[Bug]: internal CA certificate mechanism does not work with non-root user #464
Comments
In the meantime, we switched to using the "good old" way of configuring the truststore with a Java opt.

@rassie any ideas?

It's a good thing this feature is opt-in, I guess. Kubernetes being mostly non-

Currently, we are explicit about using the system CA store for the JRE's trust store, just like

Both steps should still probably be possible in a non-privileged container -- there are valid reasons for updating the system CA store even without any JRE context, and the same reasons are valid for updating the JRE's trust store. I'm not quite sure what would be the best way to proceed, but at least for the latter part, creating and using a trust store at a different filesystem location could be the way, but it doesn't help with the system CA store.

Workaround:
This patch includes several improvements and simplifications in CA certificate handling:

* Support for CA certificates in containers running as a non-root user
* Support for CA certificates in containers running with read-only filesystem
* Unification of Docker entrypoint scripts into one
* Entrypoint script now exports CACERT environment variable to point to the used truststore file

Docs updates at https://github.com/docker-library/official-images/ pending.

Possibly fixes: adoptium#464
* Rework CA certificate support to allow rootless containers

  This patch includes several improvements and simplifications in CA certificate handling:

  * Support for CA certificates in containers running as a non-root user
  * Support for CA certificates in containers running with read-only filesystem
  * Unification of Docker entrypoint scripts into one
  * Entrypoint script now exports CACERT environment variable to point to the used truststore file

  Docs updates at https://github.com/docker-library/official-images/ pending.

  Possibly fixes: #464

* Update Dockerfiles
Please add the exact image (with tag) that you are using
eclipse-temurin:11-jre-jammy
Please add the version of Docker you are running
N/A
What happened?
As per the documentation "Can I add my internal CA certificates to the truststore?" and following the implementation of #293 and #392, I wanted to mount my internal CA certificate in a container at runtime.
The issue is that the internal CA certificate is not taken into account; an error is raised at start time:
From my first investigation, this is related to the fact that we use a non-root user whereas the internal CA handling can only work if the running user is root.
Simplified Dockerfile:
And run with the following command:
Commenting out the directive to run as non-root makes it work.
In a Kubernetes context where non-root is enforced, it makes the feature unusable.
However, I don't know if it is even possible to make this work as non-root. If not, I guess we should at least document it.
Relevant log output
No response
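The approach sketched in the thread (use a trust store at a different, writable filesystem location, point the JVM at it with a Java opt, and export CACERT so the application can find it) as an added entrypoint-style example. This is illustration code, not the adoptium entrypoint script or the patch referenced above. It assumes hypothetical environment variables CA_CERT_DIR (directory of mounted PEM files) and CA_SCRATCH_DIR (writable directory for the truststore copy), the usual $JAVA_HOME/lib/security/cacerts location, and the JDK default cacerts password "changeit". The keytool import step only runs where a JDK is present; truststore selection and JVM wiring do not need it.

```shell
#!/bin/sh
# Added example (not the adoptium entrypoint): import CA PEM files mounted
# into a container into a JRE truststore, working for a non-root user and for
# a read-only root filesystem. Assumed (hypothetical) layout:
#   CA_CERT_DIR    directory with *.crt / *.pem files (default /certificates)
#   CA_SCRATCH_DIR writable directory for the truststore copy (default /tmp)
#   JAVA_HOME      JRE location; cacerts is read from $JAVA_HOME/lib/security
# "changeit" is the JDK default cacerts password.

# Print a truststore path the current user can modify. `test -w` fails both
# for a non-root user on a root-owned cacerts and for any user on a read-only
# filesystem (access(2) returns EROFS), so one check covers both failure modes
# reported in the issue. Otherwise the JRE's own cacerts is used in place.
select_truststore() {
    default="$1"   # the JRE's own cacerts
    scratch="$2"   # writable directory for a private copy
    if [ -w "$default" ]; then
        printf '%s\n' "$default"
    else
        copy="$scratch/cacerts"
        cp "$default" "$copy" && chmod u+w "$copy" || return 1
        printf '%s\n' "$copy"
    fi
}

# Derive a keytool alias from a certificate file name (basename, no extension).
cert_alias() {
    name=$(basename "$1")
    printf '%s\n' "${name%.*}"
}

# Import every PEM in a directory into the truststore. Only this step needs
# keytool; path selection and JVM wiring do not.
import_ca_certs() {
    dir="$1"; store="$2"
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 1; }
    for pem in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$pem" ] || continue   # an unmatched glob stays literal; skip it
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$store" -storepass changeit \
            -alias "$(cert_alias "$pem")" -file "$pem"
    done
}

# JVM options that point the runtime at the chosen truststore.
truststore_java_opts() {
    printf '%s\n' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=changeit"
}

# Entrypoint-style wrapper: prepare the truststore, export CACERT (as the
# reworked entrypoint in the thread does) and JAVA_TOOL_OPTIONS, then exec
# the container command, e.g.  run_with_truststore java -jar app.jar
run_with_truststore() {
    store=$(select_truststore "${JAVA_HOME:?}/lib/security/cacerts" "${CA_SCRATCH_DIR:-/tmp}") || exit 1
    import_ca_certs "${CA_CERT_DIR:-/certificates}" "$store" || exit 1
    CACERT="$store"; export CACERT
    JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} $(truststore_java_opts "$store")"; export JAVA_TOOL_OPTIONS
    exec "$@"
}
```

Options in JAVA_TOOL_OPTIONS are prepended to the command line, so an explicit -Djavax.net.ssl.trustStore on the java command line still wins; the JVM also prints a "Picked up JAVA_TOOL_OPTIONS" line on stderr at startup, which is useful as a check that the truststore override is actually in effect in a non-root pod.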