Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: UBI9 Containers 1.20
Affects Version/s: None
Component/s: container
Labels:
- customer

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Intelligence Requested:
Market:

Severity:
Important

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

See attached example - in this case the TRUSTSTORE_PASSWORD environment variable is populated from a secret, and added to JAVA_OPTS_APPEND:

               "-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)

The password is visible in the application logs during pod start:

Starting the Java application using /opt/jboss/container/java/run/run-java.sh ...
INFO exec -a "java" java -XX:MaxRAMPercentage=80.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:+ExitOnOutOfMemoryError -Djavax.net.ssl.trustStorePassword=supersecretpassword -cp "." -jar /deployments/csb-app-1.0-SNAPSHOT.jar

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

csb-app.tar.gz
7 kB
2024/02/28 5:54 PM

links to

RHBA-2024:132720 Updated RHEL-9-based OpenJDK container images

1.

OpenJDK image should scrub passwords from logs [rhel-8]

Closed

Jonathan Dowland

Assignee:: Jonathan Dowland

Reporter:: Stephen Higgs

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2024/02/28 5:53 PM

Updated:: 2024/06/06 9:58 PM

Resolved:: 2024/06/06 9:58 PM