UNCLASSIFIED - NO CUI

Container Startup Failing

Summary

From Jira ticket created for this issue

When we last ran the Iron Bank Container Hardening pipeline for our image's feature branch (https://repo1.dso.mil/dsop/f18-navy-boeing/osee/osee-postgres/-/pipelines/488224) the resultant build pipeline output image was fine and runs OK. However, between that feature branch run and IB's merge runs of our feature branch to Development and then Master, our application's base container image (OpenJDK8) looks to have gotten rebuilt on its master branch. Ever since that, the IB [development and] master branch runs on OUR container have been producing application container images that won't fire up! (https://repo1.dso.mil/dsop/f18-navy-boeing/osee/osee-postgres/-/pipelines/491013, https://repo1.dso.mil/dsop/f18-navy-boeing/osee/osee-postgres/-/pipelines/491046 both built fine, but the output images won't run). We first noticed the problem when pulling down our latest image from Registry1. Back-tracing "when did we break" by digging out the individual IB pipeline runs' "post-build" / "create-tar" image artifacts and testing each individually, we traced the "we used to work, now broken" timeline to what's described above. How do we get the IB pipeline to re-build our container into a running result now? What was the change (presumably to IB OpenJDK8) that is now breaking us? The error we get when activating our image is now along the lines of, "java.security.ProviderException: NSS module not available: fips". What's odd is that poking inside our images, we haven't yet found any Java-related differences between the ones that work and the ones that won't fire up. They are all (both working and not) using openjdk version "1.8.0_302", OpenJDK Runtime Environment (build 1.8.0_302-b08), for example. Envvars seem to be the same. We're mystified. Thanks!

Steps to reproduce

docker run

What is the current bug behavior?

Exception thrown on startup java.security.ProviderException: NSS module not available: fips

What is the expected correct behavior?

Container starts w/o an exception

Relevant logs and/or screenshots

Possible fixes

Issue in OpenJDK8 project for this same exception provides a link to a Red Hat support issue suggesting disabling FIPS w/in Java

Defintion of Done

  • Bug has been identified and corrected within the container

UNCLASSIFIED - NO CUI