-
-
Notifications
You must be signed in to change notification settings - Fork 96
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Rework CA certificate support to allow rootless containers (#538)
* Rework CA certificate support to allow rootless containers This patch includes several improvements and simplifications in CA certificate handling: * Support for CA certificates in containers running as a non-root user * Support for CA certificates in containers running with read-only filesystem * Unification of Docker entrypoint scripts into one * Entrypoint script now exports CACERT environment variable to point to the used truststore file Docs updates at https://github.com/docker-library/official-images/ pending. Possibly fixes: #464 * Update Dockerfiles
- Loading branch information
Showing
53 changed files
with
3,294 additions
and
795 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/server.key -out certs/server.crt` and is only used for testing | ||
This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt` and is only used for testing |
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
0101010001 | ||
01010100010101010001 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,30 +1,89 @@ | ||
#!/usr/bin/env bash | ||
# Shebang needs to be `bash`, see https://github.com/adoptium/containers/issues/415 for details | ||
#!/usr/bin/env sh | ||
# Converted to POSIX shell to avoid the need for bash in the image | ||
|
||
set -e | ||
|
||
# JDK truststore location | ||
CACERT=$JAVA_HOME/lib/security/cacerts | ||
|
||
# JDK8 puts its JRE in a subdirectory | ||
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then | ||
CACERT=$JAVA_HOME/jre/lib/security/cacerts | ||
fi | ||
|
||
# Opt-in is only activated if the environment variable is set | ||
if [ -n "$USE_SYSTEM_CA_CERTS" ]; then | ||
|
||
# Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty. | ||
# The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the | ||
# system location, for whatever reason. | ||
if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then | ||
cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ | ||
if [ ! -w /tmp ]; then | ||
echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." | ||
exit 1 | ||
fi | ||
|
||
CACERT=$JAVA_HOME/lib/security/cacerts | ||
|
||
# JDK8 puts its JRE in a subdirectory | ||
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then | ||
CACERT=$JAVA_HOME/jre/lib/security/cacerts | ||
# Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, | ||
# we'll use a temporary truststore. | ||
if [ ! -w "$CACERT" ]; then | ||
# We cannot write to the JVM truststore, so we create a temporary one | ||
CACERT_NEW=$(mktemp) | ||
echo "Using a temporary truststore at $CACERT_NEW" | ||
cp $CACERT $CACERT_NEW | ||
CACERT=$CACERT_NEW | ||
# If we use a custom truststore, we need to make sure that the JVM uses it | ||
export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" | ||
fi | ||
|
||
# RHEL-based images already include a routine to update a java truststore from the system CA bundle within | ||
# `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. | ||
update-ca-trust | ||
tmp_store=$(mktemp) | ||
|
||
# Copy full system CA store to a temporary location | ||
trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" | ||
|
||
# Add the system CA certificates to the JVM truststore. | ||
keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null | ||
|
||
# Import the additional certificate into JVM truststore | ||
for i in /certificates/*crt; do | ||
if [ ! -f "$i" ]; then | ||
continue | ||
fi | ||
keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null | ||
done | ||
|
||
ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" | ||
# Add additional certificates to the system CA store. This requires write permissions to several system | ||
# locations, which is not possible in a container with read-only filesystem and/or non-root container. | ||
if [ "$(id -u)" -eq 0 ]; then | ||
|
||
# Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty. | ||
# The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the | ||
# system location, for whatever reason. | ||
if [ -d /certificates ] && [ "$(ls -A /certificates 2>/dev/null)" ]; then | ||
|
||
# UBI/CentOS | ||
if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then | ||
cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ | ||
fi | ||
|
||
# Ubuntu/Alpine | ||
if [ -d /usr/local/share/ca-certificates/ ]; then | ||
cp -a /certificates/* /usr/local/share/ca-certificates/ | ||
fi | ||
fi | ||
|
||
# UBI/CentOS | ||
if which update-ca-trust >/dev/null; then | ||
update-ca-trust | ||
fi | ||
|
||
# Ubuntu/Alpine | ||
if which update-ca-certificates >/dev/null; then | ||
update-ca-certificates | ||
fi | ||
else | ||
# If we are not root, we cannot update the system truststore. That's bad news for tools like `curl` and `wget`, | ||
# but since the JVM is the primary focus here, we can live with that. | ||
true | ||
fi | ||
fi | ||
|
||
# Let's provide a variable with the correct path for tools that want or need to use it | ||
export CACERT | ||
|
||
exec "$@" |
Oops, something went wrong.