Deprecate Mariner 2.0 (#123)

Luigi96 · web-flow · commit 03126c1cd970 · 2025-07-03T12:49:08.000-07:00
* Update distroless images to Azurelinux 3.0 * Mariner now points to Azurelinux * Remove mariner build * Test local build without pushing * Fix typo * echo build command * test registries * Use runtime expressions * Add mariner to REGISTRIES variable if Azure Linux is selected * Embeed mariner signing trigger into trigger job * Fix typo * Add support for mariner distribution * Enable image push * Remove multiple signing for azurelinux/mariner * Fix variable separator typo * Fix distroless releasever * Update distroless temurin to Azure Linux 3 * Code sugestion * Merge Distroless with Azure Linux 3.0 (#122)
diff --git a/.devops/build.yml b/.devops/build.yml
@@ -32,22 +32,15 @@ parameters:
         package: temurin-8
         image: "image-repository"
         tag: "3.0"
-      mariner_8:
-        new_LTS_image: false
-        distro: mariner
-        version: 8
-        package: temurin-8
-        image: "image-repository"
-        tag: "2.0"
       distroless_8:
         new_LTS_image: false
         distro: distroless
         version: 8
         package: temurin-8
         installer_image: "image-repository"
-        installer_tag: "2.0"
+        installer_tag: "3.0"
         base_image: "image-repository"
-        base_tag: "2.0"
+        base_tag: "3.0"
       ubuntu_11:
         new_LTS_image: false
         distro: ubuntu
@@ -62,22 +55,15 @@ parameters:
         package: msopenjdk-11
         image: "image-repository"
         tag: "3.0"
-      mariner_11:
-        new_LTS_image: false
-        distro: mariner
-        version: 11
-        package: msopenjdk-11
-        image: "image-repository"
-        tag: "2.0"
       distroless_11:
         new_LTS_image: false
         distro: distroless
         version: 11
         package: msopenjdk-11
         installer_image: "image-repository"
-        installer_tag: "2.0"
+        installer_tag: "3.0"
         base_image: "image-repository"
-        base_tag: "2.0"
+        base_tag: "3.0"
       ubuntu_17:
         new_LTS_image: false
         distro: ubuntu
@@ -92,22 +78,15 @@ parameters:
         package: msopenjdk-17
         image: "image-repository"
         tag: "3.0"
-      mariner_17:
-        new_LTS_image: false
-        distro: mariner
-        version: 17
-        package: msopenjdk-17
-        image: "image-repository"
-        tag: "2.0"
       distroless_17:
         new_LTS_image: false
         distro: distroless
         version: 17
         package: msopenjdk-17
         installer_image: "image-repository"
-        installer_tag: "2.0"
+        installer_tag: "3.0"
         base_image: "image-repository"
-        base_tag: "2.0"
+        base_tag: "3.0"
       ubuntu_21:
         new_LTS_image: false
         distro: ubuntu
@@ -122,22 +101,15 @@ parameters:
         package: msopenjdk-21
         image: "image-repository"
         tag: "3.0"
-      mariner_21:
-        new_LTS_image: false
-        distro: mariner
-        version: 21
-        package: msopenjdk-21
-        image: "image-repository"
-        tag: "2.0"
       distroless_21:
         new_LTS_image: false
         distro: distroless
         version: 21
         package: msopenjdk-21
         installer_image: "image-repository"
-        installer_tag: "2.0"
+        installer_tag: "3.0"
         base_image: "image-repository"
-        base_tag: "2.0"
+        base_tag: "3.0"
 
 resources:
   repositories:
@@ -180,6 +152,16 @@ extends:
                   FEED: ${{ parameters.feed }}
                   NAME: ${{ parameters.package }}
 
