corretto / corretto-8-docker
Dockerfiles for Amazon Corretto 8
License: MIT No Attribution
Docker-security scanning listed many major and critical vulnerabilities at:
https://hub.docker.com/_/amazoncorretto/scans/library/amazoncorretto/8
Is there a plan to address these in the official image?
Hi Team,
We need the ALAS2-2019-1153 security vulnerability to be fixed,
because the OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. (CVE-2018-0734)
Hello,
I see that there is a debian flavor under contrib/debian/Dockerfile but do not see the docker image in dockerhub. Can the debian image be published as well to dockerhub?
Thanks,
An
Attempting to play around with Corretto and experiencing a PATH issue:
ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
Can you please help me resolve this issue? Thank you.
In addition to the JDK, used to BUILD an application, you guys should provide a JRE version for only the RUNTIME.
Users could then combine the two images in a multi-stage build. That way, the runtime image should be much smaller.
Let's add a test framework so that we can verify the image between releases. This will help with #20 .
The amazoncorretto docker development has been fully migrated to the new corretto/corretto-docker repository. This repository will be archived.
For each open issue under this repository, the Corretto team will replicate it on behalf of the requester under the new repository.
When 8u212 becomes available today, we should also update it here.
Hi, I am trying to build the Amazon Corretto image based on the Dockerfile for corretto-8-docker,
but I am getting the error below.
[INFO] DOCKER> curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my.proxy
It is not able to download the Java RPM through the corporate proxy.
The current Dockerfile builds 8.202.08.1 while 8.202.08.2 has been released later the same day, but not reflected in the Dockerfile.
Issue reported at https://twitter.com/chanezon/status/1062832736547700737
issue in https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/docker-install.html … cc @arungupta
docker build -t amazon-corretto-8 git@github.com:corretto/corretto-8-docker.git
unable to prepare context: unable to 'git clone' to temporary context directory: error fetching:
git@github.com: Permission denied (publickey).
An issue in Corretto 8 Docker Images
Changes to the docker file
FROM amazonlinux:2
ARG rpm_x64=java-1.8.0-amazon-corretto-1.8.0_232.b09-1.amzn2.0.1.x86_64.rpm
ARG rpm_aarch64=java-1.8.0-amazon-corretto-1.8.0_232.b09-1.amzn2.0.1.aarch64.rpm
Failed dependencies:
I get the following error when trying to build the Docker image:
error: Failed dependencies:
dejavu-sans-fonts is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
dejavu-sans-mono-fonts is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
dejavu-serif-fonts is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
giflib is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
jpackage-utils is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libGL.so.1()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libX11.so.6()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libXext.so.6()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libXi.so.6()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libXrender.so.1()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libXtst.so.6()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libXxf86vm.so.1()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libasound.so.2()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libasound.so.2(ALSA_0.9)(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libasound.so.2(ALSA_0.9.0rc4)(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libatk-1.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libcairo.so.2()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libfontconfig.so.1()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libfreetype.so.6()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libgdk-x11-2.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libgdk_pixbuf-2.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libgif.so.4()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libgtk-x11-2.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libpango-1.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libpangocairo-1.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
libpangoft2-1.0.so.0()(64bit) is needed by java-1.8.0-amazon-corretto-1:1.8.0_232.b09-1.amzn2.0.1.x86_64
The command '/bin/sh -c set -eux; case "$(uname -p)" in x86_64) rpm=$rpm_x64; path=$path_x64; key=$key_x64 ;; aarch64) rpm=$rpm_aarch64; path=$path_aarch64; key=$key_aarch64 ;; *) echo >&2 "Unsupported architecture $(uname -p)."; exit 1 ;; esac; curl -O $path/$rpm && export GNUPGHOME="$(mktemp -d)" && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key && gpg --armor --export $key > corretto.asc && rpm --import corretto.asc && rpm -K $rpm && rpm -i $rpm && rm -r $GNUPGHOME corretto.asc $rpm && yum install -y fontconfig && yum clean all' returned a non-zero code: 1
Hi,
We're seeing that amazoncorretto:8u232 was released a couple of hours ago to Docker Hub (https://hub.docker.com/_/amazoncorretto?tab=tags), but amazoncorretto:8 and amazoncorretto:latest were not updated accordingly and are still on 8u222.
Same is true for amazoncorretto:11
This is not what I would expect from these tags. Is there something wrong in the publishing pipeline?
As amazoncorretto is not installed via the Amazon Linux repo but manually as an RPM package with a different package name (-devel),
security scanners can't pick up that a vulnerable, outdated version is present.
Is there a reason as to why you manually download rpm packages rather than using the packages distributed by the Amazon Linux repo?
As of now I only see downsides to the manual installation process:
Right now there are two trust stores in the Docker image:
/etc/pki/ca-trust/extracted/java/cacerts
/usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts
Amazon Corretto 8 is using the latter:
Inaccessible trust store: /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/jssecacerts
trustStore is: /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts
trustStore type is: jks
trustStore provider is:
But importing, for example, the rds-combined-ca-bundle.pem with keytool into /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts doesn't work, as only the first certificate in the bundle is imported. Possible solutions would be either to split rds-combined-ca-bundle.pem into separate certificates and import them one by one, or to convert the bundle to PKCS#7...
https://docs.aws.amazon.com/documentdb/latest/developerguide/connect.html
It is a lot easier to import rds-combined-ca-bundle.pem into /etc/pki/ca-trust/extracted/java/cacerts:
QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system: add it as a new file to directory /etc/pki/ca-trust/source/anchors/ run update-ca-trust extract
https://www.systutorials.com/docs/linux/man/8-update-ca-trust/
ADD rds-combined-ca-bundle.pem /etc/pki/ca-trust/source/anchors/rds-combined-ca-bundle.pem
RUN update-ca-trust extract \
&& ln -fs /etc/pki/ca-trust/extracted/java/cacerts ${JAVA_HOME}/jre/lib/security/cacerts
Is there a good reason NOT to link ${JAVA_HOME}/jre/lib/security/cacerts to /etc/pki/ca-trust/extracted/java/cacerts by default in the Docker image?
Related to corretto/corretto-8#171.
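An added example (not code from the corretto-8-docker repository) of the first workaround described in the post above: splitting a multi-certificate PEM bundle into one file per certificate and importing each into a JKS trust store with keytool, since keytool -importcert reads only the first certificate in a PEM file. The bundle and keystore paths, the alias prefix and the sample certificate bodies are constructed placeholders; the default JKS store password changeit is assumed.

```shell
#!/bin/sh
# Added example: split a PEM bundle into single certificates and import each
# one into a Java trust store. Not part of the corretto-8-docker project.
set -eu

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-001.pem, cert-002.pem, ... (one certificate each) and
# prints the number of certificates found. Text outside BEGIN/END blocks
# (comments, blank lines) is dropped. An "inside block" flag makes sure a
# closed output file is never reopened, which would truncate it in awk.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%03d.pem", dir, n)
            inblock = 1
        }
        inblock { print > out }
        /^-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# import_bundle BUNDLE KEYSTORE [ALIAS_PREFIX]
# Splits BUNDLE and imports every certificate into KEYSTORE under a unique
# alias (ALIAS_PREFIX-001, ALIAS_PREFIX-002, ...). Assumes the default JKS
# store password "changeit"; keytool is only available where a JDK is.
import_bundle() {
    bundle="$1"
    keystore="$2"
    prefix="${3:-bundle}"
    workdir=$(mktemp -d)
    count=$(split_pem_bundle "$bundle" "$workdir")
    echo "importing $count certificate(s) from $bundle into $keystore" >&2
    for cert in "$workdir"/cert-*.pem; do
        certalias="$prefix-$(basename "$cert" .pem | sed 's/^cert-//')"
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$keystore" -storepass changeit \
            -alias "$certalias" -file "$cert"
    done
    rm -rf "$workdir"
}

# make_sample_bundle FILE: writes a constructed three-certificate bundle.
# The base64 bodies are placeholders, not real certificates; they only
# exercise the splitter (a comment line and a blank line are included on
# purpose to show that text between blocks is dropped).
make_sample_bundle() {
    cat > "$1" <<'EOF'
# constructed sample bundle (placeholder bodies)
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERCERT1
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERCERT2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERCERT3
-----END CERTIFICATE-----
EOF
}
```

In a Dockerfile this would be a RUN step such as `import_bundle rds-combined-ca-bundle.pem "$JAVA_HOME/jre/lib/security/cacerts" rds` after COPYing the bundle in. The `ln -fs` approach shown in the post above avoids the split entirely, at the cost of making the JVM trust everything in the system anchors directory.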
I see that Ubuntu and RHEL support is planned for the Corretto 8 GA drop in 1Q. Are there any plans to add other supported UNIX distributions such as SUSE?
Hi there,
The lookup for the key C554E802F4545B60919A0A87BD93DF06B540D62A fails.
Lookup via the web gives "No results found":
http://ha.pool.sks-keyservers.net/pks/lookup?search=C554E802F4545B60919A0A87BD93DF06B540D62A&fingerprint=on&op=index
% docker build .
Sending build context to Docker daemon 163.3kB
Step 1/9 : FROM amazonlinux:2
---> b94321659aca
Step 2/9 : ARG rpm_x64=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
---> Running in 763a22513282
Removing intermediate container 763a22513282
---> 48b547be5cf1
Step 3/9 : ARG path_x64=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1
---> Running in 92c4b8389045
Removing intermediate container 92c4b8389045
---> 5408469d1224
Step 4/9 : ARG key_x64=C554E802F4545B60919A0A87BD93DF06B540D62A
---> Running in 4d1ead876785
Removing intermediate container 4d1ead876785
---> bd32ad937e18
Step 5/9 : ARG rpm_aarch64=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-4.aarch64.rpm
---> Running in 7940284d22e7
Removing intermediate container 7940284d22e7
---> f4f710e08495
Step 6/9 : ARG path_aarch64=https://d3pxv6yz143wms.cloudfront.net/8.222.10.4
---> Running in cf1c1def4a3a
Removing intermediate container cf1c1def4a3a
---> a7942a3e2665
Step 7/9 : ARG key_aarch64=826272FACCCCC8E76897C26CE9B1F93E1A158134
---> Running in e3b3063e5e10
Removing intermediate container e3b3063e5e10
---> de9c44f857b2
Step 8/9 : RUN set -eux; case "$(uname -p)" in x86_64) rpm=$rpm_x64; path=$path_x64; key=$key_x64 ;; aarch64) rpm=$rpm_aarch64; path=$path_aarch64; key=$key_aarch64 ;; *) echo >&2 "Unsupported architecture $(uname -p)."; exit 1 ;; esac; curl -O $path/$rpm && export GNUPGHOME="$(mktemp -d)" && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key && gpg --armor --export $key > corretto.asc && rpm --import corretto.asc && rpm -K $rpm && rpm -i $rpm && rm -r $GNUPGHOME corretto.asc $rpm && yum install -y fontconfig && yum clean all
---> Running in 3b3230d7ca95
+ case "$(uname -p)" in
++ uname -p
+ rpm=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
+ path=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1
+ key=C554E802F4545B60919A0A87BD93DF06B540D62A
+ curl -O https://d3pxv6yz143wms.cloudfront.net/8.222.10.1/java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 111M 100 111M 0 0 12.7M 0 0:00:08 0:00:08 --:--:-- 17.4M
++ mktemp -d
+ export GNUPGHOME=/tmp/tmp.jzzxTOi6f0
+ GNUPGHOME=/tmp/tmp.jzzxTOi6f0
+ gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys C554E802F4545B60919A0A87BD93DF06B540D62A
gpg: keyring `/tmp/tmp.jzzxTOi6f0/secring.gpg' created
gpg: keyring `/tmp/tmp.jzzxTOi6f0/pubring.gpg' created
gpg: requesting key B540D62A from hkp server ha.pool.sks-keyservers.net
gpg: keyserver timed out
gpg: keyserver receive failed: Keyserver error
The command '/bin/sh -c set -eux; case "$(uname -p)" in x86_64) rpm=$rpm_x64; path=$path_x64; key=$key_x64 ;; aarch64) rpm=$rpm_aarch64; path=$path_aarch64; key=$key_aarch64 ;; *) echo >&2 "Unsupported architecture $(uname -p)."; exit 1 ;; esac; curl -O $path/$rpm && export GNUPGHOME="$(mktemp -d)" && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key && gpg --armor --export $key > corretto.asc && rpm --import corretto.asc && rpm -K $rpm && rpm -i $rpm && rm -r $GNUPGHOME corretto.asc $rpm && yum install -y fontconfig && yum clean all' returned a non-zero code: 2
best regards,
Serbest
Remove binary files from history.
Despite the files being deleted, git clone still takes 76 MB:
>docker build -t amazon-corretto-8 github.com/corretto/corretto-8-docker
Sending build context to Docker daemon 76.71MB
Step 1/3 : FROM amazonlinux:2
Consider using force-push from a new local repo, or a tool like filter-branch, rebase -i or BFG to remove the binary bloat.
JAVA_HOME currently points to /usr/lib/jvm/java-1.8.0-amazon-corretto.x86_64, but the JVM actually resides in /usr/lib/jvm/java-1.8.0-amazon-corretto:
sh-4.2# echo $JAVA_HOME
/usr/lib/jvm/java-1.8.0-amazon-corretto.x86_64
sh-4.2# ls $JAVA_HOME
ls: cannot access /usr/lib/jvm/java-1.8.0-amazon-corretto.x86_64: No such file or directory
sh-4.2# ls /usr/lib/jvm/java-1.8.0-amazon-corretto
ASSEMBLY_EXCEPTION LICENSE THIRD_PARTY_README bin include javafx-src.zip jre lib man src.zip version.txt
On Amazon Linux 2, jre/lib/security/cacerts is a symlink to /etc/pki/java/cacerts. This enables update-ca-trust to update the java runtime's trust store. However, this image does not do this so updating the system trust stores via update-ca-trust does not update the java trust store.
My current workaround is to copy /etc/pki/ca-trust/extracted/java/cacerts over the JVM's cacerts file after running update-ca-trust.
I print some Chinese words into a file using log4j2. When I look at the content of the file using "tail", I find that all of the Chinese words in the file are "???".
I'm wondering where this comes from.
ARG rpm_x64=java-1.8.0-amazon-corretto-devel-1.8.0_232.b09-1.x86_64.rpm
ARG path_x64=https://d3pxv6yz143wms.cloudfront.net/8.232.09.1
ARG key_x64=E8EB406377AD2B9E9A4765D19CB3BC6FF6C9FC19
I'd expect the RPMs to be from corretto.aws (which is the "site" that AWS lists), not an unmapped CloudFront distribution. However, the one you have above is relocatable (yay), and theirs isn't.
Any idea? I've made a Lambda layer based on the above RPMs (hence relocatable), so I'm going to need to watch your stuff to make sure I bump versions as needed.
Thanks
Hi, it seems the base image amazonlinux:2 has had publicly known vulnerabilities since at least Sep 19th, with fixes available that are not yet part of the latest image, which was published 25 days ago.
See upstream issue at https://forums.aws.amazon.com/thread.jspa?threadID=310554&tstart=0
Do you monitor corretto images for security issues? Is there something that should be improved in the publishing process?
I cannot build the Dockerfile anymore because the gpg key seems to be missing.
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys E8EB406377AD2B9E9A4765D19CB3BC6FF6C9FC19
results in
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key F6C9FC19 from hkp server ha.pool.sks-keyservers.net
gpgkeys: key E8EB406377AD2B9E9A4765D19CB3BC6FF6C9FC19 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
http://ha.pool.sks-keyservers.net/pks/lookup?search=0xF6C9FC19&op=vindex
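An added example, not part of the corretto-8-docker Dockerfile, of one way to avoid the keyserver lookup that fails in the post above: commit the signing key as an ASCII-armoured file next to the Dockerfile and, at build time, check its fingerprint against a pinned value before importing it into the RPM database. The pinned fingerprint is the ARG value quoted on this page; the key file name corretto.asc, the sample gpg colon output and its timestamps are constructed, and the `gpg --with-colons` record layout (fpr records carry the fingerprint in field 10) is assumed.

```shell
#!/bin/sh
# Added example: verify a committed OpenPGP key against a pinned fingerprint
# instead of fetching it from a keyserver at build time. Not part of the
# corretto-8-docker project.
set -eu

# Expected primary-key fingerprint, taken from the Dockerfile ARG quoted on
# this page. The key file name is an assumption.
PINNED_FPR="E8EB406377AD2B9E9A4765D19CB3BC6FF6C9FC19"
KEY_FILE="corretto.asc"

# fpr_from_colons: read `gpg --with-colons` output on stdin and print the
# fingerprint of every primary key (the fpr record directly after a pub
# record); fpr records belonging to subkeys are ignored.
fpr_from_colons() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0; next }
        { want = 0 }
    '
}

# colons_match COLONS_TEXT EXPECTED_FPR
# Returns 0 only if the colon output describes exactly one primary key and
# its fingerprint equals EXPECTED_FPR (case-insensitive); an empty or
# multi-key listing is rejected.
colons_match() {
    got=$(printf '%s\n' "$1" | fpr_from_colons | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# verify_key_file KEYFILE EXPECTED_FPR
# Lists the armoured key file with gpg (without importing it into a
# keyring) and compares. `--with-colons --with-fingerprint FILE` is assumed
# to work with the gpg version shipped on Amazon Linux 2.
verify_key_file() {
    colons=$(gpg --batch --with-colons --with-fingerprint "$1" 2>/dev/null)
    colons_match "$colons" "$2"
}

# import_pinned_key: what the Dockerfile RUN step would call in place of
# `gpg --recv-keys`. Refuses to import when the fingerprint does not match,
# so a swapped or corrupted key file fails the build instead of being
# trusted by `rpm -K`.
import_pinned_key() {
    if ! verify_key_file "$KEY_FILE" "$PINNED_FPR"; then
        echo "refusing to import $KEY_FILE: fingerprint mismatch" >&2
        return 1
    fi
    rpm --import "$KEY_FILE"
}

# Constructed sample of `gpg --with-colons` output for the pinned key:
# one primary key, one user ID, one subkey. The key ID is the last 16 hex
# digits of the pinned fingerprint; timestamps, the user ID and the subkey
# fingerprint are placeholders.
SAMPLE_COLONS='pub:-:4096:1:9CB3BC6FF6C9FC19:1570000000::-:::scESC::::::23::0:
fpr:::::::::E8EB406377AD2B9E9A4765D19CB3BC6FF6C9FC19:
uid:-::::1570000000::0000000000000000000000000000000000000000::Example Signer <signer@example.com>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1570000000::::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'
```

In the Dockerfile this replaces the `gpg --recv-keys $key && gpg --armor --export $key > corretto.asc` part of the RUN step with a `COPY corretto.asc .` followed by `import_pinned_key`; the `rpm -K $rpm` check stays as it is. On gpg 2.1 or newer, `gpg --with-colons --import-options show-only --import FILE` is the non-deprecated way to list a key file and produces the same record layout.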
How can I add a user to my image, if I don't want to run the app as root?
Do you plan on building an Alpine based docker image? This is much smaller and perfect for microservices running on ECS.
See https://github.com/docker-library/repo-info/blob/master/repos/amazoncorretto/local/8.md
$ docker run --rm amazoncorretto:8 printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=05cbf6b80a21
HOME=/root
$ docker run --rm amazoncorretto:11 printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=c56b19925283
JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
HOME=/root
Could this be made available on Docker Hub? I think it would be quite straightforward to set up an Automated Build repository over there that builds from this repository
Hello support team
I'm facing the following problem addressing the Amazon Linux 2 Security Advisory ALAS-2020-1406.
I updated my Dockerfile to follow the security advisory by adding yum update openssl.
https://alas.aws.amazon.com/AL2/ALAS-2020-1406.html
Unfortunately the image scanning keeps showing me the high-risk vulnerability. I simplified my Dockerfile almost to zero custom code.
Here is my base image Dockerfile:
# ---- Base Node ----
FROM amazoncorretto AS base
# set working directory
# Create app directory
RUN yum update kernel --assumeyes
RUN yum update libarchive --assumeyes
RUN yum update openssl --assumeyes
RUN yum update sqlite --assumeyes
previously. I opened a technical assistance request through the AWS support system but was
redirected to the AWS JDK team. They believe that the issue is with the base image itself: as the base image amazoncorretto may not have the required packages for the update in its mirror list, it was unable to find the new patch for openssl. I see the CVE mentioned was released on 2020-03-25 21:45 Pacific.
The image build is done on my local machine
Docker engine version:
Client:
Version: 17.12.0-ce
API version: 1.35
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:03:51 2017
OS/Arch: darwin/amd64
Server:
Engine:
Version: 17.12.0-ce
API version: 1.35 (minimum version 1.12)
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:12:29 2017
OS/Arch: linux/amd64
Experimental: false
Hi,
I've noticed that you provide some pre-release packages of Corretto 8 via https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/downloads-list.html also for aarch64.
Just wanted to ask if we will see official images in Docker Hub within the next weeks or months?
Thank you.