Default OpenJDK version used for S2I by Container Image OpenShift extension?

[michalvavrik]

For our S2I build deployed to OpenShift we use registry.access.redhat.com/ubi8/openjdk-11:latest in ImageStream template field dockerImageRepository as you can see here. We are using the latest OpenJDK while Quarkus default JVM image is 1.15. We mentioned one important difference (important for us, because we are using internal non-local HTTP mirror repository and HTTP is not supported since 3.8.1 as you can see here due to the man in the middle attack) that Maven version used by OpenJDK changed from 3.6.2 to 3.8.5 as you can see in OPENJDK-1954. I can see that @aloubyansky bumped from version from 1.14 to 1.15 in #32753 and I'd like to understand what is supported and recommended version for our customers because RHBQ Fireball uses latest OpenJDK https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/rhbq-documentation-2-13/guide/7c17772d-f5b3-4284-b668-24712d1039a2#_f225ca8d-842e-4e03-9cb1-71c8baf9416b so theoretically anyone who - as QE team - is using HTTP mirror and the latest OpenJDK will run into issues (meaning = need to use more secure way).

Could someone give me information (e.g. where to look and so on):

• why is Quarkus using 1.15
• which OpenJDK version is recommended for using S2I for deploying Quarkus 2.13 application to OpenShift

[michalvavrik]

Maybe @iocanel @Sgitario, @cescoffier or @geoand could help me? Sorry for spamming, but I'm in hurry :-)

[geoand]

I personally don't have any answers here

[maxandersen]

I'm not following what is the problem exactly? We use version that fixes mvn where http is not trusted by default anymore.

Which version is it you expect to be used if not 1.15?

Btw. You say "us" but sure what "us" refer to?

[maxandersen]

"which OpenJDK version is recommended for using S2I for deploying Quarkus 2.13 application to OpenShift" the latest java 11 and 17 you can get access to.

[maxandersen]

So read the openjdk and related issue and seem to be a wish to use http in maven repo.

Then use settings.xml where http is explicitly allowed or add .mvn folder with local maven settings.

See https://stackoverflow.com/questions/67001968/how-to-disable-maven-blocking-external-http-repositories

Also documented at https://maven.apache.org/docs/3.8.1/release-notes.html

No one should be using maven unless maven 3.8 and higher is the short answer.

Is there anything that prevents you from using newer versions ?

[michalvavrik]

Yes, we are using the latest and disabled blocking - quarkus-qe/quarkus-test-framework#805

"which OpenJDK version is recommended for using S2I for deploying Quarkus 2.13 application to OpenShift" the latest java 11 and 17 you can get access to.

My problem is that documented version is the latest, while Quarkus is using 1.15.

Well, more like I am trying to verify that it is alright that customers should use the latest OpenJDK because if they were deploying with S2I using the latest OpenJDK and HTTP mirror, it would break for them and they would have to fix it. I voice no opinion, just try to understand if the situation is expected or customers should use 1.15 @maxandersen

[michalvavrik]

FYI there is no issue when default 1.15 is used as blocking mirrors is disabled.

[maxandersen]

1.15 is the minimal version that has the maven cve version fixed, right?

So wether they use 1.15 or latest they will have to explict allow http.

I believe we did mention that I. Release notes/docs when this cve was fixed.

If not that's a bug worthy for Rhbq jira.

[maxandersen]

Btw. We use fixed versions to ensure consistency. But we are to be compatible with latest of jdk builds.

[michalvavrik]

I tested it and 1.15 is using Apache Maven 3.6.2 (Red Hat 3.6.2-7). Thank you for information @maxandersen , I think I got what I needed.