Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/06/22 21:42:59 UTC

[GitHub] [pulsar] lhotari opened a new pull request #11026: [Security] Use adoptopenjdk:11-jdk base image for Pulsar docker images

lhotari opened a new pull request #11026:
URL: https://github.com/apache/pulsar/pull/11026


   ### Motivation
   
   - Pulsar docker images currently use openjdk:11-jdk-slim as the base image.
   
   - openjdk:11-jdk-slim/openjdk:11-jdk images are based on Debian 10 which contains a lot of unfixed vulnerabilities.
       - this causes the Pulsar docker images to get flagged in Docker image vulnerability
         scanning with docker image vulnerability scanning tools such as Clair
   
   ### Modifications
   
   - Switch the base image to `adoptopenjdk:11-jdk`.
   - `adoptopenjdk:11-jdk` is based on Ubuntu which has fixed all critical and high severity security vulnerabilities. New security vulnerabilities get quickly patched in Ubuntu.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
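
The base image choices this pull request weighs, as an added Dockerfile sketch. It is not the Pulsar project's Dockerfile; the ubuntu:20.04 variant is the alternative raised later in the thread, and the apt steps are an assumption about how the openjdk-11-jdk package would be installed.

```dockerfile
# Added illustration, not the Pulsar project's Dockerfile.

# Before: the Debian 10 based image named in the PR description.
# FROM openjdk:11-jdk-slim

# Option A (the PR as opened): Ubuntu-based AdoptOpenJDK image.
# FROM adoptopenjdk:11-jdk

# Option B (raised in the thread): official Ubuntu image plus the
# distribution's own JDK package, so OS and JDK fixes both arrive via apt.
FROM ubuntu:20.04

# Keep apt from prompting during a non-interactive image build.
ENV DEBIAN_FRONTEND=noninteractive

# Apply pending OS security updates at build time, install the JDK,
# then drop the package lists so they do not bloat the layer.
RUN apt-get update \
 && apt-get -y dist-upgrade \
 && apt-get install -y --no-install-recommends openjdk-11-jdk \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*

# Fail the build early if the JDK did not install correctly.
RUN java -version
```

Building with `docker build --pull` refreshes the base layer, so a rebuild picks up the base image's latest OS fixes before the image is rescanned.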



[GitHub] [pulsar] hangc0276 commented on pull request #11026: [Security] Use ubuntu:20.04 base image for Pulsar docker images

Posted by GitBox <gi...@apache.org>.
hangc0276 commented on pull request #11026:
URL: https://github.com/apache/pulsar/pull/11026#issuecomment-906994388


   > @hangc0276 please advertise this on dev@
   > 
   > This is an important change, we must be sure that the community is up to date
   
   @eolivelli OK, I have sent an email to the dev@ mailing list. Thanks.





[GitHub] [pulsar] sijie commented on pull request #11026: [Security] Use adoptopenjdk:11-jdk base image for Pulsar docker images

Posted by GitBox <gi...@apache.org>.
sijie commented on pull request #11026:
URL: https://github.com/apache/pulsar/pull/11026#issuecomment-878663534


   > Another choice for the adoptopenjdk base image would be to use the official ubuntu:20.04 base image and install the openjdk-11-jdk package in the container. 
   
   I think this is a better approach.





[GitHub] [pulsar] lhotari commented on pull request #11026: [Security] Use adoptopenjdk:11-jdk base image for Pulsar docker images

Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #11026:
URL: https://github.com/apache/pulsar/pull/11026#issuecomment-867374901


   Another choice for the adoptopenjdk base image would be to use the official ubuntu:20.04 base image and install the openjdk-11-jdk package in the container. This would also resolve the security issues that come from using the Debian based openjdk docker base image.
   
   Switching to an OS other than an Ubuntu-based one would be more work, since the current Dockerfiles use apt to install packages and thus work for Debian/Ubuntu.
   
   @sijie Please provide advice on how to proceed.
   





[GitHub] [pulsar] hangc0276 commented on pull request #11026: [Security] Use ubuntu:20.04 base image for Pulsar docker images

Posted by GitBox <gi...@apache.org>.
hangc0276 commented on pull request #11026:
URL: https://github.com/apache/pulsar/pull/11026#issuecomment-906918245


   Because python3.7 is not available in the openjdk:11-jdk image, the build exception is: https://github.com/apache/pulsar/runs/3428234664
   
   So I cherry-picked this PR to branch-2.8, to release in Pulsar 2.8.1, to solve the docker image build failure problem.





[GitHub] [pulsar] lhotari commented on pull request #11026: [Security] Use adoptopenjdk:11-jdk base image for Pulsar docker images

Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #11026:
URL: https://github.com/apache/pulsar/pull/11026#issuecomment-867368769


   > who maintains adoptopenjdk?
   
   The JDK, [AdoptOpenJDK itself has moved to Eclipse Foundation and has been renamed to Adoptium](https://blog.adoptopenjdk.net/2021/03/transition-to-eclipse-an-update/). The GitHub organization is [adoptium](https://github.com/adoptium) and the transition from [AdoptOpenJDK](https://adoptopenjdk.net/) to [Adoptium](https://adoptium.net/) is still in progress.
   
   The adoptopenjdk docker images are maintained in 2 locations:
   * [official Docker Hub adoptopenjdk docker images](https://hub.docker.com/_/adoptopenjdk), source: https://github.com/AdoptOpenJDK/openjdk-docker . [Dockerfile](https://github.com/AdoptOpenJDK/openjdk-docker/blob/master/11/jdk/ubuntu/Dockerfile.hotspot.releases.full)
   * [adoptopenjdk docker images](https://hub.docker.com/r/adoptopenjdk/openjdk11) under `adoptopenjdk/`
   
   > Both images use the same underlying Java binaries from AdoptOpenJDK, but they support different OS flavours as below. Also the official DockerHub images are updated for underlying OS updates as and when the OS fixes are available. The AdoptOpenJDK maintained images are rebuilt everyday.





[GitHub] [pulsar] eolivelli commented on pull request #11026: [Security] Use ubuntu:20.04 base image for Pulsar docker images

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #11026:
URL: https://github.com/apache/pulsar/pull/11026#issuecomment-906935537


   @hangc0276 please advertise this on dev@
   
   This is an important change, we must be sure that the community is up to date





[GitHub] [pulsar] lhotari merged pull request #11026: [Security] Use ubuntu:20.04 base image for Pulsar docker images

Posted by GitBox <gi...@apache.org>.
lhotari merged pull request #11026:
URL: https://github.com/apache/pulsar/pull/11026


   





[GitHub] [pulsar] eolivelli commented on pull request #11026: [Security] Use adoptopenjdk:11-jdk base image for Pulsar docker images

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #11026:
URL: https://github.com/apache/pulsar/pull/11026#issuecomment-866954690


   @michaeljmarshall @sijie @rdhabalia @jerrypeng @codelipenghui 
   PTAL

