kandi has reviewed jib and discovered the below as its top functions. This is intended to give you an instant insight into jib's implemented functionality, and help you decide if they suit your requirements.
Fast - Deploy your changes fast. Jib separates your application into multiple layers, splitting dependencies from classes. Now you don’t have to wait for Docker to rebuild your entire Java application - just deploy the layers that changed.
Reproducible - Rebuilding your container image with the same contents always generates the same image. Never trigger an unnecessary update again.
Daemonless - Reduce your CLI dependencies. Build your Docker image from within Maven or Gradle and push to any registry of your choice. No more writing Dockerfiles and calling docker build/push.
How to quickly detect and remove log4j classes from our code base and the base image? "mvn dependency:tree" does not check base image

mvn dependency:tree | grep log4j

#!/bin/sh
/opt/amq/bin/fix_log4j_1.x_cves.sh
/opt/amq/bin/launch.sh # the original, inherited entrypoint in jib

Starting to fix all CVEs regarding Log4j 1.x...
>>>>> Removing class file from '/opt/amq/lib/optional/log4j-1.2.17.redhat-1.jar':
removed 'org/apache/log4j/chainsaw/ControlPanel$1.class'
removed 'org/apache/log4j/chainsaw/ControlPanel$2.class'
...
>>>>> Removing class file from '/opt/amq/activemq-all-5.11.0.redhat-630495.jar':
...

#!/bin/bash
# Script to fix log4j 1.x CVEs. Initially it is only for CVE-2021-4104, but
# since there are multiple CVEs regarding log4j 1.x, they are all fixed here:
#   Class File                                      CVE
#   org/apache/log4j/net/SocketAppender.class       CVE-2019-17571
#   org/apache/log4j/net/SocketServer.class         CVE-2019-17571
#   org/apache/log4j/net/SMTPAppender$1.class       CVE-2020-9488
#   org/apache/log4j/net/SMTPAppender.class         CVE-2020-9488
#   org/apache/log4j/net/JMSAppender.class          CVE-2021-4104
#   org/apache/log4j/net/JMSSink.class              CVE-2022-23302
#   org/apache/log4j/net/JDBCAppender.class         CVE-2022-23305
#   org/apache/log4j/chainsaw/*.class               CVE-2022-23307

cves=(
  'CVE-2019-17571'
  'CVE-2019-17571'
  'CVE-2020-9488'
  'CVE-2020-9488'
  'CVE-2021-4104'
  'CVE-2022-23302'
  'CVE-2022-23305'
  'CVE-2022-23307'
)

# print the size of a file in bytes
size() {
  stat -c %s "$1"
}

# $1: directory to return to afterwards, $2: jar to rewrite in place
extract_remove_repackage() {
  before=$1
  # jar xf -C some_dir only extract to current dir, we have to cd first
  jar_dir=$(dirname "$2")
  jar_file=$(basename "$2")
  temp_dir=$jar_dir/temp
  mkdir "$temp_dir"
  cp list.txt "$temp_dir"/ && cp "$2" "$temp_dir"/
  cd "$temp_dir"
  jar xf "$jar_file"
  # provide file and dir names to rm with list.txt
  xargs rm -rvf < list.txt && rm list.txt "$jar_file"
  # note: "jar cf" writes a default manifest; the extracted
  # META-INF/MANIFEST.MF is not carried over into the new jar
  jar cf "$jar_file" .
  mv "$jar_file" ../
  # go back and clean up
  cd "$before" && rm -rf "$temp_dir"
}

# $1: jar to inspect; matching class entries are listed in list.txt
find_vulnerable_jars() {
  cd "$root_dir"
  jar -tvf "$1" | grep -E "$pattern" | awk '{ print $8 }' > list.txt
  if [ "$(size list.txt)" -gt 0 ]; then
    echo ">>>>> Removing class file from '$(realpath "$1")':"
    extract_remove_repackage "$(pwd)" "$1"
  else
    return 0
  fi
}

remove_classes_from_jars() {
  echo "Starting to fix all CVEs regarding Log4j 1.x..."
  # exclude jolokia.jar(link)
  # xargs can return error level to "if", when any of execution fails, while "find -exec" cannot
  # because we use custom function, xargs needs "bash -c"; thus we have to use "_" to pass each arg
  if find "$root_dir" -name "*.jar" -not -type l -print0 | xargs -0 -n1 bash -c 'find_vulnerable_jars "$@"' _; then
    echo "All vulnerable classes removed. CVE addressed:"
    printf '%s\n' "${cves[@]}"
  else
    echo "Error while removing classes; exiting..."
    return 1
  fi
}

# to be able to use in find -exec child shell, we need to export all vars and functions
# $1: where to search jars, should match copy-dependency output dir.
export root_dir=$1
export pattern=".*(JMS|JDBC|SMTP|Socket)Appender.*.class|.*SocketServer.class|.*JMSSink.class|org/apache/log4j/chainsaw/.*"
export -f size
export -f extract_remove_repackage
export -f find_vulnerable_jars
remove_classes_from_jars

<dependency>
  <groupId>org.apache.activemq</groupId>
  <artifactId>activemq-all</artifactId>
  <version>${version.activemq-all}</version>
  <scope>provided</scope>
</dependency>
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>${version.log4j}</version>
  <scope>provided</scope>
</dependency>

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-dependency-plugin</artifactId>
  <executions>
    <execution>
      <id>copy-cve-jars</id>
      <phase>compile</phase>
      <goals>
        <goal>copy-dependencies</goal>
      </goals>
      <configuration>
        <includeArtifactIds>activemq-all,log4j</includeArtifactIds>
        <includeScope>provided</includeScope>
        <includeTypes>jar</includeTypes>
        <outputDirectory>${project.build.directory}/dependency</outputDirectory> <!-- default value -->
        <excludeTransitive>true</excludeTransitive>
      </configuration>
    </execution>
  </executions>
</plugin>
<plugin>
  <artifactId>exec-maven-plugin</artifactId>
  <groupId>org.codehaus.mojo</groupId>
  <executions>
    <execution>
      <id>remove-cve-classes</id>
      <phase>process-classes</phase>
      <goals>
        <goal>exec</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <executable>${project.build.scriptSourceDirectory}/log4j_cve_fix.sh</executable>
    <arguments>
      <!-- should match copy-dependency output dir -->
      <argument>${project.build.directory}/dependency</argument>
    </arguments>
  </configuration>
</plugin>
<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <configuration>
    <from>
      <image>${docker.base.image}</image>
    </from>
    <to>
      <image>${docker.image}</image>
      <tags>
        <tag>${project.version}</tag>
      </tags>
    </to>
    <container>
      <appRoot>/dev/null</appRoot>
      <entrypoint>INHERIT</entrypoint> <!-- customized entrypoint not needed anymore, just revert to the way it was -->
    </container>
    <containerizingMode>packaged</containerizingMode>
    <extraDirectories>
      <paths>
        <path>${project.basedir}/src/main/jib</path>
        <path>${project.build.directory}/jib</path>
        <path>
          <from>target/dependency</from>
          <into>/opt/amq/lib/optional</into>
          <includes>log4j-${version.log4j}.jar</includes>
        </path>
        <path>
          <from>target/dependency</from>
          <into>/opt/amq</into>
          <includes>activemq-all-${version.activemq-all}.jar</includes>
        </path>
      </paths>
      <permissions>
        <permission>
          <!-- don't forget to restrict writing to prevent tampering -->
          <file>/opt/amq/conf/log4j.properties</file>
          <mode>444</mode>
        </permission>
        <!-- the copied jars need to be executable -->
        <permission>
          <file>/opt/amq/lib/${application.executable}</file>
          <mode>755</mode>
        </permission>
        <permission>
          <file>/opt/amq/activemq-all-${version.activemq-all}.jar</file>
          <mode>755</mode>
        </permission>
        <permission>
          <file>/opt/amq/lib/optional/log4j-${version.log4j}.jar</file>
          <mode>755</mode>
        </permission>
      </permissions>
    </extraDirectories>
  </configuration>
  <executions>
    <execution>
      <id>jib-build</id>
      <phase>package</phase>
      <goals>
        <goal>${jib.goal}</goal>
      </goals>
    </execution>
  </executions>
</plugin>
-----------------------
mvn dependency:tree | grep log4j
#!/bin/sh
/opt/amq/bin/fix_log4j_1.x_cves.sh
/opt/amq/bin/launch.sh # the original, inherited entrypoint in jib
Starting to fix all CVEs regarding Log4j 1.x...
>>>>> Removing class file from '/opt/amq/lib/optional/log4j-1.2.17.redhat-1.jar':
removed 'org/apache/log4j/chainsaw/ControlPanel$1.class'
removed 'org/apache/log4j/chainsaw/ControlPanel$2.class'
...
>>>>> Removing class file from '/opt/amq/activemq-all-5.11.0.redhat-630495.jar':
...
#!/bin/bash
# Script to fix log4j 1.x CVEs. Initially it is only for CVE-2021-4104, but
# since there are multiple CVEs regarding log4j 1.x, they are all fixed here:
# Class File CVE
# org/apache/log4j/net/SocketAppender.class CVE-2019-17571
# org/apache/log4j/net/SocketServer.class CVE-2019-17571
# org/apache/log4j/net/SMTPAppender$1.class CVE-2020-9488
# org/apache/log4j/net/SMTPAppender.class CVE-2020-9488
# org/apache/log4j/net/JMSAppender.class CVE-2021-4104
# org/apache/log4j/net/JMSSink.class CVE-2022-23302
# org/apache/log4j/net/JDBCAppender.class CVE-2022-23305
# org/apache/log4j/chainsaw/*.class CVE-2022-23307
cves=(
'CVE-2019-17571'
'CVE-2019-17571'
'CVE-2020-9488'
'CVE-2020-9488'
'CVE-2021-4104'
'CVE-2022-23302'
'CVE-2022-23305'
'CVE-2022-23307'
)
size() {
stat -c %s "$1"
}
extract_remove_repackage() {
before=$1
# jar xf -C some_dir only extract to current dir, we have to cd first
jar_dir=$(dirname "$2")
jar_file=$(basename "$2")
temp_dir=$jar_dir/temp
mkdir "$temp_dir"
cp list.txt "$temp_dir"/ && cp "$2" "$temp_dir"/
cd "$temp_dir"
jar xf "$jar_file"
# provide file and dir names to rm with list.txt
xargs rm -rvf < list.txt && rm list.txt "$jar_file"
jar cf "$jar_file" .
mv "$jar_file" ../
# go back and clean up
cd "$before" && rm -rf "$temp_dir"
}
find_vulnerable_jars() {
cd "$root_dir"
jar -tvf "$1" | grep -E "$pattern" | awk '{ print $8 }' > list.txt
if [ "$(size list.txt)" -gt 0 ]; then
echo ">>>>> Removing class file from '$(realpath "$1")'":
extract_remove_repackage "$(pwd)" "$1"
else
return 0
fi
}
remove_classes_from_jars() {
echo Starting to fix all CVEs regarding Log4j 1.x...
# exclude jolokia.jar(link)
# xargs can return error level to "if", when any of execution fails, while "find -exec" cannot
# because we use custom function, xargs needs "bash -c"; thus we have to use "_" to pass each arg
if find "$root_dir" -name "*.jar" -not -type l -print0 | xargs -0 -n1 bash -c 'find_vulnerable_jars "$@"' _; then
echo All vunerable classes removed. CVE addressed:
printf '%s\n' "${cves[@]}"
else
echo "Error while removing classes; exiting..."
return 1
fi
}
# to be able to use in find -exec child shell, we need to export all vars and functions
# $1: where to search jars, should match copy-dependency output dir.
export root_dir=$1
export pattern=".*(JMS|JDBC|SMTP|Socket)Appender.*.class|.*SocketServer.class|.*JMSSink.class|org/apache/log4j/chainsaw/.*"
export -f size
export -f extract_remove_repackage
export -f find_vulnerable_jars
remove_classes_from_jars
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-all</artifactId>
<version>${version.activemq-all}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${version.log4j}</version>
<scope>provided</scope>
</dependency>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>copy-cve-jars</id>
<phase>compile</phase>
<goals>
<goal>copy-dependencies</goal>
</goals>
<configuration>
<includeArtifactIds>activemq-all,log4j</includeArtifactIds>
<includeScope>provided</includeScope>
<includeTypes>jar</includeTypes>
<outputDirectory>${project.build.directory}/dependency</outputDirectory> <!-- default value -->
<excludeTransitive>true</excludeTransitive>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<groupId>org.codehaus.mojo</groupId>
<executions>
<execution>
<id>remove-cve-classes</id>
<phase>process-classes</phase>
<goals>
<goal>exec</goal>
</goals>
</execution>
</executions>
<configuration>
<executable>${project.build.scriptSourceDirectory}/log4j_cve_fix.sh</executable>
<arguments>
<!-- should match copy-dependency output dir -->
<argument>${project.build.directory}/dependency</argument>
</arguments>
</configuration>
</plugin>
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<configuration>
<from>
<image>${docker.base.image}</image>
</from>
<to>
<image>${docker.image}</image>
<tags>
<tag>${project.version}</tag>
</tags>
</to>
<container>
<appRoot>/dev/null</appRoot>
<entrypoint>INHERIT</entrypoint> <!-- customized entrypoint not needed anymore, just revert to the way it was -->
</container>
<containerizingMode>packaged</containerizingMode>
<extraDirectories>
<paths>
<path>${project.basedir}/src/main/jib</path>
<path>${project.build.directory}/jib</path>
<path>
<from>target/dependency</from>
<into>/opt/amq/lib/optional</into>
<includes>log4j-${version.log4j}.jar</includes>
</path>
<path>
<from>target/dependency</from>
<into>/opt/amq</into>
<includes>activemq-all-${version.activemq-all}.jar</includes>
</path>
</paths>
<permissions>
<permission>
<!-- don't forget to restrict writing to prevent tampering -->
<file>/opt/amq/conf/log4j.properties</file>
<mode>444</mode>
</permission>
<!-- the copied jars need to be executable -->
<permission>
<file>/opt/amq/lib/${application.executable}</file>
<mode>755</mode>
</permission>
<permission>
<file>/opt/amq/activemq-all-${version.activemq-all}.jar</file>
<mode>755</mode>
</permission>
<permission>
<file>/opt/amq/lib/optional/log4j-${version.log4j}.jar</file>
<mode>755</mode>
</permission>
</permissions>
</extraDirectories>
</configuration>
<executions>
<execution>
<id>jib-build</id>
<phase>package</phase>
<goals>
<goal>${jib.goal}</goal>
</goals>
</execution>
</executions>
</plugin>
-----------------------
mvn dependency:tree | grep log4j
#!/bin/sh
/opt/amq/bin/fix_log4j_1.x_cves.sh
/opt/amq/bin/launch.sh # the original, inherited entrypoint in jib
Starting to fix all CVEs regarding Log4j 1.x...
>>>>> Removing class file from '/opt/amq/lib/optional/log4j-1.2.17.redhat-1.jar':
removed 'org/apache/log4j/chainsaw/ControlPanel$1.class'
removed 'org/apache/log4j/chainsaw/ControlPanel$2.class'
...
>>>>> Removing class file from '/opt/amq/activemq-all-5.11.0.redhat-630495.jar':
...
#!/bin/bash
# Script to fix log4j 1.x CVEs. Initially it is only for CVE-2021-4104, but
# since there are multiple CVEs regarding log4j 1.x, they are all fixed here:
# Class File CVE
# org/apache/log4j/net/SocketAppender.class CVE-2019-17571
# org/apache/log4j/net/SocketServer.class CVE-2019-17571
# org/apache/log4j/net/SMTPAppender$1.class CVE-2020-9488
# org/apache/log4j/net/SMTPAppender.class CVE-2020-9488
# org/apache/log4j/net/JMSAppender.class CVE-2021-4104
# org/apache/log4j/net/JMSSink.class CVE-2022-23302
# org/apache/log4j/net/JDBCAppender.class CVE-2022-23305
# org/apache/log4j/chainsaw/*.class CVE-2022-23307
cves=(
'CVE-2019-17571'
'CVE-2019-17571'
'CVE-2020-9488'
'CVE-2020-9488'
'CVE-2021-4104'
'CVE-2022-23302'
'CVE-2022-23305'
'CVE-2022-23307'
)
size() {
stat -c %s "$1"
}
extract_remove_repackage() {
before=$1
# jar xf -C some_dir only extract to current dir, we have to cd first
jar_dir=$(dirname "$2")
jar_file=$(basename "$2")
temp_dir=$jar_dir/temp
mkdir "$temp_dir"
cp list.txt "$temp_dir"/ && cp "$2" "$temp_dir"/
cd "$temp_dir"
jar xf "$jar_file"
# provide file and dir names to rm with list.txt
xargs rm -rvf < list.txt && rm list.txt "$jar_file"
jar cf "$jar_file" .
mv "$jar_file" ../
# go back and clean up
cd "$before" && rm -rf "$temp_dir"
}
find_vulnerable_jars() {
cd "$root_dir"
jar -tvf "$1" | grep -E "$pattern" | awk '{ print $8 }' > list.txt
if [ "$(size list.txt)" -gt 0 ]; then
echo ">>>>> Removing class file from '$(realpath "$1")'":
extract_remove_repackage "$(pwd)" "$1"
else
return 0
fi
}
remove_classes_from_jars() {
echo Starting to fix all CVEs regarding Log4j 1.x...
# exclude jolokia.jar(link)
# xargs can return error level to "if", when any of execution fails, while "find -exec" cannot
# because we use custom function, xargs needs "bash -c"; thus we have to use "_" to pass each arg
if find "$root_dir" -name "*.jar" -not -type l -print0 | xargs -0 -n1 bash -c 'find_vulnerable_jars "$@"' _; then
echo All vunerable classes removed. CVE addressed:
printf '%s\n' "${cves[@]}"
else
echo "Error while removing classes; exiting..."
return 1
fi
}
# to be able to use in find -exec child shell, we need to export all vars and functions
# $1: where to search jars, should match copy-dependency output dir.
export root_dir=$1
export pattern=".*(JMS|JDBC|SMTP|Socket)Appender.*.class|.*SocketServer.class|.*JMSSink.class|org/apache/log4j/chainsaw/.*"
export -f size
export -f extract_remove_repackage
export -f find_vulnerable_jars
remove_classes_from_jars
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-all</artifactId>
<version>${version.activemq-all}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${version.log4j}</version>
<scope>provided</scope>
</dependency>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>copy-cve-jars</id>
<phase>compile</phase>
<goals>
<goal>copy-dependencies</goal>
</goals>
<configuration>
<includeArtifactIds>activemq-all,log4j</includeArtifactIds>
<includeScope>provided</includeScope>
<includeTypes>jar</includeTypes>
<outputDirectory>${project.build.directory}/dependency</outputDirectory> <!-- default value -->
<excludeTransitive>true</excludeTransitive>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<groupId>org.codehaus.mojo</groupId>
<executions>
<execution>
<id>remove-cve-classes</id>
<phase>process-classes</phase>
<goals>
<goal>exec</goal>
</goals>
</execution>
</executions>
<configuration>
<executable>${project.build.scriptSourceDirectory}/log4j_cve_fix.sh</executable>
<arguments>
<!-- should match copy-dependency output dir -->
<argument>${project.build.directory}/dependency</argument>
</arguments>
</configuration>
</plugin>
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<configuration>
<from>
<image>${docker.base.image}</image>
</from>
<to>
<image>${docker.image}</image>
<tags>
<tag>${project.version}</tag>
</tags>
</to>
<container>
<appRoot>/dev/null</appRoot>
<entrypoint>INHERIT</entrypoint> <!-- customized entrypoint not needed anymore, just revert to the way it was -->
</container>
<containerizingMode>packaged</containerizingMode>
<extraDirectories>
<paths>
<path>${project.basedir}/src/main/jib</path>
<path>${project.build.directory}/jib</path>
<path>
<from>target/dependency</from>
<into>/opt/amq/lib/optional</into>
<includes>log4j-${version.log4j}.jar</includes>
</path>
<path>
<from>target/dependency</from>
<into>/opt/amq</into>
<includes>activemq-all-${version.activemq-all}.jar</includes>
</path>
</paths>
<permissions>
<permission>
<!-- don't forget to restrict writing to prevent tampering -->
<file>/opt/amq/conf/log4j.properties</file>
<mode>444</mode>
</permission>
<!-- the copied jars need to be executable -->
<permission>
<file>/opt/amq/lib/${application.executable}</file>
<mode>755</mode>
</permission>
<permission>
<file>/opt/amq/activemq-all-${version.activemq-all}.jar</file>
<mode>755</mode>
</permission>
<permission>
<file>/opt/amq/lib/optional/log4j-${version.log4j}.jar</file>
<mode>755</mode>
</permission>
</permissions>
</extraDirectories>
</configuration>
<executions>
<execution>
<id>jib-build</id>
<phase>package</phase>
<goals>
<goal>${jib.goal}</goal>
</goals>
</execution>
</executions>
</plugin>
-----------------------
mvn dependency:tree | grep log4j
#!/bin/sh
/opt/amq/bin/fix_log4j_1.x_cves.sh
/opt/amq/bin/launch.sh # the original, inherited entrypoint in jib
Starting to fix all CVEs regarding Log4j 1.x...
>>>>> Removing class file from '/opt/amq/lib/optional/log4j-1.2.17.redhat-1.jar':
removed 'org/apache/log4j/chainsaw/ControlPanel$1.class'
removed 'org/apache/log4j/chainsaw/ControlPanel$2.class'
...
>>>>> Removing class file from '/opt/amq/activemq-all-5.11.0.redhat-630495.jar':
...
#!/bin/bash
# Script to fix log4j 1.x CVEs. Initially it is only for CVE-2021-4104, but
# since there are multiple CVEs regarding log4j 1.x, they are all fixed here:
# Class File CVE
# org/apache/log4j/net/SocketAppender.class CVE-2019-17571
# org/apache/log4j/net/SocketServer.class CVE-2019-17571
# org/apache/log4j/net/SMTPAppender$1.class CVE-2020-9488
# org/apache/log4j/net/SMTPAppender.class CVE-2020-9488
# org/apache/log4j/net/JMSAppender.class CVE-2021-4104
# org/apache/log4j/net/JMSSink.class CVE-2022-23302
# org/apache/log4j/net/JDBCAppender.class CVE-2022-23305
# org/apache/log4j/chainsaw/*.class CVE-2022-23307
cves=(
'CVE-2019-17571'
'CVE-2019-17571'
'CVE-2020-9488'
'CVE-2020-9488'
'CVE-2021-4104'
'CVE-2022-23302'
'CVE-2022-23305'
'CVE-2022-23307'
)
size() {
stat -c %s "$1"
}
extract_remove_repackage() {
before=$1
# jar xf -C some_dir only extract to current dir, we have to cd first
jar_dir=$(dirname "$2")
jar_file=$(basename "$2")
temp_dir=$jar_dir/temp
mkdir "$temp_dir"
cp list.txt "$temp_dir"/ && cp "$2" "$temp_dir"/
cd "$temp_dir"
jar xf "$jar_file"
# provide file and dir names to rm with list.txt
xargs rm -rvf < list.txt && rm list.txt "$jar_file"
jar cf "$jar_file" .
mv "$jar_file" ../
# go back and clean up
cd "$before" && rm -rf "$temp_dir"
}
find_vulnerable_jars() {
cd "$root_dir"
jar -tvf "$1" | grep -E "$pattern" | awk '{ print $8 }' > list.txt
if [ "$(size list.txt)" -gt 0 ]; then
echo ">>>>> Removing class file from '$(realpath "$1")'":
extract_remove_repackage "$(pwd)" "$1"
else
return 0
fi
}
remove_classes_from_jars() {
echo Starting to fix all CVEs regarding Log4j 1.x...
# exclude jolokia.jar(link)
# xargs can return error level to "if", when any of execution fails, while "find -exec" cannot
# because we use custom function, xargs needs "bash -c"; thus we have to use "_" to pass each arg
if find "$root_dir" -name "*.jar" -not -type l -print0 | xargs -0 -n1 bash -c 'find_vulnerable_jars "$@"' _; then
echo All vunerable classes removed. CVE addressed:
printf '%s\n' "${cves[@]}"
else
echo "Error while removing classes; exiting..."
return 1
fi
}
# to be able to use in find -exec child shell, we need to export all vars and functions
# $1: where to search jars, should match copy-dependency output dir.
export root_dir=$1
export pattern=".*(JMS|JDBC|SMTP|Socket)Appender.*.class|.*SocketServer.class|.*JMSSink.class|org/apache/log4j/chainsaw/.*"
export -f size
export -f extract_remove_repackage
export -f find_vulnerable_jars
remove_classes_from_jars
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-all</artifactId>
<version>${version.activemq-all}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${version.log4j}</version>
<scope>provided</scope>
</dependency>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>copy-cve-jars</id>
<phase>compile</phase>
<goals>
<goal>copy-dependencies</goal>
</goals>
<configuration>
<includeArtifactIds>activemq-all,log4j</includeArtifactIds>
<includeScope>provided</includeScope>
<includeTypes>jar</includeTypes>
<outputDirectory>${project.build.directory}/dependency</outputDirectory> <!-- default value -->
<excludeTransitive>true</excludeTransitive>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<groupId>org.codehaus.mojo</groupId>
<executions>
<execution>
<id>remove-cve-classes</id>
<phase>process-classes</phase>
<goals>
<goal>exec</goal>
</goals>
</execution>
</executions>
<configuration>
<executable>${project.build.scriptSourceDirectory}/log4j_cve_fix.sh</executable>
<arguments>
<!-- should match copy-dependency output dir -->
<argument>${project.build.directory}/dependency</argument>
</arguments>
</configuration>
</plugin>
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<configuration>
<from>
<image>${docker.base.image}</image>
</from>
<to>
<image>${docker.image}</image>
<tags>
<tag>${project.version}</tag>
</tags>
</to>
<container>
<appRoot>/dev/null</appRoot>
<entrypoint>INHERIT</entrypoint> <!-- customized entrypoint not needed anymore, just revert to the way it was -->
</container>
<containerizingMode>packaged</containerizingMode>
<extraDirectories>
<paths>
<path>${project.basedir}/src/main/jib</path>
<path>${project.build.directory}/jib</path>
<path>
<from>target/dependency</from>
<into>/opt/amq/lib/optional</into>
<includes>log4j-${version.log4j}.jar</includes>
</path>
<path>
<from>target/dependency</from>
<into>/opt/amq</into>
<includes>activemq-all-${version.activemq-all}.jar</includes>
</path>
</paths>
<permissions>
<permission>
<!-- don't forget to restrict writing to prevent tampering -->
<file>/opt/amq/conf/log4j.properties</file>
<mode>444</mode>
</permission>
<!-- the copied jars need to be executable -->
<permission>
<file>/opt/amq/lib/${application.executable}</file>
<mode>755</mode>
</permission>
<permission>
<file>/opt/amq/activemq-all-${version.activemq-all}.jar</file>
<mode>755</mode>
</permission>
<permission>
<file>/opt/amq/lib/optional/log4j-${version.log4j}.jar</file>
<mode>755</mode>
</permission>
</permissions>
</extraDirectories>
</configuration>
<executions>
<execution>
<id>jib-build</id>
<phase>package</phase>
<goals>
<goal>${jib.goal}</goal>
</goals>
</execution>
</executions>
</plugin>
-----------------------
mvn dependency:tree | grep log4j
#!/bin/sh
/opt/amq/bin/fix_log4j_1.x_cves.sh
/opt/amq/bin/launch.sh # the original, inherited entrypoint in jib
Starting to fix all CVEs regarding Log4j 1.x...
>>>>> Removing class file from '/opt/amq/lib/optional/log4j-1.2.17.redhat-1.jar':
removed 'org/apache/log4j/chainsaw/ControlPanel$1.class'
removed 'org/apache/log4j/chainsaw/ControlPanel$2.class'
...
>>>>> Removing class file from '/opt/amq/activemq-all-5.11.0.redhat-630495.jar':
...
#!/bin/bash
# Script to fix log4j 1.x CVEs. Initially it is only for CVE-2021-4104, but
# since there are multiple CVEs regarding log4j 1.x, they are all fixed here:
# Class File CVE
# org/apache/log4j/net/SocketAppender.class CVE-2019-17571
# org/apache/log4j/net/SocketServer.class CVE-2019-17571
# org/apache/log4j/net/SMTPAppender$1.class CVE-2020-9488
# org/apache/log4j/net/SMTPAppender.class CVE-2020-9488
# org/apache/log4j/net/JMSAppender.class CVE-2021-4104
# org/apache/log4j/net/JMSSink.class CVE-2022-23302
# org/apache/log4j/net/JDBCAppender.class CVE-2022-23305
# org/apache/log4j/chainsaw/*.class CVE-2022-23307
cves=(
'CVE-2019-17571'
'CVE-2019-17571'
'CVE-2020-9488'
'CVE-2020-9488'
'CVE-2021-4104'
'CVE-2022-23302'
'CVE-2022-23305'
'CVE-2022-23307'
)
size() {
stat -c %s "$1"
}
extract_remove_repackage() {
before=$1
# jar xf -C some_dir only extract to current dir, we have to cd first
jar_dir=$(dirname "$2")
jar_file=$(basename "$2")
temp_dir=$jar_dir/temp
mkdir "$temp_dir"
cp list.txt "$temp_dir"/ && cp "$2" "$temp_dir"/
cd "$temp_dir"
jar xf "$jar_file"
# provide file and dir names to rm with list.txt
xargs rm -rvf < list.txt && rm list.txt "$jar_file"
jar cf "$jar_file" .
mv "$jar_file" ../
# go back and clean up
cd "$before" && rm -rf "$temp_dir"
}
find_vulnerable_jars() {
cd "$root_dir"
jar -tvf "$1" | grep -E "$pattern" | awk '{ print $8 }' > list.txt
if [ "$(size list.txt)" -gt 0 ]; then
echo ">>>>> Removing class file from '$(realpath "$1")'":
extract_remove_repackage "$(pwd)" "$1"
else
return 0
fi
}
remove_classes_from_jars() {
echo Starting to fix all CVEs regarding Log4j 1.x...
# exclude jolokia.jar(link)
# xargs can return error level to "if", when any of execution fails, while "find -exec" cannot
# because we use custom function, xargs needs "bash -c"; thus we have to use "_" to pass each arg
if find "$root_dir" -name "*.jar" -not -type l -print0 | xargs -0 -n1 bash -c 'find_vulnerable_jars "$@"' _; then
echo All vunerable classes removed. CVE addressed:
printf '%s\n' "${cves[@]}"
else
echo "Error while removing classes; exiting..."
return 1
fi
}
# to be able to use in find -exec child shell, we need to export all vars and functions
# $1: where to search jars, should match copy-dependency output dir.
export root_dir=$1
export pattern=".*(JMS|JDBC|SMTP|Socket)Appender.*.class|.*SocketServer.class|.*JMSSink.class|org/apache/log4j/chainsaw/.*"
export -f size
export -f extract_remove_repackage
export -f find_vulnerable_jars
remove_classes_from_jars
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-all</artifactId>
<version>${version.activemq-all}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${version.log4j}</version>
<scope>provided</scope>
</dependency>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>copy-cve-jars</id>
<phase>compile</phase>
<goals>
<goal>copy-dependencies</goal>
</goals>
<configuration>
<includeArtifactIds>activemq-all,log4j</includeArtifactIds>
<includeScope>provided</includeScope>
<includeTypes>jar</includeTypes>
<outputDirectory>${project.build.directory}/dependency</outputDirectory> <!-- default value -->
<excludeTransitive>true</excludeTransitive>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<groupId>org.codehaus.mojo</groupId>
<executions>
<execution>
<id>remove-cve-classes</id>
<phase>process-classes</phase>
<goals>
<goal>exec</goal>
</goals>
</execution>
</executions>
<configuration>
<executable>${project.build.scriptSourceDirectory}/log4j_cve_fix.sh</executable>
<arguments>
<!-- should match copy-dependency output dir -->
<argument>${project.build.directory}/dependency</argument>
</arguments>
</configuration>
</plugin>
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<configuration>
<from>
<image>${docker.base.image}</image>
</from>
<to>
<image>${docker.image}</image>
<tags>
<tag>${project.version}</tag>
</tags>
</to>
<container>
<appRoot>/dev/null</appRoot>
<entrypoint>INHERIT</entrypoint> <!-- customized entrypoint not needed anymore, just revert to the way it was -->
</container>
<containerizingMode>packaged</containerizingMode>
<extraDirectories>
<paths>
<path>${project.basedir}/src/main/jib</path>
<path>${project.build.directory}/jib</path>
<path>
<from>target/dependency</from>
<into>/opt/amq/lib/optional</into>
<includes>log4j-${version.log4j}.jar</includes>
</path>
<path>
<from>target/dependency</from>
<into>/opt/amq</into>
<includes>activemq-all-${version.activemq-all}.jar</includes>
</path>
</paths>
<permissions>
<permission>
<!-- don't forget to restrict writing to prevent tampering -->
<file>/opt/amq/conf/log4j.properties</file>
<mode>444</mode>
</permission>
<!-- the copied jars need to be executable -->
<permission>
<file>/opt/amq/lib/${application.executable}</file>
<mode>755</mode>
</permission>
<permission>
<file>/opt/amq/activemq-all-${version.activemq-all}.jar</file>
<mode>755</mode>
</permission>
<permission>
<file>/opt/amq/lib/optional/log4j-${version.log4j}.jar</file>
<mode>755</mode>
</permission>
</permissions>
</extraDirectories>
</configuration>
<executions>
<execution>
<id>jib-build</id>
<phase>package</phase>
<goals>
<goal>${jib.goal}</goal>
</goals>
</execution>
</executions>
</plugin>
-----------------------
mvn dependency:tree | grep log4j
#!/bin/sh
/opt/amq/bin/fix_log4j_1.x_cves.sh
/opt/amq/bin/launch.sh # the original, inherited entrypoint in jib
Starting to fix all CVEs regarding Log4j 1.x...
>>>>> Removing class file from '/opt/amq/lib/optional/log4j-1.2.17.redhat-1.jar':
removed 'org/apache/log4j/chainsaw/ControlPanel$1.class'
removed 'org/apache/log4j/chainsaw/ControlPanel$2.class'
...
>>>>> Removing class file from '/opt/amq/activemq-all-5.11.0.redhat-630495.jar':
...
#!/bin/bash
# Script to fix log4j 1.x CVEs. Initially it is only for CVE-2021-4104, but
# since there are multiple CVEs regarding log4j 1.x, they are all fixed here:
# Class File CVE
# org/apache/log4j/net/SocketAppender.class CVE-2019-17571
# org/apache/log4j/net/SocketServer.class CVE-2019-17571
# org/apache/log4j/net/SMTPAppender$1.class CVE-2020-9488
# org/apache/log4j/net/SMTPAppender.class CVE-2020-9488
# org/apache/log4j/net/JMSAppender.class CVE-2021-4104
# org/apache/log4j/net/JMSSink.class CVE-2022-23302
# org/apache/log4j/net/JDBCAppender.class CVE-2022-23305
# org/apache/log4j/chainsaw/*.class CVE-2022-23307
cves=(
'CVE-2019-17571'
'CVE-2019-17571'
'CVE-2020-9488'
'CVE-2020-9488'
'CVE-2021-4104'
'CVE-2022-23302'
'CVE-2022-23305'
'CVE-2022-23307'
)
size() {
stat -c %s "$1"
}
extract_remove_repackage() {
before=$1
# jar xf -C some_dir only extract to current dir, we have to cd first
jar_dir=$(dirname "$2")
jar_file=$(basename "$2")
temp_dir=$jar_dir/temp
mkdir "$temp_dir"
cp list.txt "$temp_dir"/ && cp "$2" "$temp_dir"/
cd "$temp_dir"
jar xf "$jar_file"
# provide file and dir names to rm with list.txt
xargs rm -rvf < list.txt && rm list.txt "$jar_file"
jar cf "$jar_file" .
mv "$jar_file" ../
# go back and clean up
cd "$before" && rm -rf "$temp_dir"
}
find_vulnerable_jars() {
cd "$root_dir"
jar -tvf "$1" | grep -E "$pattern" | awk '{ print $8 }' > list.txt
if [ "$(size list.txt)" -gt 0 ]; then
echo ">>>>> Removing class file from '$(realpath "$1")'":
extract_remove_repackage "$(pwd)" "$1"
else
return 0
fi
}
remove_classes_from_jars() {
echo Starting to fix all CVEs regarding Log4j 1.x...
# exclude jolokia.jar(link)
# xargs can return error level to "if", when any of execution fails, while "find -exec" cannot
# because we use custom function, xargs needs "bash -c"; thus we have to use "_" to pass each arg
if find "$root_dir" -name "*.jar" -not -type l -print0 | xargs -0 -n1 bash -c 'find_vulnerable_jars "$@"' _; then
echo "All vulnerable classes removed. CVEs addressed:"
printf '%s\n' "${cves[@]}"
else
echo "Error while removing classes; exiting..."
return 1
fi
}
# to be able to use in find -exec child shell, we need to export all vars and functions
# $1: where to search jars, should match copy-dependency output dir.
export root_dir=$1
export pattern=".*(JMS|JDBC|SMTP|Socket)Appender.*.class|.*SocketServer.class|.*JMSSink.class|org/apache/log4j/chainsaw/.*"
export -f size
export -f extract_remove_repackage
export -f find_vulnerable_jars
remove_classes_from_jars
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-all</artifactId>
<version>${version.activemq-all}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${version.log4j}</version>
<scope>provided</scope>
</dependency>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>copy-cve-jars</id>
<phase>compile</phase>
<goals>
<goal>copy-dependencies</goal>
</goals>
<configuration>
<includeArtifactIds>activemq-all,log4j</includeArtifactIds>
<includeScope>provided</includeScope>
<includeTypes>jar</includeTypes>
<outputDirectory>${project.build.directory}/dependency</outputDirectory> <!-- default value -->
<excludeTransitive>true</excludeTransitive>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<groupId>org.codehaus.mojo</groupId>
<executions>
<execution>
<id>remove-cve-classes</id>
<phase>process-classes</phase>
<goals>
<goal>exec</goal>
</goals>
</execution>
</executions>
<configuration>
<executable>${project.build.scriptSourceDirectory}/log4j_cve_fix.sh</executable>
<arguments>
<!-- should match copy-dependency output dir -->
<argument>${project.build.directory}/dependency</argument>
</arguments>
</configuration>
</plugin>
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<configuration>
<from>
<image>${docker.base.image}</image>
</from>
<to>
<image>${docker.image}</image>
<tags>
<tag>${project.version}</tag>
</tags>
</to>
<container>
<appRoot>/dev/null</appRoot>
<entrypoint>INHERIT</entrypoint> <!-- customized entrypoint not needed anymore, just revert to the way it was -->
</container>
<containerizingMode>packaged</containerizingMode>
<extraDirectories>
<paths>
<path>${project.basedir}/src/main/jib</path>
<path>${project.build.directory}/jib</path>
<path>
<from>target/dependency</from>
<into>/opt/amq/lib/optional</into>
<includes>log4j-${version.log4j}.jar</includes>
</path>
<path>
<from>target/dependency</from>
<into>/opt/amq</into>
<includes>activemq-all-${version.activemq-all}.jar</includes>
</path>
</paths>
<permissions>
<permission>
<!-- don't forget to restrict writing to prevent tampering -->
<file>/opt/amq/conf/log4j.properties</file>
<mode>444</mode>
</permission>
<!-- the copied jars need to be executable -->
<permission>
<file>/opt/amq/lib/${application.executable}</file>
<mode>755</mode>
</permission>
<permission>
<file>/opt/amq/activemq-all-${version.activemq-all}.jar</file>
<mode>755</mode>
</permission>
<permission>
<file>/opt/amq/lib/optional/log4j-${version.log4j}.jar</file>
<mode>755</mode>
</permission>
</permissions>
</extraDirectories>
</configuration>
<executions>
<execution>
<id>jib-build</id>
<phase>package</phase>
<goals>
<goal>${jib.goal}</goal>
</goals>
</execution>
</executions>
</plugin>
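A post-fix verification to pair with the removal script above, added here as an example (not code from the original answer or from the Jib project): it reports any jar, including jars nested inside fat jars, that still carries the classes named in the script's header. The rule list is rebuilt from that header; the sample jar names and the `BOOT-INF/lib/` layout are constructed for the demo.

```python
"""Report Log4j 1.x classes that the page's fix script is meant to remove."""
import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Class-name fragments and CVE ids taken from the header of the page's script.
# Matching is by entry name only, as in the page's $pattern, so a hit outside
# org/apache/log4j/ (for example a Log4j 2.x appender) needs manual review.
RULES = [
    (re.compile(r"SocketAppender.*\.class$"), "CVE-2019-17571"),
    (re.compile(r"SocketServer\.class$"), "CVE-2019-17571"),
    (re.compile(r"SMTPAppender.*\.class$"), "CVE-2020-9488"),
    (re.compile(r"JMSAppender.*\.class$"), "CVE-2021-4104"),
    (re.compile(r"JMSSink\.class$"), "CVE-2022-23302"),
    (re.compile(r"JDBCAppender.*\.class$"), "CVE-2022-23305"),
    (re.compile(r"org/apache/log4j/chainsaw/.*\.class$"), "CVE-2022-23307"),
]
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
MAX_NESTED_BYTES = 256 * 1024 * 1024  # refuse to inflate oversized nested archives
MAX_DEPTH = 3                         # jar-in-jar recursion limit


def scan_archive(source, label, depth=0):
    """Yield (archive, entry, cve) per matching entry; source is a path or file object."""
    try:
        archive = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return  # not a zip at all; nothing to report
    with archive:
        for info in archive.infolist():
            name = info.filename
            for regex, cve in RULES:
                if regex.search(name):
                    yield (label, name, cve)
                    break
            # Fat jars carry libraries as nested archives; scan those in memory.
            if (name.lower().endswith(ARCHIVE_SUFFIXES) and depth < MAX_DEPTH
                    and info.file_size <= MAX_NESTED_BYTES):
                nested = io.BytesIO(archive.read(info))
                yield from scan_archive(nested, f"{label}!/{name}", depth + 1)


def scan_tree(root):
    """Scan regular *.jar files under root; symlinks are skipped, like `find -not -type l`."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        if path.is_file() and not path.is_symlink():
            findings.extend(scan_archive(path, str(path)))
    return findings


def make_jar(entries):
    """Return the bytes of a jar holding the given {entry name: content}."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as jar:
        for name, content in entries.items():
            jar.writestr(name, content)
    return buffer.getvalue()


def build_sample_tree(root):
    """Constructed sample: an unpatched jar, a patched jar, and a fat jar hiding one."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    unpatched = make_jar({
        "org/apache/log4j/Logger.class": b"",
        "org/apache/log4j/net/JMSAppender.class": b"",
        "org/apache/log4j/chainsaw/ControlPanel$1.class": b"",
    })
    (root / "lib" / "log4j-unpatched.jar").write_bytes(unpatched)
    (root / "lib" / "log4j-patched.jar").write_bytes(
        make_jar({"org/apache/log4j/Logger.class": b""}))
    (root / "app-fat.jar").write_bytes(make_jar({
        "BOOT-INF/lib/legacy-logging.jar": make_jar(
            {"org/apache/log4j/net/SocketServer.class": b""}),
    }))
    return root


def main(argv):
    if len(argv) > 1:
        findings = scan_tree(argv[1])
    else:  # no directory given: run against the constructed sample
        with tempfile.TemporaryDirectory() as tmp:
            findings = scan_tree(build_sample_tree(tmp))
    for archive, entry, cve in findings:
        print(f"{cve}  {archive}  {entry}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a directory argument, such as the copy-dependencies output directory or an unpacked image filesystem, and fail the build on a non-zero exit status.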
-----------------------
\- org.springframework.boot:spring-boot-starter-web:jar:2.6.0:compile
[INFO] \- org.springframework.boot:spring-boot-starter:jar:2.6.0:compile
[INFO] \- org.springframework.boot:spring-boot-starter-logging:jar:2.6.0:compile
[INFO] \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
<dependency>
<groupId>your dep groupId</groupId>
<artifactId>your dep artifactId</artifactId>
<exclusions>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-to-slf4j</artifactId>
</exclusion>
</exclusions>
</dependency>
Google Jib - Is it possible to run a linux command at container startup using CMD/ENTRYPOINT?
#!/bin/sh
# Assumes `java` is on PATH in the base image.
exec java $JAVA_OPTS \
-cp $( cat /app/jib-classpath-file ) \
$( cat /app/jib-main-class-file )
exec java $JAVA_OPTS -cp @/app/jib-classpath-file @/app/jib-main-class-file
<container>
<!-- Assumes you have /bin/sh as specified at the top of /my-entrypoint.sh. -->
<entrypoint>/my-entrypoint.sh</entrypoint>
</container>
<!-- You also need to make the script executable. -->
<extraDirectories>
<permissions>
<permission>
<file>/my-entrypoint.sh</file>
<mode>755</mode>
</permission>
</permissions>
</extraDirectories>
<container>
<entrypoint>
<arg>/bin/sh</arg>
<arg>/my-entrypoint.sh</arg>
</entrypoint>
</container>
<container>
<entrypoint>
<arg>/bin/sh</arg>
<arg>-c</arg>
<arg>exec java $JAVA_OPTS -cp $( cat /app/jib-classpath-file ) $( cat /app/jib-main-class-file )</arg>
</entrypoint>
</container>
How to decide Quarkus application arguments in Kubernetes at run-time?
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3
ARG JAVA_PACKAGE=java-11-openjdk-headless
ARG RUN_JAVA_VERSION=1.3.8
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
# Install java and the run-java script
# Also set up permissions for user `1001`
RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \
&& microdnf update \
&& microdnf clean all \
&& mkdir /deployments \
&& chown 1001 /deployments \
&& chmod "g+rwX" /deployments \
&& chown 1001:root /deployments \
&& curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \
&& chown 1001 /deployments/run-java.sh \
&& chmod 540 /deployments/run-java.sh \
&& echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security
# Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size.
ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
# We make four distinct layers so if there are application changes the library layers can be re-used
COPY --chown=1001 target/quarkus-app/lib/ /deployments/lib/
COPY --chown=1001 target/quarkus-app/*.jar /deployments/
COPY --chown=1001 target/quarkus-app/app/ /deployments/app/
COPY --chown=1001 target/quarkus-app/quarkus/ /deployments/quarkus/
EXPOSE 8080
USER 1001
# [== BEFORE ==]
# ENTRYPOINT [ "/deployments/run-java.sh" ]
# [== AFTER ==]
ENTRYPOINT "/deployments/run-java.sh" $CLI_ARGUMENTS
JIB with GitHub Actions
mvn compile com.google.cloud.tools:jib-maven-plugin:3.2.0:build -Djib.to.image=foo
# Adds Gradle init script that applies the Jib Gradle plugin.
echo "initscript {
repositories { maven { url 'https://plugins.gradle.org/m2' } }
dependencies { classpath 'gradle.plugin.com.google.cloud.tools:jib-gradle-plugin:3.2.0' }
}
rootProject {
afterEvaluate {
if (!project.plugins.hasPlugin('com.google.cloud.tools.jib')) {
project.apply plugin: com.google.cloud.tools.jib.gradle.JibPlugin
}
}
}" > "$HOME"/init-script.gradle
# Runs the Gradle Jib build.
gradle jib \
--init-script="$HOME"/init-script.gradle \
-Djib.to.image=foo
jib jar --target=my-registry.example.com/jar-app myapp.jar
-----------------------
name: JIB container publish
on:
  release:
    types: [created]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: JIB container build and publish
        uses: MathieuSoysal/jib-container-publish.yml@v2.0.7
        with:
          PASSWORD: ${{ secrets.GITHUB_TOKEN }}
GitHub Actions: Error 401 Unauthorized in JIB maven plugin
Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5
Jib create folder for temporary files and changing folder ownership
extraDirectories.paths = ['jib-extra']
pluginExtensions {
  pluginExtension {
    implementation = 'com.google.cloud.tools.jib.gradle.extension.ownership.JibOwnershipExtension'
    configuration {
      rules {
        rule {
          // must be absolute path starting with '/'
          glob = '/app/export'
          ownership = '1000'
        }
        // if you have files under /app/export
        rule {
          glob = '/app/export/**'
          ownership = '1000'
        }
      }
    }
  }
}
How to solve permissions for push to Google Artifact Registry from Cloud Build using jib-maven-plugin?
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<version>3.1.4</version>
<configuration>
<from>
<image>${base.image}</image>
</from>
<to>
<image>${docker.image.repo}/${project.artifactId}:latest</image>
<tags>
<tag>${VERSION_ID}</tag>
<tag>latest</tag>
</tags>
</to>
<creationTime>USE_CURRENT_TIMESTAMP</creationTime>
<allowInsecureRegistries>true</allowInsecureRegistries>
<container>
<ports>
<port>8080</port>
</ports>
</container>
</configuration>
<executions>
<execution>
<id>build-and-push-docker-image</id>
<phase>package</phase>
<goals>
<goal>build</goal>
</goals>
</execution>
</executions>
</plugin>
...
- name: 'gcr.io/cloud-builders/gcloud'
args:
- '-c'
- >
gcloud auth configure-docker --quiet --verbosity=debug `echo
${_CONTAINER_REPO} | cut -d / -f 1`
/root
id: gcloud auth
entrypoint: /bin/bash
...
- name: 'gcr.io/cloud-builders/mvn:3.5.0-jdk-8'
args:
- '-Dmaven.test.skip=false'
- '-Dmaven.repo.local=/workspace/.m2/repository'
- '--settings'
- custom-settings.xml
- clean
- install
- '-DskipITs'
- '-B'
- '-X'
- '-DVERSION_ID=$TAG_NAME'
- '-DBRANCH_ID=master'
- '-DPROJECT_ID=$PROJECT_ID'
- '-DCONTAINER_REPO=${_CONTAINER_REPO}'
- '-DMAVEN_REPO=${_MAVEN_REPO}'
- '-DDOCKER_CONFIG=/builder/home/.docker'
- '-P'
- release
id: build
Adding prometheus jmx agent jar to JIB build
container {
jvmFlags = ...
}
extraDirectories {
paths {
path {
setFrom("$jibExtraDir")
}
}
}
extraDirectories.paths = "$jibExtraDir"
Error creating bean with name 'solverManager', Unsatisfied dependency expressed through constructor parameter
java.lang.NullPointerException: null at java.compiler@11.0.12/javax.tools.ToolProvider.lambda$matches$0(Unknown Source)
Maven jib:dockerBuild fails for non-root user on Ubuntu (and in Windows wsl2 as well)
$ docker login -u foo -p bar
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: incorrect username or password
[ERROR] {"details":"incorrect username or password"}
Using credentials from Docker config (/home/user/.docker/config.json) for localhost:5000/java
Using credential helper docker-credential-gcr for gcr.io/project/repo
-----------------------
gcloud auth configure-docker
gcloud auth configure-docker eu.gcr.io
QUESTION
Including files (NOT classpath resource) in Quarkus Native
Asked 2022-Apr-08 at 06:02
In Quarkus, to include random files as classpath resource, we use quarkus.native.resources.includes (https://quarkus.io/guides/writing-native-applications-tips#including-resources).
How to include files in the file system? I.e. something read using new File(thePath).
If we use Jib, we simply put those files inside src/main/jib. But that's for non-native.
ANSWER
Answered 2022-Apr-08 at 06:02
Building a native binary has nothing to do with adding files to the file system of the target platform.
If your goal is to create a container image using the native binary and also add files to the container image's filesystem, then you can use Quarkus with Jib and add the files to src/main/jib (as you mentioned). These files will be included on the built container image as described here.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
No vulnerabilities reported