update some java docker images for crypto security

Author: daggerok

gradle/Dockerfile

@@ -1,15 +1,32 @@
-FROM openjdk:8u151-jdk-alpine
+FROM openjdk:8u151-jre-alpine3.7
 MAINTAINER Maksim Kostromin https://github.com/daggerok
-RUN apk --no-cache add busybox-suid bash curl sudo \
+RUN apk --no-cache --update add busybox-suid bash curl unzip sudo openssh-client shadow wget \
  && adduser -h /home/appuser -s /bin/bash -D -u 1025 appuser wheel \
  && echo "appuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
  && sed -i "s/.*requiretty$/Defaults !requiretty/" /etc/sudoers \
- && apk del busybox-suid \
- && rm -rf /tmp/* /var/cache/apk/*
+ && wget --no-cookies \
+         --no-check-certificate \
+         --header "Cookie: oraclelicense=accept-securebackup-cookie" \
+                  "http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip" \
+         -O /tmp/jce_policy-8.zip \
+ && unzip -o /tmp/jce_policy-8.zip -d /tmp \
+ && mv -f ${JAVA_HOME}/lib/security ${JAVA_HOME}/lib/backup-security \
+ && mv -f /tmp/UnlimitedJCEPolicyJDK8 ${JAVA_HOME}/lib/security \
+ && apk del busybox-suid unzip openssh-client shadow wget \
+ && rm -rf /var/cache/apk/* /tmp/*
 USER appuser
 WORKDIR /home/appuser
 VOLUME /home/appuser
-ENTRYPOINT java -XX:+UnlockExperimentalVMOptions \
+# ARG JAVA_OPTS_ARGS="\
+#  -Djava.net.preferIPv4Stack=true \
+#  -XX:+UnlockExperimentalVMOptions \
+#  -XX:+UseCGroupMemoryLimitForHeap \
+#  -XshowSettings:vm "
+# ENV JAVA_OPTS="${JAVA_OPTS} ${JAVA_OPTS_ARGS}"
+# ENTRYPOINT java ${JAVA_OPTS} -jar ./app.jar
+# CMD /bin/bash
+ENTRYPOINT java -Djava.net.preferIPv4Stack=true \
+                -XX:+UnlockExperimentalVMOptions \
                 -XX:+UseCGroupMemoryLimitForHeap \
                 -XshowSettings:vm \
                 -jar ./app.jar

maven/Dockerfile

@@ -1,21 +1,38 @@
-FROM openjdk:8u151-jre-alpine
+FROM openjdk:8u151-jre-alpine3.7
 MAINTAINER Maksim Kostromin https://github.com/daggerok
-RUN apk --no-cache add busybox-suid bash curl sudo \
+RUN apk --no-cache --update add busybox-suid bash curl unzip sudo openssh-client shadow wget \
  && adduser -h /home/appuser -s /bin/bash -D -u 1025 appuser wheel \
  && echo "appuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
  && sed -i "s/.*requiretty$/Defaults !requiretty/" /etc/sudoers \
- && apk del busybox-suid \
- && rm -rf /tmp/* /var/cache/apk/*
+ && wget --no-cookies \
+         --no-check-certificate \
+         --header "Cookie: oraclelicense=accept-securebackup-cookie" \
+                  "http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip" \
+         -O /tmp/jce_policy-8.zip \
+ && unzip -o /tmp/jce_policy-8.zip -d /tmp \
+ && mv -f ${JAVA_HOME}/lib/security ${JAVA_HOME}/lib/backup-security \
+ && mv -f /tmp/UnlimitedJCEPolicyJDK8 ${JAVA_HOME}/lib/security \
+ && apk del busybox-suid unzip openssh-client shadow wget \
+ && rm -rf /var/cache/apk/* /tmp/*
 USER appuser
 WORKDIR /home/appuser
 VOLUME /home/appuser
-ENTRYPOINT java -XX:+UnlockExperimentalVMOptions \
-                -XX:+UseCGroupMemoryLimitForHeap \
-                -XshowSettings:vm \
-                -jar ./app.jar
+ARG JAVA_OPTS_ARGS="\
+ -Djava.net.preferIPv4Stack=true \
+ -XX:+UnlockExperimentalVMOptions \
+ -XX:+UseCGroupMemoryLimitForHeap \
+ -XshowSettings:vm "
+ENV JAVA_OPTS="${JAVA_OPTS} ${JAVA_OPTS_ARGS}"
+ENTRYPOINT java ${JAVA_OPTS} -jar ./app.jar
 CMD /bin/bash
+# ENTRYPOINT java -Djava.net.preferIPv4Stack=true \
+#                 -XX:+UnlockExperimentalVMOptions \
+#                 -XX:+UseCGroupMemoryLimitForHeap \
+#                 -XshowSettings:vm \
+#                 -jar ./app.jar
+# CMD /bin/bash
 EXPOSE 8080
-HEALTHCHECK --timeout=1s \
-            --retries=35 \
+HEALTHCHECK --timeout=2s \
+            --retries=22 \
             CMD curl -f http://127.0.0.1:8080/actuator/health || exit 1
 COPY --chown=appuser ./target/*.jar ./app.jar

