From b37ae359054479f0fef1820047ba3358c25dcda8 Mon Sep 17 00:00:00 2001
From: Bruno Borges
Date: Tue, 29 Nov 2022 13:23:41 -0800
Subject: [PATCH 1/4] Add non-root user 'app' to all images
---
 docker/distroless/Dockerfile.msopenjdk-11-jdk | 10 ++++++++++
 docker/distroless/Dockerfile.msopenjdk-17-jdk | 10 ++++++++++
 docker/distroless/Dockerfile.temurin-8-jdk | 10 ++++++++++
 docker/mariner-cm1/Dockerfile.msopenjdk-11-jdk | 8 +++++++-
 docker/mariner-cm1/Dockerfile.msopenjdk-17-jdk | 8 +++++++-
 docker/mariner/Dockerfile.msopenjdk-11-jdk | 6 ++++++
 docker/mariner/Dockerfile.msopenjdk-17-jdk | 6 ++++++
 docker/mariner/Dockerfile.temurin-8-jdk | 6 ++++++
 docker/ubuntu/Dockerfile.msopenjdk-11-jdk | 3 +++
 docker/ubuntu/Dockerfile.msopenjdk-17-jdk | 4 ++++
 10 files changed, 69 insertions(+), 2 deletions(-)
diff --git a/docker/distroless/Dockerfile.msopenjdk-11-jdk b/docker/distroless/Dockerfile.msopenjdk-11-jdk
index 26dd871..214d22e 100644
--- a/docker/distroless/Dockerfile.msopenjdk-11-jdk
+++ b/docker/distroless/Dockerfile.msopenjdk-11-jdk
@@ -20,6 +20,15 @@ RUN mkdir -p /usr/lib/jvm && \
 RUN mkdir /staging \
 && tdnf install -y --releasever=2.0 --installroot /staging zlib
+# Create a non-root user and group (just like .NET's image)
+RUN tdnf install -y gawk shadow-utils \
+ && groupadd --system --gid=101 app \
+ && adduser --uid 101 --gid 101 --shell /bin/false --system app \
+ && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
+ && rootOrAppRegex='^\(root\|app\):' \
+ && cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
+ && cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"
+
 # Clean up staging
 RUN rm -rf /staging/etc/tdnf \
 && rm -rf /staging/run/* \
@@ -37,6 +46,7 @@ LABEL "Support"="Microsoft OpenJDK Support "
 COPY --from=installer /staging/ /
 COPY --from=installer /usr/jdk/ /usr/jdk/
+COPY --from=installer --chown=101:101 /staging/home/app /home/app
 ENV JAVA_HOME=/usr/jdk
 ENV PATH="$PATH:$JAVA_HOME/bin"
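Review bot: Nothing in either hunk switches to the new account, so the runtime stage still starts as root; `app` is written into `/staging/etc/passwd` and given `/home/app`, but no `USER` instruction follows the new `COPY --chown=101:101` line. If leaving the switch to consumers is deliberate (so they can still add packages as root before switching), say so in the `# Create a non-root user and group` comment; otherwise add `USER app` after `ENV PATH="$PATH:$JAVA_HOME/bin"`, ahead of the ENTRYPOINT that presumably follows outside the hunk. Because the staged passwd file carries the `app` entry, the name resolves in the distroless rootfs, but a numeric `USER 101` is the form Kubernetes `runAsNonRoot` can verify without a name lookup.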
diff --git a/docker/distroless/Dockerfile.msopenjdk-17-jdk b/docker/distroless/Dockerfile.msopenjdk-17-jdk
index eaa68bf..d01e6b6 100644
--- a/docker/distroless/Dockerfile.msopenjdk-17-jdk
+++ b/docker/distroless/Dockerfile.msopenjdk-17-jdk
@@ -20,6 +20,15 @@ RUN mkdir -p /usr/lib/jvm && \
 RUN mkdir /staging \
 && tdnf install -y --releasever=2.0 --installroot /staging zlib
+# Create a non-root user and group (just like .NET's image)
+RUN tdnf install -y gawk shadow-utils \
+ && groupadd --system --gid=101 app \
+ && adduser --uid 101 --gid 101 --shell /bin/false --system app \
+ && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
+ && rootOrAppRegex='^\(root\|app\):' \
+ && cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
+ && cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"
+
 # Clean up staging
 RUN rm -rf /staging/etc/tdnf \
 && rm -rf /staging/run/* \
@@ -37,6 +46,7 @@ LABEL "Support"="Microsoft OpenJDK Support "
 COPY --from=installer /staging/ /
 COPY --from=installer /usr/jdk/ /usr/jdk/
+COPY --from=installer --chown=101:101 /staging/home/app /home/app
 ENV JAVA_HOME=/usr/jdk
 ENV PATH="$PATH:$JAVA_HOME/bin"
diff --git a/docker/distroless/Dockerfile.temurin-8-jdk b/docker/distroless/Dockerfile.temurin-8-jdk
index 941bee8..df9741c 100644
--- a/docker/distroless/Dockerfile.temurin-8-jdk
+++ b/docker/distroless/Dockerfile.temurin-8-jdk
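Review bot: The two `cat /etc/passwd | grep $rootOrAppRegex` lines in the first hunk are a useless use of cat with an unquoted pattern; `&& grep "$rootOrAppRegex" /etc/passwd > "/staging/etc/passwd" \` (and the same shape for `/etc/group`) reads the same, drops the pipeline, and keeps the pattern a single argument if it is ever edited to contain whitespace or glob characters. The block is byte-identical to the one in the msopenjdk-11 file, so the same change applies there. A one-line comment such as `# ship only the root and app entries into the distroless rootfs` would also make the intent of the regex obvious to the next reader.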
@@ -8,6 +8,15 @@ FROM ${INSTALLER_IMAGE}:${INSTALLER_TAG} AS installer
 ARG PKGS="ca-certificates tzdata freetype"
 ARG JDK_URL="https://api.adoptium.net/v3/binary/latest/8/ga/linux/x64/jdk/hotspot/normal/eclipse?project=jdk"
+# Create a non-root user and group (just like .NET's image)
+RUN tdnf install -y gawk shadow-utils \
+ && groupadd --system --gid=101 app \
+ && adduser --uid 101 --gid 101 --shell /bin/false --system app \
+ && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
+ && rootOrAppRegex='^\(root\|app\):' \
+ && cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
+ && cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"
+
 # Install pre-reqs
 RUN mkdir -p /usr/lib/jvm && \
 tdnf install -y ca-certificates tar && \
@@ -25,5 +34,6 @@ ENV JAVA_HOME=/usr/jdk
 ENV PATH="$PATH:$JAVA_HOME/bin"
 COPY --from=installer /usr/jdk/ /usr/jdk/
+COPY --from=installer --chown=101:101 /staging/home/app /home/app
 ENTRYPOINT [ "/usr/jdk/bin/java" ]
diff --git a/docker/mariner-cm1/Dockerfile.msopenjdk-11-jdk b/docker/mariner-cm1/Dockerfile.msopenjdk-11-jdk
index 34b9863..fcd98c8 100644
--- a/docker/mariner-cm1/Dockerfile.msopenjdk-11-jdk
+++ b/docker/mariner-cm1/Dockerfile.msopenjdk-11-jdk
@@ -20,4 +20,10 @@ RUN tdnf -y update && \
 java -Xshare:dump && \
 rm -rf /usr/lib/jvm/msopenjdk-11/lib/src.zip
-ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-11
\ No newline at end of file
+RUN tdnf install -y gawk shadow-utils \
+ && tdnf clean all \
+ && groupadd --system --gid=101 app \
+ && adduser --uid 101 --gid 101 --system app \
+ && install -d -m 0755 -o 101 -g 101 "/home/app"
+
+ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-11
diff --git a/docker/mariner-cm1/Dockerfile.msopenjdk-17-jdk b/docker/mariner-cm1/Dockerfile.msopenjdk-17-jdk
index 4e830b4..2446fe5 100644
--- a/docker/mariner-cm1/Dockerfile.msopenjdk-17-jdk
+++ b/docker/mariner-cm1/Dockerfile.msopenjdk-17-jdk
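Review bot: The runtime stage in the second hunk copies `/usr/jdk/` and `/staging/home/app` but never the `/staging/etc/passwd` and `/staging/etc/group` that the first hunk generates, so unless the runtime base image already defines it, the `app` account does not exist in the final temurin-8 image and `USER app` will fail to resolve; the msopenjdk-11 and -17 distroless files avoid this by copying all of `/staging/`. Add `COPY --from=installer /staging/etc/passwd /staging/etc/group /etc/` beside the new `COPY --chown=101:101` line, or copy `/staging/` wholesale as the other two files do. A numeric `USER 101` would still work, but `/home/app` would then belong to a uid with no name. As in the other images, no `USER` instruction precedes the `ENTRYPOINT`, so the container still starts as root.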
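Review bot: `tdnf install -y gawk shadow-utils` in the mariner-cm1 hunk runs in the final image, so both packages remain after the account exists, whereas the distroless files do this work in the installer stage that is discarded. shadow-utils typically ships setuid-root helpers (`passwd`, `chage`, `newgrp`, `gpasswd`), which is surface an image that only needs to run `java` does not need. If the base image does not already carry these packages, drop them in the same layer once the user is created by appending `&& tdnf remove -y gawk shadow-utils \` and `&& tdnf clean all` after the `install -d ... "/home/app"` line (and removing the earlier `tdnf clean all`); if it does, a short comment saying why gawk is needed here would save the next reader the question.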
@@ -20,4 +20,10 @@ RUN tdnf -y update && \
 java -Xshare:dump && \
 rm -rf /usr/lib/jvm/msopenjdk-17/lib/src.zip
-ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-17
\ No newline at end of file
+RUN tdnf install -y gawk shadow-utils \
+ && tdnf clean all \
+ && groupadd --system --gid=101 app \
+ && adduser --uid 101 --gid 101 --system app \
+ && install -d -m 0755 -o 101 -g 101 "/home/app"
+
+ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-17
diff --git a/docker/mariner/Dockerfile.msopenjdk-11-jdk b/docker/mariner/Dockerfile.msopenjdk-11-jdk
index 8eab6f7..df62c0e 100644
--- a/docker/mariner/Dockerfile.msopenjdk-11-jdk
+++ b/docker/mariner/Dockerfile.msopenjdk-11-jdk
@@ -17,4 +17,10 @@ RUN tdnf install -y --releasever=2.0 ${package} ${PKGS} && \
 java -Xshare:dump && \
 rm -rf /usr/lib/jvm/msopenjdk-11/lib/src.zip
+RUN tdnf install -y gawk shadow-utils \
+ && tdnf clean all \
+ && groupadd --system --gid=101 app \
+ && adduser --uid 101 --gid 101 --system app \
+ && install -d -m 0755 -o 101 -g 101 "/home/app"
+
 ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-11
diff --git a/docker/mariner/Dockerfile.msopenjdk-17-jdk b/docker/mariner/Dockerfile.msopenjdk-17-jdk
index 254fda6..9243740 100644
--- a/docker/mariner/Dockerfile.msopenjdk-17-jdk
+++ b/docker/mariner/Dockerfile.msopenjdk-17-jdk
@@ -17,4 +17,10 @@ RUN rpm -Uhv https://packages.microsoft.com/config/centos/7/packages-microsoft-p
 java -Xshare:dump && \
 rm -rf /usr/lib/jvm/msopenjdk-17/lib/src.zip
+RUN tdnf install -y gawk shadow-utils \
+ && tdnf clean all \
+ && groupadd --system --gid=101 app \
+ && adduser --uid 101 --gid 101 --system app \
+ && install -d -m 0755 -o 101 -g 101 "/home/app"
+
 ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-17
diff --git a/docker/mariner/Dockerfile.temurin-8-jdk b/docker/mariner/Dockerfile.temurin-8-jdk
index 7d40507..dc6cb63 100644
--- a/docker/mariner/Dockerfile.temurin-8-jdk
+++ b/docker/mariner/Dockerfile.temurin-8-jdk
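Review bot: `adduser --uid 101 --gid 101 --system app` in the mariner-cm1 msopenjdk-17 hunk passes no `--shell`, so the service account gets whatever default login shell useradd is configured with on this base (presumably `/bin/bash`), while the distroless files pass `--shell /bin/false`. A non-interactive account should not own a working shell; use `&& adduser --uid 101 --gid 101 --shell /sbin/nologin --system app \` (or `/bin/false` to match the distroless files exactly), and apply the same to the mariner hunks that follow. Here `adduser` appears to be shadow-utils' `useradd`, since shadow-utils is installed immediately before the call, so the long options are the ones the distroless files already use.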
@@ -15,4 +15,10 @@ RUN tdnf install -y ${JDK_PKG} ${PKGS} && \
 rm -rf /var/cache/tdnf && \
 rm -rf ./usr/lib/jvm/temurin-8-jdk/src.zip
+RUN tdnf install -y gawk shadow-utils \
+ && tdnf clean all \
+ && groupadd --system --gid=101 app \
+ && adduser --uid 101 --gid 101 --system app \
+ && install -d -m 0755 -o 101 -g 101 "/home/app"
+
 ENV JAVA_HOME=/usr/lib/jvm/temurin-8-jdk
diff --git a/docker/ubuntu/Dockerfile.msopenjdk-11-jdk b/docker/ubuntu/Dockerfile.msopenjdk-11-jdk
index c33d570..42e310d 100644
--- a/docker/ubuntu/Dockerfile.msopenjdk-11-jdk
+++ b/docker/ubuntu/Dockerfile.msopenjdk-11-jdk
@@ -25,6 +25,9 @@ RUN DEBIAN_FRONTEND=noninteractive && \
 java -Xshare:dump && \
 rm -rf ./usr/lib/jvm/msopenjdk-11-amd64/lib/src.zip
+RUN groupadd --system --gid=101 app \
+ && adduser --uid 101 --gid 101 --system app \
+ && install -d -m 0755 -o 101 -g 101 "/home/app"
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
diff --git a/docker/ubuntu/Dockerfile.msopenjdk-17-jdk b/docker/ubuntu/Dockerfile.msopenjdk-17-jdk
index 5e9cfe5..629c1f9 100644
--- a/docker/ubuntu/Dockerfile.msopenjdk-17-jdk
+++ b/docker/ubuntu/Dockerfile.msopenjdk-17-jdk
@@ -25,6 +25,10 @@ RUN DEBIAN_FRONTEND=noninteractive && \
 java -Xshare:dump && \
 rm -rf ./usr/lib/jvm/msopenjdk-17-amd64/lib/src.zip
+RUN groupadd --system --gid=101 app \
+ && adduser --uid 101 --gid 101 --system app \
+ && install -d -m 0755 -o 101 -g 101 "/home/app"
+
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-17-amd64
From 241e81e64cfa9a9857a61bf8b9c742711069535f Mon Sep 17 00:00:00 2001
From: Bruno Borges
Date: Tue, 29 Nov 2022 13:29:55 -0800
Subject: [PATCH 2/4] Create a staging directory.
---
 docker/distroless/Dockerfile.temurin-8-jdk | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docker/distroless/Dockerfile.temurin-8-jdk b/docker/distroless/Dockerfile.temurin-8-jdk
index df9741c..1ecd644 100644
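Review bot: The fixed `--uid 101 --gid 101` in the ubuntu msopenjdk-17 hunk falls inside the 100–999 range that Debian and Ubuntu hand out dynamically to system accounts, so a package already present in the base image, or pulled in with the JDK package, may own uid or gid 101; if it does, `groupadd`/`adduser` exit non-zero and the build stops, which is the right failure but an unexplained one. Add a comment next to `groupadd --system --gid=101 app` stating why 101 was chosen (the distroless hunks attribute it to the .NET images) and consider a CI check with `getent passwd 101` and `getent group 101` against the base. On this base `adduser` is Debian's wrapper rather than shadow's `useradd`, and with `--system` it should assign a nologin shell by default, so the missing `--shell` is not the problem it is on the Mariner hunks.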
--- a/docker/distroless/Dockerfile.temurin-8-jdk
+++ b/docker/distroless/Dockerfile.temurin-8-jdk
@@ -9,7 +9,8 @@ ARG PKGS="ca-certificates tzdata freetype"
 ARG JDK_URL="https://api.adoptium.net/v3/binary/latest/8/ga/linux/x64/jdk/hotspot/normal/eclipse?project=jdk"
 # Create a non-root user and group (just like .NET's image)
-RUN tdnf install -y gawk shadow-utils \
+RUN mkdir /staging \
+ && tdnf install -y gawk shadow-utils \
 && groupadd --system --gid=101 app \
 && adduser --uid 101 --gid 101 --shell /bin/false --system app \
 && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
From c910b6613b0e466a9454a21c1f2520e4d5fd62c5 Mon Sep 17 00:00:00 2001
From: Bruno Borges
Date: Tue, 29 Nov 2022 13:55:44 -0800
Subject: [PATCH 3/4] update versions in shell script
---
 build-all-images.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build-all-images.sh b/build-all-images.sh
index 3d8d395..9ff5c9f 100755
--- a/build-all-images.sh
+++ b/build-all-images.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Set expected JDK versions after the images are built
-declare -A jdkversions=( ["11"]="11.0.15" ["17"]="17.0.3" ["8"]="1.8.0_332" )
+declare -A jdkversions=( ["11"]="11.0.17" ["17"]="17.0.5" ["8"]="1.8.0_352" )
 # Set the base MCR repo
 basemcr="mcr.microsoft.com/openjdk/jdk"
From c6a3cc3292708be02f180c50ba4400b6dfcad8d7 Mon Sep 17 00:00:00 2001
From: Bruno Borges
Date: Tue, 29 Nov 2022 14:01:36 -0800
Subject: [PATCH 4/4] create subdirectory etc in /staging
---
 docker/distroless/Dockerfile.temurin-8-jdk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/distroless/Dockerfile.temurin-8-jdk b/docker/distroless/Dockerfile.temurin-8-jdk
index 1ecd644..675e8b7 100644
--- a/docker/distroless/Dockerfile.temurin-8-jdk
+++ b/docker/distroless/Dockerfile.temurin-8-jdk
@@ -9,7 +9,7 @@ ARG PKGS="ca-certificates tzdata freetype"
 ARG JDK_URL="https://api.adoptium.net/v3/binary/latest/8/ga/linux/x64/jdk/hotspot/normal/eclipse?project=jdk"
 # Create a non-root user and group (just like .NET's image)
-RUN mkdir /staging \
+RUN mkdir -p /staging/etc/ \
 && tdnf install -y gawk shadow-utils \
 && groupadd --system --gid=101 app \
 && adduser --uid 101 --gid 101 --shell /bin/false --system app \