wasdev / ci.docker Goto Github PK

View Code? Open in Web Editor NEW

124.0 124.0 121.0 42.97 MB

Build scripts for Docker images (Dockerfiles) and Docker related utilities for WebSphere Liberty.

License: Apache License 2.0

Shell 92.09% Dockerfile 7.91%

containers docker websphere-liberty

ci.docker's People

Contributors

Stargazers

Watchers

Forkers

psftw jhidalgo3 mdbishop thikade chonamara daviddewell1973 irobins gabrielmancini jasonreich sethuma vgrubor1 mfalhi thaihau jjacobso gnavea sidgoyal kavisuresh srisudha clarkja dzainea soggiest adityai hintcnuie chenjun3092 andrija1987 srkadiyala kevinsmithsgc chakri442 wildone jaredburck gizmodemente manifestlifeinc eagleyinfz nextdynamic sagh0900 se35710 dibbles fly891583770 hi5san jamiecoleman92 jdjamsa1 avayahan ddefrancesco sumit-chakraborty naumanna gt5chow tangxr wraschke arthurdm sunilgubbi sagaranilkumar dacleyra kishor013 leochr dazavala aguibert mrglavas kishkulk janakisundar abhishekdas02 cienciadedadosebigdata robsonsamp eds-satish davidg251 brutif utle frawa rachelwrq dibyadevops heldyyusliar renjibabu zech-hein justeenr jonnathanlopez atgreen yushan-lin zhanglm2004 popsorinv channyboy crpotter ymanton alvinso msolberg manudiy kvenkatramreddy 3v1lw1th1n ibakshay praveenanumasu nmittles ashu-mehra dslemp miyukiuchida1 rodrigoieh jimbarlow goolte-lab marobbo nottycode labelcs jjakub megapruts

ci.docker's Issues

Warning message when pulling Liberty Profile image

Pulling the latest Websphere Liberty image shows the following warning:

Status: Downloaded newer image for websphere-liberty:latest
docker.io/library/websphere-liberty: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.

Seems like the image needs to be refreshed with a more recent version.

symlink for /opt/ibm/wlp/usr/shared

Just based on the distributed session/hazelcast steps:

https://github.com/WASdev/ci.docker#session-caching

COPY --from=hazelcast/hazelcast --chown=1001:0 /opt/hazelcast/lib/*.jar /opt/ibm/wlp/usr/shared/resources/hazelcast/

docker hub websphere-liberty image port forwarding not working

Our services are failing with latest docker hub image, old versions working fine.

jaxb-2.2 feature cannot be downloaded to /opt/ibm/wlp/installTmp

I have an existing Dockerfile that used to work, but now it is bombing out on an installUtility step as follows:

The server requires the following additional features: appsecurity-2.0 jsf-2.2 servlet-3.1 ssl-1.0 openidconnectserver-1.0 localconnector-1.0 cdi-1.2 jdbc-4.1 jsonp-1.0 websocket-1.1 jaxrs-2.0.  Installing features from the repository ...
Establishing a connection to the configured repositories ...
This process might take several minutes to complete.

Successfully connected to all configured repositories.

Preparing assets for installation. This process might take several minutes to complete.

Additional Liberty features must be installed for this server.

To install the additional features, review and accept the feature license agreement:
The --acceptLicense argument was found. This indicates that you have
accepted the terms of the license agreement.


Step 1 of 46: Downloading ssl-1.0 ...
Step 2 of 46: Installing ssl-1.0 ...
Step 3 of 46: Downloading appSecurity-2.0 ...
Step 4 of 46: Installing appSecurity-2.0 ...
Step 5 of 46: Downloading el-3.0 ...
Step 6 of 46: Installing el-3.0 ...
Step 7 of 46: Downloading servlet-3.1 ...
Step 8 of 46: Installing servlet-3.1 ...
Step 9 of 46: Downloading jsp-2.3 ...
Step 10 of 46: Installing jsp-2.3 ...
Step 11 of 46: Downloading jsf-2.2 ...
Step 12 of 46: Installing jsf-2.2 ...
Step 13 of 46: Cleaning up temporary files ...

CWWKF1283E: The com.ibm.websphere.appserver.internal.optional.jaxb-2.2 feature cannot be downloaded to /opt/ibm/wlp/installTmp. Ensure that the temporary directory exists and is writeable, and run the command again.

Is it related to the recent move to non-root images?

The Dockerfile starts with FROM websphere-liberty:18.0.0.3-kernel, adds the app, and calls InstallUtility to install just the features we need.

The current list of features is this (though it needs to get updated for 18.0.0.3):

    <featureManager>
        <feature>localConnector-1.0</feature>
        <feature>jaxrs-2.1</feature>
        <feature>openidConnectServer-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>transportSecurity-1.0</feature>
        <feature>cdi-2.0</feature>
        <feature>jsonp-1.1</feature>
        <feature>jsf-2.3</feature>
        <feature>servlet-4.0</feature>
        <feature>websocket-1.1</feature>
        <feature>jdbc-4.1</feature>
        <feature>jaxb-2.2</feature>
        <feature>mpOpenAPI-1.0</feature>
    </featureManager>

When I updated the Dockerfile to start from 18.0.0.3-microProfile1 it started working. I wasn't sure if it a defect or not and so I raise it here.

Tags for liberty versions

Hello,

Do you have an option to select Liberty version when pulling Docker image? If no, could it be possible to have more tags depending on Liberty version ?

We are currently relying on webProfile7 but we don't have any option to select the liberty version.

Thanks
Regards
Gael

The latest kernel image breaks images that override the /opt/ibm/docker/docker-server script

We override the docker-server script because we need to set many environment variables in order for our application to work properly. Unfortunately, the recent commit that added an ENTRYPOINT to the kernel docker file. broke us.

