Quarkus: JVM Dockerfile failing to create

Created on 7 Apr 2020 · 7Comments · Source: quarkusio/quarkus

Describe the bug
The sample project generated using the maven archetype uses micrdnf to install openssl. This has started failing the docker build with the below error:

error: Error running transaction: package openssl-libs-1:1.1.1c-2.el8_1.1.x86_64 (which is newer than openssl-libs-1:1.1.1c-2.el8.x86_64) is already installed

Expected behavior
The docker image should build from the generated sample

Actual behavior
The docker image fails to build

To Reproduce
Steps to reproduce the behavior:

Use the below mvn archetype to generate a quarkus project:

mvn io.quarkus:quarkus-maven-plugin:1.3.1.Final:create \
    -DprojectGroupId=my-groupId \
    -DprojectArtifactId=my-artifactId \
    -DprojectVersion=my-version \
    -DclassName="org.my.group.MyResource"

Try to build the docker image

Environment (please complete the following information):

Dockerfile

FROM registry.access.redhat.com/ubi8/ubi-minimal:8.1

ARG JAVA_PACKAGE=java-1.8.0-openjdk-headless
ARG RUN_JAVA_VERSION=1.3.5

ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'

# Install java and the run-java script
# Also set up permissions for user `1001`
RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \
    && microdnf update \
    && microdnf clean all \
    && mkdir /deployments \
    && chown 1001 /deployments \
    && chmod "g+rwX" /deployments \
    && chown 1001:root /deployments \
    && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \
    && chown 1001 /deployments/run-java.sh \
    && chmod 540 /deployments/run-java.sh \
    && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security

# Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size.
ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager"

COPY build/lib/* /deployments/lib/
COPY build/*-runner.jar /deployments/app.jar

EXPOSE 8080
USER 1001

ENTRYPOINT [ "/deployments/run-java.sh" ]

kinbug

Source

irishshagua

Most helpful comment

The ubi image has been updated is now contains an updated version of openssl. This change is a CVE fix (from what I can read). Just remove openssl from the package list and you should be good to go. I'm opening a PR that just does that.

cescoffier on 7 Apr 2020

👍3

All 7 comments

Can confirm, tried to work-around by

adding -y to microdnf install
removing microdnf update

with no success.

bjblazko on 7 Apr 2020

Is it possible to provide a stable image, since with no update to the Dockerfile our CI/CD broke due to that?

bjblazko on 7 Apr 2020

I've removed openssl from the list of install targets as the message seemed to indicate it was already present. This, at least gets the image build working again. Not sure if this will cause future issues though... 🤷‍♂

irishshagua on 7 Apr 2020

We got the same bug suddenly appear in CI. Locally I was still able to build the image. After I pulled the ubi-minimal:8.1 again, it did break. So it seams redhat updated the image and changed the ssl stuff.

andreas-eberle on 7 Apr 2020

👍1

cescoffier on 7 Apr 2020

👍3

Hi, I can confirm that removing openssl from microdnf install command works: my remote build for the Quarkus "getting started" via Google Cloud was failing this morning. As soon as I removed openssl, the build and deployment worked again.

If you want to reproduce, my project is gcp-quarkus .

Commit to fix Dockerfile is https://github.com/didier-durand/gcp-quarkus/commit/0a9d1f80bf00da7bad0dcdb3cd945c7cbc342170

didier-durand on 8 Apr 2020

I need to install another program in my docker image that depends on openssl. If I leave openssl in the microdnf install ... line, I get the same error described in the ticket, but if I remove it, then when the second package is installed, the docker build fails because openssl is a dependency and is not installed. Anything I can do in my situation?