[KEYCLOAK-10059] Use ubi8-minimal instead of base-jdk as base image

[douglaspalmer]

No description provided.

[abstractj]

@douglaspalmer should we consider https://github.com/adorsys/dockerhub-pipeline-images/blob/84ce6aa05b2e0ee81339fda34d47d338b9731f78/java/ubi/8/Dockerfile#L38 ?

[abstractj]

@douglaspalmer so far that's a great progress and I feel like we are almost there. Please see my comments above, and please let me know if something does not make sense.

[abstractj]

PR looks good and it's ready to be merged, although we're blocked by https://issues.jboss.org/browse/KEYCLOAK-11185 which will hopefully be fixed until the end of the sprint.

[abstractj]

@stianst @douglaspalmer I was thinking that we may have the chance to make this image even smaller than the current state. With addressing 2 items:

• After run all the git operations here https://github.com/keycloak/keycloak-containers/blob/master/server/tools/build-keycloak.sh#L38. Remove git with microdnf remove git && microdnf clean all

• When download tar.gz files, after extract the whole Keycloak distribution, remove tar, gzip with microdnf remove tar gzip && microdnf clean all

I believe that may have an impact on the image size and after clone the repository or extract the tar.gz file, we don't need these utilities anymore.

Wdyt?

[douglaspalmer]

I tried 'microdnf remove git’ but it gave an error. Regards Doug

…

On Sep 25, 2019, at 1:17 PM, Bruno Oliveira da Silva ***@***.***> wrote: @stianst <https://github.com/stianst> @douglaspalmer <https://github.com/douglaspalmer> I was thinking that we may have the chance to make this image even smaller than the current state. With addressing 2 items: After run all the git operations here https://github.com/keycloak/keycloak-containers/blob/master/server/tools/build-keycloak.sh#L38 <https://github.com/keycloak/keycloak-containers/blob/master/server/tools/build-keycloak.sh#L38>. Remove git with microdnf remove git && microdnf clean all When download tar.gz files, after extract the whole Keycloak distribution, remove tar, gzip with microdnf remove tar gzip && microdnf clean all I believe that may have an impact on the image size and after clone the repository or extract the tar.gz file, we don't need these utilities anymore. Wdyt? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#217?email_source=notifications&email_token=AAE4Z4N2NC37CG334CR5BV3QLPBN3A5CNFSM4IXW3IGKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7TGY7A#issuecomment-535194748>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAE4Z4OIXFESZS74SO2IQJLQLPBN3ANCNFSM4IXW3IGA>.

[abstractj]

@douglaspalmer this is the overall idea for the Keycloak build script. I tried it here using your PR and it worked:

#!/bin/bash -e

###########################
# Build/download Keycloak #
###########################

# Used exclusively for testing purposes. Should be removed
GIT_REPO="douglaspalmer/keycloak"
GIT_BRANCH="KEYCLOAK-11185"

if [ "$GIT_REPO" != "" ]; then
    if [ "$GIT_BRANCH" == "" ]; then
        GIT_BRANCH="master"
    fi

    # Install Git
    microdnf install -y git

    # Install Maven
    cd /opt/jboss 
    curl -s https://apache.uib.no/maven/maven-3/3.5.4/binaries/apache-maven-3.5.4-bin.tar.gz | tar xz
    mv apache-maven-3.5.4 /opt/jboss/maven
    export M2_HOME=/opt/jboss/maven

    # Clone repository
    git clone --depth 1 https://github.com/$GIT_REPO.git -b $GIT_BRANCH /opt/jboss/keycloak-source

    # Build
    cd /opt/jboss/keycloak-source

    MASTER_HEAD=`git log -n1 --format="%H"`
    echo "Keycloak from [build]: $GIT_REPO/$GIT_BRANCH/commit/$MASTER_HEAD"

