From 6de6f41c376a85f8565d24c6a64cb8fdeba5787a Mon Sep 17 00:00:00 2001 From: Nikolai Prokoschenko Date: Mon, 3 Jun 2024 10:59:07 +0200 Subject: [PATCH] Address comments on the "rootless CA certs" patch Address the following problems with #538: 1. Correct the shell selection for entrypoint, Ubuntu flavours still need explicit `bash` for variables with dots in their names 2. Change unhelpful exported variable name (changed from `CACERT` to `JRE_CACERTS_PATH`) 3. Change `which` to more-POSIX-compatible `command -v` 4. More cleanup 5. Explicitely use `TMPDIR` when available instead of hard-coded `/tmp` --- .../tests/java-ca-certificates-update/run.sh | 2 +- 11/jdk/alpine/entrypoint.sh | 39 +++++++++++-------- 11/jdk/centos/entrypoint.sh | 39 +++++++++++-------- 11/jdk/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 11/jdk/ubuntu/focal/Dockerfile | 2 +- 11/jdk/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 11/jdk/ubuntu/jammy/Dockerfile | 2 +- 11/jdk/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 11/jre/alpine/entrypoint.sh | 39 +++++++++++-------- 11/jre/centos/entrypoint.sh | 39 +++++++++++-------- 11/jre/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 11/jre/ubuntu/focal/Dockerfile | 2 +- 11/jre/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 11/jre/ubuntu/jammy/Dockerfile | 2 +- 11/jre/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 17/jdk/alpine/entrypoint.sh | 39 +++++++++++-------- 17/jdk/centos/entrypoint.sh | 39 +++++++++++-------- 17/jdk/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 17/jdk/ubuntu/focal/Dockerfile | 2 +- 17/jdk/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 17/jdk/ubuntu/jammy/Dockerfile | 2 +- 17/jdk/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 17/jre/alpine/entrypoint.sh | 39 +++++++++++-------- 17/jre/centos/entrypoint.sh | 39 +++++++++++-------- 17/jre/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 17/jre/ubuntu/focal/Dockerfile | 2 +- 17/jre/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 17/jre/ubuntu/jammy/Dockerfile | 2 +- 17/jre/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 21/jdk/alpine/entrypoint.sh | 39 +++++++++++-------- 21/jdk/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 21/jdk/ubuntu/jammy/Dockerfile | 2 +- 21/jdk/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 21/jre/alpine/entrypoint.sh | 39 +++++++++++-------- 21/jre/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 21/jre/ubuntu/jammy/Dockerfile | 2 +- 21/jre/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 22/jdk/alpine/entrypoint.sh | 39 +++++++++++-------- 22/jdk/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 22/jdk/ubuntu/jammy/Dockerfile | 2 +- 22/jdk/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 22/jre/alpine/entrypoint.sh | 39 +++++++++++-------- 22/jre/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 22/jre/ubuntu/jammy/Dockerfile | 2 +- 22/jre/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 8/jdk/alpine/entrypoint.sh | 39 +++++++++++-------- 8/jdk/centos/entrypoint.sh | 39 +++++++++++-------- 8/jdk/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 8/jdk/ubuntu/focal/Dockerfile | 2 +- 8/jdk/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 8/jdk/ubuntu/jammy/Dockerfile | 2 +- 8/jdk/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 8/jre/alpine/entrypoint.sh | 39 +++++++++++-------- 8/jre/centos/entrypoint.sh | 39 +++++++++++-------- 8/jre/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 8/jre/ubuntu/focal/Dockerfile | 2 +- 8/jre/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 8/jre/ubuntu/jammy/Dockerfile | 2 +- 8/jre/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- config/hotspot.yml | 6 +++ docker_templates/entrypoint.sh | 39 +++++++++++-------- docker_templates/ubuntu.Dockerfile.j2 | 4 +- generate_dockerfiles.py | 2 + 63 files changed, 1016 insertions(+), 707 deletions(-) mode change 100755 => 100644 docker_templates/entrypoint.sh diff --git a/.test/tests/java-ca-certificates-update/run.sh b/.test/tests/java-ca-certificates-update/run.sh index 7c883fa19..3ad348b53 100755 --- a/.test/tests/java-ca-certificates-update/run.sh +++ b/.test/tests/java-ca-certificates-update/run.sh @@ -10,7 +10,7 @@ CMD1=date # CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore. Entrypoint export $CACERT to # point to the Java keystore. -CMD2=(sh -c "keytool -list -keystore \$CACERT -storepass changeit -alias dockerbuilder") +CMD2=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder") # For a custom entrypoint test, we need to create a new image. This image will get cleaned up at the end of the script # by the `finish` trap function. diff --git a/11/jdk/alpine/entrypoint.sh b/11/jdk/alpine/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/11/jdk/alpine/entrypoint.sh +++ b/11/jdk/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/centos/entrypoint.sh b/11/jdk/centos/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/11/jdk/centos/entrypoint.sh +++ b/11/jdk/centos/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/ubi/ubi9-minimal/entrypoint.sh b/11/jdk/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/11/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/11/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/ubuntu/focal/Dockerfile b/11/jdk/ubuntu/focal/Dockerfile index b4a2286a3..c76f99a27 100644 --- a/11/jdk/ubuntu/focal/Dockerfile +++ b/11/jdk/ubuntu/focal/Dockerfile @@ -100,6 +100,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/ubuntu/focal/entrypoint.sh b/11/jdk/ubuntu/focal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/11/jdk/ubuntu/focal/entrypoint.sh +++ b/11/jdk/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/ubuntu/jammy/Dockerfile b/11/jdk/ubuntu/jammy/Dockerfile index 8493bffa7..aec104372 100644 --- a/11/jdk/ubuntu/jammy/Dockerfile +++ b/11/jdk/ubuntu/jammy/Dockerfile @@ -100,6 +100,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/ubuntu/jammy/entrypoint.sh b/11/jdk/ubuntu/jammy/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/11/jdk/ubuntu/jammy/entrypoint.sh +++ b/11/jdk/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/alpine/entrypoint.sh b/11/jre/alpine/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/11/jre/alpine/entrypoint.sh +++ b/11/jre/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/centos/entrypoint.sh b/11/jre/centos/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/11/jre/centos/entrypoint.sh +++ b/11/jre/centos/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/ubi/ubi9-minimal/entrypoint.sh b/11/jre/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/11/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/11/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/ubuntu/focal/Dockerfile b/11/jre/ubuntu/focal/Dockerfile index 7b72337ac..9f63c996d 100644 --- a/11/jre/ubuntu/focal/Dockerfile +++ b/11/jre/ubuntu/focal/Dockerfile @@ -98,4 +98,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/11/jre/ubuntu/focal/entrypoint.sh b/11/jre/ubuntu/focal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/11/jre/ubuntu/focal/entrypoint.sh +++ b/11/jre/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/ubuntu/jammy/Dockerfile b/11/jre/ubuntu/jammy/Dockerfile index c9d67d7cb..d2fda1570 100644 --- a/11/jre/ubuntu/jammy/Dockerfile +++ b/11/jre/ubuntu/jammy/Dockerfile @@ -98,4 +98,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/11/jre/ubuntu/jammy/entrypoint.sh b/11/jre/ubuntu/jammy/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/11/jre/ubuntu/jammy/entrypoint.sh +++ b/11/jre/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/alpine/entrypoint.sh b/17/jdk/alpine/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/17/jdk/alpine/entrypoint.sh +++ b/17/jdk/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/centos/entrypoint.sh b/17/jdk/centos/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/17/jdk/centos/entrypoint.sh +++ b/17/jdk/centos/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/ubi/ubi9-minimal/entrypoint.sh b/17/jdk/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/17/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/17/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/ubuntu/focal/Dockerfile b/17/jdk/ubuntu/focal/Dockerfile index c4f9c82bf..03376e611 100644 --- a/17/jdk/ubuntu/focal/Dockerfile +++ b/17/jdk/ubuntu/focal/Dockerfile @@ -103,6 +103,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/ubuntu/focal/entrypoint.sh b/17/jdk/ubuntu/focal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/17/jdk/ubuntu/focal/entrypoint.sh +++ b/17/jdk/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/ubuntu/jammy/Dockerfile b/17/jdk/ubuntu/jammy/Dockerfile index 18beaa010..73dd839be 100644 --- a/17/jdk/ubuntu/jammy/Dockerfile +++ b/17/jdk/ubuntu/jammy/Dockerfile @@ -103,6 +103,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/ubuntu/jammy/entrypoint.sh b/17/jdk/ubuntu/jammy/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/17/jdk/ubuntu/jammy/entrypoint.sh +++ b/17/jdk/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/alpine/entrypoint.sh b/17/jre/alpine/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/17/jre/alpine/entrypoint.sh +++ b/17/jre/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/centos/entrypoint.sh b/17/jre/centos/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/17/jre/centos/entrypoint.sh +++ b/17/jre/centos/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/ubi/ubi9-minimal/entrypoint.sh b/17/jre/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/17/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/17/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/ubuntu/focal/Dockerfile b/17/jre/ubuntu/focal/Dockerfile index 0d050c98b..497eb19a4 100644 --- a/17/jre/ubuntu/focal/Dockerfile +++ b/17/jre/ubuntu/focal/Dockerfile @@ -98,4 +98,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/17/jre/ubuntu/focal/entrypoint.sh b/17/jre/ubuntu/focal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/17/jre/ubuntu/focal/entrypoint.sh +++ b/17/jre/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/ubuntu/jammy/Dockerfile b/17/jre/ubuntu/jammy/Dockerfile index 951147b38..ce4e6f5dd 100644 --- a/17/jre/ubuntu/jammy/Dockerfile +++ b/17/jre/ubuntu/jammy/Dockerfile @@ -98,4 +98,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/17/jre/ubuntu/jammy/entrypoint.sh b/17/jre/ubuntu/jammy/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/17/jre/ubuntu/jammy/entrypoint.sh +++ b/17/jre/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jdk/alpine/entrypoint.sh b/21/jdk/alpine/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/21/jdk/alpine/entrypoint.sh +++ b/21/jdk/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jdk/ubi/ubi9-minimal/entrypoint.sh b/21/jdk/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/21/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/21/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jdk/ubuntu/jammy/Dockerfile b/21/jdk/ubuntu/jammy/Dockerfile index fb7d8197d..0a0d84718 100644 --- a/21/jdk/ubuntu/jammy/Dockerfile +++ b/21/jdk/ubuntu/jammy/Dockerfile @@ -99,6 +99,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/21/jdk/ubuntu/jammy/entrypoint.sh b/21/jdk/ubuntu/jammy/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/21/jdk/ubuntu/jammy/entrypoint.sh +++ b/21/jdk/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jre/alpine/entrypoint.sh b/21/jre/alpine/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/21/jre/alpine/entrypoint.sh +++ b/21/jre/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jre/ubi/ubi9-minimal/entrypoint.sh b/21/jre/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/21/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/21/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jre/ubuntu/jammy/Dockerfile b/21/jre/ubuntu/jammy/Dockerfile index 1a456e5b8..78549c8d5 100644 --- a/21/jre/ubuntu/jammy/Dockerfile +++ b/21/jre/ubuntu/jammy/Dockerfile @@ -94,4 +94,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/21/jre/ubuntu/jammy/entrypoint.sh b/21/jre/ubuntu/jammy/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/21/jre/ubuntu/jammy/entrypoint.sh +++ b/21/jre/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jdk/alpine/entrypoint.sh b/22/jdk/alpine/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/22/jdk/alpine/entrypoint.sh +++ b/22/jdk/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jdk/ubi/ubi9-minimal/entrypoint.sh b/22/jdk/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/22/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/22/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jdk/ubuntu/jammy/Dockerfile b/22/jdk/ubuntu/jammy/Dockerfile index f77d1c3cc..b4aec6628 100644 --- a/22/jdk/ubuntu/jammy/Dockerfile +++ b/22/jdk/ubuntu/jammy/Dockerfile @@ -93,6 +93,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/22/jdk/ubuntu/jammy/entrypoint.sh b/22/jdk/ubuntu/jammy/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/22/jdk/ubuntu/jammy/entrypoint.sh +++ b/22/jdk/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jre/alpine/entrypoint.sh b/22/jre/alpine/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/22/jre/alpine/entrypoint.sh +++ b/22/jre/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jre/ubi/ubi9-minimal/entrypoint.sh b/22/jre/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/22/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/22/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jre/ubuntu/jammy/Dockerfile b/22/jre/ubuntu/jammy/Dockerfile index 28f2117e9..9920eb707 100644 --- a/22/jre/ubuntu/jammy/Dockerfile +++ b/22/jre/ubuntu/jammy/Dockerfile @@ -88,4 +88,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/22/jre/ubuntu/jammy/entrypoint.sh b/22/jre/ubuntu/jammy/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/22/jre/ubuntu/jammy/entrypoint.sh +++ b/22/jre/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/alpine/entrypoint.sh b/8/jdk/alpine/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/8/jdk/alpine/entrypoint.sh +++ b/8/jdk/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/centos/entrypoint.sh b/8/jdk/centos/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/8/jdk/centos/entrypoint.sh +++ b/8/jdk/centos/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/ubi/ubi9-minimal/entrypoint.sh b/8/jdk/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/8/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/8/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/ubuntu/focal/Dockerfile b/8/jdk/ubuntu/focal/Dockerfile index f48185f2c..85beefb70 100644 --- a/8/jdk/ubuntu/focal/Dockerfile +++ b/8/jdk/ubuntu/focal/Dockerfile @@ -96,4 +96,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/8/jdk/ubuntu/focal/entrypoint.sh b/8/jdk/ubuntu/focal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/8/jdk/ubuntu/focal/entrypoint.sh +++ b/8/jdk/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/ubuntu/jammy/Dockerfile b/8/jdk/ubuntu/jammy/Dockerfile index 2b4802316..3f64e880e 100644 --- a/8/jdk/ubuntu/jammy/Dockerfile +++ b/8/jdk/ubuntu/jammy/Dockerfile @@ -96,4 +96,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/8/jdk/ubuntu/jammy/entrypoint.sh b/8/jdk/ubuntu/jammy/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/8/jdk/ubuntu/jammy/entrypoint.sh +++ b/8/jdk/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/alpine/entrypoint.sh b/8/jre/alpine/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/8/jre/alpine/entrypoint.sh +++ b/8/jre/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/centos/entrypoint.sh b/8/jre/centos/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/8/jre/centos/entrypoint.sh +++ b/8/jre/centos/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/ubi/ubi9-minimal/entrypoint.sh b/8/jre/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/8/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/8/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/ubuntu/focal/Dockerfile b/8/jre/ubuntu/focal/Dockerfile index 086434ffd..b305b9357 100644 --- a/8/jre/ubuntu/focal/Dockerfile +++ b/8/jre/ubuntu/focal/Dockerfile @@ -95,4 +95,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/8/jre/ubuntu/focal/entrypoint.sh b/8/jre/ubuntu/focal/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/8/jre/ubuntu/focal/entrypoint.sh +++ b/8/jre/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/ubuntu/jammy/Dockerfile b/8/jre/ubuntu/jammy/Dockerfile index bde0a5788..adb63ee59 100644 --- a/8/jre/ubuntu/jammy/Dockerfile +++ b/8/jre/ubuntu/jammy/Dockerfile @@ -95,4 +95,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/8/jre/ubuntu/jammy/entrypoint.sh b/8/jre/ubuntu/jammy/entrypoint.sh index dfa0f703f..aa5738b12 100755 --- a/8/jre/ubuntu/jammy/entrypoint.sh +++ b/8/jre/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/config/hotspot.yml b/config/hotspot.yml index bc89374dc..9a82ca203 100644 --- a/config/hotspot.yml +++ b/config/hotspot.yml @@ -21,18 +21,24 @@ configurations: - directory: ubuntu/jammy image: ubuntu:22.04 architectures: [aarch64, arm, ppc64le, s390x, x64] + # `bash` is required for Ubuntu-based images to correctly resolve + # environment variables.with.dots.in.them. + shebang: /bin/bash os: ubuntu - directory: ubuntu/focal architectures: [aarch64, arm, ppc64le, s390x, x64] image: ubuntu:20.04 deprecated: 20 + shebang: /bin/bash os: ubuntu - directory: centos architectures: [aarch64, ppc64le, x64] image: centos:7 deprecated: 20 + # CentOS's `/bin/sh` does not sanitize dotted variable names, so `bash` is unneeded + shebang: /bin/sh os: centos - directory: ubi/ubi9-minimal diff --git a/docker_templates/entrypoint.sh b/docker_templates/entrypoint.sh old mode 100755 new mode 100644 index dfa0f703f..aa5738b12 --- a/docker_templates/entrypoint.sh +++ b/docker_templates/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/docker_templates/ubuntu.Dockerfile.j2 b/docker_templates/ubuntu.Dockerfile.j2 index 05dac147a..a74e892a6 100644 --- a/docker_templates/ubuntu.Dockerfile.j2 +++ b/docker_templates/ubuntu.Dockerfile.j2 @@ -43,5 +43,5 @@ ENV JAVA_VERSION {{ java_version }} {% endif %} {% include 'partials/version-check.j2' %} COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] -{% include 'partials/jshell.j2' %} \ No newline at end of file +ENTRYPOINT ["{{ shebang }}", "/__cacert_entrypoint.sh"] +{% include 'partials/jshell.j2' %} diff --git a/generate_dockerfiles.py b/generate_dockerfiles.py index 5c786bebf..4890dbe7d 100644 --- a/generate_dockerfiles.py +++ b/generate_dockerfiles.py @@ -54,6 +54,7 @@ def archHelper(arch, os_name): directory = configuration["directory"] architectures = configuration["architectures"] os_name = configuration["os"] + shebang = configuration.get("shebang", "") base_image = configuration["image"] deprecated = configuration.get("deprecated", None) versions = configuration.get( @@ -140,6 +141,7 @@ def archHelper(arch, os_name): arch_data=arch_data, os_family=os_family, os=os_name, + shebang=shebang, ) print("Writing Dockerfile to", output_directory)