Can an entrypoint be provided for Java truststore set-up?
#303 disabled the upstream entrypoint, which is __cacert_entrypoint.sh (at least in eclipse-temurin:8-jdk-jammy). This script can help set up the Java truststore. Can the functionality be reintroduced? It seems to me like setting up the truststore before Tomcat start-up would be a common use case. The script even acknowledges and deals with the issue for which it was bypassed:
```bash
#!/usr/bin/env bash
# Sheband needs to be `bash`, see https://github.com/adoptium/containers/issues/415 for details
```
However, I just found a recent change that switches this to sh again.
```sh
#!/usr/bin/env sh
# Converted to POSIX shell to avoid the need for bash in the image
```
See https://github.com/docker-library/docs/pull/2338#issuecomment-1593765498 for my opinions about that entrypoint (also, we support more than just eclipse-temurin here, so it would be inconsistent behavior). There's some more recent discussion in https://github.com/docker-library/docs/pull/2445#issuecomment-2137979552 and an even better / more generic proposal in https://github.com/adoptium/containers/issues/573.
Just FYI, this is what I am doing in my Dockerfile now:
```dockerfile
FROM tomcat:9.0-jdk8
ENTRYPOINT ["/__cacert_entrypoint.sh"]
CMD ["catalina.sh", "run"]
ENV USE_SYSTEM_CA_CERTS=1
...
```
and then if I want custom certificates at container run time, I mount a volume over /usr/local/share/ca-certificates (or /certificates).
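For readers who want the "import mounted CA certificates before starting Tomcat" behaviour without depending on the upstream `__cacert_entrypoint.sh`, here is a POSIX-sh entrypoint written for this thread as an added example. It is not the upstream script and not part of the tomcat image; the `CA_CERTS_DIR`, `TRUSTSTORE` and `TRUSTSTORE_PASS` variable names, the default JDK 8 `cacerts` location and the `changeit` default password are assumptions you should confirm against your own image. It reads every `.crt`/`.pem` file in the mounted directory, imports each under a deterministic alias, skips aliases that already exist so container restarts stay idempotent, and then `exec`s the container command (for example `catalina.sh run`).

```sh
#!/usr/bin/env sh
# Added example entrypoint (not the upstream __cacert_entrypoint.sh).
# Imports PEM certificates mounted at $CA_CERTS_DIR into the JDK truststore,
# then exec's the container command so Tomcat becomes PID 1.
set -eu

# Assumed defaults; override via environment in the Dockerfile or at run time.
CA_CERTS_DIR="${CA_CERTS_DIR:-/usr/local/share/ca-certificates}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"   # JDK ships cacerts with this password

# JDK 8 keeps cacerts under jre/lib/security; JDK 9+ under lib/security.
if [ -z "${TRUSTSTORE:-}" ]; then
    JAVA_HOME="${JAVA_HOME:-/usr/local/openjdk-8}"   # assumed; set JAVA_HOME in the image
    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
        TRUSTSTORE="$JAVA_HOME/jre/lib/security/cacerts"
    else
        TRUSTSTORE="$JAVA_HOME/lib/security/cacerts"
    fi
fi

# Derive a stable keytool alias from a file name: strip the extension,
# lowercase, and replace anything outside [a-z0-9] with '-'.
cert_alias() {
    basename "$1" | sed -e 's/\.[^.]*$//' | tr 'A-Z' 'a-z' | tr -c 'a-z0-9\n' '-'
}

# Print the certificate files (*.crt, then *.pem) in a directory, one per line.
# Globbing keeps file names with spaces intact; a missing directory yields nothing.
list_cert_files() {
    for f in "$1"/*.crt "$1"/*.pem; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Import every certificate found in $1. Prints the number of new imports on
# stdout; progress goes to stderr. Already-present aliases are skipped.
import_certs() {
    dir="$1"
    count=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        alias="$(cert_alias "$f")"
        if keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" \
                -alias "$alias" >/dev/null 2>&1; then
            echo "skip $alias (already in truststore)" >&2
            continue
        fi
        keytool -importcert -noprompt -trustcacerts -keystore "$TRUSTSTORE" \
            -storepass "$TRUSTSTORE_PASS" -alias "$alias" -file "$f" >&2
        count=$((count + 1))
    done
    echo "$count"
}

main() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found in PATH; cannot update $TRUSTSTORE" >&2
        exit 1
    fi
    n="$(import_certs "$CA_CERTS_DIR")"
    echo "imported $n certificate(s) from $CA_CERTS_DIR into $TRUSTSTORE" >&2
    exec "$@"
}

# Only import and exec when a command was given (ENTRYPOINT + CMD); with no
# arguments the file just defines the functions above.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

In the Dockerfile you would `COPY` this as, say, `/usr/local/bin/cacert-entrypoint.sh`, make it executable, and keep `ENTRYPOINT ["/usr/local/bin/cacert-entrypoint.sh"]` with `CMD ["catalina.sh", "run"]`; mounting a volume over `/usr/local/share/ca-certificates` then works the same way as with the upstream script. Note that this edits the image's `cacerts` in place at start-up, so the certificates live only in the container's writable layer, which is exactly what you want for per-environment trust anchors.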