Java 11 #160

Closed
vorburger opened this issue May 18, 2018 · 25 comments

@vorburger
Collaborator

Issue to discuss eventually (not today or tomorrow) supporting Java 9.

NOK for the moment, master...vorburger:java9:

```
Step 17/35 : RUN yum install -y java-9-openjdk
 ---> Running in f2920f7f4327
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
 * base: fr2.rpmfind.net
 * extras: mirrors.ircam.fr
 * updates: centos.crazyfrogs.org
No package java-9-openjdk available.
Error: Nothing to do
The command '/bin/sh -c yum install -y java-9-openjdk' returned a non-zero code: 1
```

@ctron
Contributor

ctron commented Oct 4, 2018

I think this one is more important now as Java 11 (LTS) just came out. And I do already have the first discussion about switching to Java 11, which does impact fabric8-s2i, as we are using this in this case for the OpenShift deployment.

I would suggest to change the title to "Java 11" and start making plans.

@rhuss
Contributor

rhuss commented Oct 4, 2018

@ctron good point to focus on the LTE release. We should start working on this asap ...

rhuss changed the title from "Java 9" to "Java 11" on Oct 4, 2018
@vorburger
Collaborator Author

@rhuss @ctron I'm motivated to help with this, and may be able to make time next week.

We'd have both a Java 8 and Java 11 image, likely for quite some time, not go from 8 to 11 only, agreed?

Anyone know if & how to get a Java 11 package on CentOS? Else I can ask someone I know internally.

@rhuss
Contributor

rhuss commented Oct 4, 2018

yes, we should have two variants. fish-pepper can help here (like for the plain java image which btw would also benefit of an upgrade :)

No, unfortunately I don't know how to get Java 11 for CentOS (or RHEL which would be equally important)

@vorburger
Collaborator Author

Friend of mine (TX @skitt) has pointed me to https://koji.fedoraproject.org/koji/packageinfo?packageID=27256 but that is Fedora.... I need to find out more about CentOS (@rhuss re. RHEL I propose we follow up on that in a separate new issue later, after we have a PR in for a community image; and gain some experience with that first; makes sense?).

@rhuss @ctron what are your thoughts about using a Fedora 28 instead of CentOS based image here (for a Java 11 variant) - go for it, or no go for some reason I need to learn about?

@ctron
Contributor

ctron commented Oct 9, 2018

I would prefer to stick to CentOS/RHEL here.

From what I read, for the moment there is no Java 11 from RHEL/CentOS. But it will be there "soon".

Of course you can always drop in OpenJDK manually, like I did it with https://github.com/ctron/s2i-java-openj9

But, I don't think this makes sense on the long run. I would suggest to wait a little bit longer for some official Java 11. If it takes "too long", there is always the possibility to drop in plain OpenJDK until that happens.

@rhuss
Contributor

rhuss commented Oct 9, 2018

I would also like to stick to CentOS and use packages, just to be as close as possible to the product variants (RHEL that is)

@gunnarmorling

What's the advantage of using an "official" package? FWIW, I think it'd be nice to get out a first version quickly, so people can start benefitting from the nice Java 9/10/11 improvements. It always can be retrofitted to using a properly installed package later on, though the advantage (apart from product similarity) seems not huge IMO.

@vorburger
Collaborator Author

vorburger commented Oct 10, 2018

@gunnarmorling but then let me do a Fedora (where there is a Java 11 package, apparently) instead of a CentOS based image here, instead of fetching the binary dist ZIP from Oracle.com (I really like to avoid that). Once there is a Java 11 package on CentOS, we use that. How is that as a plan for everyone?

PS: If I'm missing something that is wrong with Fedora over CentOS, please educate me! 😸

@gunnarmorling

Well, not that I have any say in this :) It seems though that changing the base of the image later on seems potentially more disruptive than only altering the way of installing the JDK. Note you can download OpenJDK builds (created by Oracle) from http://jdk.java.net/11/. There are also builds created by AdoptOpenJDK, I haven't tried those yet, though.

@rhuss
Contributor

rhuss commented Oct 11, 2018

@vorburger @gunnarmorling I think the major work will be to adapt https://github.com/fabric8io-images/run-java-sh to adopt the auto-generation options for the JDK. E.g. it would need a Java 8 / Java 11 dynamic detection (or taken from an env var) and use only the self-calculated cgroup based limits if not running on Java 11.

Also, it would be awesome to update the fine-tuned options for Java 11 as well.

A similar issue is open over there btw --> https://issues.jboss.org/browse/CLOUD-2839

@gunnarmorling

gunnarmorling commented Nov 7, 2018

Hey @rhuss and @vorburger, any news on this one?

We'd like to update Debezium's Docker images to Java 11, so to benefit from all the recent container-related improvements. How about using a minimum image (e.g. registry.centos.org/centos/centos7-atomic or registry.fedoraproject.org/fedora-minimal) as a basis?

In terms of install, it appears just fetching the latest JDK from openjdk.net would give us the latest updates quicker than relying on packages. Btw. the current OpenJDK 11 package on Fedora gives very bad results with jlink modular runtime images (huge size due to debug symbols), so I'd advise against using it.

> it would need a Java 8 / Java 11 dynamic detection (or taken from an env var) and use only the self-calculated cgroup based limits if not running on Java 11.

+1

> Also, it would be awesome to update the fine-tuned options for Java 11 as well.

What options are still needed with Java 11?

vorburger added a commit to vorburger/s2i that referenced this issue Nov 7, 2018
currently fails due to:

```
Step 7/35 : RUN echo securerandom.source=file:/dev/urandom >> /usr/lib/jvm/java/jre/lib/security/java.security  && usermod -g root -G jboss jboss
 ---> Running in dd963f1c3cc3
/bin/sh: /usr/lib/jvm/java/jre/lib/security/java.security: No such file or directory
```
vorburger added a commit that referenced this issue Nov 7, 2018
vorburger added a commit to vorburger/s2i that referenced this issue Nov 7, 2018
This will allow to easily test not just the current
centos image but also a fedora variant and Java 11 version.
(It could also be used to self test that RHEL variant.)
vorburger added a commit to vorburger/s2i that referenced this issue Nov 7, 2018
because the directory of the java.security file has
moved in Java 11, so we need it to be flexible.
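
The failing build step and the commit messages above come down to the hard-coded Java 8 path to `java.security`, which does not exist in a Java 11 JDK. One way to make that step independent of the JDK layout, as an added example that is not the project's actual fix; the function names and the `--apply` flag are hypothetical, and the directories searched are the standard Java 8 and Java 9+ locations:

```sh
#!/bin/sh
# Added example, not code from the fabric8io-images/s2i repository.
# Function names and the --apply flag are hypothetical.

# Print the path of java.security under a JDK/JRE home.
#   Java 9+ (incl. 11): $JAVA_HOME/conf/security/java.security
#   Java 8 JDK:         $JAVA_HOME/jre/lib/security/java.security
#   Java 8 JRE:         $JAVA_HOME/lib/security/java.security
find_java_security() {
    java_home=$1
    for rel in conf/security jre/lib/security lib/security; do
        if [ -f "$java_home/$rel/java.security" ]; then
            printf '%s\n' "$java_home/$rel/java.security"
            return 0
        fi
    done
    echo "java.security not found under $java_home" >&2
    return 1
}

# Make securerandom.source take the given value. java.security is a
# properties file, so the last assignment of a key wins: appending is
# enough, and comparing against the last assignment keeps repeated
# image builds from stacking duplicate lines.
set_securerandom_source() {
    java_home=$1
    value=${2:-file:/dev/urandom}
    file=$(find_java_security "$java_home") || return 1
    last=$(grep '^securerandom\.source=' "$file" | tail -n 1)
    if [ "$last" = "securerandom.source=$value" ]; then
        return 0
    fi
    # Do not glue the new key onto an unterminated last line.
    if [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf 'securerandom.source=%s\n' "$value" >> "$file"
}

# Dockerfile use: RUN sh this-script.sh --apply /usr/lib/jvm/java
if [ "${1:-}" = "--apply" ]; then
    set_securerandom_source "${2:?JDK home required}"
fi
```

Failing loudly when no `java.security` is found matters here: a silent no-op would leave the image on the JDK's default entropy source without anyone noticing.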
@vorburger
Collaborator Author

I've completed a first version of this tonight. I propose we get that in, and then incrementally improve upon it.

In addition to #181, I've opened new #191 & #192 for the other new points suggested above.

FTR: This is my "hobby", not real main work... looking forward to more contributions from others! 😈

@ctron
Contributor

ctron commented Nov 8, 2018

I would really stick CentOS as a base image. Even for a short period of time, switching to Fedora might cause more problems than it actually solves.

e.g. in https://github.com/eclipse/hono/blob/master/deploy/src/main/deploy/openshift_s2i/containers/custom-base/Dockerfile … I am extending the S2I image with a few additions. Simply switching the base image would break this, and then break this again later on.

So I would really suggest to stick to CentOS 7.x for the S2I 2.x release series.

Maybe creating a parallel "fedora-s2i-java" image is a better approach for this.

@rhuss
Contributor

rhuss commented Nov 8, 2018

I agree we should do it with a complete different image as we e.g. also do it for https://github.com/fabric8io-images/java . This should be super easy with add some extra configuration to fish-pepper, which exactly was created for that. The differences can go in a single Dockerfile template, and we could clean up the Fedora branch when we fully switch back to CentOS when Java 11 is available there.

We should also decide whether we want to have the Fedora branch only temporarily (and then mention this in the README) or we would support it permanently. Any ideas what other advantages/differences a Fedora image would have over a CentOS image ?

I'm saying without actually having looked into the PR (which I plan for tomorrow, or later when I'm back on the train)

vorburger added a commit that referenced this issue Nov 12, 2018
because v4.6 fails to run on Java 11
vorburger added a commit to vorburger/s2i that referenced this issue Nov 12, 2018
This will allow to easily test not just the current
centos image but also a fedora variant and Java 11 version.
(It could also be used to self test that RHEL variant.)
vorburger added a commit that referenced this issue Nov 13, 2018
This will allow to easily test not just the current
centos image but also a fedora variant and Java 11 version.
(It could also be used to self test that RHEL variant.)
vorburger added a commit to vorburger/s2i that referenced this issue Nov 13, 2018
because the directory of the java.security file has
moved in Java 11, so we need it to be flexible.
vorburger added a commit that referenced this issue Nov 14, 2018
because the directory of the java.security file has
moved in Java 11, so we need it to be flexible.
vorburger added a commit to vorburger/s2i that referenced this issue Nov 14, 2018
based on Fedora 29 base image, could be switched
to CentOS 7.6 later when that's available (fabric8io-images#193).
@vorburger
Collaborator Author

> I would really stick CentOS as a base image.
> So I would really suggest to stick to CentOS 7.x for the S2I 2.x release series.
> decide whether we want to have the Fedora branch only temporarily

except there is no CentOS base image with Java 11 available just yet, so in #160 I propose that we get the ball rolling with a Fedora 29 base image. This will let people try this out sooner rather than later. We can switch from Fedora to CentOS 7.6 when that's available; I've opened #193 so we don't forget.

> ideas what other advantages/differences a Fedora image would have over a CentOS image ?

Other than Fedora 29 having a Java 11 package which CentOS 7.5 does not yet (but 7.6 will), from what I understand of such matters, I don't think it should make a huge difference for most average users (of the community image). I would love to be proven wrong and learn something myself.

> Even for a short period of time, switching to Fedora might cause more problems than it actually solves.
> e.g. in ... I am extending the S2I image with a few additions. Simply switching the base image would
> break this, and then break this again later on.

Are you sure? I thought Fedora was close enough to CentOS. You could try it out?

> The differences can go in a single Dockerfile template,
> super easy with add some extra configuration to fish-pepper, which exactly was created for that.
> Maybe creating a parallel "fedora-s2i-java" image is a better approach for this.
> I agree we should do it with a complete different image

Yes, of course; #160 does exactly what you propose - I think.

@skitt

skitt commented Nov 14, 2018

> Are you sure? I thought Fedora was close enough to CentOS. You could try it out?

CentOS 7.x is based on RHEL 7.x which is based on Fedora somewhere between 19 and 20. There are many differences in the package selection between Fedora and CentOS, and of course their versions (when comparing current releases). Whether that has any impact on the images here is another matter...

@vorburger
Collaborator Author

> Whether that has any impact on the images here is another matter...

Indeed, and that's my real point here. For the majority of users just wanting to start exploring Java 11, even if you yum install some additional packages, without fixed version numbers (such as e.g. @ctron is doing here), IMHO there is a fair chance it will "just work" (or require only minor adjustments). This, to me, seems to "justify" letting anyone interested start exploring a Java 11 based S2I Java Builder rather sooner than later, without having to wait for a CentOS 7.6 release (#193).

vorburger added a commit that referenced this issue Nov 21, 2018
based on Fedora 29 base image, could be switched
to CentOS 7.6 later when that's available (#193).
@vorburger
Collaborator Author

Closing this issue now, as we do have basic Java 11 support; more specific issues for finer follow-up points.

@maslick

maslick commented Mar 19, 2019

In the end which jdk11 build comes with the fabric8/s2i-java:latest-java11 s2i image? The one from Oracle (6 months of security patches), or the one from AdoptOpenJDK (4+ years of security patches)?
https://blog.joda.org/2018/09/do-not-fall-into-oracles-java-11-trap.html

@vorburger
Collaborator Author

> In the end which jdk11 build comes with the fabric8/s2i-java:latest-java11 s2i image? The one from Oracle (6 months of security patches), or the one from AdoptOpenJDK (4+ years of security patches)?
> https://blog.joda.org/2018/09/do-not-fall-into-oracles-java-11-trap.html

@maslick neither of those, but the one which Red Hat maintains; it's an RPM package which you get from yum install on Fedora / CentOS / RHEL; it's also available for Windows for development, see https://developers.redhat.com/products/openjdk/download, and for production you can get long term support with security patches for it from Red Hat via a subscription. More background about all this e.g. on https://developers.redhat.com/blog/2018/09/24/the-future-of-java-and-openjdk-updates-without-oracle-support/

@maslick

maslick commented Mar 19, 2019

@vorburger thanks a lot. As far as I understand this Dockerfile is based on the centos:7 image. If I'm not mistaken, you don't need a RHEL subscription for CentOS. So I'm still guessing which license the fabric8/s2i-java:latest-java11's JDK has?

@vorburger
Collaborator Author

> As far as I understand this Dockerfile is based on the centos:7 image. If I'm not mistaken, you don't need a RHEL subscription for CentOS.

That is correct; the OpenJDK used in this image is pretty much the same thing like downloading a CentOS ISO in a VM and doing yum install java-11-openjdk-devel there ... it's "community supported".

For production you can get LTS with security patches for OpenJDK from Red Hat via a subscription for another image similar but not completely identical (see #218) to this one, see https://github.com/jboss-container-images/openjdk.

> guessing which license does the fabric8/s2i-java:latest-java11's JDK have?

The OpenJDK license is a different question than support, but I don't think that's what you are asking.

@maslick

maslick commented Mar 19, 2019

@vorburger with my original inquiry I wanted to not "get a nasty phone call from Oracle's license enforcement teams demanding lots of money" ;) Also I was wondering if it's LTS. So the answer is (if I understood you correctly):

  1. It's not an Oracle build, but the RedHat one, in other words free.
  2. It's not LTS, meaning no security patches after Java 12 is released (which is today). If I want LTS, I would need a different Dockerfile (with RHEL base image and a proper subscription).

@vorburger
Collaborator Author

> It's not LTS, meaning no security patches after Java 12 is released (which is today).

No I think that's Oracle policy, only. I'm pretty sure that the CentOS Java 11 (and Java 8 BTW) RPM packages get security patches for longer than today... but could not tell you exactly for how long. You could try to Google it or ask on ... a CentOS (or Fedora) community list / Forum - I'm actually not entirely sure myself where.

> If I want LTS, I would need a different Dockerfile (with RHEL base image and a proper subscription).

For production you can get LTS with security patches for OpenJDK from Red Hat via a subscription for another image similar but not completely identical (see #218) to this one, see https://github.com/jboss-container-images/openjdk.
