[fix] Switch docker base image to avoid mixing musl & glibc libraries…

… at runtime Mixing musl & glibc libraries at runtime will result in compatibility issues. We need a solution with real glibc because of compatibility reasons. The previous solution with the Alpine base image has a critical issue since it mixes musl compiled and glibc compiled libraries at runtime while using real glibc. This is why the switch is needed. For example, snappy-java and Conscrypt show that this problem occurs.
apache · Sep 30, 2024 · 6599366 · 6599366
1 parent 7d7dc80
commit 6599366
Show file tree

Hide file tree

Showing 12 changed files with 24 additions and 279 deletions.
diff --git a/.github/workflows/pulsar-ci.yaml b/.github/workflows/pulsar-ci.yaml
@@ -474,7 +474,7 @@ jobs:
  env:
  DEVELOCITY_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
  CI_JDK_MAJOR_VERSION: ${{ needs.preconditions.outputs.jdk_major_version }}
- IMAGE_JDK_MAJOR_VERSION: ${{ needs.preconditions.outputs.jdk_major_version }}
+ PULSAR_BASE_IMAGE: bellsoft/liberica-runtime-container:jdk-${{ needs.preconditions.outputs.jdk_major_version }}-cds-stream-glibc
  steps:
  - name: checkout
  uses: actions/checkout@v4
@@ -830,7 +830,7 @@ jobs:
  env:
  DEVELOCITY_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
  CI_JDK_MAJOR_VERSION: ${{ needs.preconditions.outputs.jdk_major_version }}
- IMAGE_JDK_MAJOR_VERSION: ${{ needs.preconditions.outputs.jdk_major_version }}
+ PULSAR_BASE_IMAGE: bellsoft/liberica-runtime-container:jdk-${{ needs.preconditions.outputs.jdk_major_version }}-cds-stream-glibc
  steps:
  - name: checkout
  uses: actions/checkout@v4

diff --git a/docker/glibc-package/Dockerfile b/docker/glibc-package/Dockerfile
diff --git a/docker/glibc-package/README.md b/docker/glibc-package/README.md
diff --git a/docker/glibc-package/scripts/APKBUILD b/docker/glibc-package/scripts/APKBUILD
diff --git a/docker/glibc-package/scripts/glibc-bin.trigger b/docker/glibc-package/scripts/glibc-bin.trigger
diff --git a/docker/glibc-package/scripts/ld.so.conf b/docker/glibc-package/scripts/ld.so.conf
diff --git a/docker/pulsar/Dockerfile b/docker/pulsar/Dockerfile
@@ -17,8 +17,11 @@
 # under the License.
 #
 
+# Final image uses the Liberica JDK image running on Alpaquita Linux as the base image
+# maven build passes PULSAR_BASE_IMAGE environment variable to the build as PULSAR_BASE_IMAGE argument
+ARG PULSAR_BASE_IMAGE=bellsoft/liberica-runtime-container:jdk-17-cds-stream-glibc
+# Alpine is used for intermediate stages
 ARG ALPINE_VERSION=3.20
-ARG IMAGE_JDK_MAJOR_VERSION=21
 
 # First create a stage with just the Pulsar tarball and scripts
 FROM alpine:$ALPINE_VERSION as pulsar
@@ -51,56 +54,29 @@ RUN for SUBDIRECTORY in conf data download logs instances/deps packages-storage;
 RUN chmod -R g+rx /pulsar/bin
 RUN chmod -R o+rx /pulsar
 
-# Enable snappy-java to use system lib
-RUN echo 'OPTS="$OPTS -Dorg.xerial.snappy.use.systemlib=true"' >> /pulsar/conf/bkenv.sh
-
-### Create one stage to include JVM distribution
-FROM amazoncorretto:${IMAGE_JDK_MAJOR_VERSION}-alpine AS jvm
-
-RUN apk add --no-cache binutils
-
-# Use JLink to create a slimmer JDK distribution (see: https://adoptium.net/blog/2021/10/jlink-to-produce-own-runtime/)
-# This still includes all JDK modules, though in the future we could compile a list of required modules
-RUN /usr/lib/jvm/default-jvm/bin/jlink --add-modules ALL-MODULE-PATH --compress zip-9 --no-man-pages --no-header-files --strip-debug --output /opt/jvm
-RUN echo networkaddress.cache.ttl=1 >> /opt/jvm/conf/security/java.security
-RUN echo networkaddress.cache.negative.ttl=1 >> /opt/jvm/conf/security/java.security
-
-## Create one stage to include snappy-java native lib
-# Fix the issue when using snappy-java in x86 arch alpine
-# See https://github.com/xerial/snappy-java/issues/181 https://github.com/xerial/snappy-java/issues/579
-# We need to ensure that the version of the native library matches the version of snappy-java imported via Maven
-FROM alpine:$ALPINE_VERSION AS snappy-java
-
-ARG SNAPPY_VERSION
-RUN apk add git alpine-sdk util-linux cmake autoconf automake libtool openjdk17 maven curl bash tar
-ENV JAVA_HOME=/usr
-RUN curl -Ls https://github.com/xerial/snappy-java/archive/refs/tags/v$SNAPPY_VERSION.tar.gz | tar zxf - && cd snappy-java-$SNAPPY_VERSION && make clean-native native
-FROM apachepulsar/glibc-base:2.38 as glibc
-
-## Create final stage from Alpine image
-## and add OpenJDK and Python dependencies (for Pulsar functions)
-FROM alpine:$ALPINE_VERSION
+## Create final stage from liberica-runtime-container image
+## and add Python dependencies (for Pulsar functions)
+FROM $PULSAR_BASE_IMAGE
 ENV LANG C.UTF-8
 
+# Upgrade all packages to get latest versions with security fixes
 # Install some utilities, some are required by Pulsar scripts
-RUN apk add --no-cache \
+RUN apk update && apk upgrade --no-cache && apk add --no-cache \
  bash \
  python3 \
  py3-pip \
  py3-grpcio \
  py3-yaml \
- gcompat \
  ca-certificates \
  procps \
  curl \
  bind-tools \
  openssl
 
-# Upgrade all packages to get latest versions with security fixes
-RUN apk upgrade --no-cache
+# adjust default DNS caching TTL to 1 second
+RUN echo networkaddress.cache.ttl=1 >> $JAVA_HOME/conf/security/java.security && echo networkaddress.cache.negative.ttl=1 >> $JAVA_HOME/conf/security/java.security
 
 # Python dependencies
-
 # The [email protected] is installed by apk, and [email protected] requires grpcio>=1.60.0, which causes the grocio to be reinstalled by pip.
 # If pip cannot find the grpcio wheel that the doesn't match the OS, the grpcio will be compiled locally.
 # Once https://github.com/apache/pulsar-client-python/pull/211 is released, keep only the pulsar-client[all] and kazoo dependencies, and remove comments.
@@ -118,31 +94,16 @@ prometheus_client\n\
 ratelimit\n\
 # avro\n\
 fastavro>=1.9.2\n\
-" > /requirements.txt
-
-RUN pip3 install --break-system-packages --no-cache-dir --only-binary grpcio -r /requirements.txt
-RUN rm /requirements.txt
-
-# Install GLibc compatibility library
-COPY --from=glibc /root/packages /root/packages
-RUN apk add --allow-untrusted --force-overwrite /root/packages/glibc-*.apk
-
-COPY --from=jvm /opt/jvm /opt/jvm
-ENV JAVA_HOME=/opt/jvm
-
-COPY --from=snappy-java /tmp/libsnappyjava.so /usr/lib/libsnappyjava.so
+" > /tmp/requirements.txt && pip3 install --break-system-packages --no-cache-dir --only-binary grpcio -r /tmp/requirements.txt && rm /tmp/requirements.txt
 
 # The default is /pulsat/bin and cannot be written.
 ENV PULSAR_PID_DIR=/pulsar/logs
-
 ENV PULSAR_ROOT_LOGGER=INFO,CONSOLE
-
 COPY --from=pulsar /pulsar /pulsar
-
 WORKDIR /pulsar
 ENV PATH=$PATH:$JAVA_HOME/bin:/pulsar/bin
 
 # The UID must be non-zero. Otherwise, it is arbitrary. No logic should rely on its specific value.
 ARG DEFAULT_USERNAME=pulsar
 RUN adduser ${DEFAULT_USERNAME} -u 10000 -G root -D -H -h /pulsar/data
-USER 10000
+USER 10000
diff --git a/docker/pulsar/build-scripts/remove-unnecessary-native-binaries.sh b/docker/pulsar/build-scripts/remove-unnecessary-native-binaries.sh
@@ -41,9 +41,9 @@ unzip $ROCKSDB_JAR > /dev/null
 
 if [ "$ARCH" = "x86_64" ]
 then
- ROCKSDB_TO_KEEP=linux64-musl
+ ROCKSDB_TO_KEEP=linux64
 else
- ROCKSDB_TO_KEEP=linux-$ARCH-musl
+ ROCKSDB_TO_KEEP=linux-$ARCH
 fi
 
 ls librocksdbjni-* | grep -v librocksdbjni-${ROCKSDB_TO_KEEP}.so | xargs rm

diff --git a/docker/pulsar/pom.xml b/docker/pulsar/pom.xml
@@ -83,7 +83,7 @@
  <PULSAR_TARBALL>target/pulsar-server-distribution-${project.version}-bin.tar.gz</PULSAR_TARBALL>
  <PULSAR_CLIENT_PYTHON_VERSION>${pulsar.client.python.version}</PULSAR_CLIENT_PYTHON_VERSION>
  <SNAPPY_VERSION>${snappy.version}</SNAPPY_VERSION>
- <IMAGE_JDK_MAJOR_VERSION>${IMAGE_JDK_MAJOR_VERSION}</IMAGE_JDK_MAJOR_VERSION>
+ <PULSAR_BASE_IMAGE>${PULSAR_BASE_IMAGE}</PULSAR_BASE_IMAGE>
  </args>
  <contextDir>${project.basedir}</contextDir>
  <tags>