Specifically, when we try to start after building an image using the latest webpshere-liberty images, the container fails to start with:

CWWKE0013E: Unknown option: /opt/ibm/wlp/bin/server

Usage: /opt/ibm/wlp/bin/server action serverName [options]

    serverName
	A locally unique name for the server; the name can be constructed
	using Unicode alphanumeric characters (for example, A-Za-z0-9), the
	underscore (_), dash (-), plus (+) and period (.). A server name
	cannot begin with a dash (-) or period (.).

Actions:

    create
	Create a new server if the specified server does not exist. The
	--template option can be used to specify a template to use when
	creating a new server.

    debug
	Run the named server in the console foreground after a debugger
	connects to the debug port (default: 7777).

    dump
	Dump diagnostic information from the server into an archive. The
	--archive option can be used.  The --include option can be used with
	the "heap", "system" and "thread" values.

    help
	Print help information.

    javadump
	Dump diagnostic information from the server JVM. The --include
	option can be used with the "heap" and "system" values.

    list
	List the Liberty profile application servers that are defined.

    package
	Package a server to an archive. The --archive option can be used.
	The --include option can be used with values "all", "usr", "minify",
	"wlp", "runnable", "all,runnable", and "minify,runnable". The values
	"runnable" and "all,runnable" are equivalent. The "runnable" value
	works with "jar" type archives only.

    pause
	Pause all the components in the server that can be paused. You can
	pause a subset of the components by specifying the components on the
	--target option.

    registerWinService
	Register the server specified as a Windows Service program.

    resume
	Resume all paused components in the server. You can specify the
	--target option to resume specific paused components.

    run
	Run the named server in the console foreground.

    start
	Start the named server.

    startWinService
	Start the server specified as a Windows Service program.
	It must be registered before starting.

    status
	Check the status of the named server.

    stop
	Stop the running instance of the named server.

    stopWinService
	Stop the server specified as a Windows Service program.

    unregisterWinService
	Unregister the server specified as a Windows Service program.

    version
	Show server version information and exit.

Options:

    --archive="path to the target archive file"
	Specify the archive target to be generated by the package or dump
	action. The target can be specified either as an absolute path or
	as a relative path. If this option is omitted, the archive file will
	be created in the server output directory. The target file name
	extension might influence the format of the generated archive.
	The default archive format for the package action is "pax" on z/OS
	and "zip" on all other platforms.
	Archive format "jar" will produce a self-extracting jar similar to
	the original installer archive.
	Archive format "jar" combined with "runnable" on the --include option
	produces a runnable jar file that can run the Liberty server from
	the jar file by using java -jar.

    --clean
	Clean all cached information related to this server instance.

    --include=value,value,...
	A comma-delimited list of values. The valid values vary depending on
	the action.

    --os=value,value,...
	Specifies the operating systems that you want the packaged server to
	support. Supply a comma-separated list. The default value is any,
	indicating that the server is to be deployable to any operating
	system supported by the source.
	To specify that an operating system is not to be supported, prefix it
	with a minus sign ("-"). For a list of operating system values, refer
	to the OSGi Alliance web site at the following URL:
	http://www.osgi.org/Specifications/Reference#os
	This option applies only to the package operation, and can be used
	only with the --include=minify option. If you exclude an operating
	system, you cannot later include it if you repeat the minify
	operation on the archive.

    --target=value,value
	Specifies a comma-delimited list of components that you can pause or
	resume.

    --template="templateName"
	Specify the name of the template to use when creating a new server.

Support for alternative locales

The base Ubuntu image only includes the locales C, C.UTF-8 and POSIX. We should document how to create images with alternative locales. The proposal is to include commented out steps in our production-install scripts and also document how to layer on top of our Docker Hub images to add locales. For example:

FROM websphere-liberty:webProfile7
RUN apt-get update \
  && apt-get install -y language-pack-pt-base \
  && rm -rf /var/lib/apt/lists/*
ENV LANG pt_BR.UTF-8

Container does not respond to SIGTERM

Using docker stop can result in the timeout being triggered which then kills the container. This halts any restart policy that may be in place.

The issue is described here: https://labs.ctl.io/gracefully-stopping-docker-containers/

Broken Link in main Readme.md

The main README.md has a broken link in the first line. When you click on WebSphere Application Server Liberty link, it will redirect you to a page that does not exist leading to a 404 error.

Instead a proposed change is to change this link to the docker's page in their documentation for this package that can be accessed via this link: https://docs.docker.com/samples/library/websphere-liberty/

Allow for toggle of keystore generation

At the moment we always generate a keystore, unless one is already present inside /config/configDropins/defaults/keystore.xml

We should add an environment variable, KEYSTORE_REQUIRED (to be consistent with Open Liberty) to toggle this generation.

restConnector-2.0 feature missing from websphere-liberty docker image

The restConnector-2.0 feature is part of the webProfile zip so should be included in the websphere-liberty docker image.

Profile7 vs. Java 8?

Can you simply confirm that "profile7" is actually JRE 8? It appears via the dependency chain that profile7 relies on kernel and kernel relies on jre8.

Update keystore snippet

Our runtime script currently explicitly writes a keystore XML snippet

However, we can update this code to take advantage of the keystore_password environment variable that Liberty listens to. This is being done in Open Liberty

