Posted to dev@nifi.apache.org by Christian Bucheli <ch...@hotmail.com> on 2023/04/11 15:02:02 UTC

Use ubi9/OpenJDK-11 as base image

To whom it may concern,

Would it be possible to switch to the ubi9/OpenJDK-11 image instead of the one used at the moment? Security-wise it receives more updates than the one already being used. I can do all the plumbing for making it work.

An example:
```Dockerfile
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#

ARG IMAGE_NAME=ubi9/openjdk-11
ARG IMAGE_TAG=latest
ARG IMAGE_REGISTRY=registry.access.redhat.com
FROM ${IMAGE_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}
ARG MAINTAINER="Apache NiFi <de...@nifi.apache.org>"
LABEL maintainer="${MAINTAINER}"
LABEL site="https://nifi.apache.org"

ARG UID=1001
ARG GID=1001
ARG NIFI_VERSION=1.21.0
ARG BASE_URL=https://archive.apache.org/dist
ARG MIRROR_BASE_URL=${MIRROR_BASE_URL:-${BASE_URL}}
ARG DISTRO_PATH=${DISTRO_PATH:-${NIFI_VERSION}}
ARG NIFI_BINARY_PATH=${NIFI_BINARY_PATH:-/nifi/${DISTRO_PATH}/nifi-${NIFI_VERSION}-bin.zip}
ARG NIFI_TOOLKIT_BINARY_PATH=${NIFI_TOOLKIT_BINARY_PATH:-/nifi/${DISTRO_PATH}/nifi-toolkit-${NIFI_VERSION}-bin.zip}

ENV NIFI_BASE_DIR=/opt/nifi
ENV NIFI_HOME ${NIFI_BASE_DIR}/nifi-current
ENV NIFI_TOOLKIT_HOME ${NIFI_BASE_DIR}/nifi-toolkit-current
ENV NIFI_PID_DIR=${NIFI_HOME}/run
ENV NIFI_LOG_DIR=${NIFI_HOME}/logs

ADD sh/ ${NIFI_BASE_DIR}/scripts/
USER root
RUN chmod -R +x ${NIFI_BASE_DIR}/scripts/*.sh

# Setup NiFi user and create necessary directories
# xmlstarlet could be installed by the official way by having a subscribed RHEL9 host that runs the build (you get free dev licenses)
# or we could install the CentOS Stream 9 Appstream version (more hacky)
# See http://fr2.rpmfind.net/linux/RPM/centos-stream/9/appstream/aarch64/xmlstarlet-1.6.1-20.el9.aarch64.html
RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \
    && useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \
    && mkdir -p ${NIFI_BASE_DIR} \
    && chown -R nifi:nifi ${NIFI_BASE_DIR} \
    && microdnf install -y jq procps unzip \
    && microdnf clean all

RUN chown -R :0 ${NIFI_BASE_DIR} \
    && chmod -R g+rwX ${NIFI_BASE_DIR}

USER 1001

# Download, validate, and expand Apache NiFi Toolkit binary.
RUN curl -fSL ${MIRROR_BASE_URL}/${NIFI_TOOLKIT_BINARY_PATH} -o ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip \
    && echo "$(curl ${BASE_URL}/${NIFI_TOOLKIT_BINARY_PATH}.sha256) *${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip" | sha256sum -c - \
    && unzip ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip -d ${NIFI_BASE_DIR} \
    && rm ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip \
    && mv ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION} ${NIFI_TOOLKIT_HOME} \
    && ln -s ${NIFI_TOOLKIT_HOME} ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}

# Download, validate, and expand Apache NiFi binary.
RUN curl -fSL ${MIRROR_BASE_URL}/${NIFI_BINARY_PATH} -o ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip \
    && echo "$(curl ${BASE_URL}/${NIFI_BINARY_PATH}.sha256) *${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip" | sha256sum -c - \
    && unzip ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip -d ${NIFI_BASE_DIR} \
    && rm ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip \
    && mv ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION} ${NIFI_HOME} \
    && mkdir -p ${NIFI_HOME}/conf \
    && mkdir -p ${NIFI_HOME}/database_repository \
    && mkdir -p ${NIFI_HOME}/flowfile_repository \
    && mkdir -p ${NIFI_HOME}/content_repository \
    && mkdir -p ${NIFI_HOME}/provenance_repository \
    && mkdir -p ${NIFI_HOME}/state \
    && mkdir -p ${NIFI_LOG_DIR} \
    && ln -s ${NIFI_HOME} ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}

VOLUME ${NIFI_LOG_DIR} \
       ${NIFI_HOME}/conf \
       ${NIFI_HOME}/database_repository \
       ${NIFI_HOME}/flowfile_repository \
       ${NIFI_HOME}/content_repository \
       ${NIFI_HOME}/provenance_repository \
       ${NIFI_HOME}/state

# Clear nifi-env.sh in favour of configuring all environment variables in the Dockerfile
# printf rather than echo: bash's builtin echo does not expand "\n", so the file would otherwise hold a literal backslash-n
RUN printf '#!/bin/sh\n' > $NIFI_HOME/bin/nifi-env.sh

# Web HTTP(s) & Socket Site-to-Site Ports
EXPOSE 8080 8443 10000 8000

WORKDIR ${NIFI_HOME}

# Apply configuration and start NiFi
#
# We need to use the exec form to avoid running our command in a subshell and omitting signals,
# thus being unable to shut down gracefully:
# https://docs.docker.com/engine/reference/builder/#entrypoint
#
# Also we need to use relative path, because the exec form does not invoke a command shell,
# thus normal shell processing does not happen:
# https://docs.docker.com/engine/reference/builder/#exec-form-entrypoint-example
ENTRYPOINT ["../scripts/start.sh"]
```

Cheers

Christian
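The Dockerfile above validates each downloaded archive by piping "<digest> *<file>" into `sha256sum -c -`. Below is an added example, not code from the original post or from the NiFi project, that wraps the same check in a fail-closed shell function: it also rejects a checksum file that is empty, truncated, or not a hex digest at all, which is what `curl` without `-f` would save if a mirror answered with an error page. The archive, the checksum files and the temporary directory are constructed for the demo; in the Dockerfile both inputs come from `curl`.

```shell
#!/bin/sh
# Added example, not part of the original post or the NiFi project.
# Fail-closed version of the archive check the Dockerfile runs after each download:
#     echo "$(curl .../file.sha256) *file" | sha256sum -c -
# Inputs are local files so it runs offline; in the Dockerfile both come from curl.

# verify_sha256 ARCHIVE SUMFILE
# Returns 0 only when SUMFILE holds a well-formed 64-hex-digit SHA-256 digest
# (optionally followed by a file name, as Apache's .sha256 files are laid out)
# and that digest matches ARCHIVE. An empty, truncated or HTML-shaped SUMFILE,
# which is what curl without -f saves when a mirror answers with an error page,
# is rejected before anything reaches sha256sum.
verify_sha256() {
    archive="$1"
    sumfile="$2"
    [ -f "$archive" ] || { echo "verify_sha256: missing archive: $archive" >&2; return 1; }
    [ -s "$sumfile" ]  || { echo "verify_sha256: missing or empty checksum file: $sumfile" >&2; return 1; }
    # First whitespace-separated field of the first line, lower-cased.
    expected=$(head -n 1 "$sumfile" | awk '{print $1}' | tr 'A-F' 'a-f')
    case "$expected" in
        ""|*[!0-9a-f]*) echo "verify_sha256: checksum file does not start with a hex digest" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_sha256: digest has ${#expected} hex digits, expected 64" >&2; return 1; }
    # Same shape as the Dockerfile's check: "<digest> *<path>" piped to sha256sum -c.
    echo "$expected *$archive" | sha256sum -c --status -
}

# demo_verify: constructed inputs (a stand-in archive, its real digest, and three
# bad checksum files) exercised through verify_sha256. Returns a space-separated
# summary such as "good=ok wrong=rejected notfound=rejected empty=rejected".
demo_verify() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for nifi-1.21.0-bin.zip\n' > "$tmp/nifi-bin.zip"
    sha256sum "$tmp/nifi-bin.zip" | awk '{print $1}' > "$tmp/good.sha256"
    printf '%064d\n' 0 > "$tmp/wrong.sha256"                                   # well-formed, wrong value
    printf '<html><body>404 Not Found</body></html>\n' > "$tmp/notfound.sha256" # error page body
    : > "$tmp/empty.sha256"                                                    # zero bytes
    summary=""
    for name in good wrong notfound empty; do
        if verify_sha256 "$tmp/nifi-bin.zip" "$tmp/$name.sha256" 2>/dev/null; then
            summary="${summary:+$summary }$name=ok"
        else
            summary="${summary:+$summary }$name=rejected"
        fi
    done
    rm -rf "$tmp"
    echo "$summary"
}

demo_verify
```

Inside a `RUN` step the function would replace the inline `echo "$(curl ...)" | sha256sum -c -`; because every rejection path returns non-zero, a bad or missing checksum file fails the build instead of being silently compared as an opaque string.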



Re: Use ubi9/OpenJDK-11 as base image

Posted by Kevin Doran <kd...@apache.org>.
Hi Christian,

Thank you for your interest in the Apache NiFi project. At a high-level, I
think this proposal is aligned with the overall long term goals of the
project.

One of the many wished for Docker image improvements [1] is to support
image variants and a more modular image definition that decouples a base
image (with dependencies) from the NiFi-specific installation. Recent and
planned changes that consolidate our docker hub and docker maven source
code bring us closer to tackling this.

This is also related to OpenShift compatibility, which, from what I
understand, works best with a Red Hat base image. This has come up recently;
see NIFI-9605 [2] and PR #5684 [3], which did propose using ubi8/OpenJDK11.

Perhaps you should leave a comment on NIFI-9605, specifically with some of
the advantages of ubi9/OpenJDK-11 base, so that the dev community can make
an informed decision that takes your needs into account. Also it would be
helpful if you could mention any potential disadvantages we need to
consider. This part of your Dockerfile example seems concerning:

>   # xmlstarlet could be installed by the official way by having a subscribed RHEL9 host that runs the build (you get free dev licenses)
>   # or we could install the CentOS Stream 9 Appstream version (more hacky)
>   # See http://fr2.rpmfind.net/linux/RPM/centos-stream/9/appstream/aarch64/xmlstarlet-1.6.1-20.el9.aarch64.html

[1] https://cwiki.apache.org/confluence/display/NIFI/NiFi+Docker+Container+Improvements
[2] https://issues.apache.org/jira/browse/NIFI-9605
[3] https://github.com/apache/nifi/pull/5684

Regards,
Kevin

On Apr 11, 2023 at 11:02:02, Christian Bucheli <
christian_bucheli@hotmail.com> wrote: