T345425 update wdqs base image

build.sh

@@ -119,7 +119,7 @@ function build_wdqs {
     docker build \
         $DOCKER_BUILD_CACHE_OPT \
         --build-arg DEBIAN_IMAGE_URL="$DEBIAN_IMAGE_URL" \
-        --build-arg JDK_IMAGE_URL="$JDK_IMAGE_URL" \
+        --build-arg JRE_IMAGE_URL="$JRE_IMAGE_URL" \
         --build-arg WDQS_VERSION="$WDQS_VERSION" \
         \
         -t "$WIKIBASE_SUITE_WDQS_IMAGE_URL" \

build/WDQS/Dockerfile

@@ -1,5 +1,10 @@
 ARG DEBIAN_IMAGE_URL
-ARG JDK_IMAGE_URL
+ARG JRE_IMAGE_URL
+
+# ###########################################################################
+# hadolint ignore=DL3006
+FROM ${JRE_IMAGE_URL} as jre
+
 
 # ###########################################################################
 # hadolint ignore=DL3006
@@ -21,17 +26,32 @@ RUN set -x; \
     mkdir /tmp/wdqs-service; \
     tar zxvf $TARBALL -C /tmp/wdqs-service --strip-components=1
 
+
 # ###########################################################################
 # hadolint ignore=DL3006
-FROM ${JDK_IMAGE_URL}
+FROM ${DEBIAN_IMAGE_URL}
 LABEL org.opencontainers.image.source="https://github.com/wmde/wikibase-release-pipeline"
 
+# Base as many images as possible on debian.
+# eclipse-temurin is not available for debian, so we copy the JRE over from
+# an eclipse-temurin ubuntu container.
+# https://github.com/docker-library/docs/blob/master/eclipse-temurin/README.md#using-a-different-base-image
+ENV JAVA_HOME=/opt/java/openjdk
+COPY --from=jre $JAVA_HOME $JAVA_HOME
+ENV PATH="${JAVA_HOME}/bin:${PATH}"
+
 # Blazegraph scripts require bash
-# Install gettext for envsubst command, (it needs libintl package)
 # Install curl for the loadData.sh wdqs script (if someone needs it)
-RUN set -x ; \
-    apk --no-cache add bash=\<4.5.0 gettext=\<0.19.8.2 libintl=\<0.19.8.2 curl=\<7.64.999 su-exec=\~0.2 && \
-    addgroup -g 66 -S blazegraph && adduser -S -G blazegraph -u 666 -s /bin/bash blazegraph
+SHELL [ "/bin/bash", "-o", "pipefail", "-c" ]
+RUN apt-get update && \
+    apt-get install --yes --no-install-recommends bash gettext curl && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    \
+    addgroup --system blazegraph && \
+    adduser --system \
+        --gid "$(getent group blazegraph | cut -d: -f3)" \
+        --shell /bin/bash blazegraph
 
 COPY --from=fetcher --chown=blazegraph:blazegraph /tmp/wdqs-service /wdqs
 

build/WDQS/entrypoint.sh

@@ -17,12 +17,15 @@ export BLAZEGRAPH_OPTS="${BLAZEGRAPH_EXTRA_OPTS} -DwikibaseHost=${WIKIBASE_HOST}
 export UPDATER_OPTS="-DwikibaseHost=${WIKIBASE_HOST} -DwikibaseMaxDaysBack=${WIKIBASE_MAX_DAYS_BACK}"
 
 envsubst < /templates/mwservices.json > /wdqs/mwservices.json
-chown 666:66 /wdqs/mwservices.json
+chown blazegraph:blazegraph /wdqs/mwservices.json
 
 # The data directory should always be owned by the blazegraph user
 # This used to be owned by root (https://phabricator.wikimedia.org/T237248)
 if [ -d /wdqs/data/ ]; then
-  chown 666:66 -R /wdqs/data/
+  chown blazegraph:blazegraph -R /wdqs/data/
 fi
 
-su-exec 666:66 "$@"
+# Start as the blazegraph user.
+# --preserve-environment does not preserve PATH, so we manually
+# set the PATH again. Java cannot be found otherwise.
+su --preserve-environment --command "export PATH=$PATH; $*" blazegraph

variables.env

@@ -85,10 +85,10 @@ NODE_IMAGE_URL=node:20.11.1-bookworm
 # https://hub.docker.com/_/php
 PHP_IMAGE_URL=php:8.1.27-apache-bookworm
 
-# https://hub.docker.com/_/openjdk/
-# TODO: move to debian for consistency
-# TODO: upgrade, end of life
-JDK_IMAGE_URL=openjdk:8-jdk-alpine
+# https://hub.docker.com/_/eclipse-temurin
+# https://github.com/docker-library/docs/tree/master/eclipse-temurin/README.md#supported-tags-and-respective-dockerfile-links
+# No debian based image released by eclipse-temurin, let take ubuntu here.
+JRE_IMAGE_URL=eclipse-temurin:21.0.2_13-jre-jammy
 
 # https://hub.docker.com/_/debian
 DEBIAN_IMAGE_URL=debian:bookworm-slim