Open SSL not available on Alpine Linux Kubernetes
792 views
Skip to first unread message
Cristian Radu
Nov 30, 2016, 8:33:09 AM11/30/16
to Search Guard
Hi guys,
I am trying to build a docker image for Kubernetes with search guard 5 openssl support enabled and running into the issue below. I'm using Alpine with the statically linked netty-tcnative.
I can't seem to spot where the problem might be. It just looks like it's not loading the jar correctly or maybe not the correct version of it ?
Attached a few files describing my setup.
[2016-11-30T12:56:42,225][INFO ][c.f.s.s.SearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.IllegalArgumentException: Failed to load any of the given libraries: [netty-tcnative-linux-x86_64, netty-tcnative-linux-x86_64-fedora, netty-tcnative]
Thanks in advance for your help.
Cristian
SG
Nov 30, 2016, 1:06:00 PM11/30/16
to search...@googlegroups.com
Did you try the dynamically linked libary too? (cause you installed openssl and apr which are not neccessary for statically linked version).
I dont have experience with alpine but you may look here https://github.com/pires/netty-tcnative-alpine and/or ask the netty project for help.
Search Guard does use vanilla netty tcnative so it should not be a problem to build either a dynamic or statically linked version for alpine if necessary.
See https://github.com/netty/netty-tcnative/issues/111 and https://github.com/netty/netty-tcnative/issues/152
Another thing: searchguard.ssl.transport.keystore_filepath and searchguard.ssl.transport.truststore_filepath in the config file are supposed to be relative paths (to the config dir)
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e2e6e75b-bb1d-48d1-b07a-fde2664368c8%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> <Dockerfile><docker-entrypoint.sh><elasticsearch.yaml.j2>
I dont have experience with alpine but you may look here https://github.com/pires/netty-tcnative-alpine and/or ask the netty project for help.
Search Guard does use vanilla netty tcnative so it should not be a problem to build either a dynamic or statically linked version for alpine if necessary.
See https://github.com/netty/netty-tcnative/issues/111 and https://github.com/netty/netty-tcnative/issues/152
Another thing: searchguard.ssl.transport.keystore_filepath and searchguard.ssl.transport.truststore_filepath in the config file are supposed to be relative paths (to the config dir)
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e2e6e75b-bb1d-48d1-b07a-fde2664368c8%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> <Dockerfile><docker-entrypoint.sh><elasticsearch.yaml.j2>
Cristian Radu
Dec 1, 2016, 10:36:43 AM12/1/16
to search...@googlegroups.com
Thanks a lot for your suggestions.
I was able to get it working using https://github.com/pires/netty-tcnative-alpine with NETTY_TCNATIVE_TAG=netty-tcnative-parent-1.1.33.Fork23
So it looks like this library must be compiled on Alpine in order for it to work. Probably due to the musl libc vs glibc on other distros.
Strange that the statically linked one did't work. I did try both dynamic and static, yes.
Cristian
On Wed, Nov 30, 2016 at 6:05 PM, SG <in...@search-guard.com> wrote:
Did you try the dynamically linked libary too? (cause you installed openssl and apr which are not neccessary for statically linked version).
I dont have experience with alpine but you may look here https://github.com/pires/netty-tcnative-alpine and/or ask the netty project for help.
Search Guard does use vanilla netty tcnative so it should not be a problem to build either a dynamic or statically linked version for alpine if necessary.
See https://github.com/netty/netty-tcnative/issues/111 and https://github.com/netty/netty-tcnative/issues/152
Another thing: searchguard.ssl.transport.keystore_filepath and searchguard.ssl.transport.truststore_filepath in the config file are supposed to be relative paths (to the config dir)
> Am 30.11.2016 um 14:33 schrieb Cristian Radu <cristian.andrei.radu@gmail.com>:
>
> Hi guys,
>
> I am trying to build a docker image for Kubernetes with search guard 5 openssl support enabled and running into the issue below. I'm using Alpine with the statically linked netty-tcnative.
> I can't seem to spot where the problem might be. It just looks like it's not loading the jar correctly or maybe not the correct version of it ?
>
> Attached a few files describing my setup.
>
> [2016-11-30T12:56:42,225][INFO ][c.f.s.s.SearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.IllegalArgumentException: Failed to load any of the given libraries: [netty-tcnative-linux-x86_64, netty-tcnative-linux-x86_64-fedora, netty-tcnative]
>
> Thanks in advance for your help.
