Which Java distribution should I use for my cloud application?

Definitely supported by the respected and well known vendor. Image should be immediately updated after each security thread.

root@user-Aspire-ES1–431:~# docker run -it registry.access.redhat.com/ubi7
[root@96f7d38bf565 /]# yum install java-11-openjdk-headless
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
ubi-7 | 3.8 kB 00:00 
ubi-7-rhah | 3.7 kB 00:00 
ubi-7-server-extras-rpms | 3.7 kB 00:00 
ubi-7-server-optional-rpms | 3.7 kB 00:00 
ubi-server-rhscl-7-rpms | 3.8 kB 00:00 
(1/15): ubi-7/x86_64/group | 124 B 00:01 
(2/15): ubi-7/x86_64/updateinfo | 92 B 00:02 
(3/15): ubi-7-rhah/x86_64/group | 124 B 00:01 
(4/15): ubi-7-rhah/x86_64/updateinfo | 92 B 00:01 
(5/15): ubi-7/x86_64/primary_db | 675 kB 00:02 
(6/15): ubi-7-rhah/x86_64/primary_db | 4.0 kB 00:01 
(7/15): ubi-7-server-extras-rpms/x86_64/group | 124 B 00:01 
(8/15): ubi-7-server-extras-rpms/x86_64/updateinfo | 92 B 00:02 
(9/15): ubi-7-server-optional-rpms/x86_64/group | 124 B 00:00 
(10/15): ubi-7-server-extras-rpms/x86_64/primary_db | 4.6 kB 00:00 
(11/15): ubi-7-server-optional-rpms/x86_64/updateinfo | 92 B 00:00 
(12/15): ubi-server-rhscl-7-rpms/x86_64/group | 124 B 00:01 
(13/15): ubi-7-server-optional-rpms/x86_64/primary_db | 13 kB 00:01 
(14/15): ubi-server-rhscl-7-rpms/x86_64/updateinfo | 92 B 00:01 
(15/15): ubi-server-rhscl-7-rpms/x86_64/primary_db | 158 kB 00:01 
Resolving Dependencies
 → Running transaction check
 — -> Package java-11-openjdk-headless.x86_64 1:11.0.3.7–0.el7_6 will be installed
 → Processing Dependency: copy-jdk-configs >= 3.3 for package: 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64
 → Processing Dependency: tzdata-java >= 2015d for package: 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64
 → Processing Dependency: javapackages-tools for package: 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64
 → Processing Dependency: libasound.so.2(ALSA_0.9)(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64
 → Processing Dependency: libasound.so.2(ALSA_0.9.0rc4)(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64
 → Processing Dependency: libjpeg.so.62(LIBJPEG_6.2)(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64
 → Processing Dependency: lksctp-tools(x86–64) for package: 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64
 → Processing Dependency: libasound.so.2()(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64
 → Processing Dependency: libfreetype.so.6()(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64
 → Processing Dependency: libjpeg.so.62()(64bit) for package: 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64
 → Running transaction check
 — -> Package alsa-lib.x86_64 0:1.1.6–2.el7 will be installed
 — -> Package copy-jdk-configs.noarch 0:3.3–10.el7_5 will be installed
 — -> Package freetype.x86_64 0:2.8–12.el7_6.1 will be installed
 → Processing Dependency: libpng15.so.15(PNG15_0)(64bit) for package: freetype-2.8–12.el7_6.1.x86_64
 → Processing Dependency: libpng15.so.15()(64bit) for package: freetype-2.8–12.el7_6.1.x86_64
 — -> Package javapackages-tools.noarch 0:3.4.1–11.el7 will be installed
 → Processing Dependency: python-javapackages = 3.4.1–11.el7 for package: javapackages-tools-3.4.1–11.el7.noarch
 → Processing Dependency: libxslt for package: javapackages-tools-3.4.1–11.el7.noarch
 — -> Package libjpeg-turbo.x86_64 0:1.2.90–6.el7 will be installed
 — -> Package lksctp-tools.x86_64 0:1.0.17–2.el7 will be installed
 — -> Package tzdata-java.noarch 0:2019b-1.el7 will be installed
 → Running transaction check
 — -> Package libpng.x86_64 2:1.5.13–7.el7_2 will be installed
 — -> Package libxslt.x86_64 0:1.1.28–5.el7 will be installed
 — -> Package python-javapackages.noarch 0:3.4.1–11.el7 will be installed
 → Processing Dependency: python-lxml for package: python-javapackages-3.4.1–11.el7.noarch
 → Running transaction check
 — -> Package python-lxml.x86_64 0:3.2.1–4.el7 will be installed
 → Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package Arch Version Repository
 Size
================================================================================
Installing:
 java-11-openjdk-headless x86_64 1:11.0.3.7–0.el7_6 ubi-7 38 M
Installing for dependencies:
 alsa-lib x86_64 1.1.6–2.el7 ubi-7 424 k
