adoptium · github-actions · Jul 10, 2024 · Jul 10, 2024
diff --git a/11/jdk/ubuntu/noble/Dockerfile b/11/jdk/ubuntu/noble/Dockerfile
@@ -0,0 +1,105 @@
+# ------------------------------------------------------------------------------
+#               NOTE: THIS DOCKERFILE IS GENERATED VIA "generate_dockerfiles.py"
+#
+#                       PLEASE DO NOT EDIT IT DIRECTLY.
+# ------------------------------------------------------------------------------
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+FROM ubuntu:24.04
+
+ENV JAVA_HOME /opt/java/openjdk
+ENV PATH $JAVA_HOME/bin:$PATH
+
+# Default to UTF-8 file.encoding
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+RUN set -eux; \
+    apt-get update; \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        # curl required for historical reasons, see https://github.com/adoptium/containers/issues/255
+        curl \
+        wget \
+        # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
+        # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
+        # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077
+        fontconfig \
+        # utilities for keeping Ubuntu and OpenJDK CA certificates in sync
+        # https://github.com/adoptium/containers/issues/293
+        ca-certificates p11-kit \
+        tzdata \
+        # locales ensures proper character encoding and locale-specific behaviors using en_US.UTF-8
+        locales \
+    ; \
+    echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen; \
+    locale-gen en_US.UTF-8; \
+    rm -rf /var/lib/apt/lists/*
+
+ENV JAVA_VERSION jdk-11.0.23+9
+
+RUN set -eux; \
+    ARCH="$(dpkg --print-architecture)"; \
+    case "${ARCH}" in \
+       amd64) \
+         ESUM='23e47ea7a3015be3240f21185fd902adebdcf76530757c9b482c7eb5bd3417c2'; \
+         BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.23%2B9/OpenJDK11U-jdk_x64_linux_hotspot_11.0.23_9.tar.gz'; \
+         ;; \
+       arm64) \
+         ESUM='e00476a7be3c4adfa9b3d55d30768967fd246a8352e518894e183fa444d4d3ce'; \
+         BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.23%2B9/OpenJDK11U-jdk_aarch64_linux_hotspot_11.0.23_9.tar.gz'; \
+         ;; \
+       armhf) \
+         ESUM='8077edc07a57d846c3d11286a7caf05ed6ca6d6c1234bf0e03611f18e187f075'; \
+         BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.23%2B9/OpenJDK11U-jdk_arm_linux_hotspot_11.0.23_9.tar.gz'; \
+         ;; \
+       ppc64el) \
+         ESUM='f56068bb64c6bf858894f75c2bc261f54db32932422eb07527f36ae40046e9a0'; \
+         BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.23%2B9/OpenJDK11U-jdk_ppc64le_linux_hotspot_11.0.23_9.tar.gz'; \
+         ;; \
+       s390x) \
+         ESUM='cf06c3e41acfaeda77112ac04f5a711cafe9fa9ac04dff758696fe7e8d66a0ea'; \
+         BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.23%2B9/OpenJDK11U-jdk_s390x_linux_hotspot_11.0.23_9.tar.gz'; \
+         ;; \
+       *) \
+         echo "Unsupported arch: ${ARCH}"; \
+         exit 1; \
+         ;; \
+    esac; \
+    wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; \
+    echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \
+    mkdir -p "$JAVA_HOME"; \
+    tar --extract \
+        --file /tmp/openjdk.tar.gz \
+        --directory "$JAVA_HOME" \
+        --strip-components 1 \
+        --no-same-owner \
+    ; \
+    rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip; \
+    # https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472
+    find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \
+    ldconfig; \
+    # https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840
+    # https://openjdk.java.net/jeps/341
+    java -Xshare:dump;
+
+RUN set -eux; \
+    echo "Verifying install ..."; \
+    fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; \
+    echo "javac --version"; javac --version; \
+    echo "java --version"; java --version; \
+    echo "Complete."
+COPY entrypoint.sh /__cacert_entrypoint.sh
+ENTRYPOINT ["/__cacert_entrypoint.sh"]
+
+CMD ["jshell"]
diff --git a/11/jdk/ubuntu/noble/entrypoint.sh b/11/jdk/ubuntu/noble/entrypoint.sh
@@ -0,0 +1,89 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# JDK truststore location
+CACERT=$JAVA_HOME/lib/security/cacerts
+
+# JDK8 puts its JRE in a subdirectory
+if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+    CACERT=$JAVA_HOME/jre/lib/security/cacerts
+fi
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    if [ ! -w /tmp ]; then
+        echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore."
