java-docker

Java Docker Skill

Containerize Java applications with optimized Dockerfiles and JVM settings.

Overview

This skill covers Docker best practices for Java including multi-stage builds, JVM container settings, security hardening, and layer optimization.

When to Use This Skill

Use when you need to:
  • Create optimized Java Dockerfiles
  • Configure JVM for containers
  • Implement security best practices
  • Reduce image size
  • Set up health checks

Topics Covered

Dockerfile Optimization

  • Multi-stage builds
  • Layer caching strategy
  • Spring Boot layered JARs
  • Dependency caching

JVM Container Settings

  • UseContainerSupport
  • MaxRAMPercentage
  • GC selection
  • Exit on OOM

Security

  • Non-root users
  • Read-only filesystem
  • Vulnerability scanning
  • Secrets handling

Quick Reference

```dockerfile
# Multi-stage optimized Dockerfile
FROM eclipse-temurin:21-jdk-alpine AS builder
WORKDIR /app

# Cache dependencies (the Temurin image ships no Maven, so the build uses the
# Maven wrapper that the copied .mvn directory belongs to)
COPY mvnw pom.xml ./
COPY .mvn .mvn
RUN ./mvnw dependency:go-offline -B

# Build and extract layers
COPY src ./src
RUN ./mvnw package -DskipTests && \
    java -Djarmode=layertools -jar target/*.jar extract

# Runtime stage
FROM eclipse-temurin:21-jre-alpine

# Security: non-root user
RUN addgroup -S app && adduser -S app -G app
USER app
WORKDIR /app

# Copy layers in order of change frequency
COPY --from=builder /app/dependencies/ ./
COPY --from=builder /app/spring-boot-loader/ ./
COPY --from=builder /app/snapshot-dependencies/ ./
COPY --from=builder /app/application/ ./

# JVM container settings
ENV JAVA_OPTS="-XX:+UseContainerSupport \
    -XX:MaxRAMPercentage=75.0 \
    -XX:+ExitOnOutOfMemoryError \
    -XX:+UseG1GC"

EXPOSE 8080

HEALTHCHECK --interval=30s --timeout=3s --start-period=30s \
    CMD wget -qO- http://localhost:8080/actuator/health/liveness || exit 1

# exec makes java replace sh as PID 1 so it receives SIGTERM on docker stop
ENTRYPOINT ["sh", "-c", "exec java $JAVA_OPTS org.springframework.boot.loader.launch.JarLauncher"]
```

JVM Container Flags

```bash
# Recommended production settings
JAVA_OPTS=" \
  -XX:+UseContainerSupport \
  -XX:MaxRAMPercentage=75.0 \
  -XX:InitialRAMPercentage=50.0 \
  -XX:+ExitOnOutOfMemoryError \
  -XX:+HeapDumpOnOutOfMemoryError \
  -XX:HeapDumpPath=/tmp/heapdump.hprof \
  -XX:+UseG1GC \
  -Djava.security.egd=file:/dev/./urandom \
"
```

Base Image Comparison

| Image | Size | Security | Use Case |
|---|---|---|---|
| temurin:21-jre | ~200MB | Good | General use |
| temurin:21-jre-alpine | ~100MB | Good | Size-optimized |
| distroless/java21 | ~80MB | Best | Production |

Security Best Practices

```dockerfile
# Independent fragments, not one complete Dockerfile

# Non-root user
RUN addgroup -S app && adduser -S app -G app
USER app

# Read-only filesystem
# (Configure at runtime with --read-only; mount a tmpfs for anything the JVM
# must write, such as the /tmp directory used by HeapDumpPath)

# No shell access with distroless
FROM gcr.io/distroless/java21-debian12

# Health check (wget exists in the Alpine-based images; distroless has neither
# a shell nor wget, so there the probe has to come from the orchestrator)
HEALTHCHECK --interval=30s --timeout=3s \
    CMD wget -qO- localhost:8080/actuator/health || exit 1
```

Troubleshooting

Common Issues

| Problem | Cause | Solution |
|---|---|---|
| OOMKilled | Heap > limit | Set MaxRAMPercentage |
| Slow startup | Large image | Multi-stage build |
| Permission denied | Root required | Fix file permissions |
| No memory info | Old JVM | Update to Java 11+ |

Debug Checklist

□ Check container memory limits
□ Verify JVM sees container limits
□ Review health check configuration
□ Scan image for vulnerabilities
□ Test with resource constraints
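The "Verify JVM sees container limits" step above, together with the MaxRAMPercentage setting from the JVM Container Flags section, can be checked with the following script. It is an added example, not part of the java-docker skill; the cgroup paths, the 2 MiB alignment slack and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the java-docker skill): confirm that the JVM in a container
# sizes its heap from the cgroup limit, i.e. MaxHeapSize ~= limit * MaxRAMPercentage / 100.
# Assumed: the cgroup paths below, a 2 MiB heap-alignment slack, a JRE on PATH.
# Container memory limit in bytes: cgroup v2 first, then v1, "max" if unlimited.
container_mem_limit() {
    if [ -r /sys/fs/cgroup/memory.max ]; then
        cat /sys/fs/cgroup/memory.max
    elif [ -r /sys/fs/cgroup/memory/memory.limit_in_bytes ]; then
        cat /sys/fs/cgroup/memory/memory.limit_in_bytes
    else
        echo max
    fi
}

# Heap the JVM should choose for a limit (bytes) and a MaxRAMPercentage like 75.000000.
expected_heap_bytes() {
    echo $(( $1 * ${2%.*} / 100 ))
}

# Value of one flag from `java -XX:+PrintFlagsFinal -version` output read on stdin.
flag_value() {
    awk -v f="$1" '$2 == f { print $4; exit }'
}

# Succeeds when |actual - expected| <= slack (the JVM rounds the heap to its alignment).
heap_matches() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "$3" ]
}

# Run inside the container as `sh check_jvm_limits.sh run`.
check_jvm_limits() {
    limit=$(container_mem_limit)
    [ "$limit" = max ] && { echo "no cgroup memory limit set; nothing to verify"; return 2; }
    flags=$(java -XX:+PrintFlagsFinal -version 2>/dev/null)
    heap=$(printf '%s\n' "$flags" | flag_value MaxHeapSize)
    pct=$(printf '%s\n' "$flags" | flag_value MaxRAMPercentage)
    want=$(expected_heap_bytes "$limit" "$pct")
    if heap_matches "$heap" "$want" 2097152; then
        echo "OK: limit=$limit MaxRAMPercentage=$pct MaxHeapSize=$heap"
    else
        echo "MISMATCH: limit=$limit, expected heap ~$want, got $heap (old JVM or limit not visible?)"
        return 1
    fi
}

if [ "${1:-}" = run ]; then check_jvm_limits; fi
```

A MISMATCH with a JVM older than Java 10 (or a cgroup v2 host with a JDK that predates cgroup v2 support) is the "No memory info" row from the troubleshooting table.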

Usage

Skill("java-docker")

Related Skills

  • java-maven-gradle
    - Build integration
  • java-microservices
    - K8s deployment