Posted to dev@flink.apache.org by Chesnay Schepler <ch...@apache.org> on 2022/08/30 09:39:42 UTC

[DISCUSS] Switch docker image base to Eclipse Temurin

Hello,

during the release of the 1.15.2 images 
<https://github.com/docker-library/official-images/pull/13065> it was 
noted that we use the openjdk:8/11 images, which have been deprecated 
<https://github.com/docker-library/openjdk/issues/505> and thus no 
longer receive any updates.

There are a number of alternatives, the most promising being Eclipse 
Temurin <https://hub.docker.com/_/eclipse-temurin>, the successor of 
AdoptOpenJDK, since it's vendor neutral.

This would imply a switch of distros from Debian to most likely Ubuntu 
22.04 (Alpine isn't as user-friendly, and CentOS is likely incompatible 
with existing images using our images as a base). We are also running 
our CI on Ubuntu, so I don't expect any issues.

Let me know what you think.

The required changes on our side appear to be minimal; I have already 
prepared a PR <https://github.com/apache/flink-docker/pull/130>.

Re: [DISCUSS] Switch docker image base to Eclipse Temurin

Posted by Thomas Weise <th...@apache.org>.
+1, the change to Ubuntu (hopefully) also reduces the ripple effect for
downstream customizers of the image.


On Thu, Sep 1, 2022 at 10:00 AM Chesnay Schepler <ch...@apache.org> wrote:

> Unless anyone objects I will announce the switch on Monday via the
> mailing lists / twitter and execute it on Wednesday.
>
> On 01/09/2022 14:27, Chesnay Schepler wrote:
> > The e2e tests have passed successfully for the updated
> > 1.14/1.15/master images.
> >
> > On 01/09/2022 11:05, Chesnay Schepler wrote:
> >> Thanks Xingbo. Should've known that the Flink side relies on the
> >> distro name, sorry for the inconvenience.
> >>
> >> On 01/09/2022 06:55, Xingbo Huang wrote:
> >>> Thanks Chesnay for driving this. I found a problem with image name
> >>> change[1] and I have created a PR[2] to fix it.
> >>>
> >>> Best,
> >>> Xingbo
> >>>
> >>> [1] https://issues.apache.org/jira/browse/FLINK-29161
> >>> [2] https://github.com/apache/flink/pull/20726
> >>>
> >>> On Wed, Aug 31, 2022 at 17:15, Chesnay Schepler <ch...@apache.org> wrote:
> >>>
> >>>> I will optimistically merge the PRs that make the switch so we can
> >>>> gather some e2e testing data.
> >>>>
> >>>> On 30/08/2022 14:51, Chesnay Schepler wrote:
> >>>>> yes, alpine would have similar issues as CentOS. As for usability,
> >>>>> from personal experience it has always been a bit of a drag to extend
> >>>>> or use manually because it is such a minimal image.
> >>>>>
> >>>>> On 30/08/2022 14:45, Matthias Pohl wrote:
> >>>>>> Thanks for bringing this up, Chesnay. Can you elaborate a bit
> >>>>>> more on
> >>>>>> what
> >>>>>> you mean when referring to Alpine as being "not as user-friendly"?
> >>>>>> Doesn't
> >>>>>> it come with the same issue that switching to CentOS comes with
> >>>>>> that we
> >>>>>> have to update our scripts (I'm thinking of apt in particular)?
> >>>>>> Or what
> >>>>>> else did you have in mind in terms of user-friendliness? I would
> >>>>>> imagine
> >>>>>> selecting the required packages would be a bit more tedious.
> >>>>>>
> >>>>>> I'm wondering whether we considered the security aspect. A more
> >>>>>> minimal
> >>>>>> Alpine base image might reduce the risk of running into CVEs. But
> >>>>>> then;
> >>>>>> it's also the question how fast those CVEs are actually fixed on
> >>>>>> average
> >>>>>> (now comparing Ubuntu and Alpine for instance). Or is this even a
> >>>>>> concern
> >>>>>> for us?
> >>>>>>
> >>>>>> I didn't find any clear answers around that topic with a quick
> >>>>>> Google
> >>>>>> search. [1] was kind of interesting to read.
> >>>>>>
> >>>>>> Anyway, I definitely see the benefits of just switching to Ubuntu
> >>>>>> due to
> >>>>>> the fact that it also relies on Debian's package management
> >>>>>> (reducing
> >>>>>> the
> >>>>>> migration effort) and that we're using it for our CI builds
> >>>>>> (consistency).
> >>>>>>
> >>>>>> +1 for going with Ubuntu if security is not a big concern
> >>>>>>
> >>>>>> Best,
> >>>>>> Matthias
> >>>>>>
> >>>>>> [1]
> >>>>>> https://jfrog.com/knowledge-base/why-use-ubuntu-as-a-docker-base-image-when-alpine-exists/
> >>>>>>
> >>>>>> On Tue, Aug 30, 2022 at 11:40 AM Chesnay Schepler
> >>>>>> <ch...@apache.org>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> during the release of the 1.15.2 images
> >>>>>>> <https://github.com/docker-library/official-images/pull/13065>
> >>>>>>> it was
> >>>>>>> noted that we use the openjdk:8/11 images, which have been
> >>>>>>> deprecated
> >>>>>>> <https://github.com/docker-library/openjdk/issues/505> and thus no
> >>>>>>> longer receive any updates.
> >>>>>>>
> >>>>>>> There are a number of alternatives, the most promising being
> >>>>>>> Eclipse
> >>>>>>> Temurin <https://hub.docker.com/_/eclipse-temurin>, the
> >>>>>>> successor of
> >>>>>>> AdoptOpenJDK, since it's vendor neutral.
> >>>>>>>
> >>>>>>> This would imply a switch of distros from Debian to most likely
> >>>>>>> Ubuntu
> >>>>>>> 22.04 (Alpine isn't as user-friendly, and CentOS is likely
> >>>>>>> incompatible
> >>>>>>> with existing images using our images as a base). We are also
> >>>>>>> running
> >>>>>>> our CI on Ubuntu, so I don't expect any issues.
> >>>>>>>
> >>>>>>> Let me know what you think.
> >>>>>>>
> >>>>>>> The required changes on our side appear to be minimal; I have
> >>>>>>> already
> >>>>>>> prepared a PR <https://github.com/apache/flink-docker/pull/130>.
> >>>>>>>
> >>>>
> >>
> >
>
>

Re: [DISCUSS] Switch docker image base to Eclipse Temurin

Posted by Chesnay Schepler <ch...@apache.org>.
Unless anyone objects I will announce the switch on Monday via the 
mailing lists / twitter and execute it on Wednesday.

On 01/09/2022 14:27, Chesnay Schepler wrote:
> The e2e tests have passed successfully for the updated 
> 1.14/1.15/master images.
>
> On 01/09/2022 11:05, Chesnay Schepler wrote:
>> Thanks Xingbo. Should've known that the Flink side relies on the 
>> distro name, sorry for the inconvenience.
>>
>> On 01/09/2022 06:55, Xingbo Huang wrote:
>>> Thanks Chesnay for driving this. I found a problem with image name
>>> change[1] and I have created a PR[2] to fix it.
>>>
>>> Best,
>>> Xingbo
>>>
>>> [1] https://issues.apache.org/jira/browse/FLINK-29161
>>> [2] https://github.com/apache/flink/pull/20726
>>>
>>> On Wed, Aug 31, 2022 at 17:15, Chesnay Schepler <ch...@apache.org> wrote:
>>>
>>>> I will optimistically merge the PRs that make the switch so we can
>>>> gather some e2e testing data.
>>>>
>>>> On 30/08/2022 14:51, Chesnay Schepler wrote:
>>>>> yes, alpine would have similar issues as CentOS. As for usability,
>>>>> from personal experience it has always been a bit of a drag to extend
>>>>> or use manually because it is such a minimal image.
>>>>>
>>>>> On 30/08/2022 14:45, Matthias Pohl wrote:
>>>>>> Thanks for bringing this up, Chesnay. Can you elaborate a bit 
>>>>>> more on
>>>>>> what
>>>>>> you mean when referring to Alpine as being "not as user-friendly"?
>>>>>> Doesn't
>>>>>> it come with the same issue that switching to CentOS comes with 
>>>>>> that we
>>>>>> have to update our scripts (I'm thinking of apt in particular)? 
>>>>>> Or what
>>>>>> else did you have in mind in terms of user-friendliness? I would 
>>>>>> imagine
>>>>>> selecting the required packages would be a bit more tedious.
>>>>>>
>>>>>> I'm wondering whether we considered the security aspect. A more 
>>>>>> minimal
>>>>>> Alpine base image might reduce the risk of running into CVEs. But 
>>>>>> then;
>>>>>> it's also the question how fast those CVEs are actually fixed on 
>>>>>> average
>>>>>> (now comparing Ubuntu and Alpine for instance). Or is this even a
>>>>>> concern
>>>>>> for us?
>>>>>>
>>>>>> I didn't find any clear answers around that topic with a quick 
>>>>>> Google
>>>>>> search. [1] was kind of interesting to read.
>>>>>>
>>>>>> Anyway, I definitely see the benefits of just switching to Ubuntu 
>>>>>> due to
>>>>>> the fact that it also relies on Debian's package management 
>>>>>> (reducing
>>>>>> the
>>>>>> migration effort) and that we're using it for our CI builds
>>>>>> (consistency).
>>>>>>
>>>>>> +1 for going with Ubuntu if security is not a big concern
>>>>>>
>>>>>> Best,
>>>>>> Matthias
>>>>>>
>>>>>> [1]
>>>>>> https://jfrog.com/knowledge-base/why-use-ubuntu-as-a-docker-base-image-when-alpine-exists/
>>>>>>
>>>>>> On Tue, Aug 30, 2022 at 11:40 AM Chesnay Schepler 
>>>>>> <ch...@apache.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> during the release of the 1.15.2 images
>>>>>>> <https://github.com/docker-library/official-images/pull/13065> 
>>>>>>> it was
>>>>>>> noted that we use the openjdk:8/11 images, which have been 
>>>>>>> deprecated
>>>>>>> <https://github.com/docker-library/openjdk/issues/505> and thus no
>>>>>>> longer receive any updates.
>>>>>>>
>>>>>>> There are a number of alternatives, the most promising being 
>>>>>>> Eclipse
>>>>>>> Temurin <https://hub.docker.com/_/eclipse-temurin>, the 
>>>>>>> successor of
>>>>>>> AdoptOpenJDK, since it's vendor neutral.
>>>>>>>
>>>>>>> This would imply a switch of distros from Debian to most likely 
>>>>>>> Ubuntu
>>>>>>> 22.04 (Alpine isn't as user-friendly, and CentOS is likely 
>>>>>>> incompatible
>>>>>>> with existing images using our images as a base). We are also 
>>>>>>> running
>>>>>>> our CI on Ubuntu, so I don't expect any issues.
>>>>>>>
>>>>>>> Let me know what you think.
>>>>>>>
>>>>>>> The required changes on our side appear to be minimal; I have 
>>>>>>> already
>>>>>>> prepared a PR <https://github.com/apache/flink-docker/pull/130>.
>>>>>>>
>>>>
>>
>


Re: [DISCUSS] Switch docker image base to Eclipse Temurin

Posted by Chesnay Schepler <ch...@apache.org>.
The e2e tests have passed successfully for the updated 1.14/1.15/master 
images.

On 01/09/2022 11:05, Chesnay Schepler wrote:
> Thanks Xingbo. Should've known that the Flink side relies on the 
> distro name, sorry for the inconvenience.
>
> On 01/09/2022 06:55, Xingbo Huang wrote:
>> Thanks Chesnay for driving this. I found a problem with image name
>> change[1] and I have created a PR[2] to fix it.
>>
>> Best,
>> Xingbo
>>
>> [1] https://issues.apache.org/jira/browse/FLINK-29161
>> [2] https://github.com/apache/flink/pull/20726
>>
>> On Wed, Aug 31, 2022 at 17:15, Chesnay Schepler <ch...@apache.org> wrote:
>>
>>> I will optimistically merge the PRs that make the switch so we can
>>> gather some e2e testing data.
>>>
>>> On 30/08/2022 14:51, Chesnay Schepler wrote:
>>>> yes, alpine would have similar issues as CentOS. As for usability,
>>>> from personal experience it has always been a bit of a drag to extend
>>>> or use manually because it is such a minimal image.
>>>>
>>>> On 30/08/2022 14:45, Matthias Pohl wrote:
>>>>> Thanks for bringing this up, Chesnay. Can you elaborate a bit more on
>>>>> what
>>>>> you mean when referring to Alpine as being "not as user-friendly"?
>>>>> Doesn't
>>>>> it come with the same issue that switching to CentOS comes with 
>>>>> that we
>>>>> have to update our scripts (I'm thinking of apt in particular)? Or 
>>>>> what
>>>>> else did you have in mind in terms of user-friendliness? I would 
>>>>> imagine
>>>>> selecting the required packages would be a bit more tedious.
>>>>>
>>>>> I'm wondering whether we considered the security aspect. A more 
>>>>> minimal
>>>>> Alpine base image might reduce the risk of running into CVEs. But 
>>>>> then;
>>>>> it's also the question how fast those CVEs are actually fixed on 
>>>>> average
>>>>> (now comparing Ubuntu and Alpine for instance). Or is this even a
>>>>> concern
>>>>> for us?
>>>>>
>>>>> I didn't find any clear answers around that topic with a quick Google
>>>>> search. [1] was kind of interesting to read.
>>>>>
>>>>> Anyway, I definitely see the benefits of just switching to Ubuntu 
>>>>> due to
>>>>> the fact that it also relies on Debian's package management (reducing
>>>>> the
>>>>> migration effort) and that we're using it for our CI builds
>>>>> (consistency).
>>>>>
>>>>> +1 for going with Ubuntu if security is not a big concern
>>>>>
>>>>> Best,
>>>>> Matthias
>>>>>
>>>>> [1]
>>>>> https://jfrog.com/knowledge-base/why-use-ubuntu-as-a-docker-base-image-when-alpine-exists/
>>>>>
>>>>> On Tue, Aug 30, 2022 at 11:40 AM Chesnay Schepler 
>>>>> <ch...@apache.org>
>>>>> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> during the release of the 1.15.2 images
>>>>>> <https://github.com/docker-library/official-images/pull/13065> it 
>>>>>> was
>>>>>> noted that we use the openjdk:8/11 images, which have been 
>>>>>> deprecated
>>>>>> <https://github.com/docker-library/openjdk/issues/505> and thus no
>>>>>> longer receive any updates.
>>>>>>
>>>>>> There are a number of alternatives, the most promising being Eclipse
>>>>>> Temurin <https://hub.docker.com/_/eclipse-temurin>, the successor of
>>>>>> AdoptOpenJDK, since it's vendor neutral.
>>>>>>
>>>>>> This would imply a switch of distros from Debian to most likely 
>>>>>> Ubuntu
>>>>>> 22.04 (Alpine isn't as user-friendly, and CentOS is likely 
>>>>>> incompatible
>>>>>> with existing images using our images as a base). We are also 
>>>>>> running
>>>>>> our CI on Ubuntu, so I don't expect any issues.
>>>>>>
>>>>>> Let me know what you think.
>>>>>>
>>>>>> The required changes on our side appear to be minimal; I have 
>>>>>> already
>>>>>> prepared a PR <https://github.com/apache/flink-docker/pull/130>.
>>>>>>
>>>
>


Re: [DISCUSS] Switch docker image base to Eclipse Temurin

Posted by Chesnay Schepler <ch...@apache.org>.
Thanks Xingbo. Should've known that the Flink side relies on the distro 
name, sorry for the inconvenience.

