Chainguard Images Now Come With JCK Certified Java
Written by Nikos Vaggalis   
Thursday, 25 July 2024

Chainguard has released OpenJDK Java images that are JCK conformant, adhering to the strict Java standard, but with a twist: the images are minimalist and based on the Wolfi Linux (un)distribution. What's the deal with that?


Wolfi is a community Linux (un)distribution that is built with security measures necessary for securing the software supply chain such as signing and sensible defaults. The defaults that it enforces on container images are:

  • build-time SBOM as standard for all packages

  • packages are designed to be granular and independent to support minimal images

  • uses the proven and reliable APK package format

  • enables fully declarative and reproducible build systems

  • supports glibc and musl

As far as the 'un' in (un)distribution goes, it means that Wolfi is not a full Linux distribution designed to run on bare metal. Instead, it is a stripped-down version designed for the cloud era: it doesn't include a Linux kernel but relies on the environment, such as the container runtime, to provide one. The point is to keep dependencies to a minimum, which reduces the potential attack surface and simplifies actions such as auditing, updating and transferring images. Chainguard's ultimate aim is to eradicate CVEs from containers.

On top of that we now get JCK certified Java runtimes. The JCK is a comprehensive test suite provided by Oracle that validates adherence to the Java specification. This conformance now applies to any Chainguard Image that contains the JDK and JRE latest builds for OpenJDK Java 21.0.3 and Java 22.0.1.
JCK compliance ensures that Java applications will run consistently across different platforms and devices, and that they are compatible with other Java implementations.

This means that Chainguard's Java base images are fully compatible and conform to the rigorous standards set out for Java SE 21 and 22 for both compiler and runtime.
It's a scheme akin to Bellsoft adding CRaC-enabled OpenJDKs to its Alpaquita containers, as we examined in "Liberica Alpaquita Containers Now Come With CRaC".

The Chainguard images are available on cgr.dev and can be pulled with:

for JRE

docker pull cgr.dev/chainguard/jre:latest

for JDK

docker pull cgr.dev/chainguard/jdk

To put it into practice, if you've written a simple Java class say HelloWolfi.java, to containerize it you would:
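One way to write the Dockerfile for this step, as an added example rather than the article's own listing: a two-stage build that compiles with the JDK image and ships only the class files on the JRE image. It assumes HelloWolfi.java sits next to the Dockerfile and declares a class HelloWolfi in the default package; the /src, /tmp/classes and /app paths and the stage name are choices made for this example.

```dockerfile
# Added example, not the article's own listing.
# Assumes HelloWolfi.java is in the build context and declares
# class HelloWolfi (default package) with a main method.

# Stage 1: compile with the JDK image. Nothing from this stage ships.
FROM cgr.dev/chainguard/jdk:latest AS build
COPY HelloWolfi.java /src/HelloWolfi.java
# Exec form does not depend on a shell being present. Classes are written
# to /tmp so the step works even if the image's default user cannot
# write under /src.
RUN ["javac", "-d", "/tmp/classes", "/src/HelloWolfi.java"]

# Stage 2: runtime only. The final image carries the JRE and the compiled
# classes, not the compiler or the source.
FROM cgr.dev/chainguard/jre:latest
COPY --from=build /tmp/classes /app
# Explicit entrypoint and classpath, so the result does not rely on the
# base image's default entrypoint or working directory.
ENTRYPOINT ["java", "-cp", "/app", "HelloWolfi"]
```

Tags such as latest are mutable, so a build that must be reproducible would reference each base image by digest instead.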

Following that, you can build the image:

docker build -t my-java-app .

and run it by referencing this tag, as in the following command:

docker run my-java-app

This way you get the best of two worlds; solid Java on secure containers. 


More Information

JDK image

JRE image
 

Related Articles

Happy Birthday To Wolfi Linux Undistro

Liberica Alpaquita Containers Now Come With CRaC  

 


Last Updated ( Thursday, 25 July 2024 )