Verify Checksum - magic ADD #47

Open
subdavis opened this issue Aug 24, 2017 · 1 comment
subdavis commented Aug 24, 2017

Because of the "magic" ADD, your tgz is being unpacked prematurely. See https://www.ctl.io/developers/blog/post/dockerfile-add-vs-copy/. This means that there is no file for the checksum to verify. Replace ADD with WGET...

```
Step 7/21 : ADD http://www.us.apache.org/dist/kafka/${KAFKA_VERSION}/${KAFKA_RELEASE_ARCHIVE} /tmp/
Downloading [==================================================>]  34.05MB/34.05MB
 ---> 917bfbd79471
Removing intermediate container 47eac95d4e8d
Step 8/21 : ADD https://dist.apache.org/repos/dist/release/kafka/${KAFKA_VERSION}/${KAFKA_RELEASE_ARCHIVE}.md5 /tmp/
Downloading      74B
 ---> c6400a6cf8d8
Removing intermediate container 906298a3ca79
Step 9/21 : WORKDIR /tmp
 ---> 623ea82c854b
Removing intermediate container 7fa0b041357f
Step 10/21 : RUN echo "networkaddress.cache.ttl=30" >> $JAVA_HOME/jre/lib/security/java.security
 ---> Running in e33f31ac57b5
 ---> 8bcf5378cba3
Removing intermediate container e33f31ac57b5
Step 11/21 : RUN echo VERIFY CHECKSUM: &&   gpg --print-md MD5 ${KAFKA_RELEASE_ARCHIVE} 2>/dev/null &&   cat ${KAFKA_RELEASE_ARCHIVE}.md5
 ---> Running in 214a69a3272d
VERIFY CHECKSUM:
The command '/bin/sh -c echo VERIFY CHECKSUM: &&   gpg --print-md MD5 ${KAFKA_RELEASE_ARCHIVE} 2>/dev/null &&   cat ${KAFKA_RELEASE_ARCHIVE}.md5' returned a non-zero code: 2
```

I'm suggesting you replace those with...

```
WORKDIR /tmp
RUN wget -q http://www.us.apache.org/dist/kafka/${KAFKA_VERSION}/${KAFKA_RELEASE_ARCHIVE}
RUN wget -q https://dist.apache.org/repos/dist/release/kafka/${KAFKA_VERSION}/${KAFKA_RELEASE_ARCHIVE}.md5
```
Owner

ches commented Aug 30, 2017

Hi, thanks for reporting, but I have not observed this issue—take for example the latest automated build on Docker Hub where you'll see in the build log output that the checksum is indeed being computed/printed from the tgz.

As the article you linked says,

> Interestingly, the URL download and archive unpacking features cannot be used together. Any archives copied via URL will NOT be automatically unpacked.

So unless something has changed quite recently in Docker, there should not be premature unpacking occurring. Perhaps you can tell me if there is any more to reproducing the problem? I see an additional step for modifying java.security in your output so perhaps you have some modifications.

I'm not so bothered by the concerns of "magic" that article takes an opinionated stance on, personally. There's a reasonable argument there for curl/wget to pipeline commands and reduce layers, but that doesn't apply if I want to keep the step of saving the archive on disk to verify its digest.
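An added example, not part of this thread or the project's Dockerfile: the build step quoted above prints the computed MD5 and then the published `.md5` file, so a check that fails the build on a mismatch (or when the archive is not a regular file) could look like the following. It assumes the `.md5` file uses either the `gpg --print-md` layout (`NAME: AA BB ...`) or the `md5sum` layout; `normalize_digest`, `verify_digest`, `demo` and the sample files are hypothetical names and constructed data.

```shell
#!/bin/sh
# Added example: enforce the digest comparison instead of only printing it.

# normalize_digest FILE: print the digest in FILE as lowercase hex, no spaces.
normalize_digest() {
    if grep -q ':' "$1"; then
        # gpg --print-md layout: "NAME: AA BB CC ..." (may wrap over lines)
        sed 's/^[^:]*://' "$1" | tr -d ' \t\r\n'
    else
        # md5sum layout: "hex  NAME"
        awk 'NR==1 {printf "%s", $1}' "$1"
    fi | tr 'A-F' 'a-f'
}

# verify_digest ARCHIVE DIGEST_FILE
# 0 = match, 1 = mismatch or empty digest, 2 = ARCHIVE is not a regular file
# (for example because it was unpacked into a directory or never downloaded).
verify_digest() {
    archive=$1
    digest_file=$2
    [ -f "$archive" ] || { echo "not a regular file: $archive" >&2; return 2; }
    expected=$(normalize_digest "$digest_file")
    actual=$(md5sum "$archive" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ] && return 0
    echo "digest mismatch for $archive" >&2
    return 1
}

# demo: constructed archive and digest file, checked intact and after tampering.
demo() {
    dir=$(mktemp -d)
    printf 'constructed archive bytes' > "$dir/sample.tgz"
    # Write the digest the way gpg --print-md prints it: "NAME: AA BB ..."
    md5sum "$dir/sample.tgz" | cut -d' ' -f1 | tr 'a-f' 'A-F' |
        sed 's/../& /g; s/^/sample.tgz: /' > "$dir/sample.tgz.md5"
    verify_digest "$dir/sample.tgz" "$dir/sample.tgz.md5" && ok=0 || ok=$?
    printf 'tampered' >> "$dir/sample.tgz"
    verify_digest "$dir/sample.tgz" "$dir/sample.tgz.md5" 2>/dev/null && bad=0 || bad=$?
    rm -rf "$dir"
    echo "intact=$ok tampered=$bad"
}

demo
```

In a Dockerfile the same function body would run inside the `RUN` step after the archive and its `.md5` file are in `/tmp`, so a non-zero return stops the build.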
