diff --git a/build.sh b/build.sh index d3540faff..b4bd28f0d 100755 --- a/build.sh +++ b/build.sh @@ -119,7 +119,7 @@ function build_wdqs { docker build \ $DOCKER_BUILD_CACHE_OPT \ --build-arg DEBIAN_IMAGE_URL="$DEBIAN_IMAGE_URL" \ - --build-arg JDK_IMAGE_URL="$JDK_IMAGE_URL" \ + --build-arg JRE_IMAGE_URL="$JRE_IMAGE_URL" \ --build-arg WDQS_VERSION="$WDQS_VERSION" \ \ -t "$WIKIBASE_SUITE_WDQS_IMAGE_URL" \ diff --git a/build/WDQS/Dockerfile b/build/WDQS/Dockerfile index 6484fdcc8..d61ebc708 100644 --- a/build/WDQS/Dockerfile +++ b/build/WDQS/Dockerfile @@ -1,5 +1,10 @@ ARG DEBIAN_IMAGE_URL -ARG JDK_IMAGE_URL +ARG JRE_IMAGE_URL + +# ########################################################################### +# hadolint ignore=DL3006 +FROM ${JRE_IMAGE_URL} as jre + # ########################################################################### # hadolint ignore=DL3006 
@@ -21,17 +26,32 @@ RUN set -x; \ mkdir /tmp/wdqs-service; \ tar zxvf $TARBALL -C /tmp/wdqs-service --strip-components=1 + # ########################################################################### # hadolint ignore=DL3006 -FROM ${JDK_IMAGE_URL} +FROM ${DEBIAN_IMAGE_URL} LABEL org.opencontainers.image.source="https://github.com/wmde/wikibase-release-pipeline" +# Base as many images as possible on debian. +# eclipse-temurin is not available for debian, so we copy the JRE over from +# an eclipse-temurin ubuntu container. +# https://github.com/docker-library/docs/blob/master/eclipse-temurin/README.md#using-a-different-base-image +ENV JAVA_HOME=/opt/java/openjdk +COPY --from=jre $JAVA_HOME $JAVA_HOME +ENV PATH="${JAVA_HOME}/bin:${PATH}" + # Blazegraph scripts require bash -# Install gettext for envsubst command, (it needs libintl package) # Install curl for the loadData.sh wdqs script (if someone needs it) -RUN set -x ; \ - apk --no-cache add bash=\<4.5.0 gettext=\<0.19.8.2 libintl=\<0.19.8.2 curl=\<7.64.999 su-exec=\~0.2 && \ - addgroup -g 66 -S blazegraph && adduser -S -G blazegraph -u 666 -s /bin/bash blazegraph +SHELL [ "/bin/bash", "-o", "pipefail", "-c" ] +RUN apt-get update && \ + apt-get install --yes --no-install-recommends bash gettext curl && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* && \ + \ + addgroup --system blazegraph && \ + adduser --system \ + --gid "$(getent group blazegraph | cut -d: -f3)" \ + --shell /bin/bash blazegraph COPY --from=fetcher --chown=blazegraph:blazegraph /tmp/wdqs-service /wdqs diff --git a/build/WDQS/entrypoint.sh b/build/WDQS/entrypoint.sh index 9961142b8..5a174ecb3 100755 --- a/build/WDQS/entrypoint.sh +++ b/build/WDQS/entrypoint.sh 
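Review bot: The new `addgroup --system blazegraph` / `adduser --system …` step lets Debian pick the next free system IDs, where the removed Alpine line pinned the account to UID 666 / GID 66. The numeric owner of `/wdqs` and of any existing data volume can therefore differ from what earlier images wrote and from one rebuild to the next, and anything outside the image that refers to 666:66 would stop matching. If stable ownership matters, pin the IDs explicitly, e.g. `addgroup --system --gid 66 blazegraph` and `adduser --system --uid 666 --gid 66 --shell /bin/bash blazegraph`, after confirming those numbers are free in the Debian base. Separately, `--no-install-recommends` will most likely leave `ca-certificates` out of the slim image, so `curl` against HTTPS endpoints would fail verification. Add that package if `loadData.sh` is ever pointed at TLS URLs, so nobody reaches for `-k`.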
@@ -17,12 +17,15 @@ export BLAZEGRAPH_OPTS="${BLAZEGRAPH_EXTRA_OPTS} -DwikibaseHost=${WIKIBASE_HOST} export UPDATER_OPTS="-DwikibaseHost=${WIKIBASE_HOST} -DwikibaseMaxDaysBack=${WIKIBASE_MAX_DAYS_BACK}" envsubst < /templates/mwservices.json > /wdqs/mwservices.json -chown 666:66 /wdqs/mwservices.json +chown blazegraph:blazegraph /wdqs/mwservices.json # The data directory should always be owned by the blazegraph user # This used to be owned by root (https://phabricator.wikimedia.org/T237248) if [ -d /wdqs/data/ ]; then - chown 666:66 -R /wdqs/data/ + chown blazegraph:blazegraph -R /wdqs/data/ fi -su-exec 666:66 "$@" +# Start as the blazegraph user. +# --preserve-environment does not preserve PATH, so we manually +# set the PATH again. Java cannot be found otherwise. +su --preserve-environment --command "export PATH=$PATH; $*" blazegraph diff --git a/variables.env b/variables.env index f59c1ec19..99e00e01b 100644 --- a/variables.env +++ b/variables.env @@ -85,10 +85,12 @@ NODE_IMAGE_URL=node:20.11.1-bookworm # https://hub.docker.com/_/php PHP_IMAGE_URL=php:8.1.27-apache-bookworm -# https://hub.docker.com/_/openjdk/ -# TODO: move to debian for consistency -# TODO: upgrade, end of life -JDK_IMAGE_URL=openjdk:8-jdk-alpine +# https://hub.docker.com/_/eclipse-temurin +# https://github.com/docker-library/docs/tree/master/eclipse-temurin/README.md#supported-tags-and-respective-dockerfile-links +# No debian based image released by eclipse-temurin, let take ubuntu here. +# As of March 2024, WDQS' startup scripts depend on the JRE 8 command line option PrintGCDateStamps. +# https://phabricator.wikimedia.org/T316103 +JRE_IMAGE_URL=eclipse-temurin:8u402-b06-jre-jammy # https://hub.docker.com/_/debian DEBIAN_IMAGE_URL=debian:bookworm-slim
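Review bot: The final `su --preserve-environment --command "export PATH=$PATH; $*" blazegraph` line flattens the container arguments into one string that a shell then parses a second time. An argument containing spaces, quotes, `;` or `$(…)` is no longer delivered as the single word that `su-exec 666:66 "$@"` passed through, and `$PATH` is spliced into that string unquoted as well. The line is also not `exec`'d, so the entrypoint shell and `su` stay in front of the service, which may change how stop signals reach Blazegraph. A form that keeps the argument vector and the environment (including `PATH`) intact is `exec setpriv --reuid=blazegraph --regid=blazegraph --init-groups "$@"`. `setpriv` ships with util-linux and should already be in the Debian base, though that is worth confirming in the built image.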
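Review bot: `JRE_IMAGE_URL=eclipse-temurin:8u402-b06-jre-jammy` pins a tag rather than content, and the Dockerfile change in this commit copies `/opt/java/openjdk` out of that image into the final one, so a re-pushed tag would silently change the shipped JRE. Appending the digest makes the input verifiable: `JRE_IMAGE_URL=eclipse-temurin:8u402-b06-jre-jammy@sha256:<digest-of-the-reviewed-image>`. The exact update pin also means JRE security releases arrive only when this line is bumped, so the comment could say who or what is expected to bump it. Minor wording: "let take ubuntu" should read "let's take ubuntu".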