diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 51f4816..465af3e 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -17,8 +17,9 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 1 # only needed to get the sha label - # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker - # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway. + # Don't attempt to cache Docker. Sensitive information can be stolen + # via forks, and login session ends up in ~/.docker. This is ok because + # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner. - name: Deploy env: # GH_USER= diff --git a/README.md b/README.md index ee21a77..21f6635 100644 --- a/README.md +++ b/README.md @@ -12,9 +12,9 @@ This is an internal base layer primarily used in [zipkin](https://github.com/ope To try the image, run the `java -version` command: ```bash docker run --rm ghcr.io/openzipkin/java:1.7.0_285 -version -openjdk version "1.7.0_285" -OpenJDK Runtime Environment (Zulu 7.42.0.51-CA-linux64) (build 1.7.0_285-b01) -OpenJDK 64-Bit Server VM (Zulu 7.42.0.51-CA-linux64) (build 24.285-b01, mixed mode) +openjdk version "1.7.0_352" +OpenJDK Runtime Environment (Zulu 7.56.0.11-CA-linux64) (build 1.7.0_352-b01) +OpenJDK 64-Bit Server VM (Zulu 7.56.0.11-CA-linux64) (build 24.352-b01, mixed mode) ``` ## Release process @@ -26,9 +26,9 @@ Build the `Dockerfile` Next, verify the built image matches that version: ```bash docker run --rm openzipkin/java:test -version -openjdk version "1.7.0_285" -OpenJDK Runtime Environment (Zulu 7.42.0.51-CA-linux64) (build 1.7.0_285-b01) -OpenJDK 64-Bit Server VM (Zulu 7.42.0.51-CA-linux64) (build 24.285-b01, mixed mode) +openjdk version "1.7.0_352" +OpenJDK Runtime Environment (Zulu 7.56.0.11-CA-linux64) (build 1.7.0_352-b01) +OpenJDK 64-Bit Server VM (Zulu 7.56.0.11-CA-linux64) (build 24.352-b01, mixed mode) ``` To release the image, push a tag matching the arg to `build-bin/build` (ex `1.7.0_285`). diff --git a/build-bin/docker/configure_docker b/build-bin/docker/configure_docker index f71bb1a..476ca70 100755 --- a/build-bin/docker/configure_docker +++ b/build-bin/docker/configure_docker @@ -1,16 +1,7 @@ #!/bin/sh # -# Copyright 2019-2023 The OpenZipkin Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except -# in compliance with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed under the License -# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express -# or implied. See the License for the specific language governing permissions and limitations under -# the License. +# Copyright The OpenZipkin Authors +# SPDX-License-Identifier: Apache-2.0 # # Defends against build outages caused by Docker Hub (docker.io) pull rate limits. @@ -23,6 +14,7 @@ set -ue # this is Docker related, it is coupled to integration tests configuration invoked with Maven. # * See https://www.testcontainers.org/supported_docker_environment/image_registry_rate_limiting/ # * checks.disable=true - saves time and a docker.io pull of alpine +# * ryuk doesn't count against docker.io rate limits because Docker approved testcontainers as OSS echo checks.disable=true >> ~/.testcontainers.properties # We don't use any docker.io images, but add a Google's mirror in case something implicitly does diff --git a/build-bin/docker/configure_docker_push b/build-bin/docker/configure_docker_push index a26fab3..c08d5cd 100755 --- a/build-bin/docker/configure_docker_push +++ b/build-bin/docker/configure_docker_push @@ -1,16 +1,7 @@ #!/bin/sh # -# Copyright 2019-2023 The OpenZipkin Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except -# in compliance with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed under the License -# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express -# or implied. See the License for the specific language governing permissions and limitations under -# the License. +# Copyright The OpenZipkin Authors +# SPDX-License-Identifier: Apache-2.0 # # Ensures Docker is logged in and it can build multi-architecture. diff --git a/build-bin/docker/docker_arch b/build-bin/docker/docker_arch index d83063e..70e091a 100755 --- a/build-bin/docker/docker_arch +++ b/build-bin/docker/docker_arch @@ -1,16 +1,7 @@ #!/bin/sh # -# Copyright 2019-2023 The OpenZipkin Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except -# in compliance with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed under the License -# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express -# or implied. See the License for the specific language governing permissions and limitations under -# the License. +# Copyright The OpenZipkin Authors +# SPDX-License-Identifier: Apache-2.0 # # This script gets a normalized name for the architecture as used in Docker. This will be a subset diff --git a/build-bin/docker/docker_args b/build-bin/docker/docker_args index 7f35ba3..1c27c13 100755 --- a/build-bin/docker/docker_args +++ b/build-bin/docker/docker_args @@ -1,16 +1,7 @@ #!/bin/sh # -# Copyright 2019-2023 The OpenZipkin Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except -# in compliance with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed under the License -# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express -# or implied. See the License for the specific language governing permissions and limitations under -# the License. +# Copyright The OpenZipkin Authors +# SPDX-License-Identifier: Apache-2.0 # # This builds common docker arguments used by docker_build and docker_push. diff --git a/build-bin/docker/docker_build b/build-bin/docker/docker_build index 05d5450..cf7363f 100755 --- a/build-bin/docker/docker_build +++ b/build-bin/docker/docker_build @@ -1,16 +1,7 @@ #!/bin/sh # -# Copyright 2019-2023 The OpenZipkin Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except -# in compliance with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed under the License -# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express -# or implied. See the License for the specific language governing permissions and limitations under -# the License. +# Copyright The OpenZipkin Authors +# SPDX-License-Identifier: Apache-2.0 # set -ue @@ -19,5 +10,10 @@ docker_tag=${1?full docker_tag is required. Ex openzipkin/zipkin:test} version=${2:-} docker_args=$($(dirname "$0")/docker_args ${version}) +# We don't need build kit, but Docker 20.10 no longer accepts --platform +# without it. It is simpler to always enable it vs require maintainers to use +# alternate OCI tools. See https://github.com/moby/moby/issues/41552 +export DOCKER_BUILDKIT=1 + echo "Building image ${docker_tag}" -DOCKER_BUILDKIT=1 docker build --network=host --pull ${docker_args} --tag ${docker_tag} . +docker build --network=host --pull ${docker_args} --tag ${docker_tag} . diff --git a/build-bin/docker/docker_push b/build-bin/docker/docker_push index 3d3c8f9..6aaa374 100755 --- a/build-bin/docker/docker_push +++ b/build-bin/docker/docker_push @@ -1,16 +1,7 @@ #!/bin/sh # -# Copyright 2019-2023 The OpenZipkin Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except -# in compliance with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed under the License -# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express -# or implied. See the License for the specific language governing permissions and limitations under -# the License. +# Copyright The OpenZipkin Authors +# SPDX-License-Identifier: Apache-2.0 # # This script pushes images to GitHub Container Registry (ghcr.io). @@ -27,6 +18,10 @@ set -ue docker_image=${1?docker_image is required, notably without a tag. Ex openzipkin/zipkin} version=${2:-master} + +# We don't need build kit, but Docker 20.10 no longer accepts --platform +# without it. It is simpler to always enable it vs require maintainers to use +# alternate OCI tools. See https://github.com/moby/moby/issues/41552 export DOCKER_BUILDKIT=1 case ${version} in