+              - bash: |
+                  REGISTRIES=msopenjdk.azurecr.io/internal/private/openjdk/jdk:$(version)-$(distro)
+                  if [[ "$(distro)" == "azurelinux" ]]; then
+                    REGISTRIES+=";msopenjdk.azurecr.io/internal/private/openjdk/jdk:$(version)-mariner"
+                  elif [[ "$(distro)" == "mariner" ]]; then
+                    REGISTRIES="msopenjdk.azurecr.io/internal/private/openjdk/jdk:$(version)-mariner-cm2"
+                  fi
+                  echo "##vso[task.setvariable variable=REGISTRIES]$REGISTRIES"
+                displayName: Set REGISTRIES variable
+
               - task: AzureCLI@2
                 displayName: Annotate previous image
                 condition: ne( variables['new_LTS_image'], true)
@@ -190,7 +172,7 @@ extends:
                   scriptPath: $(Build.SourcesDirectory)/scripts/image-annotation.sh
                 env:
                   ACR_NAME: msopenjdk
-                  REGISTRY: msopenjdk.azurecr.io/internal/private/openjdk/jdk:$(version)-$(distro)
+                  REGISTRIES: $(REGISTRIES)
               - task: AzureCLI@2
                 inputs:
                   azureSubscription: "JEG-Infrastructure"
@@ -199,7 +181,7 @@ extends:
                   scriptPath: $(Build.SourcesDirectory)/scripts/build-image.sh
                 displayName: build image
                 env:
-                  REGISTRY_TAG: msopenjdk.azurecr.io/internal/private/openjdk/jdk:$(version)-$(distro)
+                  REGISTRY_TAGS: $(REGISTRIES)
                   IMAGE: $(image)
                   TAG: $(tag)
                   PACKAGE: $(package)
@@ -246,6 +228,19 @@ extends:
                   FEED: ${{ parameters.feed }}
                   NAME: ${{ parameters.package }}
 
+              - bash: |
+                  REGISTRIES=msopenjdk.azurecr.io/public/openjdk/jdk:$(version)-$(distro)
+                  TAGS="$(version)-$(distro)"
+                  if [[ "$(distro)" == "azurelinux" ]]; then
+                    REGISTRIES+=";msopenjdk.azurecr.io/public/openjdk/jdk:$(version)-mariner"
+                  elif [[ "$(distro)" == "mariner" ]]; then
+                    REGISTRIES="msopenjdk.azurecr.io/public/openjdk/jdk:$(version)-mariner-cm2"
+                    TAGS="$(version)-mariner-cm2"
+                  fi
+                  echo "##vso[task.setvariable variable=REGISTRIES]$REGISTRIES"
+                  echo "##vso[task.setvariable variable=TAGS]$TAGS"
+                displayName: Set environment variables
+
               - task: AzureCLI@2
                 displayName: Annotate previous image
                 condition: ne( variables['new_LTS_image'], true)
@@ -256,7 +251,7 @@ extends:
                   scriptPath: $(Build.SourcesDirectory)/scripts/image-annotation.sh
                 env:
                   ACR_NAME: msopenjdk
-                  REGISTRY: msopenjdk.azurecr.io/public/openjdk/jdk:$(version)-$(distro)
+                  REGISTRIES: $(REGISTRIES)
 
               - task: AzureCLI@2
                 inputs:
@@ -266,7 +261,7 @@ extends:
                   scriptPath: scripts/build-image.sh
                 displayName: build image
                 env:
-                  REGISTRY_TAG: msopenjdk.azurecr.io/public/openjdk/jdk:$(version)-$(distro)
+                  REGISTRY_TAGS: $(REGISTRIES)
                   IMAGE: $(image)
                   TAG: $(tag)
                   PACKAGE: $(package)
@@ -288,6 +283,6 @@ extends:
                       --org ${{ parameters.organization }} \
                       --project $(OPENJDK_PROJECT) \
                       --id $(OPENJDK_SIGNING_ID) \
-                      --parameters openjdk_tags="- $(version)-$(distro)" \
+                      --parameters openjdk_tags="[$(TAGS)]" \
                         image_registry="msopenjdk.azurecr.io/public/openjdk" \
                         image_name="jdk"
diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        baseimage: ["azurelinux", "mariner", "distroless"]
+        baseimage: ["azurelinux", "distroless"]
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -37,7 +37,7 @@ jobs:
       fail-fast: false
       matrix:
         jdkversion: [11, 17, 21] # Only build LTS releases
-        baseimage: ["azurelinux", "mariner", "ubuntu", "distroless"]
+        baseimage: ["azurelinux", "ubuntu", "distroless"]
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/docker/distroless/Dockerfile.msopenjdk-11-jdk b/docker/distroless/Dockerfile.msopenjdk-11-jdk
@@ -1,25 +1,29 @@
-ARG INSTALLER_IMAGE="mcr.microsoft.com/cbl-mariner/base/core"
-ARG INSTALLER_TAG="2.0"
-ARG BASE_IMAGE="mcr.microsoft.com/cbl-mariner/distroless/base"
-ARG BASE_TAG="2.0"
+ARG LINUX_VERSION="3.0"
+ARG JDK_VERSION="11"
+ARG INSTALLER_IMAGE="mcr.microsoft.com/azurelinux/base/core"
+ARG INSTALLER_TAG="${LINUX_VERSION}"
+ARG BASE_IMAGE="mcr.microsoft.com/azurelinux/distroless/base"
+ARG BASE_TAG="${LINUX_VERSION}"
 
