latest 11-jdk on ubuntu jammy breaks keytool -importcert #215
Comments
eclipse-temurin:17-jdk same problem
the change to jammy was done in docker-library/official-images#12516
I think if your docker engine is upgraded to the latest that resolves this issue. Can folks give that a try?
Will try and let you know how it goes
I can confirm that updating to docker-engine 20.10.16 resolved the issue for me.
Hi folks! I had a similar issue, and your discussions here and there helped me to investigate. So I figured I could share my findings:
Yes. All
This is probably due to this PR on docker. Latest glibc will attempt to use clone3(). As a result, most newer distros (ubuntu Jammy 22.04, but probably others) will fail unless we allow the syscall (in docker, in systemd...). To reproduce:
$ wget "https://raw.githubusercontent.com/moby/moby/c7cd1b9436ac381747a5c52dddac5a66f97c61f8/profiles/seccomp/default.json" -O before_clone3.json
# the seccomp profile right before PR https://github.com/moby/moby/commit/9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594
docker run --security-opt seccomp=before_clone3.json -it --entrypoint /bin/bash eclipse-temurin:17-jdk # (should also fail with any ubuntu 22.04 really...)
root@e2a511de29d4:/# curl google.com
curl: (6) getaddrinfo() thread failed to start
root@e2a511de29d4:/#
Permanent fix:
Mitigation/workaround:
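To make the clone3/seccomp interaction in the comment above concrete, here is an added example (not code from this thread, nor from the adoptium or moby projects) that checks how a Docker seccomp profile answers clone3 and, where it would return EPERM, patches it to return ENOSYS so that glibc 2.34+ falls back to clone(). The OLD_PROFILE embedded in it is a constructed stand-in for the pre-clone3 default.json, not the real file.

```python
"""Check how a Docker seccomp profile treats clone3 and add the ENOSYS fallback.

glibc 2.34+ calls clone3() first and only retries with clone() when the kernel
answers ENOSYS. A profile whose defaultAction is SCMP_ACT_ERRNO without a
defaultErrnoRet returns EPERM for unlisted syscalls, so pthread_create fails
and curl reports "getaddrinfo() thread failed to start".
"""
import json
import sys

ENOSYS = 38  # errno that makes glibc fall back to clone()
EPERM = 1    # what SCMP_ACT_ERRNO returns when no errnoRet is given

def _classify(action, errno_ret):
    if action == "SCMP_ACT_ALLOW":
        return "allow"
    if action == "SCMP_ACT_ERRNO":
        errno_ret = EPERM if errno_ret is None else errno_ret
        return "fallback" if errno_ret == ENOSYS else "block"
    return "block"

def syscall_verdict(profile, name):
    """'allow', 'fallback' (ENOSYS, glibc retries with clone) or 'block'.

    Rules with capability or argument conditions ("includes", "args") are
    skipped: for an unprivileged container they are assumed not to apply.
    """
    for rule in profile.get("syscalls", []):
        if name in rule.get("names", []) and not (rule.get("includes") or rule.get("args")):
            return _classify(rule.get("action"), rule.get("errnoRet"))
    return _classify(profile.get("defaultAction"), profile.get("defaultErrnoRet"))

def threads_can_start(profile):
    """True when pthread_create under glibc 2.34+ can succeed with this profile."""
    return (syscall_verdict(profile, "clone") == "allow"
            and syscall_verdict(profile, "clone3") in ("allow", "fallback"))

def add_clone3_fallback(profile):
    """Return a deep copy in which clone3 answers ENOSYS if it would otherwise be blocked."""
    patched = json.loads(json.dumps(profile))
    if syscall_verdict(patched, "clone3") == "block":
        patched.setdefault("syscalls", []).insert(
            0, {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": ENOSYS})
    return patched

# Constructed stand-in for a pre-clone3 default.json (not the real moby profile).
OLD_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["clone", "read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}],
}

if __name__ == "__main__":
    prof = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else OLD_PROFILE
    print("clone3:", syscall_verdict(prof, "clone3"), "| threads ok:", threads_can_start(prof))
```

Run it with the path to a downloaded profile (for example the before_clone3.json from the steps above) to see the verdict for that file.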
Can someone clarify why updating docker fixes this? Thanks!
#215 (comment) explains it.
Non-Focal images require a current docker installation due to changes explained here: adoptium/containers#215 (comment) Since we do not really have access to where this image will run, opting for a more generous approach should be fine.
This is excellent research! To expand on this just a little bit: glibc 2.34 and newer contain this commit, which defaults to using
Just out of curiosity, has anyone had success with the seccomp workaround?
github.com/adoptium/containers/issues/215#issuecomment-1142046045
@keeganwitt I have tried it, but it seems that you cannot override the base seccomp profile (this is hard-coded). Here is the relevant change in Docker moby/moby#42681
This is so that the ancient docker on the build agents can spawn threads. I don't 100% understand but this link adoptium/containers#215 (comment) implies a problem with glibc and starting threads. There is an alternative workaround, but this seemed fastest and easiest for at least the next 2 years DAS-1764
I also tried it.
My docker is binary linux 20.10.9
If you cannot update Docker a workaround is described here (Option 3): https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2
I am using your images by using maven:3.8.5-eclipse-temurin-11 - see https://github.com/carlossg/docker-maven/blob/master/eclipse-temurin-11/Dockerfile#L1
Adding trusted certificates to the java truststore is failing on the new ubuntu jammy image
Using :11-jdk-focal
Using :11-jdk
The only statement changed between builds is the Dockerfile FROM statement