OpenDJ / OPENDJ-7474

Docker sample README.md provides wrong instructions for running the container

    Details

    • Type: Bug
    • Status: QA Backlog
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.1.0
    • Component/s: devops, security
    • Labels:

      Description

      The DS 7.0 Docker sample README.md includes misleading instructions for running the custom image:

      $ ./samples/docker/setup.sh
      ...
      $ docker build -t ds:latest .
      $ docker run --rm -it ds:latest start-ds
      

      The docker run command will fail because the keystore is not mounted into the container as per the instructions provided by the image's online help:

      $ docker run --rm -it ds:latest
      DS Docker Image Help
      ====================
      
      Getting started
      ---------------
      
      Use the following Docker command to start the server:
      
          docker run --rm -it \
              --env DS_SET_UID_ADMIN_AND_MONITOR_PASSWORDS=true \
              --env DS_UID_ADMIN_PASSWORD=password \
              --env DS_UID_MONITOR_PASSWORD=password \
              --mount type=bind,src=/path/to/secrets,dst=/opt/opendj/secrets \
              DS-IMAGE start-ds
      ...
      

      A further gotcha is that the sample setup.sh script removes the CA and SSL key-pair from the local keystore, making it hard to use out of the box, especially now that DS seems to complain very noisily and repeatedly when it cannot find the required secrets:

      $ # NOTE that I'm mounting the local keystore that was created using setup.sh
      $ docker run --rm -it  --env DS_SET_UID_ADMIN_AND_MONITOR_PASSWORDS=true  --env DS_UID_ADMIN_PASSWORD=password --env DS_UID_MONITOR_PASSWORD=password --mount type=bind,src=`pwd`/config,dst=/opt/opendj/secrets ds:latest start-ds
      
      Initializing "data/db" from Docker image
      Initializing "data/changelogDb" from Docker image
      Initializing "data/import-tmp" from Docker image
      Initializing "data/locks" from Docker image
      Initializing "data/var" from Docker image
      Upgrading configuration and data...
       * OpenDJ data has already been upgraded to version
       7.1.0.9b16dfb85b5366a148d0677f595eaf515a7957c8
      Updating the "uid=admin" password
      Updating the "uid=monitor" password
      
      Server configured with:
          Group ID                        : default
          Server ID                       : 2671dd0e9933
          Advertised listen address       : 2671dd0e9933
          Bootstrap replication server(s) : 2671dd0e9933:8989
      
      [18/Sep/2020:07:39:27 +0000] category=CORE severity=NOTICE msgID=134 msg=ForgeRock Directory Services 7.1.0-SNAPSHOT (build 20200918091022, revision number 9b16dfb85b5366a148d0677f595eaf515a7957c8) starting up
      [18/Sep/2020:07:39:27 +0000] category=JVM severity=NOTICE msgID=21 msg=Installation Directory:  /opt/opendj
      [18/Sep/2020:07:39:27 +0000] category=JVM severity=NOTICE msgID=23 msg=Instance Directory:      /opt/opendj
      [18/Sep/2020:07:39:27 +0000] category=JVM severity=NOTICE msgID=17 msg=JVM Information: 11.0.8+10 by N/A, 64-bit architecture, 22271229952 bytes heap size
      [18/Sep/2020:07:39:27 +0000] category=JVM severity=NOTICE msgID=20 msg=JVM Host: 2671dd0e9933 default/2671dd0e9933, running Linux 5.4.0-47-generic amd64, unknown physical memory size, number of processors available 16
      [18/Sep/2020:07:39:27 +0000] category=JVM severity=NOTICE msgID=19 msg=JVM Arguments: "-XX:MaxRAMPercentage=75", "-XX:+UseParallelGC", "-XX:MaxTenuringThreshold=1", "-Djava.security.egd=file:/dev/urandom", "-Dorg.opends.server.scriptName=start-ds"
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'Administration Connector' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1527 msg=No usable key was found for 'Administration Connector', which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'LDAP' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1527 msg=No usable key was found for 'LDAP', which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'HTTPS' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1527 msg=No usable key was found for 'HTTPS', which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'LDAPS' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1527 msg=No usable key was found for 'LDAPS', which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=SYNC severity=NOTICE msgID=204 msg=Replication server RS(2671dd0e9933) started listening for new connections on address 0.0.0.0 port 8989
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'Replication Client' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1527 msg=No usable key was found for 'Replication Client', which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'Replication Server' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1527 msg=No usable key was found for 'Replication Server', which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=SYNC severity=INFORMATION msgID=105 msg=Replication server accepted a connection from /172.17.0.2:47926 to local address /172.17.0.2:8989 but the SSL handshake failed. This is probably benign, but may indicate a transient network outage or a misconfigured client application connecting to this replication server. The error was: No available authentication scheme
      [18/Sep/2020:07:39:28 +0000] category=SYNC severity=WARNING msgID=120 msg=Directory server DS(2671dd0e9933) encountered an transient problem while connecting to replication server 2671dd0e9933:8989 for domain "uid=monitor". Directory server will try to connect to a replication server again
      [18/Sep/2020:07:39:28 +0000] category=SYNC severity=WARNING msgID=208 msg=Directory server DS(2671dd0e9933) was unable to connect to any replication servers for domain "uid=monitor"
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on Administration Connector 0.0.0.0:4444
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on LDAP 0.0.0.0:1389
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'Replication Server' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1527 msg=No usable key was found for 'Replication Server', which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'Replication Client' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1527 msg=No usable key was found for 'Replication Client', which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:28 +0000] category=SYNC severity=INFORMATION msgID=105 msg=Replication server accepted a connection from /172.17.0.2:47928 to local address /172.17.0.2:8989 but the SSL handshake failed. This is probably benign, but may indicate a transient network outage or a misconfigured client application connecting to this replication server. The error was: No available authentication scheme
      [18/Sep/2020:07:39:28 +0000] category=SYNC severity=WARNING msgID=120 msg=Directory server DS(2671dd0e9933) encountered an transient problem while connecting to replication server 2671dd0e9933:8989 for domain "uid=monitor". Directory server will try to connect to a replication server again
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on HTTP 0.0.0.0:8080
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on HTTPS 0.0.0.0:8443
      [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on LDAPS 0.0.0.0:1636
      [18/Sep/2020:07:39:29 +0000] category=CORE severity=NOTICE msgID=135 msg=The Directory Server has started successfully
      [18/Sep/2020:07:39:29 +0000] category=CORE severity=NOTICE msgID=139 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID org.opends.messages.core-135): The Directory Server has started successfully
      ^C[18/Sep/2020:07:39:29 +0000] category=CORE severity=NOTICE msgID=139 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerShutdown, alert ID org.opends.messages.core-141): The Directory Server has started the shutdown process. The shutdown was initiated by an instance of class org.opends.server.core.DirectoryServerShutdownHook and the reason provided for the shutdown was The Directory Server shutdown hook detected that the JVM is shutting down. This generally indicates that JVM received an external request to stop (e.g., through a kill signal)
      [18/Sep/2020:07:39:29 +0000] category=PROTOCOL severity=NOTICE msgID=277 msg=Stopped listening for new connections on Administration Connector 0.0.0.0:4444
      [18/Sep/2020:07:39:29 +0000] category=PROTOCOL severity=NOTICE msgID=277 msg=Stopped listening for new connections on LDAP 0.0.0.0:1389
      [18/Sep/2020:07:39:29 +0000] category=PROTOCOL severity=NOTICE msgID=277 msg=Stopped listening for new connections on HTTP 0.0.0.0:8080
      [18/Sep/2020:07:39:29 +0000] category=PROTOCOL severity=NOTICE msgID=277 msg=Stopped listening for new connections on HTTPS 0.0.0.0:8443
      [18/Sep/2020:07:39:29 +0000] category=PROTOCOL severity=NOTICE msgID=277 msg=Stopped listening for new connections on LDAPS 0.0.0.0:1636
      [18/Sep/2020:07:39:29 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'Replication Client' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:29 +0000] category=PROTOCOL severity=ERROR msgID=1527 msg=No usable key was found for 'Replication Client', which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:29 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'Replication Server' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:29 +0000] category=PROTOCOL severity=ERROR msgID=1527 msg=No usable key was found for 'Replication Server', which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
      [18/Sep/2020:07:39:29 +0000] category=SYNC severity=INFORMATION msgID=105 msg=Replication server accepted a connection from /172.17.0.2:47930 to local address /172.17.0.2:8989 but the SSL handshake failed. This is probably benign, but may indicate a transient network outage or a misconfigured client application connecting to this replication server. The error was: No available authentication scheme
      ...
      

      It would be nice if we could make the generated image easier to use, e.g. by generating temporary run-time keys if we detect that they are missing, although a loud warning should be displayed in this case.
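      As an added example (not part of this report, nor code from DS or its Docker sample): a small Python start-up audit that parses the DS error-log format shown above and flags the msgID=1526/1527 key errors, so that a deployment pipeline treats a container that starts with no usable TLS key as a failed start instead of trusting the final "started successfully" notice. The message IDs and texts come from the log above; the sample lines are a constructed subset of it, and Python 3.8+ is assumed.

```python
import re

# DS error-log layout as it appears in the log above:
# [18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=...
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] category=(?P<cat>\S+) severity=(?P<sev>\S+) "
                    r"msgID=(?P<id>\d+) msg=(?P<msg>.*)$")
# msgID 1526 = named alias missing for a connector, 1527 = connector has no usable key,
# 135 = "The Directory Server has started successfully" (all taken from the log above).
MISSING_ALIAS_RE = re.compile(r"alias '(?P<alias>[^']+)' used by '(?P<conn>[^']+)' could not be found")
NO_USABLE_KEY_RE = re.compile(r"No usable key was found for '(?P<conn>[^']+)'")
STARTED_MSGID = 135

# Constructed sample: a subset of the lines from the log above.
SAMPLE_LOG = """\
[18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'LDAPS' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
[18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1527 msg=No usable key was found for 'LDAPS', which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
[18/Sep/2020:07:39:28 +0000] category=PROTOCOL severity=ERROR msgID=1526 msg=The key with alias 'ssl-key-pair' used by 'HTTPS' could not be found, which may cause subsequent SSL connections to fail. Verify that the underlying keystore is properly configured
[18/Sep/2020:07:39:29 +0000] category=CORE severity=NOTICE msgID=135 msg=The Directory Server has started successfully
""".splitlines()

def parse_line(line):
    """Split one DS log line into its fields, or None if it is not a log line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_startup(lines):
    """Return (started, {alias: [connectors missing it]}, [connectors with no usable key])."""
    started, missing, keyless = False, {}, set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msgid = int(rec["id"])
        if msgid == STARTED_MSGID:
            started = True
        elif msgid == 1526 and (m := MISSING_ALIAS_RE.search(rec["msg"])):
            missing.setdefault(m.group("alias"), set()).add(m.group("conn"))
        elif msgid == 1527 and (m := NO_USABLE_KEY_RE.search(rec["msg"])):
            keyless.add(m.group("conn"))
    return started, {a: sorted(c) for a, c in missing.items()}, sorted(keyless)

def tls_healthy(lines):
    """True only when the server started AND every connector found its key."""
    started, missing, keyless = audit_startup(lines)
    return started and not missing and not keyless
```

      Feeding the container's stdout into `tls_healthy` gives a pipeline a single pass/fail answer for the condition the report describes: the server is up, but every TLS listener is without a key.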

              People

              • Assignee: Cyril Quinton (cyril.quinton)
              • Reporter: Matthew Swift (matthew)
              • Dev Assignee: Matthew Swift