Skip to content

Instantly share code, notes, and snippets.

@andystanton
Last active November 15, 2022 08:17
Show Gist options
  • Save andystanton/958a9a87f5b5a4eae537f96f896a19bc to your computer and use it in GitHub Desktop.
Save andystanton/958a9a87f5b5a4eae537f96f896a19bc to your computer and use it in GitHub Desktop.
A script that inspects the DNS TTL for a JVM in a supplied Docker image.

A script that inspects the DNS TTL for a JVM in a supplied Docker image. The image must also contain a JDK.

It does this by generating a Docker image containing a Java program that outputs the JVM's DNS TTL and executing this, then cleaning up the container, image and temporary files.

Usage

$ ./jvm-dns-ttl-policy.sh openjdk:8

This will download the image if necessary and then output the image JVM's DNS TTL:

Building Docker image based on openjdk:8 ...
Testing DNS TTL ...
Implementation DNS TTL for JVM in Docker image based on openjdk:8 is 30 seconds

Optionally you can pass an argument --enable-security-manager to the script and it will test the behaviour with a security manager enabled.

$ ./jvm-dns-ttl-policy.sh openjdk:8 --enable-security-manager

Which outputs:

Building Docker image based on openjdk:8 ...
Testing DNS TTL ...
Implementation DNS TTL for JVM in Docker image based on openjdk:8 (with security manager enabled) is -1 seconds
#!/bin/sh
if [ -z "${1}" ]; then
echo "Usage: ${0} <image> --enable-security-manager"
exit 1
fi
target_image="${1}"
dockerfile="
FROM ${target_image}
WORKDIR /var/tmp
RUN printf ' \\
public class DNSTTLPolicy { \\
public static void main(String args[]) { \\
System.out.printf(\"Implementation DNS TTL for JVM in Docker image based on '${target_image}' is %%d seconds\\\\n\", sun.net.InetAddressCachePolicy.get()); \\
} \\
}' >DNSTTLPolicy.java
RUN javac DNSTTLPolicy.java -XDignore.symbol.file
CMD java DNSTTLPolicy
ENTRYPOINT java DNSTTLPolicy
"
dockerfile_security_manager="
FROM ${target_image}
WORKDIR /var/tmp
RUN printf ' \\
public class DNSTTLPolicy { \\
public static void main(String args[]) { \\
System.out.printf(\"Implementation DNS TTL for JVM in Docker image based on '${target_image}' (with security manager enabled) is %%d seconds\\\\n\", sun.net.InetAddressCachePolicy.get()); \\
} \\
}' >DNSTTLPolicy.java
RUN printf ' \\
grant { \\
permission java.security.AllPermission; \\
};' >all-permissions.policy
RUN javac DNSTTLPolicy.java -XDignore.symbol.file
CMD java -Djava.security.manager -Djava.security.policy==all-permissions.policy DNSTTLPolicy
ENTRYPOINT java -Djava.security.manager -Djava.security.policy==all-permissions.policy DNSTTLPolicy
"
target_dockerfile="${dockerfile}"
if [ -n "${2}" ] && [ "${2}" == "--enable-security-manager" ]; then
target_dockerfile="${dockerfile_security_manager}"
fi
tag_name="jvm-dns-ttl-policy"
output_file="$(mktemp)"
function cleanup() {
rm "${output_file}"
docker rmi "${tag_name}" >/dev/null
}
trap "cleanup; exit" SIGHUP SIGINT SIGTERM
echo "Building Docker image based on ${target_image} ..." >&2
docker build -t "${tag_name}" - <<<"${target_dockerfile}" &>"${output_file}"
if [ "$?" -ne 0 ]; then
>&2 echo "Error building test image:"
cat "${output_file}"
cleanup
exit 1
fi
echo "Testing DNS TTL ..." >&2
docker run --rm "${tag_name}" &>"${output_file}"
if [ "$?" -ne 0 ]; then
>&2 echo "Error running test image:"
cat "${output_file}"
cleanup
exit 1
fi
cat "${output_file}"
cleanup
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment