From 626dd410fae1f041b0ac98abdab2ea33c92cf054 Mon Sep 17 00:00:00 2001 
From: Nikolai Prokoschenko Date: Fri, 19 May 2023 10:57:17 +0200 Subject: [PATCH] Add support for custom CA certificates This adds the capability to add custom CA certificates for Java truststore. Fixes: #293 --- 11/jdk/alpine/Dockerfile.releases.full | 5 +++- 11/jdk/alpine/entrypoint.sh | 22 ++++++++++++++++++ 11/jdk/centos/Dockerfile.releases.full | 2 ++ 11/jdk/centos/entrypoint.sh | 23 +++++++++++++++++++ .../ubi/ubi9-minimal/Dockerfile.releases.full | 2 ++ 11/jdk/ubi/ubi9-minimal/entrypoint.sh | 23 +++++++++++++++++++ 11/jdk/ubuntu/focal/Dockerfile.releases.full | 4 +++- 11/jdk/ubuntu/focal/entrypoint.sh | 22 ++++++++++++++++++ 11/jdk/ubuntu/jammy/Dockerfile.releases.full | 4 +++- 11/jdk/ubuntu/jammy/entrypoint.sh | 22 ++++++++++++++++++ 11/jre/alpine/Dockerfile.releases.full | 5 +++- 11/jre/alpine/entrypoint.sh | 22 ++++++++++++++++++ 11/jre/centos/Dockerfile.releases.full | 2 ++ 11/jre/centos/entrypoint.sh | 23 +++++++++++++++++++ .../ubi/ubi9-minimal/Dockerfile.releases.full | 2 ++ 11/jre/ubi/ubi9-minimal/entrypoint.sh | 23 +++++++++++++++++++ 11/jre/ubuntu/focal/Dockerfile.releases.full | 4 +++- 11/jre/ubuntu/focal/entrypoint.sh | 22 ++++++++++++++++++ 11/jre/ubuntu/jammy/Dockerfile.releases.full | 4 +++- 11/jre/ubuntu/jammy/entrypoint.sh | 22 ++++++++++++++++++ 17/jdk/alpine/Dockerfile.releases.full | 5 +++- 17/jdk/alpine/entrypoint.sh | 22 ++++++++++++++++++ 17/jdk/centos/Dockerfile.releases.full | 2 ++ 17/jdk/centos/entrypoint.sh | 23 +++++++++++++++++++ .../ubi/ubi9-minimal/Dockerfile.releases.full | 2 ++ 17/jdk/ubi/ubi9-minimal/entrypoint.sh | 23 +++++++++++++++++++ 17/jdk/ubuntu/focal/Dockerfile.releases.full | 4 +++- 17/jdk/ubuntu/focal/entrypoint.sh | 22 ++++++++++++++++++ 17/jdk/ubuntu/jammy/Dockerfile.releases.full | 4 +++- 17/jdk/ubuntu/jammy/entrypoint.sh | 22 ++++++++++++++++++ 17/jre/alpine/Dockerfile.releases.full | 5 +++- 17/jre/alpine/entrypoint.sh | 22 ++++++++++++++++++ 17/jre/centos/Dockerfile.releases.full | 2 ++ 
17/jre/centos/entrypoint.sh | 23 +++++++++++++++++++ .../ubi/ubi9-minimal/Dockerfile.releases.full | 2 ++ 17/jre/ubi/ubi9-minimal/entrypoint.sh | 23 +++++++++++++++++++ 17/jre/ubuntu/focal/Dockerfile.releases.full | 4 +++- 17/jre/ubuntu/focal/entrypoint.sh | 22 ++++++++++++++++++ 17/jre/ubuntu/jammy/Dockerfile.releases.full | 4 +++- 17/jre/ubuntu/jammy/entrypoint.sh | 22 ++++++++++++++++++ 20/jdk/alpine/Dockerfile.releases.full | 5 +++- 20/jdk/alpine/entrypoint.sh | 22 ++++++++++++++++++ .../ubi/ubi9-minimal/Dockerfile.releases.full | 2 ++ 20/jdk/ubi/ubi9-minimal/entrypoint.sh | 23 +++++++++++++++++++ 20/jdk/ubuntu/jammy/Dockerfile.releases.full | 4 +++- 20/jdk/ubuntu/jammy/entrypoint.sh | 22 ++++++++++++++++++ 20/jre/alpine/Dockerfile.releases.full | 5 +++- 20/jre/alpine/entrypoint.sh | 22 ++++++++++++++++++ .../ubi/ubi9-minimal/Dockerfile.releases.full | 2 ++ 20/jre/ubi/ubi9-minimal/entrypoint.sh | 23 +++++++++++++++++++ 20/jre/ubuntu/jammy/Dockerfile.releases.full | 4 +++- 20/jre/ubuntu/jammy/entrypoint.sh | 22 ++++++++++++++++++ 8/jdk/alpine/Dockerfile.releases.full | 5 +++- 8/jdk/alpine/entrypoint.sh | 22 ++++++++++++++++++ 8/jdk/centos/Dockerfile.releases.full | 2 ++ 8/jdk/centos/entrypoint.sh | 23 +++++++++++++++++++ .../ubi/ubi9-minimal/Dockerfile.releases.full | 2 ++ 8/jdk/ubi/ubi9-minimal/entrypoint.sh | 23 +++++++++++++++++++ 8/jdk/ubuntu/focal/Dockerfile.releases.full | 4 +++- 8/jdk/ubuntu/focal/entrypoint.sh | 22 ++++++++++++++++++ 8/jdk/ubuntu/jammy/Dockerfile.releases.full | 4 +++- 8/jdk/ubuntu/jammy/entrypoint.sh | 22 ++++++++++++++++++ 8/jre/alpine/Dockerfile.releases.full | 5 +++- 8/jre/alpine/entrypoint.sh | 22 ++++++++++++++++++ 8/jre/centos/Dockerfile.releases.full | 2 ++ 8/jre/centos/entrypoint.sh | 23 +++++++++++++++++++ .../ubi/ubi9-minimal/Dockerfile.releases.full | 2 ++ 8/jre/ubi/ubi9-minimal/entrypoint.sh | 23 +++++++++++++++++++ 8/jre/ubuntu/focal/Dockerfile.releases.full | 4 +++- 8/jre/ubuntu/focal/entrypoint.sh | 22 ++++++++++++++++++ 
8/jre/ubuntu/jammy/Dockerfile.releases.full | 4 +++- 8/jre/ubuntu/jammy/entrypoint.sh | 22 ++++++++++++++++++ dockerfile_functions.sh | 17 ++++++++++++-- scripts/entrypoint.alpine.sh | 22 ++++++++++++++++++ scripts/entrypoint.centos.sh | 1 + scripts/entrypoint.focal.sh | 1 + scripts/entrypoint.jammy.sh | 1 + scripts/entrypoint.ubi9-minimal.sh | 23 +++++++++++++++++++ 78 files changed, 971 insertions(+), 24 deletions(-) create mode 100755 11/jdk/alpine/entrypoint.sh create mode 100755 11/jdk/centos/entrypoint.sh create mode 100755 11/jdk/ubi/ubi9-minimal/entrypoint.sh create mode 100755 11/jdk/ubuntu/focal/entrypoint.sh create mode 100755 11/jdk/ubuntu/jammy/entrypoint.sh create mode 100755 11/jre/alpine/entrypoint.sh create mode 100755 11/jre/centos/entrypoint.sh create mode 100755 11/jre/ubi/ubi9-minimal/entrypoint.sh create mode 100755 11/jre/ubuntu/focal/entrypoint.sh create mode 100755 11/jre/ubuntu/jammy/entrypoint.sh create mode 100755 17/jdk/alpine/entrypoint.sh create mode 100755 17/jdk/centos/entrypoint.sh create mode 100755 17/jdk/ubi/ubi9-minimal/entrypoint.sh create mode 100755 17/jdk/ubuntu/focal/entrypoint.sh create mode 100755 17/jdk/ubuntu/jammy/entrypoint.sh create mode 100755 17/jre/alpine/entrypoint.sh create mode 100755 17/jre/centos/entrypoint.sh create mode 100755 17/jre/ubi/ubi9-minimal/entrypoint.sh create mode 100755 17/jre/ubuntu/focal/entrypoint.sh create mode 100755 17/jre/ubuntu/jammy/entrypoint.sh create mode 100755 20/jdk/alpine/entrypoint.sh create mode 100755 20/jdk/ubi/ubi9-minimal/entrypoint.sh create mode 100755 20/jdk/ubuntu/jammy/entrypoint.sh create mode 100755 20/jre/alpine/entrypoint.sh create mode 100755 20/jre/ubi/ubi9-minimal/entrypoint.sh create mode 100755 20/jre/ubuntu/jammy/entrypoint.sh create mode 100755 8/jdk/alpine/entrypoint.sh create mode 100755 8/jdk/centos/entrypoint.sh create mode 100755 8/jdk/ubi/ubi9-minimal/entrypoint.sh create mode 100755 8/jdk/ubuntu/focal/entrypoint.sh create mode 100755 
8/jdk/ubuntu/jammy/entrypoint.sh create mode 100755 8/jre/alpine/entrypoint.sh create mode 100755 8/jre/centos/entrypoint.sh create mode 100755 8/jre/ubi/ubi9-minimal/entrypoint.sh create mode 100755 8/jre/ubuntu/focal/entrypoint.sh create mode 100755 8/jre/ubuntu/jammy/entrypoint.sh create mode 100755 scripts/entrypoint.alpine.sh create mode 120000 scripts/entrypoint.centos.sh create mode 120000 scripts/entrypoint.focal.sh create mode 120000 scripts/entrypoint.jammy.sh create mode 100755 scripts/entrypoint.ubi9-minimal.sh diff --git a/11/jdk/alpine/Dockerfile.releases.full b/11/jdk/alpine/Dockerfile.releases.full index 053cc8d04..4bf06a281 100644 --- a/11/jdk/alpine/Dockerfile.releases.full +++ b/11/jdk/alpine/Dockerfile.releases.full @@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' # fontconfig and ttf-dejavu added to support serverside image generation by Java programs -RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ +# java-cacerts added to support adding CA certificates to the Java keystore +RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ && rm -rf /var/cache/apk/* ENV JAVA_VERSION jdk-11.0.19+7 @@ -59,5 +60,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/alpine/entrypoint.sh b/11/jdk/alpine/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/11/jdk/alpine/entrypoint.sh 
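Review bot: The `ENTRYPOINT ["/entrypoint.sh"]` line added at the end of the `@@ -59,5 +60,7 @@` hunk carries no comment, so nothing in the Dockerfile says that the image's TLS trust now depends on `USE_SYSTEM_CA_CERTS` and on the `/certificates` directory read by the script. A derived image that declares its own `ENTRYPOINT` replaces this one, and the certificate import is then skipped without any error even when the variable is set. I would add above the `COPY` a comment such as `# entrypoint.sh imports CAs from /certificates into the Java truststore when USE_SYSTEM_CA_CERTS is set; images that override ENTRYPOINT must call it themselves`. The same two lines are added to the other Dockerfile.releases.full files in this patch.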
@@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/11/jdk/centos/Dockerfile.releases.full b/11/jdk/centos/Dockerfile.releases.full index 8dc0bedce..14474a8ed 100644 --- a/11/jdk/centos/Dockerfile.releases.full +++ b/11/jdk/centos/Dockerfile.releases.full @@ -66,5 +66,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/centos/entrypoint.sh b/11/jdk/centos/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/11/jdk/centos/entrypoint.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" 
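Review bot: Under `set -e`, the `cp -a /certificates/* /usr/local/share/ca-certificates/` line aborts the container before `exec "$@"` whenever `USE_SYSTEM_CA_CERTS` is set but `/certificates` is missing or empty, because the unmatched glob reaches `cp` as a literal path. Guard the copy, for example `if [ -d /certificates ] && [ -n "$(ls -A /certificates)" ]; then cp -a /certificates/* /usr/local/share/ca-certificates/; fi`, and write a message to stderr when nothing was imported. The block also looks likely to fail the same way for a non-root container user, since the copy and `trust extract --overwrite` write to paths that are normally root-owned; that case deserves an explicit error rather than a bare `cp` failure. `[ -n "$USE_SYSTEM_CA_CERTS" ]` enables the import for any non-empty value, including `0` or `false`, which is worth stating in a comment. The identical script is added for the other alpine, focal and jammy images, and the same `cp` line appears in the centos and ubi9-minimal variant.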
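Review bot: The `ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"` line in 11/jdk/centos/entrypoint.sh removes the truststore shipped with the JDK and points the JVM at the OS-generated one, which the comment above it describes the other way round ("link the system CA bundle to the java truststore"). From then on the JVM presumably trusts exactly what `update-ca-trust` extracts, every file placed in `/certificates` included, rather than the JDK's bundled roots plus the custom CAs; if that replacement is intended it should be stated where the link is made. Suggested comment: `# Replace the JDK truststore with a symlink to the truststore generated by update-ca-trust; the roots bundled with the JDK are no longer used`. The same script is added for the other centos and ubi9-minimal images in this patch.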
diff --git a/11/jdk/ubi/ubi9-minimal/Dockerfile.releases.full b/11/jdk/ubi/ubi9-minimal/Dockerfile.releases.full index 1f7004e3f..09db81b3f 100644 --- a/11/jdk/ubi/ubi9-minimal/Dockerfile.releases.full +++ b/11/jdk/ubi/ubi9-minimal/Dockerfile.releases.full @@ -70,5 +70,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/ubi/ubi9-minimal/entrypoint.sh b/11/jdk/ubi/ubi9-minimal/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/11/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" diff --git a/11/jdk/ubuntu/focal/Dockerfile.releases.full b/11/jdk/ubuntu/focal/Dockerfile.releases.full index 74a1183d8..6920b7676 100644 --- a/11/jdk/ubuntu/focal/Dockerfile.releases.full +++ b/11/jdk/ubuntu/focal/Dockerfile.releases.full 
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -83,5 +83,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/ubuntu/focal/entrypoint.sh b/11/jdk/ubuntu/focal/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/11/jdk/ubuntu/focal/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/11/jdk/ubuntu/jammy/Dockerfile.releases.full b/11/jdk/ubuntu/jammy/Dockerfile.releases.full index 6d94bef09..7c11bcd8d 100644 --- a/11/jdk/ubuntu/jammy/Dockerfile.releases.full +++ b/11/jdk/ubuntu/jammy/Dockerfile.releases.full 
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -83,5 +83,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/ubuntu/jammy/entrypoint.sh b/11/jdk/ubuntu/jammy/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/11/jdk/ubuntu/jammy/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/11/jre/alpine/Dockerfile.releases.full b/11/jre/alpine/Dockerfile.releases.full index 273d78b75..c3f8b8ada 100644 --- a/11/jre/alpine/Dockerfile.releases.full +++ b/11/jre/alpine/Dockerfile.releases.full 
@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' # fontconfig and ttf-dejavu added to support serverside image generation by Java programs -RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ +# java-cacerts added to support adding CA certificates to the Java keystore +RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ && rm -rf /var/cache/apk/* ENV JAVA_VERSION jdk-11.0.19+7 @@ -58,3 +59,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/11/jre/alpine/entrypoint.sh b/11/jre/alpine/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/11/jre/alpine/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/11/jre/centos/Dockerfile.releases.full b/11/jre/centos/Dockerfile.releases.full index 7e883678a..0674369e8 100644 --- a/11/jre/centos/Dockerfile.releases.full +++ b/11/jre/centos/Dockerfile.releases.full 
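Review bot: The JRE Dockerfile gains `ENTRYPOINT ["/entrypoint.sh"]` in the `@@ -58,3 +59,5 @@` hunk but, unlike the JDK Dockerfiles, has no `CMD` after it, and Docker clears a `CMD` inherited from the base image once a Dockerfile sets `ENTRYPOINT`. Assuming the base image supplied a default shell command (the `FROM` line is outside the hunk), `docker run` without arguments used to start that shell and now reaches `exec "$@"` with an empty argument list, which does nothing and lets the script exit 0. Either add an explicit `CMD` to the JRE Dockerfiles or make the script fail loudly before the `exec`, e.g. `[ "$#" -gt 0 ] || { echo "entrypoint.sh: no command given" >&2; exit 1; }`. The other JRE Dockerfile.releases.full files in this patch receive the same two added lines.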
@@ -65,3 +65,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/11/jre/centos/entrypoint.sh b/11/jre/centos/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/11/jre/centos/entrypoint.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" diff --git a/11/jre/ubi/ubi9-minimal/Dockerfile.releases.full b/11/jre/ubi/ubi9-minimal/Dockerfile.releases.full index 7126ef52d..ff2a5e568 100644 --- a/11/jre/ubi/ubi9-minimal/Dockerfile.releases.full +++ b/11/jre/ubi/ubi9-minimal/Dockerfile.releases.full @@ -69,3 +69,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/11/jre/ubi/ubi9-minimal/entrypoint.sh b/11/jre/ubi/ubi9-minimal/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/11/jre/ubi/ubi9-minimal/entrypoint.sh 
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" diff --git a/11/jre/ubuntu/focal/Dockerfile.releases.full b/11/jre/ubuntu/focal/Dockerfile.releases.full index 350b5325c..b8da1f14f 100644 --- a/11/jre/ubuntu/focal/Dockerfile.releases.full +++ b/11/jre/ubuntu/focal/Dockerfile.releases.full @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -82,3 +82,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/11/jre/ubuntu/focal/entrypoint.sh b/11/jre/ubuntu/focal/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/11/jre/ubuntu/focal/entrypoint.sh 
@@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/11/jre/ubuntu/jammy/Dockerfile.releases.full b/11/jre/ubuntu/jammy/Dockerfile.releases.full index e2c4b53cb..ee5e5aa5c 100644 --- a/11/jre/ubuntu/jammy/Dockerfile.releases.full +++ b/11/jre/ubuntu/jammy/Dockerfile.releases.full @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -82,3 +82,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/11/jre/ubuntu/jammy/entrypoint.sh b/11/jre/ubuntu/jammy/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/11/jre/ubuntu/jammy/entrypoint.sh 
@@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/17/jdk/alpine/Dockerfile.releases.full b/17/jdk/alpine/Dockerfile.releases.full index f81add30e..271b90e53 100644 --- a/17/jdk/alpine/Dockerfile.releases.full +++ b/17/jdk/alpine/Dockerfile.releases.full @@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' # fontconfig and ttf-dejavu added to support serverside image generation by Java programs -RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ +# java-cacerts added to support adding CA certificates to the Java keystore +RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ && rm -rf /var/cache/apk/* ENV JAVA_VERSION jdk-17.0.7+7 @@ -59,5 +60,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/alpine/entrypoint.sh b/17/jdk/alpine/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/17/jdk/alpine/entrypoint.sh 
@@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/17/jdk/centos/Dockerfile.releases.full b/17/jdk/centos/Dockerfile.releases.full index 4d933edfb..09dcb5b82 100644 --- a/17/jdk/centos/Dockerfile.releases.full +++ b/17/jdk/centos/Dockerfile.releases.full @@ -66,5 +66,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/centos/entrypoint.sh b/17/jdk/centos/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/17/jdk/centos/entrypoint.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" 
diff --git a/17/jdk/ubi/ubi9-minimal/Dockerfile.releases.full b/17/jdk/ubi/ubi9-minimal/Dockerfile.releases.full index 464dff152..51a9ac274 100644 --- a/17/jdk/ubi/ubi9-minimal/Dockerfile.releases.full +++ b/17/jdk/ubi/ubi9-minimal/Dockerfile.releases.full @@ -70,5 +70,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/ubi/ubi9-minimal/entrypoint.sh b/17/jdk/ubi/ubi9-minimal/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/17/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" diff --git a/17/jdk/ubuntu/focal/Dockerfile.releases.full b/17/jdk/ubuntu/focal/Dockerfile.releases.full index 1ccde6cfe..e8ea0128c 100644 --- a/17/jdk/ubuntu/focal/Dockerfile.releases.full +++ b/17/jdk/ubuntu/focal/Dockerfile.releases.full 
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -83,5 +83,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/ubuntu/focal/entrypoint.sh b/17/jdk/ubuntu/focal/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/17/jdk/ubuntu/focal/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/17/jdk/ubuntu/jammy/Dockerfile.releases.full b/17/jdk/ubuntu/jammy/Dockerfile.releases.full index 14ad50ae2..25f9e1119 100644 --- a/17/jdk/ubuntu/jammy/Dockerfile.releases.full +++ b/17/jdk/ubuntu/jammy/Dockerfile.releases.full 
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -83,5 +83,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/ubuntu/jammy/entrypoint.sh b/17/jdk/ubuntu/jammy/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/17/jdk/ubuntu/jammy/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/17/jre/alpine/Dockerfile.releases.full b/17/jre/alpine/Dockerfile.releases.full index a86eba13d..18cc15e3f 100644 --- a/17/jre/alpine/Dockerfile.releases.full +++ b/17/jre/alpine/Dockerfile.releases.full 
@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' # fontconfig and ttf-dejavu added to support serverside image generation by Java programs -RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ +# java-cacerts added to support adding CA certificates to the Java keystore +RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ && rm -rf /var/cache/apk/* ENV JAVA_VERSION jdk-17.0.7+7 @@ -58,3 +59,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/17/jre/alpine/entrypoint.sh b/17/jre/alpine/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/17/jre/alpine/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/17/jre/centos/Dockerfile.releases.full b/17/jre/centos/Dockerfile.releases.full index 96943e844..7633a815b 100644 --- a/17/jre/centos/Dockerfile.releases.full +++ b/17/jre/centos/Dockerfile.releases.full 
@@ -65,3 +65,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/17/jre/centos/entrypoint.sh b/17/jre/centos/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/17/jre/centos/entrypoint.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" diff --git a/17/jre/ubi/ubi9-minimal/Dockerfile.releases.full b/17/jre/ubi/ubi9-minimal/Dockerfile.releases.full index b78544aa0..ad94a1f2b 100644 --- a/17/jre/ubi/ubi9-minimal/Dockerfile.releases.full +++ b/17/jre/ubi/ubi9-minimal/Dockerfile.releases.full @@ -69,3 +69,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/17/jre/ubi/ubi9-minimal/entrypoint.sh b/17/jre/ubi/ubi9-minimal/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/17/jre/ubi/ubi9-minimal/entrypoint.sh 
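Review bot: `ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"` replaces the JDK's own truststore with a symlink without checking that the target exists, and `ln -sf` succeeds on a missing target, so `set -e` does not catch it. If `update-ca-trust` did not produce the Java extract on a given base image, the JVM would start with a dangling `cacerts` and TLS validation would presumably fail for every peer. I would guard the link with `[ -f /etc/pki/ca-trust/extracted/java/cacerts ] || { echo "java truststore extract not found" >&2; exit 1; }`. The comment above the `cp` also reads more accurately as "link the java truststore to the system CA bundle". The same script is added for the other centos and ubi9-minimal variants and as scripts/entrypoint.ubi9-minimal.sh.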
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" diff --git a/17/jre/ubuntu/focal/Dockerfile.releases.full b/17/jre/ubuntu/focal/Dockerfile.releases.full index 9e165410a..50f13e4ad 100644 --- a/17/jre/ubuntu/focal/Dockerfile.releases.full +++ b/17/jre/ubuntu/focal/Dockerfile.releases.full @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -82,3 +82,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/17/jre/ubuntu/focal/entrypoint.sh b/17/jre/ubuntu/focal/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/17/jre/ubuntu/focal/entrypoint.sh 
@@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/17/jre/ubuntu/jammy/Dockerfile.releases.full b/17/jre/ubuntu/jammy/Dockerfile.releases.full index a3ed96af2..2bc1bde34 100644 --- a/17/jre/ubuntu/jammy/Dockerfile.releases.full +++ b/17/jre/ubuntu/jammy/Dockerfile.releases.full @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -82,3 +82,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/17/jre/ubuntu/jammy/entrypoint.sh b/17/jre/ubuntu/jammy/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/17/jre/ubuntu/jammy/entrypoint.sh 
@@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/20/jdk/alpine/Dockerfile.releases.full b/20/jdk/alpine/Dockerfile.releases.full index e5c06c149..2450e8504 100644 --- a/20/jdk/alpine/Dockerfile.releases.full +++ b/20/jdk/alpine/Dockerfile.releases.full @@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' # fontconfig and ttf-dejavu added to support serverside image generation by Java programs -RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ +# java-cacerts added to support adding CA certificates to the Java keystore +RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ && rm -rf /var/cache/apk/* ENV JAVA_VERSION jdk-20.0.1+9 @@ -59,5 +60,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/20/jdk/alpine/entrypoint.sh b/20/jdk/alpine/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/20/jdk/alpine/entrypoint.sh 
@@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/20/jdk/ubi/ubi9-minimal/Dockerfile.releases.full b/20/jdk/ubi/ubi9-minimal/Dockerfile.releases.full index 5d5efe1c3..e548f551a 100644 --- a/20/jdk/ubi/ubi9-minimal/Dockerfile.releases.full +++ b/20/jdk/ubi/ubi9-minimal/Dockerfile.releases.full @@ -62,5 +62,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/20/jdk/ubi/ubi9-minimal/entrypoint.sh b/20/jdk/ubi/ubi9-minimal/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/20/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" 
diff --git a/20/jdk/ubuntu/jammy/Dockerfile.releases.full b/20/jdk/ubuntu/jammy/Dockerfile.releases.full index 75313ba9d..36e882d70 100644 --- a/20/jdk/ubuntu/jammy/Dockerfile.releases.full +++ b/20/jdk/ubuntu/jammy/Dockerfile.releases.full @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -71,5 +71,7 @@ RUN echo Verifying install ... \ && echo javac --version && javac --version \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] CMD ["jshell"] diff --git a/20/jdk/ubuntu/jammy/entrypoint.sh b/20/jdk/ubuntu/jammy/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/20/jdk/ubuntu/jammy/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/20/jre/alpine/Dockerfile.releases.full b/20/jre/alpine/Dockerfile.releases.full index 50487c7a8..1e8adaf47 100644 
--- a/20/jre/alpine/Dockerfile.releases.full +++ b/20/jre/alpine/Dockerfile.releases.full @@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' # fontconfig and ttf-dejavu added to support serverside image generation by Java programs -RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ +# java-cacerts added to support adding CA certificates to the Java keystore +RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ && rm -rf /var/cache/apk/* ENV JAVA_VERSION jdk-20.0.1+9 @@ -58,3 +59,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/20/jre/alpine/entrypoint.sh b/20/jre/alpine/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/20/jre/alpine/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/20/jre/ubi/ubi9-minimal/Dockerfile.releases.full b/20/jre/ubi/ubi9-minimal/Dockerfile.releases.full index 3b9538f04..5881ca720 100644 --- a/20/jre/ubi/ubi9-minimal/Dockerfile.releases.full 
+++ b/20/jre/ubi/ubi9-minimal/Dockerfile.releases.full @@ -61,3 +61,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/20/jre/ubi/ubi9-minimal/entrypoint.sh b/20/jre/ubi/ubi9-minimal/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/20/jre/ubi/ubi9-minimal/entrypoint.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" diff --git a/20/jre/ubuntu/jammy/Dockerfile.releases.full b/20/jre/ubuntu/jammy/Dockerfile.releases.full index 13877af7e..0eafb5cc5 100644 --- a/20/jre/ubuntu/jammy/Dockerfile.releases.full +++ b/20/jre/ubuntu/jammy/Dockerfile.releases.full @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* 
@@ -70,3 +70,5 @@ RUN echo Verifying install ... \ && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \ && echo java --version && java --version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/20/jre/ubuntu/jammy/entrypoint.sh b/20/jre/ubuntu/jammy/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/20/jre/ubuntu/jammy/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/8/jdk/alpine/Dockerfile.releases.full b/8/jdk/alpine/Dockerfile.releases.full index d4986c430..04b4af946 100644 --- a/8/jdk/alpine/Dockerfile.releases.full +++ b/8/jdk/alpine/Dockerfile.releases.full @@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' # fontconfig and ttf-dejavu added to support serverside image generation by Java programs -RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ +# java-cacerts added to support adding CA certificates to the Java keystore +RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ && rm -rf /var/cache/apk/* ENV JAVA_VERSION jdk8u372-b07 
@@ -58,3 +59,5 @@ RUN echo Verifying install ... \ && echo javac -version && javac -version \ && echo java -version && java -version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/8/jdk/alpine/entrypoint.sh b/8/jdk/alpine/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/8/jdk/alpine/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/8/jdk/centos/Dockerfile.releases.full b/8/jdk/centos/Dockerfile.releases.full index 978847f27..3a848c84d 100644 --- a/8/jdk/centos/Dockerfile.releases.full +++ b/8/jdk/centos/Dockerfile.releases.full @@ -65,3 +65,5 @@ RUN echo Verifying install ... \ && echo javac -version && javac -version \ && echo java -version && java -version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/8/jdk/centos/entrypoint.sh b/8/jdk/centos/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/8/jdk/centos/entrypoint.sh 
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" diff --git a/8/jdk/ubi/ubi9-minimal/Dockerfile.releases.full b/8/jdk/ubi/ubi9-minimal/Dockerfile.releases.full index 4a1abb6fc..ae4d6c8d6 100644 --- a/8/jdk/ubi/ubi9-minimal/Dockerfile.releases.full +++ b/8/jdk/ubi/ubi9-minimal/Dockerfile.releases.full @@ -65,3 +65,5 @@ RUN echo Verifying install ... \ && echo javac -version && javac -version \ && echo java -version && java -version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/8/jdk/ubi/ubi9-minimal/entrypoint.sh b/8/jdk/ubi/ubi9-minimal/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/8/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" 
diff --git a/8/jdk/ubuntu/focal/Dockerfile.releases.full b/8/jdk/ubuntu/focal/Dockerfile.releases.full index 5c85578c6..e6d8e1c9d 100644 --- a/8/jdk/ubuntu/focal/Dockerfile.releases.full +++ b/8/jdk/ubuntu/focal/Dockerfile.releases.full @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -79,3 +79,5 @@ RUN echo Verifying install ... \ && echo javac -version && javac -version \ && echo java -version && java -version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/8/jdk/ubuntu/focal/entrypoint.sh b/8/jdk/ubuntu/focal/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/8/jdk/ubuntu/focal/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/8/jdk/ubuntu/jammy/Dockerfile.releases.full b/8/jdk/ubuntu/jammy/Dockerfile.releases.full index 700b54659..8b89e60b3 100644 --- a/8/jdk/ubuntu/jammy/Dockerfile.releases.full 
+++ b/8/jdk/ubuntu/jammy/Dockerfile.releases.full @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -79,3 +79,5 @@ RUN echo Verifying install ... \ && echo javac -version && javac -version \ && echo java -version && java -version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/8/jdk/ubuntu/jammy/entrypoint.sh b/8/jdk/ubuntu/jammy/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/8/jdk/ubuntu/jammy/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/8/jre/alpine/Dockerfile.releases.full b/8/jre/alpine/Dockerfile.releases.full index 313f0e526..10dc3b08b 100644 --- a/8/jre/alpine/Dockerfile.releases.full +++ b/8/jre/alpine/Dockerfile.releases.full 
@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' # fontconfig and ttf-dejavu added to support serverside image generation by Java programs -RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ +# java-cacerts added to support adding CA certificates to the Java keystore +RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ && rm -rf /var/cache/apk/* ENV JAVA_VERSION jdk8u372-b07 @@ -57,3 +58,5 @@ RUN set -eux; \ RUN echo Verifying install ... \ && echo java -version && java -version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/8/jre/alpine/entrypoint.sh b/8/jre/alpine/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/8/jre/alpine/entrypoint.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/8/jre/centos/Dockerfile.releases.full b/8/jre/centos/Dockerfile.releases.full index 87eb02085..6878825e7 100644 --- a/8/jre/centos/Dockerfile.releases.full +++ b/8/jre/centos/Dockerfile.releases.full @@ -64,3 +64,5 @@ RUN set -eux; \ RUN echo Verifying install ... \ && echo java -version && java -version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] 
diff --git a/8/jre/centos/entrypoint.sh b/8/jre/centos/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/8/jre/centos/entrypoint.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" diff --git a/8/jre/ubi/ubi9-minimal/Dockerfile.releases.full b/8/jre/ubi/ubi9-minimal/Dockerfile.releases.full index 4eef706f1..329085065 100644 --- a/8/jre/ubi/ubi9-minimal/Dockerfile.releases.full +++ b/8/jre/ubi/ubi9-minimal/Dockerfile.releases.full @@ -64,3 +64,5 @@ RUN set -eux; \ RUN echo Verifying install ... \ && echo java -version && java -version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/8/jre/ubi/ubi9-minimal/entrypoint.sh b/8/jre/ubi/ubi9-minimal/entrypoint.sh new file mode 100755 index 000000000..269c7b928 --- /dev/null +++ b/8/jre/ubi/ubi9-minimal/entrypoint.sh 
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # RHEL-based images already include a routine to update a java truststore from the system CA bundle within + # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. + + cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ + update-ca-trust + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" +fi + +exec "$@" diff --git a/8/jre/ubuntu/focal/Dockerfile.releases.full b/8/jre/ubuntu/focal/Dockerfile.releases.full index 248dd63df..06d4ecddb 100644 --- a/8/jre/ubuntu/focal/Dockerfile.releases.full +++ b/8/jre/ubuntu/focal/Dockerfile.releases.full @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -78,3 +78,5 @@ RUN set -eux; \ RUN echo Verifying install ... \ && echo java -version && java -version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/8/jre/ubuntu/focal/entrypoint.sh b/8/jre/ubuntu/focal/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/8/jre/ubuntu/focal/entrypoint.sh 
@@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/8/jre/ubuntu/jammy/Dockerfile.releases.full b/8/jre/ubuntu/jammy/Dockerfile.releases.full index 8d81b6b05..812315c1c 100644 --- a/8/jre/ubuntu/jammy/Dockerfile.releases.full +++ b/8/jre/ubuntu/jammy/Dockerfile.releases.full @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' RUN apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \ && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \ && locale-gen en_US.UTF-8 \ && rm -rf /var/lib/apt/lists/* @@ -78,3 +78,5 @@ RUN set -eux; \ RUN echo Verifying install ... \ && echo java -version && java -version \ && echo Complete. +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] diff --git a/8/jre/ubuntu/jammy/entrypoint.sh b/8/jre/ubuntu/jammy/entrypoint.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/8/jre/ubuntu/jammy/entrypoint.sh 
@@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/dockerfile_functions.sh b/dockerfile_functions.sh index df1f8387f..dcc7b6a4e 100755 --- a/dockerfile_functions.sh +++ b/dockerfile_functions.sh @@ -175,7 +175,7 @@ ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' # Select the ubuntu OS packages print_ubuntu_pkg() { - packages="tzdata curl wget ca-certificates fontconfig locales" + packages="tzdata curl wget ca-certificates fontconfig locales p11-kit" # binutils is needed on JDK13+ for jlink to work https://github.com/docker-library/openjdk/issues/351 if [[ $version -ge 13 ]]; then packages+=" binutils" @@ -227,7 +227,8 @@ print_alpine_pkg() { print_alpine_musl_pkg() { cat >> "$1" <<'EOI' # fontconfig and ttf-dejavu added to support serverside image generation by Java programs -RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ +# java-cacerts added to support adding CA certificates to the Java keystore +RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \ && rm -rf /var/cache/apk/* EOI } 
@@ -847,6 +848,17 @@ RUN Write-Host 'Verifying install ...'; \\ fi } +print_entrypoint() { + dir=$(dirname "$1") + + cat "scripts/entrypoint.$2.sh" > "$dir/entrypoint.sh" + chmod +x "$dir/entrypoint.sh" + cat >> "$1" < 8, set CMD["jshell"] in the Dockerfile above_8="^(9|[1-9][0-9]+)$" @@ -900,6 +912,7 @@ generate_dockerfile() { print_"${distro}"_java_install "${file}" "${pkg}" "${bld}" "${btype}" "${osfamily}" "${os}"; print_java_options "${file}" "${bld}" "${btype}"; print_test "${file}"; + print_entrypoint "${file}" "${os}" print_cmd "${file}"; fi echo "done" diff --git a/scripts/entrypoint.alpine.sh b/scripts/entrypoint.alpine.sh new file mode 100755 index 000000000..61d5a265c --- /dev/null +++ b/scripts/entrypoint.alpine.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env sh + +set -e + +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + + cp -a /certificates/* /usr/local/share/ca-certificates/ + update-ca-certificates + + CACERT=$JAVA_HOME/lib/security/cacerts + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT=$JAVA_HOME/jre/lib/security/cacerts + fi + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" diff --git a/scripts/entrypoint.centos.sh b/scripts/entrypoint.centos.sh new file mode 120000 index 000000000..562528611 --- /dev/null +++ b/scripts/entrypoint.centos.sh @@ -0,0 +1 @@ +entrypoint.ubi9-minimal.sh \ No newline at end of file diff --git a/scripts/entrypoint.focal.sh b/scripts/entrypoint.focal.sh new file mode 120000 index 000000000..ce5e34af9 --- /dev/null +++ b/scripts/entrypoint.focal.sh @@ -0,0 +1 @@ +entrypoint.alpine.sh \ No newline at end of file diff --git a/scripts/entrypoint.jammy.sh b/scripts/entrypoint.jammy.sh new file mode 120000 index 000000000..ce5e34af9 
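Review bot: In `print_entrypoint` (dockerfile_functions.sh), `cat "scripts/entrypoint.$2.sh" > "$dir/entrypoint.sh"` creates the target before `cat` runs, so an `os` value with no matching template still leaves an empty `entrypoint.sh` that the following `chmod +x` marks executable. This patch adds templates only for alpine, centos, focal, jammy and ubi9-minimal, and `generate_dockerfile` passes `"${os}"` through unchecked; whether the generator aborts on the failed `cat` depends on shell options not visible here. I would fail early with `[ -f "scripts/entrypoint.$2.sh" ] || { echo "no entrypoint template for $2" >&2; return 1; }` before the copy, and declare `dir` with `local` so it does not leak into the caller. The heredoc that appends the ENTRYPOINT lines is not legible on this page, so it is not covered by this note.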
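Review bot: In scripts/entrypoint.alpine.sh, `cp -a /certificates/* /usr/local/share/ca-certificates/` runs under `set -e` with no check that `/certificates` exists or has entries, so setting USE_SYSTEM_CA_CERTS without a populated mount hands the unmatched glob to `cp` and the container exits before `exec "$@"` with only a `cp` error. `-a` also copies symlinks as symlinks; where the mounted files are relative symlinks (as Kubernetes ConfigMap and Secret volumes present them) the copies would dangle and the CA would likely not be imported. A guarded copy that follows links covers both: `if [ -d /certificates ] && [ -n "$(ls -A /certificates)" ]; then cp -RL /certificates/* /usr/local/share/ca-certificates/; fi`. The same `cp -a` line is in scripts/entrypoint.ubi9-minimal.sh and in every generated per-image `entrypoint.sh`.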
--- /dev/null
+++ b/scripts/entrypoint.jammy.sh
@@ -0,0 +1 @@
+entrypoint.alpine.sh
\ No newline at end of file
diff --git a/scripts/entrypoint.ubi9-minimal.sh b/scripts/entrypoint.ubi9-minimal.sh
new file mode 100755
index 000000000..269c7b928
--- /dev/null
+++ b/scripts/entrypoint.ubi9-minimal.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ update-ca-trust
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
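Review bot: In scripts/entrypoint.ubi9-minimal.sh, the `cp` into `/usr/share/pki/ca-trust-source/anchors/`, `update-ca-trust` and `ln -sf … "$CACERT"` all write to system and JDK paths with no check of the effective user; a container started as a non-root user with USE_SYSTEM_CA_CERTS set will presumably fail at the first of them and, because of `set -e`, never reach `exec "$@"`. An explicit guard makes that failure readable: `[ "$(id -u)" -eq 0 ] || { echo "USE_SYSTEM_CA_CERTS requires running as root" >&2; exit 1; }`. The block also deserves a comment stating that the JDK's bundled `cacerts` is replaced by the system bundle, and that `[ -n "$USE_SYSTEM_CA_CERTS" ]` enables the import for any non-empty value, including `false` or `0`. scripts/entrypoint.alpine.sh has the same structure, with `trust extract --overwrite` in place of the symlink.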