  1. XWiki Docker images
  2. XDOCKER-241

Tomcat 9-jre11 base image move to eclipse-temurin makes XWiki image unusable


Details

    • Bug
    • Resolution: Fixed
    • Major
    • None
    • Unknown
    • N/A
    • N/A

    Description

      Tomcat base image 9-jre11 changed from 9-jre11-openjdk-buster to 9-jre11-temurin-jammy:
      https://github.com/docker-library/docs/blob/master/tomcat/README.md#supported-tags-and-respective-dockerfile-links

      Therefore the base image eclipse-temurin:11-jre-jammy will be used instead of openjdk:11-jre-bullseye.

      With this base image change xwiki:13.10.7 becomes unusable on our SLES 12SP5 (and also SLES 15) hosts.

      $ docker run -it --rm --entrypoint /bin/bash docker.io/library/eclipse-temurin:11-jre-jammy
      root@14bf7795a012:/# if [ -r /.dockerenv ]; then echo ok; else echo error; fi
      error
      root@14bf7795a012:/# java -version
      [0.011s][warning][os,thread] Failed to start thread - pthread_create failed (EPERM) for attributes: stacksize: 1024k, guardsize: 4k, detached.
      #
      # There is insufficient memory for the Java Runtime Environment to continue.
      # Cannot create worker GC thread. Out of system resources.
      # An error report file with more information is saved as:
      # //hs_err_pid8.log
      

      I figured out that this is because of active seccomp security profiles for docker:
      https://docs.docker.com/engine/security/seccomp/

      There is a bug report that explains the cause of the issue pretty well:
      https://github.com/adoptium/containers/issues/215#issuecomment-1142046045

      ...Latest glibc will attempt to use clone3(). As a result, most newer distro (ubuntu Jammy 22.04, but probably others) will fail unless we allow the syscall...

      However, I would like to communicate the issue here as well. I am pretty sure other XWiki users/customers will also get this issue, and you should know about it.
      I would love to have this information in the docs/FAQs, because this costs too much valuable time if this issue hits you.

      Maybe you decide to specify another tomcat base image, e.g. FROM tomcat:9-jre11-openjdk-bullseye?

      I know of three possible ways to fix the issue:

      1. Update docker-engine to >= 20.10.16
      2. Run docker container without the default seccomp profile
      3. Change base image back to tomcat:9-jre11-openjdk-bullseye

      For us option 1 is not an option, since we have to use docker engine provided by SLES. And somehow I dislike option 2 as well.
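
Added example, not part of the original report and not code from the XWiki or Adoptium projects: a probe that shows how the active seccomp policy answers clone3(), which is what decides whether a glibc that prefers clone3() can still create threads. It relies on glibc falling back to clone() only when clone3() returns ENOSYS; the function names are illustrative.

```c
/* Added example; function names are illustrative, not from XWiki or Adoptium. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SYS_clone3
#define SYS_clone3 435   /* syscall number on x86_64 and aarch64 */
#endif

enum clone3_status { CLONE3_ALLOWED, CLONE3_FALLBACK_OK, CLONE3_BLOCKED, CLONE3_UNKNOWN };

/* Map the errno from a deliberately invalid clone3() call to a verdict. */
enum clone3_status classify_clone3_errno(int err)
{
    switch (err) {
    case EINVAL:  /* the kernel saw the call and rejected the bad arguments */
    case EFAULT:
        return CLONE3_ALLOWED;
    case ENOSYS:  /* old kernel, or seccomp answering ENOSYS: glibc uses clone() */
        return CLONE3_FALLBACK_OK;
    case EPERM:   /* seccomp denies clone3: no fallback, pthread_create fails */
        return CLONE3_BLOCKED;
    default:
        return CLONE3_UNKNOWN;
    }
}

/* Call clone3 with a NULL argument struct and size 0. The kernel rejects the
 * size before doing anything else, so no process or thread is ever created. */
enum clone3_status probe_clone3(void)
{
    errno = 0;
    long rc = syscall(SYS_clone3, NULL, (size_t)0);
    return classify_clone3_errno(rc == -1 ? errno : 0);
}

int main(void)
{
    static const char *msg[] = {
        "clone3 allowed: glibc can create threads with clone3()",
        "clone3 answered with ENOSYS: glibc falls back to clone()",
        "clone3 denied with EPERM: expect the pthread_create failure from this report",
        "unexpected errno: inspect the seccomp profile manually",
    };
    enum clone3_status s = probe_clone3();
    puts(msg[s]);
    return s == CLONE3_BLOCKED ? 1 : 0;
}
```

Build it statically and run it in a container started with the same seccomp settings as the XWiki container; exit status 1 corresponds to the EPERM case shown in the `java -version` output above.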

          People

            vmassol Vincent Massol
            bbartke Bernd Bartke