jetty-runtime icon indicating copy to clipboard operation
jetty-runtime copied to clipboard

Published 20 hours ago verified publisher icon GoogleCloudPlatform

Upgrade base image to Debian 10 ("buster")

Open joakime opened this issue 5 years ago • 5 comments
trafficstars

The current image is based on Debian 9 ("stretch") which has now been superseded by Debian 10 ("buster").

From https://www.debian.org/releases/stretch/

Debian 9 has been superseded by Debian 10 (buster). Security updates have been discontinued as of July 6th, 2020.

We should update to Debian 10 ("buster") to get security updates, and also to stay current with openjdk-11 which is no longer receiving updates on stretch.

  • Stretch Backports is still on openjdk 11.0.6 - https://packages.debian.org/stretch-backports/openjdk-11-jre-headless
  • Buster Stable is on openjdk 11.0.8 - https://packages.debian.org/buster/openjdk-11-jdk-headless

joakime avatar Aug 17 '20 12:08 joakime

@joakime Last I asked we were not allowed to upgrade jetty-runtime to jdk-11 as that needed to be coordinated with the wider jdk-11. However, if "buster" also supports jdk-8, then upgrading now would be a good step to be ready. @donmccasland Do you see any reason we can't do this?

gregw avatar Aug 17 '20 16:08 gregw

The current image is based on FROM gcr.io/google-appengine/openjdk:8

It would be easy enough to base it FROM gcr.io/google-appengine/debian10:latest and just install openjdk-8-jdk-headless as the default.

joakime avatar Aug 17 '20 16:08 joakime

Correction. Debian 10 ("buster") has no openjdk-8 package available.

https://packages.debian.org/buster/java/

Seems to only support openjdk-11 or newer. We could install the archive from adoptopenjdk easily enough though.

joakime avatar Aug 17 '20 16:08 joakime

So we are now in the predicament.

We cannot continue to use Debian 9 ("stretch") due to lack of security updates, and no support for openjdk-11. We cannot upgrade to Debian 10 ("buster") due lack of Java 8 JDK packages.

Can we create a new branch of the jetty-runtime images? perhaps with a new label like jetty-runtime-11:latest (or jetty-runtime:11-latest?) which is Debian 10 ("buster") and OpenJDK 11?

joakime avatar Aug 17 '20 16:08 joakime

@joakime again I don't believe we can make an official jdk-11 image until all others are ready to go to jdk-11. Surely there is a way to get a back port of jdk8 for debian 10? jdk8 is going to live forever!

gregw avatar Aug 17 '20 16:08 gregw