Java 21 upgrade

[olivierboudet]

Hi,

Java 21 is GA, when can we hope to have an updated distroless image ?

thanks

[markallanson]

In the Java17 image as an example, configuration, properties, and policies are stored in the etc/java-17-openjdk directory.

All output taken from the dive tool.

│ Current Layer Contents ├─────────────────────────────────────────────────────────────────────────────────────────────────────────────
Permission     UID:GID       Size  Filetree
drwxr-xr-x         0:0     422 kB  ├── etc
drwxr-xr-x         0:0     422 kB  │   └── java-17-openjdk
-rw-r--r--         0:0      391 B  │       ├── accessibility.properties
drwxr-xr-x         0:0      72 kB  │       ├── jfr
-rw-r--r--         0:0      36 kB  │       │   ├── default.jfc
-rw-r--r--         0:0      36 kB  │       │   └── profile.jfc
-rw-r--r--         0:0       54 B  │       ├── jvm-amd64.cfg
-rw-r--r--         0:0     2.7 kB  │       ├── logging.properties
drwxr-xr-x         0:0      18 kB  │       ├── management
-rw-r--r--         0:0     4.0 kB  │       │   ├── jmxremote.access
-rw-r--r--         0:0      14 kB  │       │   └── management.properties
-rw-r--r--         0:0     6.6 kB  │       ├── net.properties
-rw-r--r--         0:0     3.8 kB  │       ├── psfont.properties.ja
-rw-r--r--         0:0      11 kB  │       ├── psfontj2d.properties
drwxr-xr-x         0:0     306 kB  │       ├── security
-rw-r--r--         0:0     2.5 kB  │       │   ├── blocked.certs
-rw-r--r--         0:0      10 kB  │       │   ├── default.policy
-rw-r--r--         0:0     2.2 kB  │       │   ├── java.policy
-rw-r--r--         0:0      57 kB  │       │   ├── java.security
-rw-r--r--         0:0      106 B  │       │   ├── nss.cfg
drwxr-xr-x         0:0     4.1 kB  │       │   ├── policy
-rw-r--r--         0:0     2.4 kB  │       │   │   ├── README.txt
drwxr-xr-x         0:0     1.4 kB  │       │   │   ├── limited
-rw-r--r--         0:0      146 B  │       │   │   │   ├── default_US_export.policy
-rw-r--r--         0:0      647 B  │       │   │   │   ├── default_local.policy
-rw-r--r--         0:0      566 B  │       │   │   │   └── exempt_local.policy
drwxr-xr-x         0:0      339 B  │       │   │   └── unlimited
-rw-r--r--         0:0      146 B  │       │   │       ├── default_US_export.policy
-rw-r--r--         0:0      193 B  │       │   │       └── default_local.policy
-rw-r--r--         0:0     229 kB  │       │   └── public_suffix_list.dat
-rw-r--r--         0:0     1.2 kB  │       ├── sound.properties
-rw-r--r--         0:0      113 B  │       └── swing.properties

Taking a single file, java.security as an example, that's symlinked from the actual java deploy in /usr/lib/jvm/<version>-<arch>/conf/security. The same pattern follows for all the other configuration files in /etc.

│ Current Layer Contents ├─────────────────────────────────────────────────────────────────────────────────────────────────────────────
Permission     UID:GID       Size  Filetree
drwxr-xr-x         0:0      57 kB  ├── etc
drwxr-xr-x         0:0      57 kB  │   └── java-17-openjdk
drwxr-xr-x         0:0      57 kB  │       └── security
-rw-r--r--         0:0      57 kB  │           └── java.security
drwxr-xr-x         0:0        0 B  └── usr
drwxr-xr-x         0:0        0 B      └── lib
drwxr-xr-x         0:0        0 B          └── jvm
drwxr-xr-x         0:0        0 B              └── java-17-openjdk-amd64
drwxr-xr-x         0:0        0 B                  ├── conf
drwxr-xr-x         0:0        0 B                  │   └── security
-rwxrwxrwx         0:0        0 B                  │       └── java.security → /etc/java-17-openjdk/security/java.security

In the current Java21 images this layout does not store config at all in /etc.

[Incluuu]

Java 21 only on Debian 12, will support also cover Debian 11?

[loosebazooka]

No, Debian 11 is eol pretty soon.

[abdennour]

Hello guys, this is reminder! What's the plan ? Do we have any showstopper ?

expected to have the image available under: distroless/java21-debian13

[jhawkins1]

What is the status / ETA of the publishing Java21 as an official Distroless Debian12 Image?

[loosebazooka]

once we get https://github.com/GoogleContainerTools/distroless/pull/1582, we should be able to publish them.

[nmendybayev]

Hi, I see that the Java 21 images are still in working in progress. However, I already can see the image in gcr.io/distroless/java21-debian12. What is that? Is that beta?

The reason I am asking is I have tried that image and found some issue related to some missing packages. This is the detail #1636

I don't know about if it is possible to use gcr.io/distroless/java21-debian12 for production but just tested it and it worked.

[loosebazooka]

Yeah I think we're about ready to advertise it

[gbaso]

I see gcr.io/distroless/java21-debian12 in the README. Should the image be considered production ready? Any reasons why this issue is still open?

[loosebazooka]

We seem to have reached parity with the existing images. So if that works for you then sure. There's one open issue around random number generation algorithms -- but that's not something distroless can fix.

[GregDThomas]

There's one open issue around random number generation algorithms

Do you have a reference? Appreciate it's not a distroless problem, but could be a show stopper depending on what it is.

[loosebazooka]

https://github.com/GoogleContainerTools/distroless/issues/1636