diff --git a/.test/config.sh b/.test/config.sh
new file mode 100644
index 00000000..274c626e
--- /dev/null
+++ b/.test/config.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+imageTests[openjdk]+='
+    java-ca-certificates-update
+'
+
+globalExcludeTests+=(
+    # nanoservcer/windowsservercore: updating local store with additional certificates is not implemented
+    [openjdk:nanoserver_java-ca-certificates-update]=1
+    [openjdk:windowsservercore_java-ca-certificates-update]=1
+)
diff --git a/.test/tests/java-ca-certificates-update/certs/README.md b/.test/tests/java-ca-certificates-update/certs/README.md
new file mode 100644
index 00000000..b60d1d3a
--- /dev/null
+++ b/.test/tests/java-ca-certificates-update/certs/README.md
@@ -0,0 +1 @@
+This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/server.key -out certs/server.crt` and is only used for testing
diff --git a/.test/tests/java-ca-certificates-update/certs/server.crt b/.test/tests/java-ca-certificates-update/certs/server.crt
new file mode 100644
index 00000000..73838f46
--- /dev/null
+++ b/.test/tests/java-ca-certificates-update/certs/server.crt
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRTCCAi2gAwIBAgIUIfl8I/yasxlsTEc30PLLRuleiCswDQYJKoZIhvcNAQEL +BQAwMTEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFjAUBgNVBAMMDURvY2tlckJ1 +aWxkZXIwIBcNMjMwNjEyMTgyNDE1WhgPMzAwMzA4MTQxODI0MTVaMDExFzAVBgoJ +kiaJk/IsZAEZFgdUZW11cmluMRYwFAYDVQQDDA1Eb2NrZXJCdWlsZGVyMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArfOgmluNXEIE7BWvt7jGgdZW/y5s +N78FcpZdM8Z2FatvjJKvNmJ9OkkkOSNBhGKAWpHn19JMNdQ2nEmTHMetg0hiSqRI +hBceAY4lDfOzxAyZGGpVzL9U1B9mOrX5O3EedF5AVvl0NZVjEwswuGaUa3zZBAKy +Z5Vv/z8Lw2uYIs/dtw8lcpEAb78BZ8bAhhhl+X+tTGK8agibLGQJT9l/JxS3pXyw +me4YaKQQRgvuqOTEt+x+0aA5E2EUTOGq0Li+i1ranf6ou5Dz/Y6LtXwT/j2bf4ZR +w2YHpYZL54UEtMWES2KAjsZ3u4DCxUIEfW8EgxUIhcepIDP1h05A3fSiWQIDAQAB +o1MwUTAdBgNVHQ4EFgQUr0VirSzDQTuNgGjDxRkxPFrjUKcwHwYDVR0jBBgwFoAU +r0VirSzDQTuNgGjDxRkxPFrjUKcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAQEAlo6ZSAIKSUWqRygyNg9oWuLGfWMW//dZjU1MKBYVpM4Mry/aMD5d +kMQj9hm+zXhNYN01yLh/cdPKCQ/r1KP6lmCtZHp50Xe8HEnIymRYx0KMAcqYLjnT +DXwCPqtWvJ1do65vVJRN70CuF8T1JNFhPdirrAiuU7bhGPABfnbek7yNkTYgUSdb +WpV/WOFPh9Dl24vNl1/Cti+pQThlCgHF/+dVndFHN9FOOG8k8ohYkLwL+ZzKfOiZ +CVWn2mWk2EhcuTlg/3zkXmwjfzFTdXMhS1sdfJNReaY/omJ91euxB0c8iYZV4wuU +ghx+GJ14nO7RJNHNX4k+BBPxy3f56+cYrg== +-----END CERTIFICATE----- diff --git a/.test/tests/java-ca-certificates-update/certs/server.key b/.test/tests/java-ca-certificates-update/certs/server.key new file mode 100644 index 00000000..4226cb96 --- /dev/null +++ b/.test/tests/java-ca-certificates-update/certs/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCt86CaW41cQgTs +Fa+3uMaB1lb/Lmw3vwVyll0zxnYVq2+Mkq82Yn06SSQ5I0GEYoBakefX0kw11Dac +SZMcx62DSGJKpEiEFx4BjiUN87PEDJkYalXMv1TUH2Y6tfk7cR50XkBW+XQ1lWMT +CzC4ZpRrfNkEArJnlW//PwvDa5giz923DyVykQBvvwFnxsCGGGX5f61MYrxqCJss +ZAlP2X8nFLelfLCZ7hhopBBGC+6o5MS37H7RoDkTYRRM4arQuL6LWtqd/qi7kPP9 +jou1fBP+PZt/hlHDZgelhkvnhQS0xYRLYoCOxne7gMLFQgR9bwSDFQiFx6kgM/WH +TkDd9KJZAgMBAAECggEAAi4knsKpKn/xAATZO2LaFBcGZ0ji64Od/cduMB+w67PG +yxAsmNsnqX3GBzROq3+GOdG3LPCSastNNZduJq/HAuH69Ly15E1GNOvzQXHtmHZg +SzAhVqwK6WS3sI0xgZdOSSmZl1glkXqyRPMV333OUZbn68GykD331c8UZpTi5tlx +qdOSEWwXQyVXh2mTT8uWWvqJm8OVaSUEo0KPNhsfWliINAXaDvlFle18wb0sQvAK +d/49VMmEoQMocHcXas5jVHZZzxwQ8gV+cA1nFOzOEOYX1IyHjJdfEUWT7Pa3LEjg +rPjEe/KiA3X9mVmofRG0Gvl8YjMiUEOBF/p9hgUxfQKBgQDY3oBUpkwhy3lRw2nu +PublbozVZi12hrEPIlqLSIda6i0hbCA2E5VBykuP7z0VnQOiHQWQPJ77BYEzR6xw +Z/PoJJL8knxtqVg9FsQlcsseDNW2THp53vf/Fiy4t+GoJZ7yezVyYI7RzngDPnCw +buiYUsd9+uKo8+Gs0fnZGSuRvQKBgQDNVrS2/A8NKRv/3cddNqEN4m16pVmAJg8G +Ww7t40W9c/lPW2SBH7wpEUW37N3b8lv1A8L24nJSbqiMjIkFxWroeOeFFEzKWp9r +BlFUu0kn5oAOI1NJOEOmjR9+SslDXetKDJpon60GYWJ8ke5jfaYUTEWIxUXRYOsX +mg8+L2iGzQKBgQCrzWiAptU9GIJdoZ8znCUysKdlDvMJKJ7vzFlKagTAoy9pgMzr +ygu9+NJvjikoDCEqti8IGt4fIjc+NpOG4PM6fm7rI+jqvvMmQfjVaeE7RxOuvVtx +XI++RwTauOFNYbBPjAfFOnUqBJTSjQ6c1t/we/OJ+8y/56RqUlXKBMSdSQKBgQDD +Wz2dZduwCq9/0/FL5qB9hDHiYJPxDsR2qIVgoDyGjWLhNDM/ggDTFYK+BNXi3wbL +6aNAnZpkgLFM3puyaOtYd0bVXsXcMzG+cglI0tI76tlkGgmv/J6oQ1V2IxKuTBmB +ntH8vgWwr1Ay8efasf0jDJmPERhmpo2kK8daw2Hv9QKBgAaxusMUdCSBu5YwI6u4 +6d0nN6WdY2aVcgQXbhJEpsaxT9KqN+LP5wZNf08hyUiO4zSrfVOapOS+10Ng1EYi +YQi8SjQd5deIc/jKKT5k9lCRcfhDq7YQo5pZbUgzDDuxod0WduvBnrf4zAl+K32V +1HI3wrgh88qBEGASVY8y6rDH +-----END PRIVATE KEY----- diff --git a/.test/tests/java-ca-certificates-update/custom-entrypoint.sh b/.test/tests/java-ca-certificates-update/custom-entrypoint.sh new file mode 100755 index 00000000..9d689775 --- /dev/null 
+++ b/.test/tests/java-ca-certificates-update/custom-entrypoint.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+
+exec "$@"
diff --git a/.test/tests/java-ca-certificates-update/expected-std-out.txt b/.test/tests/java-ca-certificates-update/expected-std-out.txt
new file mode 100644
index 00000000..dc1b0ce4
--- /dev/null
+++ b/.test/tests/java-ca-certificates-update/expected-std-out.txt
@@ -0,0 +1 @@
+0101010001
diff --git a/.test/tests/java-ca-certificates-update/run.sh b/.test/tests/java-ca-certificates-update/run.sh
new file mode 100755
index 00000000..84a586c4
--- /dev/null
+++ b/.test/tests/java-ca-certificates-update/run.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+set -o pipefail
+
+testDir="$(readlink -f "$(dirname "$BASH_SOURCE")")"
+runDir="$(dirname "$(readlink -f "$BASH_SOURCE")")"
+
+# Find Java major/minor/build/patch version
+#
+# https://stackoverflow.com/a/74459237/6460
+IFS='"' read -r _ java_version_string _ < <(docker run "$1" java -version 2>&1)
+IFS='._' read -r \
+    java_version_major \
+    java_version_minor \
+    java_version_build \
+    java_version_patch \
+    <<<"$java_version_string"
+
+# CMD1 in each run is just a `date` to make sure nothing is broken with or without the entrypoint
+CMD1=date
+
+# CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore
+if [ "$java_version_major" -lt 11 ]; then
+    # We are working with JDK/JRE 8
+    #
+    # `keytool` from JDK/JRE 8 does not have the `-cacerts` option and also does not have standardized location for the
+    # `cacerts` file between the JDK and JRE, so we'd want to check both possible locations.
+    CACERTS=/opt/java/openjdk/lib/security/cacerts
+    CACERTS2=/opt/java/openjdk/jre/lib/security/cacerts
+
+    CMD2=(sh -c "keytool -list -keystore $CACERTS -storepass changeit -alias dockerbuilder || keytool -list -keystore $CACERTS2 -storepass changeit -alias dockerbuilder")
+else
+    CMD2=(keytool -list -cacerts -storepass changeit -alias dockerbuilder)
+fi
+
+#
+# We need to use `docker run`, since `run-in-container.sh` overwrites the entrypoint
+#
+
+# Test run 1: No added certificates and environment variable is not set. We expect CMD1 to succeed and CMD2 to fail.
+docker run --rm "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 2: No added certificates, but the environment variable is set. Since there are no certificates, we still
+# expect CMD1 to succeed and CMD2 to fail.
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 3: Certificates are mounted, but the environment variable is not set, i.e. certificate importing should not
+# be activated. We expect CMD1 to succeed and CMD2 to fail.
+docker run --rm --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 4: Certificates are mounted and the environment variable is set. We expect both CMD1 and CMD2 to succeed.
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+TESTIMAGE=$1.test
+
+function finish {
+    docker rmi "$TESTIMAGE" >&/dev/null
+}
+trap finish EXIT HUP INT TERM
+
+# Test run 5: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
+# CMD1 to succeed and CMD2 to fail.
+#
+# But first, we need to create an image with an overridden entrypoint
+docker build -t "$1.test" "$runDir" -f - <&/dev/null
+FROM $1
+COPY custom-entrypoint.sh /
+ENTRYPOINT ["/custom-entrypoint.sh"]
+EOF
+
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" "${CMD2[@]}" >&/dev/null
+echo -n $?
diff --git a/11/jdk/alpine/Dockerfile.releases.full b/11/jdk/alpine/Dockerfile.releases.full
index fc3abdd4..60978d56 100644
--- a/11/jdk/alpine/Dockerfile.releases.full
+++ b/11/jdk/alpine/Dockerfile.releases.full
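Review bot: `$testDir` is expanded unquoted in every `--volume=$testDir/certs:/certificates` argument (test runs 3, 4 and 5), so a checkout path containing whitespace or glob characters splits the argument and mounts the wrong thing; quote it as `--volume="$testDir/certs:/certificates"`. The image tag is also spelled twice, `TESTIMAGE=$1.test` and then `docker build -t "$1.test"`; building with `-t "$TESTIMAGE"` keeps the tag and the cleanup trap in step. The build line reads `-f - <&/dev/null` in this rendering, which looks like an extraction artifact of a heredoc followed by an output redirection; if the committed file really contains `<&/dev/null`, bash rejects the redirection and the `FROM`/`COPY`/`ENTRYPOINT` lines are never fed to `docker build`, so confirm the `<<EOF` operator is present. Nothing checks the build's exit status, so a failed build is only caught indirectly by the mismatched digits of test run 5.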
@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
     && rm -rf /var/cache/apk/*
 ENV JAVA_VERSION jdk-11.0.19+7
@@ -59,5 +60,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/11/jdk/alpine/entrypoint.sh b/11/jdk/alpine/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/11/jdk/alpine/entrypoint.sh
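Review bot: The new `ENTRYPOINT ["/entrypoint.sh"]` is undocumented in the Dockerfile itself, so a reader of the image definition cannot tell that the entrypoint can rewrite the JDK truststore at container start; add a comment above the `COPY`, e.g. `# entrypoint.sh imports CA certificates from /certificates into the JDK truststore when USE_SYSTEM_CA_CERTS is set, then execs CMD`. The entrypoint needs `update-ca-certificates` and `trust` at run time, while this hunk only adds `java-cacerts`; whether that package pulls in the `trust` binary is not visible in the diff, so a `command -v trust update-ca-certificates` appended to the existing "Verifying install" `RUN` would fail the build early rather than the first container start. The same `COPY`/`ENTRYPOINT` addition without a comment appears in every other Dockerfile.releases.full in this diff.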
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/local/share/ca-certificates/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+    update-ca-certificates
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/11/jdk/centos/Dockerfile.releases.full b/11/jdk/centos/Dockerfile.releases.full
index 0964f7e9..c07b2040 100644
--- a/11/jdk/centos/Dockerfile.releases.full
+++ b/11/jdk/centos/Dockerfile.releases.full
@@ -66,5 +66,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/11/jdk/centos/entrypoint.sh b/11/jdk/centos/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/11/jdk/centos/entrypoint.sh
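Review bot: `cp -a /certificates/* /usr/local/share/ca-certificates/` copies every file in the mount, not just certificates; the fixture that `run.sh` mounts at `/certificates` contains `server.key` next to `server.crt`, so a private key that sits beside its certificate is copied, with its original mode, into the system trust-source directory for the life of the container. Copying only certificate files (below) avoids that and also removes the reliance on parsing `ls -A`: under `sh` an unmatched `/certificates/*` stays literal, so a directory holding only dot-files passes the `ls -A` test and then aborts the container under `set -e` with a `cp` error. Whether `update-ca-certificates` on these images also honours `.pem` files is not shown here, so confirm before keeping that second pattern. The opt-in test is `[ -n "$USE_SYSTEM_CA_CERTS" ]`, so `USE_SYSTEM_CA_CERTS=0` or `=false` activates it too; the comment should say `# Any non-empty value activates the opt-in (USE_SYSTEM_CA_CERTS=0 counts as set)`. The same copy appears in the RHEL variants as `cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/` and in every other entrypoint.sh added by this diff.
```sh
    if [ -d /certificates ]; then
        for cert in /certificates/*.crt /certificates/*.pem; do
            # the [ -f ] test also skips the literal, unmatched pattern
            if [ -f "$cert" ]; then
                cp -a "$cert" /usr/local/share/ca-certificates/
            fi
        done
    fi
    # … unchanged: CACERT selection, update-ca-certificates, trust extract …
```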
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+    # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+    update-ca-trust
+
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/11/jdk/ubi/ubi9-minimal/Dockerfile.releases.full b/11/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
index 41125507..027bcb31 100644
--- a/11/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
+++ b/11/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
@@ -70,5 +70,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/11/jdk/ubi/ubi9-minimal/entrypoint.sh b/11/jdk/ubi/ubi9-minimal/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/11/jdk/ubi/ubi9-minimal/entrypoint.sh
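Review bot: `ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"` succeeds even when its target does not exist, so if `update-ca-trust` did not write the Java-format extraction (whether it does so on every base image in this diff, ubi9-minimal included, is not visible here) the JDK's own `cacerts` is replaced by a dangling symlink and TLS fails later inside the application instead of the container failing at start. A guard before the link keeps the failure where it is diagnosable: `[ -f /etc/pki/ca-trust/extracted/java/cacerts ] || { printf '%s\n' "update-ca-trust produced no Java truststore" >&2; exit 1; }`. The link also replaces the JDK bundle with the system bundle even when `/certificates` is empty or absent; that matches the stated intent, but the comment above `update-ca-trust` should say so explicitly, e.g. `# Replaces the JDK bundle with the system bundle whenever the opt-in is set, mounted or not`. The identical script is added as 11/jdk/ubi/ubi9-minimal, 11/jre/centos, 11/jre/ubi/ubi9-minimal and 17/jdk/centos entrypoint.sh in this diff.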
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+    # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+    update-ca-trust
+
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/11/jdk/ubuntu/focal/Dockerfile.releases.full b/11/jdk/ubuntu/focal/Dockerfile.releases.full
index 0f4123d8..af3a05fe 100644
--- a/11/jdk/ubuntu/focal/Dockerfile.releases.full
+++ b/11/jdk/ubuntu/focal/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
     && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
     && locale-gen en_US.UTF-8 \
     && rm -rf /var/lib/apt/lists/*
@@ -83,5 +83,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/11/jdk/ubuntu/focal/entrypoint.sh b/11/jdk/ubuntu/focal/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/11/jdk/ubuntu/focal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/local/share/ca-certificates/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+    update-ca-certificates
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/11/jdk/ubuntu/jammy/Dockerfile.releases.full b/11/jdk/ubuntu/jammy/Dockerfile.releases.full
index fd889bdf..b13df033 100644
--- a/11/jdk/ubuntu/jammy/Dockerfile.releases.full
+++ b/11/jdk/ubuntu/jammy/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
     && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
     && locale-gen en_US.UTF-8 \
     && rm -rf /var/lib/apt/lists/*
@@ -83,5 +83,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/11/jdk/ubuntu/jammy/entrypoint.sh b/11/jdk/ubuntu/jammy/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/11/jdk/ubuntu/jammy/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/local/share/ca-certificates/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+    update-ca-certificates
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/11/jre/alpine/Dockerfile.releases.full b/11/jre/alpine/Dockerfile.releases.full
index c6e7a23e..0f4ff389 100644
--- a/11/jre/alpine/Dockerfile.releases.full
+++ b/11/jre/alpine/Dockerfile.releases.full
@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
     && rm -rf /var/cache/apk/*
 ENV JAVA_VERSION jdk-11.0.19+7
@@ -58,3 +59,5 @@ RUN echo Verifying install ... \
     && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/11/jre/alpine/entrypoint.sh b/11/jre/alpine/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/11/jre/alpine/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/local/share/ca-certificates/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+    update-ca-certificates
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/11/jre/centos/Dockerfile.releases.full b/11/jre/centos/Dockerfile.releases.full
index 4e4aaae9..3383dc6d 100644
--- a/11/jre/centos/Dockerfile.releases.full
+++ b/11/jre/centos/Dockerfile.releases.full
@@ -65,3 +65,5 @@ RUN echo Verifying install ... \
     && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/11/jre/centos/entrypoint.sh b/11/jre/centos/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/11/jre/centos/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+    # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+    update-ca-trust
+
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/11/jre/ubi/ubi9-minimal/Dockerfile.releases.full b/11/jre/ubi/ubi9-minimal/Dockerfile.releases.full
index ee63a8fd..44812d18 100644
--- a/11/jre/ubi/ubi9-minimal/Dockerfile.releases.full
+++ b/11/jre/ubi/ubi9-minimal/Dockerfile.releases.full
@@ -69,3 +69,5 @@ RUN echo Verifying install ... \
     && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/11/jre/ubi/ubi9-minimal/entrypoint.sh b/11/jre/ubi/ubi9-minimal/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/11/jre/ubi/ubi9-minimal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+    # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+    update-ca-trust
+
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/11/jre/ubuntu/focal/Dockerfile.releases.full b/11/jre/ubuntu/focal/Dockerfile.releases.full
index 1a9e66f6..f609f93a 100644
--- a/11/jre/ubuntu/focal/Dockerfile.releases.full
+++ b/11/jre/ubuntu/focal/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
     && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
     && locale-gen en_US.UTF-8 \
     && rm -rf /var/lib/apt/lists/*
@@ -82,3 +82,5 @@ RUN echo Verifying install ... \
     && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/11/jre/ubuntu/focal/entrypoint.sh b/11/jre/ubuntu/focal/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/11/jre/ubuntu/focal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/local/share/ca-certificates/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+    update-ca-certificates
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/11/jre/ubuntu/jammy/Dockerfile.releases.full b/11/jre/ubuntu/jammy/Dockerfile.releases.full
index eadf7e29..bb06e7f3 100644
--- a/11/jre/ubuntu/jammy/Dockerfile.releases.full
+++ b/11/jre/ubuntu/jammy/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
     && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
     && locale-gen en_US.UTF-8 \
     && rm -rf /var/lib/apt/lists/*
@@ -82,3 +82,5 @@ RUN echo Verifying install ... \
     && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/11/jre/ubuntu/jammy/entrypoint.sh b/11/jre/ubuntu/jammy/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/11/jre/ubuntu/jammy/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/local/share/ca-certificates/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+    update-ca-certificates
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/17/jdk/alpine/Dockerfile.releases.full b/17/jdk/alpine/Dockerfile.releases.full
index 698534c3..9253f30d 100644
--- a/17/jdk/alpine/Dockerfile.releases.full
+++ b/17/jdk/alpine/Dockerfile.releases.full
@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
     && rm -rf /var/cache/apk/*
 ENV JAVA_VERSION jdk-17.0.7+7
@@ -59,5 +60,7 @@ RUN echo Verifying install ... \
 && echo javac --version && javac --version \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/17/jdk/alpine/entrypoint.sh b/17/jdk/alpine/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/17/jdk/alpine/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/17/jdk/centos/Dockerfile.releases.full b/17/jdk/centos/Dockerfile.releases.full
index a6b49b23..edb04032 100644
--- a/17/jdk/centos/Dockerfile.releases.full
+++ b/17/jdk/centos/Dockerfile.releases.full
@@ -66,5 +66,7 @@ RUN echo Verifying install ... \
 && echo javac --version && javac --version \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/17/jdk/centos/entrypoint.sh b/17/jdk/centos/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/17/jdk/centos/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+ update-ca-trust
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/17/jdk/ubi/ubi9-minimal/Dockerfile.releases.full b/17/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
index dfa4b3d7..913d82cc 100644
--- a/17/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
+++ b/17/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
@@ -70,5 +70,7 @@ RUN echo Verifying install ... \
 && echo javac --version && javac --version \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/17/jdk/ubi/ubi9-minimal/entrypoint.sh b/17/jdk/ubi/ubi9-minimal/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/17/jdk/ubi/ubi9-minimal/entrypoint.sh
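Review bot: `update-ca-trust` and the `ln -sf` onto `$CACERT` both need write access to /etc/pki and to the JDK tree, so when the image is started with a non-root `--user` and USE_SYSTEM_CA_CERTS set, the first of them fails and `set -e` stops the container before `exec "$@"` with only the tool's own error to go on; a guard at the top of the opt-in block, `[ "$(id -u)" -eq 0 ] || { printf 'entrypoint: USE_SYSTEM_CA_CERTS requires root\n' >&2; exit 1; }`, makes the precondition explicit. This applies equally to the `update-ca-certificates`/`trust extract` variant and to the other f2f6b5ff copies of this script (17/jdk/ubi/ubi9-minimal, 17/jre/centos, 17/jre/ubi/ubi9-minimal, 20/jdk/ubi/ubi9-minimal, 20/jre/ubi/ubi9-minimal, 8/jdk/centos). The comment above `ln -sf` should also state the consequence for the JDK's own file: `# Replaces the JDK's bundled cacerts with a symlink to the system-derived keystore; the JDK-shipped roots are no longer consulted.` Finally, update-ca-trust(8) designates /etc/pki/ca-trust/source/anchors/ for locally added anchors and treats /usr/share/pki/ca-trust-source/ as the lower-priority location, so the `cp` target on the hunk's cp line may be better placed under /etc.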
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+ update-ca-trust
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/17/jdk/ubuntu/focal/Dockerfile.releases.full b/17/jdk/ubuntu/focal/Dockerfile.releases.full
index ce6108ce..da611416 100644
--- a/17/jdk/ubuntu/focal/Dockerfile.releases.full
+++ b/17/jdk/ubuntu/focal/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \
 && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
 && locale-gen en_US.UTF-8 \
 && rm -rf /var/lib/apt/lists/*
@@ -83,5 +83,7 @@ RUN echo Verifying install ... \
 && echo javac --version && javac --version \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/17/jdk/ubuntu/focal/entrypoint.sh b/17/jdk/ubuntu/focal/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/17/jdk/ubuntu/focal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/17/jdk/ubuntu/jammy/Dockerfile.releases.full b/17/jdk/ubuntu/jammy/Dockerfile.releases.full
index bde79aea..ffe3c2dd 100644
--- a/17/jdk/ubuntu/jammy/Dockerfile.releases.full
+++ b/17/jdk/ubuntu/jammy/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \
 && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
 && locale-gen en_US.UTF-8 \
 && rm -rf /var/lib/apt/lists/*
@@ -83,5 +83,7 @@ RUN echo Verifying install ... \
 && echo javac --version && javac --version \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/17/jdk/ubuntu/jammy/entrypoint.sh b/17/jdk/ubuntu/jammy/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/17/jdk/ubuntu/jammy/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/17/jre/alpine/Dockerfile.releases.full b/17/jre/alpine/Dockerfile.releases.full
index 1e414ea2..16a27bb7 100644
--- a/17/jre/alpine/Dockerfile.releases.full
+++ b/17/jre/alpine/Dockerfile.releases.full
@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
 && rm -rf /var/cache/apk/*
 ENV JAVA_VERSION jdk-17.0.7+7
@@ -58,3 +59,5 @@ RUN echo Verifying install ... \
 && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/17/jre/alpine/entrypoint.sh b/17/jre/alpine/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/17/jre/alpine/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/17/jre/centos/Dockerfile.releases.full b/17/jre/centos/Dockerfile.releases.full
index 3c6910cf..22c487c5 100644
--- a/17/jre/centos/Dockerfile.releases.full
+++ b/17/jre/centos/Dockerfile.releases.full
@@ -65,3 +65,5 @@ RUN echo Verifying install ... \
 && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/17/jre/centos/entrypoint.sh b/17/jre/centos/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/17/jre/centos/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+ update-ca-trust
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/17/jre/ubi/ubi9-minimal/Dockerfile.releases.full b/17/jre/ubi/ubi9-minimal/Dockerfile.releases.full
index 364d0eef..fec05c4a 100644
--- a/17/jre/ubi/ubi9-minimal/Dockerfile.releases.full
+++ b/17/jre/ubi/ubi9-minimal/Dockerfile.releases.full
@@ -69,3 +69,5 @@ RUN echo Verifying install ... \
 && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/17/jre/ubi/ubi9-minimal/entrypoint.sh b/17/jre/ubi/ubi9-minimal/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/17/jre/ubi/ubi9-minimal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+ update-ca-trust
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/17/jre/ubuntu/focal/Dockerfile.releases.full b/17/jre/ubuntu/focal/Dockerfile.releases.full
index 2a49eaa6..2eb5c77c 100644
--- a/17/jre/ubuntu/focal/Dockerfile.releases.full
+++ b/17/jre/ubuntu/focal/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \
 && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
 && locale-gen en_US.UTF-8 \
 && rm -rf /var/lib/apt/lists/*
@@ -82,3 +82,5 @@ RUN echo Verifying install ... \
 && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/17/jre/ubuntu/focal/entrypoint.sh b/17/jre/ubuntu/focal/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/17/jre/ubuntu/focal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/17/jre/ubuntu/jammy/Dockerfile.releases.full b/17/jre/ubuntu/jammy/Dockerfile.releases.full
index e1a69aeb..35b3e94a 100644
--- a/17/jre/ubuntu/jammy/Dockerfile.releases.full
+++ b/17/jre/ubuntu/jammy/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \
 && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
 && locale-gen en_US.UTF-8 \
 && rm -rf /var/lib/apt/lists/*
@@ -82,3 +82,5 @@ RUN echo Verifying install ... \
 && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/17/jre/ubuntu/jammy/entrypoint.sh b/17/jre/ubuntu/jammy/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/17/jre/ubuntu/jammy/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/20/jdk/alpine/Dockerfile.releases.full b/20/jdk/alpine/Dockerfile.releases.full
index 243b3235..bad9f4c0 100644
--- a/20/jdk/alpine/Dockerfile.releases.full
+++ b/20/jdk/alpine/Dockerfile.releases.full
@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
 && rm -rf /var/cache/apk/*
 ENV JAVA_VERSION jdk-20.0.1+9
@@ -59,5 +60,7 @@ RUN echo Verifying install ... \
 && echo javac --version && javac --version \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/20/jdk/alpine/entrypoint.sh b/20/jdk/alpine/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/20/jdk/alpine/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/20/jdk/ubi/ubi9-minimal/Dockerfile.releases.full b/20/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
index 0e585ace..a2a9e579 100644
--- a/20/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
+++ b/20/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
@@ -62,5 +62,7 @@ RUN echo Verifying install ... \
 && echo javac --version && javac --version \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/20/jdk/ubi/ubi9-minimal/entrypoint.sh b/20/jdk/ubi/ubi9-minimal/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/20/jdk/ubi/ubi9-minimal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+ update-ca-trust
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/20/jdk/ubuntu/jammy/Dockerfile.releases.full b/20/jdk/ubuntu/jammy/Dockerfile.releases.full
index ede60b85..aa557872 100644
--- a/20/jdk/ubuntu/jammy/Dockerfile.releases.full
+++ b/20/jdk/ubuntu/jammy/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \
 && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
 && locale-gen en_US.UTF-8 \
 && rm -rf /var/lib/apt/lists/*
@@ -71,5 +71,7 @@ RUN echo Verifying install ... \
 && echo javac --version && javac --version \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["jshell"]
diff --git a/20/jdk/ubuntu/jammy/entrypoint.sh b/20/jdk/ubuntu/jammy/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/20/jdk/ubuntu/jammy/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/20/jre/alpine/Dockerfile.releases.full b/20/jre/alpine/Dockerfile.releases.full
index dd4de334..4e163da9 100644
--- a/20/jre/alpine/Dockerfile.releases.full
+++ b/20/jre/alpine/Dockerfile.releases.full
@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
 && rm -rf /var/cache/apk/*
 ENV JAVA_VERSION jdk-20.0.1+9
@@ -58,3 +59,5 @@ RUN echo Verifying install ... \
 && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/20/jre/alpine/entrypoint.sh b/20/jre/alpine/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/20/jre/alpine/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/20/jre/ubi/ubi9-minimal/Dockerfile.releases.full b/20/jre/ubi/ubi9-minimal/Dockerfile.releases.full
index 1877aadc..8965dfb1 100644
--- a/20/jre/ubi/ubi9-minimal/Dockerfile.releases.full
+++ b/20/jre/ubi/ubi9-minimal/Dockerfile.releases.full
@@ -61,3 +61,5 @@ RUN echo Verifying install ... \
 && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/20/jre/ubi/ubi9-minimal/entrypoint.sh b/20/jre/ubi/ubi9-minimal/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/20/jre/ubi/ubi9-minimal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+ update-ca-trust
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/20/jre/ubuntu/jammy/Dockerfile.releases.full b/20/jre/ubuntu/jammy/Dockerfile.releases.full
index 8e18fda9..2bcbcfc6 100644
--- a/20/jre/ubuntu/jammy/Dockerfile.releases.full
+++ b/20/jre/ubuntu/jammy/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales binutils \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit binutils \
 && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
 && locale-gen en_US.UTF-8 \
 && rm -rf /var/lib/apt/lists/*
@@ -70,3 +70,5 @@ RUN echo Verifying install ... \
 && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
 && echo java --version && java --version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/20/jre/ubuntu/jammy/entrypoint.sh b/20/jre/ubuntu/jammy/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/20/jre/ubuntu/jammy/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/8/jdk/alpine/Dockerfile.releases.full b/8/jdk/alpine/Dockerfile.releases.full
index feeb69f0..a03b60d7 100644
--- a/8/jdk/alpine/Dockerfile.releases.full
+++ b/8/jdk/alpine/Dockerfile.releases.full
@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
 && rm -rf /var/cache/apk/*
 ENV JAVA_VERSION jdk8u372-b07
@@ -58,3 +59,5 @@ RUN echo Verifying install ... \
 && echo javac -version && javac -version \
 && echo java -version && java -version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/8/jdk/alpine/entrypoint.sh b/8/jdk/alpine/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/8/jdk/alpine/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/8/jdk/centos/Dockerfile.releases.full b/8/jdk/centos/Dockerfile.releases.full
index c64fb26a..3540747d 100644
--- a/8/jdk/centos/Dockerfile.releases.full
+++ b/8/jdk/centos/Dockerfile.releases.full
@@ -65,3 +65,5 @@ RUN echo Verifying install ... \
 && echo javac -version && javac -version \
 && echo java -version && java -version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/8/jdk/centos/entrypoint.sh b/8/jdk/centos/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/8/jdk/centos/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+ update-ca-trust
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/8/jdk/ubi/ubi9-minimal/Dockerfile.releases.full b/8/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
index fef964f0..2427695b 100644
--- a/8/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
+++ b/8/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
@@ -65,3 +65,5 @@ RUN echo Verifying install ... \
 && echo javac -version && javac -version \
 && echo java -version && java -version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/8/jdk/ubi/ubi9-minimal/entrypoint.sh b/8/jdk/ubi/ubi9-minimal/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/8/jdk/ubi/ubi9-minimal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+ update-ca-trust
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/8/jdk/ubuntu/focal/Dockerfile.releases.full b/8/jdk/ubuntu/focal/Dockerfile.releases.full
index 3e2b6ff5..87832799 100644
--- a/8/jdk/ubuntu/focal/Dockerfile.releases.full
+++ b/8/jdk/ubuntu/focal/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
 && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
 && locale-gen en_US.UTF-8 \
 && rm -rf /var/lib/apt/lists/*
@@ -79,3 +79,5 @@ RUN echo Verifying install ... \
 && echo javac -version && javac -version \
 && echo java -version && java -version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/8/jdk/ubuntu/focal/entrypoint.sh b/8/jdk/ubuntu/focal/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/8/jdk/ubuntu/focal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/8/jdk/ubuntu/jammy/Dockerfile.releases.full b/8/jdk/ubuntu/jammy/Dockerfile.releases.full
index 0ae226f4..bb172f7e 100644
--- a/8/jdk/ubuntu/jammy/Dockerfile.releases.full
+++ b/8/jdk/ubuntu/jammy/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
 && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
 && locale-gen en_US.UTF-8 \
 && rm -rf /var/lib/apt/lists/*
@@ -79,3 +79,5 @@ RUN echo Verifying install ... \
 && echo javac -version && javac -version \
 && echo java -version && java -version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/8/jdk/ubuntu/jammy/entrypoint.sh b/8/jdk/ubuntu/jammy/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/8/jdk/ubuntu/jammy/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/8/jre/alpine/Dockerfile.releases.full b/8/jre/alpine/Dockerfile.releases.full
index d35c8324..0e5f3e1f 100644
--- a/8/jre/alpine/Dockerfile.releases.full
+++ b/8/jre/alpine/Dockerfile.releases.full
@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
 && rm -rf /var/cache/apk/*
 ENV JAVA_VERSION jdk8u372-b07
@@ -57,3 +58,5 @@ RUN set -eux; \
 RUN echo Verifying install ... \
 && echo java -version && java -version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/8/jre/alpine/entrypoint.sh b/8/jre/alpine/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/8/jre/alpine/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/8/jre/centos/Dockerfile.releases.full b/8/jre/centos/Dockerfile.releases.full
index e2a48af9..ec934d86 100644
--- a/8/jre/centos/Dockerfile.releases.full
+++ b/8/jre/centos/Dockerfile.releases.full
@@ -64,3 +64,5 @@ RUN set -eux; \
 RUN echo Verifying install ... \
 && echo java -version && java -version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/8/jre/centos/entrypoint.sh b/8/jre/centos/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/8/jre/centos/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+ update-ca-trust
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/8/jre/ubi/ubi9-minimal/Dockerfile.releases.full b/8/jre/ubi/ubi9-minimal/Dockerfile.releases.full
index c26e79d4..59a585ab 100644
--- a/8/jre/ubi/ubi9-minimal/Dockerfile.releases.full
+++ b/8/jre/ubi/ubi9-minimal/Dockerfile.releases.full
@@ -64,3 +64,5 @@ RUN set -eux; \
 RUN echo Verifying install ... \
 && echo java -version && java -version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/8/jre/ubi/ubi9-minimal/entrypoint.sh b/8/jre/ubi/ubi9-minimal/entrypoint.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/8/jre/ubi/ubi9-minimal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+ update-ca-trust
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"
diff --git a/8/jre/ubuntu/focal/Dockerfile.releases.full b/8/jre/ubuntu/focal/Dockerfile.releases.full
index eb8d4365..1d4be9ae 100644
--- a/8/jre/ubuntu/focal/Dockerfile.releases.full
+++ b/8/jre/ubuntu/focal/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
 && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
 && locale-gen en_US.UTF-8 \
 && rm -rf /var/lib/apt/lists/*
@@ -78,3 +78,5 @@ RUN set -eux; \
 RUN echo Verifying install ... \
 && echo java -version && java -version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/8/jre/ubuntu/focal/entrypoint.sh b/8/jre/ubuntu/focal/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/8/jre/ubuntu/focal/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/8/jre/ubuntu/jammy/Dockerfile.releases.full b/8/jre/ubuntu/jammy/Dockerfile.releases.full
index ccf93a70..9bc7562b 100644
--- a/8/jre/ubuntu/jammy/Dockerfile.releases.full
+++ b/8/jre/ubuntu/jammy/Dockerfile.releases.full
@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
 && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
 && locale-gen en_US.UTF-8 \
 && rm -rf /var/lib/apt/lists/*
@@ -78,3 +78,5 @@ RUN set -eux; \
 RUN echo Verifying install ... \
 && echo java -version && java -version \
 && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/8/jre/ubuntu/jammy/entrypoint.sh b/8/jre/ubuntu/jammy/entrypoint.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/8/jre/ubuntu/jammy/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/dockerfile_functions.sh b/dockerfile_functions.sh
index 3c5a46ed..4bc968ef 100755
--- a/dockerfile_functions.sh
+++ b/dockerfile_functions.sh
@@ -175,7 +175,8 @@ ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 # Select the ubuntu OS packages
 print_ubuntu_pkg() {
- packages="tzdata curl wget ca-certificates fontconfig locales"
+ # p11-kit provides the `trust` binary used in certificate extraction
+ packages="tzdata curl wget ca-certificates fontconfig locales p11-kit"
 # binutils is needed on JDK13+ for jlink to work https://github.com/docker-library/openjdk/issues/351
 if [[ $version -ge 13 ]]; then
 packages+=" binutils"
@@ -227,7 +228,8 @@ print_alpine_pkg() {
 print_alpine_musl_pkg() {
 cat >> "$1" <<'EOI'
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
 && rm -rf /var/cache/apk/*
 EOI
 }
@@ -847,6 +849,17 @@ RUN Write-Host 'Verifying install ...'; \\
 fi
 }
+print_entrypoint() {
+ dir=$(dirname "$1")
+
+ cat "scripts/entrypoint.$2.sh" > "$dir/entrypoint.sh"
+ chmod +x "$dir/entrypoint.sh"
+ cat >> "$1" < 8, set CMD["jshell"] in the Dockerfile above_8="^(9|[1-9][0-9]+)$"
@@ -900,6 +913,7 @@ generate_dockerfile() { print_"${distro}"_java_install "${file}" "${pkg}" "${bld}" "${btype}" "${osfamily}" "${os}"; print_java_options "${file}" "${bld}" "${btype}"; print_test "${file}"; + print_entrypoint "${file}" "${os}" print_cmd "${file}"; fi echo "done"
diff --git a/scripts/entrypoint.alpine.sh b/scripts/entrypoint.alpine.sh
new file mode 100755
index 00000000..15bf4330
--- /dev/null
+++ b/scripts/entrypoint.alpine.sh
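Review bot: In `print_entrypoint`, `dir=$(dirname "$1")` assigns a global the same way the neighbouring functions do (`packages=` in `print_ubuntu_pkg`), but the new call site `print_entrypoint "${file}" "${os}"` in `generate_dockerfile` drops the trailing `;` that every sibling call on the surrounding lines carries; for consistency it should read `print_entrypoint "${file}" "${os}";`. The body of `print_entrypoint` from `cat >> "$1" <` onward is not readable in this rendering (presumably the heredoc that emits the `COPY entrypoint.sh /` and `ENTRYPOINT` lines seen in the generated Dockerfiles), so the generated block itself cannot be reviewed here. Since `cat "scripts/entrypoint.$2.sh"` resolves `$2` from the `os` value and relies on the symlink files under scripts/ to map it, a header comment naming the contract, e.g. `# $1: Dockerfile path, $2: OS name; copies scripts/entrypoint.$2.sh next to the Dockerfile and appends COPY/ENTRYPOINT`, would help the next reader.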
@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/scripts/entrypoint.centos.sh b/scripts/entrypoint.centos.sh
new file mode 120000
index 00000000..56252861
--- /dev/null
+++ b/scripts/entrypoint.centos.sh
@@ -0,0 +1 @@
+entrypoint.ubi9-minimal.sh
\ No newline at end of file
diff --git a/scripts/entrypoint.focal.sh b/scripts/entrypoint.focal.sh
new file mode 120000
index 00000000..ce5e34af
--- /dev/null
+++ b/scripts/entrypoint.focal.sh
@@ -0,0 +1 @@
+entrypoint.alpine.sh
\ No newline at end of file
diff --git a/scripts/entrypoint.jammy.sh b/scripts/entrypoint.jammy.sh
new file mode 120000
index 00000000..ce5e34af
--- /dev/null
+++ b/scripts/entrypoint.jammy.sh
@@ -0,0 +1 @@
+entrypoint.alpine.sh
\ No newline at end of file
diff --git a/scripts/entrypoint.ubi9-minimal.sh b/scripts/entrypoint.ubi9-minimal.sh
new file mode 100755
index 00000000..f2f6b5ff
--- /dev/null
+++ b/scripts/entrypoint.ubi9-minimal.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+ cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ CACERT=$JAVA_HOME/lib/security/cacerts
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+ fi
+
+ # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+ # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+ update-ca-trust
+
+ ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"