Assess current set of dependencies in dockerfiles to determine if they are still needed

adoptium / containers

Repo containing the dockerfiles and scripts to produce the official eclipse-temurin containers.

https://hub.docker.com/_/eclipse-temurin/

Apache License 2.0

206 stars 88 forks source link

Assess current set of dependencies in dockerfiles to determine if they are still needed #458

Closed gdams closed 8 months ago

gdams commented 8 months ago

Initially discussed with @sxa via slack.

We don't believe that we need to ship libretls & zlib with Alpine anymore (we bundle zlib with the JDK)

All remaining dependencies should also be checked

gdams commented 8 months ago

Alpine

Name	Still Required?	Comments
bash	❌	gdams - bash was required for https://github.com/adoptium/containers/issues/415
fontconfig	👍	See Footnote¹
ttf-dejavu	👍	See Footnote¹
java-cacerts	❌	gdams - replace with more granular `ca-certificates p11-kit-trust`
libretls	❌	not required
zlib	❌	bundled with the JDK
musl-locales
musl-locales-lang
binutils	👍	Required for jlink, see https://github.com/docker-library/openjdk/issues/351
tzdata	👍	Require for TZ, see see https://github.com/AdoptOpenJDK/openjdk-docker/issues/249

fontconfig

[1]:# java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
# java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
# https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077

↩

gdams commented 8 months ago

Centos

Name	Still Required?	Comments
gzip	👍	Required to extract the JDK
tar	👍	Required to extract the JDK
curl	🔜	Required for historical reasons, see adoptium/containers#255, will be removed in 22
wget	👍	Required to download JDK
tzdata	👍	Require for TZ, see see https://github.com/AdoptOpenJDK/openjdk-docker/issues/249
openssl
ca-certificates	👍	Utilities for syncing Centos & OpenJDK CA certs, adoptium/containers#293
binutils	👍	Required for jlink, see docker-library/openjdk#351
fontconfig	👍	See Footnote¹

fontconfig

[1]:# java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
# java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
# https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077

↩

gdams commented 8 months ago

UBI9-Minimal

Name	Still Required?	Comments
gzip	👍	Required to extract the JDK
tar	👍	Required to extract the JDK
binutils	👍	Required for jlink, see https://github.com/docker-library/openjdk/issues/351
tzdata	👍	Require for TZ, see see https://github.com/AdoptOpenJDK/openjdk-docker/issues/249
openssl
wget	👍	Required to download JDK
ca-certificates	👍	Utilities for syncing UBI & OpenJDK CA certs, https://github.com/adoptium/containers/issues/293
fontconfig	👍	See Footnote¹
glibc-langpack-en	👍	fixes: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)

fontconfig

[1]:# java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
# java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
# https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077

↩

gdams commented 8 months ago

Ubuntu (Focal and Jammy)

Name	Still Required?	Comments
curl	🔜	Required for historical reasons, see adoptium/containers#255, will be removed in 22
wget	👍	Required to download JDK
fontconfig	👍	See Footnote¹
ca-certificates	👍	Utilities for syncing Ubuntu & OpenJDK CA certs, https://github.com/adoptium/containers/issues/293
p11-kit	👍	Utilities for syncing Ubuntu & OpenJDK CA certs, https://github.com/adoptium/containers/issues/293
binutils	👍	Required for jlink, see https://github.com/docker-library/openjdk/issues/351
tzdata	👍	Require for TZ, see see https://github.com/AdoptOpenJDK/openjdk-docker/issues/249
locales
libatomic1	👍	Required for arm32 builds

fontconfig

[1]:# java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
# java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
# https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077

↩

sxa commented 8 months ago

Ref Alpine, I suspect we can get rid of the requirement for bash without too much difficulty if it's only needed for entrypoint.sh - that's not a particularly complex script.

gdams commented 8 months ago

Ref Alpine, I suspect we can get rid of the requirement for bash without too much difficulty if it's only needed for entrypoint.sh - that's not a particularly complex script.

@yosifkit did some digging and discovered that it broke in busybox for a while but has since been fixed:

$ docker run --rm -it -e test.var=alpine busybox:1.25.0 /bin/sh -c 'env' | grep 'test.var'
test.var=alpine
$ docker run --rm -it -e test.var=alpine busybox:1.26.0 /bin/sh -c 'env' | grep 'test.var'
$ docker run --rm -it -e test.var=alpine busybox:1.27.0 /bin/sh -c 'env' | grep 'test.var'
$ docker run --rm -it -e test.var=alpine busybox:1.28.0 /bin/sh -c 'env' | grep 'test.var'
test.var=alpine

gdams commented 8 months ago

ping @dinogun as he might have some context as to why we ship UBI and Centos with the OpenSSL package

dinogun commented 8 months ago

@gdams The best explanation that I have is that we required OpenSSL at one point for OpenJ9 and this ended up being copied over for OpenJDK as well. Would be reasonable to remove it. Folks who really want OpenSSL, can always update their Dockerfiles to add it on top of the standard images.