Consider switching to the alpine base image for tomcat

[metazool]

There are concerns raised here about the provenance of the code in OpenJDK 8 base images, both in terms of OpenJDK builds and older Debian distributions used as a base: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-May/009330.html

And certainly when we run a container security scan on the geonetwork:3.6.0 docker image we are seeing a lot of CVEs. Switching from a debian stretch to an alpine base image has eliminated most or all in other projects.

https://hub.docker.com/_/tomcat - this has 8.5.41-jre8-alpine, 8.5-jre8-alpine, 8-jre8-alpine, jre8-alpine, 8.5.41-alpine, 8.5-alpine, 8-alpine any of which you could consider as a base for the official geonetwork image and would improve the situation somewhat

[doublebyte1]

@metazool I don't see any problems in moving to alpine, and there is also the benefit of a smaller footprint. @tianon what do you think?

[tianon]

I'd caution against using OpenJDK based on Alpine -- Alpine is not yet officially supported by the OpenJDK project, and the porting effort could use some help (see https://github.com/docker-library/openjdk/pull/235#issuecomment-424599754).

[giltene]

If you are looking for officially released Alpine-native JDKs and JREs, Zulu 8, 11 and 12 Alpine-native OpenJDK builds are officially released and regularly updated by Azul. See https://hub.docker.com/r/azul/zulu-openjdk-alpine

We hope to get the Alpine ports upstreamed into the main OpenJDK project and into OpenJDK 8 and 11 (all of which are separate from Portola), but they will need to be accepted in the associated OpenJDK projects, and at least for 8 and 11, I expect that may take a few quarters (as the projects are focused on stability and quality of updates and backports). In the meantime, Azul is committed to keeping free Zulu builds for Alpine-native updated, and to keep doing so even after upstream integration into the relevant OpenJDK projects.