[fix] Switch docker base image to avoid mixing musl & glibc libraries…

… at runtime Mixing musl & glibc libraries at runtime will result in compatibility issues. We need a solution with real glibc because of compatibility reasons. The previous solution with the Alpine base image has a critical issue since it mixes musl compiled and glibc compiled libraries at runtime while using real glibc. This is why the switch is needed. For example, snappy-java and Conscrypt show that this problem occurs.
apache · Sep 28, 2024 · 970c08b · 970c08b
1 parent 95bd1d1
commit 970c08b
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 268 deletions.
diff --git a/docker/glibc-package/Dockerfile b/docker/glibc-package/Dockerfile
diff --git a/docker/glibc-package/README.md b/docker/glibc-package/README.md
diff --git a/docker/glibc-package/scripts/APKBUILD b/docker/glibc-package/scripts/APKBUILD
diff --git a/docker/glibc-package/scripts/glibc-bin.trigger b/docker/glibc-package/scripts/glibc-bin.trigger
diff --git a/docker/glibc-package/scripts/ld.so.conf b/docker/glibc-package/scripts/ld.so.conf
diff --git a/docker/pulsar/Dockerfile b/docker/pulsar/Dockerfile
@@ -17,6 +17,9 @@
 # under the License.
 #
 
+# Final image uses the Liberica JDK image running on Alpaquita Linux as the base image
+ARG LIBERICA_RUNTIME_CONTAINER_TAG=jdk-all-17-cds-stream-glibc
+# Alpine is used for intermediate stages
 ARG ALPINE_VERSION=3.20
 
 # First create a stage with just the Pulsar tarball and scripts
@@ -50,55 +53,29 @@ RUN for SUBDIRECTORY in conf data download logs instances/deps packages-storage;
 RUN chmod -R g+rx /pulsar/bin
 RUN chmod -R o+rx /pulsar
 
-# Enable snappy-java to use system lib
-RUN echo 'OPTS="$OPTS -Dorg.xerial.snappy.use.systemlib=true"' >> /pulsar/conf/bkenv.sh
-
-###  Create one stage to include JVM distribution
-FROM amazoncorretto:21-alpine AS jvm
-
-RUN apk add --no-cache binutils
-
-# Use JLink to create a slimmer JDK distribution (see: https://adoptium.net/blog/2021/10/jlink-to-produce-own-runtime/)
-# This still includes all JDK modules, though in the future we could compile a list of required modules
-RUN /usr/lib/jvm/default-jvm/bin/jlink --add-modules ALL-MODULE-PATH --compress zip-9 --no-man-pages --no-header-files --strip-debug --output /opt/jvm
-RUN echo networkaddress.cache.ttl=1 >> /opt/jvm/conf/security/java.security
-RUN echo networkaddress.cache.negative.ttl=1 >> /opt/jvm/conf/security/java.security
-
-## Create one stage to include snappy-java native lib
-# Fix the issue when using snappy-java in x86 arch alpine
-# See https://github.com/xerial/snappy-java/issues/181 https://github.com/xerial/snappy-java/issues/579
-# We need to ensure that the version of the native library matches the version of snappy-java imported via Maven
-FROM alpine:$ALPINE_VERSION AS snappy-java
-
-ARG SNAPPY_VERSION
-RUN apk add git alpine-sdk util-linux cmake autoconf automake libtool openjdk17 maven curl bash tar
-ENV JAVA_HOME=/usr
-RUN curl -Ls https://github.com/xerial/snappy-java/archive/refs/tags/v$SNAPPY_VERSION.tar.gz | tar zxf - && cd snappy-java-$SNAPPY_VERSION && make clean-native native
-FROM apachepulsar/glibc-base:2.38 as glibc
-
-## Create final stage from Alpine image
-## and add OpenJDK and Python dependencies (for Pulsar functions)
-FROM alpine:$ALPINE_VERSION
+## Create final stage from liberica-runtime-container image
+## and add Python dependencies (for Pulsar functions)
+FROM bellsoft/liberica-runtime-container:$LIBERICA_RUNTIME_CONTAINER_TAG
 ENV LANG C.UTF-8
 
+# Upgrade all packages to get latest versions with security fixes
 # Install some utilities, some are required by Pulsar scripts
-RUN apk add --no-cache \
+RUN apk upgrade --no-cache && apk add --no-cache \
             bash \
             python3 \
             py3-pip \
             py3-grpcio \
             py3-yaml \
-            gcompat \
             ca-certificates \
             procps \
             curl \
-            bind-tools
+            bind-tools \
+            openssl
 
-# Upgrade all packages to get latest versions with security fixes
-RUN apk upgrade --no-cache
+# adjust default DNS caching TTL to 1 second
+RUN echo networkaddress.cache.ttl=1 >> $JAVA_HOME/conf/security/java.security && echo networkaddress.cache.negative.ttl=1 >> $JAVA_HOME/conf/security/java.security
 
 # Python dependencies
-
 # The [email protected] is installed by apk, and [email protected] requires grpcio>=1.60.0, which causes the grocio to be reinstalled by pip.
 # If pip cannot find the grpcio wheel that the doesn't match the OS, the grpcio will be compiled locally.
 # Once https://github.com/apache/pulsar-client-python/pull/211 is released, keep only the pulsar-client[all] and kazoo dependencies, and remove comments.
@@ -116,31 +93,16 @@ prometheus_client\n\
 ratelimit\n\
 # avro\n\
 fastavro>=1.9.2\n\
-" > /requirements.txt
-
-RUN pip3 install --break-system-packages --no-cache-dir --only-binary grpcio -r /requirements.txt
-RUN rm /requirements.txt
-
-# Install GLibc compatibility library
-COPY --from=glibc /root/packages /root/packages
-RUN apk add --allow-untrusted --force-overwrite /root/packages/glibc-*.apk
-
-COPY --from=jvm /opt/jvm /opt/jvm
-ENV JAVA_HOME=/opt/jvm
-
-COPY --from=snappy-java /tmp/libsnappyjava.so /usr/lib/libsnappyjava.so
+" > /tmp/requirements.txt && RUN pip3 install --break-system-packages --no-cache-dir --only-binary grpcio -r /tmp/requirements.txt && rm /tmp/requirements.txt
 
 # The default is /pulsat/bin and cannot be written.
 ENV PULSAR_PID_DIR=/pulsar/logs
-
 ENV PULSAR_ROOT_LOGGER=INFO,CONSOLE
-
 COPY --from=pulsar /pulsar /pulsar
-
 WORKDIR /pulsar
 ENV PATH=$PATH:$JAVA_HOME/bin:/pulsar/bin
 
 # The UID must be non-zero. Otherwise, it is arbitrary. No logic should rely on its specific value.
 ARG DEFAULT_USERNAME=pulsar
 RUN adduser ${DEFAULT_USERNAME} -u 10000 -G root -D -H -h /pulsar/data
-USER 10000
+USER 10000