk#505
  * Graylog2/graylog2-server#11467
  * https://github.com/Graylog2/graylog2-server/blob/bf001c5a039380e0afadc9f570d070d2b70ee578/.github/workflows/build.yml#L18
* Fix loading of SO for non-root users.
  This is something that was being done in the 'openjdk' images, but isn't (currently) with Temurin. Without this the following error will occur: 'java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory'.
  Refs:
  * https://github.com/docker-library/openjdk/blob/da594d91b0364d5f1a32e0ce6b4d3fd8a9116844/8/jdk/slim-bullseye/Dockerfile#L105
  * docker-library/openjdk#331 (comment)
* Mention that prior Graylog images were based on 'openjdk' images.
* July Graylog images have already been released, so assume August.
…age.
The 'openjdk' images are being retired/discontinued. Since Eclipse Temurin was previously selected for other Graylog uses, it is a natural replacement for the official Graylog images. Ubuntu Jammy, selected as the OS variant here (and by the Temurin project for non-specific tags), will have standard support until April 2027.
This also includes a fix for non-root SO loading that was being done in the 'openjdk' images, but isn't (currently) with Temurin. Without it the following error will occur: 'java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory'.
Refs:
* docker-library/openjdk#505
* #11467
* https://github.com/Graylog2/graylog2-server/blob/bf001c5a039380e0afadc9f570d070d2b70ee578/.github/workflows/build.yml#L18
* https://github.com/docker-library/openjdk/blob/da594d91b0364d5f1a32e0ce6b4d3fd8a9116844/8/jdk/slim-bullseye/Dockerfile#L105
* docker-library/openjdk#331 (comment)
…age. (#13002)
The 'openjdk' images are being retired/discontinued. Since Eclipse Temurin was previously selected for other Graylog uses, it is a natural replacement for the official Graylog images. Ubuntu Jammy, selected as the OS variant here (and by the Temurin project for non-specific tags), will have standard support until April 2027.
This also includes a fix for non-root SO loading that was being done in the 'openjdk' images, but isn't (currently) with Temurin. Without it the following error will occur: 'java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory'.
Refs:
* docker-library/openjdk#505
* #11467
* https://github.com/Graylog2/graylog2-server/blob/bf001c5a039380e0afadc9f570d070d2b70ee578/.github/workflows/build.yml#L18
* https://github.com/docker-library/openjdk/blob/da594d91b0364d5f1a32e0ce6b4d3fd8a9116844/8/jdk/slim-bullseye/Dockerfile#L105
* docker-library/openjdk#331 (comment)
Hello,
With the previous version of the amd64/openjdk:8u212-jre-slim image, I was able to use special capabilities on the java binary under a non-root user.
With the new version it does not work anymore.
Steps to reproduce
This was working with the previous version:
I need help to be able to make it work again.
Thanks