stackabletech · NickLarsenNZ · Oct 15, 2024 · Oct 14, 2024 · Oct 14, 2024 · Oct 14, 2024
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+nix/** linguist-generated
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,8 +27,9 @@ All notable changes to this project will be documented in this file.
 
 - ci: Rename local actions, adjust action inputs and outputs, add definition
   README file ([#819]).
-- Update cargo-cyclonedx to 0.5.5 and build CycloneDX 1.5 files ([#783])
-- Enable [Docker build checks](https://docs.docker.com/build/checks/) ([#872])
+- Update cargo-cyclonedx to 0.5.5 and build CycloneDX 1.5 files ([#783]).
+- Enable [Docker build checks](https://docs.docker.com/build/checks/) ([#872]).
+- java: migrate to temurin jdk/jre ([#894]).
 
 ### Removed
 
@@ -78,6 +79,7 @@ All notable changes to this project will be documented in this file.
 [#880]: https://github.com/stackabletech/docker-images/pull/880
 [#881]: https://github.com/stackabletech/docker-images/pull/881
 [#882]: https://github.com/stackabletech/docker-images/pull/882
+[#894]: https://github.com/stackabletech/docker-images/pull/894
 
 ## [24.7.0] - 2024-07-24
 

diff --git a/hive/versions.py b/hive/versions.py
@@ -4,7 +4,7 @@
         "jmx_exporter": "1.0.1",
         # Hive 4 must be built with Java 8 (according to GitHub README) but seems to run on Java 11
         "java-base": "11",
-        "java-devel": "1.8.0",
+        "java-devel": "8",
         "hadoop": "3.3.6",
         # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.3.6
         "aws_java_sdk_bundle": "1.12.367",
@@ -16,7 +16,7 @@
         "jmx_exporter": "1.0.1",
         # Hive 3 must be built with Java 8 but will run on Java 11
         "java-base": "11",
-        "java-devel": "1.8.0",
+        "java-devel": "8",
         "hadoop": "3.3.6",
         # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.3.6
         "aws_java_sdk_bundle": "1.12.367",

diff --git a/java-base/Dockerfile b/java-base/Dockerfile
@@ -17,13 +17,20 @@ LABEL name="Stackable image for OpenJDK" \
     summary="The Stackable OpenJDK base image." \
     description="This image is the base image for all Stackable Java product images."
 
-# We need to use EPEL, as openjdk 22 is not shipped with UBI9
-RUN rpm --install --replacepkgs https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
+# See: https://adoptium.net/en-gb/installation/linux/#_centosrhelfedora_instructions
+RUN cat <<EOF > /etc/yum.repos.d/adoptium.repo
+[Adoptium]
+name=Adoptium
+baseurl=https://packages.adoptium.net/artifactory/rpm/rhel/\$releasever/\$basearch
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.adoptium.net/artifactory/api/gpg/key/public
+EOF
 
 RUN microdnf update && \
     microdnf install \
-    # Obviously needed to run Java programs
-    java-${PRODUCT}-openjdk-headless \
+    # Needed to run Java programs
+    "temurin-${PRODUCT}-jre" \
     # Needed, because otherwise e.g. Zookeeper fails with
     # Caused by: java.io.FileNotFoundException: /usr/lib/jvm/java-11-openjdk-11.0.20.0.8-2.el8.x86_64/lib/tzdb.dat (No such file or directory)
     tzdata-java \
@@ -34,7 +41,7 @@ RUN microdnf update && \
 
 COPY java-base/licenses /licenses
 
-ENV JAVA_HOME=/usr/lib/jvm/jre-${PRODUCT}
+ENV JAVA_HOME="/usr/lib/jvm/temurin-${PRODUCT}-jre"
 
 # This image doesn't include the development packages for Java.
 # For images that need the devel package (ex. Spark) use this env variable to

diff --git a/java-base/versions.py b/java-base/versions.py
@@ -1,6 +1,6 @@
 versions = [
     {
-        "product": "1.8.0",
+        "product": "8",
         "vector": "0.41.1",
     },
     {

diff --git a/java-devel/Dockerfile b/java-devel/Dockerfile
@@ -9,8 +9,15 @@ FROM stackable/image/stackable-base
 
