latest 11-jdk on ubuntu jammy breaks keytool -importcert #215

Closed
ghost opened this issue May 27, 2022 · 13 comments
Comments

@ghost

ghost commented May 27, 2022

I am using your images by using maven:3.8.5-eclipse-temurin-11 - see https://github.com/carlossg/docker-maven/blob/master/eclipse-temurin-11/Dockerfile#L1

Adding trusted certificates to the java truststore is failing on the new ubuntu jammy image

Using :11-jdk-focal

FROM eclipse-temurin:11-jdk-focal

RUN keytool -importcert -noprompt -file /usr/local/share/ca-certificates/extra/rootca.crt -cacerts -storepass changeit -alias 'custom root ca'
Certificate was added to keystore

Using :11-jdk

FROM eclipse-temurin:11-jdk

RUN keytool -importcert -noprompt -file /usr/local/share/ca-certificates/extra/rootca.crt -cacerts -storepass changeit -alias 'custom root ca'
[0.004s][warning][os,thread] Failed to start thread - pthread_create failed (EPERM) for attributes: stacksize: 1024k, guardsize: 4k, detached.
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Cannot create worker GC thread. Out of system resources.
# An error report file with more information is saved as:
# //hs_err_pid6.log
The command '/bin/sh -c keytool -importcert -noprompt -file /usr/local/share/ca-certificates/extra/rootca.crt -cacerts -storepass changeit -alias 'custom root ca'' returned a non-zero code: 1

The only statement changed between builds is the Dockerfile FROM statement

@Monax111

eclipse-temurin:17-jdk same problem

@carlossg

the change to jammy was done in docker-library/official-images#12516

@karianna
Contributor

I think if your docker engine is upgraded to the latest that resolves this issue. Can folks give that a try?

@ghost
Author

ghost commented May 30, 2022

Will try and let you know how it goes

@strangelookingnerd

I can confirm that updating to docker-engine 20.10.16 resolved the issue for me.

@roumigus

Hi folks! I had a similar issue, and your discussions here and there helped me to investigate. So I figured I could share my findings:

the change to jammy was done in docker-library/official-images#12516

Yes. All eclipse-temurin:<version>-jdk became based on the latest ubuntu LTS 22.04 Jammy.
You have to specify eclipse-temurin:<version>-jdk-focal if you want to use the image with the previous ubuntu LTS 20.04 Focal as a base image.

I can confirm that updating to docker-engine 20.10.16 resolved the issue for me.

This is probably due to this PR on docker.

Latest glibc will attempt to use clone3(). As a result, most newer distros (ubuntu Jammy 22.04, but probably others) will fail unless we allow the syscall (in docker, in systemd...).

To reproduce:

$ wget "https://raw.githubusercontent.com/moby/moby/c7cd1b9436ac381747a5c52dddac5a66f97c61f8/profiles/seccomp/default.json" -O before_clone3.json
 # the seccomp profile right before PR https://github.com/moby/moby/commit/9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594

docker run --security-opt seccomp=before_clone3.json -it --entrypoint /bin/bash eclipse-temurin:17-jdk # (should also fail with any ubuntu 22.04 really...)
root@e2a511de29d4:/# curl google.com
curl: (6) getaddrinfo() thread failed to start
root@e2a511de29d4:/#

Permanent fix:

  • upgrade docker, or expect all newer, up-to-date base images to fail in the future

Mitigation/workaround:

  • docker run --security-opt seccomp=your_policy_which_allows_clone3.json .... (docs)
  • downgrade your (base) images (the -focal should stay available for some 2 years, IF the maintainers of docker's official images wait for the next ubuntu LTS to drop ubuntu Focal/20.04)

@frankjkelly

Can someone clarify why updating docker fixes this? Thanks!

@karianna
Contributor

karianna commented Jun 1, 2022

Can someone clarify why updating docker fixes this? Thanks!

#215 (comment) explains it.

DiCanio added a commit to medizininformatik-initiative/feasibility-backend that referenced this issue Jul 26, 2022
Non-Focal images require a current docker installation
due to changes explained here:
adoptium/containers#215 (comment)

Since we do not really have access to where this image will
run, opting for a more generous approach should be fine.
DiCanio added a commit to medizininformatik-initiative/feasibility-backend that referenced this issue Aug 16, 2022
Non-Focal images require a current docker installation
due to changes explained here:
adoptium/containers#215 (comment)

Since we do not really have access to where this image will
run, opting for a more generous approach should be fine.
@keeganwitt

Hi folks! I had a similar issue, and your discussions here and there helped me to investigate. So I figured I could share my findings:

the change to jammy was done in docker-library/official-images#12516

Yes. All eclipse-temurin:<version>-jdk became based on the latest ubuntu LTS 22.04 Jammy. You have to specify eclipse-temurin:<version>-jdk-focal if you want to use the image with the previous ubuntu LTS 20.04 Focal as a base image.

I can confirm that updating to docker-engine 20.10.16 resolved the issue for me.

This is probably due to this PR on docker.

Latest glibc will attempt to use clone3(). As a result, most newer distros (ubuntu Jammy 22.04, but probably others) will fail unless we allow the syscall (in docker, in systemd...).

To reproduce:

$ wget "https://raw.githubusercontent.com/moby/moby/c7cd1b9436ac381747a5c52dddac5a66f97c61f8/profiles/seccomp/default.json" -O before_clone3.json
 # the seccomp profile right before PR https://github.com/moby/moby/commit/9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594

docker run --security-opt seccomp=before_clone3.json -it --entrypoint /bin/bash eclipse-temurin:17-jdk # (should also fail with any ubuntu 22.04 really...)
root@e2a511de29d4:/# curl google.com
curl: (6) getaddrinfo() thread failed to start
root@e2a511de29d4:/#

Permanent fix:

  • upgrade docker, or expect all newer, up-to-date base images to fail in the future

Mitigation/workaround:

  • docker run --security-opt seccomp=your_policy_which_allows_clone3.json .... (docs)
  • downgrade your (base) images (the -focal should stay available for some 2 years, IF the maintainers of docker's official images wait for the next ubuntu LTS to drop ubuntu Focal/20.04)

This is excellent research! To expand on this just a little bit:

glibc 2.34 and newer contain this commit, which defaults to using clone3. Ubuntu Jammy ships with 2.35, and thus contains this change in behavior. This was not available for Docker until PR 42681 (fix for 42680), which is available starting with version 20.10.10.
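To make the ENOSYS-versus-EPERM distinction in the comments above concrete, here is an added example (my own code, not from this issue, from Docker or from runc) that reads a profile in the format of Docker's default.json (defaultAction, defaultErrnoRet, syscalls[].names/.action/.errnoRet) and reports what a glibc 2.34+ process inside the container would see for clone3. The three embedded profiles are constructed stand-ins for the pre-#42681 profile, the post-#42681 profile and a profile that allows clone3 outright; they are not copies of Docker's files. Assumptions: the first rule naming clone3 decides, per-rule args/includes/excludes filters are ignored, and an SCMP_ACT_ERRNO rule or default without an errno value means EPERM (the fallback runc applies).

```python
"""Classify how a Docker-style seccomp profile treats clone3().

Added example for the adoptium/containers #215 discussion; not code from
the issue, Docker or runc.  Verdicts:
  "allowed" -> clone3 reaches the kernel
  "ENOSYS"  -> glibc 2.34+ falls back to clone(), threads start
  "EPERM"   -> the pthread_create EPERM failure reported in this issue
"""
import errno
import json

EPERM = errno.EPERM    # fallback errno for an SCMP_ACT_ERRNO rule without errnoRet
ENOSYS = errno.ENOSYS  # what the post-#42681 profile returns for clone3


def _rule_names(rule: dict) -> list:
    # Docker profiles list syscalls under "names"; very old ones used "name".
    names = rule.get("names")
    if names is None and "name" in rule:
        names = [rule["name"]]
    return names or []


def clone3_disposition(profile: dict) -> tuple:
    """Return (action, errno_or_None) that applies to clone3.

    Simplification (assumption of this example): "args", "includes" and
    "excludes" filters are ignored, so a conditional rule counts as
    unconditional, and the first rule naming clone3 is decisive.
    """
    for rule in profile.get("syscalls", []):
        if "clone3" in _rule_names(rule):
            action = rule["action"]
            err = rule.get("errnoRet", EPERM) if action == "SCMP_ACT_ERRNO" else None
            return action, err
    # No explicit rule: the profile default applies.
    action = profile.get("defaultAction", "SCMP_ACT_ERRNO")
    err = profile.get("defaultErrnoRet", EPERM) if action == "SCMP_ACT_ERRNO" else None
    return action, err


def clone3_verdict(profile: dict) -> str:
    """Map the disposition to the three outcomes discussed in the issue."""
    action, err = clone3_disposition(profile)
    if action == "SCMP_ACT_ALLOW":
        return "allowed"
    if action == "SCMP_ACT_ERRNO":
        return errno.errorcode.get(err, f"errno {err}")  # "ENOSYS", "EPERM", ...
    return action  # SCMP_ACT_KILL, SCMP_ACT_TRAP, ...: thread creation fails loudly


def verdict_from_file(path: str) -> str:
    """Classify a profile saved on disk, e.g. a downloaded default.json."""
    with open(path) as f:
        return clone3_verdict(json.load(f))


# Constructed minimal profiles (not Docker's real files) mirroring the
# before/after shape of moby/moby#42681.
PROFILE_BEFORE_CLONE3 = {
    "defaultAction": "SCMP_ACT_ERRNO",  # no errno given -> EPERM for unlisted calls
    "syscalls": [
        {"names": ["clone", "read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    ],
}
PROFILE_AFTER_CLONE3 = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": EPERM,
    "syscalls": [
        {"names": ["clone", "read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": ENOSYS,
         "comment": "glibc falls back to clone() on ENOSYS"},
    ],
}
PROFILE_ALLOW_CLONE3 = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["clone", "clone3", "read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    ],
}

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        print(path, "->", verdict_from_file(path))
    for label, prof in (("before", PROFILE_BEFORE_CLONE3), ("after", PROFILE_AFTER_CLONE3),
                        ("allow", PROFILE_ALLOW_CLONE3)):
        print(label, "->", clone3_verdict(prof))
```

Run it against a downloaded profile, for instance the before_clone3.json fetched in the reproduction above. The verdict describes what a daemon that honours errnoRet will enforce; this thread reports that handing such a profile to a 20.10.9 daemon still failed, so the file-level check is only meaningful on a daemon new enough to apply the field.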

@keeganwitt

keeganwitt commented Oct 14, 2022

Just out of curiosity, has anyone had success with the seccomp workaround?

@derkoe

derkoe commented Nov 7, 2022

@keeganwitt I have tried it, but it seems that you cannot override the base seccomp profile (this is hard-coded). Here is the relevant change in Docker moby/moby#42681

flamingbear added a commit to nasa/harmony-regression-tests that referenced this issue Apr 14, 2023
This is so that the ancient docker on the build agents can spawn threads.  I
don't 100% understand but this link
adoptium/containers#215 (comment)
implies a problem with glibc and starting threads.  There is an alternative
workaround, but this seemed fastest and easiest for at least the next 2 years

DAS-1764
@yaohwu

yaohwu commented Aug 25, 2023

@keeganwitt I have tried it, but it seems that you cannot override the base seccomp profile (this is hard-coded). Here is the relevant change in Docker moby/moby#42681

I also tried it.
Using the latest default.json or the default.json after the commit, both of them failed.

# the latest file
wget https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json -O clone3_default.json

# or the fixed issue committed file
wget https://raw.githubusercontent.com/berrange/moby/9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594/profiles/seccomp/default.json -O clone3_default.json

cat clone3_default.json | grep clone3

docker run --security-opt seccomp=clone3_default.json -it --entrypoint /bin/bash eclipse-temurin:8u362-b09-jdk-jammy@sha256:8f16a677c2270ba982f998b8eb3869a4bfbe0aa385ebf786d33ce23d3e4ff3bc

curl www.baidu.com

My docker is binary linux 20.10.9

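When a custom profile does not seem to take effect, as in the attempt above, the quickest check is to ask the kernel from inside the container rather than inspect the JSON. The following added example (mine, not from this issue, Docker or glibc) probes clone3 through Python's ctypes with a NULL argument block and size 0; a kernel that implements clone3 rejects that with EINVAL before creating anything, so the errno that comes back shows whether seccomp let the call through (EINVAL), turned it into ENOSYS (glibc then falls back to clone and threads start) or into EPERM (the thread-start failure in this issue). It assumes a Linux host; syscall number 435 is clone3 on every architecture that has it, and on other operating systems the probe reports "unsupported".

```python
"""Probe from inside a container what clone3() returns under the active seccomp policy.

Added example for adoptium/containers #215; not code from the issue, Docker or glibc.
Calling clone3(NULL, 0) never creates a process: the kernel checks the size
argument first and returns EINVAL, so the call is safe to issue anywhere.
"""
import ctypes
import errno
import platform

SYS_CLONE3 = 435  # clone3 has the same syscall number on every Linux architecture


def probe_clone3() -> str:
    """Return the errno name clone3(NULL, 0) produces, or 'unsupported' off Linux."""
    if platform.system() != "Linux":
        return "unsupported"
    libc = ctypes.CDLL(None, use_errno=True)  # the running process's libc
    libc.syscall.restype = ctypes.c_long
    ret = libc.syscall(ctypes.c_long(SYS_CLONE3), ctypes.c_void_p(None), ctypes.c_size_t(0))
    if ret != -1:
        return "succeeded"  # not expected: size 0 is always rejected by the kernel
    err = ctypes.get_errno()
    return errno.errorcode.get(err, f"errno {err}")


# The three outcomes discussed in this thread, keyed by errno name.
VERDICTS = {
    "EINVAL": "clone3 reaches the kernel: seccomp allows it",
    "ENOSYS": "clone3 returns ENOSYS: glibc 2.34+ falls back to clone(), threads start",
    "EPERM": "clone3 returns EPERM: the pthread_create EPERM failure seen in this issue",
}


def explain(result: str) -> str:
    """Turn a probe result into the matching explanation from the thread."""
    return VERDICTS.get(result, f"unexpected result: {result}")


if __name__ == "__main__":
    outcome = probe_clone3()
    print(outcome, "-", explain(outcome))
```

Run it as `docker run --rm --entrypoint python3 -v "$PWD":/probe eclipse-temurin:17-jdk /probe/probe_clone3.py` on an image that ships python3, or copy the file into the container; it is meant as a diagnostic for the daemon that actually runs your workloads, since the result depends on that daemon's profile, not on the image.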

@carhartl

If you cannot update Docker a workaround is described here (Option 3): https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2
