Skip to content

feat: Use multistage Docker build for selecting JRE #9392

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
usmansaleem merged 8 commits into from
Nov 11, 2025
Merged

feat: Use multistage Docker build for selecting JRE #9392

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
02a3154
feat: Use multistage Docker build for selecting JRE
usmansaleem Nov 3, 2025
320bf13
Merge remote-tracking branch 'upstream/main' into update_docker_jvm
usmansaleem Nov 3, 2025
8a6eccf
Merge remote-tracking branch 'upstream/main' into update_docker_jvm
usmansaleem Nov 4, 2025
0cbce3f
Merge remote-tracking branch 'upstream/main' into update_docker_jvm
usmansaleem Nov 5, 2025
e3ff9ad
update changelog
usmansaleem Nov 5, 2025
42a830c
Merge remote-tracking branch 'upstream/main' into update_docker_jvm
usmansaleem Nov 7, 2025
e5020b1
Merge remote-tracking branch 'upstream/main' into update_docker_jvm
usmansaleem Nov 8, 2025
8a17ad6
Merge remote-tracking branch 'upstream/main' into update_docker_jvm
usmansaleem Nov 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -702,7 +702,8 @@ application {
"--add-exports",
"java.base/jdk.internal.misc=ALL-UNNAMED",
"--add-opens",
"java.base/java.nio=ALL-UNNAMED"
"java.base/java.nio=ALL-UNNAMED",
"--enable-native-access=ALL-UNNAMED"
Copy link
Copy Markdown
Contributor

@fab-10 fab-10 Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why this change?

Copy link
Copy Markdown
Contributor Author

@usmansaleem usmansaleem Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is to avoid warning message that JVM 24+ issues when starting Besu because we are using JNA to load native libraries. It seems to be backward compatible (at least no error is raised) with Java 21 as well.

Copy link
Copy Markdown
Contributor Author

@usmansaleem usmansaleem Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://docs.oracle.com/en/java/javase/24/core/restricted-methods.html

]
}

Expand Down
27 changes: 17 additions & 10 deletions docker/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
# syntax=docker/dockerfile:1

# Stage: Use Eclipse Temurin JRE
FROM eclipse-temurin:21-jre AS java-base

# Stage: Final Besu image
FROM ubuntu:24.04
ARG VERSION="dev"
ENV NO_PROXY_CACHE="-o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true -o Acquire::http::Pipeline-Depth=0"
Expand All @@ -6,18 +12,20 @@ ENV NO_PROXY_CACHE="-o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true
RUN apt-get update $NO_PROXY_CACHE && \
# $NO_PROXY_CACHE must not be used here or otherwise will trigger a hadolint error
apt-get -o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true -o Acquire::http::Pipeline-Depth=0 \
--no-install-recommends -q --assume-yes install openjdk-21-jre-headless=21* libjemalloc-dev=5.* adduser=3* && \
--no-install-recommends -q --assume-yes install libjemalloc-dev=5.* && \
# Clean apt cache
apt-get clean && \
rm -rf /var/cache/apt/archives/* /var/cache/apt/archives/partial/* && \
rm -rf /var/lib/apt/lists/* && \
# Starting from version 23.10, Ubuntu comes with an "ubuntu" user with uid 1000. We need 1000 for besu.
userdel ubuntu 2>/dev/null || true && rm -rf /home/ubuntu && \
# Ensure we use a stable UID for besu, as file permissions are tied to UIDs.
adduser --uid 1000 --disabled-password --gecos "" --home /opt/besu besu && \
chown besu:besu /opt/besu && \
useradd --uid 1000 --create-home --home-dir /opt/besu --shell /bin/bash --user-group --skel /etc/skel besu && \
chmod 0755 /opt/besu

# Copy JRE from the java-base stage
COPY --from=java-base /opt/java/openjdk /opt/java/openjdk

ARG BESU_USER=besu
USER ${BESU_USER}
WORKDIR /opt/besu
Expand All @@ -43,14 +51,13 @@ ENV PYROSCOPE_CONFIGURATION_FILE=/etc/besu/pyroscope.properties
EXPOSE 8545 8546 8547 8550 8551 30303

# defaults for host interfaces
ENV BESU_RPC_HTTP_HOST 0.0.0.0
ENV BESU_RPC_WS_HOST 0.0.0.0
ENV BESU_GRAPHQL_HTTP_HOST 0.0.0.0
ENV BESU_PID_PATH "/tmp/pid"
ENV BESU_RPC_HTTP_HOST=0.0.0.0
ENV BESU_RPC_WS_HOST=0.0.0.0
ENV BESU_GRAPHQL_HTTP_HOST=0.0.0.0
ENV BESU_PID_PATH="/tmp/pid"
ENV OTEL_RESOURCE_ATTRIBUTES="service.name=besu,service.version=$VERSION"

ENV OLDPATH="${PATH}"
ENV PATH="/opt/besu/bin:${OLDPATH}"
ENV JAVA_HOME="/opt/java/openjdk"
ENV PATH="/opt/besu/bin:${JAVA_HOME}/bin:${PATH}"

# The entry script just sets permissions as needed based on besu config
# and is replaced by the besu process running as besu user.
Expand Down
21 changes: 16 additions & 5 deletions ethereum/evmtool/src/main/docker/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# syntax=docker/dockerfile:1

# Stage: Use Eclipse Temurin JRE
FROM eclipse-temurin:21-jre AS java-base

# Stage: Final Besu EVMTool image
FROM ubuntu:24.04
ARG VERSION="dev"
ENV NO_PROXY_CACHE="-o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true -o Acquire::http::Pipeline-Depth=0"
Expand All @@ -7,21 +12,27 @@ ENV NO_PROXY_CACHE="-o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true
RUN apt-get update $NO_PROXY_CACHE && \
# $NO_PROXY_CACHE must not be used here or otherwise will trigger a hadolint error
apt-get -o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true -o Acquire::http::Pipeline-Depth=0 \
--no-install-recommends -q --assume-yes install openjdk-21-jre-headless=21* adduser=3* && \
--no-install-recommends -q --assume-yes install libjemalloc-dev=5.* && \
# Clean apt cache \
apt-get clean && \
rm -rf /var/cache/apt/archives/* /var/cache/apt/archives/partial/* && \
rm -rf /var/lib/apt/lists/* && \
# Creating a user for besu
adduser --disabled-password --gecos "" --home /opt/besu besu && \
chown besu:besu /opt/besu
# Starting from version 23.10, Ubuntu comes with an "ubuntu" user with uid 1000. We need 1000 for besu.
userdel ubuntu 2>/dev/null || true && rm -rf /home/ubuntu && \
# Ensure we use a stable UID for besu, as file permissions are tied to UIDs.
useradd --uid 1000 --create-home --home-dir /opt/besu-evmtool --shell /bin/bash --user-group --skel /etc/skel besu && \
chmod 0755 /opt/besu-evmtool

# Copy JRE from the jre-base stage
COPY --from=java-base /opt/java/openjdk /opt/java/openjdk

USER besu
WORKDIR /opt/besu-evmtool

COPY --chown=besu:besu besu-evmtool /opt/besu-evmtool/

ENV PATH="/opt/besu-evmtool/bin:${PATH}"
ENV JAVA_HOME="/opt/java/openjdk"
ENV PATH="/opt/besu-evmtool/bin:${JAVA_HOME}/bin:${PATH}"
ENTRYPOINT ["evmtool"]

# Build-time metadata as defined at http://label-schema.org
Expand Down
Loading