Update documentation to use EE7 sample

As reported by @arun-gupta via @notatibm, the websphere-liberty documentation on Docker Hub is still using an EE6 example that conveniently made available a zip containing server config. We should update this to use EE7 (probably just by updating the application deployment sample). /cc @lauracowen

javaee7 feature info doesn't match

--- features_javaee7.txt    2016-03-31 16:38:01.206186893 +0100
+++ javaee7.txt 2016-03-31 12:50:29.897535653 +0100
@@ -1,14 +1,31 @@
+appClientSupport-1.0
 appSecurity-2.0
+batch-1.0
 beanValidation-1.1
 cdi-1.2
 collectiveMember-1.0
+concurrent-1.0
 distributedMap-1.0
+ejb-3.2
+ejbHome-3.2
 ejbLite-3.2
+ejbPersistentTimer-3.2
+ejbRemote-3.2
 el-3.0
 federatedRegistry-1.0
+j2eeManagement-1.1
+jacc-1.5
+jaspic-1.1
+javaMail-1.5
+javaee-7.0
+jaxb-2.2
 jaxrs-1.1
 jaxrs-2.0
 jaxrsClient-2.0
+jaxws-2.2
+jca-1.6
+jca-1.7
+jcaInboundSecurity-1.0
 jdbc-4.0
 jdbc-4.1
 jndi-1.0
@@ -21,6 +38,7 @@
 ldapRegistry-3.0
 localConnector-1.0
 managedBeans-1.0
+mdb-3.2
 monitor-1.0
 requestTiming-1.0
 restConnector-1.0
@@ -28,6 +46,9 @@
 servlet-3.1
 sessionDatabase-1.0
 ssl-1.0
+wasJmsClient-2.0
+wasJmsSecurity-1.0
+wasJmsServer-1.0
 webCache-1.0
 webProfile-7.0
 websocket-1.1

Include microProfile2 into javaee8

Often users of javaee8 will want to use one or more specs from microprofile2, so we should include those features as well.

FFDC issue with WebSphere MQ Resource Adapter

It's not clear whether this issue is due to base WebSphere Liberty or the WebSphere MQ Resource Adapter, but I found it is simple to reproduce:

Dockerfile

FROM websphere-liberty:microProfile

ADD https://jitpack.io/com/github/WASdev/sample.servlet/2.1.0/sample.servlet-2.1.0.war /config/apps/
ADD http://repo1.maven.org/maven2/com/ibm/mq/wmq.jmsra/9.1.0.0/wmq.jmsra-9.1.0.0.rar /config/wmq.jmsra.rar
COPY server.xml /config/server.xml

RUN installUtility install --acceptLicense defaultServer

server.xml

<!--
       Copyright 2017 IBM Corp All Rights Reserved

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
-->

<server description="Portfolio server">
    <featureManager>
        <feature>microProfile-1.3</feature> <!-- defines mpJwt-1.0, among others -->
        <feature>jdbc-4.1</feature>
        <feature>jms-2.0</feature>
        <feature>jca-1.7</feature>
        <feature>jndi-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>managedBeans-1.0</feature>
        <feature>logstashCollector-1.0</feature>
        <feature>mpMetrics-1.1</feature>
    </featureManager>

    <logging traceSpecification="*=info" consoleLogLevel="INFO"/>

    <httpEndpoint httpPort="9080" httpsPort="9443" host="*" id="defaultHttpEndpoint"/>

    <resourceAdapter id="mq" location="/config/wmq.jmsra.rar"/>

    <webApplication id="SampleServlet" name="SampleServlet" location="sample.servlet-2.1.0.war" contextRoot="/sample"/>
</server>

Failure at runtime:

