Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KNOX-2932 - Fix TLS Ciphers issue and add kerberos support to the docker image #772

Merged
merged 1 commit into from
Jul 19, 2023
Merged

KNOX-2932 - Fix TLS Ciphers issue and add kerberos support to the docker image #772

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions gateway-docker/src/main/resources/docker/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.

FROM openjdk:8-jre-alpine
FROM openjdk:8-jre-alpine3.8
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

openjdk images aren't updated anymore. see https://hub.docker.com/_/openjdk

you probably want to replace this with:

https://hub.docker.com/_/eclipse-temurin/tags?page=1&name=11-alpine

FROM eclipse-temurin:11-alpine

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for @risdenk, yeah, noticed that, unfortunately (and frustratingly) we need support for Java 8. So, until we move away from Java 8 this is the best alternative i could find.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

8-alpine exists too:

https://hub.docker.com/_/eclipse-temurin/tags?page=1&name=8-alpine

FROM eclipse-temurin:8-alpine

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, i was looking for images by openjdk this is how I landed on jre-alpine3.8. I wasn't aware of the Temurin, and reluctant to go with something that was not from openjdk. Looks like Temurin is a thing. I'll give this a try. Thanks for the inputs!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried using eclipse-temurin:8-alpine, there are TLS issues with

*   Trying 127.0.0.1:8443...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, user canceled (346):
* TLSv1.3 (IN), TLS alert, close notify (256):
* OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to localhost:8443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to localhost:8443

I am not sure what the different is between this base image and the openjdk one but this appears broken (atleast as far as Knox is concerned).

Let me know if you have any concerns.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

openjdk just isn't even an option anymore. Its not updated period. Even switching the tag. openjdk image is just plain wrong. See https://hub.docker.com/_/openjdk

The only tags which will continue to receive updates beyond July 2022 will be Early Access builds (which are sourced from jdk.java.net), as those are not published/supported by any of the above projects.

so really can't use openjdk

related to the error you are getting - I don't know.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What command are you running to get that error? Does it happen everytime?

It looks like maybe TLS 1.3? Does Knox support TLS 1.3?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

curl -vvv -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
I understand it is wrong, but better than broken, right now Knox docker is broken. We need to fix it so atleast we have a working image then we can test with different base images and see which works.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean https://issues.apache.org/jira/browse/KNOX-2932 doesn't detail anything about the docker image being broken. It talks about adding support for Kerberos - which is a new feature not necessarily meaning things are broken.

The title of the PR was updated to include "TLS Ciphers Issue" but no details as to what that means or why moving to 3.8 alpine actually fixes that.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The TLS issue was found while adding kerberos, this is how I noticed the image is broken. I am going to commit the changes and look for an official image that works. If you find something that work let us know I'd be happy to test.

MAINTAINER Apache Knox <[email protected]>

# Make sure required packages are available
RUN apk --no-cache add bash procps ca-certificates && update-ca-certificates
RUN apk --no-cache add bash procps ca-certificates krb5 && update-ca-certificates

# Create an knox user
RUN addgroup -S knox && adduser -S -G knox knox
Expand Down