feat: Use multistage Docker build for selecting JRE (besu-eth#9392)

-- Use multistage docker build to select JRE for Besu
-- Fix minor issues in Docker build file

Signed-off-by: Usman Saleem <usman@usmans.info>

Author: usmansaleem

CHANGELOG.md

@@ -19,6 +19,7 @@
 - Update to vertx 4.5.22 [#9375](https://github.com/hyperledger/besu/pull/9375)
 - Add `opcodes` optional parameter to RPC methods: `debug_standardTraceBlockToFile`, `debug_standardTraceBadBlockToFile`, `debug_traceBlockByNumber`, `debug_traceBlockByHash`, `debug_traceTransaction`, `debug_traceBlock`, `debug_traceCall` for tracing specified opcodes [#9335](https://github.com/hyperledger/besu/pull/9335)
 - eth_createAccessList now returns success result if execution reverted [#9358](https://github.com/hyperledger/besu/pull/9358)
+- Use Eclipse Temurin OpenJDK JRE in Besu docker image [#9392](https://github.com/hyperledger/besu/pull/9392)
 
 ### Bug fixes
 

build.gradle

@@ -702,7 +702,8 @@ application {
     "--add-exports",
     "java.base/jdk.internal.misc=ALL-UNNAMED",
     "--add-opens",
-    "java.base/java.nio=ALL-UNNAMED"
+    "java.base/java.nio=ALL-UNNAMED",
+    "--enable-native-access=ALL-UNNAMED"
   ]
 }
 

docker/Dockerfile

@@ -1,3 +1,9 @@
+# syntax=docker/dockerfile:1
+
+# Stage: Use Eclipse Temurin JRE
+FROM eclipse-temurin:21-jre AS java-base
+
+# Stage: Final Besu image
 FROM ubuntu:24.04
 ARG VERSION="dev"
 ENV NO_PROXY_CACHE="-o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true -o Acquire::http::Pipeline-Depth=0"
@@ -6,18 +12,20 @@ ENV NO_PROXY_CACHE="-o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true
 RUN apt-get update $NO_PROXY_CACHE  && \
   # $NO_PROXY_CACHE must not be used here or otherwise will trigger a hadolint error
   apt-get -o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true -o Acquire::http::Pipeline-Depth=0 \
-    --no-install-recommends -q --assume-yes install openjdk-21-jre-headless=21* libjemalloc-dev=5.* adduser=3*  && \
+    --no-install-recommends -q --assume-yes install libjemalloc-dev=5.* && \
   # Clean apt cache
   apt-get clean  && \
   rm -rf /var/cache/apt/archives/* /var/cache/apt/archives/partial/*  && \
   rm -rf /var/lib/apt/lists/*  && \
   # Starting from version 23.10, Ubuntu comes with an "ubuntu" user with uid 1000. We need 1000 for besu.
   userdel ubuntu 2>/dev/null || true && rm -rf /home/ubuntu  && \
   # Ensure we use a stable UID for besu, as file permissions are tied to UIDs.
-  adduser --uid 1000 --disabled-password --gecos "" --home /opt/besu besu  && \
-  chown besu:besu /opt/besu  && \
+  useradd --uid 1000 --create-home --home-dir /opt/besu --shell /bin/bash --user-group --skel /etc/skel besu && \
   chmod 0755 /opt/besu
 
+# Copy JRE from the java-base stage
+COPY --from=java-base /opt/java/openjdk /opt/java/openjdk
+
 ARG BESU_USER=besu
 USER ${BESU_USER}
 WORKDIR /opt/besu
@@ -43,14 +51,13 @@ ENV PYROSCOPE_CONFIGURATION_FILE=/etc/besu/pyroscope.properties
 EXPOSE 8545 8546 8547 8550 8551 30303
 
 # defaults for host interfaces
-ENV BESU_RPC_HTTP_HOST 0.0.0.0
-ENV BESU_RPC_WS_HOST 0.0.0.0
-ENV BESU_GRAPHQL_HTTP_HOST 0.0.0.0
-ENV BESU_PID_PATH "/tmp/pid"
+ENV BESU_RPC_HTTP_HOST=0.0.0.0
+ENV BESU_RPC_WS_HOST=0.0.0.0
+ENV BESU_GRAPHQL_HTTP_HOST=0.0.0.0
+ENV BESU_PID_PATH="/tmp/pid"
 ENV OTEL_RESOURCE_ATTRIBUTES="service.name=besu,service.version=$VERSION"
-
-ENV OLDPATH="${PATH}"
-ENV PATH="/opt/besu/bin:${OLDPATH}"
+ENV JAVA_HOME="/opt/java/openjdk"
+ENV PATH="/opt/besu/bin:${JAVA_HOME}/bin:${PATH}"
 
 # The entry script just sets permissions as needed based on besu config
 # and is replaced by the besu process running as besu user.

ethereum/evmtool/src/main/docker/Dockerfile

@@ -1,4 +1,9 @@
+# syntax=docker/dockerfile:1
 
+# Stage: Use Eclipse Temurin JRE
+FROM eclipse-temurin:21-jre AS java-base
+
+# Stage: Final Besu EVMTool image
 FROM ubuntu:24.04
 ARG VERSION="dev"
 ENV NO_PROXY_CACHE="-o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true -o Acquire::http::Pipeline-Depth=0"
@@ -7,21 +12,27 @@ ENV NO_PROXY_CACHE="-o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true
 RUN apt-get update $NO_PROXY_CACHE  && \
   # $NO_PROXY_CACHE must not be used here or otherwise will trigger a hadolint error
   apt-get -o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true -o Acquire::http::Pipeline-Depth=0 \
-    --no-install-recommends -q --assume-yes install openjdk-21-jre-headless=21* adduser=3* && \
+    --no-install-recommends -q --assume-yes install libjemalloc-dev=5.* && \
   # Clean apt cache  \
   apt-get clean  && \
   rm -rf /var/cache/apt/archives/* /var/cache/apt/archives/partial/*  && \
   rm -rf /var/lib/apt/lists/*  && \
-  # Creating a user for besu
-  adduser --disabled-password --gecos "" --home /opt/besu besu  && \
-  chown besu:besu /opt/besu
+  # Starting from version 23.10, Ubuntu comes with an "ubuntu" user with uid 1000. We need 1000 for besu.
+  userdel ubuntu 2>/dev/null || true && rm -rf /home/ubuntu  && \
+  # Ensure we use a stable UID for besu, as file permissions are tied to UIDs.
+  useradd --uid 1000 --create-home --home-dir /opt/besu-evmtool --shell /bin/bash --user-group --skel /etc/skel besu && \
+  chmod 0755 /opt/besu-evmtool
+
+# Copy JRE from the jre-base stage
+COPY --from=java-base /opt/java/openjdk /opt/java/openjdk
 
 USER besu
 WORKDIR /opt/besu-evmtool
 
 COPY --chown=besu:besu besu-evmtool /opt/besu-evmtool/
 
-ENV PATH="/opt/besu-evmtool/bin:${PATH}"
+ENV JAVA_HOME="/opt/java/openjdk"
+ENV PATH="/opt/besu-evmtool/bin:${JAVA_HOME}/bin:${PATH}"
 ENTRYPOINT ["evmtool"]
 
 # Build-time metadata as defined at http://label-schema.org