dockerfile: automated nightly updates (#525)

22/jdk/alpine/Dockerfile

@@ -0,0 +1,84 @@
+# ------------------------------------------------------------------------------
+#               NOTE: THIS DOCKERFILE IS GENERATED VIA "generate_dockerfiles.py"
+#
+#                       PLEASE DO NOT EDIT IT DIRECTLY.
+# ------------------------------------------------------------------------------
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+FROM alpine:3.19
+
+ENV JAVA_HOME /opt/java/openjdk
+ENV PATH $JAVA_HOME/bin:$PATH
+
+# Default to UTF-8 file.encoding
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+RUN set -eux; \
+    apk add --no-cache \
+        # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
+        # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
+        # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077
+        fontconfig ttf-dejavu \
+        # utilities for keeping Alpine and OpenJDK CA certificates in sync
+        # https://github.com/adoptium/containers/issues/293
+        ca-certificates p11-kit-trust \
+        # locales ensures proper character encoding and locale-specific behaviors using en_US.UTF-8
+        musl-locales musl-locales-lang \
+        # jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351
+        # Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory
+        binutils \
+        tzdata \
+    ; \
+    rm -rf /var/cache/apk/*
+
+ENV JAVA_VERSION jdk-22+36
+
+RUN set -eux; \
+    ARCH="$(apk --print-arch)"; \
+    case "${ARCH}" in \
+       aarch64|arm64) \
+         ESUM='e6c97db54afe145a8f93f9ca728b4df8a0490a45f0f999999c7464c64612e936'; \
+         BINARY_URL='https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22%2B36/OpenJDK22U-jdk_aarch64_alpine-linux_hotspot_22_36.tar.gz'; \
+         ;; \
+       amd64|x86_64) \
+         ESUM='f88fbe6360276cc9aec406802838ff0cfb368e08c2b1cf7b6fa78a846266a7af'; \
+         BINARY_URL='https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22%2B36/OpenJDK22U-jdk_x64_alpine-linux_hotspot_22_36.tar.gz'; \
+         ;; \
+       *) \
+         echo "Unsupported arch: ${ARCH}"; \
+         exit 1; \
+         ;; \
+    esac; \
+    wget -O /tmp/openjdk.tar.gz ${BINARY_URL}; \
+    echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \
+    mkdir -p "$JAVA_HOME"; \
+    tar --extract \
+        --file /tmp/openjdk.tar.gz \
+        --directory "$JAVA_HOME" \
+        --strip-components 1 \
+        --no-same-owner \
+    ; \
+    rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip;
+
+RUN set -eux; \
+    echo "Verifying install ..."; \
+    fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \
+    echo "javac --version"; javac --version; \
+    echo "java --version"; java --version; \
+    echo "Complete."
+COPY entrypoint.sh /__cacert_entrypoint.sh
+ENTRYPOINT ["/__cacert_entrypoint.sh"]
+
+CMD ["jshell"]

22/jdk/alpine/entrypoint.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ -n "$(ls -A /certificates 2>/dev/null)" ]; then
+        cp -a /certificates/* /usr/local/share/ca-certificates/
+    fi
+
+    CACERT="$JAVA_HOME/lib/security/cacerts"
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT="$JAVA_HOME/jre/lib/security/cacerts"
+    fi
+
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+    update-ca-certificates
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"

22/jdk/ubi/ubi9-minimal/Dockerfile

@@ -0,0 +1,89 @@
+# ------------------------------------------------------------------------------
+#               NOTE: THIS DOCKERFILE IS GENERATED VIA "generate_dockerfiles.py"
+#
+#                       PLEASE DO NOT EDIT IT DIRECTLY.
+# ------------------------------------------------------------------------------
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+FROM redhat/ubi9-minimal
+
+ENV JAVA_HOME /opt/java/openjdk
+ENV PATH $JAVA_HOME/bin:$PATH
+
+# Default to UTF-8 file.encoding
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+RUN set -eux; \
+    microdnf install -y \
+        gzip \
+        tar \
+        # Required for objdump and also jlink
+        binutils \
+        tzdata \
+        wget \
+        # utilities for keeping UBI and OpenJDK CA certificates in sync
+        # https://github.com/adoptium/containers/issues/293
+        ca-certificates \
+        # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
+        # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
+        # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077
+        fontconfig \
+        glibc-langpack-en \
+    ; \
+    microdnf clean all
+
+ENV JAVA_VERSION jdk-22+36
+
+RUN set -eux; \
+    ARCH="$(objdump="$(command -v objdump)" && objdump --file-headers "$objdump" | awk -F '[:,]+[[:space:]]+' '$1 == "architecture" { print $2 }')"; \
+    case "${ARCH}" in \
+       aarch64|arm64) \
+         ESUM='4b52670caea44848cee893e35c804380817b6eff166cf64ee70ca2bfaac3d1c7'; \
+         BINARY_URL='https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22%2B36/OpenJDK22U-jdk_aarch64_linux_hotspot_22_36.tar.gz'; \
+         ;; \
+       amd64|i386:x86-64) \
+         ESUM='bc3d99e816d0c373f424cd7aa2b6d3e8081a7189fe55c1561616922200ec8e47'; \
+         BINARY_URL='https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22%2B36/OpenJDK22U-jdk_x64_linux_hotspot_22_36.tar.gz'; \
+         ;; \
+       ppc64el|powerpc:common64) \
+         ESUM='8c062e934d95c639f97b4e51b968eed694a6653248727c3db8bc5e0e55cfd7f4'; \
+         BINARY_URL='https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22%2B36/OpenJDK22U-jdk_ppc64le_linux_hotspot_22_36.tar.gz'; \
+         ;; \
+       *) \
+         echo "Unsupported arch: ${ARCH}"; \
+         exit 1; \
+         ;; \
+    esac; \
+    wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; \
+    echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \
+    mkdir -p "$JAVA_HOME"; \
+    tar --extract \
+        --file /tmp/openjdk.tar.gz \
+        --directory "$JAVA_HOME" \
+        --strip-components 1 \
+        --no-same-owner \
+    ; \
+    rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip;
+
+RUN set -eux; \
+    echo "Verifying install ..."; \
+    fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \
+    echo "javac --version"; javac --version; \
+    echo "java --version"; java --version; \
+    echo "Complete."
+COPY entrypoint.sh /__cacert_entrypoint.sh
+ENTRYPOINT ["/__cacert_entrypoint.sh"]
+
+CMD ["jshell"]

