WARNING: The sunec native library... using multistage Images

[Jerry Thome]

I built a service that makes secure JDBC calls to Azure.  Works great locally.  Works great in OpenShift when the image is built via Dockerfile.jvm.  I'm having an issue running the application when built with Dockerfile.native.

I came across the multistage guide which is very handy!  I was very hopeful this would work without issues because the images have everything that's needed  I created a multistage file exactly like in the guide:

## Stage 1 : build with maven builder image with native capabilities
FROM quay.io/quarkus/centos-quarkus-maven:19.0.2 AS build
COPY src /usr/src/app/src
COPY pom.xml /usr/src/app
USER root
RUN chown -R quarkus /usr/src/app
USER quarkus
RUN mvn -f /usr/src/app/pom.xml -Pnative clean package
## Stage 2 : create the docker final image
FROM registry.access.redhat.com/ubi8/ubi
WORKDIR /work/
COPY --from=build /usr/src/app/target/*-runner /work/application
RUN chmod 775 /work
EXPOSE 8080
CMD ["./application", "-Dquarkus.http.host=0.0.0.0"]

I am using <quarkus.version>0.19.1</quarkus.version>.  I successfully ran the build and started the container.  My first request yields the below error:

[devadmin@localhost notification-customer]$ docker run -i --rm --name notify -p 8080:8080  fss/notification-customer-native
2019-07-18 21:31:49,427 INFO  [io.quarkus] (main) Quarkus 0.19.1 started in 0.023s. Listening on: http://0.0.0.0:8080
2019-07-18 21:31:49,428 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, hibernate-validator, jdbc-h2, jdbc-mssql, narayana-jta, resteasy, resteasy-jsonb, security, smallrye-openapi, swagger-ui]
2019-07-18 21:33:50,725 INFO  [com.fol.not.api.fil.LoggingFilter] (executor-thread-1) Request GET /notification-customer/customers from IP xxx.xx.x.x
WARNING: The sunec native library, required by the SunEC provider, could not be loaded. This library is usually shipped as part of the JDK and can be found under <JAVA_HOME>/jre/lib/<platform>/libsunec.so. It is loaded at run time via System.loadLibrary("sunec"), the first time services from SunEC are accessed. To use this provider's services the java.library.path system property needs to be set accordingly to point to a location that contains libsunec.so. Note that if java.library.path is not set it defaults to the current working directory.
2019-07-18 21:33:50,978 ERROR [io.und.req.io] (executor-thread-1) Exception handling request 2b5b83fb-6cd8-4725-9ff2-c5efb11f7cc3-1 to /notification-customer/customers: org.jboss.resteasy.spi.UnhandledException: java.lang.UnsatisfiedLinkError: sun.security.ec.ECKeyPairGenerator.generateECKeyPair(I[B[B)[Ljava/lang/Object; [symbol: Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair or Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair__I_3B_3B]
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:106)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:372)
...
Caused by: java.lang.UnsatisfiedLinkError: sun.security.ec.ECKeyPairGenerator.generateECKeyPair(I[B[B)[Ljava/lang/Object; [symbol: Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair or Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair__I_3B_3B]
        at com.oracle.svm.jni.access.JNINativeLinkage.getOrFindEntryPoint(JNINativeLinkage.java:145)
        at com.oracle.svm.jni.JNIGeneratedMethodSupport.nativeCallAddress(JNIGeneratedMethodSupport.java:57)
        at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(ECKeyPairGenerator.java)
        at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:128)

        

I eventually ran across this other Quarkus guide which makes me feel like SSL should work 'out of the box', especially when following the multistage example.  I checked the image output and do see security services are enabled.

[INFO] [io.quarkus.creator.phase.nativeimage.NativeImagePhase] /opt/graalvm/bin/native-image -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager --initialize-at-build-time= -H:InitialCollectionPolicy=com.oracle.svm.core.genscavenge.CollectionPolicy$BySpaceAndTime -jar notification-customer-1.0-SNAPSHOT-runner.jar -J-Djava.util.concurrent.ForkJoinPool.common.parallelism=1 -H:FallbackThreshold=0 -H:+ReportExceptionStackTraces -H:+PrintAnalysisCallTree -H:+AddAllCharsets -H:EnableURLProtocols=http,https --enable-all-security-services -H:-SpawnIsolates -H:+JNI --no-server -H:-UseServiceLoaderFeature -H:+StackTrace

It seems like java.library.path isn't set. Do I need to pass something into the native build process to tell it the file is at \graalvm-ce-19.0.2\jre\lib\amd64\libsunec.so ?  Did I miss something in the documentation?