spring-boot/Dockerfile

@@ -1,23 +1,32 @@
-FROM openjdk:8u131-jre-alpine
+FROM openjdk:8u151-jre-alpine3.7
 MAINTAINER Maksim Kostromin https://github.com/daggerok
-RUN apk --no-cache --update add busybox-suid bash curl unzip sudo openssh-client shadow \
- && addgroup app-group \
- && echo "app ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
+RUN apk --no-cache --update add busybox-suid bash curl unzip sudo openssh-client shadow wget \
+ && adduser -h /home/appuser -s /bin/bash -D -u 1025 appuser wheel \
+ && echo "appuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
  && sed -i "s/.*requiretty$/Defaults !requiretty/" /etc/sudoers \
- && adduser -h /home/app -s /bin/bash -D -u 1025 app app-group \
- && usermod -a -G wheel app \
- && apk del busybox-suid unzip openssh-client shadow \
+ && wget --no-cookies \
+         --no-check-certificate \
+         --header "Cookie: oraclelicense=accept-securebackup-cookie" \
+                  "http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip" \
+         -O /tmp/jce_policy-8.zip \
+ && unzip -o /tmp/jce_policy-8.zip -d /tmp \
+ && mv -f ${JAVA_HOME}/lib/security ${JAVA_HOME}/lib/backup-security \
+ && mv -f /tmp/UnlimitedJCEPolicyJDK8 ${JAVA_HOME}/lib/security \
+ && apk del busybox-suid unzip openssh-client shadow wget \
  && rm -rf /var/cache/apk/* /tmp/*
-USER app
-WORKDIR /home/app
-VOLUME ["/home/app"]
-ENTRYPOINT java -XX:+UnlockExperimentalVMOptions \
-                -XX:+UseCGroupMemoryLimitForHeap \
-                -XshowSettings:vm \
-                -jar ./app.jar
+USER appuser
+WORKDIR /home/appuser
+VOLUME /home/appuser
+ARG JAVA_OPTS_ARGS="\
+ -Djava.net.preferIPv4Stack=true \
+ -XX:+UnlockExperimentalVMOptions \
+ -XX:+UseCGroupMemoryLimitForHeap \
+ -XshowSettings:vm "
+ENV JAVA_OPTS="${JAVA_OPTS} ${JAVA_OPTS_ARGS}"
+ENTRYPOINT java ${JAVA_OPTS} -jar ./app.jar
 CMD /bin/bash
 EXPOSE 8080
-HEALTHCHECK --timeout=1s \
-            --retries=33 \
+HEALTHCHECK --timeout=2s \
+            --retries=22 \
             CMD curl -f http://127.0.0.1:8080/actuator/health || exit 1
-COPY --chown=app ./build/libs/*.jar ./app.jar
+COPY --chown=appuser ./build/libs/*.jar ./app.jar

spring-boot/config-server/Dockerfile

@@ -1,25 +1,32 @@
-#FROM openjdk:8u131-jre-alpine
-FROM openjdk:8u151-jre-alpine
+FROM openjdk:8u151-jre-alpine3.7
 MAINTAINER Maksim Kostromin https://github.com/daggerok
-RUN apk --no-cache --update add busybox-suid bash curl unzip sudo openssh-client shadow \
- && addgroup appuser-group \
+RUN apk --no-cache --update add busybox-suid bash curl unzip sudo openssh-client shadow wget \
+ && adduser -h /home/appuser -s /bin/bash -D -u 1025 appuser wheel \
  && echo "appuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
  && sed -i "s/.*requiretty$/Defaults !requiretty/" /etc/sudoers \
- && adduser -h /home/appuser -s /bin/bash -D -u 1025 appuser appuser-group \
- && usermod -a -G wheel appuser \
- && apk del busybox-suid unzip openssh-client shadow \
+ && wget --no-cookies \
+         --no-check-certificate \
+         --header "Cookie: oraclelicense=accept-securebackup-cookie" \
+                  "http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip" \
+         -O /tmp/jce_policy-8.zip \
+ && unzip -o /tmp/jce_policy-8.zip -d /tmp \
+ && mv -f ${JAVA_HOME}/lib/security ${JAVA_HOME}/lib/backup-security \
+ && mv -f /tmp/UnlimitedJCEPolicyJDK8 ${JAVA_HOME}/lib/security \
+ && apk del busybox-suid unzip openssh-client shadow wget \
  && rm -rf /var/cache/apk/* /tmp/*
 USER appuser
 WORKDIR /home/appuser
-VOLUME ["/home/appuser"]
-ENTRYPOINT java -XX:+UnlockExperimentalVMOptions \
-                -XX:+UseCGroupMemoryLimitForHeap \
-                -XshowSettings:vm \
-                -jar ./app.jar
+VOLUME /home/appuser
+ARG JAVA_OPTS_ARGS="\
+ -Djava.net.preferIPv4Stack=true \
+ -XX:+UnlockExperimentalVMOptions \
+ -XX:+UseCGroupMemoryLimitForHeap \
+ -XshowSettings:vm "
+ENV JAVA_OPTS="${JAVA_OPTS} ${JAVA_OPTS_ARGS}"
+ENTRYPOINT java ${JAVA_OPTS} -jar ./app.jar
 CMD /bin/bash
 EXPOSE 8888
-HEALTHCHECK --interval=1s \
-            --timeout=1s \
-            --retries=33 \
+HEALTHCHECK --timeout=2s \
+            --retries=22 \
             CMD curl -f http://127.0.0.1:8888/health || exit 1
 COPY --chown=appuser ./build/libs/*.jar ./app.jar