构建Python3+Java8的 Docker 镜像

基于官方Python3镜像来添加Java8环境（参考官方Dockerfile）

Dockerfile内容如下：

#
# NOTE: this docker file is used to build runtime environment.
# The project is a python app which contains a java jar lib.

FROM python:3
MAINTAINER yangpf <cherishpf@163.com>

# COPY ./requirements.txt /usr/local/src/requirements.txt

RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        bzip2 \
        unzip \
        xz-utils \
        \
# utilities for keeping Debian and OpenJDK CA certificates in sync
        ca-certificates p11-kit \
#       \
# java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
# java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
# https://github.com/docker-library/openjdk/pull/235#issuecomment-424466077
        fontconfig libfreetype6 \
    ; \
    rm -rf /var/lib/apt/lists/*

# Default to UTF-8 file.encoding
ENV LANG C.UTF-8

ENV JAVA_HOME /usr/local/openjdk-8
ENV PATH $JAVA_HOME/bin:$PATH

# backwards compatibility shim
RUN { echo '#/bin/sh'; echo 'echo "$JAVA_HOME"'; } > /usr/local/bin/docker-java-home && chmod +x /usr/local/bin/docker-java-home && [ "$JAVA_HOME" = "$(docker-java-home)" ]

# https://adoptopenjdk.net/upstream.html
# >
# > What are these binaries?
# >
# > These binaries are built by Red Hat on their infrastructure on behalf of the OpenJDK jdk8u and jdk11u projects. The binaries are created from the unmodified source code at OpenJDK. Although no formal support agreement is provided, please report any bugs you may find to https://bugs.java.com/.
# >
ENV JAVA_VERSION 8u252
ENV JAVA_BASE_URL https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u252-b09/OpenJDK8U-jre_
ENV JAVA_URL_VERSION 8u252b09
# https://github.com/docker-library/openjdk/issues/320#issuecomment-494050246
# >
# > I am the OpenJDK 8 and 11 Updates OpenJDK project lead.
# > ...
# > While it is true that the OpenJDK Governing Board has not sanctioned those releases, they (or rather we, since I am a member) didn't sanction Oracle's OpenJDK releases either. As far as I am aware, the lead of an OpenJDK project is entitled to release binary builds, and there is clearly a need for them.
# >

RUN set -eux; \
    \
    dpkgArch="$(dpkg --print-architecture)"; \
    case "$dpkgArch" in \
        amd64) upstreamArch='x64' ;; \
        arm64) upstreamArch='aarch64' ;; \
        *) echo >&2 "error: unsupported architecture: $dpkgArch" ;; \
    esac; \
    \
    wget -O openjdk.tgz.asc "${JAVA_BASE_URL}${upstreamArch}_linux_${JAVA_URL_VERSION}.tar.gz.sign"; \
    wget -O openjdk.tgz "${JAVA_BASE_URL}${upstreamArch}_linux_${JAVA_URL_VERSION}.tar.gz" --progress=dot:giga; \
    \
    export GNUPGHOME="$(mktemp -d)"; \
# TODO find a good link for users to verify this key is right (https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html is one of the only mentions of it I can find); perhaps a note added to https://adoptopenjdk.net/upstream.html would make sense?
# no-self-sigs-only: https://salsa.debian.org/debian/gnupg2/commit/c93ca04a53569916308b369c8b218dad5ae8fe07
    gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F; \
# also verify that key was signed by Andrew Haley (the OpenJDK 8 and 11 Updates OpenJDK project lead)
# (https://github.com/docker-library/openjdk/pull/322#discussion_r286839190)
    gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671; \
    gpg --batch --list-sigs --keyid-format 0xLONG CA5F11C6CE22644D42C6AC4492EF8D39DC13168F \
        | tee /dev/stderr \
        | grep '0xA5CD6035332FA671' \
        | grep 'Andrew Haley'; \
    gpg --batch --verify openjdk.tgz.asc openjdk.tgz; \
    gpgconf --kill all; \
    rm -rf "$GNUPGHOME"; \
    \
    mkdir -p "$JAVA_HOME"; \
    tar --extract \
        --file openjdk.tgz \
        --directory "$JAVA_HOME" \
        --strip-components 1 \
        --no-same-owner \
    ; \
    rm openjdk.tgz*; \
    \
# TODO strip "demo" and "man" folders?
    \
# update "cacerts" bundle to use Debian's CA certificates (and make sure it stays up-to-date with changes to Debian's store)
# see https://github.com/docker-library/openjdk/issues/327
#     http://rabexc.org/posts/certificates-not-working-java#comment-4099504075
#     https://salsa.debian.org/java-team/ca-certificates-java/blob/3e51a84e9104823319abeb31f880580e46f45a98/debian/jks-keystore.hook.in
#     https://git.alpinelinux.org/aports/tree/community/java-cacerts/APKBUILD?id=761af65f38b4570093461e6546dcf6b179d2b624#n29
    { \
        echo '#!/usr/bin/env bash'; \
        echo 'set -Eeuo pipefail'; \
        echo 'if ! [ -d "$JAVA_HOME" ]; then echo >&2 "error: missing JAVA_HOME environment variable"; exit 1; fi'; \
# 8-jdk uses "$JAVA_HOME/jre/lib/security/cacerts" and 8-jre and 11+ uses "$JAVA_HOME/lib/security/cacerts" directly (no "jre" directory)
        echo 'cacertsFile=; for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do if [ -e "$f" ]; then cacertsFile="$f"; break; fi; done'; \
        echo 'if [ -z "$cacertsFile" ] || ! [ -f "$cacertsFile" ]; then echo >&2 "error: failed to find cacerts file in $JAVA_HOME"; exit 1; fi'; \
        echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$cacertsFile"'; \
    } > /etc/ca-certificates/update.d/docker-openjdk; \
    chmod +x /etc/ca-certificates/update.d/docker-openjdk; \
    /etc/ca-certificates/update.d/docker-openjdk; \
    \
# https://github.com/docker-library/openjdk/issues/331#issuecomment-498834472
    find "$JAVA_HOME/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; \
    ldconfig; \
    \
# basic smoke test
    java -version
    
