Conversation

@gdams
Member

@gdams gdams commented Oct 22, 2024

fixes: #675

This will mean that for JDK24+ we stop shipping container images with build-time dependencies in them (e.g. wget, curl, gnupg, etc.).

Contributor

@github-actions github-actions bot left a comment

A block has been put on this Pull Request as this repository is temporarily under a code freeze due to an ongoing release cycle.

If this pull request needs to be merged during the release cycle then please comment /merge and a PMC member will be able to remove the block.

If the code freeze is over you can remove this block by commenting /thaw.

@karianna
Contributor

We wouldn't backport this because... we'd be removing tools?

@gdams
Member Author

gdams commented Oct 23, 2024

> We wouldn't backport this because... we'd be removing tools?

Correct, it would be a breaking change, so it's best to only change this going forwards.

@karianna
Contributor

> We wouldn't backport this because... we'd be removing tools?

> Correct, it would be a breaking change, so it's best to only change this going forwards.

We'll need to advertise this strongly then (blogs etc)

@tianon

tianon commented Oct 25, 2024

If the tools shouldn't be in the final images, I'd suggest instead moving the installation to the RUN instruction where they are used and cleaning them up/removing after use (before the RUN line ends).

See https://github.com/docker-library/cassandra/blob/1e3d5732f34ceb9e77870d0be9501515f917cc60/5.0/Dockerfile#L40-L54 for a pretty straightforward/compressed example of what I mean (but I'm happy to provide a more detailed example if helpful, maybe in the form of a diff against the current Dockerfile here; for Alpine-based images this is even more straightforward thanks to their support for --virtual on apk add to group package installs in a way that makes them trivial to remove afterwards).

@gdams gdams removed the PMC-agenda label Dec 4, 2024
@karianna
Contributor

/thaw

@github-actions github-actions bot dismissed their stale review February 10, 2025 01:07

Pull Request unblocked - code freeze is over.

@gdams
Member Author

gdams commented Mar 28, 2025

> If the tools shouldn't be in the final images, I'd suggest instead moving the installation to the RUN instruction where they are used and cleaning them up/removing after use (before the RUN line ends).

> See https://github.com/docker-library/cassandra/blob/1e3d5732f34ceb9e77870d0be9501515f917cc60/5.0/Dockerfile#L40-L54 for a pretty straightforward/compressed example of what I mean (but I'm happy to provide a more detailed example if helpful, maybe in the form of a diff against the current Dockerfile here; for Alpine-based images this is even more straightforward thanks to their support for --virtual on apk add to group package installs in a way that makes them trivial to remove afterwards).

@tianon I'm looping back round to this for JDK25 (our next LTS release). Would you be able to provide an example of changes to one of our Dockerfiles? Also seeing an example of the --virtual feature on Alpine would be really useful please.

@tianon

tianon commented Apr 1, 2025

Sure, here's an example of what I'd propose for both Alpine and Ubuntu variants:

diff --git a/24/jdk/alpine/3.21/Dockerfile b/24/jdk/alpine/3.21/Dockerfile
index 1c0bd25..ed80b38 100644
--- a/24/jdk/alpine/3.21/Dockerfile
+++ b/24/jdk/alpine/3.21/Dockerfile
@@ -31,8 +31,6 @@ RUN set -eux; \
         # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
         # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077
         fontconfig ttf-dejavu \
-        # gnupg required to verify the signature
-        gnupg \
         # utilities for keeping Alpine and OpenJDK CA certificates in sync
         # https://github.com/adoptium/containers/issues/293
         ca-certificates p11-kit-trust \
@@ -68,6 +66,7 @@ RUN set -eux; \
          exit 1; \
          ;; \
     esac; \
+    apk add --no-cache --virtual .fetch-deps gnupg; \
     wget -O /tmp/openjdk.tar.gz ${BINARY_URL}; \
     wget -O /tmp/openjdk.tar.gz.sig ${BINARY_URL}.sig; \
     export GNUPGHOME="$(mktemp -d)"; \
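Review bot: the added `apk add --no-cache --virtual .fetch-deps gnupg` line carries no comment, while the first hunk drops the `# gnupg required to verify the signature` comment together with the package; move that comment onto this line so the Dockerfile still records why gnupg is installed and why it is grouped into `.fetch-deps` for removal at the end of the same RUN.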
@@ -83,7 +82,8 @@ RUN set -eux; \
         --strip-components 1 \
         --no-same-owner \
     ; \
-    rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip;
+    rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip; \
+    apk del --no-network .fetch-deps;
 
 RUN set -eux; \
     echo "Verifying install ..."; \
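Review bot: the `rm -f` on the `+` line still removes only `/tmp/openjdk.tar.gz` and `src.zip`, yet the previous hunk also downloads `/tmp/openjdk.tar.gz.sig` and creates a `mktemp -d` GNUPGHOME; unless lines between the hunks already delete them, widen the cleanup, e.g. `rm -rf "$GNUPGHOME" /tmp/openjdk.tar.gz /tmp/openjdk.tar.gz.sig ${JAVA_HOME}/lib/src.zip; \`, before the `apk del --no-network .fetch-deps`. The `--no-network` flag on that `apk del` is the right choice, since removal should never need to reach a mirror.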
diff --git a/24/jdk/ubuntu/noble/Dockerfile b/24/jdk/ubuntu/noble/Dockerfile
index 6665147..6d7ac32 100644
--- a/24/jdk/ubuntu/noble/Dockerfile
+++ b/24/jdk/ubuntu/noble/Dockerfile
@@ -28,9 +28,6 @@ ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 RUN set -eux; \
     apt-get update; \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-        wget \
-        # gnupg required to verify the signature
-        gnupg \
         # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
         # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
         # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077
@@ -79,6 +76,9 @@ RUN set -eux; \
          exit 1; \
          ;; \
     esac; \
+    savedAptMark="$(apt-mark showmanual)"; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends wget gnupg; \
     wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; \
     wget --progress=dot:giga -O /tmp/openjdk.tar.gz.sig ${BINARY_URL}.sig; \
     export GNUPGHOME="$(mktemp -d)"; \
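Review bot: the new `apt-get install -y --no-install-recommends wget gnupg` line lacks the `DEBIAN_FRONTEND=noninteractive` prefix that the first `apt-get install` in this file uses (see the earlier hunk); add it for parity so a debconf prompt can never stall the build. Capturing `savedAptMark` before the install is correct: it is what lets the later restore keep manual only the packages that were manual before wget and gnupg were added.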
@@ -95,6 +95,10 @@ RUN set -eux; \
         --no-same-owner \
     ; \
     rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip; \
+    apt-mark auto '.*' > /dev/null; \
+    apt-mark manual $savedAptMark > /dev/null; \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    rm -rf /var/lib/apt/lists/*; \
     # https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472
     find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \
     ldconfig; \
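Review bot: as in the Alpine file, `/tmp/openjdk.tar.gz.sig` (fetched in the previous hunk) is missing from the `rm -f` that precedes the `apt-mark`/`apt-get purge` sequence; add it, and the temporary GNUPGHOME, to that `rm` unless unshown lines already remove them. `$savedAptMark` in `apt-mark manual $savedAptMark` is deliberately unquoted so the saved list word-splits into separate package names; add a short comment (or a shellcheck directive) so a later lint pass does not quote it, which would hand `apt-mark` one bogus multi-word name and break the restore.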

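A check a maintainer can run against the built image to confirm the pattern above actually worked. This is an added script, not code from the adoptium/containers project or from tianon's diff; it assumes the package list is captured from the image with `apk info` (Alpine) or `dpkg-query -W -f='${binary:Package}\n'` (Ubuntu) and the sample lists inside it are constructed, not captured from a real image.

```shell
#!/bin/sh
# Added verification script (not part of the adoptium/containers PR): given the
# package list of a built image, report any fetch-time tools still installed.
#
# Assumed capture commands, run against the image under test:
#   docker run --rm IMAGE apk info                                 # Alpine
#   docker run --rm IMAGE dpkg-query -W -f='${binary:Package}\n'   # Ubuntu

# Packages that should exist only inside the RUN that downloads and verifies the JDK.
FETCH_DEPS="wget gnupg"

# find_leftovers PKGLIST [DENYLIST]
# PKGLIST : newline-separated package names, as printed by apk info or dpkg-query.
# DENYLIST: space-separated names to look for (defaults to FETCH_DEPS).
# Prints each denylisted package that is still installed, one per line.
# Returns 0 when the image is clean, 1 when something was left behind.
find_leftovers() {
    pkglist=$1
    denylist=${2:-$FETCH_DEPS}
    rc=0
    for pkg in $denylist; do
        # dpkg-query prints "name:arch" for multi-arch packages; apk prints bare names.
        if printf '%s\n' "$pkglist" | sed 's/:.*$//' | grep -qx "$pkg"; then
            printf '%s\n' "$pkg"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output (not captured from a real image) for a quick demo run.
SAMPLE_BEFORE='busybox
ca-certificates
gnupg
p11-kit-trust'
SAMPLE_AFTER='busybox
ca-certificates
p11-kit-trust'

if [ "${1:-}" = "--demo" ]; then
    echo "before cleanup:"; find_leftovers "$SAMPLE_BEFORE" || echo "  -> leftovers found"
    echo "after cleanup:";  find_leftovers "$SAMPLE_AFTER"  && echo "  -> clean"
fi
```

Pass a different denylist as the second argument (for example `"wget curl gnupg"`) to match the wider set of tools named in the PR description.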
@gdams
Member Author

gdams commented Apr 2, 2025

Thanks @tianon, I've proposed these changes in JDK25+ via #752

@gdams gdams closed this Apr 2, 2025

Successfully merging this pull request may close these issues.

[Bug]: Temurin images contain packages only used at container build time
