Which Java distribution should I use for my cloud application?
Definitely one supported by a respected and well-known vendor. The image should be updated immediately after each security threat.
root@user-Aspire-ES1-431:~# docker run -it registry.access.redhat.com/ubi7
[root@96f7d38bf565 /]# yum install java-11-openjdk-headless
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
ubi-7 | 3.8 kB 00:00
ubi-7-rhah | 3.7 kB 00:00
ubi-7-server-extras-rpms | 3.7 kB 00:00
ubi-7-server-optional-rpms | 3.7 kB 00:00
ubi-server-rhscl-7-rpms | 3.8 kB 00:00
(1/15): ubi-7/x86_64/group | 124 B 00:01
(2/15): ubi-7/x86_64/updateinfo | 92 B 00:02
(3/15): ubi-7-rhah/x86_64/group | 124 B 00:01
(4/15): ubi-7-rhah/x86_64/updateinfo | 92 B 00:01
(5/15): ubi-7/x86_64/primary_db | 675 kB 00:02
(6/15): ubi-7-rhah/x86_64/primary_db | 4.0 kB 00:01
(7/15): ubi-7-server-extras-rpms/x86_64/group | 124 B 00:01
(8/15): ubi-7-server-extras-rpms/x86_64/updateinfo | 92 B 00:02
(9/15): ubi-7-server-optional-rpms/x86_64/group | 124 B 00:00
(10/15): ubi-7-server-extras-rpms/x86_64/primary_db | 4.6 kB 00:00
(11/15): ubi-7-server-optional-rpms/x86_64/updateinfo | 92 B 00:00
(12/15): ubi-server-rhscl-7-rpms/x86_64/group | 124 B 00:01
(13/15): ubi-7-server-optional-rpms/x86_64/primary_db | 13 kB 00:01
(14/15): ubi-server-rhscl-7-rpms/x86_64/updateinfo | 92 B 00:01
(15/15): ubi-server-rhscl-7-rpms/x86_64/primary_db | 158 kB 00:01
Resolving Dependencies
--> Running transaction check
---> Package java-11-openjdk-headless.x86_64 1:11.0.3.7-0.el7_6 will be installed
--> Processing Dependency: copy-jdk-configs >= 3.3 for package: 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64
--> Processing Dependency: tzdata-java >= 2015d for package: 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64
--> Processing Dependency: javapackages-tools for package: 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64
--> Processing Dependency: libasound.so.2(ALSA_0.9)(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64
--> Processing Dependency: libasound.so.2(ALSA_0.9.0rc4)(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64
--> Processing Dependency: libjpeg.so.62(LIBJPEG_6.2)(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64
--> Processing Dependency: lksctp-tools(x86-64) for package: 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64
--> Processing Dependency: libasound.so.2()(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64
--> Processing Dependency: libfreetype.so.6()(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64
--> Processing Dependency: libjpeg.so.62()(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64
--> Running transaction check
---> Package alsa-lib.x86_64 0:1.1.6-2.el7 will be installed
---> Package copy-jdk-configs.noarch 0:3.3-10.el7_5 will be installed
---> Package freetype.x86_64 0:2.8-12.el7_6.1 will be installed
--> Processing Dependency: libpng15.so.15(PNG15_0)(64bit) for package: freetype-2.8-12.el7_6.1.x86_64
--> Processing Dependency: libpng15.so.15()(64bit) for package: freetype-2.8-12.el7_6.1.x86_64
---> Package javapackages-tools.noarch 0:3.4.1-11.el7 will be installed
--> Processing Dependency: python-javapackages = 3.4.1-11.el7 for package: javapackages-tools-3.4.1-11.el7.noarch
--> Processing Dependency: libxslt for package: javapackages-tools-3.4.1-11.el7.noarch
---> Package libjpeg-turbo.x86_64 0:1.2.90-6.el7 will be installed
---> Package lksctp-tools.x86_64 0:1.0.17-2.el7 will be installed
---> Package tzdata-java.noarch 0:2019b-1.el7 will be installed
--> Running transaction check
---> Package libpng.x86_64 2:1.5.13-7.el7_2 will be installed
---> Package libxslt.x86_64 0:1.1.28-5.el7 will be installed
---> Package python-javapackages.noarch 0:3.4.1-11.el7 will be installed
--> Processing Dependency: python-lxml for package: python-javapackages-3.4.1-11.el7.noarch
--> Running transaction check
---> Package python-lxml.x86_64 0:3.2.1-4.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
java-11-openjdk-headless x86_64 1:11.0.3.7-0.el7_6 ubi-7 38 M
Installing for dependencies:
alsa-lib x86_64 1.1.6-2.el7 ubi-7 424 k
copy-jdk-configs noarch 3.3-10.el7_5 ubi-7 21 k
freetype x86_64 2.8-12.el7_6.1 ubi-7 380 k
javapackages-tools noarch 3.4.1-11.el7 ubi-7 73 k
libjpeg-turbo x86_64 1.2.90-6.el7 ubi-7 134 k
libpng x86_64 2:1.5.13-7.el7_2 ubi-7 213 k
libxslt x86_64 1.1.28-5.el7 ubi-7 242 k
lksctp-tools x86_64 1.0.17-2.el7 ubi-7 88 k
python-javapackages noarch 3.4.1-11.el7 ubi-7 31 k
python-lxml x86_64 3.2.1-4.el7 ubi-7 758 k
tzdata-java noarch 2019b-1.el7 ubi-7 187 k
Transaction Summary
================================================================================
Install 1 Package (+11 Dependent packages)
Total download size: 41 M
Installed size: 166 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7Server/ubi-7/packages/copy-jdk-configs-3.3-10.el7_5.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Public key for copy-jdk-configs-3.3-10.el7_5.noarch.rpm is not installed
(1/12): copy-jdk-configs-3.3-10.el7_5.noarch.rpm | 21 kB 00:00
(2/12): alsa-lib-1.1.6-2.el7.x86_64.rpm | 424 kB 00:01
(3/12): freetype-2.8-12.el7_6.1.x86_64.rpm | 380 kB 00:00
(4/12): javapackages-tools-3.4.1-11.el7.noarch.rpm | 73 kB 00:00
(5/12): libjpeg-turbo-1.2.90-6.el7.x86_64.rpm | 134 kB 00:00
(6/12): libpng-1.5.13-7.el7_2.x86_64.rpm | 213 kB 00:00
(7/12): libxslt-1.1.28-5.el7.x86_64.rpm | 242 kB 00:00
(8/12): lksctp-tools-1.0.17-2.el7.x86_64.rpm | 88 kB 00:00:00
(9/12): python-javapackages-3.4.1-11.el7.noarch.rpm | 31 kB 00:00:00
(10/12): python-lxml-3.2.1-4.el7.x86_64.rpm | 758 kB 00:00:01
(11/12): tzdata-java-2019b-1.el7.noarch.rpm | 187 kB 00:00:00
(12/12): java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64.rpm | 38 MB 00:00:40
--------------------------------------------------------------------------------
Total 1.0 MB/s | 41 MB 00:00:41
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
Userid : "Red Hat, Inc. (release key 2) <security@redhat.com>"
Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51
Package : redhat-release-server-7.6-4.el7.x86_64 (@anaconda/7.6)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0:
Userid : "Red Hat, Inc. (auxiliary key) <security@redhat.com>"
Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0
Package : redhat-release-server-7.6-4.el7.x86_64 (@anaconda/7.6)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libxslt-1.1.28-5.el7.x86_64 1/12
Installing : python-lxml-3.2.1-4.el7.x86_64 2/12
Installing : python-javapackages-3.4.1-11.el7.noarch 3/12
Installing : javapackages-tools-3.4.1-11.el7.noarch 4/12
Installing : libjpeg-turbo-1.2.90-6.el7.x86_64 5/12
Installing : lksctp-tools-1.0.17-2.el7.x86_64 6/12
Installing : 2:libpng-1.5.13-7.el7_2.x86_64 7/12
Installing : freetype-2.8-12.el7_6.1.x86_64 8/12
Installing : alsa-lib-1.1.6-2.el7.x86_64 9/12
Installing : tzdata-java-2019b-1.el7.noarch 10/12
Installing : copy-jdk-configs-3.3-10.el7_5.noarch 11/12
Installing : 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64 12/12
Verifying : libxslt-1.1.28-5.el7.x86_64 1/12
Verifying : copy-jdk-configs-3.3-10.el7_5.noarch 2/12
Verifying : python-javapackages-3.4.1-11.el7.noarch 3/12
Verifying : tzdata-java-2019b-1.el7.noarch 4/12
Verifying : alsa-lib-1.1.6-2.el7.x86_64 5/12
Verifying : python-lxml-3.2.1-4.el7.x86_64 6/12
Verifying : freetype-2.8-12.el7_6.1.x86_64 7/12
Verifying : 2:libpng-1.5.13-7.el7_2.x86_64 8/12
Verifying : javapackages-tools-3.4.1-11.el7.noarch 9/12
Verifying : 1:java-11-openjdk-headless-11.0.3.7-0.el7_6.x86_64 10/12
Verifying : lksctp-tools-1.0.17-2.el7.x86_64 11/12
Verifying : libjpeg-turbo-1.2.90-6.el7.x86_64 12/12
Installed:
java-11-openjdk-headless.x86_64 1:11.0.3.7-0.el7_6
Dependency Installed:
alsa-lib.x86_64 0:1.1.6-2.el7 copy-jdk-configs.noarch 0:3.3-10.el7_5 freetype.x86_64 0:2.8-12.el7_6.1
javapackages-tools.noarch 0:3.4.1-11.el7 libjpeg-turbo.x86_64 0:1.2.90-6.el7 libpng.x86_64 2:1.5.13-7.el7_2
libxslt.x86_64 0:1.1.28-5.el7 lksctp-tools.x86_64 0:1.0.17-2.el7 python-javapackages.noarch 0:3.4.1-11.el7
python-lxml.x86_64 0:3.2.1-4.el7 tzdata-java.noarch 0:2019b-1.el7
Complete!
[root@96f7d38bf565 /]# java -version
openjdk version "11.0.3" 2019-04-16 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.3+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.3+7-LTS, mixed mode, sharing)
[root@96f7d38bf565 /]#
If you need a really small base container (~30 MB), use ubi7-minimal:
root@user-Aspire-ES1-431:~# docker run -it registry.access.redhat.com/ubi7-minimal
bash-4.2# microdnf install java-11-openjdk-headless --nodocs
Downloading metadata...
Downloading metadata...
Downloading metadata...
Downloading metadata...
Transaction: 15 packages
python-libs-2.7.5-80.el7_6.x86_64 (ubi-7)
javapackages-tools-3.4.1-11.el7.noarch (ubi-7)
python-2.7.5-80.el7_6.x86_64 (ubi-7)
gdbm-1.10-8.el7.x86_64 (ubi-7)
libxslt-1.1.28-5.el7.x86_64 (ubi-7)
libpng-2:1.5.13-7.el7_2.x86_64 (ubi-7)
alsa-lib-1.1.6-2.el7.x86_64 (ubi-7)
libjpeg-turbo-1.2.90-6.el7.x86_64 (ubi-7)
lksctp-tools-1.0.17-2.el7.x86_64 (ubi-7)
python-javapackages-3.4.1-11.el7.noarch (ubi-7)
copy-jdk-configs-3.3-10.el7_5.noarch (ubi-7)
freetype-2.8-12.el7_6.1.x86_64 (ubi-7)
python-lxml-3.2.1-4.el7.x86_64 (ubi-7)
tzdata-java-2019b-1.el7.noarch (ubi-7)
java-11-openjdk-headless-1:11.0.3.7-0.el7_6.x86_64 (ubi-7)
Downloading packages...
Running transaction test...
Installing: libxslt;1.1.28-5.el7;x86_64;ubi-7
Installing: tzdata-java;2019b-1.el7;noarch;ubi-7
Installing: copy-jdk-configs;3.3-10.el7_5;noarch;ubi-7
Installing: lksctp-tools;1.0.17-2.el7;x86_64;ubi-7
Installing: libjpeg-turbo;1.2.90-6.el7;x86_64;ubi-7
Installing: alsa-lib;1.1.6-2.el7;x86_64;ubi-7
Installing: libpng;2:1.5.13-7.el7_2;x86_64;ubi-7
Installing: (null)
Installing: freetype;2.8-12.el7_6.1;x86_64;ubi-7
Installing: (null)
Installing: gdbm;1.10-8.el7;x86_64;ubi-7
Installing: python-libs;2.7.5-80.el7_6;x86_64;ubi-7
Installing: (null)
Installing: python;2.7.5-80.el7_6;x86_64;ubi-7
Installing: (null)
Installing: python-lxml;3.2.1-4.el7;x86_64;ubi-7
Installing: python-javapackages;3.4.1-11.el7;noarch;ubi-7
Installing: (null)
Installing: javapackages-tools;3.4.1-11.el7;noarch;ubi-7
Installing: (null)
Installing: java-11-openjdk-headless;1:11.0.3.7-0.el7_6;x86_64;ubi-7
Installing: (null)
Installing: (null)
Complete.
bash-4.2# microdnf clean all
Complete.
bash-4.2# java -version
openjdk version "11.0.3" 2019-04-16 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.3+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.3+7-LTS, mixed mode, sharing)
bash-4.2#
Please notice that:
- Java on DockerHub is taken from Debian. See: https://dzone.com/articles/docker-snafu-vulnerable-jdk.
- Public ibmjava requires an invoice.
- You are not brave enough to use Eclipse OpenJ9 in production unless you are a CXX executive backed by the management board.
- Customers from the US would not be happy to see Java from Alibaba Cloud in your container. The trade war changed everything.
- Red Hat’s UBI license is business friendly: https://www.redhat.com/licenses/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf
- Today you’ve got 3 Java vendors: Oracle, IBM and Azul Systems.
- When you are on Amazon, you must run Java from Amazon. Joke ;)
root@user-Aspire-ES1-431:~# docker run -it --rm azul/zulu-openjdk-centos:11 java -version
Unable to find image 'azul/zulu-openjdk-centos:11' locally
11: Pulling from azul/zulu-openjdk-centos
8ba884070f61: Pull complete
1c1ed3a62a09: Pull complete
ae433eae3bd1: Pull complete
01cb59793d17: Pull complete
e795e312fd6f: Pull complete
Digest: sha256:1a3ef48131dc3838bdf30dc5a11b63e09a0712988295841c74cb8d93d5fa10e0
Status: Downloaded newer image for azul/zulu-openjdk-centos:11
openjdk version "11.0.4" 2019-07-16 LTS
OpenJDK Runtime Environment Zulu11.33+15-CA (build 11.0.4+11-LTS)
OpenJDK 64-Bit Server VM Zulu11.33+15-CA (build 11.0.4+11-LTS, mixed mode)
root@user-Aspire-ES1-431:~#
It looks like Zulu's latest really is the latest.
root@user-Aspire-ES1-431:~# docker run -it --rm amazoncorretto java -version
Unable to find image 'amazoncorretto:latest' locally
latest: Pulling from library/amazoncorretto
72d97abdfae3: Pull complete
6f7fd16d8008: Pull complete
Digest: sha256:9f78e7b5f70f7a1babd736aed407a944c2e0190a7dce193bf3afe1a6447964bf
Status: Downloaded newer image for amazoncorretto:latest
openjdk version "1.8.0_222"
OpenJDK Runtime Environment Corretto-8.222.10.1 (build 1.8.0_222-b10)
OpenJDK 64-Bit Server VM Corretto-8.222.10.1 (build 25.222-b10, mixed mode)
Azul for Azure is a free Enterprise version, with some licensing doubt:
root@user-Aspire-ES1-431:~# docker run -it --rm mcr.microsoft.com/java/jre-headless:11u3-zulu-centos java -version
Unable to find image 'mcr.microsoft.com/java/jre-headless:11u3-zulu-centos' locally
11u3-zulu-centos: Pulling from java/jre-headless
8ba884070f61: Already exists
e3b7da723b96: Pull complete
Digest: sha256:30039445f3fad8770a855beb7e1573fc71ef531736c5e0e46c040bdffc206d13
Status: Downloaded newer image for mcr.microsoft.com/java/jre-headless:11u3-zulu-centos
openjdk version "11.0.3" 2019-04-16 LTS
OpenJDK Runtime Environment 19.4-(Zulu-11.31+11-linux_x64)-Microsoft-Azure-restricted (build 11.0.3+7-LTS)
OpenJDK 64-Bit Server VM 19.4-(Zulu-11.31+11-linux_x64)-Microsoft-Azure-restricted (build 11.0.3+7-LTS, mixed mode)
Java inside a container also requires a base OS. If security and reliability are top priorities, I would go with UBI or cloud-dedicated images.
Azul and Amazon release quickly, see: https://adoptopenjdk.net/archive.html?variant=openjdk8&jvmVariant=hotspot. There is a reason for that — security bugfixes, see: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-July/001423.html
To be prepared for Java 11 updates see: https://wiki.openjdk.java.net/display/JDKUpdates/JDK11u.
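The comparison the sessions above make by eye, written as an added example that is not part of the original post: it parses `java -version` banners and flags runtimes older than a baseline. The function names and the baselines (11.0.4 and 8.0.222, the newest builds shown on this page) are assumptions.

```shell
# Added example: flag Java base images whose runtime is behind a patch baseline.

# Pull the quoted version out of the banner's first line; normalise the legacy
# "1.8.0_222" scheme to "8.0.222" and drop any "-ea" or "+build" suffix.
banner_version() {
    printf '%s\n' "$1" | sed -n '1s/^[^"]*"\([^"]*\)".*$/\1/p' | sed \
        -e 's/^1\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)_\([0-9][0-9]*\)/\1.\2.\3/' \
        -e 's/[-+].*$//'
}

# Succeeds (exit 0) when dotted version $1 is strictly older than $2.
# Components are compared numerically, so 11.0.10 is newer than 11.0.4.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Assumed policy: the minimum per major release is the newest build shown in
# the sessions on this page; replace with your vendor's current security release.
baseline_for() {
    case ${1%%.*} in
        11) echo 11.0.4 ;;
        8)  echo 8.0.222 ;;
    esac
}

# Verdict for one banner: OK, BEHIND, or UNKNOWN (unparsed or untracked major).
check_image() {
    v=$(banner_version "$1"); min=$(baseline_for "$v")
    if [ -z "$v" ] || [ -z "$min" ]; then echo "UNKNOWN"
    elif version_lt "$v" "$min"; then echo "BEHIND $v < $min"
    else echo "OK $v"; fi
}

# Banners copied from the sessions above. Live: docker run --rm IMAGE java -version 2>&1
while IFS='|' read -r image banner; do
    printf '%-52s %s\n' "$image" "$(check_image "$banner")"
done <<'EOF'
ubi7 + java-11-openjdk-headless|openjdk version "11.0.3" 2019-04-16 LTS
azul/zulu-openjdk-centos:11|openjdk version "11.0.4" 2019-07-16 LTS
amazoncorretto:latest|openjdk version "1.8.0_222"
mcr.microsoft.com/java/jre-headless:11u3-zulu-centos|openjdk version "11.0.3" 2019-04-16 LTS
EOF
```

Run as a scheduled pipeline step, a BEHIND verdict is the signal to rebuild on a refreshed base image.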