Ubuntu Chisel images for MS Build of OpenJDK (11, 17, 21)

.github/workflows/build-images.yml

@@ -39,7 +39,7 @@ jobs:
       fail-fast: false
       matrix:
         jdkversion: [11, 17, 21, 25] # Only build LTS releases
-        baseimage: ["azurelinux", "ubuntu", "distroless"]
+        baseimage: ["azurelinux", "ubuntu", "distroless", "ubuntu-chisel"]
 
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

.github/workflows/check-versions.yml

@@ -38,7 +38,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        distros: [ "azurelinux", "distroless", "ubuntu" ]
+        distros: [ "azurelinux", "distroless", "ubuntu", "ubuntu-chisel" ]
         jdkvendor: [ "msopenjdk" ]
         jdkversion: [ { major: "11", expected: "11.0.28" }, { major: "17", expected: "17.0.16" }, { major: "21", expected: "21.0.8" }, { major: "25", expected: "25.0.0" }]
     steps:

docker/ubuntu-chisel/Dockerfile.msopenjdk-11-jdk

@@ -0,0 +1,71 @@
+# DisableDockerDetector "Base image is obtained from internal registry"
+ARG IMAGE="ubuntu"
+ARG TAG="22.04"
+FROM ${IMAGE}:${TAG} AS chisel-base
+
+ENV GO_VERSION="1.23.4" 
+ENV CHISEL_VERSION="1.0.0" 
+ENV CHISEL_WRAPPER_VERSION="1.1.2"
+
+# Update and install core dependencies
+RUN apt-get update \
+    && apt-get install -y wget file tar \
+    && wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz \
+    && tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz \
+    && rm go${GO_VERSION}.linux-amd64.tar.gz
+
+ENV GOBIN=/usr/local/go/bin
+ENV PATH=$PATH:$GOBIN
+
+# Install Go and Chisel
+RUN go install github.com/canonical/chisel/cmd/chisel@v${CHISEL_VERSION} \
+    && wget -O /usr/bin/chisel-wrapper https://raw.githubusercontent.com/canonical/rocks-toolbox/v${CHISEL_WRAPPER_VERSION}/chisel-wrapper \
+    && chmod 755 /usr/bin/chisel-wrapper
+
+ENV APP_UID="101"
+
+# Create app user
+RUN groupadd --gid=${APP_UID} app \
+    && useradd -l --uid=${APP_UID} --gid=${APP_UID} --shell /bin/false app \
+    && install -d -m 0755 -o ${APP_UID} -g ${APP_UID} "/rootfs/home/app" \
+    && mkdir -p "/rootfs/etc" \
+    && rootOrAppRegex='^\(root\|app\):' \
+    && cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \
+    && cat /etc/group | grep $rootOrAppRegex > "/rootfs/etc/group" 
+
+# Generate dpkg status for chisel
+RUN mkdir -p /rootfs/var/lib/dpkg/ 
+RUN chisel-wrapper --generate-dpkg-status /rootfs/var/lib/dpkg/status -- \
+        --release ubuntu-22.04 --root /rootfs \
+            base-files_base \
+            base-files_release-info \
+            ca-certificates-java_data \
+            libc6_libs \
+            libgcc-s1_libs \
+            libssl3_libs \
+            libstdc++6_libs \
+            zlib1g_libs \
+            bash_bins \
+            coreutils_bins \
+            tzdata_base \
+            tzdata_etc \
+            fontconfig-config_config 
+
+# Scratch image base
+FROM scratch
+
+COPY --from=chisel-base /rootfs /
+
+ENV APP_UID="101"
+
+# Workaround for https://github.com/moby/moby/issues/38710
+COPY --from=chisel-base --chown=$APP_UID:$APP_UID /rootfs/home/app /home/app
+
+USER root
+
+ENV JAVA_HOME=/usr/jdk
+ENV PATH=$PATH:$JAVA_HOME/bin
+
+COPY --from=mcr.microsoft.com/openjdk/jdk:11-ubuntu /usr/lib/jvm/msopenjdk-11-amd64 $JAVA_HOME
+
+ENTRYPOINT [ "/usr/jdk/bin/java" ]

docker/ubuntu-chisel/Dockerfile.msopenjdk-17-jdk

@@ -0,0 +1,71 @@
+# DisableDockerDetector "Base image is obtained from internal registry"
+ARG IMAGE="ubuntu"
+ARG TAG="22.04"
+FROM ${IMAGE}:${TAG} AS chisel-base
+
+ENV GO_VERSION="1.23.4" 
+ENV CHISEL_VERSION="1.0.0" 
+ENV CHISEL_WRAPPER_VERSION="1.1.2"
+
+# Update and install core dependencies
+RUN apt-get update \
+    && apt-get install -y wget file tar \
+    && wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz \
+    && tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz \
+    && rm go${GO_VERSION}.linux-amd64.tar.gz
+
+ENV GOBIN=/usr/local/go/bin
+ENV PATH=$PATH:$GOBIN
+
+# Install Go and Chisel
+RUN go install github.com/canonical/chisel/cmd/chisel@v${CHISEL_VERSION} \
+    && wget -O /usr/bin/chisel-wrapper https://raw.githubusercontent.com/canonical/rocks-toolbox/v${CHISEL_WRAPPER_VERSION}/chisel-wrapper \
+    && chmod 755 /usr/bin/chisel-wrapper
+
+ENV APP_UID="101"
+
+# Create app user
+RUN groupadd --gid=${APP_UID} app \
+    && useradd -l --uid=${APP_UID} --gid=${APP_UID} --shell /bin/false app \
+    && install -d -m 0755 -o ${APP_UID} -g ${APP_UID} "/rootfs/home/app" \
+    && mkdir -p "/rootfs/etc" \
+    && rootOrAppRegex='^\(root\|app\):' \
+    && cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \
+    && cat /etc/group | grep $rootOrAppRegex > "/rootfs/etc/group" 
+
+# Generate dpkg status for chisel
+RUN mkdir -p /rootfs/var/lib/dpkg/ 
+RUN chisel-wrapper --generate-dpkg-status /rootfs/var/lib/dpkg/status -- \
+        --release ubuntu-22.04 --root /rootfs \
+            base-files_base \
+            base-files_release-info \
+            ca-certificates-java_data \
+            libc6_libs \
+            libgcc-s1_libs \
+            libssl3_libs \
+            libstdc++6_libs \
+            zlib1g_libs \
+            bash_bins \
+            coreutils_bins \
+            tzdata_base \
+            tzdata_etc \
+            fontconfig-config_config 
+
+# Scratch image base
+FROM scratch
+
+COPY --from=chisel-base /rootfs /
+
+ENV APP_UID="101"
+
+# Workaround for https://github.com/moby/moby/issues/38710
+COPY --from=chisel-base --chown=$APP_UID:$APP_UID /rootfs/home/app /home/app
+
+USER root
+
+ENV JAVA_HOME=/usr/jdk
+ENV PATH=$PATH:$JAVA_HOME/bin
+
+COPY --from=mcr.microsoft.com/openjdk/jdk:17-ubuntu /usr/lib/jvm/msopenjdk-17-amd64 $JAVA_HOME
+
+ENTRYPOINT [ "/usr/jdk/bin/java" ]

docker/ubuntu-chisel/Dockerfile.msopenjdk-21-jdk

@@ -0,0 +1,71 @@
+# DisableDockerDetector "Base image is obtained from internal registry"
+ARG IMAGE="ubuntu"
+ARG TAG="22.04"
+FROM ${IMAGE}:${TAG} AS chisel-base
+
+ENV GO_VERSION="1.23.4" 
+ENV CHISEL_VERSION="1.0.0" 
+ENV CHISEL_WRAPPER_VERSION="1.1.2"
+
+# Update and install core dependencies
+RUN apt-get update \
+    && apt-get install -y wget file tar \
+    && wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz \
+    && tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz \
+    && rm go${GO_VERSION}.linux-amd64.tar.gz
+
+ENV GOBIN=/usr/local/go/bin
+ENV PATH=$PATH:$GOBIN
+
+# Install Go and Chisel
+RUN go install github.com/canonical/chisel/cmd/chisel@v${CHISEL_VERSION} \
+    && wget -O /usr/bin/chisel-wrapper https://raw.githubusercontent.com/canonical/rocks-toolbox/v${CHISEL_WRAPPER_VERSION}/chisel-wrapper \
+    && chmod 755 /usr/bin/chisel-wrapper
+
+ENV APP_UID="101"
+
+# Create app user
+RUN groupadd --gid=${APP_UID} app \
+    && useradd -l --uid=${APP_UID} --gid=${APP_UID} --shell /bin/false app \
+    && install -d -m 0755 -o ${APP_UID} -g ${APP_UID} "/rootfs/home/app" \
+    && mkdir -p "/rootfs/etc" \
+    && rootOrAppRegex='^\(root\|app\):' \
+    && cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \
+    && cat /etc/group | grep $rootOrAppRegex > "/rootfs/etc/group" 
+
+# Generate dpkg status for chisel
+RUN mkdir -p /rootfs/var/lib/dpkg/ 
+RUN chisel-wrapper --generate-dpkg-status /rootfs/var/lib/dpkg/status -- \
+        --release ubuntu-22.04 --root /rootfs \
+            base-files_base \
+            base-files_release-info \
+            ca-certificates-java_data \
+            libc6_libs \
+            libgcc-s1_libs \
+            libssl3_libs \
+            libstdc++6_libs \
+            zlib1g_libs \
+            bash_bins \
+            coreutils_bins \
+            tzdata_base \
+            tzdata_etc \
+            fontconfig-config_config 
+
+# Scratch image base
+FROM scratch
+
+COPY --from=chisel-base /rootfs /
+
+ENV APP_UID="101"
+
+# Workaround for https://github.com/moby/moby/issues/38710
+COPY --from=chisel-base --chown=$APP_UID:$APP_UID /rootfs/home/app /home/app
+
+USER root
+
+ENV JAVA_HOME=/usr/jdk
+ENV PATH=$PATH:$JAVA_HOME/bin
+
+COPY --from=mcr.microsoft.com/openjdk/jdk:21-ubuntu /usr/lib/jvm/msopenjdk-21-amd64 $JAVA_HOME
+
+ENTRYPOINT [ "/usr/jdk/bin/java" ]

scripts/build-all-images.sh

@@ -40,7 +40,7 @@ for d in $(ls -d $basepath/*); do
         fi
 
         # Validate the image
-        if [[ "${distro}" == "distroless" ]]; then
+        if [[ "${distro}" == "distroless" || "${distro}" == "ubuntu-chisel" ]]; then
             java_version=$(docker run --rm $image -version 2>&1 | head -n 1 | awk -F '"' '{print $2}')
         else
             java_version=$(docker run --rm $image /bin/bash -c "source \$JAVA_HOME/release && echo \$JAVA_VERSION")

scripts/build-image.sh

@@ -4,7 +4,7 @@ docker buildx create --name mybuilder --driver docker-container --driver-opt ima
 
 az acr login -n msopenjdk
 
-if [[ '$DISTRIBUTION' != 'distroless' ]]; then
+if [[ "${DISTRIBUTION}" != "distroless" && "${DISTRIBUTION}" != "ubuntu-chisel" ]]; then
     BUILD_ARGS="--build-arg IMAGE=$IMAGE --build-arg TAG=$TAG --build-arg package=$PACKAGE"
 else
     BUILD_ARGS="--build-arg INSTALLER_IMAGE=$INSTALLER_IMAGE --build-arg INSTALLER_TAG=$INSTALLER_TAG --build-arg BASE_IMAGE=$(base_image) --build-arg BASE_TAG=$(base_tag) --build-arg package=$PACKAGE"

scripts/test-image.sh

@@ -11,7 +11,7 @@ basemcr="${basemcr:-$DEFAULT_MCR}"
 image="${basemcr}:${jdkversion}-${distro}"
 
 testfolder="regular"
-if [[ $distro == "distroless" ]]; then
+if [[ "$distro" == "distroless" || "$distro" == "ubuntu-chisel" ]]; then
     testfolder="distroless"
 fi
 

scripts/validate-image.sh

@@ -44,7 +44,7 @@ fi
 
 # Validate the image if expectedversion is set (not blank)
 if [[ ! -z "$expectedversion" ]]; then
-  if [[ "${distro}" == "distroless" ]]; then
+  if [[ "${distro}" == "distroless" || "${distro}" == "ubuntu-chisel" ]]; then
       java_version=$(docker run --rm $image -version 2>&1 | head -n 1 | awk -F '"' '{print $2}')
   else
       java_version=$(docker run --rm $image /bin/bash -c "source \$JAVA_HOME/release && echo \$JAVA_VERSION")
@@ -62,7 +62,7 @@ if [[ ! -z "$expectedversion" ]]; then
 fi
 
 # Check if CDS is enabled
-if [[ "${distro}" == "distroless" ]]; then
+if [[ "${distro}" == "distroless" || "${distro}" == "ubuntu-chisel" ]]; then
     java_version_string=$(docker run --rm $image -version 2>&1)
 else
     java_version_string=$(docker run --rm $image /bin/bash -c "java -version 2>&1")