docker run -e LICENSE=accept websphere-bug:latest
Launching defaultServer (WebSphere Application Server 18.0.0.1/wlp-1.0.20.cl180120180309-2209) on IBM J9 VM, version 8.0.5.16 - pxa6480sr5fp16-20180524_01(SR5 FP16) (en_US)
[AUDIT   ] CWWKE0001I: The server defaultServer has been launched.
[AUDIT   ] CWWKG0093A: Processing configuration drop-ins resource: /opt/ibm/wlp/usr/servers/defaultServer/configDropins/defaults/keystore.xml
[INFO    ] TRAS3001I: The following messages are hidden from the console.log and messages.log files: [CWWKE0100I]
[INFO    ] CWWKE0002I: The kernel started after 1.862 seconds
[INFO    ] CWWKF0007I: Feature update started.
[INFO    ] CWWKS0007I: The security service is starting...
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host *  (IPv4) port 9080.
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications.
[INFO    ] DYNA1001I: WebSphere Dynamic Cache instance named baseCache initialized successfully.
[INFO    ] DYNA1071I: The cache provider default is being used.
[INFO    ] DYNA1056I: Dynamic Cache (object cache) initialized successfully.
[INFO    ] CWPKI0802I: Creating the SSL certificate. This may take a few seconds.
[INFO    ] CWWKS4103I: Creating the LTPA keys. This may take a few seconds.
[INFO    ] CWWKS1123I: The collective authentication plugin with class name NullCollectiveAuthenticationPlugin has been activated. 
[INFO    ] CWWKS6012I: The JSON Web Token (JWT) consumer service is available.
[INFO    ] CWWKS6002I: The JSON Web Token (JWT) endpoint service is available.
[INFO    ] CWWKS5500I: The MicroProfile JWT configuration [MicroProfileJwtService] was successfully processed.
[INFO    ] SESN8501I: The session manager did not find a persistent storage location; HttpSession objects will be stored in the local application server's memory.
[AUDIT   ] CWWKS4104A: LTPA keys created in 1.300 seconds. LTPA key file: /opt/ibm/wlp/output/defaultServer/resources/security/ltpa.keys
[INFO    ] CWWKS4105I: LTPA configuration is ready after 1.305 seconds.
[INFO    ] SRVE0169I: Loading Web Module: com.ibm.ws.security.jwt.
[INFO    ] SRVE0250I: Web Module com.ibm.ws.security.jwt has been bound to default_host.
[INFO    ] SRVE0169I: Loading Web Module: MicroProfileMetrics.
[INFO    ] SRVE0250I: Web Module MicroProfileMetrics has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://76b57278d4c5:9080/jwt/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://76b57278d4c5:9080/metrics/
[INFO    ] SRVE0169I: Loading Web Module: ibm/api.
[INFO    ] SRVE0250I: Web Module ibm/api has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://76b57278d4c5:9080/ibm/api/
[INFO    ] SRVE0169I: Loading Web Module: OpenAPIUI.
[INFO    ] SRVE0250I: Web Module OpenAPIUI has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://76b57278d4c5:9080/openapi/ui/
[INFO    ] J2CA7018I: Installing resource adapter mq.
[INFO    ] SRVE0169I: Loading Web Module: health.
[INFO    ] SRVE0250I: Web Module health has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://76b57278d4c5:9080/health/
[INFO    ] SESN0176I: A new session context will be created for application key default_host/jwt
[INFO    ] SESN0176I: A new session context will be created for application key default_host/ibm/api
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] DYNA1056I: Dynamic Cache (object cache) initialized successfully.
[INFO    ] SESN0176I: A new session context will be created for application key default_host/openapi/ui
[INFO    ] SESN0176I: A new session context will be created for application key default_host/metrics
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] SESN0176I: A new session context will be created for application key default_host/health
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] SRVE0242I: [com.ibm.ws.microprofile.metrics.1.1] [/metrics] [MetricsRESTProxyServlet]: Initialization successful.
[INFO    ] FFDC1015I: An FFDC Incident has been created: "javax.xml.bind.UnmarshalException: Namespace URIs and local names to the unmarshaller needs to be interned. com.ibm.ws.jca.internal.ConnectorAdapter 106" at ffdc_18.08.05_18.59.13.0.log
[INFO    ] FFDC1015I: An FFDC Incident has been created: "com.ibm.wsspi.adaptable.module.UnableToAdaptException: javax.xml.bind.UnmarshalException: Namespace URIs and local names to the unmarshaller needs to be interned. com.ibm.ws.app.manager.rar.internal.RARApplicationHandlerImpl 92" at ffdc_18.08.05_18.59.13.1.log
[ERROR   ] J2CA7002E: An exception occurred while installing the resource adapter mq. The exception message is: com.ibm.wsspi.adaptable.module.UnableToAdaptException: javax.xml.bind.UnmarshalException: Namespace URIs and local names to the unmarshaller needs to be interned.
[INFO    ] SRVE0169I: Loading Web Module: MicroProfileOpenAPI.
[INFO    ] SRVE0250I: Web Module MicroProfileOpenAPI has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://76b57278d4c5:9080/openapi/
[INFO    ] SESN0176I: A new session context will be created for application key default_host/openapi
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] SRVE0242I: [com.ibm.ws.microprofile.openapi] [/openapi] [OpenAPIServlet]: Initialization successful.
[AUDIT   ] CWPKI0803A: SSL certificate created in 3.937 seconds. SSL key file: /opt/ibm/wlp/output/defaultServer/resources/security/key.jks
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host *  (IPv4) port 9443.
[AUDIT   ] CWWKF0012I: The server installed the following features: [mpFaultTolerance-1.0, servlet-3.1, microProfile-1.3, ssl-1.0, jndi-1.0, jca-1.7, mpHealth-1.0, jms-2.0, appSecurity-2.0, jdbc-4.1, jaxrs-2.0, mpRestClient-1.0, mpMetrics-1.1, mpOpenTracing-1.0, cdi-1.2, managedBeans-1.0, logstashCollector-1.0, jsonp-1.0, mpConfig-1.2, jaxrsClient-2.0, concurrent-1.0, jwt-1.0, opentracing-1.0, mpJwt-1.0, json-1.0, mpOpenAPI-1.0, distributedMap-1.0].
[INFO    ] CWWKF0008I: Feature update completed in 34.378 seconds.
[AUDIT   ] CWWKF0011I: The server defaultServer is ready to run a smarter planet.

Notice the FFDC error above:

[INFO ] FFDC1015I: An FFDC Incident has been created: "javax.xml.bind.UnmarshalException: Namespace URIs and local names to the unmarshaller needs to be interned. com.ibm.ws.jca.internal.ConnectorAdapter 106" at ffdc_18.08.05_18.59.13.0.log
[INFO ] FFDC1015I: An FFDC Incident has been created: "com.ibm.wsspi.adaptable.module.UnableToAdaptException: javax.xml.bind.UnmarshalException: Namespace URIs and local names to the unmarshaller needs to be interned. com.ibm.ws.app.manager.rar.internal.RARApplicationHandlerImpl 92" at ffdc_18.08.05_18.59.13.1.log
[ERROR ] J2CA7002E: An exception occurred while installing the resource adapter mq. The exception message is: com.ibm.wsspi.adaptable.module.UnableToAdaptException: javax.xml.bind.UnmarshalException: Namespace URIs and local names to the unmarshaller needs to be interned.

Expected outcome

Because of the FFDC error, the application fails to load.

I have an older version of WebSphere Liberty where in the failure doesn't occur:

# FROM websphere-liberty:microProfile
FROM ibmstocktrader/portfolio:latest

ADD https://jitpack.io/com/github/WASdev/sample.servlet/2.1.0/sample.servlet-2.1.0.war /config/apps/
ADD http://repo1.maven.org/maven2/com/ibm/mq/wmq.jmsra/9.1.0.0/wmq.jmsra-9.1.0.0.rar /config/wmq.jmsra.rar
COPY server.xml /config/server.xml

RUN installUtility install --acceptLicense defaultServer

With this older base image (ibmstocktrader/portfolio:latest), I do not see the error and the same application and RAR adapter load fine:

