Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deprecation of openJDK docker images #2288

Open
tech-6 opened this issue Nov 24, 2024 · 3 comments · May be fixed by #2289
Open

Deprecation of openJDK docker images #2288

tech-6 opened this issue Nov 24, 2024 · 3 comments · May be fixed by #2289
Labels
dependencies Pull requests that update a dependency file distribution Issue refers to target platform, e.g. Docker

Comments

@tech-6
Copy link
Contributor

tech-6 commented Nov 24, 2024

As of December 20th 2022 the openJDK images from the docker library were deprecated (see docker-library/openjdk@d2f1e2d and docker-library/openjdk#505). With this comes with a handful of questions for continuation of the reposilite docker images. Below are some choices to go with moving forward.

One base image to rule them all

Pick a new single base image for future reposilite images

  • Amazon's Corretto JVM images
    • amazoncorretto:${JDK}-al2023 based off of Amazon Linux 2023
    • amazoncorretto:${JDK}-alpine based off Alpine Linux
  • Eclipse's Temurin JVM images
    • eclipse-temurin:${JDK} based off Ubuntu
    • eclipse-temurin:${JDK}-alpine based off Alpine Linux
    • eclipse-temurin:${JDK}-windowsservercore based off Windows Server 2016 (I advise against this one)
  • BellSoft Liberica JVM images
    • bellsoft/liberica-runtime-container:jre-${JDK}
  • IBM Semeru (OpenJ9) JVM images
    • ibm-semeru-runtimes:open-${JDK} based off Ubuntu
  • SapMachine JVM images
    • sapmachine:${JDK} based off Ubuntu

With one of these images rework the Dockerfile to use said image.
Example

How about all of them

Publish a build for x amount of base runtime images using artifacts from a build image. Allowing users to choose their preferred JVM runtime to run their repo with. A method of doing this could be using docker buildx bake to make a build job to build the JAR file and cache them for building the runtime images (which could be done in parallel).


More commentary is wanted or more potential solutions. Many thanks.

@dzikoysk dzikoysk added the distribution Issue refers to target platform, e.g. Docker label Nov 24, 2024
@dzikoysk
Copy link
Owner

dzikoysk commented Nov 24, 2024

Hey, thanks for taking a look at it! I personally don't like an idea of having all of them - it adds a little bit of mess for no clear reason. I'd probably go for Liberica from BellSoft that is usually my go-to distribution.

An especially good reason for that in our case is that they're maintaining good old JRE targets:

image

And those are just small out of the box. Of course we need to double-check if Reposilite is actually still able to start on it 👀

@dzikoysk dzikoysk added the dependencies Pull requests that update a dependency file label Nov 24, 2024
@tech-6
Copy link
Contributor Author

tech-6 commented Nov 24, 2024

Added the BellSoft images to the list of images, will take a look at them and hammer out a Dockerfile for it and add it to the to be tested pile.

tech-6 added a commit to tech-6/reposilite that referenced this issue Nov 24, 2024
Default user and group id is now 977 as 999 was taken.
!!**This may cause permissions issues in existing installations**. These issues can be fixed by either:
- mounting the volume with another container as a root user and changing ownership of `/app/data` (including their contents) to 977:977
- `chmod -R 977:977 /var/lib/docker/volumes/${VOLUME_NAME_OR_HASH}` of the volume from the host's volume directory.
- `chmod -R  777 /app/data` (don't do this)

Dockerfile and entrypoint.sh was changed to run NO application as a privileged user. When the container is running there is no code executed in a privileged context.

Proposed Solution to dzikoysk#2288
tech-6 added a commit to tech-6/reposilite that referenced this issue Nov 24, 2024
Default user and group id is now 977 as 999 was taken.
!!**This may cause permissions issues in existing installations**. These issues can be fixed by either:
- mounting the volume with another container as a root user and changing ownership of `/app/data` (including their contents) to 977:977
- `chmod -R 977:977 /var/lib/docker/volumes/${VOLUME_NAME_OR_HASH}` of the volume from the host's volume directory.
- `chmod -R  777 /app/data` (don't do this)

Dockerfile and entrypoint.sh was changed to run NO application code as a privileged used. When the container is running there is no code executed in a privileged context, as anything requiring privileges is run during build time.

Proposed Solution to dzikoysk#2288
tech-6 added a commit to tech-6/reposilite that referenced this issue Nov 24, 2024
Default user and group id is now 977 as 999 was taken.
!!**This may cause permissions issues in existing installations**. These issues can be fixed by either:
- mounting the volume with another container as a root user and changing ownership of `/app/data` (including their contents) to 977:977
- `chmod -R 977:977 /var/lib/docker/volumes/${VOLUME_NAME_OR_HASH}` of the volume from the host's volume directory.
- `chmod -R  777 /app/data` (don't do this)

Dockerfile and entrypoint.sh was changed to run NO application code as a privileged used. When the container is running there is no code executed in a privileged context, as anything requiring privileges is run during build time.

Proposed Solution to dzikoysk#2288
tech-6 added a commit to tech-6/reposilite that referenced this issue Nov 24, 2024
Default user and group id is now 977 as 999 was taken.
!!**This may cause permissions issues in existing installations**. These issues can be fixed by either:
- mounting the volume with another container as a root user and changing ownership of `/app/data` (including their contents) to 977:977
- `chmod -R 977:977 /var/lib/docker/volumes/${VOLUME_NAME_OR_HASH}` of the volume from the host's volume directory.
- `chmod -R  777 /app/data` (don't do this)

Dockerfile and entrypoint.sh was changed to run NO application code as a privileged user. When the container is running there is no code executed in a privileged context, as anything requiring privileges is run during build time.

Proposed Solution to dzikoysk#2288
@tech-6
Copy link
Contributor Author

tech-6 commented Nov 24, 2024

With the proposed change to the BellSoft Liberica base image. There will be compatibility issue that would require users of the current image to apply a fix while upgrading. More information about the changes is detailed out in #2289.

dzikoysk pushed a commit that referenced this issue Dec 9, 2024
…e user/group id (Refs #2288)

* Add .dockerignore to help improve container image cache hits when building locally.
* POSIX Shell compatibility in preparation for future Alpine based images.
* Add Dockerfile migration warning and change user and group id to 977.
* Use Ubuntu Noble with Eclipe Temurin based images for build and run
This is a migration point between the deprecated `openjdk` images and proposed change
to using Alpine based images.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file distribution Issue refers to target platform, e.g. Docker
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants