diff --git a/17/jdk/ubuntu/oracular/Dockerfile b/17/jdk/ubuntu/oracular/Dockerfile
new file mode 100644
index 000000000..4ccbc52b4
--- /dev/null
+++ b/17/jdk/ubuntu/oracular/Dockerfile
@@ -0,0 +1,92 @@ +# ------------------------------------------------------------------------------ +# NOTE: THIS DOCKERFILE IS GENERATED VIA "generate_dockerfiles.py" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# ------------------------------------------------------------------------------ +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +FROM ubuntu:oracular + +ENV JAVA_HOME /opt/java/openjdk +ENV PATH $JAVA_HOME/bin:$PATH + +# Default to UTF-8 file.encoding +ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' + +RUN set -eux; \ + apt-get update; \ + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + # curl required for historical reasons, see https://github.com/adoptium/containers/issues/255 + curl \ + wget \ + # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory + # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager + # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 + fontconfig \ + # utilities for keeping Ubuntu and OpenJDK CA certificates in sync + # https://github.com/adoptium/containers/issues/293 + ca-certificates p11-kit \ + # jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351 + # Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory + binutils \ + tzdata \ + # locales ensures proper character encoding and 
locale-specific behaviors using en_US.UTF-8 + locales \ + ; \ + echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen; \ + locale-gen en_US.UTF-8; \ + rm -rf /var/lib/apt/lists/* + +ENV JAVA_VERSION jdk-17.0.11+9 + +RUN set -eux; \ + ARCH="$(dpkg --print-architecture)"; \ + case "${ARCH}" in \ + riscv64) \ + ESUM='f54c301e3ed3250b3f11cb06eeb799e4aa871477b1ce8bf9fec9fee8ce6beb96'; \ + BINARY_URL='https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.11%2B9/OpenJDK17U-jdk_riscv64_linux_hotspot_17.0.11_9.tar.gz'; \ + ;; \ + *) \ + echo "Unsupported arch: ${ARCH}"; \ + exit 1; \ + ;; \ + esac; \ + wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; \ + echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \ + mkdir -p "$JAVA_HOME"; \ + tar --extract \ + --file /tmp/openjdk.tar.gz \ + --directory "$JAVA_HOME" \ + --strip-components 1 \ + --no-same-owner \ + ; \ + rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip; \ + # https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472 + find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ + ldconfig; \ + # https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 + # https://openjdk.java.net/jeps/341 + java -Xshare:dump; + +RUN set -eux; \ + echo "Verifying install ..."; \ + fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ + echo "javac --version"; javac --version; \ + echo "java --version"; java --version; \ + echo "Complete." +COPY entrypoint.sh /__cacert_entrypoint.sh +ENTRYPOINT ["/__cacert_entrypoint.sh"] + +CMD ["jshell"] diff --git a/17/jdk/ubuntu/oracular/entrypoint.sh b/17/jdk/ubuntu/oracular/entrypoint.sh new file mode 100755 index 000000000..0a5c75c36 --- /dev/null +++ b/17/jdk/ubuntu/oracular/entrypoint.sh 
@@ -0,0 +1,89 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# JDK truststore location
+CACERT=$JAVA_HOME/lib/security/cacerts
+
+# JDK8 puts its JRE in a subdirectory
+if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+fi
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ if [ ! -w /tmp ]; then
+ echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore."
+ exit 1
+ fi
+
+ # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not,
+ # we'll use a temporary truststore.
+ if [ ! -w "$CACERT" ]; then
+ # We cannot write to the JVM truststore, so we create a temporary one
+ CACERT_NEW=$(mktemp)
+ echo "Using a temporary truststore at $CACERT_NEW"
+ cp $CACERT $CACERT_NEW
+ CACERT=$CACERT_NEW
+ # If we use a custom truststore, we need to make sure that the JVM uses it
+ export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit"
+ fi
+
+ tmp_store=$(mktemp)
+
+ # Copy full system CA store to a temporary location
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store"
+
+ # Add the system CA certificates to the JVM truststore.
+ keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null
+
+ # Import the additional certificate into JVM truststore
+ for i in /certificates/*crt; do
+ if [ ! -f "$i" ]; then
+ continue
+ fi
+ keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null
+ done
+
+ # Add additional certificates to the system CA store. This requires write permissions to several system
+ # locations, which is not possible in a container with read-only filesystem and/or non-root container.
+ if [ "$(id -u)" -eq 0 ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates 2>/dev/null)" ]; then
+
+ # UBI
+ if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
+ cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ # Ubuntu/Alpine
+ if [ -d /usr/local/share/ca-certificates/ ]; then
+ cp -La /certificates/* /usr/local/share/ca-certificates/
+ fi
+ fi
+
+ # UBI
+ if which update-ca-trust >/dev/null; then
+ update-ca-trust
+ fi
+
+ # Ubuntu/Alpine
+ if which update-ca-certificates >/dev/null; then
+ update-ca-certificates
+ fi
+ else
+ # If we are not root, we cannot update the system truststore. That's bad news for tools like `curl` and `wget`,
+ # but since the JVM is the primary focus here, we can live with that.
+ true
+ fi
+fi
+
+# Let's provide a variable with the correct path for tools that want or need to use it
+export CACERT
+
+exec "$@"
diff --git a/17/jre/ubuntu/oracular/Dockerfile b/17/jre/ubuntu/oracular/Dockerfile
new file mode 100644
index 000000000..cdd63d378
--- /dev/null
+++ b/17/jre/ubuntu/oracular/Dockerfile
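Review bot: `tmp_store=$(mktemp)` is filled by `trust extract` and never removed, so every start with `USE_SYSTEM_CA_CERTS` set leaves an extra keystore file in /tmp; the script ends in `exec "$@"`, so an EXIT trap would not fire and the cleanup has to be explicit, e.g. `rm -f "$tmp_store"` right after the `keytool -importkeystore` line. In the read-only-truststore branch `cp $CACERT $CACERT_NEW` is unquoted, so a `JAVA_HOME` or `TMPDIR` containing whitespace splits into extra arguments; `cp -- "$CACERT" "$CACERT_NEW"` avoids that. The loop glob `/certificates/*crt` is wider than the `.crt` suffix that `basename "$i" .crt` strips, so `/certificates/*.crt` would match what the alias logic expects. The identical file (blob 0a5c75c36) is also added under 17/jre, 21/jdk, 21/jre and 22/jdk, so the same points apply to those hunks.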
@@ -0,0 +1,85 @@ +# ------------------------------------------------------------------------------ +# NOTE: THIS DOCKERFILE IS GENERATED VIA "generate_dockerfiles.py" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# ------------------------------------------------------------------------------ +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +FROM ubuntu:oracular + +ENV JAVA_HOME /opt/java/openjdk +ENV PATH $JAVA_HOME/bin:$PATH + +# Default to UTF-8 file.encoding +ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' + +RUN set -eux; \ + apt-get update; \ + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + # curl required for historical reasons, see https://github.com/adoptium/containers/issues/255 + curl \ + wget \ + # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory + # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager + # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 + fontconfig \ + # utilities for keeping Ubuntu and OpenJDK CA certificates in sync + # https://github.com/adoptium/containers/issues/293 + ca-certificates p11-kit \ + tzdata \ + # locales ensures proper character encoding and locale-specific behaviors using en_US.UTF-8 + locales \ + ; \ + echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen; \ + locale-gen en_US.UTF-8; \ + rm -rf /var/lib/apt/lists/* + +ENV JAVA_VERSION jdk-17.0.11+9 + +RUN 
set -eux; \ + ARCH="$(dpkg --print-architecture)"; \ + case "${ARCH}" in \ + riscv64) \ + ESUM='e814bfe176ee1d1dc8054571070a0f98fc6a87477382d84df7c6bed27622f97e'; \ + BINARY_URL='https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.11%2B9/OpenJDK17U-jre_riscv64_linux_hotspot_17.0.11_9.tar.gz'; \ + ;; \ + *) \ + echo "Unsupported arch: ${ARCH}"; \ + exit 1; \ + ;; \ + esac; \ + wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; \ + echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \ + mkdir -p "$JAVA_HOME"; \ + tar --extract \ + --file /tmp/openjdk.tar.gz \ + --directory "$JAVA_HOME" \ + --strip-components 1 \ + --no-same-owner \ + ; \ + rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip; \ + # https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472 + find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ + ldconfig; \ + # https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 + # https://openjdk.java.net/jeps/341 + java -Xshare:dump; + +RUN set -eux; \ + echo "Verifying install ..."; \ + echo "java --version"; java --version; \ + echo "Complete." +COPY entrypoint.sh /__cacert_entrypoint.sh +ENTRYPOINT ["/__cacert_entrypoint.sh"] diff --git a/17/jre/ubuntu/oracular/entrypoint.sh b/17/jre/ubuntu/oracular/entrypoint.sh new file mode 100755 index 000000000..0a5c75c36 --- /dev/null +++ b/17/jre/ubuntu/oracular/entrypoint.sh 
@@ -0,0 +1,89 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# JDK truststore location
+CACERT=$JAVA_HOME/lib/security/cacerts
+
+# JDK8 puts its JRE in a subdirectory
+if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+fi
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ if [ ! -w /tmp ]; then
+ echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore."
+ exit 1
+ fi
+
+ # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not,
+ # we'll use a temporary truststore.
+ if [ ! -w "$CACERT" ]; then
+ # We cannot write to the JVM truststore, so we create a temporary one
+ CACERT_NEW=$(mktemp)
+ echo "Using a temporary truststore at $CACERT_NEW"
+ cp $CACERT $CACERT_NEW
+ CACERT=$CACERT_NEW
+ # If we use a custom truststore, we need to make sure that the JVM uses it
+ export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit"
+ fi
+
+ tmp_store=$(mktemp)
+
+ # Copy full system CA store to a temporary location
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store"
+
+ # Add the system CA certificates to the JVM truststore.
+ keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null
+
+ # Import the additional certificate into JVM truststore
+ for i in /certificates/*crt; do
+ if [ ! -f "$i" ]; then
+ continue
+ fi
+ keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null
+ done
+
+ # Add additional certificates to the system CA store. This requires write permissions to several system
+ # locations, which is not possible in a container with read-only filesystem and/or non-root container.
+ if [ "$(id -u)" -eq 0 ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates 2>/dev/null)" ]; then
+
+ # UBI
+ if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
+ cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ # Ubuntu/Alpine
+ if [ -d /usr/local/share/ca-certificates/ ]; then
+ cp -La /certificates/* /usr/local/share/ca-certificates/
+ fi
+ fi
+
+ # UBI
+ if which update-ca-trust >/dev/null; then
+ update-ca-trust
+ fi
+
+ # Ubuntu/Alpine
+ if which update-ca-certificates >/dev/null; then
+ update-ca-certificates
+ fi
+ else
+ # If we are not root, we cannot update the system truststore. That's bad news for tools like `curl` and `wget`,
+ # but since the JVM is the primary focus here, we can live with that.
+ true
+ fi
+fi
+
+# Let's provide a variable with the correct path for tools that want or need to use it
+export CACERT
+
+exec "$@"
diff --git a/21/jdk/ubuntu/oracular/Dockerfile b/21/jdk/ubuntu/oracular/Dockerfile
new file mode 100644
index 000000000..65fdcf9d6
--- /dev/null
+++ b/21/jdk/ubuntu/oracular/Dockerfile
@@ -0,0 +1,92 @@ +# ------------------------------------------------------------------------------ +# NOTE: THIS DOCKERFILE IS GENERATED VIA "generate_dockerfiles.py" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# ------------------------------------------------------------------------------ +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +FROM ubuntu:oracular + +ENV JAVA_HOME /opt/java/openjdk +ENV PATH $JAVA_HOME/bin:$PATH + +# Default to UTF-8 file.encoding +ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' + +RUN set -eux; \ + apt-get update; \ + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + # curl required for historical reasons, see https://github.com/adoptium/containers/issues/255 + curl \ + wget \ + # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory + # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager + # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 + fontconfig \ + # utilities for keeping Ubuntu and OpenJDK CA certificates in sync + # https://github.com/adoptium/containers/issues/293 + ca-certificates p11-kit \ + # jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351 + # Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory + binutils \ + tzdata \ + # locales ensures proper character encoding and 
locale-specific behaviors using en_US.UTF-8 + locales \ + ; \ + echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen; \ + locale-gen en_US.UTF-8; \ + rm -rf /var/lib/apt/lists/* + +ENV JAVA_VERSION jdk-21.0.3+9 + +RUN set -eux; \ + ARCH="$(dpkg --print-architecture)"; \ + case "${ARCH}" in \ + riscv64) \ + ESUM='246acb1db3ef69a7e3328fa378513b2e606e64710626ae8dd29decc0e525359b'; \ + BINARY_URL='https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.3%2B9/OpenJDK21U-jdk_riscv64_linux_hotspot_21.0.3_9.tar.gz'; \ + ;; \ + *) \ + echo "Unsupported arch: ${ARCH}"; \ + exit 1; \ + ;; \ + esac; \ + wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; \ + echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \ + mkdir -p "$JAVA_HOME"; \ + tar --extract \ + --file /tmp/openjdk.tar.gz \ + --directory "$JAVA_HOME" \ + --strip-components 1 \ + --no-same-owner \ + ; \ + rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip; \ + # https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472 + find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ + ldconfig; \ + # https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 + # https://openjdk.java.net/jeps/341 + java -Xshare:dump; + +RUN set -eux; \ + echo "Verifying install ..."; \ + fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ + echo "javac --version"; javac --version; \ + echo "java --version"; java --version; \ + echo "Complete." +COPY entrypoint.sh /__cacert_entrypoint.sh +ENTRYPOINT ["/__cacert_entrypoint.sh"] + +CMD ["jshell"] diff --git a/21/jdk/ubuntu/oracular/entrypoint.sh b/21/jdk/ubuntu/oracular/entrypoint.sh new file mode 100755 index 000000000..0a5c75c36 --- /dev/null +++ b/21/jdk/ubuntu/oracular/entrypoint.sh 
@@ -0,0 +1,89 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# JDK truststore location
+CACERT=$JAVA_HOME/lib/security/cacerts
+
+# JDK8 puts its JRE in a subdirectory
+if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+fi
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ if [ ! -w /tmp ]; then
+ echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore."
+ exit 1
+ fi
+
+ # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not,
+ # we'll use a temporary truststore.
+ if [ ! -w "$CACERT" ]; then
+ # We cannot write to the JVM truststore, so we create a temporary one
+ CACERT_NEW=$(mktemp)
+ echo "Using a temporary truststore at $CACERT_NEW"
+ cp $CACERT $CACERT_NEW
+ CACERT=$CACERT_NEW
+ # If we use a custom truststore, we need to make sure that the JVM uses it
+ export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit"
+ fi
+
+ tmp_store=$(mktemp)
+
+ # Copy full system CA store to a temporary location
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store"
+
+ # Add the system CA certificates to the JVM truststore.
+ keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null
+
+ # Import the additional certificate into JVM truststore
+ for i in /certificates/*crt; do
+ if [ ! -f "$i" ]; then
+ continue
+ fi
+ keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null
+ done
+
+ # Add additional certificates to the system CA store. This requires write permissions to several system
+ # locations, which is not possible in a container with read-only filesystem and/or non-root container.
+ if [ "$(id -u)" -eq 0 ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates 2>/dev/null)" ]; then
+
+ # UBI
+ if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
+ cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ # Ubuntu/Alpine
+ if [ -d /usr/local/share/ca-certificates/ ]; then
+ cp -La /certificates/* /usr/local/share/ca-certificates/
+ fi
+ fi
+
+ # UBI
+ if which update-ca-trust >/dev/null; then
+ update-ca-trust
+ fi
+
+ # Ubuntu/Alpine
+ if which update-ca-certificates >/dev/null; then
+ update-ca-certificates
+ fi
+ else
+ # If we are not root, we cannot update the system truststore. That's bad news for tools like `curl` and `wget`,
+ # but since the JVM is the primary focus here, we can live with that.
+ true
+ fi
+fi
+
+# Let's provide a variable with the correct path for tools that want or need to use it
+export CACERT
+
+exec "$@"
diff --git a/21/jre/ubuntu/oracular/Dockerfile b/21/jre/ubuntu/oracular/Dockerfile
new file mode 100644
index 000000000..7e5d0b6a5
--- /dev/null
+++ b/21/jre/ubuntu/oracular/Dockerfile
@@ -0,0 +1,85 @@ +# ------------------------------------------------------------------------------ +# NOTE: THIS DOCKERFILE IS GENERATED VIA "generate_dockerfiles.py" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# ------------------------------------------------------------------------------ +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +FROM ubuntu:oracular + +ENV JAVA_HOME /opt/java/openjdk +ENV PATH $JAVA_HOME/bin:$PATH + +# Default to UTF-8 file.encoding +ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' + +RUN set -eux; \ + apt-get update; \ + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + # curl required for historical reasons, see https://github.com/adoptium/containers/issues/255 + curl \ + wget \ + # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory + # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager + # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 + fontconfig \ + # utilities for keeping Ubuntu and OpenJDK CA certificates in sync + # https://github.com/adoptium/containers/issues/293 + ca-certificates p11-kit \ + tzdata \ + # locales ensures proper character encoding and locale-specific behaviors using en_US.UTF-8 + locales \ + ; \ + echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen; \ + locale-gen en_US.UTF-8; \ + rm -rf /var/lib/apt/lists/* + +ENV JAVA_VERSION jdk-21.0.3+9 + +RUN 
set -eux; \ + ARCH="$(dpkg --print-architecture)"; \ + case "${ARCH}" in \ + riscv64) \ + ESUM='83cae236bf823b6d6525a255f1e4ebd7bdb2e40e3778d1eb4d34b43478a680f9'; \ + BINARY_URL='https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.3%2B9/OpenJDK21U-jre_riscv64_linux_hotspot_21.0.3_9.tar.gz'; \ + ;; \ + *) \ + echo "Unsupported arch: ${ARCH}"; \ + exit 1; \ + ;; \ + esac; \ + wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; \ + echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \ + mkdir -p "$JAVA_HOME"; \ + tar --extract \ + --file /tmp/openjdk.tar.gz \ + --directory "$JAVA_HOME" \ + --strip-components 1 \ + --no-same-owner \ + ; \ + rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip; \ + # https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472 + find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ + ldconfig; \ + # https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 + # https://openjdk.java.net/jeps/341 + java -Xshare:dump; + +RUN set -eux; \ + echo "Verifying install ..."; \ + echo "java --version"; java --version; \ + echo "Complete." +COPY entrypoint.sh /__cacert_entrypoint.sh +ENTRYPOINT ["/__cacert_entrypoint.sh"] diff --git a/21/jre/ubuntu/oracular/entrypoint.sh b/21/jre/ubuntu/oracular/entrypoint.sh new file mode 100755 index 000000000..0a5c75c36 --- /dev/null +++ b/21/jre/ubuntu/oracular/entrypoint.sh 
@@ -0,0 +1,89 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# JDK truststore location
+CACERT=$JAVA_HOME/lib/security/cacerts
+
+# JDK8 puts its JRE in a subdirectory
+if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+fi
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ if [ ! -w /tmp ]; then
+ echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore."
+ exit 1
+ fi
+
+ # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not,
+ # we'll use a temporary truststore.
+ if [ ! -w "$CACERT" ]; then
+ # We cannot write to the JVM truststore, so we create a temporary one
+ CACERT_NEW=$(mktemp)
+ echo "Using a temporary truststore at $CACERT_NEW"
+ cp $CACERT $CACERT_NEW
+ CACERT=$CACERT_NEW
+ # If we use a custom truststore, we need to make sure that the JVM uses it
+ export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit"
+ fi
+
+ tmp_store=$(mktemp)
+
+ # Copy full system CA store to a temporary location
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store"
+
+ # Add the system CA certificates to the JVM truststore.
+ keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null
+
+ # Import the additional certificate into JVM truststore
+ for i in /certificates/*crt; do
+ if [ ! -f "$i" ]; then
+ continue
+ fi
+ keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null
+ done
+
+ # Add additional certificates to the system CA store. This requires write permissions to several system
+ # locations, which is not possible in a container with read-only filesystem and/or non-root container.
+ if [ "$(id -u)" -eq 0 ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates 2>/dev/null)" ]; then
+
+ # UBI
+ if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
+ cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ # Ubuntu/Alpine
+ if [ -d /usr/local/share/ca-certificates/ ]; then
+ cp -La /certificates/* /usr/local/share/ca-certificates/
+ fi
+ fi
+
+ # UBI
+ if which update-ca-trust >/dev/null; then
+ update-ca-trust
+ fi
+
+ # Ubuntu/Alpine
+ if which update-ca-certificates >/dev/null; then
+ update-ca-certificates
+ fi
+ else
+ # If we are not root, we cannot update the system truststore. That's bad news for tools like `curl` and `wget`,
+ # but since the JVM is the primary focus here, we can live with that.
+ true
+ fi
+fi
+
+# Let's provide a variable with the correct path for tools that want or need to use it
+export CACERT
+
+exec "$@"
diff --git a/22/jdk/ubuntu/oracular/Dockerfile b/22/jdk/ubuntu/oracular/Dockerfile
new file mode 100644
index 000000000..444aba5bd
--- /dev/null
+++ b/22/jdk/ubuntu/oracular/Dockerfile
@@ -0,0 +1,90 @@ +# ------------------------------------------------------------------------------ +# NOTE: THIS DOCKERFILE IS GENERATED VIA "generate_dockerfiles.py" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# ------------------------------------------------------------------------------ +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +FROM ubuntu:oracular + +ENV JAVA_HOME /opt/java/openjdk +ENV PATH $JAVA_HOME/bin:$PATH + +# Default to UTF-8 file.encoding +ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' + +RUN set -eux; \ + apt-get update; \ + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + wget \ + # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory + # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager + # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 + fontconfig \ + # utilities for keeping Ubuntu and OpenJDK CA certificates in sync + # https://github.com/adoptium/containers/issues/293 + ca-certificates p11-kit \ + # jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351 + # Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory + binutils \ + tzdata \ + # locales ensures proper character encoding and locale-specific behaviors using en_US.UTF-8 + locales \ + ; \ + echo "en_US.UTF-8 UTF-8" >> 
/etc/locale.gen; \ + locale-gen en_US.UTF-8; \ + rm -rf /var/lib/apt/lists/* + +ENV JAVA_VERSION jdk-22.0.1+8 + +RUN set -eux; \ + ARCH="$(dpkg --print-architecture)"; \ + case "${ARCH}" in \ + riscv64) \ + ESUM='767bbe2b9581272b6ac435b8c62bb1c079041d6ff2a1c39552d4403b4d7170f5'; \ + BINARY_URL='https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22.0.1%2B8/OpenJDK22U-jdk_riscv64_linux_hotspot_22.0.1_8.tar.gz'; \ + ;; \ + *) \ + echo "Unsupported arch: ${ARCH}"; \ + exit 1; \ + ;; \ + esac; \ + wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; \ + echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \ + mkdir -p "$JAVA_HOME"; \ + tar --extract \ + --file /tmp/openjdk.tar.gz \ + --directory "$JAVA_HOME" \ + --strip-components 1 \ + --no-same-owner \ + ; \ + rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip; \ + # https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472 + find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ + ldconfig; \ + # https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 + # https://openjdk.java.net/jeps/341 + java -Xshare:dump; + +RUN set -eux; \ + echo "Verifying install ..."; \ + fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ + echo "javac --version"; javac --version; \ + echo "java --version"; java --version; \ + echo "Complete." +COPY entrypoint.sh /__cacert_entrypoint.sh +ENTRYPOINT ["/__cacert_entrypoint.sh"] + +CMD ["jshell"] diff --git a/22/jdk/ubuntu/oracular/entrypoint.sh b/22/jdk/ubuntu/oracular/entrypoint.sh new file mode 100755 index 000000000..0a5c75c36 --- /dev/null +++ b/22/jdk/ubuntu/oracular/entrypoint.sh 
@@ -0,0 +1,89 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# JDK truststore location
+CACERT=$JAVA_HOME/lib/security/cacerts
+
+# JDK8 puts its JRE in a subdirectory
+if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+fi
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ if [ ! -w /tmp ]; then
+ echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore."
+ exit 1
+ fi
+
+ # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not,
+ # we'll use a temporary truststore.
+ if [ ! -w "$CACERT" ]; then
+ # We cannot write to the JVM truststore, so we create a temporary one
+ CACERT_NEW=$(mktemp)
+ echo "Using a temporary truststore at $CACERT_NEW"
+ cp $CACERT $CACERT_NEW
+ CACERT=$CACERT_NEW
+ # If we use a custom truststore, we need to make sure that the JVM uses it
+ export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit"
+ fi
+
+ tmp_store=$(mktemp)
+
+ # Copy full system CA store to a temporary location
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store"
+
+ # Add the system CA certificates to the JVM truststore.
+ keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null
+
+ # Import the additional certificate into JVM truststore
+ for i in /certificates/*crt; do
+ if [ ! -f "$i" ]; then
+ continue
+ fi
+ keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null
+ done
+
+ # Add additional certificates to the system CA store. This requires write permissions to several system
+ # locations, which is not possible in a container with read-only filesystem and/or non-root container.
+ if [ "$(id -u)" -eq 0 ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates 2>/dev/null)" ]; then
+
+ # UBI
+ if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
+ cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ # Ubuntu/Alpine
+ if [ -d /usr/local/share/ca-certificates/ ]; then
+ cp -La /certificates/* /usr/local/share/ca-certificates/
+ fi
+ fi
+
+ # UBI
+ if which update-ca-trust >/dev/null; then
+ update-ca-trust
+ fi
+
+ # Ubuntu/Alpine
+ if which update-ca-certificates >/dev/null; then
+ update-ca-certificates
+ fi
+ else
+ # If we are not root, we cannot update the system truststore. That's bad news for tools like `curl` and `wget`,
+ # but since the JVM is the primary focus here, we can live with that.
+ true
+ fi
+fi
+
+# Let's provide a variable with the correct path for tools that want or need to use it
+export CACERT
+
+exec "$@"
diff --git a/22/jre/ubuntu/oracular/Dockerfile b/22/jre/ubuntu/oracular/Dockerfile
new file mode 100644
index 000000000..5303ffded
--- /dev/null
+++ b/22/jre/ubuntu/oracular/Dockerfile
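Review bot: `cp $CACERT $CACERT_NEW` in the read-only-truststore branch of entrypoint.sh is the one command that expands these paths unquoted, so a `JAVA_HOME` containing whitespace or glob characters would split the arguments; it should read `cp "$CACERT" "$CACERT_NEW"`. The scratch file from `tmp_store=$(mktemp)` is also never removed, so every container start with `USE_SYSTEM_CA_CERTS` set leaves another extracted CA bundle in /tmp; `rm -f "$tmp_store"` after the `keytool -importkeystore` call would clean it up. Both lines appear again in the identical 22/jre/ubuntu/oracular/entrypoint.sh hunk further down.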
@@ -0,0 +1,83 @@ +# ------------------------------------------------------------------------------ +# NOTE: THIS DOCKERFILE IS GENERATED VIA "generate_dockerfiles.py" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# ------------------------------------------------------------------------------ +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +FROM ubuntu:oracular + +ENV JAVA_HOME /opt/java/openjdk +ENV PATH $JAVA_HOME/bin:$PATH + +# Default to UTF-8 file.encoding +ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8' + +RUN set -eux; \ + apt-get update; \ + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + wget \ + # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory + # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager + # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 + fontconfig \ + # utilities for keeping Ubuntu and OpenJDK CA certificates in sync + # https://github.com/adoptium/containers/issues/293 + ca-certificates p11-kit \ + tzdata \ + # locales ensures proper character encoding and locale-specific behaviors using en_US.UTF-8 + locales \ + ; \ + echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen; \ + locale-gen en_US.UTF-8; \ + rm -rf /var/lib/apt/lists/* + +ENV JAVA_VERSION jdk-22.0.1+8 + +RUN set -eux; \ + ARCH="$(dpkg --print-architecture)"; \ + case "${ARCH}" in \ + riscv64) \ + 
ESUM='15193b64eac9a5ade9fc7d20fe90b9769887c0195afb20442d2a6adeb07c140f'; \ + BINARY_URL='https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22.0.1%2B8/OpenJDK22U-jre_riscv64_linux_hotspot_22.0.1_8.tar.gz'; \ + ;; \ + *) \ + echo "Unsupported arch: ${ARCH}"; \ + exit 1; \ + ;; \ + esac; \ + wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; \ + echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \ + mkdir -p "$JAVA_HOME"; \ + tar --extract \ + --file /tmp/openjdk.tar.gz \ + --directory "$JAVA_HOME" \ + --strip-components 1 \ + --no-same-owner \ + ; \ + rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip; \ + # https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472 + find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ + ldconfig; \ + # https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 + # https://openjdk.java.net/jeps/341 + java -Xshare:dump; + +RUN set -eux; \ + echo "Verifying install ..."; \ + echo "java --version"; java --version; \ + echo "Complete." +COPY entrypoint.sh /__cacert_entrypoint.sh +ENTRYPOINT ["/__cacert_entrypoint.sh"] diff --git a/22/jre/ubuntu/oracular/entrypoint.sh b/22/jre/ubuntu/oracular/entrypoint.sh new file mode 100755 index 000000000..0a5c75c36 --- /dev/null +++ b/22/jre/ubuntu/oracular/entrypoint.sh 
@@ -0,0 +1,89 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# JDK truststore location
+CACERT=$JAVA_HOME/lib/security/cacerts
+
+# JDK8 puts its JRE in a subdirectory
+if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT=$JAVA_HOME/jre/lib/security/cacerts
+fi
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ if [ ! -w /tmp ]; then
+ echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore."
+ exit 1
+ fi
+
+ # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not,
+ # we'll use a temporary truststore.
+ if [ ! -w "$CACERT" ]; then
+ # We cannot write to the JVM truststore, so we create a temporary one
+ CACERT_NEW=$(mktemp)
+ echo "Using a temporary truststore at $CACERT_NEW"
+ cp $CACERT $CACERT_NEW
+ CACERT=$CACERT_NEW
+ # If we use a custom truststore, we need to make sure that the JVM uses it
+ export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit"
+ fi
+
+ tmp_store=$(mktemp)
+
+ # Copy full system CA store to a temporary location
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store"
+
+ # Add the system CA certificates to the JVM truststore.
+ keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null
+
+ # Import the additional certificate into JVM truststore
+ for i in /certificates/*crt; do
+ if [ ! -f "$i" ]; then
+ continue
+ fi
+ keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null
+ done
+
+ # Add additional certificates to the system CA store. This requires write permissions to several system
+ # locations, which is not possible in a container with read-only filesystem and/or non-root container.
+ if [ "$(id -u)" -eq 0 ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ "$(ls -A /certificates 2>/dev/null)" ]; then
+
+ # UBI
+ if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
+ cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
+ fi
+
+ # Ubuntu/Alpine
+ if [ -d /usr/local/share/ca-certificates/ ]; then
+ cp -La /certificates/* /usr/local/share/ca-certificates/
+ fi
+ fi
+
+ # UBI
+ if which update-ca-trust >/dev/null; then
+ update-ca-trust
+ fi
+
+ # Ubuntu/Alpine
+ if which update-ca-certificates >/dev/null; then
+ update-ca-certificates
+ fi
+ else
+ # If we are not root, we cannot update the system truststore. That's bad news for tools like `curl` and `wget`,
+ # but since the JVM is the primary focus here, we can live with that.
+ true
+ fi
+fi
+
+# Let's provide a variable with the correct path for tools that want or need to use it
+export CACERT
+
+exec "$@"
diff --git a/config/hotspot.yml b/config/hotspot.yml
index b6646e1a8..1450e5d96 100644
--- a/config/hotspot.yml
+++ b/config/hotspot.yml
@@ -13,11 +13,16 @@ # supported_distributions: - OS: [alpine, focal, jammy, ubi9-minimal, windowsservercore-1809, nanoserver-1809, windowsservercore-ltsc2022, nanoserver-ltsc2022] + OS: [alpine, focal, jammy, oracular, ubi9-minimal, windowsservercore-1809, nanoserver-1809, windowsservercore-ltsc2022, nanoserver-ltsc2022] Versions: [8, 11, 17, 21, 22] configurations: linux: + - directory: ubuntu/oracular + architectures: [riscv64] + image: ubuntu:oracular + os: ubuntu + - directory: ubuntu/jammy image: ubuntu:22.04 architectures: [aarch64, arm, ppc64le, s390x, x64]
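Review bot: The new `ubuntu/oracular` entry under `configurations: linux:` carries no comment saying why it is limited to `architectures: [riscv64]`, or that `image: ubuntu:oracular` is an interim (non-LTS) Ubuntu release. Images built from it will lose base-image security updates well before the `jammy` entry that follows. A one-line comment above the entry would record the intent and give maintainers a reminder to rotate it, for example `# riscv64 only; oracular is an interim Ubuntu release - revisit before it reaches end of support`. The reason for choosing oracular is not visible in this hunk, so the wording should be confirmed by the author.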