feat(jdk) Use of JRE image using multi-arch build #17866
❌ E2E Happy path tests failed ❗ See Details
Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)
[crw-ci-test]
@@ -19,7 +19,7 @@ FROM ${CHE_DASHBOARD_ORGANIZATION}/che-dashboard:${CHE_DASHBOARD_VERSION} as che | |||
FROM ${CHE_DASHBOARD_NEXT_ORGANIZATION}/che-dashboard-next:${CHE_DASHBOARD_NEXT_VERSION} as che_dashboard_next | |||
FROM ${CHE_WORKSPACE_LOADER_ORGANIZATION}/che-workspace-loader:${CHE_WORKSPACE_LOADER_VERSION} as che_workspace_loader_base | |||
|
|||
FROM openjdk:11-jre-slim | |||
FROM adoptopenjdk/openjdk11:jre-11.0.8_10 |
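Review bot: the new `FROM adoptopenjdk/openjdk11:jre-11.0.8_10` line pins a version tag, but a tag can still be re-pointed on the registry, so the build is not tied to one image. Appending the digest (`adoptopenjdk/openjdk11:jre-11.0.8_10@sha256:<digest>`) would make the base immutable. Because an exact pin no longer picks up patched JRE builds by itself, the PR should also state how this tag gets bumped, and a one-line comment above the FROM noting that the image was chosen for multi-arch support would explain the move away from `openjdk:11-jre-slim`.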
I would use the `adoptopenjdk/openjdk11:jre` tag, to get the latest security patches automatically.
Well, we usually don't, to be sure that we always use a predefined image.
Like in 6 months, maybe a new 'security/bugfix' might break che 7.20.
Yes, it can break, but I think the probability is very low. The question is whether it's more probable that there will be a new security vulnerability and we forget to update the jdk, or that the latest jdk breaks our code.
I guess in an ideal world, we would use `jre` in master to get the latest security release, and replace it with a matching exact version tag or hash for a release.
What is used is dependabot, which should trigger specific updates to the docker image when there is a new image released.
are you sure that dependabot will work here? (it maybe will, I don't know how dependabot actually works). Anyway, I'm not against merging it as is. I just think it's not the best we can have :)
maybe it's not configured properly but it's how it works
https://dependabot.com/docker/
https://dependabot.com/blog/dependabot-now-supports-docker/
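Added example, not part of this PR thread or the Che code base: a small Python check that classifies each FROM line by how tightly it is pinned, covering the options weighed in the review above (floating `jre` tag, exact version tag, hash). The function names, the dotted-version heuristic and the all-zero digest are assumptions made for illustration.

```python
import re

# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
# Heuristic (assumption): a tag is a version pin only if it has a dotted version.
VERSION_RE = re.compile(r"\d+\.\d+")

def classify(ref):
    """Return how tightly one image reference is pinned."""
    if "@sha256:" in ref:
        return "digest"        # content-addressed, cannot be re-pointed
    if "$" in ref:
        return "variable"      # set by ARG at build time; audit the ARG value
    _, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:  # no tag, or the colon was a registry port
        return "floating"      # implicit :latest
    return "version-tag" if VERSION_RE.search(tag) else "floating"

def audit(dockerfile_text):
    """Return (line_no, image, pinning) for each FROM that pulls an image."""
    stages, results = set(), []
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        # Skip "scratch" and references to an earlier build stage.
        if image.lower() != "scratch" and image.lower() not in stages:
            results.append((no, image, classify(image)))
        if alias:
            stages.add(alias.lower())
    return results

# Constructed sample: FROM lines from this PR plus a placeholder digest.
SAMPLE = "\n".join([
    "FROM ${CHE_DASHBOARD_NEXT_ORGANIZATION}/che-dashboard-next:${CHE_DASHBOARD_NEXT_VERSION} as che_dashboard_next",
    "FROM openjdk:11-jre-slim",
    "FROM adoptopenjdk/openjdk11:jre",
    "FROM adoptopenjdk/openjdk11:jre-11.0.8_10",
    "FROM adoptopenjdk/openjdk11@sha256:" + "0" * 64,  # placeholder digest
    "FROM che_dashboard_next",
])

if __name__ == "__main__":
    for no, image, pinning in audit(SAMPLE):
        print(f"line {no}: {pinning:12} {image}")
```

Note that `openjdk:11-jre-slim` is reported as floating: it follows the Java 11 line but names no specific build, so it moves with each upstream release just as `jre` does.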
Change-Id: I6fecbd6122398698688f72e3d7809fffd5cc8b5f Signed-off-by: Florent Benoit <fbenoit@redhat.com>
rebasing to make it work with happy path
[crw-ci-test]
✅ E2E Happy path tests succeed 🎉 See Details
Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)
What does this PR do?
Use a multi-arch build of OpenJDK/jre
$ docker images | grep jre
openjdk                  11-jre-slim     a982abd9eead   5 days ago    204MB
adoptopenjdk/openjdk11   jre             d762b86b9a70   3 weeks ago   229MB
adoptopenjdk/openjdk11   jre-11.0.8_10   d762b86b9a70   3 weeks ago   229MB
Screenshot/screencast of this PR
Multi arch images
What issues does this PR fix or reference?
#16655
How to test this PR?
Usage of docker image built with JRE
PR Checklist
As the author of this Pull Request I made sure that:
What issues does this PR fix or reference and How to test this PR completed
Reviewers
Reviewers, please comment how you tested the PR when approving it.
Change-Id: I6fecbd6122398698688f72e3d7809fffd5cc8b5f
Signed-off-by: Florent Benoit <fbenoit@redhat.com>