docker run -e LICENSE=accept websphere-bug:latest
Launching defaultServer (WebSphere Application Server 18.0.0.2/wlp-1.0.21.cl180220180619-0403) on IBM J9 VM, version 8.0.5.17 - pxa6480sr5fp17-20180627_01(SR5 FP17) (en_US)
[AUDIT   ] CWWKE0001I: The server defaultServer has been launched.
[AUDIT   ] CWWKG0093A: Processing configuration drop-ins resource: /opt/ibm/wlp/usr/servers/defaultServer/configDropins/defaults/keystore.xml
[INFO    ] CWWKE0002I: The kernel started after 1.624 seconds
[INFO    ] CWWKF0007I: Feature update started.
[INFO    ] CWWKS0007I: The security service is starting...
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications.
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host *  (IPv4) port 9080.
[INFO    ] DYNA1001I: WebSphere Dynamic Cache instance named baseCache initialized successfully.
[INFO    ] DYNA1071I: The cache provider default is being used.
[INFO    ] DYNA1056I: Dynamic Cache (object cache) initialized successfully.
[AUDIT   ] CWPKI0820A: The default keystore has been created using the 'keystore_password' environment variable.
[INFO    ] CWPKI0802I: Creating the SSL certificate. This may take a few seconds.
[INFO    ] CWWKS4103I: Creating the LTPA keys. This may take a few seconds.
[INFO    ] CWWKS1123I: The collective authentication plugin with class name NullCollectiveAuthenticationPlugin has been activated. 
[INFO    ] CWWKS6012I: The JSON Web Token (JWT) consumer service is available.
[INFO    ] CWWKS6002I: The JSON Web Token (JWT) endpoint service is available.
[INFO    ] CWWKS5500I: The MicroProfile JWT configuration [MicroProfileJwtService] was successfully processed.
[INFO    ] SESN8501I: The session manager did not find a persistent storage location; HttpSession objects will be stored in the local application server's memory.
[AUDIT   ] CWWKS4104A: LTPA keys created in 1.373 seconds. LTPA key file: /opt/ibm/wlp/output/defaultServer/resources/security/ltpa.keys
[INFO    ] CWWKS4105I: LTPA configuration is ready after 1.379 seconds.
[INFO    ] Created user preferences directory.
[INFO    ] SRVE0169I: Loading Web Module: com.ibm.ws.security.jwt.
[INFO    ] SRVE0169I: Loading Web Module: ibm/api.
[INFO    ] SRVE0250I: Web Module com.ibm.ws.security.jwt has been bound to default_host.
[INFO    ] SRVE0250I: Web Module ibm/api has been bound to default_host.
[INFO    ] SRVE0169I: Loading Web Module: MicroProfileMetrics.
[INFO    ] SRVE0250I: Web Module MicroProfileMetrics has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://426ad763f49b:9080/jwt/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://426ad763f49b:9080/ibm/api/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://426ad763f49b:9080/metrics/
[INFO    ] J2CA7018I: Installing resource adapter mq.
[INFO    ] SRVE0169I: Loading Web Module: OpenAPIUI.
[INFO    ] SRVE0250I: Web Module OpenAPIUI has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://426ad763f49b:9080/openapi/ui/
[INFO    ] SRVE0169I: Loading Web Module: health.
[INFO    ] SRVE0250I: Web Module health has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://426ad763f49b:9080/health/
[INFO    ] SRVE0169I: Loading Web Module: MicroProfileOpenAPI.
[INFO    ] SRVE0250I: Web Module MicroProfileOpenAPI has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://426ad763f49b:9080/openapi/
[INFO    ] SESN0176I: A new session context will be created for application key default_host/ibm/api
[INFO    ] SESN0176I: A new session context will be created for application key default_host/metrics
[INFO    ] SESN0176I: A new session context will be created for application key default_host/jwt
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] DYNA1056I: Dynamic Cache (object cache) initialized successfully.
[INFO    ] SESN0176I: A new session context will be created for application key default_host/openapi/ui
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] SESN0176I: A new session context will be created for application key default_host/openapi
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] SESN0176I: A new session context will be created for application key default_host/health
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[INFO    ] SRVE0242I: [com.ibm.ws.microprofile.metrics.1.1] [/metrics] [MetricsRESTProxyServlet]: Initialization successful.
[INFO    ] SRVE0242I: [com.ibm.ws.microprofile.openapi] [/openapi] [OpenAPIServlet]: Initialization successful.
[INFO    ] WELD-000900: 2.4.7 (Final)
[AUDIT   ] CWPKI0803A: SSL certificate created in 5.419 seconds. SSL key file: /opt/ibm/wlp/output/defaultServer/resources/security/key.jks
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host *  (IPv4) port 9443.
[INFO    ] J2CA9935I: The Java 2 security permissions specified in the deployment descriptor for resource adapter mq will not be enforced.
[AUDIT   ] J2CA7001I: Resource adapter mq installed in 4.691 seconds.
[INFO    ] CWWKZ0018I: Starting application SampleServlet.
[INFO    ] SRVE0169I: Loading Web Module: sample.servlet-2.1.0.
[INFO    ] SRVE0250I: Web Module sample.servlet-2.1.0 has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://426ad763f49b:9080/sample/
[AUDIT   ] CWWKZ0001I: Application SampleServlet started in 0.229 seconds.
[INFO    ] SESN0176I: A new session context will be created for application key default_host/sample
[INFO    ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[AUDIT   ] CWWKF0012I: The server installed the following features: [mpFaultTolerance-1.0, servlet-3.1, microProfile-1.3, ssl-1.0, jndi-1.0, jca-1.7, mpHealth-1.0, jms-2.0, appSecurity-2.0, jdbc-4.1, jaxrs-2.0, mpRestClient-1.0, mpMetrics-1.1, mpOpenTracing-1.0, cdi-1.2, managedBeans-1.0, logstashCollector-1.0, jsonp-1.0, mpConfig-1.2, jaxrsClient-2.0, concurrent-1.0, jwt-1.0, opentracing-1.0, mpJwt-1.0, json-1.0, mpOpenAPI-1.0, distributedMap-1.0].
[INFO    ] CWWKF0008I: Feature update completed in 10.461 seconds.
[AUDIT   ] CWWKF0011I: The server defaultServer is ready to run a smarter planet.
[INFO    ] SRVE9103I: A configuration file for a web server plugin was automatically generated for this server at /opt/ibm/wlp/output/defaultServer/logs/state/plugin-cfg.xml.
[INFO    ] SRVE9103I: A configuration file for a web server plugin was automatically generated for this server at /opt/ibm/wlp/output/defaultServer/logs/state/plugin-cfg.xml.

Dockerfile should make use of entrypoint over cmd

When putting the open-liberty official image up it was pointed out that we should use an entry point script and a default cmd, which would allow someone to do docker run websphere-liberty rather than have it start the server.