# RUN pip install --no-cache-dir -r /usr/local/src/requirements.txt  -i https://pypi.tuna.tsinghua.edu.cn/simple

# If you're reading this and have any feedback on how this image could be
# improved, please open an issue or a pull request so we can discuss it!
#
# https://github.com/docker-library/openjdk/issues

构建过程中遇到的问题：

下载失败（网络问题导致）

Errors during downloading metadata for repository 'base':
 - Curl error (6): Couldn't resolve host name for http://mirrors.cloud.aliyuncs.com/centos/8/os/x86_64/repodata/repomd.xml [Could not resolve host: mirrors.cloud.aliyuncs.com]
 - Curl error (28): Timeout was reached for http://mirrors.aliyuncs.com/centos/8/os/x86_64/repodata/repomd.xml [Connection timed out after 30003 milliseconds]
 - Status code: 404 for http://mirrors.aliyun.com/centos/8/os/x86_64/repodata/repomd.xml (IP: 219.238.20.87)
CentOS-8 - Base - mirrors.aliyun.com 80 B/s | 2.5 kB 00:31 
Error: Failed to download metadata for repo 'base': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

+ wget -O openjdk.tgz.asc https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u252-b09/OpenJDK8U-jre_aarch64_linux_8u252b09.tar.gz.sign
--2020-07-09 08:38:05-- https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u252-b09/OpenJDK8U-jre_aarch64_linux_8u252b09.tar.gz.sign
Resolving github.com (github.com)... 52.74.223.119
Connecting to github.com (github.com)|52.74.223.119|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2020-07-09 08:38:06 ERROR 404: Not Found.

The command '/bin/sh -c set -eux; dpkgArch="$(dpkg --print-architecture)"; case "$dpkgArch" in amd64) upstreamArch='x64' ;; arm64) upstreamArch='aarch64' ;; *) echo >&2 "error: unsupported architecture: $dpkgArch" ;; esac;

Saving to: ‘openjdk.tgz’

0K ........ ........ ........ . 65% 103K=4m8s

2020-07-09 03:38:29 (103 KB/s) - Read error at byte 26233397/40097077 (Error in the pull function.). Retrying.

--2020-07-09 03:38:30-- (try: 2) https://github-production-release-asset-2e65be.s3.amazonaws.com/177164113/e847a580-7ea3-11ea-9384-66e465e55281?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200709%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200709T032918Z&X-Amz-Expires=300&X-Amz-Signature=8bd859665240280a28c00d6fc517d380e50f0fae6821f6a592d1afa4ef6d3823&X-Amz-SignedHeaders=host&actor_id=0&repo_id=177164113&response-content-disposition=attachment%3B%20filename%3DOpenJDK8U-jre_x64_linux_8u252b09.tar.gz&response-content-type=application%2Foctet-stream
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.217.100.204|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2020-07-09 03:38:31 ERROR 403: Forbidden.

Saving to: ‘openjdk.tgz’

0K ........ ........ ........ ........ 83% 141K 45s
 32768K ...... 100% 59.1K=5m41s

2020-07-09 12:15:53 (115 KB/s) - ‘openjdk.tgz’ saved [40097077/40097077]

+ mktemp -d
+ export GNUPGHOME=/tmp/tmp.VA3iB01iUY
+ gpg --batch --keyserver ha.pool.sks-keyservers.net --keyserver-options no-self-sigs-only --recv-keys CA5F11C6CE22644D42C6AC4492EF8D39DC13168F
gpg: keybox '/tmp/tmp.VA3iB01iUY/pubring.kbx' created

构建成功提示：

+ /etc/ca-certificates/update.d/docker-openjdk
+ find /usr/local/openjdk-8/lib -name *.so -exec dirname {} ;
+ sort -u
+ ldconfig
+ java -version
openjdk version "1.8.0_252"
OpenJDK Runtime Environment (build 1.8.0_252-b09)
OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode)
 ---> cbdae72b3264
Removing intermediate container 2edfd928cd45
Successfully built cbdae72b3264

拉取该镜像（1.04 GB）

docker pull cherishpf/python3-java8:1.0