Morgan,

We see that you added some group, user and directory to the Dockerfile. Not sure if you are also intending to start imposing that on the projects.

Currently, most of the projects already have some convention to them regarding group, user and where they place all their binaries etc. So if you expect changes for that, I don’t think that would be appropriate at this timeframe for Frankfurt. Since we are not trying to retain Alpine and are simply going to pull from openjdk:11.0.5-jre-slim, then perhaps this image from Integration isn’t needed.

We can discuss whether ONAP wants to impose group, user and directory structure for G release.

Again, it would be good for the community to understand that we are no longer Alpine, nor are we going back to Ubuntu, but rather the base for the ONAP images will be Debian.

Thanks,
Pam

From: "[email protected]" <[email protected]>
Date: Wednesday, January 8, 2020 at 11:29 AM
To: "DRAGOSH, PAMELA L (PAM)" <[email protected]>, "[email protected]" <[email protected]>, DESBUREAUX Sylvain TGI/OLN <[email protected]>, "ZWARICO, AMY" <[email protected]>, "LUNANUOVA, DOMINIC (DOMINIC)" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [onap-discuss] [ONAP] [Integration] Java11 ONAP docker

I just updated the docker after Sylvain's comment :)

On Wednesday, 08 January 2020 at 15:23 +0000, LUNANUOVA, DOMINIC (DOMINIC) wrote:

Sylvain,

Perhaps your suggestion is already used by Morgan? I find Morgan’s Dockerfile <https://gitlab.com/onap-integration/docker/onap-java/blob/master/Dockerfile> to use base image: openjdk:11.0.5-jre-slim

If not, please provide a specific reference to what you mean by “we can use openjdk11 official jre-slim”.

-Dom

From: [email protected] [mailto:[email protected]] On Behalf Of Sylvain Desbureaux via Lists.Onap.Org
Sent: Wednesday, January 8, 2020 7:36 AM
To: RICHOMME Morgan TGI/OLN <[email protected]>; DRAGOSH, PAMELA L (PAM) <[email protected]>; ZWARICO, AMY <[email protected]>
Cc: [email protected]; [email protected]
Subject: Re: [onap-discuss] [ONAP] [Integration] Java11 ONAP docker

Hi Morgan

I believe that instead of openjdk11 official slim images we can use openjdk11 official jre-slim images as we don’t compile AFAIK in our Docker (and if we are, I believe it’s a bad pattern). We move from 215Mo to 70Mo compressed (and maybe we get rid of some CVEs).

Regards,
---
Sylvain Desbureaux

From: RICHOMME Morgan TGI/OLN <[email protected]>
Date: Tuesday, 7 January 2020 at 11:12
To: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, DESBUREAUX Sylvain TGI/OLN <[email protected]>
Subject: [ONAP] [Integration] Java11 ONAP docker

Hi Amy and Pam,

As discussed during the PTL meeting yesterday, I generated a dockerfile for java11.
For the moment I do everything in gitlab.com as I do not have the repositories in ONAP.
You can find the code here: https://gitlab.com/onap-integration/docker/onap-java

One of the advantages is that we automatically leverage all the built-in features of gitlab.com (it will take time to do the same from LF repos)
- registry: docker built automatically and available in registry.gitlab.com/onap-integration/docker/onap-java:latest
- CI including several addons such as container_scanning (with klar '2.4.0' and clair 'v2.1.2') or licence verification https://gitlab.com/onap-integration/docker/onap-java/pipelines/107470068
- security scan results: https://gitlab.com/onap-integration/docker/onap-java/security/dashboard/?project_id=15652149&scope=dismissed&page=1&days=90
- 46 vulnerabilities found linked to Debian vulnerabilities which is used by openjdk to build their image (1 high (CVE-2019-18224 in libidn2), 4 medium, 41 low).

The docker itself is very basic.
I started from openjdk11 official slim images (1 layer, 215Mo (compressed)).
I added an onap group and an onap user.
I created two env variables:
- JAVA_SEC_OPTS=""
- JAVA_OPTS="-Xms256m -Xmx1g"
so it is possible through env variables to overwrite these values.
I assume that the jar file is put in /opt/onap/app.jar and I set the entry point as
    java $JAVA_SEC_OPTS $JAVA_OPTS -jar /opt/$user/app.jar
so if you create your docker from this docker, you in theory need to copy your jar and it should be OK...to be tested

Any comments/modifications/suggestions on the Dockerfile welcome.
The gitlab.com project is under Apache v2 licence and fully Open Source.
If you want to be added as member of the gitlab.com project, do not hesitate.

/Morgan

View/Reply Online (#19737): https://lists.onap.org/g/onap-discuss/message/19737
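
A Dockerfile along the lines described in Morgan's original message, given here as an added example; it is not the file from the gitlab.com project. The base image tag, the onap user and group, the two environment defaults and the jar path come from the thread; the numeric IDs 1000, the nologin shell, the directory ownership and the `target/app.jar` build path are assumptions.

```dockerfile
# Added example, not the Dockerfile from gitlab.com/onap-integration/docker/onap-java.
FROM openjdk:11.0.5-jre-slim

# Assumption: fixed numeric IDs, so volume ownership and any runAsUser
# setting stay stable across rebuilds. The thread only names "onap".
ARG user=onap
ARG group=onap
ARG uid=1000
ARG gid=1000

# Dedicated unprivileged account with no login shell; it owns only /opt/onap.
RUN groupadd --gid "${gid}" "${group}" \
 && useradd --uid "${uid}" --gid "${gid}" --no-create-home \
            --home-dir "/opt/${user}" --shell /usr/sbin/nologin "${user}" \
 && mkdir -p "/opt/${user}" \
 && chown "${user}:${group}" "/opt/${user}"

# Defaults from the thread; override at start with
#   docker run -e JAVA_OPTS="-Xms512m -Xmx2g" ...
ENV JAVA_SEC_OPTS="" \
    JAVA_OPTS="-Xms256m -Xmx1g"

WORKDIR /opt/${user}

# Numeric USER so an orchestrator can confirm the container is non-root
# without resolving a name through /etc/passwd.
USER ${uid}:${gid}

# A shell is needed so $JAVA_SEC_OPTS and $JAVA_OPTS are expanded when the
# container starts; `exec` replaces that shell, so the JVM runs as PID 1
# and receives SIGTERM on `docker stop`.
# ARG values do not exist at run time, so the jar path is written literally
# rather than as /opt/$user/app.jar.
ENTRYPOINT ["/bin/sh", "-c", "exec java $JAVA_SEC_OPTS $JAVA_OPTS -jar /opt/onap/app.jar"]

# A project image built on top then only adds its jar
# (target/app.jar is a hypothetical build output path):
#   FROM registry.gitlab.com/onap-integration/docker/onap-java:latest
#   COPY --chown=onap:onap target/app.jar /opt/onap/app.jar
```

Because the options are expanded unquoted by the shell, anyone who can set `JAVA_OPTS` or `JAVA_SEC_OPTS` on the container controls the JVM command line, so those variables belong under the same access control as the image itself.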
