From 2fa8ba07de74bea43830218ead485c78a3000c2d Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 28 Apr 2026 16:52:55 +0200
Subject: [PATCH] fix: swap Chainguard JRE to BellSoft Liberica JRE 21
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Chainguard free tier only offers :latest (currently JDK 26, unpinned); the :openjdk-21 tag requires a paid subscription, breaking CI.

Switch both Dockerfiles to bellsoft/liberica-runtime-container:jre-21-slim-glibc:
- Pinned to JDK 21 LTS
- Smallest image (199 MB vs 441/491 MB)
- glibc-based Alpaquita Linux, sh-only (no bash, no pkg manager)
- Free, multi-arch (amd64 + arm64)
- Has sh — required by cameleer-server's DeploymentExecutor (withCmd "sh -c")

Use nobody:nobody (65534) instead of Chainguard's nonroot (65532).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 Dockerfile | 11 +++++------
 docker/runtime-base/Dockerfile | 8 ++++----
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 969019a..1621ef3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,12 +20,11 @@ COPY src/ src/
 COPY --from=frontend /ui/dist/ src/main/resources/static/
 RUN --mount=type=cache,target=/root/.m2/repository ./mvnw package -DskipTests -U -B
 
-# Runtime: Chainguard Wolfi-based JRE (glibc, daily CVE refresh, non-root by default)
-FROM cgr.dev/chainguard/jre:openjdk-21
+# Runtime: BellSoft Liberica JRE 21 on Alpaquita Linux (glibc, minimal, 199 MB)
+FROM bellsoft/liberica-runtime-container:jre-21-slim-glibc
 WORKDIR /app
-USER root
-RUN mkdir -p /data/jars && chown -R nonroot:nonroot /data
-COPY --chown=nonroot:nonroot --from=build /build/target/*.jar app.jar
-USER nonroot
+RUN mkdir -p /data/jars && chown -R nobody:nobody /data /app
+COPY --chown=nobody:nobody --from=build /build/target/*.jar app.jar
+USER nobody
 EXPOSE 8080
 ENTRYPOINT ["java", "-jar", "app.jar"]
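Review bot: The new `RUN mkdir -p /data/jars && chown -R nobody:nobody /data /app` together with `COPY --chown=nobody:nobody` make /app and app.jar itself owned by the user the JVM runs as, whereas the removed lines handed only /data to the runtime user; a compromised process can then overwrite its own jar in place, so this is a least-privilege regression unless the application really needs to write into its working directory. Keep `RUN mkdir -p /data/jars && chown -R nobody:nobody /data` and copy the jar root-owned and read-only, e.g. `COPY --from=build --chmod=444 /build/target/*.jar app.jar` (BuildKit is already required by the `--mount=type=cache` line above). `USER nobody` is a name, not a UID, so a Kubernetes `runAsNonRoot` policy cannot verify it and rejects the pod; `USER 65534:65534` (the UID the commit message already cites) avoids that, and the same applies to the `USER nobody` added at the end of docker/runtime-base/Dockerfile. The FROM line is a floating tag although the commit's motivation is pinning; pin the digest as the runtime-base comment already asks: `FROM bellsoft/liberica-runtime-container:jre-21-slim-glibc@sha256:<digest-placeholder>`.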
diff --git a/docker/runtime-base/Dockerfile b/docker/runtime-base/Dockerfile
index f48daa8..ca75e8f 100644
--- a/docker/runtime-base/Dockerfile
+++ b/docker/runtime-base/Dockerfile
@@ -1,7 +1,6 @@
-# Wolfi-based JRE, glibc, daily-rebuilt with near-zero baseline CVEs,
-# signed images + SBOM published, non-root by default. Pin by digest in
-# production overlays.
-FROM cgr.dev/chainguard/jre:openjdk-21
+# BellSoft Liberica JRE 21 on Alpaquita Linux (glibc, minimal, 199 MB).
+# Pin by digest in production overlays.
+FROM bellsoft/liberica-runtime-container:jre-21-slim-glibc
 
 WORKDIR /app
 
@@ -15,3 +14,4 @@ COPY cameleer-log-appender.jar /app/cameleer-log-appender.jar
 # -cp + main; native: exec) and overrides via withCmd("sh","-c",...).
 # Setting one here only creates drift between this image and the actual
 # runtime command.
+USER nobody
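Review bot: The replacement comment on the FROM line drops the properties the old one documented (daily rebuild, signed images, SBOM) without saying what the new base offers operators instead, and the commit message notes the image has no package manager, which is the consequence worth recording here. Suggested comment: `# BellSoft Liberica JRE 21 on Alpaquita Linux (glibc, minimal, 199 MB). No package manager: CVE fixes arrive only by bumping this tag/digest. Pin by digest in production overlays.` A note on signature/SBOM verification should be restored once it is known how the new publisher's images are verified; the commit message does not say.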