On 01/09/2022 06:55, Xingbo Huang wrote:
> Thanks Chesnay for driving this. I found a problem with image name
> change[1] and I have created a PR[2] to fix it.
>
> Best,
> Xingbo
>
> [1] https://issues.apache.org/jira/browse/FLINK-29161
> [2] https://github.com/apache/flink/pull/20726
>
> On Wed, Aug 31, 2022 at 17:15, Chesnay Schepler <ch...@apache.org> wrote:
>
>> I will optimistically merge the PRs that make the switch so we can
>> gather some e2e testing data.
>>
>> On 30/08/2022 14:51, Chesnay Schepler wrote:
>>> yes, alpine would have similar issues as CentOS. As for usability,
>>> from personal experience it has always been a bit of a drag to extend
>>> or use manually because it is such a minimal image.
>>>
>>> On 30/08/2022 14:45, Matthias Pohl wrote:
>>>> Thanks for bringing this up, Chesnay. Can you elaborate a bit more on
>>>> what
>>>> you mean when referring to Alpine as being "not as user-friendly"?
>>>> Doesn't
>>>> it come with the same issue that switching to CentOS comes with that we
>>>> have to update our scripts (I'm thinking of apt in particular)? Or what
>>>> else did you have in mind in terms of user-friendliness? I would imagine
>>>> selecting the required packages would be a bit more tedious.
>>>>
>>>> I'm wondering whether we considered the security aspect. A more minimal
>>>> Alpine base image might reduce the risk of running into CVEs. But then;
>>>> it's also the question how fast those CVEs are actually fixed on average
>>>> (now comparing Ubuntu and Alpine for instance). Or is this even a
>>>> concern
>>>> for us?
>>>>
>>>> I didn't find any clear answers around that topic with a quick Google
>>>> search. [1] was kind of interesting to read.
>>>>
>>>> Anyway, I definitely see the benefits of just switching to Ubuntu due to
>>>> the fact that it also relies on Debian's package management (reducing
>>>> the
>>>> migration effort) and that we're using it for our CI builds
>>>> (consistency).
>>>>
>>>> +1 for going with Ubuntu if security is not a big concern
>>>>
>>>> Best,
>>>> Matthias
>>>>
>>>> [1]
>>>> https://jfrog.com/knowledge-base/why-use-ubuntu-as-a-docker-base-image-when-alpine-exists/
>>>>
>>>> On Tue, Aug 30, 2022 at 11:40 AM Chesnay Schepler <ch...@apache.org>
>>>> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> during the release of the 1.15.2 images
>>>>> <https://github.com/docker-library/official-images/pull/13065> it was
>>>>> noted that we use the openjdk:8/11 images, which have been deprecated
>>>>> <https://github.com/docker-library/openjdk/issues/505> and thus no
>>>>> longer receive any updates.
>>>>>
>>>>> There are a number of alternatives, the most promising being Eclipse
>>>>> Temurin <https://hub.docker.com/_/eclipse-temurin>, the successor of
>>>>> AdoptOpenJDK, since it's vendor neutral.
>>>>>
>>>>> This would imply a switch of distros from Debian to most likely Ubuntu
>>>>> 22.04 (Alpine isn't as user-friendly, and CentOS is likely incompatible
>>>>> with existing images using our images as a base). We are also running
>>>>> our CI on Ubuntu, so I don't expect any issues.
>>>>>
>>>>> Let me know what you think.
>>>>>
>>>>> The required changes on our side appear to be minimal; I have already
>>>>> prepared a PR <https://github.com/apache/flink-docker/pull/130>.
>>>>>
>>


Re: [DISCUSS] Switch docker image base to Eclipse Temurin

Posted by Xingbo Huang <hx...@gmail.com>.
Thanks Chesnay for driving this. I found a problem with image name
change[1] and I have created a PR[2] to fix it.

