paketo-buildpacks / oracle

A Cloud Native Buildpack that provides the Oracle JDK implementations of JREs and JDKs
Apache License 2.0

Add JRE to avoid using JDK at runtime #126

Closed danicattaneob closed 1 year ago

danicattaneob commented 1 year ago

I'm creating Docker images of my Spring Boot application using this buildpack, but when it builds, it uses the JDK instead of a JRE because of the following message: No valid JRE available, providing matching JDK instead. Using a JDK at runtime has security implications. Can we add a JRE to the buildpack in order to use a JDK at runtime?

Describe the Enhancement

Add a JRE to the buildpack.

Possible Solution

Motivation

Using JRE instead of JDK has security implications.

dmikusa commented 1 year ago

Oracle does not publish a JRE, but you can use the jlink feature to strip out the JDK bits.

`$BP_JVM_JLINK_ENABLED` | Configures whether to run the JDK's jlink tool at build time to generate a custom JRE. Defaults to false. If no custom args are specified, the default args are `--no-man-pages --no-header-files --strip-debug --compress=1`.

`$BP_JVM_JLINK_ARGS` | Configure custom arguments to supply to the jlink tool. If any custom args are specified, no default args are supplied.

I believe you'd need custom args to strip out the JDK bits though, we don't do that by default.

https://github.com/paketo-buildpacks/oracle#configuration
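
A check one could run against the resulting runtime's Java home to confirm the JDK bits are actually gone after a jlink build, as an added example that is not part of the thread or the buildpack project. The tool and module lists are a constructed, non-exhaustive selection, and the function names are hypothetical; the script relies on the `release` file with a `MODULES=` line that jlink writes into the runtimes it generates.

```shell
#!/bin/sh
# Added example (not the buildpack's own code): audit a Java home directory for
# JDK-only tooling that should not ship in a runtime image.
# Assumption: the image was built with BP_JVM_JLINK_ENABLED=true and the path of
# the resulting Java home is passed as the first argument.

# Constructed, non-exhaustive lists of JDK-only launchers and modules.
JDK_TOOLS="javac javadoc jshell jdb jlink jmod jar jarsigner jcmd jmap jstack jhsdb"
JDK_MODULES="jdk.compiler jdk.javadoc jdk.jshell jdk.jdi jdk.jlink jdk.jartool jdk.jcmd jdk.attach jdk.hotspot.agent"

# Print each JDK-only launcher found in <java_home>/bin, one per line.
jdk_tools_present() {
    for t in $JDK_TOOLS; do
        [ -e "$1/bin/$t" ] && echo "$t"
    done
    return 0
}

# Print each JDK-only module named in the MODULES line of <java_home>/release.
jdk_modules_present() {
    [ -r "$1/release" ] || return 0
    mods=$(sed -n 's/^MODULES="\(.*\)"$/\1/p' "$1/release")
    for m in $mods; do
        case " $JDK_MODULES " in *" $m "*) echo "$m" ;; esac
    done
    return 0
}

# Return 0 if no JDK tooling is found, 1 (with a report on stderr) otherwise.
audit_java_home() {
    found="$(jdk_tools_present "$1") $(jdk_modules_present "$1")"
    found=$(echo $found)   # collapse newlines and surplus spaces
    if [ -n "$found" ]; then
        echo "JDK components present in $1: $found" >&2
        return 1
    fi
    return 0
}

# Run the audit only when a path is supplied on the command line.
if [ $# -gt 0 ]; then
    audit_java_home "$1"
fi
```

A non-zero exit status makes this usable as a gate in a CI step that inspects the built image's filesystem.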

danicattaneob commented 1 year ago

Thanks for the quick response, I'll look into it. I also tried with the Amazon Corretto buildpack and it has the same issue, but Amazon does publish a JRE. Do you know if it could be added to the Corretto buildpack?

dmikusa commented 1 year ago

Yes, if you're aware of one we'll certainly publish it. If you open an issue against that repo and point us to the location for the JRE, we can add it.

danicattaneob commented 1 year ago

Perfect, thanks for the help!! I'll open the issue in the Corretto repo.