Dockerfile tweaks

* Uses recommended JSON array notation for `CMD` directives.
* Suppresses warnings for `sun.misc.Unsafe` usage (for Lucene) emitted by Java 25.
* Removes undesired `|| true` and `|| exit 1` occurrences as they don't provide any benefit.
* Specifies `--chown` for COPY directives to make ownership more explicit.
* Switches from `wget` to `curl` for health check as it has the same flags in Alpine and Debian, which wget does not have.

Signed-off-by: nscuro <nscuro@protonmail.com>

Author: nscuro

dev/docker-compose.yml

@@ -18,7 +18,7 @@ name: "dependency-track"
 
 services:
   apiserver:
-    image: dependencytrack/apiserver:snapshot
+    image: dependencytrack/apiserver:snapshot-alpine
     environment:
       # Speed up password hashing for faster initial login (default is 14 rounds).
       ALPINE_BCRYPT_ROUNDS: "4"
@@ -27,11 +27,6 @@ services:
     - "127.0.0.1:8080:8080"
     volumes:
     - "apiserver-data:/data"
-    healthcheck:
-      test: [ "CMD-SHELL", "wget -t 1 -T 3 --no-proxy -q -O /dev/null http://127.0.0.1:8080$${CONTEXT}health || exit 1" ]
-      interval: 30s
-      start_period: 60s
-      timeout: 3s
     restart: unless-stopped
 
   frontend:

src/main/docker/Dockerfile

@@ -64,41 +64,43 @@ ENV TZ=Etc/UTC \
 # Create a user and assign home directory to a ${DATA_DIR}
 # Ensure UID 1000 & GID 1000 own all the needed directories
 RUN mkdir -p ${APP_DIR} ${DATA_DIR} \
-    && groupadd --system --gid ${GID} dtrack || true \
-    && useradd --system --no-user-group --gid dtrack --no-create-home --home-dir ${DATA_DIR} --comment "dtrack user" --shell /bin/false --uid ${UID} dtrack || true \
+    && groupadd --system --gid ${GID} dtrack \
+    && useradd --system --no-user-group --gid dtrack --no-create-home --home-dir ${DATA_DIR} --comment "dtrack user" --shell /bin/false --uid ${UID} dtrack \
     && chown -R dtrack:0 ${DATA_DIR} ${APP_DIR} \
     && chmod -R g=u ${DATA_DIR} ${APP_DIR} \
     \
-    # Install wget for health check
+    # Install curl for health check
     && apt-get -yqq update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends wget \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends curl \
     && rm -rf /var/lib/apt/lists/*
 
-# Copy JRE from temurin base image
-COPY --from=jre-build /opt/java/openjdk $JAVA_HOME
-
-# Copy the compiled WAR to the application directory created above
-COPY ./target/${WAR_FILENAME} ./src/main/docker/logback-json.xml ${APP_DIR}
-
-# Specify the user to run as (in numeric format for compatibility with Kubernetes/OpenShift's SCC)
 USER ${UID}
-
-# Specify the container working directory
 WORKDIR ${APP_DIR}
 
+COPY --from=jre-build --chown=${UID}:0 /opt/java/openjdk $JAVA_HOME
+COPY --chown=${UID}:0 ./target/${WAR_FILENAME} ./src/main/docker/logback-json.xml ./
+
 # Launch Dependency-Track
-CMD exec java ${JAVA_OPTIONS} ${EXTRA_JAVA_OPTIONS} \
-    --add-opens java.base/java.util.concurrent=ALL-UNNAMED \
-    -Dlogback.configurationFile=${LOGGING_CONFIG_PATH} \
-    -DdependencyTrack.logging.level=${LOGGING_LEVEL} \
-    -jar ${WAR_FILENAME} \
-    -context ${CONTEXT}
+CMD [ \
+    "/bin/sh", "-c", \
+    "exec java \
+        ${JAVA_OPTIONS} ${EXTRA_JAVA_OPTIONS} \
+        --add-opens java.base/java.util.concurrent=ALL-UNNAMED \
+        --sun-misc-unsafe-memory-access=allow \
+        -Dlogback.configurationFile=${LOGGING_CONFIG_PATH} \
+        -DdependencyTrack.logging.level=${LOGGING_LEVEL} \
+        -jar ${WAR_FILENAME} \
+        -context ${CONTEXT}" \
+]
 
 # Specify which port Dependency-Track listens on
 EXPOSE 8080
 
 # Add a healthcheck using the Dependency-Track version API
-HEALTHCHECK --interval=30s --start-period=60s --timeout=3s CMD wget -t 1 -T 3 --no-proxy -q -O /dev/null http://127.0.0.1:8080${CONTEXT}health || exit 1
+HEALTHCHECK --interval=30s --start-period=60s --timeout=3s CMD [ \
+    "/bin/sh", "-c", \
+    "curl -f -s --max-time 3 --noproxy '*' -o /dev/null http://127.0.0.1:8080${CONTEXT}health" \
+]
 
 # metadata labels
 LABEL \

src/main/docker/Dockerfile.alpine

@@ -73,37 +73,39 @@ ENV TZ=Etc/UTC \
 # Create a user and assign home directory to a ${DATA_DIR}
 # Ensure UID 1000 & GID 1000 own all the needed directories
 RUN mkdir -p ${APP_DIR} ${DATA_DIR} \
-    && addgroup -S -g ${GID} dtrack || true \
-    && adduser -S -D -G dtrack -H -h ${DATA_DIR} -g "dtrack user" -s /bin/false -u ${UID} dtrack || true \
+    && addgroup -S -g ${GID} dtrack \
+    && adduser -S -D -G dtrack -H -h ${DATA_DIR} -g "dtrack user" -s /bin/false -u ${UID} dtrack \
     && chown -R dtrack:0 ${DATA_DIR} ${APP_DIR} \
     && chmod -R g=u ${DATA_DIR} ${APP_DIR} \
-    && apk add --no-cache tzdata
+    && apk add --no-cache tzdata curl
 
-# Copy JRE from temurin base image
-COPY --from=jre-build /work/jre ${JAVA_HOME}
-
-# Copy the compiled WAR to the application directory created above
-COPY ./target/${WAR_FILENAME} ./src/main/docker/logback-json.xml ${APP_DIR}
-
-# Specify the user to run as (in numeric format for compatibility with Kubernetes/OpenShift's SCC)
 USER ${UID}
-
-# Specify the container working directory
 WORKDIR ${APP_DIR}
 
+COPY --from=jre-build --chown=${UID}:0 /work/jre ${JAVA_HOME}
+COPY --chown=${UID}:0 ./target/${WAR_FILENAME} ./src/main/docker/logback-json.xml ./
+
 # Launch Dependency-Track
-CMD exec java ${JAVA_OPTIONS} ${EXTRA_JAVA_OPTIONS} \
-    --add-opens java.base/java.util.concurrent=ALL-UNNAMED \
-    -Dlogback.configurationFile=${LOGGING_CONFIG_PATH} \
-    -DdependencyTrack.logging.level=${LOGGING_LEVEL} \
-    -jar ${WAR_FILENAME} \
-    -context ${CONTEXT}
+CMD [ \
+    "/bin/sh", "-c", \
+    "exec java \
+        ${JAVA_OPTIONS} ${EXTRA_JAVA_OPTIONS} \
+        --add-opens java.base/java.util.concurrent=ALL-UNNAMED \
+        --sun-misc-unsafe-memory-access=allow \
+        -Dlogback.configurationFile=${LOGGING_CONFIG_PATH} \
+        -DdependencyTrack.logging.level=${LOGGING_LEVEL} \
+        -jar ${WAR_FILENAME} \
+        -context ${CONTEXT}" \
+]
 
 # Specify which port Dependency-Track listens on
 EXPOSE 8080
 
 # Add a healthcheck using the Dependency-Track version API
-HEALTHCHECK --interval=30s --start-period=60s --timeout=3s CMD wget -t 1 -T 3 --proxy off -q -O /dev/null http://127.0.0.1:8080${CONTEXT}health || exit 1
+HEALTHCHECK --interval=30s --start-period=60s --timeout=3s CMD [ \
+    "/bin/sh", "-c", \
+    "curl -f -s --max-time 3 --noproxy '*' -o /dev/null http://127.0.0.1:8080${CONTEXT}health" \
+]
 
 # metadata labels
 LABEL \

src/main/docker/docker-compose.yml

@@ -110,11 +110,15 @@ services:
     - '8081:8080'
     volumes:
     - 'dtrack-data:/data'
-    healthcheck:
-      test: [ "CMD-SHELL", "wget -t 1 -T 3 --no-proxy -q -O /dev/null http://127.0.0.1:8080$${CONTEXT}health || exit 1" ]
-      interval: 30s
-      start_period: 60s
-      timeout: 3s
+    # Older versions of Podman Compose do not support the HEALTHCHECK directive
+    # that is defined in the image's Dockerfile. If you're using Podman and are
+    # facing healthcheck-related issues, try un-commenting the section below.
+    #
+    # healthcheck:
+    #   test: [ "CMD-SHELL", "curl -f -s --max-time 3 --noproxy '*' -o /dev/null http://127.0.0.1:8080$${CONTEXT}health" ]
+    #   interval: 30s
+    #   start_period: 60s
+    #   timeout: 3s
     restart: unless-stopped
 
   frontend: