高山Linux，非root用户，Java 7，Setcap：libjli.so：没有这样的文件或目录（java所需）

Question

On an Alpine Linux docker container I have created. I have set up a non-root user to run my java (jboss) server. I am trying to give it access to run on ports < 1024. As a result, I have had to use setcap in order to provide Java with the permissions in order to run on ports < 1024.

Please note that authbind does not yet exist on Alpine Linux , so this is not an option. Setcap is the recommended approach. See the final comment: https://github.com/gliderlabs/docker-alpine/issues/166

$ setcap cap_net_bind_service=+eip /opt/jdk1.7.0_51/bin/java \    
cap_net_bind_service=+eip /opt/jdk1.7.0_51/jre/bin/java

However, per Oracle, there is a known bug (and workaround) that resolves the setcap problem: http://bugs.java.com/view_bug.do?bug_id=7157699

Basically, they recommend creating a file with the below contents. Please note that I have installed java into "/opt/jdk1.7.0_51", and this is a 64 bit version, so the directory paths are different.

$ mkdir -p /etc/ld.so.conf.d
$ echo "/opt/jdk1.7.0_51/jre/lib/amd64/jli" > /etc/ld.so.conf.d/java.conf
$ cat /etc/ld.so.conf.d/java.conf
/opt/jdk1.7.0_51/jre/lib/amd64/jli

However, this did not work. I have also tried creating links to the file:

$ ln -s /opt/jdk1.7.0_51/jre/lib/amd64/jli/libjli.so /lib64/
$ ls -al /lib64
...
... libjli.so -> /opt/jdk1.7.0_51/jre/lib/amd64/jli/libjli.so
...
$ ls /opt/jdk1.7.0_51/jre/lib/amd64/jli/
libjli.so

This also did not work. I have tried debugging the problem as recommended in the original post using ldconfig:

$ ldconfig | grep libjli

This doesn't work. Alpine runs a customer version of ldconfig with little documentation, so I haven't figured out exactly what to do.

Regardless, everytime I try to debug using ldd, I still get this error:

$ /opt/jdk1.7.0_51/jre/bin$ ldd java
    /lib64/ld-linux-x86-64.so.2 (0x55901c23e000)
    libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x55901c23e000)
Error loading shared library libjli.so: No such file or directory (needed by java)
    libdl.so.2 => /lib64/ld-linux-x86-64.so.2 (0x55901c23e000)
    libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x55901c23e000)
Error relocating java: JLI_Launch: symbol not found

I don't know what more I can possibly do at this point. I wanted to avoid changing our software again to get it to work under alpine, as that requires a release process and can potentially impact customers who are not yet on Docker. I don't really want to touch the ports again because they are working under root. I will have to go through another debug process to configure the load balancer, docker port redirection, customize recompile and debug our software, and then retest all of the above to make sure our automated scripts deploy it all correctly. This is something I'd perfer to avoid.

Anyone have suggestions?

Answer 1

The problem with libjli.so seems to be that the Oracle JDK are built using glibc whereas Alpine uses musl libc.

Issues for Java 8 have been opened for this, I guess they are also valid for Java 7:

• Alpine libs not compatible with Java 8
• libjli.so is missing for java:8-jre-alpine

There is this Docker image that provides glibc for Alpine, you may be able to use it as a base. It has been used to build a Oracle JDK 8 image .