 copy-jdk-configs noarch 3.3–10.el7_5 ubi-7 21 k
 freetype x86_64 2.8–12.el7_6.1 ubi-7 380 k
 javapackages-tools noarch 3.4.1–11.el7 ubi-7 73 k
 libjpeg-turbo x86_64 1.2.90–6.el7 ubi-7 134 k
 libpng x86_64 2:1.5.13–7.el7_2 ubi-7 213 k
 libxslt x86_64 1.1.28–5.el7 ubi-7 242 k
 lksctp-tools x86_64 1.0.17–2.el7 ubi-7 88 k
 python-javapackages noarch 3.4.1–11.el7 ubi-7 31 k
 python-lxml x86_64 3.2.1–4.el7 ubi-7 758 k
 tzdata-java noarch 2019b-1.el7 ubi-7 187 k
Transaction Summary
================================================================================
Install 1 Package (+11 Dependent packages)
Total download size: 41 M
Installed size: 166 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7Server/ubi-7/packages/copy-jdk-configs-3.3–10.el7_5.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Public key for copy-jdk-configs-3.3–10.el7_5.noarch.rpm is not installed
(1/12): copy-jdk-configs-3.3–10.el7_5.noarch.rpm | 21 kB 00:00 
(2/12): alsa-lib-1.1.6–2.el7.x86_64.rpm | 424 kB 00:01 
(3/12): freetype-2.8–12.el7_6.1.x86_64.rpm | 380 kB 00:00 
(4/12): javapackages-tools-3.4.1–11.el7.noarch.rpm | 73 kB 00:00 
(5/12): libjpeg-turbo-1.2.90–6.el7.x86_64.rpm | 134 kB 00:00 
(6/12): libpng-1.5.13–7.el7_2.x86_64.rpm | 213 kB 00:00 
(7/12): libxslt-1.1.28–5.el7.x86_64.rpm | 242 kB 00:00 
(8/12): lksctp-tools-1.0.17–2.el7.x86_64.rpm | 88 kB 00:00:00 
(9/12): python-javapackages-3.4.1–11.el7.noarch.rpm | 31 kB 00:00:00 
(10/12): python-lxml-3.2.1–4.el7.x86_64.rpm | 758 kB 00:00:01 
(11/12): tzdata-java-2019b-1.el7.noarch.rpm | 187 kB 00:00:00 
(12/12): java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64.rpm | 38 MB 00:00:40 
 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — 
Total 1.0 MB/s | 41 MB 00:00:41 
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
 Userid : “Red Hat, Inc. (release key 2) <security@redhat.com>”
 Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51
 Package : redhat-release-server-7.6–4.el7.x86_64 (@anaconda/7.6)
 From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0:
 Userid : “Red Hat, Inc. (auxiliary key) <security@redhat.com>”
 Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0
 Package : redhat-release-server-7.6–4.el7.x86_64 (@anaconda/7.6)
 From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
 Installing : libxslt-1.1.28–5.el7.x86_64 1/12 
 Installing : python-lxml-3.2.1–4.el7.x86_64 2/12 
 Installing : python-javapackages-3.4.1–11.el7.noarch 3/12 
 Installing : javapackages-tools-3.4.1–11.el7.noarch 4/12 
 Installing : libjpeg-turbo-1.2.90–6.el7.x86_64 5/12 
 Installing : lksctp-tools-1.0.17–2.el7.x86_64 6/12 
 Installing : 2:libpng-1.5.13–7.el7_2.x86_64 7/12 
 Installing : freetype-2.8–12.el7_6.1.x86_64 8/12 
 Installing : alsa-lib-1.1.6–2.el7.x86_64 9/12 
 Installing : tzdata-java-2019b-1.el7.noarch 10/12 
 Installing : copy-jdk-configs-3.3–10.el7_5.noarch 11/12 
 Installing : 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64 12/12 
 Verifying : libxslt-1.1.28–5.el7.x86_64 1/12 
 Verifying : copy-jdk-configs-3.3–10.el7_5.noarch 2/12 
 Verifying : python-javapackages-3.4.1–11.el7.noarch 3/12 
 Verifying : tzdata-java-2019b-1.el7.noarch 4/12 
 Verifying : alsa-lib-1.1.6–2.el7.x86_64 5/12 
 Verifying : python-lxml-3.2.1–4.el7.x86_64 6/12 
 Verifying : freetype-2.8–12.el7_6.1.x86_64 7/12 
 Verifying : 2:libpng-1.5.13–7.el7_2.x86_64 8/12 
 Verifying : javapackages-tools-3.4.1–11.el7.noarch 9/12 
 Verifying : 1:java-11-openjdk-headless-11.0.3.7–0.el7_6.x86_64 10/12 
 Verifying : lksctp-tools-1.0.17–2.el7.x86_64 11/12 
 Verifying : libjpeg-turbo-1.2.90–6.el7.x86_64 12/12
Installed:
 java-11-openjdk-headless.x86_64 1:11.0.3.7–0.el7_6
Dependency Installed:
 alsa-lib.x86_64 0:1.1.6–2.el7 copy-jdk-configs.noarch 0:3.3–10.el7_5 freetype.x86_64 0:2.8–12.el7_6.1 
 javapackages-tools.noarch 0:3.4.1–11.el7 libjpeg-turbo.x86_64 0:1.2.90–6.el7 libpng.x86_64 2:1.5.13–7.el7_2 
 libxslt.x86_64 0:1.1.28–5.el7 lksctp-tools.x86_64 0:1.0.17–2.el7 python-javapackages.noarch 0:3.4.1–11.el7 
 python-lxml.x86_64 0:3.2.1–4.el7 tzdata-java.noarch 0:2019b-1.el7
Complete!
[root@96f7d38bf565 /]# java -version
openjdk version “11.0.3” 2019–04–16 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.3+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.3+7-LTS, mixed mode, sharing)
[root@96f7d38bf565 /]#