Any help would be appreciated.

Thank you.

[Jerry Thome]

Does anyone out there have a Quarkus app making secure JDBC calls while running in a native image?  If so, did you set anything special at build time?

Thanks!

[Emmanuel Bernard]

Can you open an issue in GitHub with a reproducible, I think we need to test/make a better job in that area.

On 24 Jul 2019, at 13:23, Jerry Thome wrote:

Does anyone out there have a Quarkus app making secure JDBC calls while running in a native image?  If so, did you set anything special at build time?

Thanks!

--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/09679d56-dace-4f23-be8c-159852f55a2a%40googlegroups.com.

[Guillaume Smet]

This will help you: https://github.com/quarkusio/quarkus/pull/3222/files .

It will be included in the guide when we publish 0.20.0 at the end of July.

Maybe we should add a link from the multi-stage guide to this one. I'll have a look.

Feedback welcome if it doesn't solve your issue.

--

Guillaume

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/0AF77371-D7D3-494C-A889-8C7A4BE5F16E%40redhat.com.

[Jerry Thome]

That PR did provide the missing link.  Thank you.

We now have GraalVM baked into the pipeline and deploying to OpenShift. The application is generally working.  BUT, after building and deploying with GraalVM, I no longer see metrics being reported (we view metrics via Instana). This application uses the Quarkus health checks and metrics extensions.  

I have triple checked that branches are all merged correctly on our side.  Things were good when using the 'JVM' Docker image.  Is it possible that somehow extensions can be omitted during the GraalVM compiling process?  More likely, grabbing metrics from Java and Containers is different than from a GraalVM and I need to talk to our vendor about support.  Anyone experience something like this?

Thanks.

[Loïc MATHIEU]

Hi Jerry,

Instana is an APM tool, is it using metrics like prometheus metric  that are integrated in Quarkus via the microprofile metrics extension or is it using other kind of technology (like JMX, sericeability or Java agent) ?

Because GraalVM CE don't inlude all those other technologies, that may be why you didn't see all the metrics in Instana after migrating to GraalVM.

Reading the following page on there website : https://www.instana.com/supported-technologies/java-monitoring/ I'm pretty sure it's using the serviceability API to automatically install a Java agent when discovering a Java application. This cannot works with GrallVM CE, I'm not sure it will work with GrallVM enterprise. You should ask the Instana support (and GrallVM support if you have it).

I see that Instana can also monitor via Open Tracing, you will not have the full monitoring capability of Instana with it, but if you use the open tracing extension of Quarkus, you will at least have Instana detects transactions inside your apps thanks to Open Tracing monitoring agent it provides.

So, according to me, it's GraalVM that is not compatible with Instana et not Quarkus ...

Regards,

Loïc

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALjXcUZ8LSAuqpnukVMMwsGKYXvfB_N_f3b76%3Dodr2YUwgqXmQ%40mail.gmail.com.

[Sanne Grinovero]

On Fri, 26 Jul 2019 at 09:05, Loïc MATHIEU <loik...@gmail.com> wrote:
>
> Hi Jerry,
>
> Instana is an APM tool, is it using metrics like prometheus metric that are integrated in Quarkus via the microprofile metrics extension or is it using other kind of technology (like JMX, sericeability or Java agent) ?
> Because GraalVM CE don't inlude all those other technologies, that may be why you didn't see all the metrics in Instana after migrating to GraalVM.
>
> Reading the following page on there website : https://www.instana.com/supported-technologies/java-monitoring/ I'm pretty sure it's using the serviceability API to automatically install a Java agent when discovering a Java application. This cannot works with GrallVM CE, I'm not sure it will work with GrallVM enterprise. You should ask the Instana support (and GrallVM support if you have it).
>
> I see that Instana can also monitor via Open Tracing, you will not have the full monitoring capability of Instana with it, but if you use the open tracing extension of Quarkus, you will at least have Instana detects transactions inside your apps thanks to Open Tracing monitoring agent it provides.
>
> So, according to me, it's GraalVM that is not compatible with Instana et not Quarkus ...

well, pretty much nothing is compatible with GraalVM out of the box :)
but Quarkus is able to make any such technologies compatible... so
even if the expectations need to be clarified, we could still try to
fix this.

I don't know much about Instana though, and this is not an urgent
thing for us. Jerry, maybe you could try creating a Quarkus extension
for it?

> To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CAJLxjVFXAZHXR85xFdRx9-OLk-nauEx4ok0uhpJXSpjs%2BkEqSQ%40mail.gmail.com.