See https://github.com/OpenLiberty/ci.docker/blob/master/release/kernel/java8/ibmjava/Dockerfile for a good example.

Dockerfile for webProfile7 and javaee7 missing ampersands

webProfile and javaee7 are missing && preceding the echo command
This results in the repositories.properties not being written correctly

https://github.com/WASdev/ci.docker/blob/master/ga/developer/webProfile7/Dockerfile

microProfile and webProfile6 are ok

https://github.com/WASdev/ci.docker/blob/master/ga/developer/microProfile/Dockerfile

Passing custom server.env

How can I pass a custom server.env to the Container?

config.xml location

I am running websphere with s2i on Openshift. But getting config.xml not found,

config file location is
\resources\ExpressConfig\wcm\files\config

Is there any property I need to specify in server.xml?

[3/5/18 15:52:43:710 UTC] 00000077 GlobalMessage I com.dev.wcm.common.log.LogUtilJCL log executing GlobalMessageResources constructor; factory=[com.dev.wcm.web.common.global.GlobalMessageResourcesFactory@f8b62653]; config=[general]; returnNull=[{2}]
[3/5/18 15:52:43:719 UTC] 00000077 PropertyMessa I org.apache.struts.util.PropertyMessageResources Initializing, config='/WEB-INF/properties/ApplicationResources', returnNull=true
[3/5/18 15:52:43:720 UTC] 00000077 GlobalMessage I com.dev.wcm.common.log.LogUtilJCL log executing GlobalMessageResources constructor; factory=[com.dev.wcm.web.common.global.GlobalMessageResourcesFactory@8774427f]; config=[ENVIRONMENT_PROP]; returnNull=[{2}]
[3/5/18 15:52:43:720 UTC] 00000077 GlobalMessage I com.dev.wcm.common.log.LogUtilJCL log executing GlobalMessageResources constructor; factory=[com.dev.wcm.web.common.global.GlobalMessageResourcesFactory@fb5250bf]; config=[devX_FX_PROP]; returnNull=[{2}]
[3/5/18 15:52:43:721 UTC] 00000077 GlobalMessage I com.dev.wcm.common.log.LogUtilJCL log executing GlobalMessageResources constructor; factory=[com.dev.wcm.web.common.global.GlobalMessageResourcesFactory@862bb982]; config=[devX_ENVIRONMENT_PROP]; returnNull=[{2}]
[3/5/18 15:52:43:732 UTC] 00000077 SystemErr R java.io.FileNotFoundException: Config file (config.xml) not found.
[3/5/18 15:52:43:732 UTC] 00000077 SystemErr R at com.dev.wcm.common.global.Global.load(Global.java:127)
[3/5/18 15:52:43:733 UTC] 00000077 SystemErr R at com.dev.wcm.web.common.struts.plugin.GlobalConfigPlugin.init(GlobalConfigPlugin.java:76)
[3/5/18 15:52:43:733 UTC] 00000077 SystemErr R at org.apache.struts.action.ActionServlet.initModulePlugIns(ActionServlet.java:1158)
[3/5/18 15:52:43:733 UTC] 00000077 SystemErr R at org.apache.struts.action.ActionServlet.init(ActionServlet.java:473)

Add Docker Certified Images

Publish Images as Docker Certified Images!

See:
https://success.docker.com/Store#Docker_Certified_Publisher_FAQ

Thanks,
Chris

License check performed for all commands

Images are currently failing an official repo test that checks that the default command can be overridden because the entrypoint script requires license acceptance regardless of the command being run.

MicroProfile features have diverged

Latest Travis build has failed as we appear to be missing a feature in the microProfile image that exists in the WASdev download.

installUtility is leaving logs in the wrong location

Log files are being left in /opt/ibm/wlp/usr/servers/defaultServer/logs/ when installUtility checks the server features. We should remove those. I'll also raise a defect against installUtility as this suggests it is ignoring LOG_DIR.

List directory /var/lib/apt/lists/partial is missing. - Acquire (13: Permission denied)

I am getting error like List directory /var/lib/apt/lists/partial is missing. - Acquire (13: Permission denied) when trying to install any OS package in websphere-liberty:webProfile7 docker image.

My Dockerfile looks like :

FROM websphere-liberty:webProfile7
RUN apt-get update
RUN apt-get install -y curl

Include a default config overlay for docker-best-practice values

a) turn off file polling (switch to mbean)
b) set coreThreads to a reasonable value (5) so the executor service isn't going off of potentially bad virtualized values.
c) turn off deferred application start

Something like the following in configDropins/defaults:

    <!-- turn off polling -->
    <config updateTrigger="mbean" />
    <applicationMonitor dropinsEnabled="false" updateTrigger="mbean"/>

    <!-- This is required to prevent the web apps from being lazily loaded -->
    <webContainer deferServletLoad="false"/>
    <!-- The JVM can get confused about available CPU in virtualized envs -->
    <executor coreThreads="5"/>

Liberty cluster

Does current version supports Websphere liberty cluster on Kubernetes or openshift environment?

springBoot2 liberty container with JAX-RS - Jersey results in ClassNotFoundException: javax.annotation.Priority

Hi,

We use the websphere-liberty:springBoot2 image and to run our Spring Boot application which uses JAX-RS and Jersey for configuring our REST controllers.
When running the app directly in our IDE it works fine but when we try to run it using the specified docker image, it fails to start with the following problem: ClassNotFoundException: javax.annotation.Priority (See truncated stacktrace below).

We checked our Spring Boot jar and the Priority annotation class is there.
Opening the jar shows the following: application.jar/BOOT-INF/lib/javax.annotation-api-1.3.2.jar/javax/annotation/Priority.class

It seems like the classloader used does not look for the Priority class in our jar.
Any idea why this is happening?

Does the websphere-liberty:springBoot2 image not support the JAX-RS - Spring combination?