Best,
Xingbo

[1] https://issues.apache.org/jira/browse/FLINK-29161
[2] https://github.com/apache/flink/pull/20726

On Wed, Aug 31, 2022 at 17:15, Chesnay Schepler <ch...@apache.org> wrote:

> I will optimistically merge the PRs that make the switch so we can
> gather some e2e testing data.
>
> On 30/08/2022 14:51, Chesnay Schepler wrote:
> > yes, alpine would have similar issues as CentOS. As for usability,
> > from personal experience it has always been a bit of a drag to extend
> > or use manually because it is such a minimal image.
> >
> > On 30/08/2022 14:45, Matthias Pohl wrote:
> >> Thanks for bringing this up, Chesnay. Can you elaborate a bit more on
> >> what
> >> you mean when referring to Alpine as being "not as user-friendly"?
> >> Doesn't
> >> it come with the same issue that switching to CentOS comes with that we
> >> have to update our scripts (I'm thinking of apt in particular)? Or what
> >> else did you have in mind in terms of user-friendliness? I would imagine
> >> selecting the required packages would be a bit more tedious.
> >>
> >> I'm wondering whether we considered the security aspect. A more minimal
> >> Alpine base image might reduce the risk of running into CVEs. But then;
> >> it's also the question how fast those CVEs are actually fixed on average
> >> (now comparing Ubuntu and Alpine for instance). Or is this even a
> >> concern
> >> for us?
> >>
> >> I didn't find any clear answers around that topic with a quick Google
> >> search. [1] was kind of interesting to read.
> >>
> >> Anyway, I definitely see the benefits of just switching to Ubuntu due to
> >> the fact that it also relies on Debian's package management (reducing
> >> the
> >> migration effort) and that we're using it for our CI builds
> >> (consistency).
> >>
> >> +1 for going with Ubuntu if security is not a big concern
> >>
> >> Best,
> >> Matthias
> >>
> >> [1]
> >> https://jfrog.com/knowledge-base/why-use-ubuntu-as-a-docker-base-image-when-alpine-exists/
> >>
> >>
> >> On Tue, Aug 30, 2022 at 11:40 AM Chesnay Schepler <ch...@apache.org>
> >> wrote:
> >>
> >>> Hello,
> >>>
> >>> during the release of the 1.15.2 images
> >>> <https://github.com/docker-library/official-images/pull/13065> it was
> >>> noted that we use the openjdk:8/11 images, which have been deprecated
> >>> <https://github.com/docker-library/openjdk/issues/505> and thus no
> >>> longer receive any updates.
> >>>
> >>> There are a number of alternatives, the most promising being Eclipse
> >>> Temurin <https://hub.docker.com/_/eclipse-temurin>, the successor of
> >>> AdoptOpenJDK, since it's vendor neutral.
> >>>
> >>> This would imply a switch of distros from Debian to most likely Ubuntu
> >>> 22.04 (Alpine isn't as user-friendly, and CentOS is likely incompatible
> >>> with existing images using our images as a base). We are also running
> >>> our CI on Ubuntu, so I don't expect any issues.
> >>>
> >>> Let me know what you think.
> >>>
> >>> The required changes on our side appear to be minimal; I have already
> >>> prepared a PR <https://github.com/apache/flink-docker/pull/130>.
> >>>
> >
>
>

Re: [DISCUSS] Switch docker image base to Eclipse Temurin

Posted by Chesnay Schepler <ch...@apache.org>.
I will optimistically merge the PRs that make the switch so we can 
gather some e2e testing data.

