Design the offerings for Docker images containing Adoptium runtimes

[tellison]

A significant proportion of downloads for Adopt' builds traditionally come via the Docker image repository.
However, the Docker images have evolved over time to include number ous OS base images, tags, supporting libraries, and version support.

This issue is to capture the design for Eclipse Temurin images, with a goal of making the Docker repository simpler, easy to navigate and consume, while maintaining the information and resources that our users require. Discussion and raising requirements is encouraged!

The AdoptOpenJDK builds currently are published in a project managed repository (u/adoptopenjdk), in the official AdoptOpenJDK repository (_/adoptopenjdk), and in some instances also in the official OpenJDK repository.

For Adoptium, the proposal is as follows for Eclipse Temurin binaries:

Reduce the set of base images, and introduce a policy for removing obsolete versions

Too many distros make it difficult to produce and maintain them in a timely manner. The Adoptium project should be very selective about the base images that are being used, and should have a policy in pace to remove base images that fall out of support by their community.

Consider using a single base image OS, and encourage users to extract the Eclipse Temurin runtime into their own preferred distros using the Docker COPY operation.

Use the official repo at Docker exclusively.

Having a project repository and an official Docker repository can be confusion for end users. Providing we can transition the existing official repository we will use that exclusively for publishing the Eclipse Temurin images, rather than set up a new one owned by the Adoptium project.

Clear transition document for users who are used to having multiple distros.

To enable users to transition from the existing Docker image availability it will be necessary for the project to produce good documentation that explains how the Adoptium images can be used to achieve equivalence on each of the main different platforms and operating systems.

[jerboaa]

One critical consideration for supported OS (base images) is support for security updates and a continued pipeline of rolling updates for base image CVEs. As such, the set of base images should be chosen carefully and with a proven record of updates.

[karianna]

After scanning The Project Handbook[1] for “DockerHub” and reading the background information we needed, we've decided to go for the DockerHub namespace of eclipse-temurin and will ask Docker to make those official images.

[1] https://www.eclipse.org/projects/handbook/

[sxa]

I know there has been suggestions elsewhere that we should use Ubuntu 20.04 and CentOS7 as a minimal set, however with the changes to CentOS and trying to direct people towards CentOS Stream I would suggest initially only publishing Ubuntu 20.04 and then we consider (based on feedback where it is forthcoming) which version of CentOS/UBI etc. we go forward with as the next ones after Ubuntu 20.04, unless there's a particular know driver for choosing that one in the initial set.

[karianna]

I think this is resolved now. We have the fully supported list that we had previously at AdoptOpenJDK. We do need to add a link to the official DockerHub repo CC @gdams

[sxa]

@karianna What do you mean by "the fully supported list that we previously had at AdoptOpenJDK"? Are you saying we had specific extra "support" for the Ubuntu 20.04 and CentOS7 at AdoptOpenJDK and nothing else?

[karianna]

docker-library/official-images#10662 contains the matrix. Once that lands we can figure out how to link to that in our README.md file (hopefully we can autogenerate this).

[sxa]

Forgive me for being pedantic but how does that PR related to "the fully supported list that we previously had at AdoptOpenJDK"? Is that a statement specifically for what AdoptOpenJDK has as official images? (Which is not clear from the statements above)

[karianna]

You're right, I'm tired, that was a lazy comment, I'll delete it.

[mattnelson]

Is there a rough idea of when image parity will be available between AdoptOpenJDK and Adoptium?
Or some guidance for the community to help reach parity through contributions?

The latest patch updates were announced ~22 days ago along with their corresponding CVEs. Historically with https://github.com/AdoptOpenJDK/openjdk-docker the updated images would be available within ~1 week.

[karianna]

See docker-library/official-images#10662 for the progress - we're waiting on Docker (Hub) to accept the PR.

[mattnelson]

I'm most specifically interested in @gdams comment > docker-library/official-images#10662 (comment)

We don't plan on adding any other distros (other than perhaps Alpine at some point)

Is Alpine support expected with that initial PR? or relatively soon thereafter? Will Alpine images be offered on previous JDKs that do not include JEP 386?

Myself, and I imagine many other users, have an eagerness(or contractual obligation) to upgrade to images without known vulnerabilities. Previously, the timeliness of those releases allowed for leveraging the community images. I understand this release isn't the same as previous releases due to the switch between AdoptOpenJDK and Adoptium. But, I'm trying to determine if I need to roll my own JDK base layer, in the short term, to resolve the CVEs until those other distros are offered.

---

Clear transition document for users who are used to having multiple distros.
To enable users to transition from the existing Docker image availability it will be necessary for the project to produce good documentation that explains how the Adoptium images can be used to achieve equivalence on each of the main different platforms and operating systems.

When can we expect this document?