2018-08-23 09:50:53.773  INFO 1 --- [ecutor-thread-2] o.s.web.context.ContextLoader            : Root WebApplicationContext: initialization completed in 2574 ms
2018-08-23 09:50:53.867  WARN 1 --- [ecutor-thread-6] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.boot.web.server.WebServerException: Error occured initializing the ServletContext.
2018-08-23 09:50:53.892  INFO 1 --- [ecutor-thread-6] ConditionEvaluationReportLoggingListener : 

Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2018-08-23 09:50:53.920 ERROR 1 --- [ecutor-thread-6] o.s.boot.SpringApplication               : Application run failed

org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.boot.web.server.WebServerException: Error occured initializing the ServletContext.
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:155) ~[spring-boot-2.0.4.RELEASE.jar:2.0.4.RELEASE]
...
Caused by: java.lang.NoClassDefFoundError: javax.annotation.Priority
	at org.glassfish.jersey.model.internal.ComponentBag.modelFor(ComponentBag.java:551) ~[jersey-common-2.26.jar:na]
	at org.glassfish.jersey.model.internal.ComponentBag.lambda$registerModel$10(ComponentBag.java:477) ~[jersey-common-2.26.jar:na]
	at org.glassfish.jersey.model.internal.ComponentBag$$Lambda$343.0000000030070F00.call(Unknown Source) ~[na:na]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:316) ~[jersey-common-2.26.jar:na]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:298) ~[jersey-common-2.26.jar:na]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:229) ~[jersey-common-2.26.jar:na]
	at org.glassfish.jersey.model.internal.ComponentBag.registerModel(ComponentBag.java:469) ~[jersey-common-2.26.jar:na]
	at org.glassfish.jersey.model.internal.ComponentBag.register(ComponentBag.java:306) ~[jersey-common-2.26.jar:na]
	at org.glassfish.jersey.model.internal.CommonConfig.register(CommonConfig.java:408) ~[jersey-common-2.26.jar:na]
	at org.glassfish.jersey.server.ResourceConfig.register(ResourceConfig.java:422) ~[jersey-server-2.26.jar:na]
	... 44 common frames omitted
Caused by: java.lang.ClassNotFoundException: javax.annotation.Priority
	at com.ibm.ws.classloading.internal.AppClassLoader.findClassCommonLibraryClassLoaders(AppClassLoader.java:504) ~[na:na]
	at com.ibm.ws.classloading.internal.AppClassLoader.findClass(AppClassLoader.java:276) ~[na:na]
	at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:925) ~[na:2.9 (07-31-2018)]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:870) ~[na:2.9 (07-31-2018)]
	at com.ibm.ws.classloading.internal.AppClassLoader.findOrDelegateLoadClass(AppClassLoader.java:482) ~[na:na]
	at com.ibm.ws.classloading.internal.AppClassLoader.loadClass(AppClassLoader.java:443) ~[na:na]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:853) ~[na:2.9 (07-31-2018)]
	... 55 common frames omitted

Kind regards,
Jooones

keystore password regenerated on container restart

The new logic for generating a keystore stanza get driven every time a container starts and will therefore generate a new password when a container is restarted. This needs fixing (and we should add at least one test that restarts a container along the way).

Cannot disable welcome page

The Liberty documentation (and other resources) suggest that I should be able to disable the Liberty welcome page by adding a line like

<httpDispatcher enableWelcomePage="false" />

...to my server.xml. However, if I build and run a Docker container from a Dockerfile like

FROM websphere-liberty:19.0.0.2-webProfile8
RUN sed -i 's,</server>,    <httpDispatcher enableWelcomePage="false" />\n</server>,' /config/server.xml

...then go to localhost:9080, I still see the Liberty welcome page.

websphere-liberty:javaee7/webProfile7 can be squashed

Playing around with docker-squash gratifyingly shows that the websphere-liberty:kernel has no fat to lose but, in contrast, websphere-liberty:javaee7 can be reduced from 511 MB to 488 MB and webProfile7 from 462MB to 451MB which suggests that the feature installation is causing some existing data to be overwritten. Further investigation is required to see whether we can avoid this or it is an inevitable consequence of the way in which additional features are added.

Can't Ctrl-C when running container interactively

When I run the Docker container without the "-d" option, then Ctrl-C doesn't work. This makes it difficult to get back to my terminal as I have to kill the process from another terminal session. I think the way to handle this is to make sure that the Liberty process handles the SIGINT signal.

Error 403: Authentication Failed : DIGEST not supported

I'm trying to run a war with http auth, and receiving this error message:

Error 403: Authentication Failed : DIGEST not supported

There's some limitation or specific configuration to support digest on this was-liberty container ?

Att

Building the kernel docker image failed with wget not found

Building the kernel docker image (ga/developer/kernel/dockerfile) failed with wget not found

/bin/sh: 1: wget: not found

SamlWebSso20

SamlWebSso20 authentication doesn't work in our setup with the docker version of WLP. HTTPs requests are not filtered/redirected. Interestingly, the same server.xml works fine on a local installation of WLP (non-docker). The installed features are also the same.

Configuration used in server.xml is as follows:

     <samlWebSso20
              id="defaultSP" mapToUserRegistry="No" signatureMethodAlgorithm="SHA1" spHostAndPort="..." />

Make it easier to unzip a usr package over the image

OL is installed in /opt/ol in the image. In the WebSphere Liberty image, the location is /opt/IBM. I'd like to write a Dockerfile that can take a usr server package and unzip it into either of these locations in a consistent way, without reference these locations. I think this could be solved by adding ln -s /opt/ol /liberty to the Open Liberty image and ln -s /opt/ibm /liberty to the WebSphere Liberty image and so dependent images could just use /liberty for both.

See OpenLiberty/ci.docker#22 (OL Issue)

/liberty symlink is not consistent between Open Liberty and WebSphere Liberty images

/liberty is not consistent between Open Liberty and WebSphere Liberty.

