Skip to content

Commit

Permalink
Updates to Alpine 3.20.3, Java 17.0.13_p11 and latest maven deps
Browse files Browse the repository at this point in the history
Signed-off-by: Adrian Cole <[email protected]>
  • Loading branch information
codefromthecrypt committed Nov 19, 2024
1 parent fd2b54a commit 5d1f3f9
Show file tree
Hide file tree
Showing 6 changed files with 84 additions and 25 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ on:

jobs:
deploy:
runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
runs-on: ubuntu-24.04 # newest available distribution, aka numbat
steps:
- name: Checkout Repository
uses: actions/checkout@v4
Expand Down
59 changes: 59 additions & 0 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
---
name: security

# We don't scan documentation-only commits.
on: # yamllint disable-line rule:truthy
push: # non-tagged pushes to master
branches:
- master
tags-ignore:
- '*'
paths-ignore:
- '**/*.md'
- './build-bin/*lint'
- ./build-bin/mlc_config.json
pull_request: # pull requests targeted at the master branch.
branches:
- master
paths-ignore:
- '**/*.md'
- './build-bin/*lint'
- ./build-bin/mlc_config.json

jobs:
security:
name: security
runs-on: ubuntu-24.04 # newest available distribution, aka numbat
# skip commits made by the release plugin
if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- uses: actions/cache@v4
name: Cache Trivy Database
with:
path: .trivy
key: ${{ runner.os }}-trivy
restore-keys: ${{ runner.os }}-trivy
- name: Run Trivy vulnerability and secret scanner
uses: aquasecurity/trivy-action@master
id: trivy
env: # See https://github.com/aquasecurity/trivy/discussions/7668
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
with:
scan-type: 'fs'
scan-ref: '.' # scan the entire repository
scanners: vuln,secret
exit-code: '1'
severity: HIGH,CRITICAL
output: trivy-report.md
cache-dir: .trivy
- name: Set Summary
shell: bash
if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
# Add the Trivy report to the summary
#
# Note: This will cause a workflow error if trivy-report.md > the step
# limit 1MiB. If this was due to too many CVEs, consider fixing them ;)
run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY
4 changes: 2 additions & 2 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,13 +17,13 @@ on:
jobs:
test:
name: test (${{ matrix.name }})
runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
runs-on: ubuntu-24.04 # newest available distribution, aka numbat
strategy:
fail-fast: false # don't fail fast as some failures are LTS specific
matrix: # match with maven-enforcer-plugin rules in pom.xml
include:
- name: build-arg
version: 17.0.12_p7
version: 17.0.13_p11
- name: implicit
version: master
steps:
Expand Down
16 changes: 8 additions & 8 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
# docker_parent_image is the base layer of full and jre image
#
# Use latest version here: https://github.com/orgs/openzipkin/packages/container/package/alpine
ARG docker_parent_image=ghcr.io/openzipkin/alpine:3.20.2
ARG docker_parent_image=ghcr.io/openzipkin/alpine:3.20.3

# java_version and java_home are hard-coded here to allow the following:
# * `docker build https://github.com/openzipkin/docker-java.git`
Expand All @@ -17,17 +17,17 @@ ARG docker_parent_image=ghcr.io/openzipkin/alpine:3.20.2
# When updating, also update the README
# * Use current version from https://pkgs.alpinelinux.org/packages?name=openjdk17, stripping
# the `-rX` at the end.
ARG java_version=17.0.12_p7
ARG java_version=17.0.13_p11
ARG java_home=/usr/lib/jvm/java-17-openjdk

# We copy files from the context into a scratch container first to avoid a problem where docker and
# docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally.
# COPY --from= works around the issue.
FROM scratch as code
FROM scratch AS code

COPY . /code/

FROM $docker_parent_image as base
FROM $docker_parent_image AS base

# java_version is hard-coded here to allow the following to work:
# * `docker build https://github.com/openzipkin/docker-java.git`
Expand All @@ -51,17 +51,17 @@ WORKDIR /java
ENTRYPOINT ["java", "-jar"]

# The JDK image includes a few build utilities and Maven
FROM base as jdk
FROM base AS jdk
LABEL org.opencontainers.image.description="OpenJDK on Alpine Linux"
ARG java_version
ARG maven_version=3.9.8
ARG maven_version=3.9.9
LABEL maven-version=$maven_version

COPY --from=code /code/install.sh .
RUN ./install.sh $java_version $maven_version && rm install.sh

# Use a temporary target to build a JRE using the JDK we just built
FROM jdk as install
FROM jdk AS install

WORKDIR /install

Expand Down Expand Up @@ -93,7 +93,7 @@ jdk.localedata --include-locales en \
--output jre

