build: migration to java 11 runtime for better performance and memory…

… usage
wearefrank · Sep 14, 2023 · 153e521 · 153e521
1 parent 8e2a90e
commit 153e521
Show file tree

Hide file tree

Showing 5 changed files with 81 additions and 80 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,29 @@
-# Keep in sync with version in frank-runner.properties. Detailed instructions can be found in CONTRIBUTING.md.
-# Check whether java-orig files have changed in F!F and update custom code (java and java-orig files) accordingly
+FROM tomcat:8-jre11-temurin-jammy AS base
 
-# Before bumping make sure https://github.com/ibissource/iaf/issues/5356 is resolved or stuurgegevens-refactor PR is merged.
-FROM docker.io/wearefrank/frank-framework:7.9-20230905.223421
+ARG GID=1000
+ARG UID=1000
+
+# Secure files (CIS-DI-0008)
+RUN chmod -R 751 /usr/bin /usr/sbin
+
+# Create folder and user, and set file permissions
+RUN set -eux && \
+	# Create default directory for configurations, properties and credential filesystem
+	mkdir -p /opt/frank/secrets && \
+	# Create tomcat user for stepping down from root
+	groupadd -g ${GID} tomcat && \
+	useradd -u ${UID} -g tomcat -s /usr/sbin/nologin -l tomcat && \
+	# Change permissions and ownership of files
+	chown -hR tomcat:tomcat ${CATALINA_HOME} && \
+	chown -hR tomcat:tomcat /opt/frank
+
+# All previous actions are performed as root. Run following instructions and start container as tomcat.
+USER tomcat
+
+# Copy environment configuration
+COPY --from=docker.io/wearefrank/frank-framework:7.9-20230905.223421 --chown=tomcat /usr/local/tomcat/conf/catalina.properties /usr/local/tomcat/conf/catalina.properties
+COPY --from=docker.io/wearefrank/frank-framework:7.9-20230905.223421 --chown=tomcat /usr/local/tomcat/lib/ /usr/local/tomcat/lib/
+COPY --from=docker.io/wearefrank/frank-framework:7.9-20230905.223421 --chown=tomcat /usr/local/tomcat/webapps/ROOT /usr/local/tomcat/webapps/ROOT
 
 # TempFix TODO: Move this to the credentialprovider.properties
 ENV credentialFactory.class=nl.nn.credentialprovider.PropertyFileCredentialFactory
@@ -21,14 +42,22 @@ COPY --chown=tomcat src/main/configurations/ /opt/frank/configurations/
 COPY --chown=tomcat src/main/resources/ /opt/frank/resources/
 COPY --chown=tomcat src/test/testtool/ /opt/frank/testtool/
 
-# Compile custom class, this should be changed to a buildstep in the future
-COPY --chown=tomcat src/main/java /tmp/java
-RUN javac \
+# Compile custom class
+FROM eclipse-temurin:8-jdk-jammy AS build
+
+COPY --from=base /usr/local/tomcat/lib/ /usr/local/tomcat/lib/
+COPY --from=base /usr/local/tomcat/webapps/ROOT /usr/local/tomcat/webapps/ROOT
+
+COPY src/main/java /tmp/java
+RUN mkdir /tmp/classes \
+      && javac \
       /tmp/java/nl/nn/adapterframework/parameters/Parameter.java \
       -classpath "/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/*:/usr/local/tomcat/lib/*" \
-      -verbose -d /usr/local/tomcat/webapps/ROOT/WEB-INF/classes
-RUN rm -rf /tmp/java
+      -verbose -d /tmp/classes 
+
+FROM base AS final
+
+COPY --from=build --chown=tomcat /tmp/classes/ /usr/local/tomcat/webapps/ROOT/WEB-INF/classes
 
-# The part after "||" is to make sure the response of the health-endpoint call is included in the logs, for debugging purposes.
 HEALTHCHECK --interval=15s --timeout=5s --start-period=30s --retries=60 \
   CMD curl --fail --silent http://localhost:8080/iaf/api/server/health || (curl --silent http://localhost:8080/iaf/api/server/health && exit 1)
diff --git a/Dockerfile.java11 b/Dockerfile.java11
diff --git a/Dockerfile.java8 b/Dockerfile.java8
@@ -0,0 +1,34 @@
+# Keep in sync with version in frank-runner.properties. Detailed instructions can be found in CONTRIBUTING.md.
+# Check whether java-orig files have changed in F!F and update custom code (java and java-orig files) accordingly
+
+# Before bumping make sure https://github.com/ibissource/iaf/issues/5356 is resolved or stuurgegevens-refactor PR is merged.
+FROM docker.io/wearefrank/frank-framework:7.9-20230905.223421
+
+# TempFix TODO: Move this to the credentialprovider.properties
+ENV credentialFactory.class=nl.nn.credentialprovider.PropertyFileCredentialFactory
+ENV credentialFactory.map.properties=/opt/frank/resources/credentials.properties
+ENV zaakbrug.zds.timezone=UTC
+
+# Copy dependencies
+COPY --chown=tomcat lib/server/ /usr/local/tomcat/lib/
+COPY --chown=tomcat lib/webapp/ /usr/local/tomcat/webapps/ROOT/WEB-INF/lib/
+
+# When deploying the "context.xml" should be copied to /usr/local/tomcat/conf/Catalina/localhost/ROOT.xml
+COPY --chown=tomcat src/main/webapp/META-INF/context.xml /usr/local/tomcat/conf/Catalina/localhost/ROOT.xml
+
+# Copy Frank!
+COPY --chown=tomcat src/main/configurations/ /opt/frank/configurations/
+COPY --chown=tomcat src/main/resources/ /opt/frank/resources/
+COPY --chown=tomcat src/test/testtool/ /opt/frank/testtool/
+
+# Compile custom class, this should be changed to a buildstep in the future
+COPY --chown=tomcat src/main/java /tmp/java
+RUN javac \
+      /tmp/java/nl/nn/adapterframework/parameters/Parameter.java \
+      -classpath "/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/*:/usr/local/tomcat/lib/*" \
+      -verbose -d /usr/local/tomcat/webapps/ROOT/WEB-INF/classes
+RUN rm -rf /tmp/java
+
+# The part after "||" is to make sure the response of the health-endpoint call is included in the logs, for debugging purposes.
+HEALTHCHECK --interval=15s --timeout=5s --start-period=30s --retries=60 \
+  CMD curl --fail --silent http://localhost:8080/iaf/api/server/health || (curl --silent http://localhost:8080/iaf/api/server/health && exit 1)
diff --git a/docker-compose.zaakbrug.dev.perf-tests.yml b/docker-compose.zaakbrug.dev.perf-tests.yml
@@ -2,9 +2,7 @@ version: '3.8'
 
 services:
   zaakbrug:
-    build:
-      context: .
-      dockerfile: ./Dockerfile.java11
+    build: .
     environment:
       - zaakbrug.zgw.zaken-api.timeout=120000
       - zaakbrug.zgw.catalogi-api.timeout=120000

diff --git a/src/main/resources/DeploymentSpecifics.properties b/src/main/resources/DeploymentSpecifics.properties
@@ -18,22 +18,25 @@ configurations.names=Translate
 classloader.type=DirectoryClassLoader
 ibistesttool.custom=Custom
 
+#large files
+soap.bus.org.apache.cxf.stax.maxTextLength=1000000000
+
 zaakbrug.zgw.zaken-api.root-url=http://localhost:8000/zaken/api/v1/
-zaakbrug.zgw.zaken-api.timeout=20000
+zaakbrug.zgw.zaken-api.timeout=60000
 # Options: 'jwt', 'basic', 'value'. 'value' uses the password field of the given authAlias as Authorization header
 zaakbrug.zgw.zaken-api.auth-type=jwt
 # reference to an auth alias configured in credentials.properties
 zaakbrug.zgw.zaken-api.auth-alias=zaken-api.jwt
 zaakbrug.zgw.catalogi-api.root-url=http://localhost:8000/catalogi/api/v1/
-zaakbrug.zgw.catalogi-api.timeout=20000
+zaakbrug.zgw.catalogi-api.timeout=60000
 zaakbrug.zgw.catalogi-api.auth-type=jwt
 zaakbrug.zgw.catalogi-api.auth-alias=zaken-api.jwt
 zaakbrug.zgw.documenten-api.root-url=http://localhost:8000/documenten/api/v1/
-zaakbrug.zgw.documenten-api.timeout=20000
+zaakbrug.zgw.documenten-api.timeout=60000
 zaakbrug.zgw.documenten-api.auth-type=jwt
 zaakbrug.zgw.documenten-api.auth-alias=zaken-api.jwt
 zaakbrug.zgw.besluiten-api.root-url=http://localhost:8000/besluiten/api/v1/
-zaakbrug.zgw.besluiten-api.timeout=20000
+zaakbrug.zgw.besluiten-api.timeout=60000
 zaakbrug.zgw.besluiten-api.auth-type=jwt
 zaakbrug.zgw.besluiten-api.auth-alias=zaken-api.jwt