On 30/08/2022 14:51, Chesnay Schepler wrote:
> yes, alpine would have similar issues as CentOS. As for usability, 
> from personal experience it has always been a bit of a drag to extend 
> or use manually because it is such a minimal image.
>
> On 30/08/2022 14:45, Matthias Pohl wrote:
>> Thanks for bringing this up, Chesnay. Can you elaborate a bit more on 
>> what
>> you mean when referring to Alpine as being "not as user-friendly"? 
>> Doesn't
>> it come with the same issue that switching to CentOS comes with that we
>> have to update our scripts (I'm thinking of apt in particular)? Or what
>> else did you have in mind in terms of user-friendliness? I would imagine
>> selecting the required packages would be a bit more tedious.
>>
>> I'm wondering whether we considered the security aspect. A more minimal
>> Alpine base image might reduce the risk of running into CVEs. But then;
>> it's also the question how fast those CVEs are actually fixed on average
>> (now comparing Ubuntu and Alpine for instance). Or is this even a 
>> concern
>> for us?
>>
>> I didn't find any clear answers around that topic with a quick Google
>> search. [1] was kind of interesting to read.
>>
>> Anyway, I definitely see the benefits of just switching to Ubuntu due to
>> the fact that it also relies on Debian's package management (reducing 
>> the
>> migration effort) and that we're using it for our CI builds 
>> (consistency).
>>
>> +1 for going with Ubuntu if security is not a big concern
>>
>> Best,
>> Matthias
>>
>> [1]
>> https://jfrog.com/knowledge-base/why-use-ubuntu-as-a-docker-base-image-when-alpine-exists/ 
>>
>>
>> On Tue, Aug 30, 2022 at 11:40 AM Chesnay Schepler <ch...@apache.org>
>> wrote:
>>
>>> Hello,
>>>
>>> during the release of the 1.15.2 images
>>> <https://github.com/docker-library/official-images/pull/13065> it was
>>> noted that we use the openjdk:8/11 images, which have been deprecated
>>> <https://github.com/docker-library/openjdk/issues/505> and thus no
>>> longer receive any updates.
>>>
>>> There are a number of alternatives, the most promising being Eclipse
>>> Temurin <https://hub.docker.com/_/eclipse-temurin>, the successor of
>>> AdoptOpenJDK, since it's vendor neutral.
>>>
>>> This would imply a switch of distros from Debian to most likely Ubuntu
>>> 22.04 (Alpine isn't as user-friendly, and CentOS is likely incompatible
>>> with existing images using our images as a base). We are also running
>>> our CI on Ubuntu, so I don't expect any issues.
>>>
>>> Let me know what you think.
>>>
>>> The required changes on our side appear to be minimal; I have already
>>> prepared a PR <https://github.com/apache/flink-docker/pull/130>.
>>>
>


Re: [DISCUSS] Switch docker image base to Eclipse Temurin

Posted by Chesnay Schepler <ch...@apache.org>.
yes, alpine would have similar issues as CentOS. As for usability, from 
personal experience it has always been a bit of a drag to extend or use 
manually because it is such a minimal image.

