Merge branch 'master' into dependabot/github_actions/slsa-framework/s…
…lsa-github-generator-1.9.0
alicejli authored Sep 8, 2023
2 parents fd628a5 + 54e5c0f commit db1b0ab
Showing 14 changed files with 76 additions and 27 deletions.
6 changes: 5 additions & 1 deletion CONTRIBUTING.md
Expand Up @@ -75,10 +75,14 @@ To run select integration tests, use `--tests=<testPattern>`, see [gradle docs](

# Development Tips

## Java version

Use Java 8 or 11 for development. https://sdkman.io/ is a helpful tool to switch between Java versions.

## Configuring Eclipse

Although jib is a mix of Gradle and Maven projects, we build everything using one
unifed gradle build. There is special code to include some projects directly as
unified gradle build. There is special code to include some projects directly as
source, but importing your project should be pretty straight forward.

1. Ensure you have installed the Gradle tooling for Eclipse, called
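Review bot: The new "Java version" section gives SDKMAN as a bare URL (`https://sdkman.io/`), while the rest of this file uses Markdown link syntax (see `[gradle docs](` in the hunk header context); write it as a named link. Since this hunk is already fixing "unifed", the unchanged line below it still reads "pretty straight forward", which should be "straightforward".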
10 changes: 6 additions & 4 deletions README.md
Expand Up @@ -19,10 +19,12 @@

Jib builds optimized Docker and [OCI](https://github.com/opencontainers/image-spec) images for your Java applications without a Docker daemon - and without deep mastery of Docker best-practices. It is available as plugins for [Maven](jib-maven-plugin) and [Gradle](jib-gradle-plugin) and as a Java library.

[Maven](https://maven.apache.org/): See documentation for [jib-maven-plugin](jib-maven-plugin).\
[Gradle](https://gradle.org/): See documentation for [jib-gradle-plugin](jib-gradle-plugin).\
[Jib Core](jib-core): A general-purpose container-building library for Java.\
[Jib CLI](jib-cli): A command-line interface for building images that uses Jib Core.
- [Maven](https://maven.apache.org/): See documentation for [jib-maven-plugin](jib-maven-plugin).
- [Gradle](https://gradle.org/): See documentation for [jib-gradle-plugin](jib-gradle-plugin).
- [Jib Core](jib-core): A general-purpose container-building library for Java.
- [Jib CLI](jib-cli): A command-line interface for building images that uses Jib Core.

Jib works well with Google Cloud Build. For details, see [how to use Jib on Google Cloud Build](docs/google-cloud-build.md).

For more information, check out the [official blog post](https://cloudplatform.googleblog.com/2018/07/introducing-jib-build-java-docker-images-better.html) or watch [this talk](https://www.youtube.com/watch?v=H6gR_Cv4yWI) ([slides](https://speakerdeck.com/coollog/build-containers-faster-with-jib-a-google-image-build-tool-for-java-applications)).

16 changes: 13 additions & 3 deletions build.gradle
Expand Up @@ -19,7 +19,7 @@ project.ext.dependencyStrings = [
GOOGLE_HTTP_CLIENT: 'com.google.http-client:google-http-client:1.42.2',
GOOGLE_HTTP_CLIENT_APACHE_V2: 'com.google.http-client:google-http-client-apache-v2:1.42.2',
GOOGLE_AUTH_LIBRARY_OAUTH2_HTTP: 'com.google.auth:google-auth-library-oauth2-http:1.10.0',
GUAVA: 'com.google.guava:guava:32.0.1-jre',
GUAVA: 'com.google.guava:guava:32.1.2-jre',
JSR305: 'com.google.code.findbugs:jsr305:3.0.2', // transitively pulled in by GUAVA

// for Build Plan and Jib Plugins Extension API
Expand All @@ -29,7 +29,7 @@ project.ext.dependencyStrings = [
MAVEN_EXTENSION: 'com.google.cloud.tools:jib-maven-plugin-extension-api:0.4.0',

COMMONS_COMPRESS: 'org.apache.commons:commons-compress:1.21',
ZSTD_JNI: 'com.github.luben:zstd-jni:1.5.5-4',
ZSTD_JNI: 'com.github.luben:zstd-jni:1.5.5-5',
COMMONS_TEXT: 'org.apache.commons:commons-text:1.10.0',
JACKSON_BOM: 'com.fasterxml.jackson:jackson-bom:2.15.2',
JACKSON_DATABIND: 'com.fasterxml.jackson.core:jackson-databind',
Expand All @@ -53,7 +53,7 @@ project.ext.dependencyStrings = [
MOCKITO_CORE: 'org.mockito:mockito-core:4.11.0',
SISU_PLEXUS: 'org.eclipse.sisu:org.eclipse.sisu.plexus:0.3.5',
SLF4J_API: 'org.slf4j:slf4j-api:2.0.7',
SLF4J_SIMPLE: 'org.slf4j:slf4j-simple:2.0.7',
SLF4J_SIMPLE: 'org.slf4j:slf4j-simple:2.0.9',
SYSTEM_RULES: 'com.github.stefanbirkner:system-rules:1.19.0',
JBCRYPT: 'org.mindrot:jbcrypt:0.4',
]
Expand All @@ -79,6 +79,16 @@ subprojects {
apply plugin: 'net.ltgt.errorprone'
apply plugin: 'jacoco'

// Guava update breaks unit tests. Workaround mentioned in https://github.com/google/guava/issues/6612#issuecomment-1614992368.
sourceSets.all {
configurations.getByName(runtimeClasspathConfigurationName) {
attributes.attribute(Attribute.of("org.gradle.jvm.environment", String), "standard-jvm")
}
configurations.getByName(compileClasspathConfigurationName) {
attributes.attribute(Attribute.of("org.gradle.jvm.environment", String), "standard-jvm")
}
}

sourceCompatibility = JavaVersion.VERSION_1_8
targetCompatibility = JavaVersion.VERSION_1_8
compileJava.options.encoding = 'UTF-8'
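Review bot: The workaround block under `sourceSets.all` builds the same `Attribute.of("org.gradle.jvm.environment", String)` / `"standard-jvm"` pair twice, and its comment gives no condition for removing it. Hoist the attribute into a local variable and extend the comment to say which upstream change would let the block be deleted, so the override does not outlive the problem it works around. The comment says only the unit tests break, yet the attribute is forced on the compile and runtime classpath of every source set in every subproject; if the failure is limited to test classpaths, scoping the override to those would leave default variant selection untouched for the shipped artifacts.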
2 changes: 1 addition & 1 deletion docs/configure-gcp-credentials.md
@@ -1,6 +1,6 @@
# Configuring Credentials for [Google Container Registry (GCR)](https://cloud.google.com/container-registry/)

There are a few ways of supplying Jib with the credentials to push and pull images from your private GCR regsitry.
There are a few ways of supplying Jib with the credentials to push and pull images from your private GCR registry.

## Using the Docker credential helper

2 changes: 1 addition & 1 deletion docs/default_base_image.md
Expand Up @@ -30,7 +30,7 @@ Some options:
* Prevent Jib from accessing Docker Hub (after Jib cached a base image locally).
- Pin to a specific base image using a SHA digest (for example, `jib.from.image='eclipse-temurin:11-jre@sha256:...'`).
- Do offline building.
- Read a base from a local Docker deamon.
- Read a base from a local Docker daemon.
- Set up a local registry, store a base image, and read it from the local registry.
* Retry with increasing backoffs.

6 changes: 3 additions & 3 deletions docs/faq.md
Expand Up @@ -495,7 +495,7 @@ To inspect the image that is produced from the build using Docker, you can use c

### How do I specify a platform in the manifest list (or OCI index) of a base image?

Newer Jib verisons added an _incubating feature_ that provides support for selecting base images with the desired platforms from a manifest list. For example,
Newer Jib versions added an _incubating feature_ that provides support for selecting base images with the desired platforms from a manifest list. For example,

```xml
<from>
Expand Down Expand Up @@ -582,7 +582,7 @@ Some other alternatives to get around the rate limits:
* Prevent Jib from accessing Docker Hub (after Jib cached a base image locally).
- **Pin to a specific base image using a SHA digest.** For example, `jib.from.image='eclipse-temurin:11-jre@sha256:...'`. If you are not setting a base image with a SHA digest (which is the case if you don't set `jib.from.image` at all), then every time Jib runs, it reaches out to the registry to check if the base image is up-to-date. On the other hand, if you pin to a specific image with a digest, then the image is immutable. Therefore, if Jib has cached the image once (by running Jib online once to fully cache the image), Jib will not reach out to the Docker Hub. See [this Stack Overflow answer](https://stackoverflow.com/a/61190005/1701388) for more details.
- (Maven/Gradle plugins only) **Do offline building.** Pass `--offline` to Maven or Gradle. Before that, you need to run Jib online once to cache the image. However, `--offline` means you cannot push to a remote registry. See [this Stack Overflow answer](https://stackoverflow.com/a/61190005/1701388) for more details.
- **Retrieve a base image from a local Docker deamon.** Store an image to your local Docker daemon, and set, say, `jib.from.image='docker://eclipse-temurin:11-jre'`. It can be slow for an initial build where Jib has to cache the image in Jib's format. For performance reasons, we usually recommend using an image on a registry.
- **Retrieve a base image from a local Docker daemon.** Store an image to your local Docker daemon, and set, say, `jib.from.image='docker://eclipse-temurin:11-jre'`. It can be slow for an initial build where Jib has to cache the image in Jib's format. For performance reasons, we usually recommend using an image on a registry.
- **Set up a local registry, store a base image, and read it from the local registry.** Setting up a local registry is as simple as running `docker run -d -p5000:5000 registry:2`, but nevertheless, the whole process is a bit involved.
* Retry with increasing backoffs. For example, using the [`retry`](https://github.com/kadwanev/retry) tool.

Expand Down Expand Up @@ -759,7 +759,7 @@ When you're using latest Java versions to write an app (or using an old version
Failed to execute goal com.google.cloud.tools:jib-maven-plugin:3.2.0:dockerBuild (default-cli) on project demo: Execution default-cli of goal com.google.cloud.tools:jib-maven-plugin:3.2.0:dockerBuild failed: Unsupported class file major version 61
```

Jib uses the [ASM library](https://asm.ow2.io/) to examine compiled Java bytecode to automatically infer a main class (in other words, the class that defines `public static void main()` to start your app). In this way, if you have only one such class, Jib can automatically infer and use that class to set an image entrypoint (basically, a command to start your app). When new Java versions come out, often the ASM library version used in Jib doesn't support the new bytecode format. If this is the case, check if you are using the latest Jib. If you still get the error with the latest Jib, file a [bug](https://github.com/GoogleContainerTools/jib/issues/new/choose) to have the Jib team upgarde the ASM library.
Jib uses the [ASM library](https://asm.ow2.io/) to examine compiled Java bytecode to automatically infer a main class (in other words, the class that defines `public static void main()` to start your app). In this way, if you have only one such class, Jib can automatically infer and use that class to set an image entrypoint (basically, a command to start your app). When new Java versions come out, often the ASM library version used in Jib doesn't support the new bytecode format. If this is the case, check if you are using the latest Jib. If you still get the error with the latest Jib, file a [bug](https://github.com/GoogleContainerTools/jib/issues/new/choose) to have the Jib team upgrade the ASM library.

**Workaround**: to prevent Jib from doing auto-inference, you can manually set your desired main class via [`<container><mainClass>`](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#container-object) (for example, `<container><mainClass>com.example.your.Main</mainClass>`). As with other Jib parameters, it can be set through system/Maven properties or on the command-line (for example, `-Dcontainer.mainClass=...`).

33 changes: 33 additions & 0 deletions docs/google-cloud-build.md
@@ -0,0 +1,33 @@
# Jib on Google Cloud Build

You can use Jib on [Google Cloud Build](https://cloud.google.com/build) in a simple step:

```yaml
steps:
- name: 'gcr.io/cloud-builders/javac:8'
entrypoint: './gradlew'
args: ['--console=plain', '--no-daemon', ':server:jib', '-Djib.to.image=gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA']
```
Any Java container can be used for building, not only the `gcr.io/cloud-builders/javac:*` (from [gcr.io/cloud-builders/javac](https://github.com/GoogleCloudPlatform/cloud-builders/tree/master/javac)), for example with [Temurin](https://adoptium.net/en-GB/temurin/)'s:

```yaml
steps:
- name: 'docker.io/library/eclipse-temurin:17'
entrypoint: './gradlew'
args: ['--console=plain', '--no-daemon', ':server:jib', '-Djib.to.image=gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA']
```

To use [Google "Distroless" Container Images](https://github.com/GoogleContainerTools/distroless) to build with Jib on Google Cloud Build, and avoid running into `Step #1: standard_init_linux.go:228: exec user process caused: no such file or directory` errors (because Google's _distroless_ containers are based on `busybox`), you have to do something like this:

```yaml
steps:
- name: 'gcr.io/distroless/java17-debian11:debug'
entrypoint: '/busybox/sh'
args:
- -c
- |
ln -s /busybox/sh /bin/sh
ln -s /busybox/env /usr/bin/env
/workspace/gradlew --console=plain --no-daemon --gradle-user-home=/home/.gradle :server:jib -Djib.to.image=gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA
```
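Review bot: All three `name:` entries reference the builder image by mutable tag (`javac:8`, `eclipse-temurin:17`, `java17-debian11:debug`), while docs/default_base_image.md in this same commit recommends pinning with a SHA digest; the builder image runs the step that pushes to `gcr.io/$PROJECT_ID/...`, so the examples should show the `@sha256:...` form or at least mention it. In the distroless paragraph, "based on `busybox`" does not match the example, which works only because the `:debug` tag provides a shell at `/busybox/sh`; say that the `:debug` variant is required and what the two `ln -s` lines are for. The quoted error reads `Step #1` although the example has a single step, and a blank line is missing between the first closing fence and "Any Java container can be used".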
2 changes: 1 addition & 1 deletion examples/multi-module/README.md
Expand Up @@ -27,7 +27,7 @@ in gradle to achieve this. This configuration can be seen in the

Care must be taken when adding custom attributes to a `MANIFEST.MF`.
Attributes whose values change on every build can affect reproducibility even
with the modifications outlined aboved.
with the modifications outlined above.

# How to run

10 changes: 5 additions & 5 deletions jib-cli/README.md
Expand Up @@ -70,7 +70,7 @@ slsa-verifier -artifact-path jib-jre-<version>.zip -provenance jib-jre-<version>

### Windows: Install with `choco`

On Windows, you can use the [`choco`](https://community.chocolatey.org/packages/jib) command. To install, upgradle, or uninstall Jib CLI, run the following commands from the command-line or PowerShell:
On Windows, you can use the [`choco`](https://community.chocolatey.org/packages/jib) command. To install, upgrade, or uninstall Jib CLI, run the following commands from the command-line or PowerShell:
```
choco install jib
choco upgrade jib
Expand Down Expand Up @@ -242,7 +242,7 @@ Credentials can be specified using credential helpers or username + password. Th

```
--credential-helper <credHelper> credential helper for communicating with both target and base image registries, either a path to the helper, or a suffix for an executable named `docker-credential-<suffix>`
--to-crendential-helper <credHelper> credential helper for communicating with target registry, either a path to the helper, or a suffix for an executable named `docker-credential-<suffix>
--to-credential-helper <credHelper> credential helper for communicating with target registry, either a path to the helper, or a suffix for an executable named `docker-credential-<suffix>
--from-credential-helper <credHelper> credential helper for communicating with base image registry, either a path to the helper, or a suffix for an executable named `docker-credential-<suffix>`

--username <username> username for communicating with both target and base image registries
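Review bot: The corrected `--to-credential-helper` line is still missing the closing backtick after `docker-credential-<suffix>`, unlike the `--credential-helper` and `--from-credential-helper` lines on either side of it. Add it while this line is being touched so the three option descriptions render the same way.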
Expand Down Expand Up @@ -298,7 +298,7 @@ Some options can be set in the global Jib configuration file. The file is at the
### Properties
* `disableUpdateCheck`: when set to true, disables the periodic up-to-date version check.
* `registryMirrors`: a list of mirror settings for each base image registry. In the following example, if the base image configured in Jib is for a Docker Hub image, then `mirror.gcr.io`, `localhost:5000`, and the Docker Hub (`registry-1.docker.io`) are tried in order until Jib can successfuly pull a base image.
* `registryMirrors`: a list of mirror settings for each base image registry. In the following example, if the base image configured in Jib is for a Docker Hub image, then `mirror.gcr.io`, `localhost:5000`, and the Docker Hub (`registry-1.docker.io`) are tried in order until Jib can successfully pull a base image.
```json
{
Expand Down Expand Up @@ -428,7 +428,7 @@ layers:
- src: file.txt
dest: /file.txt
```
- Parent directories that are not exiplicitly defined in a layer will the default properties in jib-core (permissions: 755, modification-time: epoch+1). In the following example, `/somewhere` on the container will have the directory permissions `755`, not `777` as some might expect.
- Parent directories that are not explicitly defined in a layer will the default properties in jib-core (permissions: 755, modification-time: epoch+1). In the following example, `/somewhere` on the container will have the directory permissions `755`, not `777` as some might expect.
```
- name: layer
properties:
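Review bot: The sentence fixed here still has no verb: "Parent directories that are not explicitly defined in a layer will the default properties in jib-core" should read "will use the default properties" (or "will have"). The spelling fix alone leaves the statement about the `755` default hard to parse.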
Expand All @@ -445,7 +445,7 @@ layers:
#### Base Image Parameter Inheritance
Some values defined in the base image may be preserved and propogated into the new container.
Some values defined in the base image may be preserved and propagated into the new container.
Parameters will append to base image value:
- `volumes`
Expand Up @@ -434,7 +434,7 @@ public void testParse_incompatibleCredentialOptions(String[] authArgs) {
new Jar(), ArrayUtils.addAll(authArgs, "--target=ignored", "my-app.jar")));
assertThat(meae)
.hasMessageThat()
.containsMatch("^Error: (--(from-|to-)?credential-helper|\\[--username)");
.containsMatch("^Error: (\\[)*(--(from-|to-)?credential-helper|\\[--(username|password))");
}

@Test
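Review bot: The widened pattern passed to `containsMatch` has no comment saying which message shapes it now has to accept, and `(\\[)*` is an unbounded capturing group where `\\[*` (or `\\[?` if at most one bracket is expected) would state the intent. Because `authArgs` is a test parameter, consider supplying the expected message prefix alongside each argument set, so the assertion stays as tight as the old one instead of accepting any alternative for every case.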
Expand Up @@ -37,7 +37,7 @@ public class ContainerizerTest {
public void testTo() throws CacheDirectoryCreationException, InvalidImageReferenceException {
RegistryImage registryImage = RegistryImage.named("registry/image");
DockerDaemonImage dockerDaemonImage = DockerDaemonImage.named("daemon/image");
TarImage tarImage = TarImage.at(Paths.get("ignored")).named("tar/iamge");
TarImage tarImage = TarImage.at(Paths.get("ignored")).named("tar/image");
DockerClient dockerClient = new AnotherDockerClient();

verifyTo(Containerizer.to(registryImage));
Expand Down Expand Up @@ -107,10 +107,10 @@ public void testGetImageConfiguration_registryImage() throws InvalidImageReferen

@Test
public void testGetImageConfiguration_dockerDaemonImage() throws InvalidImageReferenceException {
Containerizer containerizer = Containerizer.to(DockerDaemonImage.named("docker/deamon/image"));
Containerizer containerizer = Containerizer.to(DockerDaemonImage.named("docker/daemon/image"));

ImageConfiguration imageConfiguration = containerizer.getImageConfiguration();
Assert.assertEquals("docker/deamon/image", imageConfiguration.getImage().toString());
Assert.assertEquals("docker/daemon/image", imageConfiguration.getImage().toString());
Assert.assertEquals(0, imageConfiguration.getCredentialRetrievers().size());
}

2 changes: 1 addition & 1 deletion jib-gradle-plugin/README.md
Expand Up @@ -339,7 +339,7 @@ Some options can be set in the global Jib configuration file. The file is at the
#### Properties

* `disableUpdateCheck`: when set to true, disables the periodic up-to-date version check.
* `registryMirrors`: a list of mirror settings for each base image registry. In the following example, if the base image configured in Jib is for a Docker Hub image, then `mirror.gcr.io`, `localhost:5000`, and the Docker Hub (`registry-1.docker.io`) are tried in order until Jib can successfuly pull a base image.
* `registryMirrors`: a list of mirror settings for each base image registry. In the following example, if the base image configured in Jib is for a Docker Hub image, then `mirror.gcr.io`, `localhost:5000`, and the Docker Hub (`registry-1.docker.io`) are tried in order until Jib can successfully pull a base image.

```json
{
2 changes: 1 addition & 1 deletion jib-maven-plugin/README.md
Expand Up @@ -389,7 +389,7 @@ Some options can be set in the global Jib configuration file. The file is at the
#### Properties

* `disableUpdateCheck`: when set to true, disables the periodic up-to-date version check.
* `registryMirrors`: a list of mirror settings for each base image registry. In the following example, if the base image configured in Jib is for a Docker Hub image, then `mirror.gcr.io`, `localhost:5000`, and the Docker Hub (`registry-1.docker.io`) are tried in order until Jib can successfuly pull a base image.
* `registryMirrors`: a list of mirror settings for each base image registry. In the following example, if the base image configured in Jib is for a Docker Hub image, then `mirror.gcr.io`, `localhost:5000`, and the Docker Hub (`registry-1.docker.io`) are tried in order until Jib can successfully pull a base image.

```json
{
4 changes: 2 additions & 2 deletions proposals/jib-cli-surface.md
Expand Up @@ -21,7 +21,7 @@ build build a container
registry://gcr.io/project/image
docker://some-image-ref
tar://relative/path.tar
tar:///aboslute/path.tar
tar:///absolute/path.tar
```

### Optional
Expand Down Expand Up @@ -49,7 +49,7 @@ build build a container
Credentials can be specified using credential helpers or username + password. The following options are available
```
--credential-helper <credHelper> credential helper to use for registries, a path or name suffix (docker-credential-<suffix>)
--to-crendential-helper <credHelper> credential helper to use only for the target registry
--to-credential-helper <credHelper> credential helper to use only for the target registry
--from-credential-helper <credHelper> credential helper to use only for the base image registry
--username <username> configure a username for authenticating against registries