amazoncorretto Docker 镜像 - 轩辕镜像

Quick reference

• Maintained by:
  the AWS JDK team

• Where to get help:
  the Docker Community Slack, Server Fault, Unix & Linux, or Stack Overflow

Supported tags and respective Dockerfile links

• 8, 8u472, 8u472-al2, 8-al2-full, 8-al2-jdk, 8-al2-generic, 8u472-al2-generic, 8-al2-generic-jdk, latest

• 8-al2023, 8u472-al2023, 8-al2023-jdk, 8-al2023-jre, 8u472-al2023-jre

• 8-al2-native-jre, 8u472-al2-native-jre

• 8-al2-native-jdk, 8u472-al2-native-jdk

• 8-alpine3.20, 8u472-alpine3.20, 8-alpine3.20-full, 8-alpine3.20-jdk

• 8-alpine3.20-jre, 8u472-alpine3.20-jre

• 8-alpine3.21, 8u472-alpine3.21, 8-alpine3.21-full, 8-alpine3.21-jdk

• 8-alpine3.21-jre, 8u472-alpine3.21-jre

• 8-alpine3.22, 8u472-alpine3.22, 8-alpine3.22-full, 8-alpine3.22-jdk, 8-alpine, 8u472-alpine, 8-alpine-full, 8-alpine-jdk

• 8-alpine3.22-jre, 8u472-alpine3.22-jre, 8-alpine-jre, 8u472-alpine-jre

• 11, 11.0.29, 11.0.29-al2, 11-al2-full, 11-al2-jdk, 11-al2-generic, 11.0.29-al2-generic, 11-al2-generic-jdk

• 11-al2023, 11.0.29-al2023, 11-al2023-jdk

• 11-al2023-headless, 11.0.29-al2023-headless

• 11-al2023-headful, 11.0.29-al2023-headful

• 11-al2-native-headless, 11.0.29-al2-native-headless

• 11-al2-native-jdk, 11.0.29-al2-native-jdk

• 11-alpine3.20, 11.0.29-alpine3.20, 11-alpine3.20-full, 11-alpine3.20-jdk

• 11-alpine3.21, 11.0.29-alpine3.21, 11-alpine3.21-full, 11-alpine3.21-jdk

• 11-alpine3.22, 11.0.29-alpine3.22, 11-alpine3.22-full, 11-alpine3.22-jdk, 11-alpine, 11.0.29-alpine, 11-alpine-full, 11-alpine-jdk

• 17, 17.0.17, 17.0.17-al2, 17-al2-full, 17-al2-jdk, 17-al2-generic, 17.0.17-al2-generic, 17-al2-generic-jdk

• 17-al2023, 17.0.17-al2023, 17-al2023-jdk

• 17-al2023-headless, 17.0.17-al2023-headless

• 17-al2023-headful, 17.0.17-al2023-headful

• 17-al2-native-headless, 17.0.17-al2-native-headless

• 17-al2-native-headful, 17.0.17-al2-native-headful

• 17-al2-native-jdk, 17.0.17-al2-native-jdk

• 17-alpine3.20, 17.0.17-alpine3.20, 17-alpine3.20-full, 17-alpine3.20-jdk

• 17-alpine3.21, 17.0.17-alpine3.21, 17-alpine3.21-full, 17-alpine3.21-jdk

• 17-alpine3.22, 17.0.17-alpine3.22, 17-alpine3.22-full, 17-alpine3.22-jdk, 17-alpine, 17.0.17-alpine, 17-alpine-full, 17-alpine-jdk

• 21, 21.0.9, 21.0.9-al2, 21-al2-full, 21-al2-jdk, 21-al2-generic, 21.0.9-al2-generic, 21-al2-generic-jdk

• 21-al2023, 21.0.9-al2023, 21-al2023-jdk

• 21-al2023-headless, 21.0.9-al2023-headless

• 21-al2023-headful, 21.0.9-al2023-headful

• 21-alpine3.20, 21.0.9-alpine3.20, 21-alpine3.20-full, 21-alpine3.20-jdk

• 21-alpine3.21, 21.0.9-alpine3.21, 21-alpine3.21-full, 21-alpine3.21-jdk

• 21-alpine3.22, 21.0.9-alpine3.22, 21-alpine3.22-full, 21-alpine3.22-jdk, 21-alpine, 21.0.9-alpine, 21-alpine-full, 21-alpine-jdk

• 25-al2023, 25.0.1-al2023, 25-al2023-jdk, 25, 25-jdk, 25.0.1

• 25-al2023-headless, 25.0.1-al2023-headless, 25-headless

• 25-al2023-headful, 25.0.1-al2023-headful, 25-headful

• 25-alpine3.20, 25.0.1-alpine3.20, 25-alpine3.20-full, 25-alpine3.20-jdk

• 25-alpine3.21, 25.0.1-alpine3.21, 25-alpine3.21-full, 25-alpine3.21-jdk

• 25-alpine3.22, 25.0.1-alpine3.22, 25-alpine3.22-full, 25-alpine3.22-jdk, 25-alpine, 25.0.1-alpine, 25-alpine-full, 25-alpine-jdk

Quick reference (cont.)