On 30/08/2022 14:45, Matthias Pohl wrote:
> Thanks for bringing this up, Chesnay. Can you elaborate a bit more on what
> you mean when referring to Alpine as being "not as user-friendly"? Doesn't
> it come with the same issue that switching to CentOS comes with that we
> have to update our scripts (I'm thinking of apt in particular)? Or what
> else did you have in mind in terms of user-friendliness? I would imagine
> selecting the required packages would be a bit more tedious.
>
> I'm wondering whether we considered the security aspect. A more minimal
> Alpine base image might reduce the risk of running into CVEs. But then;
> it's also the question how fast those CVEs are actually fixed on average
> (now comparing Ubuntu and Alpine for instance). Or is this even a concern
> for us?
>
> I didn't find any clear answers around that topic with a quick Google
> search. [1] was kind of interesting to read.
>
> Anyway, I definitely see the benefits of just switching to Ubuntu due to
> the fact that it also relies on Debian's package management (reducing the
> migration effort) and that we're using it for our CI builds (consistency).
>
> +1 for going with Ubuntu if security is not a big concern
>
> Best,
> Matthias
>
> [1]
> https://jfrog.com/knowledge-base/why-use-ubuntu-as-a-docker-base-image-when-alpine-exists/
>
> On Tue, Aug 30, 2022 at 11:40 AM Chesnay Schepler <ch...@apache.org>
> wrote:
>
>> Hello,
>>
>> during the release of the 1.15.2 images
>> <https://github.com/docker-library/official-images/pull/13065> it was
>> noted that we use the openjdk:8/11 images, which have been deprecated
>> <https://github.com/docker-library/openjdk/issues/505> and thus no
>> longer receive any updates.
>>
>> There are a number of alternatives, the most promising being Eclipse
>> Temurin <https://hub.docker.com/_/eclipse-temurin>, the successor of
>> AdoptOpenJDK, since it's vendor neutral.
>>
>> This would imply a switch of distros from Debian to most likely Ubuntu
>> 22.04 (Alpine isn't as user-friendly, and CentOS is likely incompatible
>> with existing images using our images as a base). We are also running
>> our CI on Ubuntu, so I don't expect any issues.
>>
>> Let me know what you think.
>>
>> The required changes on our side appear to be minimal; I have already
>> prepared a PR <https://github.com/apache/flink-docker/pull/130>.
>>


Re: [DISCUSS] Switch docker image base to Eclipse Temurin

Posted by Matthias Pohl <ma...@aiven.io.INVALID>.
Thanks for bringing this up, Chesnay. Can you elaborate a bit more on what
you mean when referring to Alpine as being "not as user-friendly"? Doesn't
it come with the same issue that switching to CentOS comes with that we
have to update our scripts (I'm thinking of apt in particular)? Or what
else did you have in mind in terms of user-friendliness? I would imagine
selecting the required packages would be a bit more tedious.

I'm wondering whether we considered the security aspect. A more minimal
Alpine base image might reduce the risk of running into CVEs. But then;
it's also the question how fast those CVEs are actually fixed on average
(now comparing Ubuntu and Alpine for instance). Or is this even a concern
for us?

I didn't find any clear answers around that topic with a quick Google
search. [1] was kind of interesting to read.

Anyway, I definitely see the benefits of just switching to Ubuntu due to
the fact that it also relies on Debian's package management (reducing the
migration effort) and that we're using it for our CI builds (consistency).

+1 for going with Ubuntu if security is not a big concern

Best,
Matthias

[1]
https://jfrog.com/knowledge-base/why-use-ubuntu-as-a-docker-base-image-when-alpine-exists/

On Tue, Aug 30, 2022 at 11:40 AM Chesnay Schepler <ch...@apache.org>
wrote:

> Hello,
>
> during the release of the 1.15.2 images
> <https://github.com/docker-library/official-images/pull/13065> it was
> noted that we use the openjdk:8/11 images, which have been deprecated
> <https://github.com/docker-library/openjdk/issues/505> and thus no
> longer receive any updates.
>
> There are a number of alternatives, the most promising being Eclipse
> Temurin <https://hub.docker.com/_/eclipse-temurin>, the successor of
> AdoptOpenJDK, since it's vendor neutral.
>
> This would imply a switch of distros from Debian to most likely Ubuntu
> 22.04 (Alpine isn't as user-friendly, and CentOS is likely incompatible
> with existing images using our images as a base). We are also running
> our CI on Ubuntu, so I don't expect any issues.
>
> Let me know what you think.
>
> The required changes on our side appear to be minimal; I have already
> prepared a PR <https://github.com/apache/flink-docker/pull/130>.
>