Environment variable not expanded in JVM system properties using Jib and base image


I have a Jib configuration like this:


environment = [
        'QUARKUS_PROFILE'         : 'test',
        'TRUSTSTORE'              : '/etc/ssl/certs/java/cacerts/keystore.jks',
        'TRUSTSTORE_PASSWORD'     : 'no.secret',
        'JAVA_APP_JAR'            : '/deployments/myapp-runner.jar',
        'JAVA_APP_NAME'           : 'myapp',
        // Tried using JAVA_OPTS_APPEND or JAVA_TOOL_OPTIONS
        'JAVA_OPTS_APPEND'        : '-Djavax.net.ssl.trustStore=${TRUSTSTORE} -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWORD}',
        'JAVA_TOOL_OPTIONS'       : '-Djavax.net.ssl.trustStore=${TRUSTSTORE} -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWORD}'
]
entrypoint = 'INHERIT'

I have a custom base image where I would like to run the official run-java.sh and be able to pass the JVM system properties expanded.

Thanks

Things I tried:

  • using JAVA_OPTS_APPEND because run-java.sh echoes that variable and I thought it would trigger the variable expansion

  • using JAVA_TOOL_OPTIONS because Jib uses it

  • many different ENTRYPOINTS in base image and Jib configuration

    • CMD ["/deployments/entrypoint.sh"]
    • ENTRYPOINT ["/deployments/entrypoint.sh"]
    • ENTRYPOINT ["/bin/sh", "-c", "/deployments/entrypoint.sh"]
    • ENTRYPOINT exec "/deployments/entrypoint.sh"
  • tried the current entrypoint-ssl.sh in the base image

FROM registry.access.redhat.com/ubi9/openjdk-21-runtime:1.17

RUN <<EOF cat >> /deployments/entrypoint-ssl.sh
#!/bin/bash
startup() {
  echo "Running custom entrypoint for trustStore"
  exec -a "${JAVA_APP_NAME}" java -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWORD} -Djavax.net.ssl.trustStore=${TRUSTSTORE} -cp "." -jar ${JAVA_APP_JAR} $*
}
#
startup $*
EOF
RUN chmod +x /deployments/entrypoint-ssl.sh

The ubi9 image has no entrypoint but

CMD ["/opt/jboss/container/java/run/run-java.sh"] 

Dockerfile registry.access.redhat.com/ubi9/openjdk-21-runtime

run-java.sh

The only way I can get access to the variables is

  • Option a: by accessing directly in the entrypoint command ENTRYPOINT ["/bin/sh", "-c", "echo ${TRUSTSTORE}"]
  • Option b: by using this entrypoint in Jib entrypoint = ['/bin/sh', '-c','exec -a "${JAVA_APP_NAME}" java -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWORD} -Djavax.net.ssl.trustStore=${TRUSTSTORE} -cp "." -jar ${JAVA_APP_JAR} $*']

Is there any way of expanding environment variables in JAVA_TOOL_OPTIONS or JAVA_OPTS_APPEND? If not, is it possible to move the workaround entrypoint to the base image?


There is 1 answer

Chanseok Oh

Basically, this is a Bash/shell question. Let's talk about this variable:

'JAVA_TOOL_OPTIONS' : '-Djavax.net.ssl.trustStore=${TRUSTSTORE} -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWORD}'

First, you need to understand who expands (replaces) the strings of the form $FOO at which point in time. In your case, it's certainly not Gradle (although you could have Gradle do that easily if, for example, you know TRUSTSTORE is static and won't dynamically change at container runtime). Most of the time, it's a shell program that replaces such strings.

Then, it's like you are asking the shell to replace a string inside a string that is replacing yet another string. That is, you want it to replace strings recursively such that, for example, FOO="foo $FOO" may expand to an infinite sequence of foo's.

But Bash doesn't recursively expand variables: https://unix.stackexchange.com/questions/194028/variable-not-expanding-inside-another-variable-bash

For example,

$ ( INNER='inner' OUTER='$INNER' ; echo $OUTER )
$INNER

OTOH, the following script expands $INNER first and then assigns the expanded value (the string literal of inner) to OUTER.

$ ( INNER='inner' OUTER="$INNER" ; echo $OUTER )
inner

Lastly, I am not sure if this will help, but just in case: Jib - How to use environmental variables from base image
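
The single round of expansion described in the answer, and one way a wrapper entrypoint could render the placeholders itself, shown as an added example that is not part of the original question or answer. The function names `expand_allowed`, `plain` and `rendered` are hypothetical; unlike `eval`, the function substitutes only allow-listed `${NAME}` forms and copies everything else (including any `$(...)`) through as literal text.

```shell
#!/bin/sh
# Added example (not from the original post): render ${NAME} placeholders held
# inside another variable, for allow-listed names only and without eval.

# expand_allowed TEMPLATE NAME...
# Single left-to-right pass; substituted values are never rescanned.
expand_allowed() (
  rest=$1; shift
  allowed=" $* " open='${' close='}' out=
  while :; do
    case $rest in *"$open"*"$close"*) ;; *) break ;; esac
    out=$out${rest%%"$open"*}          # copy text before the placeholder
    rest=${rest#*"$open"}
    name=${rest%%"$close"*}            # text between ${ and }
    rest=${rest#*"$close"}
    case $name in
      ''|[0-9]*|*[!A-Za-z0-9_]*) ;;    # not a plain variable name: keep literal
      *) case $allowed in
           *" $name "*)
             if val=$(printenv "$name"); then out=$out$val; continue; fi ;;
         esac ;;
    esac
    out=$out$open$name$close           # not allow-listed or unset: keep literal
  done
  printf '%s' "$out$rest"
)

# Constructed sample values mirroring the question's Jib environment block.
export TRUSTSTORE='/etc/ssl/certs/java/cacerts/keystore.jks'
export TRUSTSTORE_PASSWORD='no.secret'
JAVA_OPTS_APPEND='-Djavax.net.ssl.trustStore=${TRUSTSTORE} -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWORD}'

# The shell expands $JAVA_OPTS_APPEND once; the placeholders inside survive.
plain() { printf '%s' "$JAVA_OPTS_APPEND"; }

# What a wrapper entrypoint can compute before exec-ing the real launcher.
rendered() { expand_allowed "$JAVA_OPTS_APPEND" TRUSTSTORE TRUSTSTORE_PASSWORD; }

printf 'plain:    %s\n' "$(plain)"
printf 'rendered: %s\n' "$(rendered)"
```

A wrapper entrypoint in the base image could export the rendered string as JAVA_OPTS_APPEND before exec-ing run-java.sh. A password passed as a `-D` option is visible in the Java process's command line to anyone who can list processes in the container.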