+        exit 1
+    fi
+
+    # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not,
+    # we'll use a temporary truststore.
+    if [ ! -w "$CACERT" ]; then
+        # We cannot write to the JVM truststore, so we create a temporary one
+        CACERT_NEW=$(mktemp)
+        echo "Using a temporary truststore at $CACERT_NEW"
+        cp $CACERT $CACERT_NEW
+        CACERT=$CACERT_NEW
+        # If we use a custom truststore, we need to make sure that the JVM uses it
+        export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit"
+    fi
+
+    tmp_store=$(mktemp)
+
+    # Copy full system CA store to a temporary location
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store"
+
+    # Add the system CA certificates to the JVM truststore.
+    keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null
+
+    # Import the additional certificate into JVM truststore
+    for i in /certificates/*crt; do
+        if [ ! -f "$i" ]; then
+            continue
+        fi
+        keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null
+    done
+
+    # Add additional certificates to the system CA store. This requires write permissions to several system
+    # locations, which is not possible in a container with read-only filesystem and/or non-root container.
+    if [ "$(id -u)" -eq 0 ]; then
+
+        # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+        # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+        # system location, for whatever reason.
+        if [ -d /certificates ] && [ "$(ls -A /certificates 2>/dev/null)" ]; then
+
+            # UBI
+            if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
+            fi
+
+            # Ubuntu/Alpine
+            if [ -d /usr/local/share/ca-certificates/ ]; then
+                cp -La /certificates/* /usr/local/share/ca-certificates/
+            fi
+        fi
+
+        # UBI
+        if which update-ca-trust >/dev/null; then
+            update-ca-trust
+        fi
+
+        # Ubuntu/Alpine
+        if which update-ca-certificates >/dev/null; then
+            update-ca-certificates
+        fi
+    else
+        # If we are not root, we cannot update the system truststore. That's bad news for tools like `curl` and `wget`,
+        # but since the JVM is the primary focus here, we can live with that.
+        true
+    fi
+fi
+
+# Let's provide a variable with the correct path for tools that want or need to use it
+export CACERT
+
+exec "$@"
diff --git a/11/jre/ubuntu/noble/Dockerfile b/11/jre/ubuntu/noble/Dockerfile
@@ -0,0 +1,101 @@
+# ------------------------------------------------------------------------------
+#               NOTE: THIS DOCKERFILE IS GENERATED VIA "generate_dockerfiles.py"
+#
+#                       PLEASE DO NOT EDIT IT DIRECTLY.
+# ------------------------------------------------------------------------------
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+FROM ubuntu:24.04
+
+ENV JAVA_HOME /opt/java/openjdk
+ENV PATH $JAVA_HOME/bin:$PATH
+
+# Default to UTF-8 file.encoding
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+RUN set -eux; \
+    apt-get update; \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        # curl required for historical reasons, see https://github.com/adoptium/containers/issues/255
+        curl \
+        wget \
+        # java.lang.UnsatisfiedLinkError: libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
+        # java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
+        # https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077
+        fontconfig \
+        # utilities for keeping Ubuntu and OpenJDK CA certificates in sync
+        # https://github.com/adoptium/containers/issues/293
+        ca-certificates p11-kit \
+        tzdata \
+        # locales ensures proper character encoding and locale-specific behaviors using en_US.UTF-8
+        locales \
+    ; \
+    echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen; \
+    locale-gen en_US.UTF-8; \
+    rm -rf /var/lib/apt/lists/*
+
+ENV JAVA_VERSION jdk-11.0.23+9
+
+RUN set -eux; \
+    ARCH="$(dpkg --print-architecture)"; \
+    case "${ARCH}" in \
+       amd64) \
+         ESUM='786a72296189ba8e43999532aa73730d87ec1fce558eb3c4e98b611b423375e3'; \
+         BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.23%2B9/OpenJDK11U-jre_x64_linux_hotspot_11.0.23_9.tar.gz'; \
+         ;; \
+       arm64) \
+         ESUM='7290ace47a030d89ea023c28e7aa555c9da72b4194f73b39ec9d058011bf06dd'; \
+         BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.23%2B9/OpenJDK11U-jre_aarch64_linux_hotspot_11.0.23_9.tar.gz'; \
+         ;; \
+       armhf) \
+         ESUM='025f994549708f7291ce3b0fa7c41f7e78ec3af3eae3f85fffe9c5fa4a54889f'; \
+         BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.23%2B9/OpenJDK11U-jre_arm_linux_hotspot_11.0.23_9.tar.gz'; \
+         ;; \
+       ppc64el) \
+         ESUM='3b3fbd324620fd914bd8462e292124493fcf846fd69195c4b9a231131dc68d5f'; \
+         BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.23%2B9/OpenJDK11U-jre_ppc64le_linux_hotspot_11.0.23_9.tar.gz'; \
+         ;; \
+       s390x) \
+         ESUM='25abb7f74f55847b0d509402111084bd7a244d904744f3bfffa89528bc3b8a69'; \
+         BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.23%2B9/OpenJDK11U-jre_s390x_linux_hotspot_11.0.23_9.tar.gz'; \
+         ;; \
+       *) \
+         echo "Unsupported arch: ${ARCH}"; \
+         exit 1; \
+         ;; \
+    esac; \
+    wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; \
+    echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; \
+    mkdir -p "$JAVA_HOME"; \
+    tar --extract \
+        --file /tmp/openjdk.tar.gz \
+        --directory "$JAVA_HOME" \
+        --strip-components 1 \
+        --no-same-owner \
+    ; \
+    rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip; \
+    # https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472
+    find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \
+    ldconfig; \
+    # https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840
+    # https://openjdk.java.net/jeps/341
+    java -Xshare:dump;
+
+RUN set -eux; \
+    echo "Verifying install ..."; \
+    echo "java --version"; java --version; \
+    echo "Complete."
+COPY entrypoint.sh /__cacert_entrypoint.sh
+ENTRYPOINT ["/__cacert_entrypoint.sh"]
diff --git a/11/jre/ubuntu/noble/entrypoint.sh b/11/jre/ubuntu/noble/entrypoint.sh
@@ -0,0 +1,89 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# JDK truststore location
+CACERT=$JAVA_HOME/lib/security/cacerts
+
+# JDK8 puts its JRE in a subdirectory
+if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+    CACERT=$JAVA_HOME/jre/lib/security/cacerts
+fi
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    if [ ! -w /tmp ]; then
+        echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore."
+        exit 1
+    fi
+
+    # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not,
+    # we'll use a temporary truststore.
+    if [ ! -w "$CACERT" ]; then
+        # We cannot write to the JVM truststore, so we create a temporary one
+        CACERT_NEW=$(mktemp)
+        echo "Using a temporary truststore at $CACERT_NEW"
+        cp $CACERT $CACERT_NEW
+        CACERT=$CACERT_NEW
+        # If we use a custom truststore, we need to make sure that the JVM uses it
+        export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit"
+    fi
+
+    tmp_store=$(mktemp)
+
+    # Copy full system CA store to a temporary location
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store"
+
+    # Add the system CA certificates to the JVM truststore.
+    keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null
+
+    # Import the additional certificate into JVM truststore
+    for i in /certificates/*crt; do
+        if [ ! -f "$i" ]; then
+            continue
+        fi
+        keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null
+    done
+
+    # Add additional certificates to the system CA store. This requires write permissions to several system
+    # locations, which is not possible in a container with read-only filesystem and/or non-root container.
+    if [ "$(id -u)" -eq 0 ]; then
+
+        # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+        # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+        # system location, for whatever reason.
+        if [ -d /certificates ] && [ "$(ls -A /certificates 2>/dev/null)" ]; then
+
+            # UBI
+            if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
+            fi
+
+            # Ubuntu/Alpine
+            if [ -d /usr/local/share/ca-certificates/ ]; then
+                cp -La /certificates/* /usr/local/share/ca-certificates/
+            fi
+        fi
+
+        # UBI
+        if which update-ca-trust >/dev/null; then
+            update-ca-trust
+        fi
+
+        # Ubuntu/Alpine
+        if which update-ca-certificates >/dev/null; then
+            update-ca-certificates
+        fi
+    else
+        # If we are not root, we cannot update the system truststore. That's bad news for tools like `curl` and `wget`,
+        # but since the JVM is the primary focus here, we can live with that.
+        true
+    fi
+fi
+
+# Let's provide a variable with the correct path for tools that want or need to use it
+export CACERT
+
+exec "$@"