Switched Docker runtime image to jlink (#371)

pioorg · web-flow · commit 6e66f73070b8 · 2025-08-14T11:31:52.000-04:00
Details: * bumped JDK to the latest 21 in the builder image * switched the runtime base image to chainguard-base * updated git version to 2.50.1-r1 * used `jlink `to create smaller image without not needed JDK modules, man pages and so on ### Closes #370 ### Checklists  #### Pre-Review Checklist - [x] This PR does NOT contain credentials of any kind, such as API keys or username/passwords (double check `crawler.yml.example` and `elasticsearch.yml.example`) - [ ] This PR has a meaningful title - [ ] This PR links to all relevant GitHub issues that it fixes or partially addresses - If there is no GitHub issue, please create it. Each PR should have a link to an issue - [ ] this PR has a thorough description - [ ] Covered the changes with automated tests - [x] Tested the changes locally - [ ] Added a label for each target release version (example: `v0.1.0`) - [ ] Considered corresponding documentation changes - [ ] Contributed any configuration settings changes to the configuration reference - [ ] Ran `make notice` if any dependencies have been added #### Changes Requiring Extra Attention  This PR **has to be well tested before merging**, to ensure all necessary modules are present in the customised JDK image. Until proper CI and tests are completed, please treat it as a work in progress. - [ ] Security-related changes (encryption, TLS, SSRF, etc) - [ ] New external service dependencies added. ### Related Pull Requests  ### Release Note
diff --git a/Dockerfile.wolfi b/Dockerfile.wolfi
@@ -1,6 +1,5 @@
 # Build stage
-FROM docker.elastic.co/wolfi/jdk:openjdk-21.35-r1@sha256:d7ca36452a68f28e4c4683062241e817b548844820a0ffd087451214e61eb188 AS builder
-
+FROM docker.elastic.co/wolfi/jdk:openjdk-21.0.8-r1-dev@sha256:935bb066f36b48abf8e7dce4533cec6a0d62c24d4ec4073a5c95d282840028f9 AS builder
 USER root
 
 # ------------------------------------------------------------------------------
@@ -53,25 +52,35 @@ RUN make clean install
 # add more directories and files not to be copied to the runtime image from /home/app
 RUN rm -rf .git .github .idea .devcontainer .buildkite
 
+# Create custom JDK using jlink
+RUN jlink \
+    --add-modules java.base,jdk.crypto.ec,java.logging,java.management,java.naming,java.net.http,java.scripting,java.security.jgss,java.security.sasl,java.sql,jdk.unsupported \
+    --strip-debug \
+    --no-man-pages \
+    --no-header-files \
+    --compress=zip-6 \
+    --output /opt/jdk-crawler
+
 # ------------------------------------------------------------------------------
-# Runtime stage - using the same base image
-FROM docker.elastic.co/wolfi/jdk:openjdk-21.35-r1@sha256:d7ca36452a68f28e4c4683062241e817b548844820a0ffd087451214e61eb188
+# Runtime stage - using wolfi-base
+FROM docker.elastic.co/wolfi/chainguard-base@sha256:3b2026fffccfc6223a9f49f09279e044008b64e30b948cee17f9a74143a2c850
 
 USER root
 
+# Create java user and install runtime dependencies
+RUN addgroup -g 1000 java && adduser -u 1000 -G java -s /bin/bash -D java && \
+    apk update && apk add --no-cache libcurl-openssl4=~8.12.1 git=~2.50.1-r1 bash=~5.3.0
+
 # Set environment variables
-ENV JAVA_HOME=/usr/lib/jvm/default-jvm \
-    PATH=/opt/jruby/bin:/usr/local/bundle/bin:$PATH \
+ENV JAVA_HOME=/opt/jdk-crawler \
+    PATH=/opt/jdk-crawler/bin:/opt/jruby/bin:/usr/local/bundle/bin:$PATH \
     GEM_HOME=/usr/local/bundle \
     BUNDLE_SILENCE_ROOT_WARNING=1 \
     BUNDLE_APP_CONFIG=/usr/local/bundle \
     IS_DOCKER=1
 
-# Install runtime dependencies
-RUN apk update && apk add --no-cache libcurl-openssl4=~8.12.1 git=~2.45.0
-
-
-# Copy JRuby, gem environment, and application from builder
+# Copy custom JDK, JRuby, gem environment, and application from builder
+COPY --from=builder /opt/jdk-crawler /opt/jdk-crawler
 COPY --from=builder /opt/jruby /opt/jruby
 COPY --from=builder /usr/local/bundle /usr/local/bundle
 COPY --from=builder --chown=java:java /home/app /home/app
