packaging: Overhaul Containerfile and use Temurin JRE

[k3rnelpan1c-dev]

Description

I props these changes as I stumbled over this great tool while dealing with the aftermath that was the Log4Shell hell week and noticed that the Dockerfile could be improved. I did so since we would deploy dtrack to our OpenShift cluster which uses arbitrary UIDs, which is currently already supported by the fronted container yet not by the API server. And while I have made similar changes to packaging for an internal draft container to test deploy dtrack I wanted to offer these changes upstream as well.

Additionally, I noticed that there is the motivation to use the Eclipse-Temurin JVM based on the comment in #1213 (comment), so I took the liberty and migrated the Container to that alongside the other changes.

To answer questions as to why I did so via a multi stage build I advice to read the following to issues that may be a long read but should explain it:

• Design the offerings for Docker images containing Adoptium runtimes adoptium/containers#1 (also covers the glibc issue with Alpine and announces that there will be a Musl build of the Temurin JVM eventually 🎉 )
• slim container jdk releases adoptium/containers#54

TLDR: DockerHub apparently does not accept slim images anymore for their Official Image labelled images and the 'old' adoptopenjdk too did only offer Ubuntu, CentOS7 and WindowsServerCore images. So the common consensus is to utilize multi stage builds to copy the JDK/JRE from a official image to a derived image with the same package manager (i.e. Ubuntu to Debian, CentOS to UBI or Fedora, etc.), a good example could be the Jenkins Official Docker images, which use Jlink to minify the JDK and then copy it to their image. (I did the same without Jlink since the JRE does not have that nor need it to be slim)

If there are any further questions or any feedback please feel free to share them I will come back to them as soon as possible.

Changes

• overhauls and (IMHO) simplifies/groups Dockerfile
• migrates Dockerfile to Eclipse-Temurin from Zulu JRE
• update maven workflow slightly

Issues

• relates to Support ARM64 #1213 (comment)
• relates to Migrate Docker image from Alpine to Debian Slim #1090
• similar to Update Dockerfile for OpenShift #994
• similar to Update Dockerfile to be OpenShift restricted SCC compliant #891

Notes

I noticed that you seem to use a bash script to release new version of dtrack and want to propose moving that to CI (GitHub Actions) as well. I would be up for submitting the necessary PRs to do so if you are interested 🙂

EDIT: there are now official musl builds of Temurin 11, 16 and 17 available, so if you ever want to offer an alpine spin alongside the debian one you can now without any glibc hackery for the Alpine JVM variant.

[k3rnelpan1c-dev]

JQ and Docker are both already installed in a recent version in the GitHub Actions Virtual environment and since you don't seem to use trivy here, and it having an official action otherwise, I cleaned up this overhead

[k3rnelpan1c-dev]

@stevespringett sorry for the ping, but could I get your feedback on this and whether you would be interested in a GitHub Action based release workflow instead or as an alternative to your release.sh?

[stevespringett]

Thanks for the PR. I'll need a few days to review.

[nscuro]

LGTM overall. Have a few minor suggestions, and the UID situation needs clarification.

[namloc2001]

@k3rnelpan1c-dev - looks really good, the only thing that is missing for full OpenShift compatibility is:

# Specify this so that when OpenShift restricted SCC assigns arbitrary UID - it is aware of the correct home dir to use
ENV HOME ${DATA_DIR}

This is what I use in my Dockerfile that uses FROM dependencytrack/apiserver:4.3.6 as base image. (DATA_DIR is used because that is the home directory assigned to dtrack user and the chown & chmod statements make it accessible when OpenShift assigns an arbitrary UID and GID=0 to the container user under the restricted SCC).

Are you please able to add it in?

@Homopatrol FYI.

[mtcolman]

I've run 4.4.0 in my cluster, (without setting $HOME as above), and I see this in the logs:

2022-02-18 16:15:02,325 INFO [EmbeddedJettyServer] Alpine Executable WAR v1.3.0 (49dc89aa-4f58-404e-b0d6-4001902c5fa1) built on: 2022-02-13T03:18:56Z
2022-02-18 16:15:04,750 INFO [Config] --------------------------------------------------------------------------------
2022-02-18 16:15:04,754 INFO [Config] OS Name:      Linux
2022-02-18 16:15:04,754 INFO [Config] OS Version:   3.10.0-1160.53.1.el7.x86_64
2022-02-18 16:15:04,755 INFO [Config] OS Arch:      amd64
2022-02-18 16:15:04,756 INFO [Config] CPU Cores:    4
2022-02-18 16:15:04,779 INFO [Config] Max Memory:   6.4 GB (6,873,415,680.0 bytes)
2022-02-18 16:15:04,780 INFO [Config] Java Vendor:  Eclipse Adoptium
2022-02-18 16:15:04,785 INFO [Config] Java Version: 11.0.14.1+1
2022-02-18 16:15:04,785 INFO [Config] Java Home:    /opt/java/openjdk
2022-02-18 16:15:04,786 INFO [Config] Java Temp:    /tmp
2022-02-18 16:15:04,787 INFO [Config] User:         1000640000
2022-02-18 16:15:04,787 INFO [Config] User Home:    /
2022-02-18 16:15:04,787 INFO [Config] --------------------------------------------------------------------------------

Note the following:

INFO [Config] User:         1000640000
INFO [Config] User Home:    /

This is the arbitrary UID assigned to my user and the user home is defined as /. My user won't have write access to this.

$ oc rsh -c dependency-track-apiserver matt-dt-dependency-track-apiserver-b5695c877-pjrpz sh -c "id"
uid=1000640000(1000640000) gid=0(root) groups=0(root),1000640000

[k3rnelpan1c-dev]

Hi,

first of all thank you two for this observation!
I work with OpenShift at work as well and have run/tested this changes there before I contributed them and never noticed that the user home was even listed in the logs.
However, mind me asking if any of you happen to know if this is a big issue?
I have only a limited set of test and evaluation experience with Dependency Track on OpenShift, but as far as I was able to tell it never complained nor ran into issues caused by the improperly set home dir. The likely reason for that is that Dependency Track stores all of its data to the /data/ dir and largely, if not entirely, ignoring the home dir despise the log output by Alpine.

[namloc2001]

@k3rnelpan1c-dev it appears that the container can certainly start up and analyse an SBOM with the home directory defaulting to /, however I would suggest that best practice is followed for compatibility and the environment variable is added in.

Also, on a separate note to this topic, I've noticed you've amended the HEALTHCHECK statement. I believe that by removing the "/" but not updating the comment associated with the CONTEXT environment variable, you risk someone setting one without a trailing slash and breaking the healthcheck command.

[k3rnelpan1c-dev]

Hey @namloc2001,
I am not opposed to adding the envVar, was just wondering 😉
Regarding the Context, that you are indeed right that it could mess with the Healthcheck 🤦‍♂️.
Unfortunately, I messed actually messed the Healtcheck up with this PR which then needed to be fixed in a followup PR #1408 and that is now in 4.4.1 (yay for the OCI standard not supporting HEALTHCHECK and me not testing the Docker format xD).

All things considered, I will offer the HOME env addition in a future PR and have to check the Healthcheck again :/
Thank you for the comments and the pointer for yet another issue with the Health check 😑