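Building a custom Oracle JDK 8 base image on Alpine Linux
Background
We are about to take a project live, and everything runs in containers. Container image vulnerability scans showed that many base images carry OS-level vulnerabilities, and management requires a clean scan before anything goes live, so I was forced to build my own base image. Whether it is fit for production still needs testing.
Download the required files
Download glibc by following the project's instructions: https://github.com/sgerrand/alpine-pkg-glibc
# Signing key download
https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
# Dependency package downloads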
https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.34-r0/glibc-2.34-r0.apk
https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.34-r0/glibc-bin-2.34-r0.apk
https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.34-r0/glibc-i18n-2.34-r0.apk
The latest version, 2.35-r1, cannot run the JDK properly; 2.34-r0 has been verified to work.
The locale.md file (for Chinese locale support)
en_US
zh_CN
zh_HK
zh_SG
zu_ZA
Dockerfile
FROM alpine:3.17
CMD ["/bin/sh"]
LABEL maintainer="GLJ"
ENV TIME_ZONE="Asia/Shanghai"
ENV ALPINE_GLIBC_PACKAGE_VERSION="2.34-r0"
# Install glibc
COPY locale.md glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk ./
# apk verifies the local glibc packages against this key (no --allow-untrusted is used)
COPY sgerrand.rsa.pub /etc/apk/keys/sgerrand.rsa.pub
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories \
&& apk add --no-cache ca-certificates libstdc++ fontconfig tzdata \
&& apk add --update ttf-dejavu \
&& fc-cache --force \
&& cp /usr/share/zoneinfo/$TIME_ZONE /etc/localtime \
&& echo $TIME_ZONE > /etc/timezone \
&& apk del tzdata \
&& mv /etc/nsswitch.conf /etc/nsswitch.conf.bak \
&& apk add --no-cache --force-overwrite glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk \
&& mv /etc/nsswitch.conf.bak /etc/nsswitch.conf \
&& cat locale.md | tr -d '\r' | xargs -i /usr/glibc-compat/bin/localedef -i {} -f UTF-8 {}.UTF-8 \
&& rm -f glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk locale.md \
&& rm -rf /var/cache/apk/* \
&& addgroup -g 2888 gzapps \
&& adduser -u 2888 -G gzapps -h /home/gzapps -D gzapps
# Support Chinese
ENV LANG=zh_CN.UTF-8
ENV LANGUAGE=zh_CN.UTF-8
# Install JDK1.8
ADD jdk-8u341-linux-x64.tar.gz /usr/local/jdk
ENV JAVA_HOME=/usr/local/jdk/jdk1.8.0_341
ENV JRE_HOME=$JAVA_HOME/jre
ENV CLASSPATH=.:$JAVA_HOME/lib:$JRE_HOME/lib
ENV PATH=$JAVA_HOME/bin:$PATH
Build the image
docker build -t base-jdk8:20230905 .
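During the build above, apk checks the glibc packages against sgerrand.rsa.pub, but the key itself and the JDK tarball are taken on trust from the build context. The script below is an added example, not part of the original post, that checks every downloaded artifact against a pinned SHA-256 before `docker build`; the pin file and the `verify_context` function name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): check the build-context
# artifacts against pinned SHA-256 values before running `docker build`.
# Assumption: a pin file with lines "<sha256>  <filename>" (sha256sum format),
# recorded once when the downloads were vetted. Its name is up to you.

# Files from this page that end up inside the image.
ARTIFACTS="sgerrand.rsa.pub glibc-2.34-r0.apk glibc-bin-2.34-r0.apk
glibc-i18n-2.34-r0.apk jdk-8u341-linux-x64.tar.gz"

# verify_context DIR PINFILE [FILE...]
# Returns 0 only if every FILE (default: $ARTIFACTS) exists in DIR,
# has an entry in PINFILE, and hashes to the pinned value.
verify_context() {
    dir=$1; pins=$2; shift 2
    [ $# -gt 0 ] || set -- $ARTIFACTS
    rc=0
    for f in "$@"; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING   $f" >&2; rc=1; continue
        fi
        # Look up the pinned hash; tolerate sha256sum's "*name" binary marker.
        want=$(awk -v n="$f" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$pins")
        if [ -z "$want" ]; then
            echo "UNPINNED  $f" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$f" | awk '{ print $1 }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH  $f" >&2; rc=1
        fi
    done
    return "$rc"
}

# Usage (SHA256SUMS is a hypothetical pin file name):
#   verify_context . SHA256SUMS && docker build -t base-jdk8:20230905 .
```

A file that is present but has no pin fails the check just like a mismatch, so a newly added download cannot slip into the image unreviewed.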
Based on a third-party image
Because I am lazy, an existing glibc image (alpine-glibc:alpine-3.17_glibc-2.34) can serve as the base image for a quick deployment.
Dockerfile
# Built on alpine-glibc:alpine-3.17_glibc-2.34
FROM frolvlad/alpine-glibc:alpine-3.17_glibc-2.34
LABEL maintainer="GLJ"
# Install JDK1.8
ADD jdk-8u341-linux-x64.tar.gz /usr/local/jdk
ENV JAVA_HOME=/usr/local/jdk/jdk1.8.0_341
ENV JRE_HOME=${JAVA_HOME}/jre
ENV CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
ENV PATH=$JAVA_HOME/bin:$PATH
ENV TIME_ZONE="Asia/Shanghai"
# Install JRE runtime dependencies (fonts, time zone data) and create the application user
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories \
&& apk add --no-cache libstdc++ fontconfig tzdata \
&& apk add --update ttf-dejavu \
&& fc-cache --force \
&& cp /usr/share/zoneinfo/$TIME_ZONE /etc/localtime \
&& echo $TIME_ZONE > /etc/timezone \
&& apk del tzdata \
&& rm -rf /var/cache/apk/* \
&& addgroup -g 2888 gzapps \
&& adduser -u 2888 -G gzapps -h /home/gzapps -D gzapps
Build the image
docker build -t base-jdk8:20230905 .
Image vulnerability scan verification
Dockerfile for building the Java project
FROM base-jdk8:20230905
USER gzapps
COPY --chown=gzapps:gzapps app.jar /home/gzapps/app.jar
# env for application
ENV PORT=""
ENV JAVA_OPTS=""
ENV AGENT_ARGS=""
EXPOSE $PORT
WORKDIR /home/gzapps
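# The Alpine base image ships BusyBox /bin/sh, not bash; exec makes java PID 1 so it receives stop signals
ENTRYPOINT ["/bin/sh","-c","exec java ${AGENT_ARGS} ${JAVA_OPTS} -jar app.jar"]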
#ENTRYPOINT exec java -Djava.security.egd=file:/dev/./urandom -jar -Xms512m -Xmx512m -Xmn200M app.jar > app.jar.log
References
1. https://github.com/sgerrand/alpine-pkg-glibc
2. https://hub.docker.com/r/frolvlad/alpine-glibc/tags
3. https://blog.csdn.net/duxing_langzi/article/details/125911398
4. https://blog.csdn.net/wangshui898/article/details/131767794