Hi

see comments below

On Wednesday, January 8, 2020 at 17:45 +0000, DRAGOSH, PAMELA L (PAM) wrote:
> Morgan,
>
> We see that you added some group, user and directory to the Dockerfile. Not
> sure if you are also intending to start imposing that on the projects.

Unless we had some scripts in Gerrit, it is not really possible to impose the
use of a specific docker/user/group/directory; it can be overwritten without
problem.

> Currently, most of the projects already have some convention to them regarding
> group, user and where they place all their binaries etc. So if you expect
> changes for that, I don’t think that would be appropriate at this timeframe for
> Frankfurt.

Agreed; as said, people can overwrite. For G and later, it makes sense to
harmonize. The changes are a priori relatively trivial.
The main point is to avoid the multiplication of images: by using the same
source image, we will have better control of the vulnerabilities.

> Since we are not trying to retain Alpine and are simply going to pull from
> openjdk:11.0.5-jre-slim, then perhaps this image from Integration isn’t needed.
> We can discuss whether ONAP wants to impose group, user and directory structure
> for G release.

If the image is already there, projects can adopt it for F if they want (not
mandatory), and we may discuss whether it makes sense to impose it from G.

> Again, it would be good for the community to understand that we are no longer
> Alpine, nor are we going back to Ubuntu, but rather the base for the ONAP
> images will be Debian.

I think that the debate should not be on the distro.
It used to be in the past, but my view is that we must follow the "Upstream
first" principle and rely on the work of the upstream community dealing with the
component we need, here OpenJDK.
As OpenJDK maintainers, they are the closest to the code we are interested in
and the best ones to ensure the maintenance and fix vulnerabilities regularly.
OpenJDK produces several "official images"; we must select the most accurate
for our need.
Currently Alpine is not officially supported for Java 11. From my perspective,
it is better to use an official distro supporting Java 11 rather than selecting
a non-official Alpine docker integrating Java 11, or even rebuilding the solution
on our side.
OpenJDK releases a Java 11 on a slim Debian (69 MB); an Alpine 3.9 with JRE 8
was 56 MB. When we moved from Ubuntu (based on Debian BTW) to Alpine, the goal
was to reduce the size (because full Ubuntu images were used) on one hand and
to reduce the diversity of distributions on the other.
Here for Java 11, we still suggest only one distro and the size is almost the
same as the Alpine one; I think it matches our need.

Moreover, focusing on Java 11 and not on the distro should also allow rebuilding
the dockers on any distro (CentOS, CoreOS, Ubuntu, Alpine, Debian, RHEL,
SUSE, ...) or did I miss one of the interests of Java? :)

> Thanks,
>
> Pam


From: "[email protected]" <[email protected]>
Date: Wednesday, January 8, 2020 at 11:29 AM
To: "DRAGOSH, PAMELA L (PAM)" <[email protected]>, 
"[email protected]" <[email protected]>, DESBUREAUX Sylvain 
TGI/OLN <[email protected]>, "ZWARICO, AMY" <[email protected]>, 
"LUNANUOVA, DOMINIC (DOMINIC)" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [onap-discuss] [ONAP] [Integration] Java11 ONAP docker

I just updated the docker after Sylvain's comment :)

On Wednesday, January 8, 2020 at 15:23 +0000, LUNANUOVA, DOMINIC (DOMINIC) wrote:
Sylvain,
Perhaps your suggestion is already used by Morgan?
I find Morgan’s Dockerfile
<https://gitlab.com/onap-integration/docker/onap-java/blob/master/Dockerfile>
to use base image: openjdk:11.0.5-jre-slim

If not, please provide a specific reference to what you mean by “we can use 
openjdk11 official jre-slim”.

-Dom

From: [email protected] [mailto:[email protected]] On 
Behalf Of Sylvain Desbureaux via Lists.Onap.Org
Sent: Wednesday, January 8, 2020 7:36 AM
To: RICHOMME Morgan TGI/OLN <[email protected]>; DRAGOSH, PAMELA L 
(PAM) <[email protected]>; ZWARICO, AMY <[email protected]>
Cc: [email protected]; [email protected]
Subject: Re: [onap-discuss] [ONAP] [Integration] Java11 ONAP docker

Hi Morgan
I believe that instead of openjdk11 official slim images as we don’t
compile AFAIK in our Docker (and if we are, I believe it’s a bad pattern).
We move from 215 MB to 70 MB compressed (and maybe we get rid of some CVEs).

Regards,
---
Sylvain Desbureaux

From: RICHOMME Morgan TGI/OLN <[email protected]>
Date: Tuesday, January 7, 2020 at 11:12
To: "[email protected]" <[email protected]>,
"[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>,
"[email protected]" <[email protected]>, DESBUREAUX
Sylvain TGI/OLN <[email protected]>
Subject: [ONAP] [Integration] Java11 ONAP docker

Hi Amy and Pam

As discussed during the PTL meeting yesterday, I generated a Dockerfile for
Java 11.

For the moment I do everything in gitlab.com as I do not have the repositories
in ONAP.
You can find the code here:
https://gitlab.com/onap-integration/docker/onap-java
One of the advantages is that we automatically leverage all the built-in
features of gitlab.com (it will take time to do the same from LF repos):
- registry: docker built automatically and available in
registry.gitlab.com/onap-integration/docker/onap-java:latest
- CI including several add-ons such as container_scanning (with klar '2.4.0' and
clair 'v2.1.2') or licence verification:
https://gitlab.com/onap-integration/docker/onap-java/pipelines/107470068
- security scan results:
https://gitlab.com/onap-integration/docker/onap-java/security/dashboard/?project_id=15652149&scope=dismissed&page=1&days=90
46 vulnerabilities found, linked to Debian vulnerabilities (Debian is what
openjdk uses to build their image): 1 high (CVE-2019-18224 in libidn2), 4 medium,
41 low.

The docker itself is very basic:
I started from the openjdk11 official slim image (1 layer, 215 MB compressed).
I added an onap group and an onap user.
I created two env variables:
- JAVA_SEC_OPTS=""
- JAVA_OPTS="-Xms256m -Xmx1g"
so it is possible to overwrite these values through env variables.
I assume that the jar file is put in /opt/onap/app.jar
and I set the entry point as java $JAVA_SEC_OPTS $JAVA_OPTS -jar
/opt/$user/app.jar

So if you create your docker from this docker, you in theory need to copy your
jar and it should be OK... to be tested.

Any comments/modifications/suggestions on the Dockerfile are welcome.
The gitlab.com project is under the Apache v2 licence and fully Open Source.
If you want to be added as a member of the gitlab.com project, do not hesitate.

/Morgan
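As an added illustration of the layout Morgan describes above (this is not the Dockerfile from the gitlab.com onap-java project, which is not reproduced here), the following base-image Dockerfile takes the pinned tag, the onap group/user, the two ENV variables and the /opt/onap/app.jar path from the message; the system-account flags, the nologin shell, the directory permissions and the exec-form entrypoint are assumptions added here to show the points a reviewer would check in such a shared base image.

```dockerfile
# Added example, not the onap-java project's own Dockerfile.
# Base tag, user/group name, env variables and jar path follow the thread;
# everything else is an assumption made for this illustration.
FROM openjdk:11.0.5-jre-slim

# Dedicated unprivileged system account: no password, no login shell,
# home under /opt/onap, so the application never runs as root.
RUN groupadd --system onap \
    && useradd --system --gid onap --home-dir /opt/onap \
               --shell /usr/sbin/nologin onap \
    && mkdir -p /opt/onap \
    && chown onap:onap /opt/onap \
    && chmod 755 /opt/onap

# JVM options a deployment can override with `docker run -e JAVA_OPTS=...`.
# JAVA_SEC_OPTS is kept empty here so security-related JVM flags can be
# supplied at deployment time instead of being baked into the image.
ENV JAVA_SEC_OPTS="" \
    JAVA_OPTS="-Xms256m -Xmx1g"

WORKDIR /opt/onap
# Every later layer (and the running process) is unprivileged from here on;
# a child image that does `USER root` again defeats this.
USER onap

# Expanding $JAVA_SEC_OPTS / $JAVA_OPTS needs a shell, so the plain exec form
# ["java", "$JAVA_OPTS", ...] would pass the literal strings. Using sh -c
# with `exec` makes the JVM PID 1, so SIGTERM from `docker stop` or a
# Kubernetes pod deletion reaches java instead of being swallowed by sh.
ENTRYPOINT ["/bin/sh", "-c", "exec java $JAVA_SEC_OPTS $JAVA_OPTS -jar /opt/onap/app.jar"]
```

A project image built on top of this would then only need `FROM registry.gitlab.com/onap-integration/docker/onap-java:latest` followed by `COPY --chown=onap:onap target/app.jar /opt/onap/app.jar`, without switching back to `USER root`. For the vulnerability tracking Morgan mentions, pinning the base by digest (`onap-java@sha256:<digest placeholder>`) rather than `:latest` makes a given scan result attributable to one exact base image.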

_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged
information that may be protected by law; they should not be distributed, used
or copied without authorisation. If you have received this email in error,
please notify the sender and delete this message and its attachments. As emails
may be altered, Orange is not liable for messages that have been modified,
changed or falsified. Thank you.
View/Reply Online (#19748): https://lists.onap.org/g/onap-discuss/message/19748