Upgrade base image to Alpine 3.15

[iromli]

Is your feature request related to a problem? Please describe.

Janssen images are based on Alpine 3.14. This version has vulnerabilities which most of them are fixed in Alpine 3.15. Note that Java-based images are based on bellsoft/liberica-openjre-alpine:11 which unfortunately are still using Alpine 3.14. The bellsoft/liberica-openjre-alpine:11 is used for glibc (instead of musl) compatibility as Janssen Java-based apps are using native library (that only works with glibc) to interact with Spanner.

Describe the solution you'd like

• Upgrade base image to Alpine 3.15.

• Most of Java-based images can be switched from bellsoft/liberica-openjre-alpine:11 to alpine:3.15.x. Example:

  FROM alpine:3.15.3
  # gcompat for glibc compatibility layer
  RUN apk add --update openjdk11-jre-alpine gcompat

  Also, the entrypoint.sh should add the following environment variable before running server:

  export LD_PRELOAD=/lib/libgcompat.so.0
  exec java -jar ...

• configurator and certmanager (using Java only to generate JWKS) can be safely switched to alpine:3.15.x

Describe alternatives you've considered

• Waiting for bellsoft/liberica-openjre-alpine:11 to be upgraded to Alpine 3.15 (unknown roadmap)
• Custom image that adds glibc (requires more effort)

Additional context

References:

• https://wiki.alpinelinux.org/wiki/Running_glibc_programs

[moabu]

Yes this is quite an issue. I think we need to stick to a plain image and handle the rest manually without depending on another image. We have switched base images before and I think that hurts.

[iromli]

Agreed. Having base image from another vendor may block security patches.

One thing that still unresolved while using ld_preload is failure on calling external program from Java apps. This happens on jans-config-api image that calls facter via subprocess. Still investigating the issue.

[iromli]

After a few tests, using LD_PRELOAD has some issue on resolving path when Java code calls shell process (i.e. running facter).

I'm testing custom image with the following setup:

1. official Alpine 3.15 image
2. glibc Alpine package
3. self-compile zlib and gcc for Java 11
4. Eclipse Temurin (OpenJDK) JRE 11 with glibc-based native library

[iromli]

Here's an example of Dockerfile that conform to the following image setup:

1. official Alpine 3.15 image

2. glibc Alpine package

3. self-compile zlib and gcc for Java 11

4. Eclipse Temurin (OpenJDK) JRE 11 with glibc-based native library

[iromli]

This issue is no longer relevant as there's newer Alpine stable release (v3.16).