[sxa]

Ref my comment above about CentOS7, it appears similar conterns were raised at the official docker repo as to why it was needed and the response was that it was easier to copy the image from an RPM-based distro to another one

Our reasoning behind an ubuntu and a centos repo is that centos is RPM-based so the JDK can be easily copied into Rhel/Clefos etc, and Ubuntu is debian based so covers all the apt distros

but the instructions (Use a base image) from https://hub.docker.com/_/eclipse-temurin/ appears to just copy from the default Ubuntu image if I'm reading it properly. Also they should also be identical since we're copying into the docker image from a tarball, not an RPM/DEB package (which would likely install into a different location from where we are putting them in the docker image)

[karianna]

See docker-library/official-images#10662 for the progress - we're waiting on Docker (Hub) to accept the PR.

This PR is on hold until we get more community feedback on whether we should have glibc based apline images.

[dinogun]

My 2 cents based on our previous adoptopenjdk experience, glibc alpine based images were easily the most used ones. Admittedly this is not scientific, and is based on issues created, slack postings and queries etc as we cannot get a breakdown of the various images from DockerHub. The main attraction of these images being the smaller sized images and lesser attack surface. Since there is a large user base of both 8 and 11 and no musl based builds available, it would be good to have atleast these two versions made available with alpine glibc.

Java 11 Image sizes for reference

$ docker images
REPOSITORY                                   TAG                IMAGE ID      CREATED        SIZE
docker.io/adoptopenjdk/openjdk11             alpine-jre         6cf1fc1047fc  20 hours ago   149 MB
docker.io/adoptopenjdk/openjdk11             centos-jre         13dbb45d8dc0  20 hours ago   486 MB
docker.io/adoptopenjdk/openjdk11             ubuntu-jre         398ce73b3bf4  20 hours ago   249 MB

docker.io/adoptopenjdk/openjdk11             alpine             b6e96c767b1a  45 hours ago   343 MB
docker.io/adoptopenjdk/openjdk11             centos             2e830ca52a50  45 hours ago   679 MB
docker.io/adoptopenjdk/openjdk11             ubuntu             231c7df92d0b  44 hours ago   443 MB

[kittylyst]

Strongly against glibc-Alpine. We did this at New Relic, and it did not go well.

The images are, in any case, not much smaller than a full Ubuntu / CentOS image - which kind of defeats the entire point.

[chadlwilson]

Is this the location you're looking for feedback? (albeit user, not maintainer)

I disagree that it defeats the 'entire' point. Reduced attack (and vulnerability) surface is still potentially relevant independent of image sizes. I say potentially only because I haven't tracked CentOS actively in recent years, but it certainly appears true c.f Ubuntu or Debian base images.

Just curious, since we've had gibc alpine images for a number of years on Adopt (and personally used them without obvious issue), were any of the alluded to (but not described) problems at New Relic observed with the Adopt images? Were those issues in the maintenance thereof, or the usage/behaviour in the wild?

[vielmetti]

From an Alpine and security perspective, I'd defer to @kaniini for preferences.

[sxa]

@chadlwilson Yes this is the preferred forum for feedback (But we'll take it in private too if anyone prefers!)

[brunoborges]

JEP 386 has not been backported officially to any pre-16 version, even though certain vendors (namely Bell Soft, Corretto, and Azul, as far as I could find) have published musl-compiled JDKs for Java 11 and other pre-16 versions.

I am not in favour of glibc-Alpine either as it does not provide the expected benefits of musl. I think that end users are more than capable of cooking their own Alpine-based images (with glibc) for any JDK version. At most, Adoptium may provide coordinates/docs on how to create such image.

[koldat]

I am also all for muslc based JDK. Alpine itself has builds for JDK 8, 11 and 16 with muslc provided by community. AdoptOpenJDK had at least 16 which we used, because there were CVE against glibc and our customers did not want any security issue. We are creating our docker anyway, because it must be always having fixes for security, but having binaries will be essential (it is missing right now). It is not in your power to cover all needs, because even choosing Alpine version is hard (everyone has different needs). So I agree with you that having minimal set is good approach. Everyone else can do just "COPY" as you say. That is what we do.

If you look on how glibc based docker is done compared to muslc one it is like night and day. Glibc one looks like a big hack (it is downloading binaries from other distro, etc.) Having native one would be very nice (like in AdoptOpenJDK 16).

And important with having Alpine image and not using CentOS/Ubuntu is security fixes. This distro needs tiny bit of packages installed and tries to be very fresh so it is passing much better vulnerabilities scans.

[brunoborges]

Alpine itself has builds for JDK 8, 11 and 16 with muslc provided by community.

I'm curious about this. Are you saying that the Alpine project backported JEP 386 for jdk8u and jdk11u?