    $M2_HOME/bin/mvn -Pdistribution -pl distribution/server-dist -am -Dmaven.test.skip clean install
    
    cd /opt/jboss

    tar xfz /opt/jboss/keycloak-source/distribution/server-dist/target/keycloak-*.tar.gz
    
    mv /opt/jboss/keycloak-?.?.?* /opt/jboss/keycloak

    # Remove temporary files
    rm -rf /opt/jboss/maven
    rm -rf /opt/jboss/keycloak-source
    rm -rf $HOME/.m2/repository
    # Remove cached packages and previous installed packages 
    microdnf remove -y git gzip tar && microdnf clean all
    rm -rf /var/cache/yum/*
else
    echo "Keycloak from [download]: $KEYCLOAK_DIST"

    cd /opt/jboss/
    curl -L $KEYCLOAK_DIST | tar zx
    mv /opt/jboss/keycloak-?.?.?* /opt/jboss/keycloak
    # Remove cached packages and previous installed packages  
    microdnf remove -y gzip tar
    rm -rf /var/cache/yum/*
fi

#####################
# Create DB modules #
#####################

mkdir -p /opt/jboss/keycloak/modules/system/layers/base/com/mysql/jdbc/main
cd /opt/jboss/keycloak/modules/system/layers/base/com/mysql/jdbc/main
curl -O https://repo1.maven.org/maven2/mysql/mysql-connector-java/$JDBC_MYSQL_VERSION/mysql-connector-java-$JDBC_MYSQL_VERSION.jar
cp /opt/jboss/tools/databases/mysql/module.xml .

mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main
cd /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main
curl -L https://repo1.maven.org/maven2/org/postgresql/postgresql/$JDBC_POSTGRES_VERSION/postgresql-$JDBC_POSTGRES_VERSION.jar > postgres-jdbc.jar
cp /opt/jboss/tools/databases/postgres/module.xml .

mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/mariadb/jdbc/main
cd /opt/jboss/keycloak/modules/system/layers/base/org/mariadb/jdbc/main
curl -L https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/$JDBC_MARIADB_VERSION/mariadb-java-client-$JDBC_MARIADB_VERSION.jar > mariadb-jdbc.jar
cp /opt/jboss/tools/databases/mariadb/module.xml .

mkdir -p /opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main
cd /opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main
cp /opt/jboss/tools/databases/oracle/module.xml .

mkdir -p /opt/jboss/keycloak/modules/system/layers/keycloak/com/microsoft/sqlserver/jdbc/main
cd /opt/jboss/keycloak/modules/system/layers/keycloak/com/microsoft/sqlserver/jdbc/main
curl -L https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/$JDBC_MSSQL_VERSION/mssql-jdbc-$JDBC_MSSQL_VERSION.jar > mssql-jdbc.jar
cp /opt/jboss/tools/databases/mssql/module.xml .

######################
# Configure Keycloak #
######################

cd /opt/jboss/keycloak

bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-configuration.cli
rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history

bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-ha-configuration.cli
rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history

###################
# Set permissions #
###################

chgrp -R 0 /opt/jboss/keycloak
chmod -R g=u /opt/jboss/keycloak

[stianst]

No need to remove git - that's only installed for dev-only images and image size isn't critical there

[stianst]

tar and gzip are pretty small, so not sure it's worth it

[stianst]

From my perspective this is ready to be merged. We can always tune and tweaks things, but then there was this thing called time ;)

[abstractj]

@stianst Here's my opinion on:

1. Git brings dependencies like Python, which from time to time generate alerts on quay.io about new potential vulnerabilities, even though is a dev image, you have the inconvenience of looking at these alerts
2. If we remove the repository by the end of the build script, we don't need this package
3. Less packages, less maintenance

That's just my opinion, but I will leave that for your best judgment.

[stianst]

Ok, if it's trivial to clean it up afterwards then let's go for it.

[abstractj]

I had a chat with @stianst and we agreed that would be nice to merge it to make our distributions stable and merge this PR. The build of the Docker image is expected to fail while trying to build the changes from master, due to https://issues.jboss.org/browse/KEYCLOAK-11185, but we can follow up on this as a separate issue.