• Where to file issues:
  [***]

• Supported architectures: (more info)
  amd64, arm64v8

• Published image artifact details:
  repo-info repo's repos/amazoncorretto/ directory (history)
  (image metadata, transfer size, etc)

• Image updates:
  official-images repo's library/amazoncorretto label
  official-images repo's library/amazoncorretto file (history)

• Source of this description:
  docs repo's amazoncorretto/ directory (history)

What is Amazon Corretto?

Corretto is a binary distribution of the Open Java Development Kit (OpenJDK) with long-term support from Amazon. Corretto is certified using the Java Technical Compatibility Kit (TCK) to ensure it meets the Java SE standard and is available on Linux, Windows, and macOS. It includes patches from Amazon that have proven useful in running our own services.

!logo

Why should I use Corretto?

Corretto is a reliable binary distribution of OpenJDK with the assurance of long-term support provided at no cost to you. Amazon runs Corretto internally on thousands of production services. Every modification we make to Corretto fixes or mitigates a problem we found running OpenJDK. Amazon also plans to apply urgent fixes (including security) when they are available and ready to use, outside of the regular quarterly cycle.

How is Corretto different from OpenJDK?

Corretto is a distribution of Open JDK with patches included by Amazon that are not yet integrated in the corresponding OpenJDK update projects. We focus on patches that improve performance or stability in OpenJDK, chosen based on Amazon's observations running large services.

What kinds of patches does Amazon intend to include in Corretto?

Patches will include security fixes, performance enhancements (e.g., speeding up frequently used functions), garbage collection scheduling, and preventing out-of-memory situations, as well as improved monitoring, reporting, and thread management.

Is there any cost associated with using Corretto?

Corretto is distributed by Amazon under an Open Source license at no cost to you. It is licensed under the terms of the GNU Public License version 2 with the Class Path Exception (GPLv2 with CPE). Amazon does not charge for its use or distribution.

What is included in Corretto's long-term support?

Amazon will provide security updates for Corretto 8 until at least June 2023. Updates are planned to be released quarterly. Corretto 11, corresponding to OpenJDK 11, will be available during the first half of 2019. Amazon will support Corretto 11 with quarterly updates until at least August 2024.

Can I use Corretto as a drop-in replacement for other JDKs?

Corretto is designed as a drop-in replacement for all Java SE distributions unless you are using features (e.g., Java Flight Recorder) not available in OpenJDK. Once Corretto binaries are installed on a host and correctly invoked to run your Java applications (e.g., using the alternatives command on Linux), existing command-line options, tuning parameters, monitoring, and anything else in place will continue to work as before.

Why does security scanner show that a docker image has a CVE?

If a security scanner reports that an amazoncorretto image includes a CVE, the first recommended action is to pull an updated version of this image.

If no updated image is available, run the appropriate command to update packages for the platform, ie. run "apk -U upgrade" for Alpine or "yum update -y --security" for AmazonLinux in your Dockerfiles or systems to resolve the issue immediately.

If no updated package is available, please treat this as a potential security issue and follow these instructions or email AWS security directly at ***.

It is the responsibility of the base docker image supplier to provide timely security updates to images and packages. The amazoncorretto images are automatically rebuilt when a new base image is made available, but we do not make changes to our Dockerfiles to pull in one-off package updates. If a new base image has not yet been made generally available by a base docker image maintainer, please contact that maintainer to request that the issue be addressed.

Note that there are multiple reasons why a CVE may appear to be present in a docker image, as explained in the docker library FAQs.

Image Variants

The amazoncorretto images come in many flavors, each designed for a specific use case.

amazoncorretto:<version>

This is the defacto image. If you are unsure about what your needs are, you probably want to use this one. It is designed to be used both as a throw away container (mount your source code and start the container to start your app), as well as the base to build other images off of.

amazoncorretto:<version>-alpine

This image is based on the popular Alpine Linux project, available in the alpine official image. Alpine Linux is much smaller than most distribution base images (~5MB), and thus leads to much slimmer images in general.

This variant is useful when final image size being as small as possible is your primary concern. The main caveat to note is that it does use musl libc instead of glibc and friends, so software will often run into issues depending on the depth of their libc requirements/assumptions. See this Hacker News comment thread for more discussion of the issues that might arise and some pro/con comparisons of using Alpine-based images.

To minimize image size, it's uncommon for additional related tools (such as git or bash) to be included in Alpine-based images. Using this image as a base, add the things you need in your own Dockerfile (see the alpine image description for examples of how to install packages if you are unfamiliar).

License

Amazon Corretto is released under the same open source license as OpenJDK, which is licensed under the GNU Public License version 2 with the Class Path Exception (GPLv2 with CPE).

As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

Some additional license information which was able to be auto-detected might be found in the repo-info repository's amazoncorretto/ directory.

As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.