OL docker container base alignment

Open faandg opened this issue 11 months ago • 1 comments

Hi,

Our company extends the following images

  • icr.io/appcafe/open-liberty:25.0.0.1-kernel-slim-java8-openj9-ubi
  • icr.io/appcafe/open-liberty:25.0.0.1-kernel-slim-java17-openj9-ubi
  • icr.io/appcafe/open-liberty:25.0.0.1-kernel-slim-java21-openj9-ubi-minimal

Currently, we have to use split logic to handle extending the images for java8 and java17 versus the image from java21, here's why:

  • 25.0.0.1-kernel-slim-java8-openj9-ubi and 25.0.0.1-kernel-slim-java17-openj9-ubi are based on UBI8 -- additionally, minimal images for those 2 do not exist
  • 25.0.0.1-kernel-slim-java21-openj9-ubi-minimal is based on UBI9

Is there a specific reason that the java8 and java17 images are not being moved to UBI9 (and minimal images are not available)? If not for my use case, then please consider it for having to troubleshoot fewer behavioral issues / reproducibility reasons because this divergence means running on a completely different set of packages.

Jan 30 '25 09:01 faandg

@faandg Thank you for reaching out. UBI minimal is our strategic choice, hence we chose UBI 9 minimal when adding Liberty images with Java 21 last year. Due to FIPS compliance reasons, the Liberty images based on Java 8, 11, and 17 need to stay with the UBI 8 standard. Hence, the naming difference you pointed out. We are considering adding UBI 9 minimal images for the other Java versions, which should remove the difference. We don't have concrete timelines to share at this time, but new images, once available, will be documented in the list of images: https://github.com/OpenLiberty/ci.docker/blob/main/docs/icr-images.md#latest-version

Feb 04 '25 20:02 leochr

I know of cases where ubi8-based images have not been able to be used because the security scan quality thresholds for images have not been met. This is mainly due to the installed Python version. However, with ubi9-based images this problem does not occur. It would be a great help in my case if all images were built from ubi9.

Mar 06 '25 15:03 vnfjjimenez

UBI 9 minimal based Liberty images with Semeru 17/11/8 JRE and IBM Java 8 JRE are now added, starting with 25.0.0.4. They follow a similar naming to the Liberty images with Semeru 21.

  • Liberty container images: https://openliberty.io/docs/latest/container-images.html
  • See the full list of image tags at https://github.com/OpenLiberty/ci.docker/blob/main/docs/icr-images.md#latest-version

May 01 '25 19:05 leochr

These are perfect, thanks! We were able to remove all of the split logic and build every image the same way.

May 07 '25 08:05 faandg