From 3fec00485b8448f6a9a4c150ad8a770306ca6814 Mon Sep 17 00:00:00 2001 
From: Tianon Gravi Date: Thu, 21 Jan 2021 23:11:24 -0800 Subject: [PATCH] Add initial jq-based templating engine This moves us from 11 templates down to 2, bringing much more consistency to the generated results. This also adds support for Alpine 3.13 (because we might as well). --- .gitattributes | 2 + .github/workflows/verify-templating.yml | 22 + .gitignore | 1 + 11/jdk/buster/Dockerfile | 55 +-- 11/jdk/oraclelinux7/Dockerfile | 42 +- 11/jdk/oraclelinux8/Dockerfile | 42 +- 11/jdk/slim-buster/Dockerfile | 49 +-- 11/jdk/windows/nanoserver-1809/Dockerfile | 12 +- .../windows/windowsservercore-1809/Dockerfile | 24 +- .../windowsservercore-ltsc2016/Dockerfile | 24 +- 11/jre/buster/Dockerfile | 55 +-- 11/jre/slim-buster/Dockerfile | 49 +-- 11/jre/windows/nanoserver-1809/Dockerfile | 12 +- .../windows/windowsservercore-1809/Dockerfile | 24 +- .../windowsservercore-ltsc2016/Dockerfile | 24 +- 15/jdk/buster/Dockerfile | 47 +-- 15/jdk/oraclelinux7/Dockerfile | 41 +- 15/jdk/oraclelinux8/Dockerfile | 41 +- 15/jdk/slim-buster/Dockerfile | 40 +- 15/jdk/windows/nanoserver-1809/Dockerfile | 12 +- .../windows/windowsservercore-1809/Dockerfile | 15 +- .../windowsservercore-ltsc2016/Dockerfile | 15 +- 16/jdk/alpine3.12/Dockerfile | 19 +- 16/jdk/alpine3.13/Dockerfile | 58 +++ 16/jdk/buster/Dockerfile | 46 +-- 16/jdk/oraclelinux7/Dockerfile | 41 +- 16/jdk/oraclelinux8/Dockerfile | 41 +- 16/jdk/slim-buster/Dockerfile | 39 +- 16/jdk/windows/nanoserver-1809/Dockerfile | 12 +- .../windows/windowsservercore-1809/Dockerfile | 15 +- .../windowsservercore-ltsc2016/Dockerfile | 15 +- .../jdk/alpine3.12/Dockerfile | 25 +- 17/jdk/alpine3.13/Dockerfile | 58 +++ 17/jdk/buster/Dockerfile | 46 +-- 17/jdk/oraclelinux7/Dockerfile | 41 +- 17/jdk/oraclelinux8/Dockerfile | 41 +- 17/jdk/slim-buster/Dockerfile | 39 +- 17/jdk/windows/nanoserver-1809/Dockerfile | 12 +- .../windows/windowsservercore-1809/Dockerfile | 15 +- .../windowsservercore-ltsc2016/Dockerfile | 15 +- 8/jdk/buster/Dockerfile | 46 +-- 
8/jdk/oraclelinux7/Dockerfile | 35 +- 8/jdk/oraclelinux8/Dockerfile | 35 +- 8/jdk/slim-buster/Dockerfile | 40 +- 8/jdk/windows/nanoserver-1809/Dockerfile | 12 +- .../windows/windowsservercore-1809/Dockerfile | 24 +- .../windowsservercore-ltsc2016/Dockerfile | 24 +- 8/jre/buster/Dockerfile | 46 +-- 8/jre/slim-buster/Dockerfile | 40 +- 8/jre/windows/nanoserver-1809/Dockerfile | 12 +- .../windows/windowsservercore-1809/Dockerfile | 24 +- .../windowsservercore-ltsc2016/Dockerfile | 24 +- Dockerfile-adopt-debian-slim.template | 109 ----- Dockerfile-adopt-debian.template | 105 ----- Dockerfile-adopt-oraclelinux.template | 95 ----- Dockerfile-adopt-windows-nanoserver.template | 33 -- Dockerfile-adopt-windows-servercore.template | 48 --- Dockerfile-linux.template | 332 +++++++++++++++ Dockerfile-oracle-debian-slim.template | 86 ---- Dockerfile-oracle-debian.template | 87 ---- Dockerfile-oracle-oraclelinux.template | 71 ---- Dockerfile-oracle-windows-nanoserver.template | 25 -- Dockerfile-oracle-windows-servercore.template | 58 --- Dockerfile-windows.template | 113 +++++ apply-templates.sh | 77 ++++ generate-stackbrew-library.sh | 73 ++-- update.sh | 391 +----------------- versions.json | 187 +++++++++ versions.sh | 275 ++++++++++++ 69 files changed, 2027 insertions(+), 1726 deletions(-) create mode 100644 .gitattributes create mode 100644 .github/workflows/verify-templating.yml create mode 100644 .gitignore create mode 100644 16/jdk/alpine3.13/Dockerfile rename Dockerfile-oracle-alpine.template => 17/jdk/alpine3.12/Dockerfile (69%) create mode 100644 17/jdk/alpine3.13/Dockerfile delete mode 100644 Dockerfile-adopt-debian-slim.template delete mode 100644 Dockerfile-adopt-debian.template delete mode 100644 Dockerfile-adopt-oraclelinux.template delete mode 100644 Dockerfile-adopt-windows-nanoserver.template delete mode 100644 Dockerfile-adopt-windows-servercore.template create mode 100644 Dockerfile-linux.template delete mode 100644 Dockerfile-oracle-debian-slim.template 
delete mode 100644 Dockerfile-oracle-debian.template delete mode 100644 Dockerfile-oracle-oraclelinux.template delete mode 100644 Dockerfile-oracle-windows-nanoserver.template delete mode 100644 Dockerfile-oracle-windows-servercore.template create mode 100644 Dockerfile-windows.template create mode 100755 apply-templates.sh create mode 100644 versions.json create mode 100755 versions.sh
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 00000000..90ec81cf
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+/*/**/Dockerfile linguist-generated
+/Dockerfile*.template linguist-language=Dockerfile
diff --git a/.github/workflows/verify-templating.yml b/.github/workflows/verify-templating.yml
new file mode 100644
index 00000000..7e833f1c
--- /dev/null
+++ b/.github/workflows/verify-templating.yml
@@ -0,0 +1,22 @@
+name: Verify Templating
+
+on:
+ pull_request:
+ push:
+
+defaults:
+ run:
+ shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+ apply-templates:
+ name: Check For Uncomitted Changes
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Apply Templates
+ run: ./apply-templates.sh
+ - name: Check Git Status
+ run: |
+ status="$(git status --short)"
+ [ -z "$status" ]
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..d548f66d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.jq-template.awk
diff --git a/11/jdk/buster/Dockerfile b/11/jdk/buster/Dockerfile index b89fbbc3..51a4ca65 100644 --- a/11/jdk/buster/Dockerfile +++ b/11/jdk/buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM buildpack-deps:buster-scm RUN set -eux; \ 
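Review bot: In `.github/workflows/verify-templating.yml`, the `- uses: actions/checkout@v2` step references a mutable tag, so whatever that tag points to at run time executes in this repository's CI; pinning it to a full commit SHA, `- uses: actions/checkout@<full-commit-sha> # v2`, makes the dependency reviewable and reproducible. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope even though it only checks out the tree, runs `./apply-templates.sh` and reads `git status`; a top-level `permissions:` with `contents: read` would hold it to least privilege. Separately, the job name `Check For Uncomitted Changes` has a typo and should read `Uncommitted`.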
@@ -7,24 +13,22 @@ RUN set -eux; \ unzip \ xz-utils \ \ -# utilities for keeping Debian and OpenJDK CA certificates in sync - ca-certificates p11-kit \ - \ # java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 fontconfig libfreetype6 \ + \ +# utilities for keeping Debian and OpenJDK CA certificates in sync + ca-certificates p11-kit \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-11 +RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] # backwards compatibility ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://adoptopenjdk.net/upstream.html # 
> @@ -43,26 +47,27 @@ ENV JAVA_VERSION 11.0.10 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# arm64v8 - arm64 | aarch64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_aarch64_linux_11.0.10_9.tar.gz ;; \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_x64_linux_11.0.10_9.tar.gz ;; \ -# fallback + 'amd64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_x64_linux_11.0.10_9.tar.gz'; \ + ;; \ + 'arm64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_aarch64_linux_11.0.10_9.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ - wget -O openjdk.tgz.asc "$downloadUrl.sign"; \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ + wget --progress=dot:giga -O openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ +# pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it +# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) +# we pre-fetch this so that the signature it makes on the OpenJDK key can survive "import-clean" in gpg + gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ # TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? 
# no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ -# also verify that key was signed by Andrew Haley (the OpenJDK 8 and 11 Updates OpenJDK project lead) -# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ | tee /dev/stderr \ | grep '0xA5CD6035332FA671' \ @@ -80,8 +85,6 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? - \ # update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) # see https://github.com/docker-library/openjdk/issues/327 # http://rabexc.org/posts/certificates-not-working-java#comment-4099504075 
@@ -90,11 +93,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ @@ -103,6 +102,10 @@ RUN set -eux; \ find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ ldconfig; \ \ +# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 +# https://openjdk.java.net/jeps/341 + java -Xshare:dump; \ + \ # basic smoke test fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ javac --version; \ diff --git a/11/jdk/oraclelinux7/Dockerfile b/11/jdk/oraclelinux7/Dockerfile index 5f6b9183..c855e62d 100644 --- a/11/jdk/oraclelinux7/Dockerfile +++ b/11/jdk/oraclelinux7/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM oraclelinux:7-slim RUN set -eux; \ 
@@ -14,12 +20,12 @@ RUN set -eux; \ ; \ rm -rf /var/cache/yum -# Default to UTF-8 file.encoding -ENV LANG en_US.UTF-8 - ENV JAVA_HOME /usr/java/openjdk-11 ENV PATH $JAVA_HOME/bin:$PATH +# Default to UTF-8 file.encoding +ENV LANG en_US.UTF-8 + # https://adoptopenjdk.net/upstream.html # > # > What are these binaries? @@ -36,20 +42,19 @@ ENV JAVA_VERSION 11.0.10 RUN set -eux; \ \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" + arch="$(objdump="$(command -v objdump)" && objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ case "$arch" in \ -# arm64v8 - arm64 | aarch64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_aarch64_linux_11.0.10_9.tar.gz ;; \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_x64_linux_11.0.10_9.tar.gz ;; \ -# fallback + 'i386:x86-64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_x64_linux_11.0.10_9.tar.gz'; \ + ;; \ + 'aarch64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_aarch64_linux_11.0.10_9.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ - curl -fL -o openjdk.tgz.asc "$downloadUrl.sign"; \ curl -fL -o openjdk.tgz "$downloadUrl"; \ + curl -fL -o openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ # pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it 
@@ -75,7 +80,9 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? + rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "update-ca-trust" script which creates/maintains this cacerts bundle + ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ \ # https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 ln -sfT "$JAVA_HOME" /usr/java/default; \ @@ -86,12 +93,9 @@ RUN set -eux; \ alternatives --install "/usr/bin/$base" "$base" "$bin" 20000; \ done; \ \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done; \ - if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi; \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$cacertsFile"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$cacertsFile"; \ +# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 +# https://openjdk.java.net/jeps/341 + java -Xshare:dump; \ \ # basic smoke test fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ diff --git a/11/jdk/oraclelinux8/Dockerfile b/11/jdk/oraclelinux8/Dockerfile index 6241947b..2b46b14b 100644 --- a/11/jdk/oraclelinux8/Dockerfile +++ b/11/jdk/oraclelinux8/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM oraclelinux:8-slim RUN set -eux; \ 
@@ -14,12 +20,12 @@ RUN set -eux; \ ; \ microdnf clean all -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/java/openjdk-11 ENV PATH $JAVA_HOME/bin:$PATH +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 + # https://adoptopenjdk.net/upstream.html # > # > What are these binaries? @@ -36,20 +42,19 @@ ENV JAVA_VERSION 11.0.10 RUN set -eux; \ \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" + arch="$(objdump="$(command -v objdump)" && objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ case "$arch" in \ -# arm64v8 - arm64 | aarch64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_aarch64_linux_11.0.10_9.tar.gz ;; \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_x64_linux_11.0.10_9.tar.gz ;; \ -# fallback + 'i386:x86-64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_x64_linux_11.0.10_9.tar.gz'; \ + ;; \ + 'aarch64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_aarch64_linux_11.0.10_9.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ - curl -fL -o openjdk.tgz.asc "$downloadUrl.sign"; \ curl -fL -o openjdk.tgz "$downloadUrl"; \ + curl -fL -o openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ # pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it 
@@ -75,7 +80,9 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? + rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "update-ca-trust" script which creates/maintains this cacerts bundle + ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ \ # https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 ln -sfT "$JAVA_HOME" /usr/java/default; \ @@ -86,12 +93,9 @@ RUN set -eux; \ alternatives --install "/usr/bin/$base" "$base" "$bin" 20000; \ done; \ \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done; \ - if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi; \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$cacertsFile"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$cacertsFile"; \ +# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 +# https://openjdk.java.net/jeps/341 + java -Xshare:dump; \ \ # basic smoke test fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ diff --git a/11/jdk/slim-buster/Dockerfile b/11/jdk/slim-buster/Dockerfile index deab0f8e..95c89631 100644 --- a/11/jdk/slim-buster/Dockerfile +++ b/11/jdk/slim-buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM debian:buster-slim RUN set -eux; \ 
@@ -8,14 +14,12 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-11 +RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] # backwards compatibility ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://adoptopenjdk.net/upstream.html # > @@ -34,13 +38,13 @@ ENV JAVA_VERSION 11.0.10 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# arm64v8 - arm64 | aarch64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_aarch64_linux_11.0.10_9.tar.gz ;; \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_x64_linux_11.0.10_9.tar.gz ;; \ -# fallback + 'amd64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_x64_linux_11.0.10_9.tar.gz'; \ + ;; \ + 'arm64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_aarch64_linux_11.0.10_9.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ 
@@ -53,16 +57,17 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/*; \ \ - wget -O openjdk.tgz.asc "$downloadUrl.sign"; \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ + wget --progress=dot:giga -O openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ +# pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it +# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) +# we pre-fetch this so that the signature it makes on the OpenJDK key can survive "import-clean" in gpg + gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ # TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? # no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ -# also verify that key was signed by Andrew Haley (the OpenJDK 8 and 11 Updates OpenJDK project lead) -# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ | tee /dev/stderr \ | grep '0xA5CD6035332FA671' \ 
@@ -80,8 +85,6 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? - \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ @@ -94,11 +97,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ @@ -107,6 +106,10 @@ RUN set -eux; \ find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ ldconfig; \ \ +# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 +# https://openjdk.java.net/jeps/341 + java -Xshare:dump; \ + \ # basic smoke test fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ javac --version; \ diff --git a/11/jdk/windows/nanoserver-1809/Dockerfile b/11/jdk/windows/nanoserver-1809/Dockerfile index 8c9d3f83..2044261f 100644 
--- a/11/jdk/windows/nanoserver-1809/Dockerfile +++ b/11/jdk/windows/nanoserver-1809/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/nanoserver:1809 SHELL ["cmd", "/s", "/c"] @@ -6,7 +12,8 @@ ENV JAVA_HOME C:\\openjdk-11 # "ERROR: Access to the registry path is denied." USER ContainerAdministrator RUN echo Updating PATH: %JAVA_HOME%\bin;%PATH% \ - && setx /M PATH %JAVA_HOME%\bin;%PATH% + && setx /M PATH %JAVA_HOME%\bin;%PATH% \ + && echo Complete. USER ContainerUser # https://adoptopenjdk.net/upstream.html @@ -27,7 +34,8 @@ COPY --from=openjdk:11.0.10-jdk-windowsservercore-1809 $JAVA_HOME $JAVA_HOME RUN echo Verifying install ... \ && echo javac --version && javac --version \ - && echo java --version && java --version + && echo java --version && java --version \ + && echo Complete. # "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) CMD ["jshell"] diff --git a/11/jdk/windows/windowsservercore-1809/Dockerfile b/11/jdk/windows/windowsservercore-1809/Dockerfile index ed03e4d0..ef3410d3 100644 --- a/11/jdk/windows/windowsservercore-1809/Dockerfile +++ b/11/jdk/windows/windowsservercore-1809/Dockerfile 
@@ -1,13 +1,33 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:1809 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] +# enable TLS 1.2 +# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 +# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 +RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ + $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \ + if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \ + New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \ + New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' + ENV JAVA_HOME C:\\openjdk-11 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://adoptopenjdk.net/upstream.html # > diff --git a/11/jdk/windows/windowsservercore-ltsc2016/Dockerfile b/11/jdk/windows/windowsservercore-ltsc2016/Dockerfile index ef94333b..9f15b8f7 100644 
--- a/11/jdk/windows/windowsservercore-ltsc2016/Dockerfile +++ b/11/jdk/windows/windowsservercore-ltsc2016/Dockerfile @@ -1,13 +1,33 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:ltsc2016 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] +# enable TLS 1.2 +# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 +# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 +RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ + $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \ + if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \ + New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \ + New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' + ENV JAVA_HOME C:\\openjdk-11 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://adoptopenjdk.net/upstream.html # 
> diff --git a/11/jre/buster/Dockerfile b/11/jre/buster/Dockerfile index 07d07326..a3a48920 100644 --- a/11/jre/buster/Dockerfile +++ b/11/jre/buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM buildpack-deps:buster-curl RUN set -eux; \ @@ -7,24 +13,22 @@ RUN set -eux; \ unzip \ xz-utils \ \ -# utilities for keeping Debian and OpenJDK CA certificates in sync - ca-certificates p11-kit \ - \ # java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 fontconfig libfreetype6 \ + \ +# utilities for keeping Debian and OpenJDK CA certificates in sync + ca-certificates p11-kit \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-11 +RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] # backwards compatibility ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://adoptopenjdk.net/upstream.html # 
> @@ -43,26 +47,27 @@ ENV JAVA_VERSION 11.0.10 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# arm64v8 - arm64 | aarch64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jre_aarch64_linux_11.0.10_9.tar.gz ;; \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jre_x64_linux_11.0.10_9.tar.gz ;; \ -# fallback + 'amd64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jre_x64_linux_11.0.10_9.tar.gz'; \ + ;; \ + 'arm64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jre_aarch64_linux_11.0.10_9.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ - wget -O openjdk.tgz.asc "$downloadUrl.sign"; \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ + wget --progress=dot:giga -O openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ +# pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it +# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) +# we pre-fetch this so that the signature it makes on the OpenJDK key can survive "import-clean" in gpg + gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ # TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? 
# no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ -# also verify that key was signed by Andrew Haley (the OpenJDK 8 and 11 Updates OpenJDK project lead) -# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ | tee /dev/stderr \ | grep '0xA5CD6035332FA671' \ @@ -80,8 +85,6 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? - \ # update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) # see https://github.com/docker-library/openjdk/issues/327 # http://rabexc.org/posts/certificates-not-working-java#comment-4099504075 
@@ -90,11 +93,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ @@ -103,5 +102,9 @@ RUN set -eux; \ find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ ldconfig; \ \ +# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 +# https://openjdk.java.net/jeps/341 + java -Xshare:dump; \ + \ # basic smoke test java --version diff --git a/11/jre/slim-buster/Dockerfile b/11/jre/slim-buster/Dockerfile index 6edfec25..da1d3a6b 100644 --- a/11/jre/slim-buster/Dockerfile +++ b/11/jre/slim-buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM debian:buster-slim RUN set -eux; \ 
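Review bot: The regenerated `/etc/ca-certificates/update.d/docker-openjdk` hook drops both guards and passes `"$JAVA_HOME/lib/security/cacerts"` straight to `trust extract --overwrite`, so the overwrite target is whatever the calling environment supplies. The hook's `set -Eeuo pipefail` still stops on an unset variable, but an empty `JAVA_HOME` would point the overwrite at `/lib/security/cacerts`, and an overridden one at some other tree, the next time the CA store is refreshed. Emitting `"${JAVA_HOME:?}/lib/security/cacerts"` in the echoed line keeps the fail-fast behaviour without bringing back the Java 8 path probing. The same simplification is made in the 11/jre/slim-buster, 15/jdk/buster and 15/jdk/slim-buster hunks; the enclosing RUN starts before this hunk.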
@@ -8,14 +14,12 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-11 +RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] # backwards compatibility ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://adoptopenjdk.net/upstream.html # > @@ -34,13 +38,13 @@ ENV JAVA_VERSION 11.0.10 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# arm64v8 - arm64 | aarch64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jre_aarch64_linux_11.0.10_9.tar.gz ;; \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jre_x64_linux_11.0.10_9.tar.gz ;; \ -# fallback + 'amd64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jre_x64_linux_11.0.10_9.tar.gz'; \ + ;; \ + 'arm64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jre_aarch64_linux_11.0.10_9.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ 
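Review bot: The `docker-java-home` shim moved in this hunk is written with `echo '#/bin/sh'`, which lacks the `!` and is therefore an ordinary comment rather than an interpreter line. The build-time check `[ "$JAVA_HOME" = "$(docker-java-home)" ]` passes only because a shell retries an unrecognised executable as a script; a caller that executes the file directly rather than through a shell would likely get an exec format error. Since the line is regenerated from the template anyway, it could become `echo '#!/bin/sh'`. The same line is in the 15/jdk/buster (`@@ -7,27 +13,26 @@`) and 15/jdk/slim-buster (`@@ -8,14 +14,12 @@`) hunks.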
@@ -53,16 +57,17 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/*; \ \ - wget -O openjdk.tgz.asc "$downloadUrl.sign"; \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ + wget --progress=dot:giga -O openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ +# pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it +# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) +# we pre-fetch this so that the signature it makes on the OpenJDK key can survive "import-clean" in gpg + gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ # TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? # no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ -# also verify that key was signed by Andrew Haley (the OpenJDK 8 and 11 Updates OpenJDK project lead) -# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ | tee /dev/stderr \ | grep '0xA5CD6035332FA671' \ 
@@ -80,8 +85,6 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? - \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ @@ -94,11 +97,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ @@ -107,5 +106,9 @@ RUN set -eux; \ find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ ldconfig; \ \ +# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 +# https://openjdk.java.net/jeps/341 + java -Xshare:dump; \ + \ # basic smoke test java --version diff --git a/11/jre/windows/nanoserver-1809/Dockerfile b/11/jre/windows/nanoserver-1809/Dockerfile index ad04fbd9..4b00e8a3 100644 --- a/11/jre/windows/nanoserver-1809/Dockerfile +++ b/11/jre/windows/nanoserver-1809/Dockerfile 
@@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/nanoserver:1809 SHELL ["cmd", "/s", "/c"] @@ -6,7 +12,8 @@ ENV JAVA_HOME C:\\openjdk-11 # "ERROR: Access to the registry path is denied." USER ContainerAdministrator RUN echo Updating PATH: %JAVA_HOME%\bin;%PATH% \ - && setx /M PATH %JAVA_HOME%\bin;%PATH% + && setx /M PATH %JAVA_HOME%\bin;%PATH% \ + && echo Complete. USER ContainerUser # https://adoptopenjdk.net/upstream.html @@ -26,4 +33,5 @@ ENV JAVA_VERSION 11.0.10 COPY --from=openjdk:11.0.10-jre-windowsservercore-1809 $JAVA_HOME $JAVA_HOME RUN echo Verifying install ... \ - && echo java --version && java --version + && echo java --version && java --version \ + && echo Complete. diff --git a/11/jre/windows/windowsservercore-1809/Dockerfile b/11/jre/windows/windowsservercore-1809/Dockerfile index 2a3645f7..57e5261d 100644 --- a/11/jre/windows/windowsservercore-1809/Dockerfile +++ b/11/jre/windows/windowsservercore-1809/Dockerfile 
@@ -1,13 +1,33 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:1809 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] +# enable TLS 1.2 +# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 +# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 +RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ + $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \ + if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \ + New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \ + New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' + ENV JAVA_HOME C:\\openjdk-11 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://adoptopenjdk.net/upstream.html # > diff --git a/11/jre/windows/windowsservercore-ltsc2016/Dockerfile b/11/jre/windows/windowsservercore-ltsc2016/Dockerfile index afe09e8f..3f083f61 100644 
--- a/11/jre/windows/windowsservercore-ltsc2016/Dockerfile +++ b/11/jre/windows/windowsservercore-ltsc2016/Dockerfile @@ -1,13 +1,33 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:ltsc2016 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] +# enable TLS 1.2 +# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 +# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 +RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ + $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \ + if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \ + New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \ + New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' + ENV JAVA_HOME C:\\openjdk-11 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://adoptopenjdk.net/upstream.html # 
> diff --git a/15/jdk/buster/Dockerfile b/15/jdk/buster/Dockerfile index ca8b43d1..dadd213c 100644 --- a/15/jdk/buster/Dockerfile +++ b/15/jdk/buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM buildpack-deps:buster-scm RUN set -eux; \ @@ -7,27 +13,26 @@ RUN set -eux; \ unzip \ xz-utils \ \ -# utilities for keeping Debian and OpenJDK CA certificates in sync - ca-certificates p11-kit \ - \ # jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351 # Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory binutils \ + \ # java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 fontconfig libfreetype6 \ + \ +# utilities for keeping Debian and OpenJDK CA certificates in sync + ca-certificates p11-kit \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-15 +RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] # backwards compatibility ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://jdk.java.net/ # 
> @@ -38,23 +43,19 @@ ENV JAVA_VERSION 15.0.2 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-aarch64_bin.tar.gz; \ - downloadSha256=3958f01858f9290c48c23e7804a0af3624e8eca6749b085c425df4c4f2f7dcbc; \ + 'amd64') \ + downloadUrl='https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-x64_bin.tar.gz'; \ + downloadSha256='91ac6fc353b6bf39d995572b700e37a20e119a87034eeb939a6f24356fbcd207'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-x64_bin.tar.gz; \ - downloadSha256=91ac6fc353b6bf39d995572b700e37a20e119a87034eeb939a6f24356fbcd207; \ + 'arm64') \ + downloadUrl='https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-aarch64_bin.tar.gz'; \ + downloadSha256='3958f01858f9290c48c23e7804a0af3624e8eca6749b085c425df4c4f2f7dcbc'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ echo "$downloadSha256 *openjdk.tgz" | sha256sum --strict --check -; \ \ mkdir -p "$JAVA_HOME"; \ @@ -64,7 +65,7 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ \ # update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) # see https://github.com/docker-library/openjdk/issues/327 
@@ -74,11 +75,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ diff --git a/15/jdk/oraclelinux7/Dockerfile b/15/jdk/oraclelinux7/Dockerfile index 37eb1426..2b54afcd 100644 --- a/15/jdk/oraclelinux7/Dockerfile +++ b/15/jdk/oraclelinux7/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM oraclelinux:7-slim RUN set -eux; \ @@ -14,12 +20,12 @@ RUN set -eux; \ ; \ rm -rf /var/cache/yum -# Default to UTF-8 file.encoding -ENV LANG en_US.UTF-8 - ENV JAVA_HOME /usr/java/openjdk-15 ENV PATH $JAVA_HOME/bin:$PATH +# Default to UTF-8 file.encoding +ENV LANG en_US.UTF-8 + # https://jdk.java.net/ # > # > Java Development Kit builds, from Oracle 
@@ -28,21 +34,16 @@ ENV JAVA_VERSION 15.0.2 RUN set -eux; \ \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" + arch="$(objdump="$(command -v objdump)" && objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-aarch64_bin.tar.gz; \ - downloadSha256=3958f01858f9290c48c23e7804a0af3624e8eca6749b085c425df4c4f2f7dcbc; \ + 'i386:x86-64') \ + downloadUrl='https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-x64_bin.tar.gz'; \ + downloadSha256='91ac6fc353b6bf39d995572b700e37a20e119a87034eeb939a6f24356fbcd207'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-x64_bin.tar.gz; \ - downloadSha256=91ac6fc353b6bf39d995572b700e37a20e119a87034eeb939a6f24356fbcd207; \ + 'aarch64') \ + downloadUrl='https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-aarch64_bin.tar.gz'; \ + downloadSha256='3958f01858f9290c48c23e7804a0af3624e8eca6749b085c425df4c4f2f7dcbc'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ 
@@ -56,7 +57,11 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ + \ + rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "update-ca-trust" script which creates/maintains this cacerts bundle + ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ \ # https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 ln -sfT "$JAVA_HOME" /usr/java/default; \ @@ -71,10 +76,6 @@ RUN set -eux; \ # https://openjdk.java.net/jeps/341 java -Xshare:dump; \ \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$JAVA_HOME/lib/security/cacerts"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ - \ # basic smoke test fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ javac --version; \ diff --git a/15/jdk/oraclelinux8/Dockerfile b/15/jdk/oraclelinux8/Dockerfile index b9a435fa..c185f8d3 100644 --- a/15/jdk/oraclelinux8/Dockerfile +++ b/15/jdk/oraclelinux8/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM oraclelinux:8-slim RUN set -eux; \ @@ -14,12 +20,12 @@ RUN set -eux; \ ; \ microdnf clean all -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/java/openjdk-15 ENV PATH $JAVA_HOME/bin:$PATH +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 + # https://jdk.java.net/ # > # > Java Development Kit builds, from Oracle 
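Review bot: After `rm -rf "$JAVA_HOME/lib/security/cacerts"` and the `ln -sT` to `/etc/pki/ca-trust/extracted/java/cacerts`, nothing in the visible part of this RUN checks that the link resolves to a non-empty keystore. If the system bundle is absent or empty, the build still succeeds and the image ships a JDK that trusts no CA, which only shows up as TLS failures at run time; the smoke test in the following hunk does not exercise the trust store. A one-line assertion after the link, `[ -s "$JAVA_HOME/lib/security/cacerts" ]; \`, would catch that at build time. The same applies to the 15/jdk/oraclelinux8 hunk and to the new 16/jdk/alpine3.13 Dockerfile (link to `/etc/ssl/certs/java/cacerts`); the RUN body starts and ends outside this hunk.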
@@ -28,21 +34,16 @@ ENV JAVA_VERSION 15.0.2 RUN set -eux; \ \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" + arch="$(objdump="$(command -v objdump)" && objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-aarch64_bin.tar.gz; \ - downloadSha256=3958f01858f9290c48c23e7804a0af3624e8eca6749b085c425df4c4f2f7dcbc; \ + 'i386:x86-64') \ + downloadUrl='https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-x64_bin.tar.gz'; \ + downloadSha256='91ac6fc353b6bf39d995572b700e37a20e119a87034eeb939a6f24356fbcd207'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-x64_bin.tar.gz; \ - downloadSha256=91ac6fc353b6bf39d995572b700e37a20e119a87034eeb939a6f24356fbcd207; \ + 'aarch64') \ + downloadUrl='https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-aarch64_bin.tar.gz'; \ + downloadSha256='3958f01858f9290c48c23e7804a0af3624e8eca6749b085c425df4c4f2f7dcbc'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ 
@@ -56,7 +57,11 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ + \ + rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "update-ca-trust" script which creates/maintains this cacerts bundle + ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ \ # https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 ln -sfT "$JAVA_HOME" /usr/java/default; \ @@ -71,10 +76,6 @@ RUN set -eux; \ # https://openjdk.java.net/jeps/341 java -Xshare:dump; \ \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$JAVA_HOME/lib/security/cacerts"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ - \ # basic smoke test fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ javac --version; \ diff --git a/15/jdk/slim-buster/Dockerfile b/15/jdk/slim-buster/Dockerfile index b77d6474..76d32530 100644 --- a/15/jdk/slim-buster/Dockerfile +++ b/15/jdk/slim-buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM debian:buster-slim RUN set -eux; \ 
@@ -8,14 +14,12 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-15 +RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] # backwards compatibility ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://jdk.java.net/ # > @@ -26,19 +30,15 @@ ENV JAVA_VERSION 15.0.2 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-aarch64_bin.tar.gz; \ - downloadSha256=3958f01858f9290c48c23e7804a0af3624e8eca6749b085c425df4c4f2f7dcbc; \ + 'amd64') \ + downloadUrl='https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-x64_bin.tar.gz'; \ + downloadSha256='91ac6fc353b6bf39d995572b700e37a20e119a87034eeb939a6f24356fbcd207'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-x64_bin.tar.gz; \ - downloadSha256=91ac6fc353b6bf39d995572b700e37a20e119a87034eeb939a6f24356fbcd207; \ + 'arm64') \ + downloadUrl='https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-aarch64_bin.tar.gz'; \ + downloadSha256='3958f01858f9290c48c23e7804a0af3624e8eca6749b085c425df4c4f2f7dcbc'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ 
@@ -49,7 +49,7 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/*; \ \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ echo "$downloadSha256 *openjdk.tgz" | sha256sum --strict --check -; \ \ mkdir -p "$JAVA_HOME"; \ @@ -59,7 +59,7 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ @@ -73,11 +73,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ diff --git a/15/jdk/windows/nanoserver-1809/Dockerfile b/15/jdk/windows/nanoserver-1809/Dockerfile index 271e09b1..562bc9eb 100644 --- a/15/jdk/windows/nanoserver-1809/Dockerfile +++ b/15/jdk/windows/nanoserver-1809/Dockerfile 
@@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/nanoserver:1809 SHELL ["cmd", "/s", "/c"] @@ -6,7 +12,8 @@ ENV JAVA_HOME C:\\openjdk-15 # "ERROR: Access to the registry path is denied." USER ContainerAdministrator RUN echo Updating PATH: %JAVA_HOME%\bin;%PATH% \ - && setx /M PATH %JAVA_HOME%\bin;%PATH% + && setx /M PATH %JAVA_HOME%\bin;%PATH% \ + && echo Complete. USER ContainerUser # https://jdk.java.net/ @@ -19,7 +26,8 @@ COPY --from=openjdk:15.0.2-jdk-windowsservercore-1809 $JAVA_HOME $JAVA_HOME RUN echo Verifying install ... \ && echo javac --version && javac --version \ - && echo java --version && java --version + && echo java --version && java --version \ + && echo Complete. # "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) CMD ["jshell"] diff --git a/15/jdk/windows/windowsservercore-1809/Dockerfile b/15/jdk/windows/windowsservercore-1809/Dockerfile index e5082e63..4c1858b0 100644 --- a/15/jdk/windows/windowsservercore-1809/Dockerfile +++ b/15/jdk/windows/windowsservercore-1809/Dockerfile @@ -1,9 +1,15 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:1809 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -# enable TLS 1.2 (Nano Server doesn't support using "[Net.ServicePointManager]::SecurityProtocol") +# enable TLS 1.2 # https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 # https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ 
@@ -14,13 +20,14 @@ RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-n New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ - New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' ENV JAVA_HOME C:\\openjdk-15 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://jdk.java.net/ # > diff --git a/15/jdk/windows/windowsservercore-ltsc2016/Dockerfile b/15/jdk/windows/windowsservercore-ltsc2016/Dockerfile index d7be3141..99ad23a1 100644 --- a/15/jdk/windows/windowsservercore-ltsc2016/Dockerfile +++ b/15/jdk/windows/windowsservercore-ltsc2016/Dockerfile 
@@ -1,9 +1,15 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:ltsc2016 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -# enable TLS 1.2 (Nano Server doesn't support using "[Net.ServicePointManager]::SecurityProtocol") +# enable TLS 1.2 # https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 # https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ @@ -14,13 +20,14 @@ RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-n New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ - New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' ENV JAVA_HOME C:\\openjdk-15 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://jdk.java.net/ # > diff --git a/16/jdk/alpine3.12/Dockerfile b/16/jdk/alpine3.12/Dockerfile index db71a6a8..4862b813 100644 --- a/16/jdk/alpine3.12/Dockerfile +++ b/16/jdk/alpine3.12/Dockerfile 
@@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM alpine:3.12 RUN apk add --no-cache java-cacerts @@ -15,14 +21,11 @@ ENV JAVA_VERSION 16-ea+32 RUN set -eux; \ \ arch="$(apk --print-arch)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# amd64 - x86_64) \ - downloadUrl=https://download.java.net/java/early_access/alpine/32/binaries/openjdk-16-ea+32_linux-x64-musl_bin.tar.gz; \ - downloadSha256=f9ec3071fdea08ca5be7b149d6c2f2689814e3ee86ee15b7981f5eed76280985; \ + 'x86_64') \ + downloadUrl='https://download.java.net/java/early_access/alpine/32/binaries/openjdk-16-ea+32_linux-x64-musl_bin.tar.gz'; \ + downloadSha256='f9ec3071fdea08ca5be7b149d6c2f2689814e3ee86ee15b7981f5eed76280985'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ @@ -36,10 +39,10 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ \ -# see "java-cacerts" package installed above (which maintains "/etc/ssl/certs/java/cacerts" for us) rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "java-cacerts" package installed above (which maintains "/etc/ssl/certs/java/cacerts" for us) ln -sT /etc/ssl/certs/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ \ # https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 diff --git a/16/jdk/alpine3.13/Dockerfile b/16/jdk/alpine3.13/Dockerfile new file mode 100644 index 00000000..44ba9bdf --- /dev/null +++ b/16/jdk/alpine3.13/Dockerfile 
@@ -0,0 +1,58 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + +FROM alpine:3.13 + +RUN apk add --no-cache java-cacerts + +ENV JAVA_HOME /opt/openjdk-16 +ENV PATH $JAVA_HOME/bin:$PATH + +# https://jdk.java.net/ +# > +# > Java Development Kit builds, from Oracle +# > +ENV JAVA_VERSION 16-ea+32 +# "For Alpine Linux, builds are produced on a reduced schedule and may not be in sync with the other platforms." + +RUN set -eux; \ + \ + arch="$(apk --print-arch)"; \ + case "$arch" in \ + 'x86_64') \ + downloadUrl='https://download.java.net/java/early_access/alpine/32/binaries/openjdk-16-ea+32_linux-x64-musl_bin.tar.gz'; \ + downloadSha256='f9ec3071fdea08ca5be7b149d6c2f2689814e3ee86ee15b7981f5eed76280985'; \ + ;; \ + *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ + esac; \ + \ + wget -O openjdk.tgz "$downloadUrl"; \ + echo "$downloadSha256 *openjdk.tgz" | sha256sum -c -; \ + \ + mkdir -p "$JAVA_HOME"; \ + tar --extract \ + --file openjdk.tgz \ + --directory "$JAVA_HOME" \ + --strip-components 1 \ + --no-same-owner \ + ; \ + rm openjdk.tgz*; \ + \ + rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "java-cacerts" package installed above (which maintains "/etc/ssl/certs/java/cacerts" for us) + ln -sT /etc/ssl/certs/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ + \ +# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 +# https://openjdk.java.net/jeps/341 + java -Xshare:dump; \ + \ +# basic smoke test + fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ + javac --version; \ + java --version + +# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) +CMD ["jshell"] diff --git a/16/jdk/buster/Dockerfile b/16/jdk/buster/Dockerfile index 642e2cd2..2754dcbf 100644 --- a/16/jdk/buster/Dockerfile +++ b/16/jdk/buster/Dockerfile 
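Review bot: Nothing in this new file checks that the trust store exists after `ln -sT /etc/ssl/certs/java/cacerts "$JAVA_HOME/lib/security/cacerts"`; `ln -s` succeeds on a missing target, and the smoke test that follows only runs `jshell`, `javac --version` and `java --version`, none of which obviously reads the CA bundle. If the `java-cacerts` package ever stopped producing that file, the image would presumably build with a dangling link and fail certificate validation only at run time. A one-line guard after the `ln`, added in the template, would catch it at build time: `[ -s "$JAVA_HOME/lib/security/cacerts" ]; \`. The 16/jdk/alpine3.12 hunk and the 17/jdk alpine3.12 and alpine3.13 files share the pattern.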
@@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM buildpack-deps:buster-scm RUN set -eux; \ @@ -7,27 +13,25 @@ RUN set -eux; \ unzip \ xz-utils \ \ -# utilities for keeping Debian and OpenJDK CA certificates in sync - ca-certificates p11-kit \ - \ # jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351 # Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory binutils \ + \ # java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 fontconfig libfreetype6 \ + \ +# utilities for keeping Debian and OpenJDK CA certificates in sync + ca-certificates p11-kit \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-16 ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://jdk.java.net/ # 
> @@ -38,23 +42,19 @@ ENV JAVA_VERSION 16-ea+34 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-aarch64_bin.tar.gz; \ - downloadSha256=9c294a8b7c440c45968fc16d3aa3261be71b00a7fad22b7aafa2a7b7381e5f2c; \ + 'amd64') \ + downloadUrl='https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-x64_bin.tar.gz'; \ + downloadSha256='11fd069e3a17a17268b9bb0c8bfd440016af686acfe8d3a4bfd71381fbce22dc'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-x64_bin.tar.gz; \ - downloadSha256=11fd069e3a17a17268b9bb0c8bfd440016af686acfe8d3a4bfd71381fbce22dc; \ + 'arm64') \ + downloadUrl='https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-aarch64_bin.tar.gz'; \ + downloadSha256='9c294a8b7c440c45968fc16d3aa3261be71b00a7fad22b7aafa2a7b7381e5f2c'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ echo "$downloadSha256 *openjdk.tgz" | sha256sum --strict --check -; \ \ mkdir -p "$JAVA_HOME"; \ @@ -64,7 +64,7 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ \ # update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) # see https://github.com/docker-library/openjdk/issues/327 
@@ -74,11 +74,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ diff --git a/16/jdk/oraclelinux7/Dockerfile b/16/jdk/oraclelinux7/Dockerfile index 1395c1a4..6e114b24 100644 --- a/16/jdk/oraclelinux7/Dockerfile +++ b/16/jdk/oraclelinux7/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM oraclelinux:7-slim RUN set -eux; \ @@ -14,12 +20,12 @@ RUN set -eux; \ ; \ rm -rf /var/cache/yum -# Default to UTF-8 file.encoding -ENV LANG en_US.UTF-8 - ENV JAVA_HOME /usr/java/openjdk-16 ENV PATH $JAVA_HOME/bin:$PATH +# Default to UTF-8 file.encoding +ENV LANG en_US.UTF-8 + # https://jdk.java.net/ # > # > Java Development Kit builds, from Oracle 
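Review bot: The generated `/etc/ca-certificates/update.d/docker-openjdk` hook now passes `"$JAVA_HOME/lib/security/cacerts"` straight to `trust extract --overwrite`, where the removed lines refused to run unless `JAVA_HOME` was a directory that already held a cacerts file. Under `set -Eeuo pipefail` an unset `JAVA_HOME` still aborts, but with a bare unbound-variable error, and a `JAVA_HOME` that points somewhere unexpected when the hook runs is no longer rejected before the overwrite. Dropping the Java 8 `jre/` lookup is fine for this version, but a single guard line after `set -Eeuo pipefail` keeps the old safety: `echo 'if ! [ -f "${JAVA_HOME:-}/lib/security/cacerts" ]; then echo >&2 "error: no cacerts file under JAVA_HOME"; exit 1; fi'; \`. The enclosing RUN starts and ends outside the hunk, and the same change is in the 16/jdk/slim-buster and 17/jdk/buster hunks.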
@@ -28,21 +34,16 @@ ENV JAVA_VERSION 16-ea+34 RUN set -eux; \ \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" + arch="$(objdump="$(command -v objdump)" && objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-aarch64_bin.tar.gz; \ - downloadSha256=9c294a8b7c440c45968fc16d3aa3261be71b00a7fad22b7aafa2a7b7381e5f2c; \ + 'i386:x86-64') \ + downloadUrl='https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-x64_bin.tar.gz'; \ + downloadSha256='11fd069e3a17a17268b9bb0c8bfd440016af686acfe8d3a4bfd71381fbce22dc'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-x64_bin.tar.gz; \ - downloadSha256=11fd069e3a17a17268b9bb0c8bfd440016af686acfe8d3a4bfd71381fbce22dc; \ + 'aarch64') \ + downloadUrl='https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-aarch64_bin.tar.gz'; \ + downloadSha256='9c294a8b7c440c45968fc16d3aa3261be71b00a7fad22b7aafa2a7b7381e5f2c'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ @@ -56,7 +57,11 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ + \ + rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "update-ca-trust" script which creates/maintains this cacerts bundle + ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ \ # https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 ln -sfT "$JAVA_HOME" /usr/java/default; \ 
@@ -71,10 +76,6 @@ RUN set -eux; \ # https://openjdk.java.net/jeps/341 java -Xshare:dump; \ \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$JAVA_HOME/lib/security/cacerts"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ - \ # basic smoke test fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ javac --version; \ diff --git a/16/jdk/oraclelinux8/Dockerfile b/16/jdk/oraclelinux8/Dockerfile index e61c614f..7dbac3f8 100644 --- a/16/jdk/oraclelinux8/Dockerfile +++ b/16/jdk/oraclelinux8/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM oraclelinux:8-slim RUN set -eux; \ @@ -14,12 +20,12 @@ RUN set -eux; \ ; \ microdnf clean all -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/java/openjdk-16 ENV PATH $JAVA_HOME/bin:$PATH +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 + # https://jdk.java.net/ # > # > Java Development Kit builds, from Oracle 
@@ -28,21 +34,16 @@ ENV JAVA_VERSION 16-ea+34 RUN set -eux; \ \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" + arch="$(objdump="$(command -v objdump)" && objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-aarch64_bin.tar.gz; \ - downloadSha256=9c294a8b7c440c45968fc16d3aa3261be71b00a7fad22b7aafa2a7b7381e5f2c; \ + 'i386:x86-64') \ + downloadUrl='https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-x64_bin.tar.gz'; \ + downloadSha256='11fd069e3a17a17268b9bb0c8bfd440016af686acfe8d3a4bfd71381fbce22dc'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-x64_bin.tar.gz; \ - downloadSha256=11fd069e3a17a17268b9bb0c8bfd440016af686acfe8d3a4bfd71381fbce22dc; \ + 'aarch64') \ + downloadUrl='https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-aarch64_bin.tar.gz'; \ + downloadSha256='9c294a8b7c440c45968fc16d3aa3261be71b00a7fad22b7aafa2a7b7381e5f2c'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ @@ -56,7 +57,11 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ + \ + rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "update-ca-trust" script which creates/maintains this cacerts bundle + ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ \ # https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 ln -sfT "$JAVA_HOME" /usr/java/default; \ 
@@ -71,10 +76,6 @@ RUN set -eux; \ # https://openjdk.java.net/jeps/341 java -Xshare:dump; \ \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$JAVA_HOME/lib/security/cacerts"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ - \ # basic smoke test fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ javac --version; \ diff --git a/16/jdk/slim-buster/Dockerfile b/16/jdk/slim-buster/Dockerfile index 2c92c37b..d8a08693 100644 --- a/16/jdk/slim-buster/Dockerfile +++ b/16/jdk/slim-buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM debian:buster-slim RUN set -eux; \ @@ -8,14 +14,11 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-16 ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://jdk.java.net/ # 
> @@ -26,19 +29,15 @@ ENV JAVA_VERSION 16-ea+34 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-aarch64_bin.tar.gz; \ - downloadSha256=9c294a8b7c440c45968fc16d3aa3261be71b00a7fad22b7aafa2a7b7381e5f2c; \ + 'amd64') \ + downloadUrl='https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-x64_bin.tar.gz'; \ + downloadSha256='11fd069e3a17a17268b9bb0c8bfd440016af686acfe8d3a4bfd71381fbce22dc'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-x64_bin.tar.gz; \ - downloadSha256=11fd069e3a17a17268b9bb0c8bfd440016af686acfe8d3a4bfd71381fbce22dc; \ + 'arm64') \ + downloadUrl='https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-aarch64_bin.tar.gz'; \ + downloadSha256='9c294a8b7c440c45968fc16d3aa3261be71b00a7fad22b7aafa2a7b7381e5f2c'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ @@ -49,7 +48,7 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/*; \ \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ echo "$downloadSha256 *openjdk.tgz" | sha256sum --strict --check -; \ \ mkdir -p "$JAVA_HOME"; \ @@ -59,7 +58,7 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ 
@@ -73,11 +72,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ diff --git a/16/jdk/windows/nanoserver-1809/Dockerfile b/16/jdk/windows/nanoserver-1809/Dockerfile index 4f1bfd8f..7747465d 100644 --- a/16/jdk/windows/nanoserver-1809/Dockerfile +++ b/16/jdk/windows/nanoserver-1809/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/nanoserver:1809 SHELL ["cmd", "/s", "/c"] @@ -6,7 +12,8 @@ ENV JAVA_HOME C:\\openjdk-16 # "ERROR: Access to the registry path is denied." USER ContainerAdministrator RUN echo Updating PATH: %JAVA_HOME%\bin;%PATH% \ - && setx /M PATH %JAVA_HOME%\bin;%PATH% + && setx /M PATH %JAVA_HOME%\bin;%PATH% \ + && echo Complete. USER ContainerUser # https://jdk.java.net/ 
@@ -19,7 +26,8 @@ COPY --from=openjdk:16-ea-34-jdk-windowsservercore-1809 $JAVA_HOME $JAVA_HOME RUN echo Verifying install ... \ && echo javac --version && javac --version \ - && echo java --version && java --version + && echo java --version && java --version \ + && echo Complete. # "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) CMD ["jshell"] diff --git a/16/jdk/windows/windowsservercore-1809/Dockerfile b/16/jdk/windows/windowsservercore-1809/Dockerfile index 531c8ba4..70b4ebdf 100644 --- a/16/jdk/windows/windowsservercore-1809/Dockerfile +++ b/16/jdk/windows/windowsservercore-1809/Dockerfile @@ -1,9 +1,15 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:1809 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -# enable TLS 1.2 (Nano Server doesn't support using "[Net.ServicePointManager]::SecurityProtocol") +# enable TLS 1.2 # https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 # https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ 
@@ -14,13 +20,14 @@ RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-n New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ - New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' ENV JAVA_HOME C:\\openjdk-16 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://jdk.java.net/ # > diff --git a/16/jdk/windows/windowsservercore-ltsc2016/Dockerfile b/16/jdk/windows/windowsservercore-ltsc2016/Dockerfile index 17450fce..cff85b7d 100644 --- a/16/jdk/windows/windowsservercore-ltsc2016/Dockerfile +++ b/16/jdk/windows/windowsservercore-ltsc2016/Dockerfile 
@@ -1,9 +1,15 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:ltsc2016 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -# enable TLS 1.2 (Nano Server doesn't support using "[Net.ServicePointManager]::SecurityProtocol") +# enable TLS 1.2 # https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 # https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ @@ -14,13 +20,14 @@ RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-n New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ - New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' ENV JAVA_HOME C:\\openjdk-16 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://jdk.java.net/ # 
> diff --git a/Dockerfile-oracle-alpine.template b/17/jdk/alpine3.12/Dockerfile similarity index 69% rename from Dockerfile-oracle-alpine.template rename to 17/jdk/alpine3.12/Dockerfile index 504d5f51..899d4ce1 100644 --- a/Dockerfile-oracle-alpine.template +++ b/17/jdk/alpine3.12/Dockerfile @@ -1,22 +1,33 @@ -FROM alpine:placeholder +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + +FROM alpine:3.12 RUN apk add --no-cache java-cacerts -ENV JAVA_HOME placeholder +ENV JAVA_HOME /opt/openjdk-17 ENV PATH $JAVA_HOME/bin:$PATH # https://jdk.java.net/ # > # > Java Development Kit builds, from Oracle # > -ENV JAVA_VERSION placeholder +ENV JAVA_VERSION 17-ea+5 # "For Alpine Linux, builds are produced on a reduced schedule and may not be in sync with the other platforms." RUN set -eux; \ \ arch="$(apk --print-arch)"; \ -# this "case" statement is generated via "update.sh" - %%ARCH-CASE%%; \ + case "$arch" in \ + 'x86_64') \ + downloadUrl='https://download.java.net/java/early_access/alpine/5/binaries/openjdk-17-ea+5_linux-x64-musl_bin.tar.gz'; \ + downloadSha256='709daae3577453dba8e4ea03e8b52daeb11370648d2da1d012df527556c0cda2'; \ + ;; \ + *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ + esac; \ \ wget -O openjdk.tgz "$downloadUrl"; \ echo "$downloadSha256 *openjdk.tgz" | sha256sum -c -; \ @@ -28,10 +39,10 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ \ -# see "java-cacerts" package installed above (which maintains "/etc/ssl/certs/java/cacerts" for us) rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "java-cacerts" package installed above (which maintains "/etc/ssl/certs/java/cacerts" for us) ln -sT /etc/ssl/certs/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ \ # https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 
diff --git a/17/jdk/alpine3.13/Dockerfile b/17/jdk/alpine3.13/Dockerfile new file mode 100644 index 00000000..73022fc4 --- /dev/null +++ b/17/jdk/alpine3.13/Dockerfile @@ -0,0 +1,58 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + +FROM alpine:3.13 + +RUN apk add --no-cache java-cacerts + +ENV JAVA_HOME /opt/openjdk-17 +ENV PATH $JAVA_HOME/bin:$PATH + +# https://jdk.java.net/ +# > +# > Java Development Kit builds, from Oracle +# > +ENV JAVA_VERSION 17-ea+5 +# "For Alpine Linux, builds are produced on a reduced schedule and may not be in sync with the other platforms." + +RUN set -eux; \ + \ + arch="$(apk --print-arch)"; \ + case "$arch" in \ + 'x86_64') \ + downloadUrl='https://download.java.net/java/early_access/alpine/5/binaries/openjdk-17-ea+5_linux-x64-musl_bin.tar.gz'; \ + downloadSha256='709daae3577453dba8e4ea03e8b52daeb11370648d2da1d012df527556c0cda2'; \ + ;; \ + *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ + esac; \ + \ + wget -O openjdk.tgz "$downloadUrl"; \ + echo "$downloadSha256 *openjdk.tgz" | sha256sum -c -; \ + \ + mkdir -p "$JAVA_HOME"; \ + tar --extract \ + --file openjdk.tgz \ + --directory "$JAVA_HOME" \ + --strip-components 1 \ + --no-same-owner \ + ; \ + rm openjdk.tgz*; \ + \ + rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "java-cacerts" package installed above (which maintains "/etc/ssl/certs/java/cacerts" for us) + ln -sT /etc/ssl/certs/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ + \ +# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 +# https://openjdk.java.net/jeps/341 + java -Xshare:dump; \ + \ +# basic smoke test + fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ + javac --version; \ + java --version + +# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) +CMD ["jshell"] 
diff --git a/17/jdk/buster/Dockerfile b/17/jdk/buster/Dockerfile index 168effc9..901f8928 100644 --- a/17/jdk/buster/Dockerfile +++ b/17/jdk/buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM buildpack-deps:buster-scm RUN set -eux; \ @@ -7,27 +13,25 @@ RUN set -eux; \ unzip \ xz-utils \ \ -# utilities for keeping Debian and OpenJDK CA certificates in sync - ca-certificates p11-kit \ - \ # jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351 # Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory binutils \ + \ # java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 fontconfig libfreetype6 \ + \ +# utilities for keeping Debian and OpenJDK CA certificates in sync + ca-certificates p11-kit \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-17 ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://jdk.java.net/ # 
> @@ -38,23 +42,19 @@ ENV JAVA_VERSION 17-ea+7 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-aarch64_bin.tar.gz; \ - downloadSha256=f3f80fc9b41cfddd89d263ae66c0f514aaeb3db2eadd6c9bf3c31e1b2cdcf44e; \ + 'amd64') \ + downloadUrl='https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-x64_bin.tar.gz'; \ + downloadSha256='0e340613945c78b2eb714ba0850604a1a80a9678ba0e8d81f66629c0ca2c36b1'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-x64_bin.tar.gz; \ - downloadSha256=0e340613945c78b2eb714ba0850604a1a80a9678ba0e8d81f66629c0ca2c36b1; \ + 'arm64') \ + downloadUrl='https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-aarch64_bin.tar.gz'; \ + downloadSha256='f3f80fc9b41cfddd89d263ae66c0f514aaeb3db2eadd6c9bf3c31e1b2cdcf44e'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ echo "$downloadSha256 *openjdk.tgz" | sha256sum --strict --check -; \ \ mkdir -p "$JAVA_HOME"; \ @@ -64,7 +64,7 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ \ # update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) # see https://github.com/docker-library/openjdk/issues/327 
@@ -74,11 +74,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ diff --git a/17/jdk/oraclelinux7/Dockerfile b/17/jdk/oraclelinux7/Dockerfile index 4cbb6ae5..cd886f8c 100644 --- a/17/jdk/oraclelinux7/Dockerfile +++ b/17/jdk/oraclelinux7/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM oraclelinux:7-slim RUN set -eux; \ @@ -14,12 +20,12 @@ RUN set -eux; \ ; \ rm -rf /var/cache/yum -# Default to UTF-8 file.encoding -ENV LANG en_US.UTF-8 - ENV JAVA_HOME /usr/java/openjdk-17 ENV PATH $JAVA_HOME/bin:$PATH +# Default to UTF-8 file.encoding +ENV LANG en_US.UTF-8 + # https://jdk.java.net/ # > # > Java Development Kit builds, from Oracle 
@@ -28,21 +34,16 @@ ENV JAVA_VERSION 17-ea+7 RUN set -eux; \ \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" + arch="$(objdump="$(command -v objdump)" && objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-aarch64_bin.tar.gz; \ - downloadSha256=f3f80fc9b41cfddd89d263ae66c0f514aaeb3db2eadd6c9bf3c31e1b2cdcf44e; \ + 'i386:x86-64') \ + downloadUrl='https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-x64_bin.tar.gz'; \ + downloadSha256='0e340613945c78b2eb714ba0850604a1a80a9678ba0e8d81f66629c0ca2c36b1'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-x64_bin.tar.gz; \ - downloadSha256=0e340613945c78b2eb714ba0850604a1a80a9678ba0e8d81f66629c0ca2c36b1; \ + 'aarch64') \ + downloadUrl='https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-aarch64_bin.tar.gz'; \ + downloadSha256='f3f80fc9b41cfddd89d263ae66c0f514aaeb3db2eadd6c9bf3c31e1b2cdcf44e'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ @@ -56,7 +57,11 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ + \ + rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "update-ca-trust" script which creates/maintains this cacerts bundle + ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ \ # https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 ln -sfT "$JAVA_HOME" /usr/java/default; \ 
@@ -71,10 +76,6 @@ RUN set -eux; \ # https://openjdk.java.net/jeps/341 java -Xshare:dump; \ \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$JAVA_HOME/lib/security/cacerts"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ - \ # basic smoke test fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ javac --version; \ diff --git a/17/jdk/oraclelinux8/Dockerfile b/17/jdk/oraclelinux8/Dockerfile index 3b10f3bc..a6ab25fb 100644 --- a/17/jdk/oraclelinux8/Dockerfile +++ b/17/jdk/oraclelinux8/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM oraclelinux:8-slim RUN set -eux; \ @@ -14,12 +20,12 @@ RUN set -eux; \ ; \ microdnf clean all -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/java/openjdk-17 ENV PATH $JAVA_HOME/bin:$PATH +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 + # https://jdk.java.net/ # > # > Java Development Kit builds, from Oracle 
@@ -28,21 +34,16 @@ ENV JAVA_VERSION 17-ea+7 RUN set -eux; \ \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" + arch="$(objdump="$(command -v objdump)" && objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-aarch64_bin.tar.gz; \ - downloadSha256=f3f80fc9b41cfddd89d263ae66c0f514aaeb3db2eadd6c9bf3c31e1b2cdcf44e; \ + 'i386:x86-64') \ + downloadUrl='https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-x64_bin.tar.gz'; \ + downloadSha256='0e340613945c78b2eb714ba0850604a1a80a9678ba0e8d81f66629c0ca2c36b1'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-x64_bin.tar.gz; \ - downloadSha256=0e340613945c78b2eb714ba0850604a1a80a9678ba0e8d81f66629c0ca2c36b1; \ + 'aarch64') \ + downloadUrl='https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-aarch64_bin.tar.gz'; \ + downloadSha256='f3f80fc9b41cfddd89d263ae66c0f514aaeb3db2eadd6c9bf3c31e1b2cdcf44e'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ @@ -56,7 +57,11 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ + \ + rm -rf "$JAVA_HOME/lib/security/cacerts"; \ +# see "update-ca-trust" script which creates/maintains this cacerts bundle + ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ \ # https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 ln -sfT "$JAVA_HOME" /usr/java/default; \ 
@@ -71,10 +76,6 @@ RUN set -eux; \ # https://openjdk.java.net/jeps/341 java -Xshare:dump; \ \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$JAVA_HOME/lib/security/cacerts"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ - \ # basic smoke test fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ javac --version; \ diff --git a/17/jdk/slim-buster/Dockerfile b/17/jdk/slim-buster/Dockerfile index 71c789d7..85050c85 100644 --- a/17/jdk/slim-buster/Dockerfile +++ b/17/jdk/slim-buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM debian:buster-slim RUN set -eux; \ @@ -8,14 +14,11 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-17 ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://jdk.java.net/ # 
> @@ -26,19 +29,15 @@ ENV JAVA_VERSION 17-ea+7 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# arm64v8 - arm64 | aarch64) \ - downloadUrl=https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-aarch64_bin.tar.gz; \ - downloadSha256=f3f80fc9b41cfddd89d263ae66c0f514aaeb3db2eadd6c9bf3c31e1b2cdcf44e; \ + 'amd64') \ + downloadUrl='https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-x64_bin.tar.gz'; \ + downloadSha256='0e340613945c78b2eb714ba0850604a1a80a9678ba0e8d81f66629c0ca2c36b1'; \ ;; \ -# amd64 - amd64 | i386:x86-64) \ - downloadUrl=https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-x64_bin.tar.gz; \ - downloadSha256=0e340613945c78b2eb714ba0850604a1a80a9678ba0e8d81f66629c0ca2c36b1; \ + 'arm64') \ + downloadUrl='https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-aarch64_bin.tar.gz'; \ + downloadSha256='f3f80fc9b41cfddd89d263ae66c0f514aaeb3db2eadd6c9bf3c31e1b2cdcf44e'; \ ;; \ -# fallback *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ @@ -49,7 +48,7 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/*; \ \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ echo "$downloadSha256 *openjdk.tgz" | sha256sum --strict --check -; \ \ mkdir -p "$JAVA_HOME"; \ @@ -59,7 +58,7 @@ RUN set -eux; \ --strip-components 1 \ --no-same-owner \ ; \ - rm openjdk.tgz; \ + rm openjdk.tgz*; \ \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ 
@@ -73,11 +72,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ diff --git a/17/jdk/windows/nanoserver-1809/Dockerfile b/17/jdk/windows/nanoserver-1809/Dockerfile index 8e31ba3b..63b9e68e 100644 --- a/17/jdk/windows/nanoserver-1809/Dockerfile +++ b/17/jdk/windows/nanoserver-1809/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/nanoserver:1809 SHELL ["cmd", "/s", "/c"] @@ -6,7 +12,8 @@ ENV JAVA_HOME C:\\openjdk-17 # "ERROR: Access to the registry path is denied." USER ContainerAdministrator RUN echo Updating PATH: %JAVA_HOME%\bin;%PATH% \ - && setx /M PATH %JAVA_HOME%\bin;%PATH% + && setx /M PATH %JAVA_HOME%\bin;%PATH% \ + && echo Complete. USER ContainerUser # https://jdk.java.net/ 
@@ -19,7 +26,8 @@ COPY --from=openjdk:17-ea-7-jdk-windowsservercore-1809 $JAVA_HOME $JAVA_HOME RUN echo Verifying install ... \ && echo javac --version && javac --version \ - && echo java --version && java --version + && echo java --version && java --version \ + && echo Complete. # "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) CMD ["jshell"] diff --git a/17/jdk/windows/windowsservercore-1809/Dockerfile b/17/jdk/windows/windowsservercore-1809/Dockerfile index 9cb8830a..7cb1ae18 100644 --- a/17/jdk/windows/windowsservercore-1809/Dockerfile +++ b/17/jdk/windows/windowsservercore-1809/Dockerfile @@ -1,9 +1,15 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:1809 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -# enable TLS 1.2 (Nano Server doesn't support using "[Net.ServicePointManager]::SecurityProtocol") +# enable TLS 1.2 # https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 # https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ 
@@ -14,13 +20,14 @@ RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-n New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ - New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' ENV JAVA_HOME C:\\openjdk-17 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://jdk.java.net/ # > diff --git a/17/jdk/windows/windowsservercore-ltsc2016/Dockerfile b/17/jdk/windows/windowsservercore-ltsc2016/Dockerfile index d1e1c0e8..6972bd3c 100644 --- a/17/jdk/windows/windowsservercore-ltsc2016/Dockerfile +++ b/17/jdk/windows/windowsservercore-ltsc2016/Dockerfile 
@@ -1,9 +1,15 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:ltsc2016 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -# enable TLS 1.2 (Nano Server doesn't support using "[Net.ServicePointManager]::SecurityProtocol") +# enable TLS 1.2 # https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 # https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ @@ -14,13 +20,14 @@ RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-n New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ - New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' ENV JAVA_HOME C:\\openjdk-17 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://jdk.java.net/ # > diff --git a/8/jdk/buster/Dockerfile b/8/jdk/buster/Dockerfile index d199ed1b..d8e7bf62 100644 --- a/8/jdk/buster/Dockerfile +++ b/8/jdk/buster/Dockerfile 
@@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM buildpack-deps:buster-scm RUN set -eux; \ @@ -7,24 +13,22 @@ RUN set -eux; \ unzip \ xz-utils \ \ -# utilities for keeping Debian and OpenJDK CA certificates in sync - ca-certificates p11-kit \ - \ # java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 fontconfig libfreetype6 \ + \ +# utilities for keeping Debian and OpenJDK CA certificates in sync + ca-certificates p11-kit \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-8 +RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] # backwards compatibility ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://adoptopenjdk.net/upstream.html # 
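Review bot: The `docker-java-home` shim added in this hunk writes `#/bin/sh` as its first line, which is a comment rather than a shebang because the `!` is missing. The inline test `[ "$JAVA_HOME" = "$(docker-java-home)" ]` still passes because the calling shell falls back to interpreting the file itself, but a caller that executes the file directly would presumably get an exec format error. The first echo should be `echo '#!/bin/sh'`. The same line is added in 8/jdk/slim-buster, and the fix belongs in the template since the file is generated.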
> @@ -43,24 +47,24 @@ ENV JAVA_VERSION 8u282 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jdk_x64_linux_8u282b08.tar.gz ;; \ -# fallback + 'amd64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jdk_x64_linux_8u282b08.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ - wget -O openjdk.tgz.asc "$downloadUrl.sign"; \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ + wget --progress=dot:giga -O openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ +# pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it +# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) +# we pre-fetch this so that the signature it makes on the OpenJDK key can survive "import-clean" in gpg + gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ # TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? 
# no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ -# also verify that key was signed by Andrew Haley (the OpenJDK 8 and 11 Updates OpenJDK project lead) -# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ | tee /dev/stderr \ | grep '0xA5CD6035332FA671' \ @@ -78,8 +82,6 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? - \ # update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) # see https://github.com/docker-library/openjdk/issues/327 # http://rabexc.org/posts/certificates-not-working-java#comment-4099504075 
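Review bot: The trust check on the OpenJDK signing key is `gpg --batch --list-sigs ... | grep '0xA5CD6035332FA671'`, and `--list-sigs` only lists the signatures attached to a key without verifying them, so the grep would also match a signature that does not verify. `--check-sigs` verifies each signature against the pre-fetched key and marks good ones `sig!`. Switching to `gpg --batch --check-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F` and matching only `sig!` lines that carry `0xA5CD6035332FA671` would make the reordered pre-fetch meaningful. The rest of the pipeline is outside the hunk, so confirm what follows the grep before changing it. The same lines appear in the 8/jdk/slim-buster hunk.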
@@ -88,11 +90,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/jre/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ diff --git a/8/jdk/oraclelinux7/Dockerfile b/8/jdk/oraclelinux7/Dockerfile index 36c788b6..dec5ff69 100644 --- a/8/jdk/oraclelinux7/Dockerfile +++ b/8/jdk/oraclelinux7/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM oraclelinux:7-slim RUN set -eux; \ @@ -14,12 +20,12 @@ RUN set -eux; \ ; \ rm -rf /var/cache/yum -# Default to UTF-8 file.encoding -ENV LANG en_US.UTF-8 - ENV JAVA_HOME /usr/java/openjdk-8 ENV PATH $JAVA_HOME/bin:$PATH +# Default to UTF-8 file.encoding +ENV LANG en_US.UTF-8 + # https://adoptopenjdk.net/upstream.html # > # > What are these binaries? 
@@ -36,18 +42,16 @@ ENV JAVA_VERSION 8u282 RUN set -eux; \ \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" + arch="$(objdump="$(command -v objdump)" && objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ case "$arch" in \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jdk_x64_linux_8u282b08.tar.gz ;; \ -# fallback + 'i386:x86-64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jdk_x64_linux_8u282b08.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ - curl -fL -o openjdk.tgz.asc "$downloadUrl.sign"; \ curl -fL -o openjdk.tgz "$downloadUrl"; \ + curl -fL -o openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ # pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it @@ -73,7 +77,9 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? + rm -rf "$JAVA_HOME/jre/lib/security/cacerts"; \ +# see "update-ca-trust" script which creates/maintains this cacerts bundle + ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/jre/lib/security/cacerts"; \ \ # https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 ln -sfT "$JAVA_HOME" /usr/java/default; \ 
@@ -84,13 +90,6 @@ RUN set -eux; \ alternatives --install "/usr/bin/$base" "$base" "$bin" 20000; \ done; \ \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done; \ - if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi; \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$cacertsFile"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$cacertsFile"; \ - \ # basic smoke test javac -version; \ java -version diff --git a/8/jdk/oraclelinux8/Dockerfile b/8/jdk/oraclelinux8/Dockerfile index 12f27a5a..6aa9b83c 100644 --- a/8/jdk/oraclelinux8/Dockerfile +++ b/8/jdk/oraclelinux8/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM oraclelinux:8-slim RUN set -eux; \ @@ -14,12 +20,12 @@ RUN set -eux; \ ; \ microdnf clean all -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/java/openjdk-8 ENV PATH $JAVA_HOME/bin:$PATH +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 + # https://adoptopenjdk.net/upstream.html # > # > What are these binaries? 
@@ -36,18 +42,16 @@ ENV JAVA_VERSION 8u282 RUN set -eux; \ \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" + arch="$(objdump="$(command -v objdump)" && objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ case "$arch" in \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jdk_x64_linux_8u282b08.tar.gz ;; \ -# fallback + 'i386:x86-64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jdk_x64_linux_8u282b08.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ - curl -fL -o openjdk.tgz.asc "$downloadUrl.sign"; \ curl -fL -o openjdk.tgz "$downloadUrl"; \ + curl -fL -o openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ # pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it @@ -73,7 +77,9 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? + rm -rf "$JAVA_HOME/jre/lib/security/cacerts"; \ +# see "update-ca-trust" script which creates/maintains this cacerts bundle + ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/jre/lib/security/cacerts"; \ \ # https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 ln -sfT "$JAVA_HOME" /usr/java/default; \ 
@@ -84,13 +90,6 @@ RUN set -eux; \ alternatives --install "/usr/bin/$base" "$base" "$bin" 20000; \ done; \ \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done; \ - if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi; \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$cacertsFile"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$cacertsFile"; \ - \ # basic smoke test javac -version; \ java -version diff --git a/8/jdk/slim-buster/Dockerfile b/8/jdk/slim-buster/Dockerfile index e6fd6785..ee87a456 100644 --- a/8/jdk/slim-buster/Dockerfile +++ b/8/jdk/slim-buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM debian:buster-slim RUN set -eux; \ @@ -8,14 +14,12 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-8 +RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] # backwards compatibility ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://adoptopenjdk.net/upstream.html # 
> @@ -34,11 +38,10 @@ ENV JAVA_VERSION 8u282 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jdk_x64_linux_8u282b08.tar.gz ;; \ -# fallback + 'amd64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jdk_x64_linux_8u282b08.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ 
@@ -51,16 +54,17 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/*; \ \ - wget -O openjdk.tgz.asc "$downloadUrl.sign"; \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ + wget --progress=dot:giga -O openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ +# pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it +# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) +# we pre-fetch this so that the signature it makes on the OpenJDK key can survive "import-clean" in gpg + gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ # TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? # no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ -# also verify that key was signed by Andrew Haley (the OpenJDK 8 and 11 Updates OpenJDK project lead) -# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ | tee /dev/stderr \ | grep '0xA5CD6035332FA671' \ 
@@ -78,8 +82,6 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? - \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ @@ -92,11 +94,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/jre/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ diff --git a/8/jdk/windows/nanoserver-1809/Dockerfile b/8/jdk/windows/nanoserver-1809/Dockerfile index efc22926..98639b22 100644 --- a/8/jdk/windows/nanoserver-1809/Dockerfile +++ b/8/jdk/windows/nanoserver-1809/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/nanoserver:1809 SHELL ["cmd", "/s", "/c"] 
@@ -6,7 +12,8 @@ ENV JAVA_HOME C:\\openjdk-8 # "ERROR: Access to the registry path is denied." USER ContainerAdministrator RUN echo Updating PATH: %JAVA_HOME%\bin;%PATH% \ - && setx /M PATH %JAVA_HOME%\bin;%PATH% + && setx /M PATH %JAVA_HOME%\bin;%PATH% \ + && echo Complete. USER ContainerUser # https://adoptopenjdk.net/upstream.html @@ -27,4 +34,5 @@ COPY --from=openjdk:8u282-jdk-windowsservercore-1809 $JAVA_HOME $JAVA_HOME RUN echo Verifying install ... \ && echo javac -version && javac -version \ - && echo java -version && java -version + && echo java -version && java -version \ + && echo Complete. diff --git a/8/jdk/windows/windowsservercore-1809/Dockerfile b/8/jdk/windows/windowsservercore-1809/Dockerfile index 16dcd721..b38cc080 100644 --- a/8/jdk/windows/windowsservercore-1809/Dockerfile +++ b/8/jdk/windows/windowsservercore-1809/Dockerfile 
@@ -1,13 +1,33 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:1809 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] +# enable TLS 1.2 +# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 +# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 +RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ + $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \ + if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \ + New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \ + New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' + ENV JAVA_HOME C:\\openjdk-8 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://adoptopenjdk.net/upstream.html # > diff --git a/8/jdk/windows/windowsservercore-ltsc2016/Dockerfile b/8/jdk/windows/windowsservercore-ltsc2016/Dockerfile index 559964ba..6caeabca 100644 
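Review bot: The comment above the new `RUN` says only "enable TLS 1.2" and leaves out two things a maintainer needs to know. The step adds SCHANNEL keys for TLS 1.2 only, so every older protocol version keeps the base image's default, and the `Test-Path` check makes the build fail if the key already exists, presumably so the step gets dropped once the base image ships it. I would extend the comment to something like `# adds TLS 1.2 to SCHANNEL only (older protocols keep the base image defaults); fails deliberately if the key already exists`. Whether a later download step depends on this cannot be seen from the hunk. The same block is added to the other three windowsservercore Dockerfiles (8/jdk ltsc2016, 8/jre 1809 and ltsc2016), and since these files are generated the comment belongs in the template they are rendered from.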
--- a/8/jdk/windows/windowsservercore-ltsc2016/Dockerfile +++ b/8/jdk/windows/windowsservercore-ltsc2016/Dockerfile @@ -1,13 +1,33 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:ltsc2016 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] +# enable TLS 1.2 +# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 +# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 +RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ + $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \ + if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \ + New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \ + New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' + ENV JAVA_HOME C:\\openjdk-8 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://adoptopenjdk.net/upstream.html # 
> diff --git a/8/jre/buster/Dockerfile b/8/jre/buster/Dockerfile index 01549499..55c0175c 100644 --- a/8/jre/buster/Dockerfile +++ b/8/jre/buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM buildpack-deps:buster-curl RUN set -eux; \ @@ -7,24 +13,22 @@ RUN set -eux; \ unzip \ xz-utils \ \ -# utilities for keeping Debian and OpenJDK CA certificates in sync - ca-certificates p11-kit \ - \ # java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 fontconfig libfreetype6 \ + \ +# utilities for keeping Debian and OpenJDK CA certificates in sync + ca-certificates p11-kit \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-8 +RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] # backwards compatibility ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://adoptopenjdk.net/upstream.html # 
> @@ -43,24 +47,24 @@ ENV JAVA_VERSION 8u282 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jre_x64_linux_8u282b08.tar.gz ;; \ -# fallback + 'amd64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jre_x64_linux_8u282b08.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ - wget -O openjdk.tgz.asc "$downloadUrl.sign"; \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ + wget --progress=dot:giga -O openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ +# pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it +# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) +# we pre-fetch this so that the signature it makes on the OpenJDK key can survive "import-clean" in gpg + gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ # TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? 
# no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ -# also verify that key was signed by Andrew Haley (the OpenJDK 8 and 11 Updates OpenJDK project lead) -# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ | tee /dev/stderr \ | grep '0xA5CD6035332FA671' \ @@ -78,8 +82,6 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? - \ # update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) # see https://github.com/docker-library/openjdk/issues/327 # http://rabexc.org/posts/certificates-not-working-java#comment-4099504075 
@@ -88,11 +90,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ diff --git a/8/jre/slim-buster/Dockerfile b/8/jre/slim-buster/Dockerfile index c6c3aba1..bc540a85 100644 --- a/8/jre/slim-buster/Dockerfile +++ b/8/jre/slim-buster/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM debian:buster-slim RUN set -eux; \ 
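Review bot: The generated update hook now passes `"$JAVA_HOME/lib/security/cacerts"` straight to `trust extract --overwrite`, whereas the removed lines refused to run unless an existing cacerts file was found. `set -u` still stops the hook when JAVA_HOME is unset. But if a derived image points JAVA_HOME at a different JDK layout, the hook may write a keystore the JVM never reads or fail with a less clear message, leaving the Java trust store out of step with Debian's CA set. Keeping one guard line costs little: `echo 'if ! [ -f "$JAVA_HOME/lib/security/cacerts" ]; then echo >&2 "error: no cacerts file in $JAVA_HOME"; exit 1; fi'; \`. The same applies to the two `@@ -92,11 +94,7 @@` hunks (one of them with the `jre/` path); the enclosing `RUN` starts and ends outside the hunk, and since the file is generated the line belongs in the template.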
@@ -8,14 +14,12 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/* -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - ENV JAVA_HOME /usr/local/openjdk-8 +RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] # backwards compatibility ENV PATH $JAVA_HOME/bin:$PATH -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] +# Default to UTF-8 file.encoding +ENV LANG C.UTF-8 # https://adoptopenjdk.net/upstream.html # > @@ -34,11 +38,10 @@ ENV JAVA_VERSION 8u282 RUN set -eux; \ \ arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" case "$arch" in \ -# amd64 - amd64 | i386:x86-64) downloadUrl=https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jre_x64_linux_8u282b08.tar.gz ;; \ -# fallback + 'amd64') \ + downloadUrl='https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jre_x64_linux_8u282b08.tar.gz'; \ + ;; \ *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ esac; \ \ 
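Review bot: The moved shim line still writes `#/bin/sh` as the first line of `/usr/local/bin/docker-java-home`, which is a plain comment rather than a `#!` interpreter line. The self-test `[ "$JAVA_HOME" = "$(docker-java-home)" ]` passes because the calling shell falls back to interpreting the file itself, but a caller that executes the file directly without a shell gets an exec format error. Since the line is being moved anyway, `echo '#!/bin/sh'` fixes it. 8/jre/buster carries the same line, and the change belongs in the template these Dockerfiles are generated from.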
@@ -51,16 +54,17 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/*; \ \ - wget -O openjdk.tgz.asc "$downloadUrl.sign"; \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ + wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; \ + wget --progress=dot:giga -O openjdk.tgz.asc "$downloadUrl.sign"; \ \ export GNUPGHOME="$(mktemp -d)"; \ +# pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it +# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) +# we pre-fetch this so that the signature it makes on the OpenJDK key can survive "import-clean" in gpg + gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ # TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? # no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ -# also verify that key was signed by Andrew Haley (the OpenJDK 8 and 11 Updates OpenJDK project lead) -# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ | tee /dev/stderr \ | grep '0xA5CD6035332FA671' \ 
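Review bot: The check that the release key carries Andrew Haley's certification still pipes `gpg --batch --list-sigs` into `grep`, and `--list-sigs` prints the signatures on a key without verifying them. The greps therefore confirm only that a signature naming `0xA5CD6035332FA671` is listed, not that it is valid. Now that the signer's key is fetched first, `gpg --batch --check-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F` can verify it, and the first grep can require the good-signature marker, e.g. `grep '^sig!.*0xA5CD6035332FA671'`. The release key is already pinned by full fingerprint in `--recv-keys`, so this hardens a secondary check rather than the primary one. The pipeline's last stage is outside the hunk, and the `@@ -43,24 +47,24 @@` hunk of 8/jre/buster has the same lines.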
@@ -78,8 +82,6 @@ RUN set -eux; \ ; \ rm openjdk.tgz*; \ \ -# TODO strip "demo" and "man" folders? - \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ @@ -92,11 +94,7 @@ RUN set -eux; \ { \ echo '#!/usr/bin/env bash'; \ echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \ } > /etc/ca-certificates/update.d/docker-openjdk; \ chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ /etc/ca-certificates/update.d/docker-openjdk; \ diff --git a/8/jre/windows/nanoserver-1809/Dockerfile b/8/jre/windows/nanoserver-1809/Dockerfile index 7aa9925e..9ae37986 100644 --- a/8/jre/windows/nanoserver-1809/Dockerfile +++ b/8/jre/windows/nanoserver-1809/Dockerfile @@ -1,3 +1,9 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/nanoserver:1809 SHELL ["cmd", "/s", "/c"] 
@@ -6,7 +12,8 @@ ENV JAVA_HOME C:\\openjdk-8 # "ERROR: Access to the registry path is denied." USER ContainerAdministrator RUN echo Updating PATH: %JAVA_HOME%\bin;%PATH% \ - && setx /M PATH %JAVA_HOME%\bin;%PATH% + && setx /M PATH %JAVA_HOME%\bin;%PATH% \ + && echo Complete. USER ContainerUser # https://adoptopenjdk.net/upstream.html @@ -26,4 +33,5 @@ ENV JAVA_VERSION 8u282 COPY --from=openjdk:8u282-jre-windowsservercore-1809 $JAVA_HOME $JAVA_HOME RUN echo Verifying install ... \ - && echo java -version && java -version + && echo java -version && java -version \ + && echo Complete. diff --git a/8/jre/windows/windowsservercore-1809/Dockerfile b/8/jre/windows/windowsservercore-1809/Dockerfile index 336164d5..f7e23491 100644 --- a/8/jre/windows/windowsservercore-1809/Dockerfile +++ b/8/jre/windows/windowsservercore-1809/Dockerfile 
@@ -1,13 +1,33 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:1809 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] +# enable TLS 1.2 +# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 +# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 +RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ + $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \ + if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \ + New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \ + New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' + ENV JAVA_HOME C:\\openjdk-8 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://adoptopenjdk.net/upstream.html # > diff --git a/8/jre/windows/windowsservercore-ltsc2016/Dockerfile b/8/jre/windows/windowsservercore-ltsc2016/Dockerfile index afcc174e..61ec93ee 100644 
--- a/8/jre/windows/windowsservercore-ltsc2016/Dockerfile +++ b/8/jre/windows/windowsservercore-ltsc2016/Dockerfile @@ -1,13 +1,33 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM mcr.microsoft.com/windows/servercore:ltsc2016 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] +# enable TLS 1.2 +# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 +# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 +RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ + $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \ + if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \ + New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \ + New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' + ENV JAVA_HOME C:\\openjdk-8 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath + setx /M PATH $newPath; \ + Write-Host 'Complete.' # https://adoptopenjdk.net/upstream.html # 
>
diff --git a/Dockerfile-adopt-debian-slim.template b/Dockerfile-adopt-debian-slim.template
deleted file mode 100644
index ee3014c1..00000000
--- a/Dockerfile-adopt-debian-slim.template
+++ /dev/null
@@ -1,109 +0,0 @@ -FROM debian:placeholder-slim - -RUN set -eux; \ - apt-get update; \ - apt-get install -y --no-install-recommends \ -# utilities for keeping Debian and OpenJDK CA certificates in sync - ca-certificates p11-kit \ - ; \ - rm -rf /var/lib/apt/lists/* - -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - -ENV JAVA_HOME placeholder -ENV PATH $JAVA_HOME/bin:$PATH - -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] - -# https://adoptopenjdk.net/upstream.html -# > -# > What are these binaries? -# > -# > These binaries are built by Red Hat on their infrastructure on behalf of the OpenJDK jdk8u and jdk11u projects. The binaries are created from the unmodified source code at OpenJDK. Although no formal support agreement is provided, please report any bugs you may find to https://bugs.java.com/. -# > -ENV JAVA_VERSION placeholder -# https://github.com/docker-library/openjdk/issues/320#issuecomment-494050246 -# > -# > I am the OpenJDK 8 and 11 Updates OpenJDK project lead. -# > ... -# > While it is true that the OpenJDK Governing Board has not sanctioned those releases, they (or rather we, since I am a member) didn't sanction Oracle's OpenJDK releases either. As far as I am aware, the lead of an OpenJDK project is entitled to release binary builds, and there is clearly a need for them. 
-# > - -RUN set -eux; \ - \ - arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" - %%ARCH-CASE%%; \ - \ - savedAptMark="$(apt-mark showmanual)"; \ - apt-get update; \ - apt-get install -y --no-install-recommends \ - dirmngr \ - gnupg \ - wget \ - ; \ - rm -rf /var/lib/apt/lists/*; \ - \ - wget -O openjdk.tgz.asc "$downloadUrl.sign"; \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ - \ - export GNUPGHOME="$(mktemp -d)"; \ -# TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? -# no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 - gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ -# also verify that key was signed by Andrew Haley (the OpenJDK 8 and 11 Updates OpenJDK project lead) -# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ - gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ - | tee /dev/stderr \ - | grep '0xA5CD6035332FA671' \ - | grep 'Andrew Haley'; \ - gpg --batch --verify openjdk.tgz.asc openjdk.tgz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME"; \ - \ - mkdir -p "$JAVA_HOME"; \ - tar --extract \ - --file openjdk.tgz \ - --directory "$JAVA_HOME" \ - --strip-components 1 \ - --no-same-owner \ - ; \ - rm openjdk.tgz*; \ - \ -# TODO strip "demo" and "man" folders? 
- \ - apt-mark auto '.*' > /dev/null; \ - [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - \ -# update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) -# see https://github.com/docker-library/openjdk/issues/327 -# http://rabexc.org/posts/certificates-not-working-java#comment-4099504075 -# https://salsa.debian.org/java-team/ca-certificates-java/blob/3e51a84e9104823319abeb31f880580e46f45a98/debian/jks-keystore.hook.in -# https://git.alpinelinux.org/aports/tree/community/java-cacerts/APKBUILD?id=761af65f38b4570093461e6546dcf6b179d2b624#n29 - { \ - echo '#!/usr/bin/env bash'; \ - echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! 
[ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ - } > /etc/ca-certificates/update.d/docker-openjdk; \ - chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ - /etc/ca-certificates/update.d/docker-openjdk; \ - \ -# https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472 - find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ - ldconfig; \ - \ -# basic smoke test - fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ - javac --version; \ - java --version - -# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) -CMD ["jshell"] diff --git a/Dockerfile-adopt-debian.template b/Dockerfile-adopt-debian.template deleted file mode 100644 index e42a7c7b..00000000 --- a/Dockerfile-adopt-debian.template +++ /dev/null 
@@ -1,105 +0,0 @@ -FROM buildpack-deps:placeholder - -RUN set -eux; \ - apt-get update; \ - apt-get install -y --no-install-recommends \ - bzip2 \ - unzip \ - xz-utils \ - \ -# utilities for keeping Debian and OpenJDK CA certificates in sync - ca-certificates p11-kit \ - \ -# java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory -# java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager -# https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 - fontconfig libfreetype6 \ - ; \ - rm -rf /var/lib/apt/lists/* - -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - -ENV JAVA_HOME placeholder -ENV PATH $JAVA_HOME/bin:$PATH - -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] - -# https://adoptopenjdk.net/upstream.html -# > -# > What are these binaries? -# > -# > These binaries are built by Red Hat on their infrastructure on behalf of the OpenJDK jdk8u and jdk11u projects. The binaries are created from the unmodified source code at OpenJDK. Although no formal support agreement is provided, please report any bugs you may find to https://bugs.java.com/. -# > -ENV JAVA_VERSION placeholder -# https://github.com/docker-library/openjdk/issues/320#issuecomment-494050246 -# > -# > I am the OpenJDK 8 and 11 Updates OpenJDK project lead. -# > ... -# > While it is true that the OpenJDK Governing Board has not sanctioned those releases, they (or rather we, since I am a member) didn't sanction Oracle's OpenJDK releases either. As far as I am aware, the lead of an OpenJDK project is entitled to release binary builds, and there is clearly a need for them. 
-# > - -RUN set -eux; \ - \ - arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" - %%ARCH-CASE%%; \ - \ - wget -O openjdk.tgz.asc "$downloadUrl.sign"; \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ - \ - export GNUPGHOME="$(mktemp -d)"; \ -# TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? -# no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 - gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ -# also verify that key was signed by Andrew Haley (the OpenJDK 8 and 11 Updates OpenJDK project lead) -# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ - gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ - | tee /dev/stderr \ - | grep '0xA5CD6035332FA671' \ - | grep 'Andrew Haley'; \ - gpg --batch --verify openjdk.tgz.asc openjdk.tgz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME"; \ - \ - mkdir -p "$JAVA_HOME"; \ - tar --extract \ - --file openjdk.tgz \ - --directory "$JAVA_HOME" \ - --strip-components 1 \ - --no-same-owner \ - ; \ - rm openjdk.tgz*; \ - \ -# TODO strip "demo" and "man" folders? 
- \ -# update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) -# see https://github.com/docker-library/openjdk/issues/327 -# http://rabexc.org/posts/certificates-not-working-java#comment-4099504075 -# https://salsa.debian.org/java-team/ca-certificates-java/blob/3e51a84e9104823319abeb31f880580e46f45a98/debian/jks-keystore.hook.in -# https://git.alpinelinux.org/aports/tree/community/java-cacerts/APKBUILD?id=761af65f38b4570093461e6546dcf6b179d2b624#n29 - { \ - echo '#!/usr/bin/env bash'; \ - echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ - } > /etc/ca-certificates/update.d/docker-openjdk; \ - chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ - /etc/ca-certificates/update.d/docker-openjdk; \ - \ -# https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472 - find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ - ldconfig; \ - \ -# basic smoke test - fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ - javac --version; \ - java --version - -# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) -CMD ["jshell"] 
diff --git a/Dockerfile-adopt-oraclelinux.template b/Dockerfile-adopt-oraclelinux.template
deleted file mode 100644
index f0a2113b..00000000
--- a/Dockerfile-adopt-oraclelinux.template
+++ /dev/null
@@ -1,95 +0,0 @@ -FROM oraclelinux:placeholder-slim - -RUN set -eux; \ - microdnf install \ - gzip \ - tar \ - \ -# jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351 -# Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory - binutils \ -# java.lang.UnsatisfiedLinkError: /usr/java/openjdk-12/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory -# https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 - freetype fontconfig \ - ; \ - microdnf clean all - -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - -ENV JAVA_HOME placeholder -ENV PATH $JAVA_HOME/bin:$PATH - -# https://adoptopenjdk.net/upstream.html -# > -# > What are these binaries? -# > -# > These binaries are built by Red Hat on their infrastructure on behalf of the OpenJDK jdk8u and jdk11u projects. The binaries are created from the unmodified source code at OpenJDK. Although no formal support agreement is provided, please report any bugs you may find to https://bugs.java.com/. -# > -ENV JAVA_VERSION placeholder -# https://github.com/docker-library/openjdk/issues/320#issuecomment-494050246 -# > -# > I am the OpenJDK 8 and 11 Updates OpenJDK project lead. -# > ... -# > While it is true that the OpenJDK Governing Board has not sanctioned those releases, they (or rather we, since I am a member) didn't sanction Oracle's OpenJDK releases either. As far as I am aware, the lead of an OpenJDK project is entitled to release binary builds, and there is clearly a need for them. 
-# > - -RUN set -eux; \ - \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" - %%ARCH-CASE%%; \ - \ - curl -fL -o openjdk.tgz.asc "$downloadUrl.sign"; \ - curl -fL -o openjdk.tgz "$downloadUrl"; \ - \ - export GNUPGHOME="$(mktemp -d)"; \ -# pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it -# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) -# we pre-fetch this so that the signature it makes on the OpenJDK key can survive "import-clean" in gpg - gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ -# TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? -# no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 - gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ - gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ - | tee /dev/stderr \ - | grep '0xA5CD6035332FA671' \ - | grep 'Andrew Haley'; \ - gpg --batch --verify openjdk.tgz.asc openjdk.tgz; \ - rm -rf "$GNUPGHOME"; \ - \ - mkdir -p "$JAVA_HOME"; \ - tar --extract \ - --file openjdk.tgz \ - --directory "$JAVA_HOME" \ - --strip-components 1 \ - --no-same-owner \ - ; \ - rm openjdk.tgz*; \ - \ -# TODO strip "demo" and "man" folders? 
- \ -# https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 - ln -sfT "$JAVA_HOME" /usr/java/default; \ - ln -sfT "$JAVA_HOME" /usr/java/latest; \ - for bin in "$JAVA_HOME/bin/"*; do \ - base="$(basename "$bin")"; \ - [ ! -e "/usr/bin/$base" ]; \ - alternatives --install "/usr/bin/$base" "$base" "$bin" 20000; \ - done; \ - \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done; \ - if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi; \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$cacertsFile"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$cacertsFile"; \ - \ -# basic smoke test - fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ - javac --version; \ - java --version - -# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) -CMD ["jshell"] diff --git a/Dockerfile-adopt-windows-nanoserver.template b/Dockerfile-adopt-windows-nanoserver.template deleted file mode 100644 index f2aa545b..00000000 --- a/Dockerfile-adopt-windows-nanoserver.template +++ /dev/null 
@@ -1,33 +0,0 @@ -FROM placeholder - -SHELL ["cmd", "/s", "/c"] - -ENV JAVA_HOME placeholder -# "ERROR: Access to the registry path is denied." -USER ContainerAdministrator -RUN echo Updating PATH: %JAVA_HOME%\bin;%PATH% \ - && setx /M PATH %JAVA_HOME%\bin;%PATH% -USER ContainerUser - -# https://adoptopenjdk.net/upstream.html -# > -# > What are these binaries? -# > -# > These binaries are built by Red Hat on their infrastructure on behalf of the OpenJDK jdk8u and jdk11u projects. The binaries are created from the unmodified source code at OpenJDK. Although no formal support agreement is provided, please report any bugs you may find to https://bugs.java.com/. -# > -ENV JAVA_VERSION placeholder -# https://github.com/docker-library/openjdk/issues/320#issuecomment-494050246 -# > -# > I am the OpenJDK 8 and 11 Updates OpenJDK project lead. -# > ... -# > While it is true that the OpenJDK Governing Board has not sanctioned those releases, they (or rather we, since I am a member) didn't sanction Oracle's OpenJDK releases either. As far as I am aware, the lead of an OpenJDK project is entitled to release binary builds, and there is clearly a need for them. -# > - -COPY --from=%%SERVERCORE-IMAGE%% $JAVA_HOME $JAVA_HOME - -RUN echo Verifying install ... \ - && echo javac --version && javac --version \ - && echo java --version && java --version - -# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) -CMD ["jshell"] diff --git a/Dockerfile-adopt-windows-servercore.template b/Dockerfile-adopt-windows-servercore.template deleted file mode 100644 index 104aa21b..00000000 --- a/Dockerfile-adopt-windows-servercore.template +++ /dev/null 
@@ -1,48 +0,0 @@ -FROM placeholder - -# $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 -SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] - -ENV JAVA_HOME placeholder -RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ - Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath - -# https://adoptopenjdk.net/upstream.html -# > -# > What are these binaries? -# > -# > These binaries are built by Red Hat on their infrastructure on behalf of the OpenJDK jdk8u and jdk11u projects. The binaries are created from the unmodified source code at OpenJDK. Although no formal support agreement is provided, please report any bugs you may find to https://bugs.java.com/. -# > -ENV JAVA_VERSION placeholder -ENV JAVA_URL placeholder -# https://github.com/docker-library/openjdk/issues/320#issuecomment-494050246 -# > -# > I am the OpenJDK 8 and 11 Updates OpenJDK project lead. -# > ... -# > While it is true that the OpenJDK Governing Board has not sanctioned those releases, they (or rather we, since I am a member) didn't sanction Oracle's OpenJDK releases either. As far as I am aware, the lead of an OpenJDK project is entitled to release binary builds, and there is clearly a need for them. -# > - -RUN Write-Host ('Downloading {0} ...' -f $env:JAVA_URL); \ - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ - Invoke-WebRequest -Uri $env:JAVA_URL -OutFile 'openjdk.zip'; \ -# TODO signature? checksum? 
- \ - Write-Host 'Expanding ...'; \ - New-Item -ItemType Directory -Path C:\temp | Out-Null; \ - Expand-Archive openjdk.zip -DestinationPath C:\temp; \ - Move-Item -Path C:\temp\* -Destination $env:JAVA_HOME; \ - Remove-Item C:\temp; \ - \ - Write-Host 'Removing ...'; \ - Remove-Item openjdk.zip -Force; \ - \ - Write-Host 'Verifying install ...'; \ - Write-Host ' javac --version'; javac --version; \ - Write-Host ' java --version'; java --version; \ - \ - Write-Host 'Complete.' - -# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) -CMD ["jshell"] diff --git a/Dockerfile-linux.template b/Dockerfile-linux.template new file mode 100644 index 00000000..9ce8e553 --- /dev/null +++ b/Dockerfile-linux.template 
@@ -0,0 +1,332 @@ +{{ + def is_alpine: + env.variant | startswith("alpine") + ; + def alpine_version: + env.variant | ltrimstr("alpine") +-}} +{{ + def is_oracle: + env.variant | startswith("oraclelinux") + ; + def oracle_version: + env.variant | ltrimstr("oraclelinux") +-}} +{{ + def is_debian: + is_alpine or is_oracle | not + ; + def is_debian_slim: + is_debian and (env.variant | startswith("slim-")) + ; + def debian_suite: + env.variant | ltrimstr("slim-") +-}} +{{ + if is_alpine then ( +-}} +FROM alpine:{{ alpine_version }} + +RUN apk add --no-cache java-cacerts + +ENV JAVA_HOME /opt/openjdk-{{ env.version }} +{{ + ) elif is_oracle then ( +-}} +FROM oraclelinux:{{ oracle_version }}-slim + +RUN set -eux; \ +{{ if oracle_version == "7" then ( -}} + yum install -y \ +{{ ) else ( -}} + microdnf install \ +{{ ) end -}} + gzip \ + tar \ + \ +# jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351 +# Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory + binutils \ +# java.lang.UnsatisfiedLinkError: /usr/java/openjdk-12/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory +# https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 + freetype fontconfig \ + ; \ +{{ if oracle_version == "7" then ( -}} + rm -rf /var/cache/yum +{{ ) else ( -}} + microdnf clean all +{{ ) end -}} + +ENV JAVA_HOME /usr/java/openjdk-{{ env.version }} +{{ + ) else ( +-}} +FROM {{ + if is_debian_slim then + "debian:" + debian_suite + "-slim" + else + "buildpack-deps:" + debian_suite + ( + if env.javaType == "jdk" then + "-scm" + else + "-curl" + end + ) + end +}} + +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ +{{ if is_debian_slim then "" else ( -}} + bzip2 \ + unzip \ + xz-utils \ + \ +{{ if env.version | tonumber >= 13 then ( -}} +# jlink --strip-debug on 13+ needs objcopy: 
https://github.com/docker-library/openjdk/issues/351 +# Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory + binutils \ + \ +{{ ) else "" end -}} +# java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory +# java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager +# https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 + fontconfig libfreetype6 \ + \ +{{ ) end -}} +# utilities for keeping Debian and OpenJDK CA certificates in sync + ca-certificates p11-kit \ + ; \ + rm -rf /var/lib/apt/lists/* + +ENV JAVA_HOME /usr/local/openjdk-{{ env.version }} +{{ if env.version | tonumber < 16 then ( -}} +RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] # backwards compatibility +{{ ) else "" end -}} +{{ + ) end +-}} +ENV PATH $JAVA_HOME/bin:$PATH + +{{ if is_alpine then "" else ( -}} +# Default to UTF-8 file.encoding +ENV LANG {{ if is_oracle and oracle_version == "7" then "en_US.UTF-8" else "C.UTF-8" end }} + +{{ ) end -}} +{{ def java_version: if is_alpine then .alpine.version else .version end -}} +{{ if .source == "oracle" then ( -}} +# https://jdk.java.net/ +# > +# > Java Development Kit builds, from Oracle +# > +ENV JAVA_VERSION {{ java_version }} +{{ if is_alpine then ( -}} +# "For Alpine Linux, builds are produced on a reduced schedule and may not be in sync with the other platforms." +{{ ) else "" end -}} +{{ ) else ( -}} +# https://adoptopenjdk.net/upstream.html +# > +# > What are these binaries? +# > +# > These binaries are built by Red Hat on their infrastructure on behalf of the OpenJDK jdk8u and jdk11u projects. The binaries are created from the unmodified source code at OpenJDK. 
Although no formal support agreement is provided, please report any bugs you may find to https://bugs.java.com/. +# > +ENV JAVA_VERSION {{ java_version }} +# https://github.com/docker-library/openjdk/issues/320#issuecomment-494050246 +# > +# > I am the OpenJDK 8 and 11 Updates OpenJDK project lead. +# > ... +# > While it is true that the OpenJDK Governing Board has not sanctioned those releases, they (or rather we, since I am a member) didn't sanction Oracle's OpenJDK releases either. As far as I am aware, the lead of an OpenJDK project is entitled to release binary builds, and there is clearly a need for them. +# > +{{ ) end -}} + +{{ + def arches: + if is_alpine then .alpine else . end + | .[env.javaType].arches + ; + def get_arch_command: + if is_alpine then + "apk --print-arch" + elif is_oracle then + "objdump=\"$(command -v objdump)\" && objdump --file-headers \"$objdump\" | awk -F '[:,]+[[:space:]]+' '$1 == \"architecture\" { print $2 }'" + else + "dpkg --print-architecture" + end + ; + def case_arch: + # input is a bashbrew arch + # - "amd64", "arm64v8", etc + # output is a shell "case" expression for matching the output of running "get_arch_command" + # - "amd64 | i386:x86-64", etc + . 
as $bashbrewArch + | if is_alpine then { + amd64: "x86_64", + arm64v8: "aarch64", + } elif is_oracle then { + amd64: "i386:x86-64", + arm64v8: "aarch64", + } else { + amd64: "amd64", + arm64v8: "arm64", + } end + | .[$bashbrewArch] // error("unsupported bashbrew architecture: " + $bashbrewArch) + | @sh + ; + def wget_command: + if is_oracle then + "curl -fL -o" + else + [ + "wget", + if is_alpine then empty else "--progress=dot:giga" end, + "-O" + ] | join(" ") + end +-}} +RUN set -eux; \ + \ + arch="$({{ get_arch_command }})"; \ + case "$arch" in \ +{{ + [ + arches | to_entries[] + | select(.key | startswith("windows-") | not) + | .key as $bashbrewArch | .value + | ( +-}} + {{ $bashbrewArch | case_arch }}) \ + downloadUrl={{ .url | @sh }}; \ +{{ if .sha256 then ( -}} + downloadSha256={{ .sha256 | @sh }}; \ +{{ ) else "" end -}} + ;; \ +{{ + ) + ] | add +-}} + *) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; \ + esac; \ + \ +{{ if is_debian_slim then ( -}} + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ +{{ if .source == "adopt" then ( -}} + dirmngr \ + gnupg \ +{{ ) else "" end -}} + wget \ + ; \ + rm -rf /var/lib/apt/lists/*; \ + \ +{{ ) else "" end -}} + {{ wget_command }} openjdk.tgz "$downloadUrl"; \ +{{ if [ arches[] ] | any(has("sha256")) then ( -}} + echo "$downloadSha256 *openjdk.tgz" | sha256sum {{ if is_alpine then "-c" else "--strict --check" end }} -; \ +{{ ) else "" end -}} +{{ if .source == "adopt" then ( -}} + {{ wget_command }} openjdk.tgz.asc "$downloadUrl.sign"; \ + \ + export GNUPGHOME="$(mktemp -d)"; \ +# pre-fetch Andrew Haley's (the OpenJDK 8 and 11 Updates OpenJDK project lead) key so we can verify that the OpenJDK key was signed by it +# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190) +# we pre-fetch this so that the signature it makes on the OpenJDK key can survive "import-clean" in gpg + gpg --batch --keyserver 
ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \ +# TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense? +# no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07 + gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \ + gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \ + | tee /dev/stderr \ + | grep '0xA5CD6035332FA671' \ + | grep 'Andrew Haley'; \ + gpg --batch --verify openjdk.tgz.asc openjdk.tgz; \ +{{ if is_oracle then "" else ( -}} + gpgconf --kill all; \ +{{ ) end -}} + rm -rf "$GNUPGHOME"; \ +{{ ) else "" end -}} + \ + mkdir -p "$JAVA_HOME"; \ + tar --extract \ + --file openjdk.tgz \ + --directory "$JAVA_HOME" \ + --strip-components 1 \ + --no-same-owner \ + ; \ + rm openjdk.tgz*; \ + \ +{{ if is_debian_slim then ( -}} + apt-mark auto '.*' > /dev/null; \ + [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + \ +{{ ) else "" end -}} +{{ + def cacerts_file: + # 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ use "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) + if env.version == "8" and env.javaType == "jdk" then + "$JAVA_HOME/jre/lib/security/cacerts" + else + "$JAVA_HOME/lib/security/cacerts" + end +-}} +{{ if is_alpine then ( -}} + rm -rf "{{ cacerts_file }}"; \ +# see "java-cacerts" package installed above (which maintains "/etc/ssl/certs/java/cacerts" for us) + ln -sT /etc/ssl/certs/java/cacerts "{{ cacerts_file }}"; \ +{{ ) elif is_oracle then ( -}} + rm -rf "{{ cacerts_file }}"; \ +# see 
"update-ca-trust" script which creates/maintains this cacerts bundle + ln -sT /etc/pki/ca-trust/extracted/java/cacerts "{{ cacerts_file }}"; \ + \ +# https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 + ln -sfT "$JAVA_HOME" /usr/java/default; \ + ln -sfT "$JAVA_HOME" /usr/java/latest; \ + for bin in "$JAVA_HOME/bin/"*; do \ + base="$(basename "$bin")"; \ + [ ! -e "/usr/bin/$base" ]; \ + alternatives --install "/usr/bin/$base" "$base" "$bin" 20000; \ + done; \ +{{ ) else ( -}} +# update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) +# see https://github.com/docker-library/openjdk/issues/327 +# http://rabexc.org/posts/certificates-not-working-java#comment-4099504075 +# https://salsa.debian.org/java-team/ca-certificates-java/blob/3e51a84e9104823319abeb31f880580e46f45a98/debian/jks-keystore.hook.in +# https://git.alpinelinux.org/aports/tree/community/java-cacerts/APKBUILD?id=761af65f38b4570093461e6546dcf6b179d2b624#n29 + { \ + echo '#!/usr/bin/env bash'; \ + echo 'set -Eeuo pipefail'; \ + echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "{{ cacerts_file }}"'; \ + } > /etc/ca-certificates/update.d/docker-openjdk; \ + chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ + /etc/ca-certificates/update.d/docker-openjdk; \ + \ +# https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472 + find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ + ldconfig; \ +{{ ) end -}} + \ +{{ if env.version == "8" then ( -}} +# basic smoke test +{{ if env.javaType == "jdk" then ( -}} + javac -version; \ +{{ ) else "" end -}} + java -version +{{ ) else ( -}} +# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 +# https://openjdk.java.net/jeps/341 + java -Xshare:dump; \ + \ +# basic smoke test +{{ if 
env.javaType == "jdk" then ( -}} + fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ + javac --version; \ + java --version + +# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) +CMD ["jshell"] +{{ ) else ( -}} + java --version +{{ ) end -}} +{{ ) end -}} diff --git a/Dockerfile-oracle-debian-slim.template b/Dockerfile-oracle-debian-slim.template deleted file mode 100644 index 431ef372..00000000 --- a/Dockerfile-oracle-debian-slim.template +++ /dev/null 
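Review bot: The tarball fetched by `{{ wget_command }} openjdk.tgz "$downloadUrl"` is only verified when the version data happens to allow it: the `sha256sum` line is emitted under `any(has("sha256"))` and the gpg block under `.source == "adopt"`, so an entry with neither would render a Dockerfile that extracts `openjdk.tgz` unchecked. The template can fail closed at generation time, the way `case_arch` already calls `error(...)`, with something like `{{ if .source != "adopt" and ([ arches[] ] | any(has("sha256")) | not) then error("no checksum or signature for " + env.version) else "" end -}}` ahead of the download line. Separately, the cross-signature test pipes `gpg --batch --list-sigs` into `grep`, and `--list-sigs` lists signatures without verifying them. `--check-sigs` with a match on the `sig!` marker for `0xA5CD6035332FA671` would confirm that the signature is valid rather than merely present.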
@@ -1,86 +0,0 @@ -FROM debian:placeholder-slim - -RUN set -eux; \ - apt-get update; \ - apt-get install -y --no-install-recommends \ -# utilities for keeping Debian and OpenJDK CA certificates in sync - ca-certificates p11-kit \ - ; \ - rm -rf /var/lib/apt/lists/* - -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - -ENV JAVA_HOME placeholder -ENV PATH $JAVA_HOME/bin:$PATH - -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] - -# https://jdk.java.net/ -# > -# > Java Development Kit builds, from Oracle -# > -ENV JAVA_VERSION placeholder - -RUN set -eux; \ - \ - arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" - %%ARCH-CASE%%; \ - \ - savedAptMark="$(apt-mark showmanual)"; \ - apt-get update; \ - apt-get install -y --no-install-recommends \ - wget \ - ; \ - rm -rf /var/lib/apt/lists/*; \ - \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ - echo "$downloadSha256 *openjdk.tgz" | sha256sum --strict --check -; \ - \ - mkdir -p "$JAVA_HOME"; \ - tar --extract \ - --file openjdk.tgz \ - --directory "$JAVA_HOME" \ - --strip-components 1 \ - --no-same-owner \ - ; \ - rm openjdk.tgz; \ - \ - apt-mark auto '.*' > /dev/null; \ - [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - \ -# update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) -# see https://github.com/docker-library/openjdk/issues/327 -# http://rabexc.org/posts/certificates-not-working-java#comment-4099504075 -# https://salsa.debian.org/java-team/ca-certificates-java/blob/3e51a84e9104823319abeb31f880580e46f45a98/debian/jks-keystore.hook.in -# 
https://git.alpinelinux.org/aports/tree/community/java-cacerts/APKBUILD?id=761af65f38b4570093461e6546dcf6b179d2b624#n29 - { \ - echo '#!/usr/bin/env bash'; \ - echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ - } > /etc/ca-certificates/update.d/docker-openjdk; \ - chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ - /etc/ca-certificates/update.d/docker-openjdk; \ - \ -# https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472 - find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ - ldconfig; \ - \ -# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 -# https://openjdk.java.net/jeps/341 - java -Xshare:dump; \ - \ -# basic smoke test - fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ - javac --version; \ - java --version - -# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) -CMD ["jshell"] diff --git a/Dockerfile-oracle-debian.template b/Dockerfile-oracle-debian.template deleted file mode 100644 index 3d1a2e15..00000000 --- a/Dockerfile-oracle-debian.template +++ /dev/null 
@@ -1,87 +0,0 @@ -FROM buildpack-deps:placeholder - -RUN set -eux; \ - apt-get update; \ - apt-get install -y --no-install-recommends \ - bzip2 \ - unzip \ - xz-utils \ - \ -# utilities for keeping Debian and OpenJDK CA certificates in sync - ca-certificates p11-kit \ - \ -# jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351 -# Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory - binutils \ -# java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory -# java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager -# https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 - fontconfig libfreetype6 \ - ; \ - rm -rf /var/lib/apt/lists/* - -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - -ENV JAVA_HOME placeholder -ENV PATH $JAVA_HOME/bin:$PATH - -# backwards compatibility shim -RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ] - -# https://jdk.java.net/ -# > -# > Java Development Kit builds, from Oracle -# > -ENV JAVA_VERSION placeholder - -RUN set -eux; \ - \ - arch="$(dpkg --print-architecture)"; \ -# this "case" statement is generated via "update.sh" - %%ARCH-CASE%%; \ - \ - wget -O openjdk.tgz "$downloadUrl" --progress=dot:giga; \ - echo "$downloadSha256 *openjdk.tgz" | sha256sum --strict --check -; \ - \ - mkdir -p "$JAVA_HOME"; \ - tar --extract \ - --file openjdk.tgz \ - --directory "$JAVA_HOME" \ - --strip-components 1 \ - --no-same-owner \ - ; \ - rm openjdk.tgz; \ - \ -# update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store) -# see https://github.com/docker-library/openjdk/issues/327 -# 
http://rabexc.org/posts/certificates-not-working-java#comment-4099504075 -# https://salsa.debian.org/java-team/ca-certificates-java/blob/3e51a84e9104823319abeb31f880580e46f45a98/debian/jks-keystore.hook.in -# https://git.alpinelinux.org/aports/tree/community/java-cacerts/APKBUILD?id=761af65f38b4570093461e6546dcf6b179d2b624#n29 - { \ - echo '#!/usr/bin/env bash'; \ - echo 'set -Eeuo pipefail'; \ - echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \ -# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory) - echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \ - echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \ - echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \ - } > /etc/ca-certificates/update.d/docker-openjdk; \ - chmod +x /etc/ca-certificates/update.d/docker-openjdk; \ - /etc/ca-certificates/update.d/docker-openjdk; \ - \ -# https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472 - find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \ - ldconfig; \ - \ -# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 -# https://openjdk.java.net/jeps/341 - java -Xshare:dump; \ - \ -# basic smoke test - fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ - javac --version; \ - java --version - -# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) -CMD ["jshell"] 
diff --git a/Dockerfile-oracle-oraclelinux.template b/Dockerfile-oracle-oraclelinux.template
deleted file mode 100644
index 0e6d18c7..00000000
--- a/Dockerfile-oracle-oraclelinux.template
+++ /dev/null
@@ -1,71 +0,0 @@ -FROM oraclelinux:placeholder-slim - -RUN set -eux; \ - microdnf install \ - gzip \ - tar \ - \ -# jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351 -# Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory - binutils \ -# java.lang.UnsatisfiedLinkError: /usr/java/openjdk-12/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory -# https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077 - freetype fontconfig \ - ; \ - microdnf clean all - -# Default to UTF-8 file.encoding -ENV LANG C.UTF-8 - -ENV JAVA_HOME placeholder -ENV PATH $JAVA_HOME/bin:$PATH - -# https://jdk.java.net/ -# > -# > Java Development Kit builds, from Oracle -# > -ENV JAVA_VERSION placeholder - -RUN set -eux; \ - \ - objdump="$(command -v objdump)"; \ - arch="$(objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \ -# this "case" statement is generated via "update.sh" - %%ARCH-CASE%%; \ - \ - curl -fL -o openjdk.tgz "$downloadUrl"; \ - echo "$downloadSha256 *openjdk.tgz" | sha256sum --strict --check -; \ - \ - mkdir -p "$JAVA_HOME"; \ - tar --extract \ - --file openjdk.tgz \ - --directory "$JAVA_HOME" \ - --strip-components 1 \ - --no-same-owner \ - ; \ - rm openjdk.tgz; \ - \ -# https://github.com/oracle/docker-images/blob/a56e0d1ed968ff669d2e2ba8a1483d0f3acc80c0/OracleJava/java-8/Dockerfile#L17-L19 - ln -sfT "$JAVA_HOME" /usr/java/default; \ - ln -sfT "$JAVA_HOME" /usr/java/latest; \ - for bin in "$JAVA_HOME/bin/"*; do \ - base="$(basename "$bin")"; \ - [ ! 
-e "/usr/bin/$base" ]; \ - alternatives --install "/usr/bin/$base" "$base" "$bin" 20000; \ - done; \ - \ -# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840 -# https://openjdk.java.net/jeps/341 - java -Xshare:dump; \ - \ -# see "update-ca-trust" script which creates/maintains this cacerts bundle - rm -rf "$JAVA_HOME/lib/security/cacerts"; \ - ln -sT /etc/pki/ca-trust/extracted/java/cacerts "$JAVA_HOME/lib/security/cacerts"; \ - \ -# basic smoke test - fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \ - javac --version; \ - java --version - -# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) -CMD ["jshell"] diff --git a/Dockerfile-oracle-windows-nanoserver.template b/Dockerfile-oracle-windows-nanoserver.template deleted file mode 100644 index c6538095..00000000 --- a/Dockerfile-oracle-windows-nanoserver.template +++ /dev/null @@ -1,25 +0,0 @@ -FROM placeholder - -SHELL ["cmd", "/s", "/c"] - -ENV JAVA_HOME placeholder -# "ERROR: Access to the registry path is denied." -USER ContainerAdministrator -RUN echo Updating PATH: %JAVA_HOME%\bin;%PATH% \ - && setx /M PATH %JAVA_HOME%\bin;%PATH% -USER ContainerUser - -# https://jdk.java.net/ -# > -# > Java Development Kit builds, from Oracle -# > -ENV JAVA_VERSION placeholder - -COPY --from=%%SERVERCORE-IMAGE%% $JAVA_HOME $JAVA_HOME - -RUN echo Verifying install ... \ - && echo javac --version && javac --version \ - && echo java --version && java --version - -# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) -CMD ["jshell"] diff --git a/Dockerfile-oracle-windows-servercore.template b/Dockerfile-oracle-windows-servercore.template deleted file mode 100644 index 2f177ddb..00000000 --- a/Dockerfile-oracle-windows-servercore.template +++ /dev/null 
@@ -1,58 +0,0 @@ -FROM placeholder - -# $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 -SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] - -# enable TLS 1.2 (Nano Server doesn't support using "[Net.ServicePointManager]::SecurityProtocol") -# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 -# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 -RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ - $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \ - if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \ - New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \ - New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \ - New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ - New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ - New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ - New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force - -ENV JAVA_HOME placeholder -RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ - Write-Host ('Updating PATH: {0}' -f $newPath); \ -# Nano Server does not have "[Environment]::SetEnvironmentVariable()" - setx /M PATH $newPath - -# https://jdk.java.net/ -# > -# > Java Development Kit builds, from Oracle -# > -ENV JAVA_VERSION placeholder -ENV JAVA_URL placeholder -ENV JAVA_SHA256 placeholder - -RUN Write-Host ('Downloading {0} ...' 
-f $env:JAVA_URL); \ - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ - Invoke-WebRequest -Uri $env:JAVA_URL -OutFile 'openjdk.zip'; \ - Write-Host ('Verifying sha256 ({0}) ...' -f $env:JAVA_SHA256); \ - if ((Get-FileHash openjdk.zip -Algorithm sha256).Hash -ne $env:JAVA_SHA256) { \ - Write-Host 'FAILED!'; \ - exit 1; \ - }; \ - \ - Write-Host 'Expanding ...'; \ - New-Item -ItemType Directory -Path C:\temp | Out-Null; \ - Expand-Archive openjdk.zip -DestinationPath C:\temp; \ - Move-Item -Path C:\temp\* -Destination $env:JAVA_HOME; \ - Remove-Item C:\temp; \ - \ - Write-Host 'Removing ...'; \ - Remove-Item openjdk.zip -Force; \ - \ - Write-Host 'Verifying install ...'; \ - Write-Host ' javac --version'; javac --version; \ - Write-Host ' java --version'; java --version; \ - \ - Write-Host 'Complete.' - -# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) -CMD ["jshell"] diff --git a/Dockerfile-windows.template b/Dockerfile-windows.template new file mode 100644 index 00000000..0fdbf3f2 --- /dev/null +++ b/Dockerfile-windows.template 
@@ -0,0 +1,113 @@ +FROM mcr.microsoft.com/windows/{{ env.windowsVariant }}:{{ env.windowsRelease }} + +{{ if env.windowsVariant == "servercore" then ( -}} +# $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324 +SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] + +# enable TLS 1.2 +# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801 +# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12 +RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \ + $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \ + if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \ + New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \ + New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \ + New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \ + Write-Host 'Complete.' + +ENV JAVA_HOME C:\\openjdk-{{ env.version }} +RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \ + Write-Host ('Updating PATH: {0}' -f $newPath); \ + setx /M PATH $newPath; \ + Write-Host 'Complete.' +{{ ) else ( -}} +SHELL ["cmd", "/s", "/c"] + +ENV JAVA_HOME C:\\openjdk-{{ env.version }} +# "ERROR: Access to the registry path is denied." +USER ContainerAdministrator +RUN echo Updating PATH: %JAVA_HOME%\bin;%PATH% \ + && setx /M PATH %JAVA_HOME%\bin;%PATH% \ + && echo Complete. 
+USER ContainerUser +{{ ) end -}} + +{{ if .source == "oracle" then ( -}} +# https://jdk.java.net/ +# > +# > Java Development Kit builds, from Oracle +# > +{{ ) else ( -}} +# https://adoptopenjdk.net/upstream.html +# > +# > What are these binaries? +# > +# > These binaries are built by Red Hat on their infrastructure on behalf of the OpenJDK jdk8u and jdk11u projects. The binaries are created from the unmodified source code at OpenJDK. Although no formal support agreement is provided, please report any bugs you may find to https://bugs.java.com/. +# > +{{ ) end -}} +ENV JAVA_VERSION {{ .version }} +{{ if env.windowsVariant == "servercore" then ( -}} +{{ # TODO $env:PROCESSOR_ARCHITECTURE for arm64v8 someday (https://superuser.com/a/1441469/101945) -}} +ENV JAVA_URL {{ .[env.javaType].arches["windows-amd64"].url }} +{{ if .[env.javaType].arches["windows-amd64"] | has("sha256") then ( -}} +ENV JAVA_SHA256 {{ .[env.javaType].arches["windows-amd64"].sha256 }} +{{ ) else "" end -}} +{{ ) else "" end -}} +{{ if .source == "adopt" then ( -}} +# https://github.com/docker-library/openjdk/issues/320#issuecomment-494050246 +# > +# > I am the OpenJDK 8 and 11 Updates OpenJDK project lead. +# > ... +# > While it is true that the OpenJDK Governing Board has not sanctioned those releases, they (or rather we, since I am a member) didn't sanction Oracle's OpenJDK releases either. As far as I am aware, the lead of an OpenJDK project is entitled to release binary builds, and there is clearly a need for them. +# > +{{ ) else "" end -}} + +{{ if env.windowsVariant == "servercore" then ( -}} +RUN Write-Host ('Downloading {0} ...' -f $env:JAVA_URL); \ + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ + Invoke-WebRequest -Uri $env:JAVA_URL -OutFile 'openjdk.zip'; \ +{{ if .[env.javaType].arches["windows-amd64"] | has("sha256") then ( -}} + Write-Host ('Verifying sha256 ({0}) ...' 
-f $env:JAVA_SHA256); \ + if ((Get-FileHash openjdk.zip -Algorithm sha256).Hash -ne $env:JAVA_SHA256) { \ + Write-Host 'FAILED!'; \ + exit 1; \ + }; \ +{{ ) else ( -}} +# TODO signature? checksum? +{{ ) end -}} + \ + Write-Host 'Expanding ...'; \ + New-Item -ItemType Directory -Path C:\temp | Out-Null; \ + Expand-Archive openjdk.zip -DestinationPath C:\temp; \ + Move-Item -Path C:\temp\* -Destination $env:JAVA_HOME; \ + Remove-Item C:\temp; \ + \ + Write-Host 'Removing ...'; \ + Remove-Item openjdk.zip -Force; \ + \ + Write-Host 'Verifying install ...'; \ +{{ def version_flag: if env.version == "8" then "-version" else "--version" end -}} +{{ if env.javaType == "jdk" then ( -}} + Write-Host ' javac {{ version_flag }}'; javac {{ version_flag }}; \ +{{ ) else "" end -}} + Write-Host ' java {{ version_flag }}'; java {{ version_flag }}; \ + \ + Write-Host 'Complete.' +{{ ) else ( -}} +COPY --from=openjdk:{{ .version | gsub("[+]"; "-") }}-{{ env.javaType }}-windowsservercore-{{ env.windowsRelease }} $JAVA_HOME $JAVA_HOME + +RUN echo Verifying install ... \ +{{ if env.javaType == "jdk" then ( -}} + && echo javac {{ version_flag }} && javac {{ version_flag }} \ +{{ ) else "" end -}} + && echo java {{ version_flag }} && java {{ version_flag }} \ + && echo Complete. +{{ ) end -}} +{{ if env.version != "8" and env.javaType == "jdk" then ( -}} + +# "jshell" is an interactive REPL for Java (see https://en.wikipedia.org/wiki/JShell) +CMD ["jshell"] +{{ ) else "" end -}} diff --git a/apply-templates.sh b/apply-templates.sh new file mode 100755 index 00000000..d55b3313 --- /dev/null +++ b/apply-templates.sh 
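Review bot: In the servercore `RUN` that downloads `openjdk.zip`, the branch taken when the arch entry has no `sha256` emits only `# TODO signature? checksum?`, so `Expand-Archive` runs on an archive whose integrity was never checked. In the `versions.json` added by this commit the `adopt` entries (8 and 11) carry only a `url`, so those images rely solely on TLS and on the release host. Until `versions.sh` records a digest or signature for those builds, I would make the gap visible in the build log by replacing the TODO line with `Write-Host 'WARNING: no checksum available; openjdk.zip is NOT verified'; \`. The nanoserver variant takes the same files through `COPY --from=openjdk:...-windowsservercore-...`, so it inherits whatever the servercore build accepted.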
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+[ -f versions.json ] # run "versions.sh" first
+
+jqt='.jq-template.awk'
+if [ -n "${BASHBREW_SCRIPTS:-}" ]; then
+ jqt="$BASHBREW_SCRIPTS/jq-template.awk"
+elif [ "$BASH_SOURCE" -nt "$jqt" ]; then
+ wget -qO "$jqt" 'https://github.com/docker-library/bashbrew/raw/00e281f36edd19f52541a6ba2f215cc3c4645128/scripts/jq-template.awk'
+fi
+
+if [ "$#" -eq 0 ]; then
+ versions="$(jq -r 'keys | map(@sh) | join(" ")' versions.json)"
+ eval "set -- $versions"
+fi
+
+generated_warning() {
+ cat <<-EOH
+ #
+ # NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+ #
+ # PLEASE DO NOT EDIT IT DIRECTLY.
+ #
+
+ EOH
+}
+
+for version; do
+ export version
+
+ rm -rf "$version/"
+
+ variants="$(jq -r '.[env.version].variants | map(@sh) | join(" ")' versions.json)"
+ eval "variants=( $variants )"
+
+ for javaType in jdk jre; do
+ export javaType
+
+ if ! hasJavaType="$(jq -r '.[env.version] | if has(env.javaType) then "1" else "" end' versions.json)" || [ -z "$hasJavaType" ]; then
+ continue
+ fi
+
+ for variant in "${variants[@]}"; do
+ export variant
+
+ if [ "$javaType" = 'jre' ] && [[ "$variant" == oraclelinux* ]]; then
+ continue # no Oracle-based JRE images (for now? gotta figure a few things out to do that)
+ fi
+
+ dir="$version/$javaType/$variant"
+ mkdir -p "$dir"
+
+ case "$variant" in
+ windows/*)
+ variant="$(basename "$dir")" # "buster", "windowsservercore-1809", etc
+ windowsVariant="${variant%%-*}" # "windowsservercore", "nanoserver"
+ windowsRelease="${variant#$windowsVariant-}" # "1809", "ltsc2016", etc
+ windowsVariant="${windowsVariant#windows}" # "servercore", "nanoserver"
+ export windowsVariant windowsRelease
+ template='Dockerfile-windows.template'
+ ;;
+
+ *)
+ template='Dockerfile-linux.template'
+ ;;
+ esac
+
+ echo "processing $dir ..."
+
+ {
+ generated_warning
+ gawk -f "$jqt" "$template"
+ } > "$dir/Dockerfile"
+ done
+ done
+done
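Review bot: `rm -rf "$version/"` in the `for version` loop runs on every command-line argument before anything checks that the argument is a key of `versions.json`, and the script never changes into its own directory, so the path is resolved against the caller's working directory. A mistyped or empty argument therefore has its directory removed first, and the run presumably only stops at the following `jq` call. I would validate before deleting: `jq -e 'has(env.version)' versions.json > /dev/null` placed right after `export version`, and `rm -rf "${version:?}/"` for the delete itself.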
diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh index f57f3699..838d4e96 100755 --- a/generate-stackbrew-library.sh +++ b/generate-stackbrew-library.sh @@ -6,7 +6,7 @@ declare -A aliases=( [15-jre]='jre' ) defaultType='jdk' -defaultAlpine='3.12' +defaultAlpine='3.13' defaultDebian='buster' defaultOracle='8' @@ -15,11 +15,13 @@ image="${1:-openjdk}" self="$(basename "$BASH_SOURCE")" cd "$(dirname "$(readlink -f "$BASH_SOURCE")")" -versions=( */ ) -versions=( "${versions[@]%/}" ) +if [ "$#" -eq 0 ]; then + versions="$(jq -r 'keys | map(@sh) | join(" ")' versions.json)" + eval "set -- $versions" +fi # sort version numbers with highest first -IFS=$'\n'; versions=( $(echo "${versions[*]}" | sort -rV) ); unset IFS +IFS=$'\n'; set -- $(sort -rV <<<"$*"); unset IFS # get the most recent commit which modified any of "$@" fileCommit() { @@ -31,15 +33,19 @@ dirCommit() { local dir="$1"; shift ( cd "$dir" - fileCommit \ - Dockerfile \ - $(git show HEAD:./Dockerfile | awk ' + files="$( + git show HEAD:./Dockerfile | awk ' toupper($1) == "COPY" { for (i = 2; i < NF; i++) { + if ($i ~ /^--from=/) { + next + } print $i } } - ') + ' + )" + fileCommit Dockerfile $files ) } 
@@ -141,47 +147,58 @@ aliases() { echo "${variantAliases[@]}" } -for javaVersion in "${versions[@]}"; do +for version; do + export version + + variants="$(jq -r '.[env.version].variants | map(@sh) | join(" ")' versions.json)" + eval "variants=( $variants )" + for javaType in jdk jre; do - for v in \ - oraclelinux{8,7} \ - {,slim-}buster \ - alpine3.12 \ - windows/windowsservercore-{1809,ltsc2016} \ - windows/nanoserver-1809 \ - ; do - dir="$javaVersion/$javaType/$v" + export javaType + + for v in "${variants[@]}"; do + dir="$version/$javaType/$v" [ -f "$dir/Dockerfile" ] || continue + variant="$(basename "$v")" + export variant commit="$(dirCommit "$dir")" - fullVersion="$(git show "$commit":"$dir/Dockerfile" | awk '$1 == "ENV" && $2 == "JAVA_VERSION" { gsub(/[~+]/, "-", $3); print $3; exit }')" + fullVersion="$(jq -r '.[env.version] | if env.variant | startswith("alpine") then .alpine.version else .version end | gsub("[+]"; "-")' versions.json)" variantArches= case "$v" in windows/*) variantArches='windows-amd64' ;; *) # see "update.sh" for where these comment lines get embedded - parent="$(git show "$commit":"$dir/Dockerfile" | awk '$1 == "FROM" { print $2; exit }')" + parent="$(awk 'toupper($1) == "FROM" { print $2; exit }' "$dir/Dockerfile")" parentArches="${parentRepoToArches[$parent]:-}" - for arch in $parentArches; do - if git show "$commit":"$dir/Dockerfile" | grep -qE "^# $arch\$"; then - variantArches+=" $arch" - fi - done + export parentArches + variantArches="$( + comm -12 \ + <( + jq -r ' + .[env.version] + | if env.variant | startswith("alpine") then .alpine else . 
end + | .[env.javaType].arches + | keys[] + ' versions.json | sort + ) \ + <(xargs -n1 <<<"$parentArches" | sort) + )" ;; esac sharedTags=() for windowsShared in windowsservercore nanoserver; do if [[ "$variant" == "$windowsShared"* ]]; then - sharedTags+=( $(aliases "$javaVersion" "$javaType" "$fullVersion" "$windowsShared") ) + sharedTags+=( $(aliases "$version" "$javaType" "$fullVersion" "$windowsShared") ) break fi done - if _latest "$javaVersion" "$variant"; then - sharedTags+=( $(aliases "$javaVersion" "$javaType" "$fullVersion" 'latest') ) + if _latest "$version" "$variant"; then + sharedTags+=( $(aliases "$version" "$javaType" "$fullVersion" 'latest') ) fi variantAliases=( "$variant" ) @@ -203,7 +220,7 @@ for javaVersion in "${versions[@]}"; do esac echo - echo "Tags: $(join ', ' $(aliases "$javaVersion" "$javaType" "$fullVersion" "${variantAliases[@]}"))" + echo "Tags: $(join ', ' $(aliases "$version" "$javaType" "$fullVersion" "${variantAliases[@]}"))" if [ "${#sharedTags[@]}" -gt 0 ]; then echo "SharedTags: $(join ', ' "${sharedTags[@]}")" fi diff --git a/update.sh b/update.sh index 0ab58aff..bac2d758 100755 --- a/update.sh +++ b/update.sh 
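Review bot: In the `for version` loop of the `@@ -141,47 +147,58 @@` hunk, `fullVersion` and `parent` are now read from the working tree (`versions.json` and `"$dir/Dockerfile"`) while `commit` still comes from `dirCommit`, so the tags and architectures emitted for an entry may not match the content of that commit when the tree is dirty or ahead of it. The removed lines read both values from `git show "$commit":"$dir/Dockerfile"`. If that pairing is meant to hold, keeping the lookup on the committed file would preserve it: `parent="$(git show "$commit":"$dir/Dockerfile" | awk 'toupper($1) == "FROM" { print $2; exit }')"`, and likewise piping `git show "$commit":versions.json` into the two `jq` calls instead of passing the file name. The loop body continues outside the hunk.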
@@ -3,392 +3,5 @@ set -Eeuo pipefail cd "$(dirname "$(readlink -f "$BASH_SOURCE")")" -versions=( "$@" ) -if [ ${#versions[@]} -eq 0 ]; then - versions=( */ ) -fi -versions=( "${versions[@]%/}" ) - -# sort version numbers with lowest first -IFS=$'\n'; versions=( $(sort -V <<<"${versions[*]}") ); unset IFS - -abs-url() { - local url="$1"; shift - local base="$1"; shift - - case "$url" in - http://* | https://* ) ;; - - /*) - local extra="${base#*://*/}" - local baseBase="${base%$extra}" - baseBase="${baseBase%/}" - url="$baseBase$url" - ;; - - *) - echo >&2 "error: TODO parse '$url' relative to '$base'" - exit 1 - ;; - esac - - echo "$url" -} - -adopt-github-url() { - local javaVersion="$1"; shift - - local url - url="$( - curl -fsS --head "https://github.com/AdoptOpenJDK/openjdk${javaVersion}-upstream-binaries/releases/latest" | tac|tac \ - | tr -d '\r' \ - | awk 'tolower($1) == "location:" { print $2; found = 1; exit } END { if (!found) { exit 1 } }' - )" || return 1 - - url="$(abs-url "$url" 'https://github.com')" || return 1 - - echo "$url" -} - -adopt-sources-url() { - local githubUrl="$1"; shift - - local url - url="$( - curl -fsSL "$githubUrl" | tac|tac \ - | grep -oEm1 'href="[^"]+-sources_[^"]+[.]tar[.]gz"' \ - | cut -d'"' -f2 \ - || : - )" - [ -n "$url" ] || return 1 - - url="$(abs-url "$url" "$githubUrl")" || return 1 - - echo "$url" -} - -adopt-version() { - local githubUrl="$1"; shift - - local version - version="$( - wget -qO- "$githubUrl" | tac|tac \ - | grep -oE '.+' \ - | grep -oE ' OpenJDK [^ ]+ ' \ - | cut -d' ' -f3 - )" || return 1 - - echo "$version" -} - -jdk-java-net-download-url() { - local javaVersion="$1"; shift - local fileSuffix="$1"; shift - wget -qO- "https://jdk.java.net/$javaVersion/" \ - | tac|tac \ - | grep -Eom1 "https://download.java.net/[^\"]+$fileSuffix" -} - -jdk-java-net-download-version() { - local javaVersion="$1"; shift - local downloadUrl="$1"; shift - - downloadVersion="$(grep -Eom1 "openjdk-$javaVersion[^_]*_" 
<<<"$downloadUrl")" || return 1 - downloadVersion="${downloadVersion%_}" - downloadVersion="${downloadVersion#openjdk-}" - if [ "$javaVersion" = '11' ]; then - # 11 is now GA, so drop any +NN (https://github.com/docker-library/openjdk/pull/235#issuecomment-425378941) - # future releases will be 11.0.1, for example - downloadVersion="${downloadVersion%%+*}" - fi - - echo "$downloadVersion" -} - -# see https://stackoverflow.com/a/2705678/433558 -sed_escape_rhs() { - sed -e 's/[\/&]/\\&/g' <<<"$*" | sed -e ':a;N;$!ba;s/\n/\\n/g' -} -sed_s() { - local lhs="$1"; shift - local rhs="$1"; shift - rhs="$(sed_escape_rhs "$rhs")" - echo -n "s/$lhs/$rhs/g" -} -sed_s_pre() { - local lhs="$1"; shift - local rhs="$1"; shift - rhs="$(sed_escape_rhs "$rhs")" - echo -n "s/^($lhs) .*$/\1 $rhs/" -} - -for javaVersion in "${versions[@]}"; do - for javaType in jdk jre; do - dir="$javaVersion/$javaType" - [ -d "$dir" ] || continue - - downloadSource= # "adopt", "oracle" - linuxVersion= # "11.0.8", "15-ea+33", "8u262", etc - alpineVersion= - windowsVersion= - linuxArchCase= - alpineArchCase= - windowsDownloadUrl= - windowsDownloadSha256= - - case "$javaVersion" in - 8 | 11) - downloadSource='adopt' - - githubUrl="$(adopt-github-url "$javaVersion")" - sourcesUrl="$(adopt-sources-url "$githubUrl")" - adoptVersion="$(adopt-version "$githubUrl")" - javaUrlBase="${sourcesUrl%%-sources_*}-" - javaUrlVersion="${sourcesUrl#${javaUrlBase}sources_}" - javaUrlVersion="${javaUrlVersion%.tar.gz}" - javaUrlBase+="${javaType}_" # "jre_", "jdk_", etc - - possibleArches=( - # https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases - # https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases - 'aarch64_linux' - 'x64_linux' - 'x64_windows' - ) - for arch in "${possibleArches[@]}"; do - case "$arch" in - *_linux) downloadSuffix='.tar.gz' ;; - *_windows) downloadSuffix='.zip' ;; - *) echo >&2 "error: unknown Adopt Upstream arch: '$arch'"; exit 1 ;; - esac - 
downloadUrl="${javaUrlBase}${arch}_${javaUrlVersion}${downloadSuffix}" - downloadFile="$(basename "$downloadUrl")" - if curl -fsSL "$githubUrl" |tac|tac| grep -qF "$downloadFile"; then - case "$arch" in - *_windows) - windowsVersion="$adoptVersion" - windowsDownloadUrl="$downloadUrl" - ;; - *_linux) - linuxVersion="$adoptVersion" - case "$arch" in - aarch64_*) caseArch='arm64 | aarch64'; bashbrewArch='arm64v8' ;; - x64_*) caseArch='amd64 | i386:x86-64'; bashbrewArch='amd64' ;; - *) echo >&2 "error: unknown Adopt Upstream linux arch: '$arch'"; exit 1 ;; - esac - newArchCase="$(printf '\t\t%s) downloadUrl=%q ;;' "$caseArch" "$downloadUrl")" - newArchCase="# $bashbrewArch"$'\n'"$newArchCase"$' \\\n' - linuxArchCase+="$newArchCase" - ;; - *) echo >&2 "error: unknown Adopt Upstream arch: '$arch'"; exit 1 ;; - esac - fi - done - ;; - - 14 | 15 | 16 | 17) - downloadSource='oracle' - - possibleArches=( - # https://jdk.java.net/15/ - # https://jdk.java.net/16/ - 'linux-aarch64' - 'linux-x64' - 'linux-x64-musl' - 'windows-x64' - ) - for arch in "${possibleArches[@]}"; do - downloadSuffix="_${arch}_bin" - case "$arch" in - linux-*) downloadSuffix+='.tar.gz' ;; - windows-*) downloadSuffix+='.zip' ;; - *) echo >&2 "error: unknown Oracle arch: '$arch'"; exit 1 ;; - esac - if downloadUrl="$(jdk-java-net-download-url "$javaVersion" "$downloadSuffix")" \ - && [ -n "$downloadUrl" ] \ - && downloadSha256="$(wget -qO- "$downloadUrl.sha256")" \ - && [ -n "$downloadSha256" ] \ - ; then - downloadVersion="$(jdk-java-net-download-version "$javaVersion" "$downloadUrl")" - case "$arch" in - windows-*) - windowsVersion="$downloadVersion" - windowsDownloadUrl="$downloadUrl" - windowsDownloadSha256="$downloadSha256" - ;; - linux-*) - if [[ "$arch" == *-musl ]]; then - if [ -z "$alpineVersion" ] || [ "$alpineVersion" = "$downloadVersion" ]; then - alpineVersion="$downloadVersion" - else - echo >&2 "error: mismatched Alpine versions! 
('$alpineVersion' vs '$downloadVersion')" - exit 1 - fi - else - if [ -z "$linuxVersion" ] || [ "$linuxVersion" = "$downloadVersion" ]; then - linuxVersion="$downloadVersion" - else - echo >&2 "error: mismatched Linux versions! ('$linuxVersion' vs '$downloadVersion')" - exit 1 - fi - fi - case "$arch" in - linux-aarch64) caseArch='arm64 | aarch64'; bashbrewArch='arm64v8' ;; - linux-aarch64-musl) caseArch='aarch64'; bashbrewArch='arm64v8' ;; - linux-x64) caseArch='amd64 | i386:x86-64'; bashbrewArch='amd64' ;; - linux-x64-musl) caseArch='x86_64'; bashbrewArch='amd64' ;; - *) echo >&2 "error: unknown Alpine Oracle arch: '$arch'"; exit 1 ;; - esac - newArchCase="$(printf '\t\t%s) \\\n\t\t\tdownloadUrl=%q; \\\n\t\t\tdownloadSha256=%q; \\\n\t\t\t;;' "$caseArch" "$downloadUrl" "$downloadSha256")" - newArchCase="# $bashbrewArch"$'\n'"$newArchCase"$' \\\n' - if [[ "$arch" == *-musl ]]; then - alpineArchCase+="$newArchCase" - else - linuxArchCase+="$newArchCase" - fi - ;; - esac - fi - done - ;; - - *) - echo >&2 "error: unknown java version $javaVersion" - exit 1 - ;; - esac - - if [ -z "$downloadSource" ]; then - echo >&2 "error: missing download source for $javaVersion-$javaType" - exit 1 - fi - - echo "$javaVersion-$javaType: $linuxVersion ($downloadSource)" - if [ -n "$alpineVersion" ] && [ "$linuxVersion" != "$alpineVersion" ]; then - echo " - alpine: $alpineVersion" - fi - if [ -n "$windowsVersion" ] && [ "$linuxVersion" != "$windowsVersion" ]; then - echo " - windows: $windowsVersion" - fi - - # add "arch case" boilerplate - archCasePrefix=$'case "$arch" in \\\n' - archCaseSuffix=$'# fallback\n' - archCaseSuffix+=$'\t\t*) echo >&2 "error: unsupported architecture: \'$arch\'"; exit 1 ;; \\\n' - archCaseSuffix+=$'\tesac' - linuxArchCase="${archCasePrefix}${linuxArchCase}${archCaseSuffix}" - alpineArchCase="${archCasePrefix}${alpineArchCase}${archCaseSuffix}" - - for variant in \ - oraclelinux{8,7} \ - {,slim-}buster \ - alpine3.12 \ - 
windows/windowsservercore-{1809,ltsc2016} \ - windows/nanoserver-1809 \ - ; do - [ -d "$dir/$variant" ] || continue - - sedArgs=( -r ) - variantVersion= - variantJavaHome= - variantArchCase= - - case "$variant" in - alpine*) - template="Dockerfile-$downloadSource-alpine.template" - from="alpine:${variant#alpine}" - variantVersion="$alpineVersion" - variantJavaHome="/opt/openjdk-$javaVersion" - variantArchCase="$alpineArchCase" - ;; - oraclelinux*) - template="Dockerfile-$downloadSource-oraclelinux.template" - oracleVersion="${variant#oraclelinux}" # "7", "8", etc - from="oraclelinux:$oracleVersion-slim" - variantVersion="$linuxVersion" - variantJavaHome="/usr/java/openjdk-$javaVersion" - variantArchCase="$linuxArchCase" - if [ "$oracleVersion" -eq 7 ]; then - sedArgs+=( - # yum vs microdnf in Oracle Linux 7 - -e "$(sed_s 'microdnf install' 'yum install -y')" - -e "$(sed_s 'microdnf clean all' 'rm -rf /var/cache/yum')" - - # "en_US.UTF-8" vs "C.UTF-8" in Oracle Linux 7 - -e "$(sed_s 'C.UTF-8' 'en_US.UTF-8')" - ) - fi - ;; - windows/*) - variantVersion="$windowsVersion" - variantJavaHome="C:\\\\openjdk-$javaVersion" - windowsRelease="$(basename "$variant")" # "windowsservercore-1809", "nanoserver-1809", etc - windowsVariant="${windowsRelease%%-*}" # "windowsservercore", "nanoserver" - windowsRelease="${windowsRelease#$windowsVariant-}" # "1809", "ltsc2016", etc - windowsVariant="${windowsVariant#windows}" # "servercore", "nanoserver" - template="Dockerfile-$downloadSource-windows-$windowsVariant.template" - from="mcr.microsoft.com/windows/$windowsVariant:$windowsRelease" - if [ "$windowsVariant" = 'nanoserver' ]; then - servercore="openjdk:${variantVersion//+/-}-$javaType-windowsservercore-$windowsRelease" - sedArgs+=( -e "$(sed_s '%%SERVERCORE-IMAGE%%' "$servercore")" ) - fi - sedArgs+=( -e "$(sed_s_pre 'ENV JAVA_URL' "$windowsDownloadUrl")" ) - [ -z "$windowsDownloadSha256" ] || sedArgs+=( -e "$(sed_s_pre 'ENV JAVA_SHA256' "$windowsDownloadSha256")" ) - ;; - 
slim-*) - template="Dockerfile-$downloadSource-debian-slim.template" - from="debian:${variant#slim-}-slim" - variantVersion="$linuxVersion" - variantJavaHome="/usr/local/openjdk-$javaVersion" - variantArchCase="$linuxArchCase" - ;; - *) - template="Dockerfile-$downloadSource-debian.template" - case "$javaType" in - jdk) from="buildpack-deps:$variant-scm" ;; - jre) from="buildpack-deps:$variant-curl" ;; - esac - variantVersion="$linuxVersion" - variantJavaHome="/usr/local/openjdk-$javaVersion" - variantArchCase="$linuxArchCase" - ;; - esac - - sedArgs+=( - -e "$(sed_s_pre 'FROM' "$from")" - -e "$(sed_s_pre 'ENV JAVA_VERSION' "$variantVersion")" - -e "$(sed_s_pre 'ENV JAVA_HOME' "$variantJavaHome")" - ) - [ -z "$variantArchCase" ] || sedArgs+=( -e "$(sed_s '%%ARCH-CASE%%' "$variantArchCase")" ) - - case "$javaType" in - jre) - sedArgs+=( - # no javac or jshell in JRE - -e '/javac --version/d' - -e '/jshell/d' - ) - ;; - esac - - if [ "$javaVersion" = '8' ]; then - sedArgs+=( - # no "--" style flags on OpenJDK 8 - -e 's! --version! -version!g' - - # and no "jshell" until OpenJDK 9 - -e '/jshell/d' - ) - fi - - if [ -z "$variantVersion" ]; then - echo >&2 "warning: missing '$dir/$variant' version!" - rm -f "$dir/$variant/Dockerfile" - continue - fi - - # extra sed to remove any blank line at EOF that removing "jshell" leaves behind - sed "${sedArgs[@]}" "$template" | sed -e '${/^$/d;}' > "$dir/$variant/Dockerfile" - done - done -done +./versions.sh "$@" +./apply-templates.sh "$@" diff --git a/versions.json b/versions.json new file mode 100644 index 00000000..df01825b --- /dev/null +++ b/versions.json 
@@ -0,0 +1,187 @@ +{ + "11": { + "jdk": { + "arches": { + "amd64": { + "url": "https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_x64_linux_11.0.10_9.tar.gz" + }, + "arm64v8": { + "url": "https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_aarch64_linux_11.0.10_9.tar.gz" + }, + "windows-amd64": { + "url": "https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_x64_windows_11.0.10_9.zip" + } + } + }, + "jre": { + "arches": { + "amd64": { + "url": "https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jre_x64_linux_11.0.10_9.tar.gz" + }, + "arm64v8": { + "url": "https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jre_aarch64_linux_11.0.10_9.tar.gz" + }, + "windows-amd64": { + "url": "https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jre_x64_windows_11.0.10_9.zip" + } + } + }, + "source": "adopt", + "variants": [ + "oraclelinux8", + "oraclelinux7", + "buster", + "slim-buster", + "windows/windowsservercore-1809", + "windows/windowsservercore-ltsc2016", + "windows/nanoserver-1809" + ], + "version": "11.0.10" + }, + "15": { + "jdk": { + "arches": { + "amd64": { + "sha256": "91ac6fc353b6bf39d995572b700e37a20e119a87034eeb939a6f24356fbcd207", + "url": "https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-x64_bin.tar.gz" + }, + "arm64v8": { + "sha256": "3958f01858f9290c48c23e7804a0af3624e8eca6749b085c425df4c4f2f7dcbc", + "url": "https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-aarch64_bin.tar.gz" + }, + "windows-amd64": { + "sha256": "ecbe7f32bc6bff2b6c8e9b68f19cbf4ddf54a492c918ba471f32d645cf1c5cf4", + "url": 
"https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_windows-x64_bin.zip" + } + } + }, + "source": "oracle", + "variants": [ + "oraclelinux8", + "oraclelinux7", + "buster", + "slim-buster", + "windows/windowsservercore-1809", + "windows/windowsservercore-ltsc2016", + "windows/nanoserver-1809" + ], + "version": "15.0.2" + }, + "16": { + "alpine": { + "jdk": { + "arches": { + "amd64": { + "sha256": "f9ec3071fdea08ca5be7b149d6c2f2689814e3ee86ee15b7981f5eed76280985", + "url": "https://download.java.net/java/early_access/alpine/32/binaries/openjdk-16-ea+32_linux-x64-musl_bin.tar.gz" + } + } + }, + "version": "16-ea+32" + }, + "jdk": { + "arches": { + "amd64": { + "sha256": "11fd069e3a17a17268b9bb0c8bfd440016af686acfe8d3a4bfd71381fbce22dc", + "url": "https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-x64_bin.tar.gz" + }, + "arm64v8": { + "sha256": "9c294a8b7c440c45968fc16d3aa3261be71b00a7fad22b7aafa2a7b7381e5f2c", + "url": "https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_linux-aarch64_bin.tar.gz" + }, + "windows-amd64": { + "sha256": "3a3a6d963036a20df0ce9ed0a0e9eae6ea27ca34279d9f1960390d3cc56b0f0e", + "url": "https://download.java.net/java/early_access/jdk16/34/GPL/openjdk-16-ea+34_windows-x64_bin.zip" + } + } + }, + "source": "oracle", + "variants": [ + "oraclelinux8", + "oraclelinux7", + "buster", + "slim-buster", + "alpine3.13", + "alpine3.12", + "windows/windowsservercore-1809", + "windows/windowsservercore-ltsc2016", + "windows/nanoserver-1809" + ], + "version": "16-ea+34" + }, + "17": { + "alpine": { + "jdk": { + "arches": { + "amd64": { + "sha256": "709daae3577453dba8e4ea03e8b52daeb11370648d2da1d012df527556c0cda2", + "url": "https://download.java.net/java/early_access/alpine/5/binaries/openjdk-17-ea+5_linux-x64-musl_bin.tar.gz" + } + } + }, + "version": "17-ea+5" + }, + "jdk": { + "arches": { + "amd64": { + "sha256": 
"0e340613945c78b2eb714ba0850604a1a80a9678ba0e8d81f66629c0ca2c36b1", + "url": "https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-x64_bin.tar.gz" + }, + "arm64v8": { + "sha256": "f3f80fc9b41cfddd89d263ae66c0f514aaeb3db2eadd6c9bf3c31e1b2cdcf44e", + "url": "https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_linux-aarch64_bin.tar.gz" + }, + "windows-amd64": { + "sha256": "7fa795be0deebf36bbf21b5775a7aae0a671642dd431b0b068a9db3e6f8306e0", + "url": "https://download.java.net/java/early_access/jdk17/7/GPL/openjdk-17-ea+7_windows-x64_bin.zip" + } + } + }, + "source": "oracle", + "variants": [ + "oraclelinux8", + "oraclelinux7", + "buster", + "slim-buster", + "alpine3.13", + "alpine3.12", + "windows/windowsservercore-1809", + "windows/windowsservercore-ltsc2016", + "windows/nanoserver-1809" + ], + "version": "17-ea+7" + }, + "8": { + "jdk": { + "arches": { + "amd64": { + "url": "https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jdk_x64_linux_8u282b08.tar.gz" + }, + "windows-amd64": { + "url": "https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jdk_x64_windows_8u282b08.zip" + } + } + }, + "jre": { + "arches": { + "amd64": { + "url": "https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jre_x64_linux_8u282b08.tar.gz" + }, + "windows-amd64": { + "url": "https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jre_x64_windows_8u282b08.zip" + } + } + }, + "source": "adopt", + "variants": [ + "oraclelinux8", + "oraclelinux7", + "buster", + "slim-buster", + "windows/windowsservercore-1809", + "windows/windowsservercore-ltsc2016", + "windows/nanoserver-1809" + ], + "version": "8u282" + } +} diff --git a/versions.sh b/versions.sh new file mode 100755 index 00000000..72cec16d --- /dev/null +++ b/versions.sh 
@@ -0,0 +1,275 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"
+
+versions=( "$@" )
+if [ ${#versions[@]} -eq 0 ]; then
+ versions=( */ )
+ json='{}'
+else
+ json="$(< versions.json)"
+fi
+versions=( "${versions[@]%/}" )
+
+tmp="$(mktemp -d)"
+rmTmp="$(printf 'rm -rf %q' "$tmp")"
+trap "$rmTmp" EXIT
+
+_get() {
+ local url="$1"; shift
+ local file="${url////_}"
+ file="${file//%/_}"
+ file="${file//+/_}"
+ file="${file//:/_}"
+ file="$tmp/$file"
+ if [ ! -s "$file" ]; then
+ curl -fsSL "$url" -o "$file" || return 1
+ fi
+ cat "$file"
+}
+
+abs-url() {
+ local url="$1"; shift
+ local base="$1"; shift
+
+ case "$url" in
+ http://* | https://* ) ;;
+
+ /*)
+ local extra="${base#*://*/}"
+ local baseBase="${base%$extra}"
+ baseBase="${baseBase%/}"
+ url="$baseBase$url"
+ ;;
+
+ *)
+ echo >&2 "error: TODO parse '$url' relative to '$base'"
+ exit 1
+ ;;
+ esac
+
+ echo "$url"
+}
+
+adopt-github-url() {
+ local javaVersion="$1"; shift
+
+ local url
+ url="$(
+ curl -fsS --head "https://github.com/AdoptOpenJDK/openjdk${javaVersion}-upstream-binaries/releases/latest" | tac|tac \
+ | tr -d '\r' \
+ | awk 'tolower($1) == "location:" { print $2; found = 1; exit } END { if (!found) { exit 1 } }'
+ )" || return 1
+
+ url="$(abs-url "$url" 'https://github.com')" || return 1
+
+ echo "$url"
+}
+
+adopt-sources-url() {
+ local githubUrl="$1"; shift
+
+ local url
+ url="$(
+ _get "$githubUrl" \
+ | grep -oEm1 'href="[^"]+-sources_[^"]+[.]tar[.]gz"' \
+ | cut -d'"' -f2 \
+ || :
+ )"
+ [ -n "$url" ] || return 1
+
+ url="$(abs-url "$url" "$githubUrl")" || return 1
+
+ echo "$url"
+}
+
+adopt-version() {
+ local githubUrl="$1"; shift
+
+ local version
+ version="$(
+ _get "$githubUrl" \
+ | grep -oE '.+' \
+ | grep -oE ' OpenJDK [^ ]+ ' \
+ | cut -d' ' -f3
+ )" || return 1
+
+ echo "$version"
+}
+
+jdk-java-net-download-url() {
+ local javaVersion="$1"; shift
+ local fileSuffix="$1"; shift
+ _get "https://jdk.java.net/$javaVersion/" \
+ | grep -Eom1 "https://download.java.net/[^\"]+$fileSuffix"
+}
+
+jdk-java-net-download-version() {
+ local javaVersion="$1"; shift
+ local downloadUrl="$1"; shift
+
+ downloadVersion="$(grep -Eom1 "openjdk-$javaVersion[^_]*_" <<<"$downloadUrl")" || return 1
+ downloadVersion="${downloadVersion%_}"
+ downloadVersion="${downloadVersion#openjdk-}"
+ if [ "$javaVersion" = '11' ]; then
+ # 11 is now GA, so drop any +NN (https://github.com/docker-library/openjdk/pull/235#issuecomment-425378941)
+ # future releases will be 11.0.1, for example
+ downloadVersion="${downloadVersion%%+*}"
+ fi
+
+ echo "$downloadVersion"
+}
+
+# see https://stackoverflow.com/a/2705678/433558
+sed_escape_rhs() {
+ sed -e 's/[\/&]/\\&/g' <<<"$*" | sed -e ':a;N;$!ba;s/\n/\\n/g'
+}
+sed_s() {
+ local lhs="$1"; shift
+ local rhs="$1"; shift
+ rhs="$(sed_escape_rhs "$rhs")"
+ echo -n "s/$lhs/$rhs/g"
+}
+sed_s_pre() {
+ local lhs="$1"; shift
+ local rhs="$1"; shift
+ rhs="$(sed_escape_rhs "$rhs")"
+ echo -n "s/^($lhs) .*$/\1 $rhs/"
+}
+
+for version in "${versions[@]}"; do
+ export version
+ doc='{}'
+ if [ "$version" -le 11 ]; then
+ githubUrl="$(adopt-github-url "$version")"
+ sourcesUrl="$(adopt-sources-url "$githubUrl")"
+ javaUrlBaseBase="${sourcesUrl%%-sources_*}-"
+ javaUrlVersion="${sourcesUrl#${javaUrlBaseBase}sources_}"
+ javaUrlVersion="${javaUrlVersion%.tar.gz}"
+
+ adoptVersion="$(adopt-version "$githubUrl")"
+ echo "$version: $adoptVersion"
+ export adoptVersion
+ doc="$(jq <<<"$doc" -c '
+ .version = env.adoptVersion
+ | .source = "adopt"
+ ')"
+
+ possibleArches=(
+ # https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases
+ # https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases
+ 'aarch64_linux'
+ 'x64_linux'
+ 'x64_windows'
+ )
+
+ for javaType in jdk jre; do
+ export javaType
+ javaUrlBase="${javaUrlBaseBase}${javaType}_" # "jre_", "jdk_", etc
+ for arch in "${possibleArches[@]}"; do
+ case "$arch" in
+ *_linux) downloadSuffix='.tar.gz'; bashbrewArch= ;;
+ *_windows) downloadSuffix='.zip'; bashbrewArch='windows-' ;;
+ *) echo >&2 "error: unknown Adopt Upstream arch: '$arch'"; exit 1 ;;
+ esac
+ downloadUrl="${javaUrlBase}${arch}_${javaUrlVersion}${downloadSuffix}"
+ downloadFile="$(basename "$downloadUrl")"
+ if _get "$githubUrl" | grep -qF "$downloadFile"; then
+ case "$arch" in
+ aarch64_*) bashbrewArch+='arm64v8' ;;
+ x64_*) bashbrewArch+='amd64' ;;
+ *) echo >&2 "error: unknown Adopt Upstream arch: '$arch'"; exit 1 ;;
+ esac
+ export bashbrewArch downloadUrl
+ doc="$(jq <<<"$doc" -c '
+ .[env.javaType].arches[env.bashbrewArch] = {
+ url: env.downloadUrl,
+ }
+ ')"
+ fi
+ done
+ done
+ else
+ doc="$(jq <<<"$doc" -c '
+ .source = "oracle"
+ ')"
+ possibleArches=(
+ # https://jdk.java.net/15/
+ # https://jdk.java.net/16/
+ # https://jdk.java.net/17/
+ 'linux-aarch64'
+ 'linux-x64'
+ 'linux-x64-musl'
+ 'windows-x64'
+ )
+ for arch in "${possibleArches[@]}"; do
+ downloadSuffix="_${arch}_bin"
+ case "$arch" in
+ linux-*) downloadSuffix+='.tar.gz'; bashbrewArch= ;;
+ windows-*) downloadSuffix+='.zip'; bashbrewArch='windows-' ;;
+ *) echo >&2 "error: unknown Oracle arch: '$arch'"; exit 1 ;;
+ esac
+ jqExprPrefix=
+ if [[ "$arch" == *-musl ]]; then
+ jqExprPrefix='.alpine'
+ fi
+ if downloadUrl="$(jdk-java-net-download-url "$version" "$downloadSuffix")" \
+ && [ -n "$downloadUrl" ] \
+ && downloadSha256="$(_get "$downloadUrl.sha256")" \
+ && [ -n "$downloadSha256" ] \
+ ; then
+ downloadVersion="$(jdk-java-net-download-version "$version" "$downloadUrl")"
+ currentVersion="$(jq <<<"$doc" -r "$jqExprPrefix.version // \"\"")"
+ if [ -n "$currentVersion" ] && [ "$currentVersion" != "$downloadVersion" ]; then
+ echo >&2 "error: Oracle version mismatch: '$currentVersion' vs '$downloadVersion'"
+ exit 1
+ elif [ -z "$currentVersion" ]; then
+ echo "$version: $downloadVersion${jqExprPrefix:+ (alpine)}"
+ fi
+ case "$arch" in
+ *-aarch64*) bashbrewArch+='arm64v8' ;;
+ *-x64*) bashbrewArch+='amd64' ;;
+ *) echo >&2 "error: unknown Oracle arch: '$arch'"; exit 1 ;;
+ esac
+ export arch bashbrewArch downloadUrl downloadSha256 downloadVersion
+ doc="$(jq <<<"$doc" -c '
+ '"$jqExprPrefix"'.version = env.downloadVersion
+ | '"$jqExprPrefix"'.jdk.arches[env.bashbrewArch] = {
+ url: env.downloadUrl,
+ sha256: env.downloadSha256,
+ }
+ ')"
+ fi
+ done
+ fi
+
+ json="$(jq <<<"$json" -c --argjson doc "$doc" '
+ .[env.version] = $doc + {
+ variants: [
+ (
+ "8",
+ "7"
+ | "oraclelinux" + .),
+ (
+ "buster"
+ | ., "slim-" + .),
+ if $doc.alpine then
+ "3.13",
+ "3.12"
+ | "alpine" + . else empty end,
+ if $doc.jdk.arches | keys | any(startswith("windows-")) then
+ (
+ "1809",
+ "ltsc2016"
+ | "windows/windowsservercore-" + .),
+ (
+ "1809"
+ | "windows/nanoserver-" + .)
+ else empty end
+ ],
+ }
+ ')"
+done
+
+jq <<<"$json" -S . > versions.json
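Review bot: In the Oracle (`else`) branch of the main loop, whatever `_get "$downloadUrl.sha256"` returns is recorded in versions.json as the pinned digest after only a non-empty test, so a truncated or otherwise unexpected response body would silently become the checksum of record. Assuming the `.sha256` file holds a bare lowercase hex digest (to confirm), a format guard before the `jq` call would catch that: `[[ "$downloadSha256" =~ ^[0-9a-f]{64}$ ]] || { echo >&2 "error: unexpected sha256 for '$downloadUrl'"; exit 1; }`. The digest is fetched from the same host as the archive, so it pins the artifact as seen at update time rather than authenticating it independently, which deserves a comment such as `# sha256 comes from the download host itself: a pin, not an independent verification`. The Adopt branch records only `url` with no digest; if the templates verify those downloads another way (presumably a signature check, not visible in this hunk), a comment next to `url: env.downloadUrl,` should say so.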