Matthias
#
YAML style recommendations
While Iβm not a particularly big fan of YAML overall, it does have some clear benefits over both JSON and XML for human-editable configuration files. And while there are some pretty compelling alternatives, YAML is currently ubiquitous, so it makes sense to make the best of it.
Here are my favorite simple style rules. I apply them aggressively whenever I see some YAML that isnβt bolted to the wall and fixed with superglue.
Rule 1. Indent enumerations.
Rule: Indent enumerated items relative to the key that defines them.
Reason: Adhering to the Rectangle Rule makes it easier to find where blocks begin and end.
Bad:
list1:
- item1
- item2
list2:
- item3
- item4
Good:
list1:
- item1
- item2
list2:
- item3
- item4
This is by far my favorite rule. Even if you do nothing else, it improves the readability of any YAML file by an order of magnitude.
Rule 2. Separate nested blocks by white space.
Rule: Use empty lines to separate blocks of nested content.
Hint: A good rule of thumb is that any block that has children should be surrounded by white space on both sides.
Reason: Empty lines make it easier to find where blocks begin and end.
Bad:
metadata:
name: mulkcms2
namespace: mulk
labels:
name: mulkcms2-web
app: mulkcms2
spec:
replicas: 1
selector:
matchLabels:
app: mulkcms2
group: mulk
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
Good:
metadata:
name: mulkcms2
namespace: mulk
labels:
name: mulkcms2-web
app: mulkcms2
spec:
replicas: 1
selector:
matchLabels:
app: mulkcms2
group: mulk
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
This is a rule that I apply not just to YAML, but to any type of code whatsoever. It not just helps with readability, but also with editability (by enabling me to navigate by block).
Official builds of OpenJ9, an alternate implementation of the JVM, from IBM.
While OpenJ9 is not OpenJDK, Semeru does use the OpenJDK class libraries.
Political slogans should target the center. But more importantly, the agenda should target the center. The Median Voter Theorem applies.
The package manager used by RedHat UBI Minimal container images. Like dnf, but written in C rather than Python.
Proposed to target JDK 19.
This is shaping up to be an interesting release (assuming you find preview features interesting).
A public API that you can query for available OpenJDK distributions and download links.
Ready-made container images for use with kubectl debug. There are images for Node, Python, Go, and Java.
A way to spin up ephemeral containers in a running Kubernetes pod that have access to the same process namespace as the running ones. Used to run debugging tools in production.
A bot that creates pull requests for project dependency updates. Supports multiple target languages.
A container system for GNU/Linux applications.
A free-as-in-freedom RHEL derivative similar to what CentOS was before it was converted into the CentOS Stream rolling release distribution, called into life by the original founder of CentOS.
A free-as-in-freedom RHEL derivative similar to what CentOS was before it was converted into the CentOS Stream rolling release distribution, by the people behind the commercial CloudLinux OS.
A collection of notes on application security (mostly web and mobile applications).
Highlight: cheat sheets related to the OWASP Top Ten web application security risks.
A CI-agnostic build and deployment pipeline definition tool. Works locally, too.
A general-purpose build system based on BuildKit.
A flexible build tool for container images. Capable of reproducible (timestamp-less) builds.
A composable container build tool chain.
A low-level build tool for OCI-compliant container images.
A container build tool that runs inside a container, requiring no additional privileges. Suitable for use inside a Kubernetes pod. Supports reproducible (timestamp-less) builds out of the box.
Matthias
#
Well-maintained (or not) OpenJDK Docker images
Here is a list of major OpenJDK vendors and the container images they offer.
| Vendor | Image name | Tag | Release cycle | Base OS | Remarks |
|---|---|---|---|---|---|
| Azul | docker.io/azul/zulu-openjdk |
17 |
LTS | Ubuntu | |
| Azul | docker.io/azul/zulu-openjdk-alpine |
17 |
LTS | Alpine Linux | |
| Azul | docker.io/azul/zulu-openjdk-centos |
17 |
LTS | CentOS | |
| Azul | docker.io/azul/zulu-openjdk-debian |
17 |
LTS | Debian | |
| BellSoft | docker.io/bellsoft/liberica-openjdk-alpine |
17 |
LTS | Alpine (glibc) | |
| BellSoft | docker.io/bellsoft/liberica-openjdk-alpine |
latest |
non-LTS | Alpine (glibc) | |
| BellSoft | docker.io/bellsoft/liberica-openjdk-alpine-musl |
17 |
LTS | Alpine (musl) | |
| BellSoft | docker.io/bellsoft/liberica-openjdk-alpine-musl |
latest |
non-LTS | Alpine (musl) | |
| BellSoft | docker.io/bellsoft/liberica-openjdk-centos |
17 |
LTS | CentOS | |
| BellSoft | docker.io/bellsoft/liberica-openjdk-centos |
latest |
non-LTS | CentOS | |
| BellSoft | docker.io/bellsoft/liberica-openjdk-debian |
17 |
LTS | Debian | |
| BellSoft | docker.io/bellsoft/liberica-openjdk-debian |
latest |
non-LTS | Debian | |
| Eclipse | docker.io/library/eclipse-temurin |
latest |
non-LTS | Ubuntu | recommended non-LTS1 |
| Eclipse | docker.io/library/eclipse-temurin |
17 |
LTS | Ubuntu | recommended LTS1 |
| Eclipse | docker.io/library/eclipse-temurin |
17-alpine |
LTS | Alpine | |
gcr.io/distroless/java17-debian11 |
latest |
LTS | Debian | ||
| Microsoft | mcr.microsoft.com/openjdk/jdk |
17-ubuntu |
LTS | Ubuntu | |
| Microsoft | mcr.microsoft.com/openjdk/jdk |
17-mariner |
LTS | CentOS (derivative) | |
| Microsoft | mcr.microsoft.com/openjdk/jdk |
17-cbld |
LTS | Debian (derivative) | |
| Oracle | container-registry.oracle.com/java/openjdk |
latest |
non-LTS | Oracle Linux | recommended non-LTS2 |
| Red Hat | registry.access.redhat.com/ubi8/openjdk-17 |
latest |
LTS | RHEL (UBI)4 | recommended LTS3 |
| Red Hat | registry.access.redhat.com/ubi8/openjdk-17-runtime |
latest |
LTS | RHEL (UBI)4 |
General remarks:
As is apparent from the list, most vendors do not offer a rolling non-LTS image. Be careful when using a non-LTS image pinned to a specific version as its time under support will be quite limited. Rolling non-LTS images that always update to the latest OpenJDK version are fine (and may in fact be more secure and reliable than any LTS image considering that OpenJDK Updates primarily consists of backports from later versions).
Generally speaking, Docker images, particularly OpenJDK images, tend to drift from the latest update state of the base OS underlying them. It is probably a good idea to build your own runtime image (perhaps based on something like UBI Micro (manual)) and keep it up to date through a nightly CI job.
I cannot recommend any Alpine-based images at present because there are too many dependencies on glibc specifics (see also) in the ecosystem and using glibc on Alpine is not a supported configuration.
Footnotes:
Being a widely deployed image with lots of attention given to it, the Temurin image is probably the one you want if you prefer Ubuntu over RHEL.
Oracle is the main sponsor of OpenJDK. New OpenJDK releases tend to find their way into their image promptly. Oracle Linux is also a generally well-maintained and secure base; do note, however, that the OpenJDK image is typically only updated when a new OpenJDK is released, so you have to install system package updates yourself.
Red Hat is the second largest contributor to OpenJDK (after Oracle) and one of the sponsors of the OpenJDK 17 Updates project and is typically quick to release security patches. UBI8 is also a well-maintained and secure image base.
UBI is a trimmed-down version of RHEL that Red Hat distribute free of charge as part of their container image offerings.
Targeting JDK 19.