If you have really small base container (~30MB) use ubi7-minimal:

root@user-Aspire-ES1–431:~# docker run -it registry.access.redhat.com/ubi7-minimal
bash-4.2# microdnf install java-11-openjdk-headless — nodocs
Downloading metadata…
Downloading metadata…
Downloading metadata…
Downloading metadata…
Transaction: 15 packages
python-libs-2.7.5–80.el7_6.x86_64 (ubi-7)
javapackages-tools-3.4.1–11.el7.noarch (ubi-7)
python-2.7.5–80.el7_6.x86_64 (ubi-7)
gdbm-1.10–8.el7.x86_64 (ubi-7)
libxslt-1.1.28–5.el7.x86_64 (ubi-7)
libpng-2:1.5.13–7.el7_2.x86_64 (ubi-7)
alsa-lib-1.1.6–2.el7.x86_64 (ubi-7)
libjpeg-turbo-1.2.90–6.el7.x86_64 (ubi-7)
lksctp-tools-1.0.17–2.el7.x86_64 (ubi-7)
python-javapackages-3.4.1–11.el7.noarch (ubi-7)
copy-jdk-configs-3.3–10.el7_5.noarch (ubi-7)
freetype-2.8–12.el7_6.1.x86_64 (ubi-7)
python-lxml-3.2.1–4.el7.x86_64 (ubi-7)
tzdata-java-2019b-1.el7.noarch (ubi-7)
java-11-openjdk-headless-1:11.0.3.7–0.el7_6.x86_64 (ubi-7)
Downloading packages…
Running transaction test…
Installing: libxslt;1.1.28–5.el7;x86_64;ubi-7
Installing: tzdata-java;2019b-1.el7;noarch;ubi-7
Installing: copy-jdk-configs;3.3–10.el7_5;noarch;ubi-7
Installing: lksctp-tools;1.0.17–2.el7;x86_64;ubi-7
Installing: libjpeg-turbo;1.2.90–6.el7;x86_64;ubi-7
Installing: alsa-lib;1.1.6–2.el7;x86_64;ubi-7
Installing: libpng;2:1.5.13–7.el7_2;x86_64;ubi-7
Installing: (null)
Installing: freetype;2.8–12.el7_6.1;x86_64;ubi-7
Installing: (null)
Installing: gdbm;1.10–8.el7;x86_64;ubi-7
Installing: python-libs;2.7.5–80.el7_6;x86_64;ubi-7
Installing: (null)
Installing: python;2.7.5–80.el7_6;x86_64;ubi-7
Installing: (null)
Installing: python-lxml;3.2.1–4.el7;x86_64;ubi-7
Installing: python-javapackages;3.4.1–11.el7;noarch;ubi-7
Installing: (null)
Installing: javapackages-tools;3.4.1–11.el7;noarch;ubi-7
Installing: (null)
Installing: java-11-openjdk-headless;1:11.0.3.7–0.el7_6;x86_64;ubi-7
Installing: (null)
Installing: (null)
Complete.
bash-4.2# microdnf clean all
Complete.
bash-4.2# java -version
openjdk version “11.0.3” 2019–04–16 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.3+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.3+7-LTS, mixed mode, sharing)
bash-4.2#