 FROM ${INSTALLER_IMAGE}:${INSTALLER_TAG} AS installer
 
-ARG JDK_URL="https://aka.ms/download-jdk/microsoft-jdk-11-linux-ARCH.tar.gz"
+# Redeclare ARG to make it available in this build stage
+ARG INSTALLER_TAG
+ARG JDK_VERSION
+ARG JDK_URL="https://aka.ms/download-jdk/microsoft-jdk-${JDK_VERSION}-linux-ARCH.tar.gz"
 
 # Add dynamically linked packages: zlib
 # Distroless base image already has tzdata ca-certificates openssl glibc
 # Create a non-root user and group (just like .NET's image)
 RUN mkdir /staging \
     && tdnf update -y \
-    && tdnf install -y --releasever=2.0 --installroot /staging zlib \
+    && tdnf install -y --releasever=${INSTALLER_TAG} --installroot /staging zlib \
     && tdnf install -y gawk shadow-utils ca-certificates tar \
     && groupadd --system --gid=101 app \
-    && adduser --uid 101 --gid 101 --shell /bin/false --system app \
+    && useradd -l --uid=101 --gid=101 --shell /bin/false --system --create-home app  \
     && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
-    && rootOrAppRegex='^\(root\|app\):' \
-    && cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
-    && cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"
+    && cat /etc/passwd | grep '^\(root\|app\):' > "/staging/etc/passwd" \
+    && cat /etc/group | grep '^\(root\|app\):' > "/staging/etc/group"
 
 # Get JDK
 RUN mkdir -p /usr/lib/jvm && \
@@ -57,3 +61,4 @@ ENV JAVA_HOME=/usr/jdk
 ENV PATH="$PATH:$JAVA_HOME/bin"
 
 ENTRYPOINT [ "/usr/jdk/bin/java" ]
+CMD [ "-version" ]
diff --git a/docker/distroless/Dockerfile.msopenjdk-17-jdk b/docker/distroless/Dockerfile.msopenjdk-17-jdk
@@ -1,25 +1,29 @@
-ARG INSTALLER_IMAGE="mcr.microsoft.com/cbl-mariner/base/core"
-ARG INSTALLER_TAG="2.0"
-ARG BASE_IMAGE="mcr.microsoft.com/cbl-mariner/distroless/base"
-ARG BASE_TAG="2.0"
+ARG LINUX_VERSION="3.0"
+ARG JDK_VERSION="17"
+ARG INSTALLER_IMAGE="mcr.microsoft.com/azurelinux/base/core"
+ARG INSTALLER_TAG="${LINUX_VERSION}"
+ARG BASE_IMAGE="mcr.microsoft.com/azurelinux/distroless/base"
+ARG BASE_TAG="${LINUX_VERSION}"
 
 FROM ${INSTALLER_IMAGE}:${INSTALLER_TAG} AS installer
 
-ARG JDK_URL="https://aka.ms/download-jdk/microsoft-jdk-17-linux-ARCH.tar.gz"
+# Redeclare ARG to make it available in this build stage
+ARG INSTALLER_TAG
+ARG JDK_VERSION
+ARG JDK_URL="https://aka.ms/download-jdk/microsoft-jdk-${JDK_VERSION}-linux-ARCH.tar.gz"
 
 # Add dynamically linked packages: zlib
 # Distroless base image already has tzdata ca-certificates openssl glibc
 # Create a non-root user and group (just like .NET's image)
 RUN mkdir /staging \
     && tdnf update -y \
-    && tdnf install -y --releasever=2.0 --installroot /staging zlib \
+    && tdnf install -y --releasever=${INSTALLER_TAG} --installroot /staging zlib \
     && tdnf install -y gawk shadow-utils ca-certificates tar \
     && groupadd --system --gid=101 app \
-    && adduser --uid 101 --gid 101 --shell /bin/false --system app \
+    && useradd -l --uid=101 --gid=101 --shell /bin/false --system --create-home app  \
     && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
-    && rootOrAppRegex='^\(root\|app\):' \
-    && cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
-    && cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"
+    && cat /etc/passwd | grep '^\(root\|app\):' > "/staging/etc/passwd" \
+    && cat /etc/group | grep '^\(root\|app\):' > "/staging/etc/group"
 
 # Get JDK
 RUN mkdir -p /usr/lib/jvm && \
@@ -57,3 +61,4 @@ ENV JAVA_HOME=/usr/jdk
 ENV PATH="$PATH:$JAVA_HOME/bin"
 
 ENTRYPOINT [ "/usr/jdk/bin/java" ]
+CMD [ "-version" ]
diff --git a/docker/distroless/Dockerfile.msopenjdk-21-jdk b/docker/distroless/Dockerfile.msopenjdk-21-jdk
@@ -1,25 +1,29 @@
-ARG INSTALLER_IMAGE="mcr.microsoft.com/cbl-mariner/base/core"
-ARG INSTALLER_TAG="2.0"
-ARG BASE_IMAGE="mcr.microsoft.com/cbl-mariner/distroless/base"
-ARG BASE_TAG="2.0"
+ARG LINUX_VERSION="3.0"
+ARG JDK_VERSION="21"
+ARG INSTALLER_IMAGE="mcr.microsoft.com/azurelinux/base/core"
+ARG INSTALLER_TAG="${LINUX_VERSION}"
+ARG BASE_IMAGE="mcr.microsoft.com/azurelinux/distroless/base"
+ARG BASE_TAG="${LINUX_VERSION}"
 
 FROM ${INSTALLER_IMAGE}:${INSTALLER_TAG} AS installer
 
-ARG JDK_URL="https://aka.ms/download-jdk/microsoft-jdk-21-linux-ARCH.tar.gz"
+# Redeclare ARG to make it available in this build stage
+ARG INSTALLER_TAG
+ARG JDK_VERSION
+ARG JDK_URL="https://aka.ms/download-jdk/microsoft-jdk-${JDK_VERSION}-linux-ARCH.tar.gz"
 
 # Add dynamically linked packages: zlib
 # Distroless base image already has tzdata ca-certificates openssl glibc
 # Create a non-root user and group (just like .NET's image)
 RUN mkdir /staging \
     && tdnf update -y \
-    && tdnf install -y --releasever=2.0 --installroot /staging zlib \
+    && tdnf install -y --releasever=${INSTALLER_TAG} --installroot /staging zlib \
     && tdnf install -y gawk shadow-utils ca-certificates tar \
     && groupadd --system --gid=101 app \
-    && adduser --uid 101 --gid 101 --shell /bin/false --system app \
+    && useradd -l --uid=101 --gid=101 --shell /bin/false --system --create-home app  \
     && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
-    && rootOrAppRegex='^\(root\|app\):' \
-    && cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
-    && cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"
+    && cat /etc/passwd | grep '^\(root\|app\):' > "/staging/etc/passwd" \
+    && cat /etc/group | grep '^\(root\|app\):' > "/staging/etc/group"
 
 # Get JDK
 RUN mkdir -p /usr/lib/jvm && \
@@ -57,3 +61,4 @@ ENV JAVA_HOME=/usr/jdk
 ENV PATH="$PATH:$JAVA_HOME/bin"
 
 ENTRYPOINT [ "/usr/jdk/bin/java" ]
+CMD [ "-version" ]
diff --git a/docker/distroless/Dockerfile.temurin-8-jdk b/docker/distroless/Dockerfile.temurin-8-jdk
@@ -1,21 +1,25 @@
-ARG INSTALLER_IMAGE="mcr.microsoft.com/cbl-mariner/base/core"
-ARG INSTALLER_TAG="2.0"
-ARG BASE_IMAGE="mcr.microsoft.com/cbl-mariner/distroless/base"
-ARG BASE_TAG="2.0"
+ARG LINUX_VERSION="3.0"
+ARG JDK_VERSION="8"
+ARG INSTALLER_IMAGE="mcr.microsoft.com/azurelinux/base/core"
+ARG INSTALLER_TAG="${LINUX_VERSION}"
+ARG BASE_IMAGE="mcr.microsoft.com/azurelinux/distroless/base"
+ARG BASE_TAG="${LINUX_VERSION}"
 
 FROM ${INSTALLER_IMAGE}:${INSTALLER_TAG} AS installer
 
-ARG JDK_URL="https://api.adoptium.net/v3/binary/latest/8/ga/linux/ARCH/jdk/hotspot/normal/eclipse?project=jdk"
+ARG INSTALLER_TAG
+ARG JDK_VERSION
+ARG JDK_URL="https://api.adoptium.net/v3/binary/latest/${JDK_VERSION}/ga/linux/ARCH/jdk/hotspot/normal/eclipse?project=jdk"
 
 # Add dynamically linked packages: zlib
 # Distroless base image already has tzdata ca-certificates openssl glibc
 # Create a non-root user and group (just like .NET's image)
 RUN mkdir /staging \
     && tdnf update -y \
-    && tdnf install -y --releasever=2.0 --installroot /staging zlib \
+    && tdnf install -y --releasever=${INSTALLER_TAG} --installroot /staging zlib \
     && tdnf install -y gawk shadow-utils ca-certificates tar \
     && groupadd --system --gid=101 app \
-    && adduser --uid 101 --gid 101 --shell /bin/false --system app \
+    && adduser --uid 101 --gid 101 --shell /bin/false --system --create-home app \
     && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
     && rootOrAppRegex='^\(root\|app\):' \
     && cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
@@ -56,3 +60,4 @@ ENV JAVA_HOME=/usr/jdk
 ENV PATH="$PATH:$JAVA_HOME/bin"
 
 ENTRYPOINT [ "/usr/jdk/bin/java" ]
+CMD [ "-version" ]
diff --git a/scripts/build-image.sh b/scripts/build-image.sh
@@ -10,4 +10,9 @@ else
     BUILD_ARGS="--build-arg INSTALLER_IMAGE=$INSTALLER_IMAGE --build-arg INSTALLER_TAG=$INSTALLER_TAG --build-arg BASE_IMAGE=$(base_image) --build-arg BASE_TAG=$(base_tag) --build-arg package=$PACKAGE"
 fi
 
-docker buildx build --platform linux/amd64,linux/arm64 ${BUILD_ARGS} -t $REGISTRY_TAG -f docker/$DISTRIBUTION/Dockerfile.$PACKAGE-jdk . --push
+REGISTRY_TAGS="-t ${REGISTRY_TAGS/;/ -t }"
+
+# To push to a registry use --push
+# To build locally use --output=type=image,push=false
+echo "docker buildx build --platform linux/amd64,linux/arm64 ${BUILD_ARGS} ${REGISTRY_TAGS} -f docker/$DISTRIBUTION/Dockerfile.$PACKAGE-jdk . --push"
+docker buildx build --platform linux/amd64,linux/arm64 ${BUILD_ARGS} ${REGISTRY_TAGS} -f docker/$DISTRIBUTION/Dockerfile.$PACKAGE-jdk . --push
diff --git a/scripts/image-annotation.sh b/scripts/image-annotation.sh
