Closed iromli closed 2 years ago
Yes this is quite an issue. I think we need to stick to a plain image and handle the rest manually without depending on another image. We have switched base images before and I think that hurts.
Agreed. Having a base image from another vendor may block security patches.
One thing that is still unresolved while using ld_preload is a failure on calling an external program from Java apps. This happens on the jans-config-api image that calls facter via subprocess. Still investigating the issue.
After a few tests, using LD_PRELOAD has some issues resolving the path when Java code calls a shell process (i.e. running facter).
I'm testing a custom image with the following setup:
Here's an example of a Dockerfile that conforms to the following image setup:
1. official Alpine 3.15 image
2. glibc Alpine package
3. self-compile zlib and gcc for Java 11
4. Eclipse Temurin (OpenJDK) JRE 11 with glibc-based native library
This issue is no longer relevant as there's a newer Alpine stable release (v3.16).
Is your feature request related to a problem? Please describe.
Janssen images are based on Alpine 3.14. This version has vulnerabilities, most of which are fixed in Alpine 3.15. Note that Java-based images are based on bellsoft/liberica-openjre-alpine:11, which unfortunately are still using Alpine 3.14. The bellsoft/liberica-openjre-alpine:11 is used for glibc (instead of musl) compatibility, as Janssen Java-based apps are using a native library (that only works with glibc) to interact with Spanner.
Describe the solution you'd like
Upgrade base image to Alpine 3.15.
Most of the Java-based images can be switched from bellsoft/liberica-openjre-alpine:11 to alpine:3.15.x. Example:
Also, the entrypoint.sh should add the following environment variable before running server:
configurator and certmanager (using Java only to generate JWKS) can be safely switched to alpine:3.15.x
Describe alternatives you've considered
bellsoft/liberica-openjre-alpine:11 to be upgraded to Alpine 3.15 (unknown roadmap)
glibc (requires more effort)
Additional context
References: