Java Container Mastery: Options For Optimizing Images

Transcript

1. March 2026 Java Container Mastery: Options For Optimizing Images Matthias

   Haeussler

2. 2

3. Abstract In today's cloud-native landscape, containerizing Java applications has become

   a standard practice, but the path to optimal implementation remains unclear. This presentation dissects the various approaches to containerizing Java applications beyond the basic Dockerfile. We'll examine the strengths and limitations of multiple container creation methods: traditional Dockerfiles, multi-stage Dockerfiles, Cloud-Native Buildpacks (buildpacks.io/paketo.io), Google's Jib, and custom solutions using jlink. Each approach will be evaluated through a comprehensive set of criteria: Build efficiency and speed Image size optimization Enterprise standardization capabilities Pipeline robustness JVM memory configuration strategies Security posture and vulnerability management Through live demonstrations focusing primarily on modern Java frameworks (Spring Boot, Quarkus, and Micronaut), attendees will gain practical insights into selecting the right containerization strategy for their specific use cases. We'll also explore how GraalVM native image compilation introduces new considerations and opportunities for Java containerization, particularly for startup time and resource utilization. While Java implementations serve as our primary examples, the principles discussed apply broadly across language ecosystems. Join this session to transform your containerization practices from merely functional to truly optimized for production environments. 3

4. @maeddes Situation 4

5. @maeddes Options 5

6. @maeddes Options 6

7. @maeddes Situation 7

8. @maeddes Lab Repo 8

9. @maeddes „What is the best Java base container image?“ 9

10. @maeddes 10

11. @maeddes 11

12. @maeddes „What is the best Java base container image?“ 12

13. @maeddes Container Images as Templates 13

14. @maeddes Container, Images & Layers 14

15. @maeddes Docker History 15 [1]

16. @maeddes 16 FROM ubuntu:24.04 RUN apt update && apt install

    openjdk-21-jre-headless -y COPY target/simplecode-0.0.1-SNAPSHOT.jar /opt/app.jar CMD ["java","-jar","/opt/app.jar"] Dockerfile (simple)

17. @maeddes Java in containers today 17

18. @maeddes Alternative Dockerfile 18 FROM eclipse-temurin:25-jre COPY target/simplecode-0.0.1-SNAPSHOT.jar /opt/app.jar CMD

    ["java", "-jar", "/opt/app.jar"]

19. @maeddes Alternative Dockerfile 19 FROM ibm-semeru-runtimes:open-25-jre COPY target/simplecode-0.0.1-SNAPSHOT.jar /opt/app.jar CMD

    ["java", "-jar", "/opt/app.jar"]

20. @maeddes Beware! 20

21. @maeddes Be careful - This will still “work”! 21 FROM

    adoptopenjdk:11-jre-hotspot COPY target/simplecode-0.0.1-SNAPSHOT.jar /opt/app.jar CMD ["java", "-jar", "/opt/app.jar"]

22. @maeddes Multi-Stage 22 [1]

23. @maeddes Multi-Stage Dockerfile 23 FROM maven:3-eclipse-temurin-25 AS build RUN mkdir

    -p /opt/app/src COPY src /opt/app/src COPY pom.xml /opt/app RUN mvn -f /opt/app/pom.xml package FROM eclipse-temurin:25-jre COPY --from=build /opt/app/target/simplecode-0.0.1-SNAPSHOT.jar /opt/app.jar ENTRYPOINT ["java","-jar","/opt/app.jar"]

24. @maeddes Multi-Stage Dockerfile 24 FROM maven:3-eclipse-temurin-25 AS build RUN mkdir

    -p /opt/app/src COPY src /opt/app/src COPY pom.xml /opt/app RUN mvn -f /opt/app/pom.xml package FROM eclipse-temurin:25-jre COPY --from=build /opt/app/target/simplecode-0.0.1-SNAPSHOT.jar /opt/app.jar ENTRYPOINT ["java","-jar","/opt/app.jar"]

25. @maeddes Multi-Stage Dockerfile 25 FROM maven:3-eclipse-temurin-25 AS build RUN mkdir

    -p /opt/app/src COPY src /opt/app/src COPY pom.xml /opt/app RUN mvn -f /opt/app/pom.xml package FROM eclipse-temurin:25-jre COPY --from=build /opt/app/target/simplecode-0.0.1-SNAPSHOT.jar /opt/app.jar ENTRYPOINT ["java","-jar","/opt/app.jar"]

26. @maeddes Buildkit 26 [1]

27. @maeddes 27

28. @maeddes 28

29. @maeddes Mount Cache 29 FROM maven:3-eclipse-temurin-25 AS build RUN mkdir

    -p /opt/app/src COPY src /opt/app/src COPY pom.xml /opt/app RUN --mount=type=cache,target=/root/.m2 mvn -f /opt/app/pom.xml package FROM eclipse-temurin:25-jre COPY --from=build /opt/app/target/simplecode-0.0.1-SNAPSHOT.jar /opt/app.jar ENTRYPOINT ["java","-jar","/opt/app.jar"]

30. @maeddes „What makes a (Java) container image good?“ 30

31. @maeddes • Speed • Size • Structure • Simplicity •

    Security Criteria 31

32. @maeddes • Speed • Size • Structure • Simplicity •

    Security • Standardization Criteria 32

33. @maeddes The reality … 33

34. @maeddes Considerations for structure and size 34

35. @maeddes Considerations for Java 35

36. @maeddes Layers 36 FROM eclipse-temurin:25-jre AS builder COPY --from=maven /opt/app/target/simplecode-0.0.1-SNAPSHOT.jar

    app.jar RUN java -Djarmode=tools -jar app.jar extract --layers --destination extracted FROM eclipse-temurin:25-jre COPY --from=builder extracted/dependencies/ ./ COPY --from=builder extracted/spring-boot-loader/ ./ COPY --from=builder extracted/snapshot-dependencies/ ./ COPY --from=builder extracted/application/ ./ ENTRYPOINT ["java","-jar", "application.jar"]

37. @maeddes Entire file 37 FROM maven:3-eclipse-temurin-25 AS builder WORKDIR /opt/app

    COPY src ./src COPY pom.xml . RUN --mount=type=cache,target=/root/.m2 mvn -f /opt/app/pom.xml package -DskipTests FROM eclipse-temurin:25-jre AS extractor WORKDIR /opt/app COPY --from=builder /opt/app/target/simplecode-0.0.1-SNAPSHOT.jar application.jar RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted FROM eclipse-temurin:25-jre WORKDIR /opt/app COPY --from=extractor /opt/app/extracted/dependencies/ ./ COPY --from=extractor /opt/app/extracted/spring-boot-loader/ ./ COPY --from=extractor /opt/app/extracted/snapshot-dependencies/ ./ COPY --from=extractor /opt/app/extracted/application/ ./ ENTRYPOINT ["java", "-jar", "application.jar"]

38. @maeddes Dockerfile and jlink (and jdeps) 38 https://snyk.io/blog/jlink-create-docker-images-spring-boot-java/

39. 39

40. @maeddes jlink and jdeps 40 FROM maven:3-eclipse-temurin-25 AS build RUN

    --mount=type=cache,target=/root/.m2 mvn package RUN jdeps --ignore-missing-deps -q \ --recursive \ --multi-release 21 \ --print-module-deps \ --class-path 'BOOT-INF/lib/*' \ target/simplecode-0.0.1-SNAPSHOT.jar > deps.info RUN jlink \ --add-modules $(cat deps.info) \ --strip-debug \ --compress 2 \ --no-header-files \ --no-man-pages \ --output /myjre FROM debian:bookworm-slim COPY --from=build /myjre $JAVA_HOME COPY --from=build /usr/src/project/target/simplecode-0.0.1-SNAPSHOT.jar /project/

41. 41 FROM maven:3-eclipse-temurin-25 AS build RUN mkdir /opt/app COPY src

    /opt/app/src COPY pom.xml /opt/app WORKDIR /opt/app RUN --mount=type=cache,target=/root/.m2 mvn package -DskipTests RUN jar xf target/simplecode-0.0.1-SNAPSHOT.jar RUN jdeps --ignore-missing-deps -q \ --recursive \ --multi-release 21 \ --print-module-deps \ --class-path 'BOOT-INF/lib/*' \ target/simplecode-0.0.1-SNAPSHOT.jar > deps.info RUN jlink \ --add-modules $(cat deps.info) \ --strip-debug \ --compress 2 \ --no-header-files \ --no-man-pages \ --output /myjre FROM eclipse-temurin:25-jre AS extractor RUN mkdir /opt/app WORKDIR /opt/app COPY --from=build /opt/app/target/simplecode-0.0.1-SNAPSHOT.jar application.jar RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted FROM ubuntu:jammy ENV JAVA_HOME /opt/java/jdk25 ENV PATH $JAVA_HOME/bin:$PATH COPY --from=build /myjre $JAVA_HOME RUN mkdir /opt/app WORKDIR /opt/app COPY --from=extractor /opt/app/extracted/dependencies/ ./ COPY --from=extractor /opt/app/extracted/spring-boot-loader/ ./ COPY --from=extractor /opt/app/extracted/snapshot-dependencies/ ./ COPY --from=extractor /opt/app/extracted/application/ ./ ENTRYPOINT ["java", "-jar", "application.jar"]

42. @maeddes Considerations for structure and size 42

43. @maeddes Considerations for security 43

44. @maeddes Considerations for standardization 44

45. @maeddes Considerations for standardization 45

46. @maeddes Considerations for standardization 46

47. @maeddes 47 Dockerfile Learnings

48. 48 & more …?

49. @maeddes 49 [2]

50. 50

51. @maeddes Jib 51

52. @maeddes Jib 52

53. @maeddes Jib 53

54. @maeddes Considerations - Recap 54

55. @maeddes Continued strategy 55

56. @maeddes Jib 56

57. 57 Cloud-Native Buildpacks buildpacks.io

58. @maeddes Buildpacks idea 58

59. @maeddes Multi Runtime/Language Support 59 [3]

60. @maeddes History 60

61. @maeddes Flow 61

62. @maeddes Rebase 62

63. @maeddes Considerations for standardization 63

64. 64 paketo.io

65. @maeddes 65 Flow

66. @maeddes Java settings 66

67. @maeddes 67

68. @maeddes Summary 68 • Be aware of options and possibilities

    • Be aware of the possibilities of your options • Keep your base images and layers as consistent as possible throughout your landscape • Avoid “wild growth” through dockerfiles • Automate and standardize as much as possible • There is no universally best option. There is a best fit depending on whether you optimize for control, developer speed, or platform standardization.

69. @maeddes 69 Dockerfile (simple) Dockerfile (multistage) Dockerfile (jlink/jdeps) Jib Buildpacks/

    Paketo Speed 🤩 Size 🤩 Structure 🙂 🙂 🤩 🤩 Standardization 🙂 🙂 🙂 🤩 Simplicity 🙂 🤩 🙂 Security 🙂 🤩 🙂

70. @maeddes Further information 70

71. None

72. @maeddes Native Images 72

73. @maeddes Optimization not possible 73 X

74. @maeddes Supply Chain Security, SBOMs, Attestations 74 • Container images

    are no longer just runtime artifacts — they are also verifiable delivery artifacts • SBOMs answer: What is inside the image? • Provenance / attestations answer: Where, how, and with what was it built? • Modern tooling such as BuildKit / Docker Build / Buildpacks supports SBOM and provenance attestations

75. @maeddes Secure Base Images / Hardened Images 75 • Secure

    images aim for minimal footprint, reduced CVE exposure, and strong provenance • Docker Hardened Images, Bellsoft & Chainguard/Wolfi images are positioned as minimal, production-ready, and security-focused • They also provide verifiable SBOMs, provenance information, and signed attestations • Additional features such as non-root defaults and compliance-oriented variants support regulated environments • New baseline question for production images: Is the base image only small — or also trusted, patchable, and verifiable?

76. @maeddes Docker Hardened Images 76 • Direct replacement of traditional

    images • Free since 2025 • Various levels of hardening / support • About 1000 images available • Categories ◦ Languages & Frameworks ◦ Databases & Messaging ◦ Service components of all kind

77. @maeddes Considerations for standardization 77

78. @maeddes Lab Repo 78

79. 79 VP Expert Matthias Haeussler Mobil: +49 175 222 5949

    E-Mail: [email protected] Bluesky: @maeddes.bsky.social

80. Sources @maeddes ▪ https://www.excalidraw.com ▪ https://docs.docker.com/engine/release-notes/prior-releases/ ▪ https://blog.codecentric.de/en/2020/11/buildpacks-spring-boot/ ▪ https://paketo.io/

    ▪ https://buildpacks.io/features/ ▪ https://github.com/GoogleContainerTools/jib ▪ https://www.baeldung.com/docker-layers-spring-boot ▪ https://spring.io/blog/2020/01/27/creating-docker-images-with- spring-boot-2-3-0-m1 ▪ https://github.com/openshift/source-to-image 80