JRE version with jib (Docker)

Asked 5/5, 2019 at 11:53 Answered 5/5, 2019 at 13:23

I'm trying to get my head around building Docker images with Google's Jib project and Jib Maven Plugin.

I don't understand how to specify the JRE version.

I understand I can customize in the plugin's config, something like:

<configuration>
  <from>
    <image>gcr.io/distroless/java</image>
  </from>
</configuration>

but what does that mean in terms of the actual JRE version which will be used ? What if I want say specifically JRE 8u172 ?

The Jib project states this as a feature:

Reproducible - Rebuilding your container image with the same contents always generates the same image.

therefore I'm assuming there must be some way to lock down the JRE version?

Level: Advanced on Java and Maven, newbie on everything Docker.

Seismography answered 5/5, 2019 at 11:53 Comment(0)

Availability of 8u172 depends on whether the distributor has created a build image of that version.

java building version is not managed with docker image tags with gcr.io/distroless/java.
Currently gcr.io/distroless/java:8, it was 8u212 as below.

https://console.cloud.google.com/gcr/images/distroless/GLOBAL/java?gcrImageListsize=30

~ $ docker run -it --rm  --entrypoint java  gcr.io/distroless/java:8 -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-8u212-b01-1~deb9u1-b01)
OpenJDK 64-Bit Server VM (build 25.212-b01, mixed mode)
~ $

If you want to specify to java build version, I suggest using AdroptOpenJDK.

e.g.

<configuration>
  <from>
    <image>adoptopenjdk/openjdk8:jdk8u172-b11</image>
  </from>
</configuration>

If you can use 8u171, you can select openjdk.

<configuration>
  <from>
    <image>openjdk:8u171-jre</image>
  </from>
</configuration>

Culch answered 5/5, 2019 at 13:23 Comment(4)

Very good answer. I've arrived at the same conclusion: since Google's "distroless" docker images do not contain sufficient version tags there's no way to do reproducable builds. So not a deficiency in Jib as such except that this project advocates use of Google's distroless docker images. – Seismography 5/5, 2019 at 13:40

Ahh. I'm not the first one to notice this. There are several Github issues on the matter. I found this sentence "Since Docker tags aren't immutable they aren't really suitable to pin to a specific version. If you want reproducibility, you really need to reference the SHA1 as the distroless base image updates fairly often, which cascades through the other images." here. – Seismography 5/5, 2019 at 13:47

I see.I checked github.com/GoogleContainerTools/jib/issues/1360. distroless does not provide a build version of 8u172. The 8u171 version was in the repository. gcr.io/distroless/java@sha256: 8d00c1a8067379ec6876d881ec03f516d5a63ae2335c9a4e53b930f2a93c04b4 – Culch 5/5, 2019 at 14:28

If you want to always completly same image , it is better to use an image by your managed private repository. – Culch 5/5, 2019 at 14:29

You probably want to use a base image with java preinstalled. every docker image contains tag(s), which are like versions. if you don't specify tag like you did above, then the latest is taken and that can lead to unexpected change of java version.

For example you can use opendjk image with java version 8u212 by using openjdk:8u212-jre-stretch. and in OpenJDK Docker Hub you can see the list of all available tags

Ablate answered 5/5, 2019 at 13:19 Comment(0)

Recommended topics

Hot tags