Open Liberty:

RUN mkdir /logs \
    ...
    && ln -s /liberty /opt/ol/wlp

WebSphere Liberty:

RUN mkdir /logs \
    ...
    && ln -s /opt/ibm /liberty \

Probably should be fixed for +19.0.0.2 so we don't break users.

New docker tags for springBoot features

Once the Spring Boot features are included in an Websphere Liberty release (OpenLiberty/open-liberty#3169) we need to create new tags in docker that include the new features for Spring Boot.

OpenSSL dependency

The IBM JRE image will soon remove its OpenSSL dependency via ibmruntimes/ci.docker#28

Although WebSphere Liberty is not using Alpine, the PR above mentions that the same change is being considered for Ubuntu too - so we should proactively add the OpenSSL package dependency to prevent future breakage.

image tags should be immutable / provide tags for the latest version

Hi,

our team is currently unsatisfied with how the wlp images are tagged in docker-hub. For the latest version (should be 16.0.0.2 at the time of writing) you do not provide a specific tag. Instead, this version is only accessible through the latest / javaee7 /webProfile7 ... tags. This leads to serious problems, as there is no way to explicitly depend on 16.0.0.2 or one of it's subsets. Also, depending on for example webProfile7 tag is not satisfying as at some point in the future this tag will point to a more recent release - which can lead to pretty unobvious problems, when one machine still has an older cached version and another doesn't. (docker does only reevaluate the latest tag on every build, other tags are served from the cache indefinitely, see this discussion for details: moby/moby#13331)

We propose to provide explicit tags for even the latest version and to point out that for example the webProfile7 tag does not mean latest webProfile7 but instead means whatever version of webProfile7 docker has cached for you.

Regards,

Tobi

Run wlp as non-root user

Until user namespaces become available on Docker there should be a way to run WLP as a non-root user.

Something like the Dockerfile or the start script creating a specific or runtime-provided user (and chown'ning the WLP folder) and running WLP as this user. This is a somewhat common thing to find on generic Docker images around.

I'll try to make something like that on my own and will post it here if it works.

Run image as a non-root user

CentOS image

At the moment our CentOS Dockerfile copies files from the official image, which is not a very good pattern - duplicates code, misses updates, etc. This issue will look into how to properly build this without duplicating Dockerfiles.

Also, this image is not on Docker Hub. Please leave a comment here if you would find it useful to have a WebSphere Liberty image on Docker Hub based on CentOS.

websphere-liberty:18.0.0.3-javaee8 image tagged incorrectly

websphere-liberty:18.0.0.3-javaee8 image tagged incorrectly.
Version 18.0.0.4 starts instead of 18.0.0.3.

$ date
Thu Dec 27 14:49:30 DST 2018
$ docker pull websphere-liberty:18.0.0.3-javaee8
18.0.0.3-javaee8: Pulling from library/websphere-liberty
Digest: sha256:e8d5e73b5fde75a2ed7017eccc61d22e7a6443b367b73c6aa078ed4614e40e0a
Status: Image is up to date for websphere-liberty:18.0.0.3-javaee8
$ docker run --rm -it --name liberty websphere-liberty:18.0.0.3-javaee8

Launching defaultServer (WebSphere Application Server 18.0.0.4/wlp-1.0.23.cl180420181121-0300) on IBM J9 VM, version 8.0.5.26 - pxa6480sr5fp26-20181115_03(SR5 FP26) (en_US)
[AUDIT   ] CWWKE0001I: The server defaultServer has been launched.
[AUDIT   ] CWWKE0100I: This product is licensed for development, and limited production use. The full license terms can be viewed here: https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/license/base_ilan/ilan/18.0.0.4/lafiles/en.html
[AUDIT   ] CWWKG0093A: Processing configuration drop-ins resource: /opt/ibm/wlp/usr/servers/defaultServer/configDropins/defaults/keystore.xml
[WARNING ] CWWKS3103W: There are no users defined for the BasicRegistry configuration of ID com.ibm.ws.security.registry.basic.config[basic].
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications.

Although FROM websphere-liberty:kernel image is specified in Dockerfile, FROM websphere-liberty:18.0.0.3-kernel should be specified.

Not only 18.0.0.3-javaee8 tag but also other 18.0.0.3-* tags have same issues.

SSL handshake error when trying to register with Service Discovery

I hit the following error. I "can" logon each container to fix it, but it is too much work for anybody. Please fix the image so that we won't hit this issue so that Liberty docker image works with Service Discovery & Service Proxy seamlessly:

{"log":"[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.ng.bluemix.net, O=International Business Machines Corporation, L=Armonk, ST=New York, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: \n","stream":"stdout","time":"2016-06-07T21:01:00.502562079Z"}

useradd specifies wrong login shell

There is a line creating default user in Dockerfile.

&& useradd -u 1001 -r -g 0 -s /sbin/nologin default

But there is no /sbin/nologin in the base ubuntu image.
I think it should be /usr/sbin/nologin, not /sbin/nologin.

Docker websphere-liberty:javaee8 continuously transferring data in https

Hello, we use Docker to run a WAS Liberty application.

When starting the javaee8 profile and accessing the https page we get an infinite "Transferring data from localhost", in chrome or firefox there is a small animation left to the url in the browser. However debuging tools at browser level do not show any network activity.

When starting the javaee7 profile and accessing the https page the browser immediately completes the load of the page.

to reproduce this behaviour:
docker run -d -p 80:9080 -p 443:9443 websphere-liberty:javaee7
docker run -d -p 81:9080 -p 444:9443 websphere-liberty:javaee8

https://localhost:444 will shows the infinite loop.

Memory/CPU limits

Document/blog use of JAVA_OPTS environment variable on container to keep memory within bounds of container (c.f. https://dzone.com/articles/java-inside-docker-what-you-must-know-to-not-fail). Investigate option of script to set these intelligently.

Support for alpine image

Add images with apline linux (as separate tag):
https://hub.docker.com/_/alpine/