
Issue when using host file in docker container for karaf


My issue is the "auto-encryption" of the karaf users.properties file done by jasypt. I am using docker to quickly deploy 3 karaf environments.

I am using the karaf-maven-plugin to build a simple karaf archetype, containing the basic features I need, and then I build a docker image and run it in Docker, externalizing some folders, which are environment-specific.

Here is an extract of my Dockerfile:

VOLUME ["/opt/karaf/deploy"]
VOLUME ["/opt/karaf/data"]
VOLUME ["/opt/karaf/etc/config-files"]

RUN rm /opt/karaf/etc/users.properties

RUN ln -s /opt/karaf/etc/config-files/users.properties /opt/karaf/etc/users.properties \
        && ln -s /opt/karaf/etc/config-files/log4j2.xml /opt/karaf/etc/log4j2.xml 

And, here is the run command I am using:

docker run -it --rm -p 8181:8181 \
        -v d:/amc_karaf/config-files:/opt/karaf/etc/config-files \
        -v d:/amc_karaf/deploy:/opt/karaf/deploy \
        -v d:/amc_karaf/data:/opt/karaf/data \
        --name karaf-container karaf:test

As you can see, the actual users.properties file is stored on my host and not in my container, and it works (authentication using the password stored on the host works).

Now, here's what happens:

  • when I do not externalize the users.properties (symbolic link + volume), the passwords are properly encrypted as soon as I modify them and save.
  • when I do use the externalization of the file, the encryption is only performed when I start karaf, not as soon as I save the file.

I suspect the issue might be related to Felix, which from my understanding watches the file for change, and the externalization using docker volume. I have however not been able to find a solution to that specific problem.

Do you have any ideas or suggestions on how to solve this?

(I also have the same issue with the deploy folder. When I add new bundles in the deploy folder, I need to restart karaf otherwise they will not be automatically started as I would normally expect them to. But I do see them when I use ls on the folder.)


Solution

  • There are known (probably difficult to solve) issues related to sharing folders with docker containers.

    I don't know the details, but more often than not applications running inside containers have a hard time tracking file changes or file additions if said changes have been made on the host machine.

    When modifying config files for Karaf running inside docker I often have to resort to docker exec -it karaf /bin/bash and use some touch or cp command trickery before karaf detects the new configurations. This is also the case when I am installing features that add configs from my local maven repository to a running karaf.

    Trickery:

    1. use the touch command on the modified file (doesn't always work).
    2. when touch fails I usually have to copy the configuration file to a new file, delete the original and rename the copy to the original name.

    These are not exclusive to docker and plague podman as well.

    One way to get around these issues is to use the karaf shell to add the user:

    jaas:realm-list
    # Check the index of the properties module (usually 1)
    jaas:manage-realm --index <index>

    jaas:user-add <username> <password>
    jaas:group-add <username> <group>
    jaas:update

    # example: create new user example-user and add it to admingroup
    jaas:manage-realm --index 1
    jaas:user-add example-user password
    jaas:group-add example-user admingroup
    jaas:update


    Other alternatives would be to use some other login module which could allow you to use something like active directory or a database to authenticate users.
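The copy/delete/rename fallback from the answer's "trickery" list, written up as a reusable shell function. This is an added example, not code from the question or the answer; it assumes a POSIX shell with cp, rm, mv, touch, ls, awk and readlink available (busybox or coreutils), and the function and helper names are my own.

```shell
#!/bin/sh
# Added example, not part of the answer above: the copy/delete/rename fallback
# the answer describes, as a reusable function. Assumes a POSIX shell plus the
# cp, rm, mv, touch, ls, awk and readlink utilities (busybox or coreutils).

# refresh_config FILE
# Copy FILE next to itself, remove the original and rename the copy back.
# The path then has a new inode and a new mtime, which is what the answer's
# "trickery" relies on when a plain touch is not picked up.
refresh_config() {
    f=$1
    [ -f "$f" ] || { echo "refresh_config: $f is not a regular file" >&2; return 1; }
    # The Dockerfile in the question symlinks etc/users.properties into the
    # volume; replace the link target, not the link, so the link survives.
    # Only one level of indirection is resolved (readlink -f is not POSIX).
    if [ -L "$f" ]; then
        target=$(readlink "$f")
        case $target in
            /*) f=$target ;;
            *)  f=$(dirname "$f")/$target ;;
        esac
    fi
    tmp="$f.refresh.$$"
    # -p keeps owner and mode bits: users.properties holds credentials and
    # should not become world-readable as a side effect of the workaround.
    cp -p "$f" "$tmp" || return 1
    rm -f "$f"
    mv "$tmp" "$f"
    touch "$f"
}

# inode_of FILE: inode number via POSIX ls -i, to confirm the file was replaced.
inode_of() {
    ls -i "$1" | awk '{print $1}'
}
```

Run it from inside the container (for example via the docker exec session the answer mentions) against the mounted path, since the answer's point is that changes made from the host side are the ones that go unnoticed.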