A script that inspects the DNS TTL for a JVM in a supplied Docker image.

JVM DNS TTL Policy.md

A script that inspects the DNS TTL for a JVM in a supplied Docker image. The image must also contain a JDK.

It does this by generating a Docker image containing a Java program that outputs the JVM's DNS TTL and executing this, then cleaning up the container, image and temporary files.

Usage

$ ./jvm-dns-ttl-policy.sh openjdk:8

This will download the image if necessary and then output the image JVM's DNS TTL:

Building Docker image based on openjdk:8 ...
Testing DNS TTL ...
Implementation DNS TTL for JVM in Docker image based on openjdk:8 is 30 seconds

Optionally you can pass an argument --enable-security-manager to the script and it will test the behaviour with a security manager enabled.

$ ./jvm-dns-ttl-policy.sh openjdk:8 --enable-security-manager

Which outputs:

Building Docker image based on openjdk:8 ...
Testing DNS TTL ...
Implementation DNS TTL for JVM in Docker image based on openjdk:8 (with security manager enabled) is -1 seconds

jvm-dns-ttl-policy.sh

#!/bin/sh

if [ -z "${1}" ]; then
  echo "Usage: ${0} <image> --enable-security-manager"
  exit 1
fi

target_image="${1}"

dockerfile="
FROM        ${target_image}
WORKDIR     /var/tmp
RUN         printf ' \\
              public class DNSTTLPolicy { \\
                public static void main(String args[]) { \\
                  System.out.printf(\"Implementation DNS TTL for JVM in Docker image based on '${target_image}' is %%d seconds\\\\n\", sun.net.InetAddressCachePolicy.get()); \\
                } \\
              }' >DNSTTLPolicy.java
RUN         javac DNSTTLPolicy.java -XDignore.symbol.file
CMD         java DNSTTLPolicy
ENTRYPOINT  java DNSTTLPolicy
"

dockerfile_security_manager="
FROM        ${target_image}
WORKDIR     /var/tmp
RUN         printf ' \\
              public class DNSTTLPolicy { \\
                public static void main(String args[]) { \\
                  System.out.printf(\"Implementation DNS TTL for JVM in Docker image based on '${target_image}' (with security manager enabled) is %%d seconds\\\\n\", sun.net.InetAddressCachePolicy.get()); \\
                } \\
              }' >DNSTTLPolicy.java
RUN         printf ' \\
              grant { \\
                permission java.security.AllPermission; \\
              };' >all-permissions.policy
RUN         javac DNSTTLPolicy.java -XDignore.symbol.file
CMD         java -Djava.security.manager -Djava.security.policy==all-permissions.policy DNSTTLPolicy
ENTRYPOINT  java -Djava.security.manager -Djava.security.policy==all-permissions.policy DNSTTLPolicy
"

target_dockerfile="${dockerfile}"
if [ -n "${2}" ] && [ "${2}" == "--enable-security-manager" ]; then
  target_dockerfile="${dockerfile_security_manager}"
fi

tag_name="jvm-dns-ttl-policy"
output_file="$(mktemp)"

function cleanup() {
  rm "${output_file}"
  docker rmi "${tag_name}" >/dev/null
}

trap "cleanup; exit" SIGHUP SIGINT SIGTERM

echo "Building Docker image based on ${target_image} ..." >&2
docker build -t "${tag_name}" - <<<"${target_dockerfile}" &>"${output_file}"

if [ "$?" -ne 0 ]; then
  >&2 echo "Error building test image:"
  cat "${output_file}"
  cleanup
  exit 1
fi

echo "Testing DNS TTL ..." >&2
docker run --rm "${tag_name}" &>"${output_file}"

if [ "$?" -ne 0 ]; then
  >&2 echo "Error running test image:"
  cat "${output_file}"
  cleanup
  exit 1
fi

cat "${output_file}"

cleanup