# Our JRE image is minimal: Only Alpine, gcompat and a stripped down JRE
FROM base as jre
FROM base AS jre
LABEL org.opencontainers.image.description="Minimal OpenJDK JRE on Alpine Linux"

COPY --from=install /install/jre/ ${JAVA_HOME}/
Expand Down
22 changes: 11 additions & 11 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,10 @@ This is an internal base layer primarily used in [zipkin](https://github.com/ope

To try the image, run the `java -version` command:
```bash
$ docker run --rm ghcr.io/openzipkin/java:17.0.12_p7 -version
openjdk version "17.0.12" 2024-07-16
OpenJDK Runtime Environment (build 17.0.12+7-alpine-r0)
OpenJDK 64-Bit Server VM (build 17.0.12+7-alpine-r0, mixed mode, sharing)
$ docker run --rm ghcr.io/openzipkin/java:17.0.13_p11 -version
openjdk version "17.0.13" 2024-10-15
OpenJDK Runtime Environment (build 17.0.13+11-alpine-r0)
OpenJDK 64-Bit Server VM (build 17.0.13+11-alpine-r0, mixed mode, sharing)
```

## Release process
Expand All @@ -39,26 +39,26 @@ Build the [Dockerfile](Dockerfile) using the current version without the
revision classifier from here:
* https://pkgs.alpinelinux.org/packages?name=openjdk17
```bash
# Note 17.0.12_p7 not 17.0.12_p7-r2!
./build-bin/build 17.0.12_p7
# Note 17.0.13_p11 not 17.0.13_p11-r2!
./build-bin/build 17.0.13_p11
```

Next, verify the built image matches that version:
```bash
$ docker run --rm openzipkin/java:test -version
openjdk version "17.0.12" 2024-07-16
OpenJDK Runtime Environment (build 17.0.12+7-alpine-r0)
OpenJDK 64-Bit Server VM (build 17.0.12+7-alpine-r0, mixed mode, sharing)
openjdk version "17.0.13" 2024-10-15
OpenJDK Runtime Environment (build 17.0.13+11-alpine-r0)
OpenJDK 64-Bit Server VM (build 17.0.13+11-alpine-r0, mixed mode, sharing)
```

To release the image, push a tag matching the arg to `build-bin/build` (ex `17.0.12_p7`).
To release the image, push a tag matching the arg to `build-bin/build` (ex `17.0.13_p11`).
This triggers a [GitHub Actions](https://github.com/openzipkin/docker-java/actions) job to push the image.

## java.lang.ClassNotFoundException

The image ending in `-jre` is stripped to only retain the minimal modules needed by Zipkin. This is
to make it as small as possible. If the `zipkin` or `zipkin-slim` images fail with a
`java.lang.ClassNotFoundException`, it may be related to the modules linked in the [Dockerfile][Dockerfile].
`java.lang.ClassNotFoundException`, it may be related to the modules linked in the [Dockerfile](Dockerfile).

If the package begins with `java.`, `sun.` or `com.sun.`, it is likely a JRE module. To verify, use
`javap` without any other options. If a result is printed, you need to link a corresponding module.
Expand Down
6 changes: 3 additions & 3 deletions install.sh
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ maybe_log_crash() {
}

java_version=${1?java_version is required. ex --strip-debug}
maven_version=${2?maven_version is required. ex 3.9.8}
maven_version=${2?maven_version is required. ex 3.9.9}
java_major_version=$(echo ${java_version}| cut -f1 -d .)
package=openjdk${java_major_version}

Expand All @@ -43,5 +43,5 @@ apache_backup_mirror=https://downloads.apache.org/
(wget ${apache_mirror}${maven_dist_path} || wget ${apache_backup_mirror}${maven_dist_path}) | tar xz --strip=1 -C maven
ln -s ${PWD}/maven/bin/mvn /usr/bin/mvn

mvn -q --batch-mode org.apache.maven.plugins:maven-help-plugin:3.4.1:evaluate -Dexpression=maven.version -q -DforceStdout || maybe_log_crash
mvn -q --batch-mode org.apache.maven.plugins:maven-dependency-plugin:3.7.1:get -Dmdep.skip
mvn -q --batch-mode org.apache.maven.plugins:maven-help-plugin:3.5.1:evaluate -Dexpression=maven.version -q -DforceStdout || maybe_log_crash
mvn -q --batch-mode org.apache.maven.plugins:maven-dependency-plugin:3.8.1:get -Dmdep.skip

0 comments on commit 5d1f3f9

Please sign in to comment.