 ARG PRODUCT
 
-# We need to use EPEL, as openjdk 22 is not shipped with UBI9
-RUN rpm --install --replacepkgs https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
+# See: https://adoptium.net/en-gb/installation/linux/#_centosrhelfedora_instructions
+RUN cat <<EOF > /etc/yum.repos.d/adoptium.repo
+[Adoptium]
+name=Adoptium
+baseurl=https://packages.adoptium.net/artifactory/rpm/rhel/\$releasever/\$basearch
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.adoptium.net/artifactory/api/gpg/key/public
+EOF
 
 RUN microdnf update && \
     microdnf install -y \
@@ -27,9 +34,10 @@ RUN microdnf update && \
     gettext \
     # For the apply_patches.sh script
     git \
-    # needed by the maven ant run plugin for the "set-hostname-property" step in zookeeper
+    # Needed by the maven ant run plugin for the "set-hostname-property" step in zookeeper
     hostname \
-    java-"${PRODUCT}"-openjdk-devel \
+    # Needed for compiling Java projects
+    "temurin-${PRODUCT}-jdk" \
     krb5-devel \
     libcurl-devel \
     make \
@@ -46,7 +54,7 @@ RUN microdnf update && \
     microdnf clean all && \
     rm -rf /var/cache/yum
 
-ENV JAVA_HOME=/usr/lib/jvm/jre-${PRODUCT}
+ENV JAVA_HOME="/usr/lib/jvm/temurin-${PRODUCT}-jdk"
 
 COPY --chown=stackable:0 java-devel/stackable/settings.xml /stackable/.m2/settings.xml
 

diff --git a/java-devel/versions.py b/java-devel/versions.py
@@ -1,6 +1,6 @@
 versions = [
     {
-        "product": "1.8.0",
+        "product": "8",
         "stackable-base": "1.0.0",
     },
     {

diff --git a/nix/sources.json b/nix/sources.json
diff --git a/nix/sources.nix b/nix/sources.nix
diff --git a/opa/Dockerfile b/opa/Dockerfile
@@ -9,7 +9,6 @@ ARG BUNDLE_BUILDER_VERSION
 RUN microdnf update \
   && microdnf install \
     cmake \
-    findutils \
     gcc \
     gcc-c++ \
     git \

diff --git a/shell.nix b/shell.nix
@@ -0,0 +1,13 @@
+{ sources ? import ./nix/sources.nix
+, nixpkgs ? sources.nixpkgs
+, pkgs ? import nixpkgs { }
+}:
+
+let
+  bake = pkgs.callPackage (sources.image-tools + "/image-tools.nix") { };
+in
+pkgs.mkShell {
+  packages = with pkgs; [
+    bake
+  ];
+}
diff --git a/stackable-base/Dockerfile b/stackable-base/Dockerfile
@@ -80,6 +80,12 @@ COPY stackable-base/stackable/curlrc /root/.curlrc
 RUN <<EOF
 microdnf update
 
+# **findutils**
+# Needed to find all patch files, used in `apply_patches.sh`, and helpful for debugging
+# Added 2024-10: Last vulnerability in 2007, only two vulnerabilities in total, a risk we accept
+# https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Agnu&cpe_product=cpe%3A%2F%3Agnu%3Afindutils
+# cpe:2.3:a:gnu:findutils:*:*:*:*:*:*:*:*
+#
 # **iputils**
 # To make debugging easier, includes things like ping
 # Added 2024-03: We cannot find any vulnerabilities in the past years
@@ -103,6 +109,7 @@ microdnf update
 # https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agnu%3Atar%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*
 # cpe:2.3:a:gnu:tar:-:*:*:*:*:*:*:*
 microdnf install \
+  findutils \
   iputils \
   less \
   nano \