docker-kafka
Verify Checksum - magic ADD
Because of the "magic" ADD, your tgz is being unpacked prematurely. See https://www.ctl.io/developers/blog/post/dockerfile-add-vs-copy/. This means that there is no file for the checksum to verify. Replace ADD with WGET...
Step 7/21 : ADD http://www.us.apache.org/dist/kafka/${KAFKA_VERSION}/${KAFKA_RELEASE_ARCHIVE} /tmp/
Downloading [==================================================>] 34.05MB/34.05MB
---> 917bfbd79471
Removing intermediate container 47eac95d4e8d
Step 8/21 : ADD https://dist.apache.org/repos/dist/release/kafka/${KAFKA_VERSION}/${KAFKA_RELEASE_ARCHIVE}.md5 /tmp/
Downloading 74B
---> c6400a6cf8d8
Removing intermediate container 906298a3ca79
Step 9/21 : WORKDIR /tmp
---> 623ea82c854b
Removing intermediate container 7fa0b041357f
Step 10/21 : RUN echo "networkaddress.cache.ttl=30" >> $JAVA_HOME/jre/lib/security/java.security
---> Running in e33f31ac57b5
---> 8bcf5378cba3
Removing intermediate container e33f31ac57b5
Step 11/21 : RUN echo VERIFY CHECKSUM: && gpg --print-md MD5 ${KAFKA_RELEASE_ARCHIVE} 2>/dev/null && cat ${KAFKA_RELEASE_ARCHIVE}.md5
---> Running in 214a69a3272d
VERIFY CHECKSUM:
The command '/bin/sh -c echo VERIFY CHECKSUM: && gpg --print-md MD5 ${KAFKA_RELEASE_ARCHIVE} 2>/dev/null && cat ${KAFKA_RELEASE_ARCHIVE}.md5' returned a non-zero code: 2
I'm suggesting you replace those with...
WORKDIR /tmp
RUN wget -q http://www.us.apache.org/dist/kafka/${KAFKA_VERSION}/${KAFKA_RELEASE_ARCHIVE}
RUN wget -q https://dist.apache.org/repos/dist/release/kafka/${KAFKA_VERSION}/${KAFKA_RELEASE_ARCHIVE}.md5
Hi, thanks for reporting, but I have not observed this issue—take for example the latest automated build on Docker Hub where you'll see in the build log output that the checksum is indeed being computed/printed from the tgz.
As the article you linked says,
Interestingly, the URL download and archive unpacking features cannot be used together. Any archives copied via URL will NOT be automatically unpacked.
So unless something has changed quite recently in Docker, there should not be premature unpacking occurring. Perhaps you can tell me if there is any more to reproducing the problem? I see an additional step for modifying java.security in your output so perhaps you have some modifications.
I'm not so bothered by the concerns of "magic" that article takes an opinionated stance on, personally. There's a reasonable argument there for curl/wget to pipeline commands and reduce layers, but that doesn't apply if I want to keep the step of saving the archive on disk to verify its digest.
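The `VERIFY CHECKSUM` step in the build log above prints the computed MD5 and the published `.md5` file but does not compare them. As an added example (not part of this thread or of the docker-kafka repository), the POSIX sh function below does the comparison and returns non-zero on a mismatch or when the archive is not a regular file; the name `verify_digest` and its exit codes are assumptions made here.

```shell
#!/bin/sh
# verify_digest ARCHIVE DIGEST_FILE [TOOL]   (hypothetical helper, not from the repo)
# TOOL defaults to md5sum, matching the .md5 file used in this thread.
# Returns 0 on match, 1 on mismatch, 2 when an input is unusable.
verify_digest() {
    archive=$1
    digest_file=$2
    tool=${3:-md5sum}

    # A missing archive, or one that is a directory because it was unpacked,
    # must fail the build instead of yielding an empty digest.
    for f in "$archive" "$digest_file"; do
        if [ ! -f "$f" ]; then
            echo "verify_digest: not a regular file: $f" >&2
            return 2
        fi
    done

    actual=$("$tool" "$archive" 2>/dev/null | cut -d' ' -f1)
    if [ -z "$actual" ]; then
        echo "verify_digest: $tool produced no digest for $archive" >&2
        return 2
    fi

    # Published digests come in several layouts:
    #   gpg --print-md style: "name.tgz: 3F 2E 1A ..." (upper case, spaced, may wrap)
    #   md5sum style:         "3f2e1a...  name.tgz"
    # Drop any "name:" prefix, remove whitespace, lower-case, keep digest length.
    expected=$(sed 's/^[^:]*://' "$digest_file" | tr -d ' \t\r\n' |
               tr 'A-F' 'a-f' | cut -c1-"${#actual}")

    case $expected in
        ''|*[!0-9a-f]*) expected='' ;;   # not hexadecimal: treat as unparseable
    esac
    if [ "${#expected}" -ne "${#actual}" ]; then
        echo "verify_digest: cannot parse a digest from $digest_file" >&2
        return 2
    fi

    if [ "$expected" != "$actual" ]; then
        echo "verify_digest: MISMATCH for $archive" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "verify_digest: OK $archive ($actual)"
}
```

Called from a `RUN` step after the archive and its `.md5` file are on disk, a non-zero return stops the build at that step.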