tianon
commented
4 years ago You should not use Alpine-based OpenJDK images in production, full stop. OpenJDK is not officially supported on Alpine yet, and more community contribution has been requested in Project Portola before this is something that's official or recommended. Any existing Alpine images in the openjdk repository are either outdated and unsupported or are experimental early-access builds.
The slim variants are as slim as we can reasonably make them (the only things explicitly installed on top of the standard debian:buster-slim official image are ca-certificates and a tool to help manage those), and if you've got suggestions for more ways to make them slimmer, then a pull request would be very interesting. :+1:
$ docker pull openjdk:11-jre-slim-buster
11-jre-slim-buster: Pulling from library/openjdk
Digest: sha256:4a7d4c42f10c08491ffaf476d068f4e039bbce8e00d9488225ce80dde7ecae5c
Status: Image is up to date for openjdk:11-jre-slim-buster
docker.io/library/openjdk:11-jre-slim-buster
$ docker run -it --rm openjdk:11-jre-slim-buster bash
root@82d257a315f2:/# apt-mark showmanual
ca-certificates
p11-kit
$ docker run --rm openjdk:11-jre-slim-buster dpkg -l | wc -l
95
$ docker run --rm debian:buster-slim dpkg -l | wc -l
89
psakar
Hello,
Have you considered producing absolute minimum JRE and JDK images for production? Something like
Alpine+JDK/JRE+cacerts
Because even slim variants come with debien:buster-slim, curl, libpng e.t.c., are additional build time components that are not required on production systems. This is to reduce layers prone to vulnerabilities and gain some size benefits(not much important)
Or there is a rationale behind adding additional tooling on even slim varients?
Thanks, Prasad.CH