fix: swap Chainguard JRE to BellSoft Liberica JRE 21
All checks were successful
CI / build (push) Successful in 2m16s
CI / docker (push) Successful in 1m40s

Chainguard free tier only offers :latest (currently JDK 26, unpinned);
the :openjdk-21 tag requires a paid subscription, breaking CI.

Switch both Dockerfiles to bellsoft/liberica-runtime-container:jre-21-slim-glibc:
- Pinned to JDK 21 LTS
- Smallest image (199 MB vs 441/491 MB)
- glibc-based Alpaquita Linux, sh-only (no bash, no pkg manager)
- Free, multi-arch (amd64 + arm64)
- Has sh — required by cameleer-server's DeploymentExecutor (withCmd "sh -c")

Use nobody:nobody (65534) instead of Chainguard's nonroot (65532).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
hsiegeln
2026-04-28 16:52:55 +02:00
parent 966691f2c8
commit 2fa8ba07de
2 changed files with 9 additions and 10 deletions


@@ -20,12 +20,11 @@ COPY src/ src/
COPY --from=frontend /ui/dist/ src/main/resources/static/ COPY --from=frontend /ui/dist/ src/main/resources/static/
RUN --mount=type=cache,target=/root/.m2/repository ./mvnw package -DskipTests -U -B RUN --mount=type=cache,target=/root/.m2/repository ./mvnw package -DskipTests -U -B
# Runtime: Chainguard Wolfi-based JRE (glibc, daily CVE refresh, non-root by default) # Runtime: BellSoft Liberica JRE 21 on Alpaquita Linux (glibc, minimal, 199 MB)
FROM cgr.dev/chainguard/jre:openjdk-21 FROM bellsoft/liberica-runtime-container:jre-21-slim-glibc
WORKDIR /app WORKDIR /app
USER root RUN mkdir -p /data/jars && chown -R nobody:nobody /data /app
RUN mkdir -p /data/jars && chown -R nonroot:nonroot /data COPY --chown=nobody:nobody --from=build /build/target/*.jar app.jar
COPY --chown=nonroot:nonroot --from=build /build/target/*.jar app.jar USER nobody
USER nonroot
EXPOSE 8080 EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"] ENTRYPOINT ["java", "-jar", "app.jar"]
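Review bot: the new `RUN mkdir -p /data/jars && chown -R nobody:nobody /data /app` widens the chown from `/data` to `/app`, so the runtime user now owns the directory holding the jar it executes; the old version only handed `/data` to the runtime user and left `/app` root-owned. Since `COPY --chown=nobody:nobody ... app.jar` already sets the jar's owner (and even that could be dropped so the jar stays root-owned and merely readable), suggest `chown -R nobody:nobody /data` only, keeping `/app` read-only for the process. Separately, the commit message cites the unpinned `:latest` tag as a reason for leaving Chainguard, but `bellsoft/liberica-runtime-container:jre-21-slim-glibc` is a floating tag too; a `@sha256:` digest (or the renovate/dependabot equivalent) would make the switch consistent with that rationale.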


@@ -1,7 +1,6 @@
# Wolfi-based JRE, glibc, daily-rebuilt with near-zero baseline CVEs, # BellSoft Liberica JRE 21 on Alpaquita Linux (glibc, minimal, 199 MB).
# signed images + SBOM published, non-root by default. Pin by digest in # Pin by digest in production overlays.
# production overlays. FROM bellsoft/liberica-runtime-container:jre-21-slim-glibc
FROM cgr.dev/chainguard/jre:openjdk-21
WORKDIR /app WORKDIR /app
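Review bot: the replacement header comment silently drops the three properties the old one documented (signed images plus published SBOM, daily CVE rebuilds, non-root by default) without saying what the new base provides instead; the first Dockerfile in this commit shows the Liberica image is used as root until an explicit `USER` line, so "non-root by default" no longer holds. Suggest the comment state what is actually verified for this base (signature or digest, rebuild cadence) and that non-root comes from the trailing `USER nobody`, and that the "Pin by digest in production overlays" note be mirrored in the first Dockerfile, which currently has no such note.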
@@ -15,3 +14,4 @@ COPY cameleer-log-appender.jar /app/cameleer-log-appender.jar
# -cp + main; native: exec) and overrides via withCmd("sh","-c",...). # -cp + main; native: exec) and overrides via withCmd("sh","-c",...).
# Setting one here only creates drift between this image and the actual # Setting one here only creates drift between this image and the actual
# runtime command. # runtime command.
USER nobody
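Review bot: switching the runtime uid from `nonroot` (65532) to `nobody` (65534), as the commit message notes, changes the identity any deployment manifest may already pin via `runAsUser`/`fsGroup` or via pre-chowned volumes, so those should be updated in the same change or the process will hit permission errors on mounted paths. Also, unlike the other Dockerfile this one adds `USER nobody` without creating or chowning any writable directory; if the command injected via `withCmd("sh","-c",...)` writes anywhere under `/app` or elsewhere, that path needs to be prepared here.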