andystanton/JVM DNS TTL Policy.md

## JVM DNS TTL Policy.md

      
    Raw
  

              JVM DNS TTL Policy.md
            
          
    A script that inspects the DNS TTL for a JVM in a supplied Docker image. The image must also contain a JDK.
It does this by generating a Docker image containing a Java program that outputs the JVM's DNS TTL and executing this, then cleaning up the container, image and temporary files.
Usage

$ ./jvm-dns-ttl-policy.sh openjdk:8
This will download the image if necessary and then output the image JVM's DNS TTL:
Building Docker image based on openjdk:8 ...
Testing DNS TTL ...
Implementation DNS TTL for JVM in Docker image based on openjdk:8 is 30 seconds

Optionally you can pass an argument --enable-security-manager to the script and it will test the behaviour with a security manager enabled.
$ ./jvm-dns-ttl-policy.sh openjdk:8 --enable-security-manager
Which outputs:
Building Docker image based on openjdk:8 ...
Testing DNS TTL ...
Implementation DNS TTL for JVM in Docker image based on openjdk:8 (with security manager enabled) is -1 seconds


## jvm-dns-ttl-policy.sh
#!/bin/sh

if [ -z "${1}" ]; then
  echo "Usage: ${0} <image> --enable-security-manager"
  exit 1
fi

target_image="${1}"

dockerfile="
FROM        ${target_image}
WORKDIR     /var/tmp
RUN         printf ' \\
              public class DNSTTLPolicy { \\
                public static void main(String args[]) { \\
                  System.out.printf(\"Implementation DNS TTL for JVM in Docker image based on '${target_image}' is %%d seconds\\\\n\", sun.net.InetAddressCachePolicy.get()); \\
                } \\
              }' >DNSTTLPolicy.java
RUN         javac DNSTTLPolicy.java -XDignore.symbol.file
CMD         java DNSTTLPolicy
ENTRYPOINT  java DNSTTLPolicy
"

dockerfile_security_manager="
FROM        ${target_image}
WORKDIR     /var/tmp
RUN         printf ' \\
              public class DNSTTLPolicy { \\
                public static void main(String args[]) { \\
                  System.out.printf(\"Implementation DNS TTL for JVM in Docker image based on '${target_image}' (with security manager enabled) is %%d seconds\\\\n\", sun.net.InetAddressCachePolicy.get()); \\
                } \\
              }' >DNSTTLPolicy.java
RUN         printf ' \\
              grant { \\
                permission java.security.AllPermission; \\
              };' >all-permissions.policy
RUN         javac DNSTTLPolicy.java -XDignore.symbol.file
CMD         java -Djava.security.manager -Djava.security.policy==all-permissions.policy DNSTTLPolicy
ENTRYPOINT  java -Djava.security.manager -Djava.security.policy==all-permissions.policy DNSTTLPolicy
"

target_dockerfile="${dockerfile}"
if [ -n "${2}" ] && [ "${2}" == "--enable-security-manager" ]; then
  target_dockerfile="${dockerfile_security_manager}"
fi

tag_name="jvm-dns-ttl-policy"
output_file="$(mktemp)"

function cleanup() {
  rm "${output_file}"
  docker rmi "${tag_name}" >/dev/null
}

trap "cleanup; exit" SIGHUP SIGINT SIGTERM

echo "Building Docker image based on ${target_image} ..." >&2
docker build -t "${tag_name}" - <<<"${target_dockerfile}" &>"${output_file}"

if [ "$?" -ne 0 ]; then
  >&2 echo "Error building test image:"
  cat "${output_file}"
  cleanup
  exit 1
fi

echo "Testing DNS TTL ..." >&2
docker run --rm "${tag_name}" &>"${output_file}"

if [ "$?" -ne 0 ]; then
  >&2 echo "Error running test image:"
  cat "${output_file}"
  cleanup
  exit 1
fi

cat "${output_file}"

cleanup
	#!/bin/sh

	if [ -z "${1}" ]; then
	echo "Usage: ${0} <image> --enable-security-manager"
	exit 1
	fi

	target_image="${1}"

	dockerfile="
	FROM ${target_image}
	WORKDIR /var/tmp
	RUN printf ' \\
	public class DNSTTLPolicy { \\
	public static void main(String args[]) { \\
	System.out.printf(\"Implementation DNS TTL for JVM in Docker image based on '${target_image}' is %%d seconds\\\\n\", sun.net.InetAddressCachePolicy.get()); \\
	} \\
	}' >DNSTTLPolicy.java
	RUN javac DNSTTLPolicy.java -XDignore.symbol.file
	CMD java DNSTTLPolicy
	ENTRYPOINT java DNSTTLPolicy
	"

	dockerfile_security_manager="
	FROM ${target_image}
	WORKDIR /var/tmp
	RUN printf ' \\
	public class DNSTTLPolicy { \\
	public static void main(String args[]) { \\
	System.out.printf(\"Implementation DNS TTL for JVM in Docker image based on '${target_image}' (with security manager enabled) is %%d seconds\\\\n\", sun.net.InetAddressCachePolicy.get()); \\
	} \\
	}' >DNSTTLPolicy.java
	RUN printf ' \\
	grant { \\
	permission java.security.AllPermission; \\
	};' >all-permissions.policy
	RUN javac DNSTTLPolicy.java -XDignore.symbol.file
	CMD java -Djava.security.manager -Djava.security.policy==all-permissions.policy DNSTTLPolicy
	ENTRYPOINT java -Djava.security.manager -Djava.security.policy==all-permissions.policy DNSTTLPolicy
	"

	target_dockerfile="${dockerfile}"
	if [ -n "${2}" ] && [ "${2}" == "--enable-security-manager" ]; then
	target_dockerfile="${dockerfile_security_manager}"
	fi

	tag_name="jvm-dns-ttl-policy"
	output_file="$(mktemp)"

	function cleanup() {
	rm "${output_file}"
	docker rmi "${tag_name}" >/dev/null
	}

	trap "cleanup; exit" SIGHUP SIGINT SIGTERM

	echo "Building Docker image based on ${target_image} ..." >&2
	docker build -t "${tag_name}" - <<<"${target_dockerfile}" &>"${output_file}"

	if [ "$?" -ne 0 ]; then
	>&2 echo "Error building test image:"
	cat "${output_file}"
	cleanup
	exit 1
	fi

	echo "Testing DNS TTL ..." >&2
	docker run --rm "${tag_name}" &>"${output_file}"

	if [ "$?" -ne 0 ]; then
	>&2 echo "Error running test image:"
	cat "${output_file}"
	cleanup
	exit 1
	fi

	cat "${output_file}"

	cleanup