[feature] Switch from Google Cloud Platform distroless Docker base image to Chainguard distroless base image. We now have latest JDK 17 and nonroot user operation

adamretter · adamretter · commit 03cb8a144e92 · 2024-10-29T15:04:29.000+01:00
diff --git a/exist-docker/pom.xml b/exist-docker/pom.xml
@@ -107,7 +107,10 @@
                             <header>${project.parent.relativePath}/../elemental-parent/elemental-LGPL-21-ONLY-license.template.txt</header>
                             <excludes>
                                 <exclude>pom.xml</exclude>
-                                <exclude>src/**</exclude>
+                                <exclude>src/assembly/**</exclude>
+                                <exclude>src/main/xslt/**</exclude>
+                                <exclude>src/test/**</exclude>
+                                <exclude>**.md</exclude>
                             </excludes>
                         </licenseSet>
 
@@ -126,11 +129,7 @@
                             </multi>
                             <includes>
                                 <include>pom.xml</include>
-                                <include>src/main/resources-filtered/**</include>
                             </includes>
-                            <excludes>
-                                <exclude>**.md</exclude>
-                            </excludes>
                         </licenseSet>
 
                         <licenseSet>
diff --git a/exist-docker/src/main/resources-filtered/Dockerfile b/exist-docker/src/main/resources-filtered/Dockerfile
@@ -18,59 +18,53 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 #
-# NOTE: Parts of this file contain code from 'The eXist-db Authors'.
-#       The original license header is included below.
-#
-# =====================================================================
-#
-# eXist-db Open Source Native XML Database
-# Copyright (C) 2001 The eXist-db Authors
-#
-# info@exist-db.org
-# http://www.exist-db.org
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-#
 
-# Use Debian Bullseye (which is the base of gcr.io/distroless/java:17) for additional library dependencies that we need
-# FROM debian:bullseye-slim as debian-slim
-# RUN apt-get update && apt-get -y dist-upgrade
-# RUN apt-get install -y openjdk-17-jre-headless
-# RUN apt-get install -y expat fontconfig     # Install tools required by FOP
+# Install latest JRE 17 in Chainguard Wolfi temporary builder image
+FROM cgr.dev/chainguard/wolfi-base AS builder
+
+RUN apk update && apk upgrade
+# Install dependencies needed for JRE
+RUN apk add zlib libjpeg-turbo libpng lcms2 freetype ttf-dejavu fontconfig-config libfontconfig1 expat libuuid libbrotlicommon1 libbrotlidec1 libbrotlienc1 libcrypt1
+# Install latest JRE
+RUN apk add openjdk-17-jre
 
-FROM gcr.io/distroless/java17:latest
+# Use Chainguard distroless glibc base for dynamically linked libraries
+FROM cgr.dev/chainguard/glibc-dynamic:latest
 
-# Copy over dependencies for Apache FOP, missing from GCR's JRE
-# COPY --from=debian-slim /usr/lib/x86_64-linux-gnu/libfreetype.so.6 /usr/lib/x86_64-linux-gnu/libfreetype.so.6
-# COPY --from=debian-slim /usr/lib/x86_64-linux-gnu/liblcms2.so.2 /usr/lib/x86_64-linux-gnu/liblcms2.so.2
-# COPY --from=debian-slim /usr/lib/x86_64-linux-gnu/libpng16.so.16 /usr/lib/x86_64-linux-gnu/libpng16.so.16
-# COPY --from=debian-slim /usr/lib/x86_64-linux-gnu/libfontconfig.so.1 /usr/lib/x86_64-linux-gnu/libfontconfig.so.1
+# Copy over dependencies for updated JRE from Wolfi
+COPY --from=builder /etc/ca-certificates /etc/ca-certificates
+COPY --from=builder /etc/ca-certificates.conf /etc/ca-certificates.conf
+COPY --from=builder /lib/libz.so.1 /lib/libz.so.1
+COPY --from=builder /usr/lib/libjpeg.so.8 /usr/lib/libjpeg.so.8
+COPY --from=builder /usr/lib/libturbojpeg.so.0 /usr/lib/libturbojpeg.so.0
+COPY --from=builder /usr/lib/libpng16.so.16 /usr/lib/libpng16.so.16
+COPY --from=builder /usr/lib/liblcms2.so.2 /usr/lib/liblcms2.so.2
+COPY --from=builder /usr/lib/libfreetype.so.6 /usr/lib/libfreetype.so.6
+COPY --from=builder /usr/share/fonts /usr/share/fonts
+COPY --from=builder /etc/fonts /etc/fonts
+COPY --from=builder /usr/share/fontconfig /usr/share/fontconfig
+COPY --from=builder /usr/share/gettext /usr/share/gettext
+COPY --from=builder /usr/share/xml /usr/share/xml
+COPY --from=builder /usr/lib/libfontconfig.so.1 /usr/lib/libfontconfig.so.1
+COPY --from=builder /usr/lib/libexpat.so.1 /usr/lib/libexpat.so.1
+COPY --from=builder /usr/lib/libuuid.so.1 /usr/lib/libuuid.so.1
+COPY --from=builder /usr/lib/libbrotlicommon.so.1 /usr/lib/libbrotlicommon.so.1
+COPY --from=builder /usr/lib/libbrotlidec.so.1 /usr/lib/libbrotlidec.so.1
+COPY --from=builder /usr/lib/libbrotlienc.so.1 /usr/lib/libbrotlienc.so.1
 