>
> Cristian
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e2e6e75b-bb1d-48d1-b07a-fde2664368c8%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> <Dockerfile><docker-entrypoint.sh><elasticsearch.yaml.j2>
--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/C1B28F92-7E70-4053-942F-85760B1F5992%40search-guard.com.
Jasmine Hegman
Oct 25, 2017, 5:41:19 PM10/25/17
to Search Guard Community Forum
Thank you so much for your follow up Cristian! I just encountered this as well.
I was so confused by why the Alpine library was reporting fedora on boot:
Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.IllegalArgumentException: Failed to load any of the given libraries: [netty-tcnative-linux-x86_64, netty-tcnative-linux-x86_64-fedora, netty-tcnative]
Took some effort due to netty-tcnative-alpine's wget not working anymore with the maven download, but after switching it to curl it started working for me and built just as you described and it works a treat!
Open SSL OpenSSL 1.0.2l 25 May 2017 available
Just wanted to chime in and confirm that in late 2017 this approach still gets things working. :+1:
On Thursday, December 1, 2016 at 8:36:43 AM UTC-7, Cristian Radu wrote:
Thanks a lot for your suggestions.I was able to get it working using https://github.com/pires/netty-tcnative-alpine with NETTY_TCNATIVE_TAG=netty-tcnative-parent-1.1.33.Fork23So it looks like this library must be compiled on Alpine in order for it to work. Probably due to the musl libc vs glibc on other distros.Strange that the statically linked one did't work. I did try both dynamic and static, yes.Cristian
On Wed, Nov 30, 2016 at 6:05 PM, SG <in...@search-guard.com> wrote:
Did you try the dynamically linked libary too? (cause you installed openssl and apr which are not neccessary for statically linked version).
I dont have experience with alpine but you may look here https://github.com/pires/netty-tcnative-alpine and/or ask the netty project for help.
Search Guard does use vanilla netty tcnative so it should not be a problem to build either a dynamic or statically linked version for alpine if necessary.
See https://github.com/netty/netty-tcnative/issues/111 and https://github.com/netty/netty-tcnative/issues/152
Another thing: searchguard.ssl.transport.keystore_filepath and searchguard.ssl.transport.truststore_filepath in the config file are supposed to be relative paths (to the config dir)
> Am 30.11.2016 um 14:33 schrieb Cristian Radu <cristian.a...@gmail.com>:
>
> Hi guys,
>
> I am trying to build a docker image for Kubernetes with search guard 5 openssl support enabled and running into the issue below. I'm using Alpine with the statically linked netty-tcnative.
> I can't seem to spot where the problem might be. It just looks like it's not loading the jar correctly or maybe not the correct version of it ?
>
> Attached a few files describing my setup.
>
> [2016-11-30T12:56:42,225][INFO ][c.f.s.s.SearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.IllegalArgumentException: Failed to load any of the given libraries: [netty-tcnative-linux-x86_64, netty-tcnative-linux-x86_64-fedora, netty-tcnative]
>
> Thanks in advance for your help.
>
> Cristian
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e2e6e75b-bb1d-48d1-b07a-fde2664368c8%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> <Dockerfile><docker-entrypoint.sh><elasticsearch.yaml.j2>
--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
Search Guard
Oct 25, 2017, 5:48:33 PM10/25/17
to Search Guard Community Forum
Pls also look here https://github.com/floragunncom/search-guard-docs/blob/master/tls_openssl.md and
https://dl.bintray.com/floragunncom/netty-tcnative/
Meanwhile we provide statically compiled binaries for alpine
Jasmine Hegman
Oct 25, 2017, 5:52:05 PM10/25/17
to Search Guard Community Forum
Actually I posted too early. :blush:
I had two experiments running concurrently and one only installed `libuuid`as mentioned at the bottom of netty-tcnative-alpine's readme and with only that change it is working with the provided builds.
So if anyone runs into this again, just make sure libuuid is present.
Jasmine Hegman
Oct 25, 2017, 5:55:00 PM10/25/17
to Search Guard Community Forum
Thanks for the quick response! Unfortunately I was already following those instructions and using those compiled binaries and they did not work until `libuuid` was installed, but after that was installed they work perfectly. Thanks again!
SG
Oct 25, 2017, 5:58:10 PM10/25/17
to search...@googlegroups.com
can you submit a pull request for https://github.com/floragunncom/search-guard-docs/blob/master/tls_openssl.md to include the steps neccessary to make it work? that would really be great.
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/3f34531a-d64f-49d3-89ff-da4ef47cd8f5%40googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages