Switch to UBI minimal #2007

Closed
arthurdm opened this issue Feb 8, 2021 · 4 comments

arthurdm commented Feb 8, 2021

I would like to propose that the core Dockerfile be modified to start FROM adoptopenjdk/openjdk11:ubi-minimal instead of the current :slim tag. This would switch the base Operating System from Ubuntu to the Universal Base Image (UBI) - which in my opinion is a more robust and enterprise-ready Operating System.

@astefanutti
Member

It sounds like a sensible proposition.

The decision to use adoptopenjdk/openjdk11:slim was primarily taken based on the size criterion, as we moved away from a large image.

Here is a listing of a few Java 11 image candidates (sizes are uncompressed):

REPOSITORY                TAG              IMAGE ID         SIZE
adoptopenjdk/openjdk11    ubi-minimal      dab86988d321     454MB
adoptopenjdk/openjdk11    ubi-slim         49f5b9a9c785     557MB
adoptopenjdk/openjdk11    slim             c6089e7f0313     370MB
adoptopenjdk/openjdk11    debian-slim      03e78c06ffc5     426MB
gcr.io/distroless/java    11               681cb422d023     197MB

I think the adoptopenjdk/openjdk11:ubi-minimal size increase is acceptable, compared to adoptopenjdk/openjdk11:slim. Obviously, size is a debatable criterion.

Some argue that distroless images reduce the attack surface. There is an interesting discussion to move Kubernetes images to using distroless images: kubernetes/enhancements#1729.

One benefit that I see is to reduce CVE noise. Lots of rebuilds can be triggered because of CVEs, while they affect unused libraries.

For Golang operators, it seems "troubleshooting" may be the only use case that requires an operating system in the image. That is however alleviated with kubectl debug and ephemeral containers. I'm not sure how easy it is to be distroless for the JDK, though; ideally AdoptOpenJDK would provide distroless images.

@astefanutti
Member

For reference, the current base image comes from #1215.

@github-actions
Contributor

This issue has been automatically marked as stale due to 90 days of inactivity.
It will be closed if no further activity occurs within 15 days.
If you think that’s incorrect or the issue should never stale, please simply write any comment.
Thanks for your contributions!

@astefanutti
Member

We've switched to ubi-quarkus-mandrel:21.3.0.0-Final-java11, which relies on UBI.
