Feat-multi-arch-containers #5533
Conversation
dependencies are part of distroless base image enable experimental image push for testing
see eXist-db#5450 close eXist-db#4151 close eXist-db#5532 close eXist-db#4153
duncdrum
force-pushed
the
feat-multi-arch-containers
branch
from
e453994
to
75981d8
Compare
|
The codacy issue here is pointless. We are trying to generate moving tag |
duncdrum
force-pushed
the
feat-multi-arch-containers
branch
2 times, most recently
from
44ac3cd
to
edfc10e
Compare
|
Deploy in my fork: 
images tested locally, all good. 
|
|
Ubuntu build fails, any idea ? |
|
@dizzzz some timeout with building distribution packages, I restarted it. Pretty sure it's unrelated to the changes in here. |
|
@line-o this is good to go. There are problems with the back port, but I m 99,9% certain that these will not affect the contents of this PR, which also fixes our broken ci. |
|
@line-o go ahead I ll be afk a lot this week. Thanks for the help |
line-o
force-pushed
the
feat-multi-arch-containers
branch
from
6f7fff4
to
9b1a3cf
Compare
|
|
|
||
| FROM gcr.io/distroless/java17:latest | ||
|
|
||
| # Copy over dependencies for Apache FOP, missing from GCR's JRE |
There was a problem hiding this comment.
This change breaks XSL:FO in eXist-db when using Apache FOP. Unfortunately, the gcr.io/distroless/java17-debian12:latest image you have chosen to update to does not include these libraries. Please test a proper XSL-FO to PDF transformation with these changes, and you will see the error.
There was a problem hiding this comment.
This PR switches from gcr.io/distroless/java17:latest to gcr.io/distroless/java17-debian12:latest
The lines stating they would be needed for FOP are commented out (lines 24-27 and 32-41) and select a different base image debian:bullseye-slim.
So, even if those additional libraries were needed for PDF-generation using XSL:FO they are already missing and nothing is changed from the status quo.
It, therefore, would be beneficial to create an additional Dockerfile that has all that is needed for this specific use-case. This could also be provided by a third party.
This is all just under the pretense that this is really needed for PDF generation and the adoption rate would also show us how common it is.
There was a problem hiding this comment.
@line-o It looks like they are only commented out because they were recently done so in a prior Pull Request that looks like it broke this.
I pointed out the problems in #4895 would break Apache FOP here, here, and here.
The response was that the base image now contains the required libraries, however, I have now checked the base image, and it is clear that that is not the case. See below:
We can see in the above image that /usr/lib inside the base image does not contain the previously required libraries.
There was a problem hiding this comment.
If they are no longer included that's a bug likely introduced when moving to debian 12. see GoogleContainerTools/distroless#321 or GoogleContainerTools/distroless#789 from 2019 and 2021 for relevant discussions. I will check the java-base image and move the discussion to the distroless repo
There was a problem hiding this comment.
I don't see it as a bug with Debian 12 or GCR. Simply, GCR has never included these libraries as many Java Applications don't need them. However, we do need them for eXist-db, which is why previously we explicitly installed them into a base Debian image and then copied them into our derivative of GCR.
There was a problem hiding this comment.
There was a problem hiding this comment.
@adamretter https://github.com/GoogleContainerTools/distroless/blob/main/java/BUILD#L117 here actually. I also remember and tested that the files were present after the discussions 3-4 years ago. If they no longer are it's a bug. Only libssl should no longer be included on Debian 12 Java images. I won't have time to look into this for another week or so. But I will check again. In the meantime I don't see how keeping a failing deploy tank running is helping. More fixes should come in a separate PR.
There was a problem hiding this comment.
@duncdrum Interesting that the files even though listed in that BUILD file don't seem to have ever been in the published GCR images as far as I can see.
There was a problem hiding this comment.
Just to be sure @adamretter You are checking in subsequent layers as well, and not seeing the dependencies?
There was a problem hiding this comment.
You are checking in subsequent layers as well, and not seeing the dependencies?
@duncdrum Yes, I think so. What do you see when you look in the image?
| @@ -21,7 +21,7 @@ | |||
| # | |||
|
|
|||
| # Use JDK 17 in Debian Bullseye (as our production image gcr.io/distroless/java:17 is based on Debian Bullseye with just a JRE) | |||
There was a problem hiding this comment.
I think this comment is out of date if you are switching the non-debug build to bookworm also.
There was a problem hiding this comment.
Yeah, better remove the name of a specific build of Debian from the comment, otherwise we will need to change it everytime the base image changes
enables a long overdue feature: multi-arch containers for
existdb/existdbbackport will remove a release blocker for 6.3.1
sidessteps docker maven plugin bug,
deployis green again.see fabric8io/docker-maven-plugin#1835
fixes outdated JRE patches, bumps base image to Debian 12
see #5450
close #4151
close #5532
close #4153