-# Copy dependencies for Apache Batik (used by Apache FOP to handle SVG rendering)
-# COPY --from=debian-slim /etc/fonts /etc/fonts
-# COPY --from=debian-slim /lib/x86_64-linux-gnu/libexpat.so.1 /lib/x86_64-linux-gnu/libexpat.so.1
-# COPY --from=debian-slim /usr/share/fontconfig /usr/share/fontconfig
-# COPY --from=debian-slim /usr/share/fonts/truetype/dejavu /usr/share/fonts/truetype/dejavu
+# Copy over updated JRE from Wolfi
+COPY --from=builder /usr/lib/jvm/java-17-openjdk /usr/lib/jvm/java-17-openjdk
+
+# Switch to nonroot user
+USER nonroot
 
 # Copy Elemental
 COPY LICENSE /elemental/LICENSE
 COPY autodeploy /elemental/autodeploy
 COPY etc /elemental/etc
 COPY lib /elemental/lib
-COPY logs /elemental/logs
-
+COPY --chown=nonroot logs /elemental/logs
+COPY --chown=nonroot logs /elemental/data
 
 # Build-time metadata as defined at http://label-schema.org
 # and used by autobuilder @hooks/build
@@ -90,27 +84,15 @@ ARG CACHE_MEM
 ARG MAX_BROKER
 ARG JVM_MAX_RAM_PERCENTAGE
 
-ENV ELEMENTAL_HOME "/elemental"
-ENV EXIST_HOME "/elemental"
-ENV CLASSPATH=/elemental/lib/${elemental.uber.jar.filename}
-
-ENV JAVA_TOOL_OPTIONS \
-  -Dfile.encoding=UTF8 \
-  -Dsun.jnu.encoding=UTF-8 \
-  -Djava.awt.headless=true \
-  -Dorg.exist.db-connection.cacheSize=${CACHE_MEM:-256}M \
-  -Dorg.exist.db-connection.pool.max=${MAX_BROKER:-20} \
-  -Dlog4j.configurationFile=/elemental/etc/log4j2.xml \
-  -Dexist.home=/elemental \
-  -Dexist.configurationFile=/elemental/etc/conf.xml \
-  -Djetty.home=/elemental \
-  -Dexist.jetty.config=/elemental/etc/jetty/standard.enabled-jetty-configs \
-  -XX:+UseNUMA \
-  -XX:+UseZGC \
-  -XX:+UseStringDeduplication \
-  -XX:+UseContainerSupport \
-  -XX:MaxRAMPercentage=${JVM_MAX_RAM_PERCENTAGE:-75.0} \
-  -XX:+ExitOnOutOfMemoryError
+ENV ELEMENTAL_HOME="/elemental"
+ENV EXIST_HOME="/elemental"
+ENV CLASSPATH="/elemental/lib/${elemental.uber.jar.filename}"
+
+ENV JAVA_HOME="/usr/lib/jvm/java-17-openjdk"
+
+ENV JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF8 -Dsun.jnu.encoding=UTF-8 -Djava.awt.headless=true -Dorg.exist.db-connection.cacheSize=${CACHE_MEM:-256}M -Dorg.exist.db-connection.pool.max=${MAX_BROKER:-20} -Dlog4j.configurationFile=/elemental/etc/log4j2.xml -Dexist.home=/elemental -Dexist.configurationFile=/elemental/etc/conf.xml -Djetty.home=/elemental -Dexist.jetty.config=/elemental/etc/jetty/standard.enabled-jetty-configs -XX:+UseNUMA -XX:+UseZGC -XX:+UseContainerSupport -XX:MaxRAMPercentage=${JVM_MAX_RAM_PERCENTAGE:-75.0} -XX:+ExitOnOutOfMemoryError"
+
+ENV PATH="/usr/lib/jvm/java-17-openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
 HEALTHCHECK CMD [ "java", \
     "org.exist.start.Main", "client", \
diff --git a/exist-docker/src/main/resources-filtered/Dockerfile-DEBUG b/exist-docker/src/main/resources-filtered/Dockerfile-DEBUG
@@ -18,44 +18,26 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 #
-# NOTE: Parts of this file contain code from 'The eXist-db Authors'.
-#       The original license header is included below.
-#
-# =====================================================================
-#
-# eXist-db Open Source Native XML Database
-# Copyright (C) 2001 The eXist-db Authors
-#
-# info@exist-db.org
-# http://www.exist-db.org
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-#
 
-# Use JDK 17 in Debian Bullseye (as our production image gcr.io/distroless/java:17 is based on Debian Bullseye with just a JRE)
-FROM debian:bullseye-slim
-RUN apt-get update && apt-get -y dist-upgrade
-RUN apt-get install -y openjdk-17-jdk-headless
-RUN apt-get install -y expat fontconfig     # Install tools required by FOP
+# Use Chainguard Wolfi
+FROM cgr.dev/chainguard/wolfi-base
+
+RUN apk update && apk upgrade
+# Install dependencies needed for JDK
+RUN apk add zlib libjpeg-turbo libpng lcms2 freetype ttf-dejavu fontconfig-config libfontconfig1 expat libuuid libbrotlicommon1 libbrotlidec1 libbrotlienc1 libcrypt1
+# Install latest JDK
+RUN apk add openjdk-17
+
+# Switch to nonroot user
+USER nonroot
 
 # Copy Elemental
 COPY LICENSE /elemental/LICENSE
 COPY autodeploy /elemental/autodeploy
 COPY etc /elemental/etc
 COPY lib /elemental/lib
-COPY logs /elemental/logs
+COPY --chown=nonroot logs /elemental/logs
+COPY --chown=nonroot logs /elemental/data
 
 # Build-time metadata as defined at http://label-schema.org
 # and used by autobuilder @hooks/build
@@ -76,28 +58,15 @@ ARG MAX_BROKER
 ARG JVM_MAX_RAM_PERCENTAGE
 ARG JVM_JDWP_SUSPEND
 
-ENV ELEMENTAL_HOME "/elemental"
-ENV EXIST_HOME "/elemental"
-ENV CLASSPATH=/elemental/lib/${elemental.uber.jar.filename}
+ENV ELEMENTAL_HOME="/elemental"
+ENV EXIST_HOME="/elemental"
+ENV CLASSPATH="/elemental/lib/${elemental.uber.jar.filename}"
+
+ENV JAVA_HOME="/usr/lib/jvm/java-17-openjdk"
+
+ENV JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF8 -Dsun.jnu.encoding=UTF-8 -Djava.awt.headless=true -Dorg.exist.db-connection.cacheSize=${CACHE_MEM:-256}M -Dorg.exist.db-connection.pool.max=${MAX_BROKER:-20} -Dlog4j.configurationFile=/elemental/etc/log4j2.xml -Dexist.home=/elemental -Dexist.configurationFile=/elemental/etc/conf.xml -Djetty.home=/elemental -Dexist.jetty.config=/elemental/etc/jetty/standard.enabled-jetty-configs -XX:+UseNUMA -XX:+UseZGC -XX:+UseContainerSupport -XX:MaxRAMPercentage=${JVM_MAX_RAM_PERCENTAGE:-75.0} -XX:+ExitOnOutOfMemoryError -agentlib:jdwp=transport=dt_socket,server=y,suspend=${JVM_JDWP_SUSPEND:-n},address=5005"
 
-ENV JAVA_TOOL_OPTIONS \
-  -Dfile.encoding=UTF8 \
-  -Dsun.jnu.encoding=UTF-8 \
-  -Djava.awt.headless=true \
-  -Dorg.exist.db-connection.cacheSize=${CACHE_MEM:-256}M \
-  -Dorg.exist.db-connection.pool.max=${MAX_BROKER:-20} \
-  -Dlog4j.configurationFile=/elemental/etc/log4j2.xml \
-  -Dexist.home=/elemental \
-  -Dexist.configurationFile=/elemental/etc/conf.xml \
-  -Djetty.home=/elemental \
-  -Dexist.jetty.config=/elemental/etc/jetty/standard.enabled-jetty-configs \
-  -XX:+UseNUMA \
-  -XX:+UseZGC \
-  -XX:+UseStringDeduplication \
-  -XX:+UseContainerSupport \
-  -XX:MaxRAMPercentage=${JVM_MAX_RAM_PERCENTAGE:-75.0} \
-  -XX:+ExitOnOutOfMemoryError \
-  -agentlib:jdwp=transport=dt_socket,server=y,suspend=${JVM_JDWP_SUSPEND:-n},address=5005
+ENV PATH="/usr/lib/jvm/java-17-openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
 HEALTHCHECK CMD [ "java", \
     "org.exist.start.Main", "client", \
diff --git a/exist-docker/src/main/resources-filtered/README.md b/exist-docker/src/main/resources-filtered/README.md
@@ -5,7 +5,7 @@ ${project.description}
 
 This module holds the source files for building a minimal docker image of the [Elemental](https://www.elemental.xyz)
 NoSQL Database. Images are automatically updated as part of the build-test life-cycle. 
-These images are based on Google Cloud Platform's ["Distroless" Docker Images](https://github.com/GoogleCloudPlatform/distroless).
+These images are based on Chainguard's ["Distroless" Docker Images](https://edu.chainguard.dev/chainguard/chainguard-images/about/getting-started-distroless/).
 
 
 ## Requirements
