Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing libnss3.so after updating openjdk:8-jdk-alpine image #289

Closed
mohannadj opened this issue Mar 16, 2019 · 11 comments
Closed

Missing libnss3.so after updating openjdk:8-jdk-alpine image #289

mohannadj opened this issue Mar 16, 2019 · 11 comments

Comments

@mohannadj
Copy link

Hello,

I have a docker file that builds openjdk:8-jdk-alpine based images. When updating the image internally (from the docker file) using apk update && apk upgrade , and running my (spring-boot) app, it throws java.io.IOException: Error loading shared library libnss3.so: No such file or directory. However; after removing the apk update && apk upgrade and building the image again, the app runs smoothly.

I have logged into my images in both cases, and made sure that the file wasn't there on the first case, and was there after removing apk update && apk upgrade . In the later case, it was located in /usr/lib/

Is this a bug, or can you please inform me of what I might be missing ?
@gato
Copy link

gato commented Mar 17, 2019

same here

@mike-treadway
Copy link

I'm basing my image on node:10-alpine, which is based on alpine:3.9. Neither my docker file nor the node:10-alpine are doing an apk update and I'm still having this problem.

It's unclear what the work around is at this point. I hope this gets fixed soon.

@gato
Copy link

gato commented Mar 18, 2019

so far i've have fixed the issue by doing

RUN apk add --no-cache nss

on my Dockerfile, that install the missing .so file, but i don't know why it was present before and not now

@danielgrant
Copy link

danielgrant commented Mar 18, 2019
edited

We've also just been hit with this. We execute an apk update && apk upgrade during each build of our image, and today we've started getting the following error during start up of our Tomcat application:

Caused by: java.io.FileNotFoundException: /usr/lib/libnss3.so
	at sun.security.pkcs11.Secmod.initialize(Secmod.java:193)
	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:218)
	... 100 more

The root cause appears to be the PostgreSQL driver establishing an SSL connection to an RDS endpoint.

Here's the output from our apk upgrade:

13:17:57  (1/7) Upgrading libcrypto1.1 (1.1.1a-r1 -> 1.1.1b-r1)
13:17:57  (2/7) Upgrading libssl1.1 (1.1.1a-r1 -> 1.1.1b-r1)
13:17:57  (3/7) Upgrading openjdk8-jre-base (8.191.12-r0 -> 8.201.08-r0)
13:17:57  (4/7) Upgrading openjdk8-jre (8.191.12-r0 -> 8.201.08-r0)
13:17:57  (5/7) Purging nss (3.41-r0)
13:17:57  (6/7) Purging nspr (4.20-r0)
13:17:57  (7/7) Purging sqlite-libs (3.26.0-r3)

I'm not sure which of the upgraded packages is causing APK to purge nss, but following up with apk add --no-cache nss seems to bring it back.

Edit: should probably add that we're targeting openjdk:8-alpine, which is pulling sha256:d2e2716147d1f7fe73b1a9f72a9cff7a7aa92d32eb8de4fffbfddc596e004984.

@wglambert
Copy link

Looks like someone filed a bug upstream about this https://bugs.alpinelinux.org/issues/10126

@wglambert
Copy link

wglambert commented Mar 18, 2019
edited

Probing the issue; I'm not so sure this is a bug with apk, perhaps something with openjdk8-jre-base dependencies

/ # apk --upgrade add openjdk8-jre-base
(1/4) Upgrading openjdk8-jre-base (8.191.12-r0 -> 8.201.08-r0)
(2/4) Purging nss (3.41-r0)
(3/4) Purging nspr (4.20-r0)
(4/4) Purging sqlite-libs (3.26.0-r3)
Executing java-common-0.1-r0.trigger
OK: 98 MiB in 51 packages

As a side note doing an apk upgrade goes against best practices for a couple reasons; it's reproducibility is temporally dependent, and it can yield unpredictable results without knowledge of what each package is updating or perhaps deprecating, which goes against the container's immutability.

@mohannadj
Copy link
Author

Thank you guys for your feedback,

@wglambert , The problem is that we are updating apk; expecting that it wouldn't remove a system file that is required by whatever underlying system that might be using it, hence the bug. Didn't test it yet, but using the unzip tool also seemed to be affected by the upgrade.

I think the safest approach for now is to follow @gato 's recommendation, or find the last working openjdk image as what @danielgrant has mentioned. I remember pulling the latest (upgraded) working image around last Friday, maybe I'll start there.

Saying that, I don't think that this is a solution; but rather a workaround. Since this is my first time logging an issue here, do you think that we should close this one as it was already logged upstream ?

@wunderkind2k1
Copy link

so far i've have fixed the issue by doing

RUN apk add --no-cache nss

on my Dockerfile, that install the missing .so file, but i don't know why it was present before and not now

Just want to say having had the same problem this solution worked perfectly for us.

@danielgrant
Copy link

Taking a quick look between version 8.201.08-r0 of openjdk8-jre-base that is currently being installed by apk upgrade (https://pkgs.alpinelinux.org/package/v3.6/community/x86_64/openjdk8-jre-base) and version 8.181.13-r0 (https://pkgs.alpinelinux.org/package/v3.5/community/x86_64/openjdk8-jre-base), it looks like nss was dropped from the list of dependencies - you can see this by expanding out "Dependencies" on those pages.

I wonder if this was caused by increasing the version of IcedTea from 3.10.0 to 3.11.0, I'm looking specifically at this entry the changelog (https://mail.openjdk.java.net/pipermail/distro-pkg-dev/2019-March/041223.html):

  • New features
    • PR3667: Use the internal copy of the SunEC library rather than statically linking against NSS

ayeletmorris pushed a commit to Gigaspaces/docker that referenced this issue Mar 19, 2019
Fix missing NSS file in alpine docker - based on the issue found here:
7e178b0 
docker-library/openjdk#289
https://bugs.alpinelinux.org/issues/10126
@zephinzer zephinzer mentioned this issue Mar 20, 2019
Closed
This was referenced Mar 20, 2019
Open
Open
dyrkin added a commit to dyrkin/luxmed-bot that referenced this issue Mar 20, 2019
@dyrkin
Fix bug: Caused by: java.io.FileNotFoundException: /usr/lib/libnss3.so (
ce55973 
docker-library/openjdk#289)
beaudh pushed a commit to beaudh/docker-jmeter that referenced this issue Mar 21, 2019
Quick fix for docker-library/openjdk#289 (comment)
735a496
@justb4 justb4 mentioned this issue Mar 22, 2019
Closed
ghostserverd added a commit to ghostserverd/docker-transmission-filebot that referenced this issue Mar 23, 2019
@ghostserverd
add nss as explicit dependency
a814058 
docker-library/openjdk#289
https://bugs.alpinelinux.org/issues/10126
@hakan42 hakan42 mentioned this issue Mar 24, 2019
Merged
@luiszimmermann luiszimmermann mentioned this issue Mar 25, 2019
Closed
@wglambert wglambert mentioned this issue Mar 25, 2019
Closed
@yosifkit yosifkit mentioned this issue Mar 27, 2019
Closed
@luiszimmermann luiszimmermann mentioned this issue Mar 27, 2019
Merged
@goofball222 goofball222 mentioned this issue Mar 28, 2019
Closed
@theotherp theotherp mentioned this issue Mar 31, 2019
Closed
@leszko leszko mentioned this issue Apr 1, 2019
Merged
leszko pushed a commit to hazelcast/hazelcast-docker that referenced this issue Apr 2, 2019
Add setting logging level and building custom docker images (#111)
2d4f427 
Changes:
- Add default `logging.properties` file
- Add property `LOGGING_LEVEL` to enable changing logging level while starting the container
- Add description on how to build custom Hazelcast Image for testing
- Add `apk add --no-cache nss` (unrelated, but needed because of the change in Alpine, read more [here](docker-library/openjdk#289 (comment)))
@arihasa4
Copy link

arihasa4 commented Apr 4, 2019

so far i've have fixed the issue by doing

RUN apk add --no-cache nss

on my Dockerfile, that install the missing .so file, but i don't know why it was present before and not now

Just want to say having had the same problem this solution worked perfectly for us.

You safe my day man. Thanks :)

@danielgrant
Copy link

FYI this has been resolved upstream: https://git.alpinelinux.org/aports/commit/?id=a0a5ffcea690a74b6f8c240d811be43542af60a6

@andmarios andmarios mentioned this issue Apr 5, 2019
Open
@gmouchakis gmouchakis mentioned this issue Apr 8, 2019
Merged
irbull added a commit to eclipsesource/J2V8 that referenced this issue Apr 11, 2019
@irbull
Explicitly add nss to the build image
aaf2331 
It appears that nss has been removed from current versions
for Apline Linux [1]. It needs to be there for secure
connections.

[1] docker-library/openjdk#289
@scatat scatat mentioned this issue Apr 18, 2019
Closed
irbull added a commit to eclipsesource/J2V8 that referenced this issue Apr 26, 2019
@irbull
Explicitly add nss to the build image
e631ff3 
It appears that nss has been removed from current versions
for Apline Linux [1]. It needs to be there for secure
connections.

[1] docker-library/openjdk#289
@tobiasmo1 tobiasmo1 mentioned this issue May 23, 2019
Merged
quotidian-ennui added a commit to adaptris/docker-interlok that referenced this issue May 24, 2019
@quotidian-ennui
Add nss because of docker-library/openjdk#289
8949d3f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@wunderkind2k1 @gato @danielgrant @mike-treadway @mohannadj @wglambert @arihasa4