[koldat]

@brunoborges I do not know what it means, but they have these builds:
https://pkgs.alpinelinux.org/package/edge/testing/x86_64/openjdk16

root@6X1ZHP2:~# docker run -it alpine:3.14
/ # echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories
/ # apk update && apk add openjdk16-jdk@testing
/ # java -version
openjdk version "16.0.2" 2021-07-20
OpenJDK Runtime Environment (build 16.0.2+7-alpine-r0)
OpenJDK 64-Bit Server VM (build 16.0.2+7-alpine-r0, mixed mode, sharing)

https://pkgs.alpinelinux.org/package/edge/community/x86_64/openjdk11

root@6X1ZHP2:~# docker run -it alpine:3.14
/ # echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/community/" >> /etc/apk/repositories
/ # apk update && apk add openjdk11-jre-headless@testing
/ # java -version
openjdk version "11.0.12" 2021-07-20
OpenJDK Runtime Environment (build 11.0.12+7-alpine-r0)
OpenJDK 64-Bit Server VM (build 11.0.12+7-alpine-r0, mixed mode)

OpenJDK 8 was not updated and is still on 8.292.10

[chadlwilson]

Jdk11 appears to rely on Portola patches with some additional modifications: https://git.alpinelinux.org/aports/tree/community/openjdk11/build.patch

[brunoborges]

Thanks @chadlwilson and @koldat for the details.

I'd like to highlight that even Oracle has decided not to release a musl-compiled JDK for 16, not even EA 17 (even though JEP 386 got merged in 16), as they don't feel it is mature, well tested, and stable enough.

In the OpenJDK 16 GA release (https://jdk.java.net/16/), they noted the following:

The Alpine Linux build previously available on this page was removed as of the first JDK 16 release candidate. It’s not production-ready because it hasn’t been tested thoroughly enough to be considered a GA build. Please use the early-access JDK 17 Alpine Linux build in its place.

In the 17 EA releases, there are no Alpine builds either. (https://jdk.java.net/17/)

[koldat]

@brunoborges we are using musl adoptopenjdk 16.0.1 in production without any issue quite a long time.

[Campano]

• Java 16/17 - Those builds are doable today but we need to set up TCK infrastructure for those and see if we can make sure that meets compliance.

Really intereseting thread indeed. Where can we follow the progress on that @karianna ?

[karianna]

@Campano - The work has largely been done and we produce Alpine builds for 17 and 11 and are working on it for Java 8. TCK work is strictly private though I'm afraid so folks just have to wait until it pops out :-)

[SourceNode]

First, thanks for all of your support on this project. Second, I am unable to locate an arm64/v8-based (macOS on Apple M1/M2 hardware) eclipse-temurin for Alpine and JRE8:

$ docker pull eclipse-temurin:8-jre-alpine
8-jre-alpine: Pulling from library/eclipse-temurin
no matching manifest for linux/arm64/v8 in the manifest list entries

I can work around this by specifying amd64 platform, but that is a non-native version (Rosetta2) and much slower for us. Any help appreciated!

[karianna]

First, thanks for all of your support on this project. Second, I am unable to locate an arm64/v8-based (macOS on Apple M1/M2 hardware) eclipse-temurin for Alpine and JRE8:

$ docker pull eclipse-temurin:8-jre-alpine
8-jre-alpine: Pulling from library/eclipse-temurin
no matching manifest for linux/arm64/v8 in the manifest list entries

I can work around this by specifying amd64 platform, but that is a non-native version (Rosetta2) and much slower for us. Any help appreciated!

We don't support that platform combination at this stage.

[tianon]

If you switch off the Alpine variant, arm64v8 is supported:

$ docker run -it --rm --platform linux/arm64/v8 --pull always eclipse-temurin:8-jre
8-jre: Pulling from library/eclipse-temurin
Digest: sha256:4000764645ff6ecdda48f02d02bf51f551dd30eaa43a6328ffa7e42e94338c11
Status: Image is up to date for eclipse-temurin:8-jre
root@7c472e024d8f:/# dpkg --print-architecture
arm64
root@7c472e024d8f:/# java -version
openjdk version "1.8.0_332"
OpenJDK Runtime Environment (Temurin)(build 1.8.0_332-b09)
OpenJDK 64-Bit Server VM (Temurin)(build 25.332-b09, mixed mode)

[SourceNode]

I'm not sure I understand why only the Ubuntu releases provide arm64/v8 platform support. Not an option for me as we require Alpine for our Docker microservice containers. I know Alpine is heavily used by the community due to its small size and so was a little disappointed it is not supported. I would open a ticket, but sounds like it would be "not fix".

[vielmetti]

@SourceNode #158 is a relevant issue.

[SourceNode]

Thank you for @vielmetti , sorry I did not see it before now.

[sxa]

@SourceNode If you wanted to experiment with it, you can pull nightly alpine tarballs from the artifacts on https://ci.adoptopenjdk.net/job/build-scripts/job/jobs/job/jdk8u/job/jdk8u-alpine-linux-aarch64-temurin/ which you can incorporate into your own images, but obviously that comes with the standard "Use at your own risk, may not work, not fully tested" disclaimer.