Please notice that:

1. Java on DockerHub is taken from Debian. See: https://dzone.com/articles/docker-snafu-vulnerable-jdk.
2. Public ibmjava requires invoice.
3. You are not enough brave to use Eclipse OpenJ9 on production unless you are CXX executive backed by the management board.
4. Customers from US would not be happy seeing Java from Alibaba Cloud in your container. Trade war changed everything.
5. Red Hat’s UBI license is business friendly: https://www.redhat.com/licenses/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf
6. Today you’ve got 3 Java vendors: Oracle, IBM and Azul Systems.
7. When you are on Amazon, you must run Java from Amazon. Joke ;)

root@user-Aspire-ES1–431:~# docker run -it — rm azul/zulu-openjdk-centos:11 java -version
Unable to find image ‘azul/zulu-openjdk-centos:11’ locally
11: Pulling from azul/zulu-openjdk-centos
8ba884070f61: Pull complete 
1c1ed3a62a09: Pull complete 
ae433eae3bd1: Pull complete 
01cb59793d17: Pull complete 
e795e312fd6f: Pull complete 
Digest: sha256:1a3ef48131dc3838bdf30dc5a11b63e09a0712988295841c74cb8d93d5fa10e0
Status: Downloaded newer image for azul/zulu-openjdk-centos:11
openjdk version “11.0.4” 2019–07–16 LTS
OpenJDK Runtime Environment Zulu11.33+15-CA (build 11.0.4+11-LTS)
OpenJDK 64-Bit Server VM Zulu11.33+15-CA (build 11.0.4+11-LTS, mixed mode)
root@user-Aspire-ES1–431:~#

It looks like Zulu latest is really latest.

root@user-Aspire-ES1–431:~# docker run -it — rm amazoncorretto java -version
Unable to find image ‘amazoncorretto:latest’ locally
latest: Pulling from library/amazoncorretto
72d97abdfae3: Pull complete 
6f7fd16d8008: Pull complete 
Digest: sha256:9f78e7b5f70f7a1babd736aed407a944c2e0190a7dce193bf3afe1a6447964bf
Status: Downloaded newer image for amazoncorretto:latest
openjdk version “1.8.0_222”
OpenJDK Runtime Environment Corretto-8.222.10.1 (build 1.8.0_222-b10)
OpenJDK 64-Bit Server VM Corretto-8.222.10.1 (build 25.222-b10, mixed mode)

Azul for Azure is free Enterprise version with licensing doubt:

root@user-Aspire-ES1–431:~# docker run -it — rm mcr.microsoft.com/java/jre-headless:11u3-zulu-centos java -version
Unable to find image ‘mcr.microsoft.com/java/jre-headless:11u3-zulu-centos’ locally
11u3-zulu-centos: Pulling from java/jre-headless
8ba884070f61: Already exists 
e3b7da723b96: Pull complete 
Digest: sha256:30039445f3fad8770a855beb7e1573fc71ef531736c5e0e46c040bdffc206d13
Status: Downloaded newer image for mcr.microsoft.com/java/jre-headless:11u3-zulu-centos
openjdk version “11.0.3” 2019–04–16 LTS
OpenJDK Runtime Environment 19.4-(Zulu-11.31+11-linux_x64)-Microsoft-Azure-restricted (build 11.0.3+7-LTS)
OpenJDK 64-Bit Server VM 19.4-(Zulu-11.31+11-linux_x64)-Microsoft-Azure-restricted (build 11.0.3+7-LTS, mixed mode)

Java inside container requires also base OS. If security and reliability are top priorities I would go with UBI or cloud dedicated images.

Azul and Amazon release quickly, see: https://adoptopenjdk.net/archive.html?variant=openjdk8&jvmVariant=hotspot. There is a reason for that — security bugfixes, see: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-July/001423.html

To be prepared for Java 11 updates see: https://wiki.openjdk.java.net/display/JDKUpdates/JDK11u.