22/jdk/ubi/ubi9-minimal/entrypoint.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Shebang needs to be `bash`, see https://github.com/adoptium/containers/issues/415 for details
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+    # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+    update-ca-trust
+
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"

22/jdk/ubuntu/jammy/Dockerfile

@@ -0,0 +1,98 @@
+# ------------------------------------------------------------------------------
+#               NOTE: THIS DOCKERFILE IS GENERATED VIA "generate_dockerfiles.py"
+#
+#                       PLEASE DO NOT EDIT IT DIRECTLY.
+# ------------------------------------------------------------------------------
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+FROM ubuntu:22.04
+
+ENV JAVA_HOME /opt/java/openjdk
+ENV PATH $JAVA_HOME/bin:$PATH
+
+# Default to UTF-8 file.encoding
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+RUN set -eux; \
+    apt-get update; \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        wget \
+        # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
+        # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
+        # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077
+        fontconfig \
+        # utilities for keeping Ubuntu and OpenJDK CA certificates in sync
+        # https://github.com/adoptium/containers/issues/293
+        ca-certificates p11-kit \
+        # jlink --strip-debug on 13+ needs objcopy: https://github.com/docker-library/openjdk/issues/351
+        # Error: java.io.IOException: Cannot run program "objcopy": error=2, No such file or directory
+        binutils \
+        tzdata \
+        # locales ensures proper character encoding and locale-specific behaviors using en_US.UTF-8
+        locales \
+    ; \
+    echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen; \
+    locale-gen en_US.UTF-8; \
+    rm -rf /var/lib/apt/lists/*
+
+ENV JAVA_VERSION jdk-22+36
+
+RUN set -eux; \
+    ARCH="$(dpkg --print-architecture)"; \
+    case "${ARCH}" in \
+       aarch64|arm64) \
+         ESUM='4b52670caea44848cee893e35c804380817b6eff166cf64ee70ca2bfaac3d1c7'; \
+         BINARY_URL='https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22%2B36/OpenJDK22U-jdk_aarch64_linux_hotspot_22_36.tar.gz'; \
+         ;; \
+       amd64|i386:x86-64) \
+         ESUM='bc3d99e816d0c373f424cd7aa2b6d3e8081a7189fe55c1561616922200ec8e47'; \
+         BINARY_URL='https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22%2B36/OpenJDK22U-jdk_x64_linux_hotspot_22_36.tar.gz'; \
+         ;; \
+       ppc64el|powerpc:common64) \
+         ESUM='8c062e934d95c639f97b4e51b968eed694a6653248727c3db8bc5e0e55cfd7f4'; \
+         BINARY_URL='https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22%2B36/OpenJDK22U-jdk_ppc64le_linux_hotspot_22_36.tar.gz'; \
+         ;; \
+       *) \
+         echo "Unsupported arch: ${ARCH}"; \
+         exit 1; \
+         ;; \
+    esac; \
+    wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; \
+    echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \
+    mkdir -p "$JAVA_HOME"; \
+    tar --extract \
+        --file /tmp/openjdk.tar.gz \
+        --directory "$JAVA_HOME" \
+        --strip-components 1 \
+        --no-same-owner \
+    ; \
+    rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip; \
+    # https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472
+    find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \
+    ldconfig; \
+    # https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840
+    # https://openjdk.java.net/jeps/341
+    java -Xshare:dump;
+
+RUN set -eux; \
+    echo "Verifying install ..."; \
+    fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \
+    echo "javac --version"; javac --version; \
+    echo "java --version"; java --version; \
+    echo "Complete."
+COPY entrypoint.sh /__cacert_entrypoint.sh
+ENTRYPOINT ["/__cacert_entrypoint.sh"]
+
+CMD ["jshell"]

22/jdk/ubuntu/jammy/entrypoint.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Sheband needs to be `bash`, see https://github.com/adoptium/containers/issues/415 for details
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/local/share/ca-certificates/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+    update-ca-certificates
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"