I'm trying to run a simple Java app:

    package com.lbg.test_artifact;

    import java.io.IOException;

    public class App
    {
        public static void main( String[] args ) throws IOException
        {
            int i;
            do {
                System.out.write(i = System.in.read());
            } while (i != -1);
        }
    }

I'm dockerising it like this:

    FROM eclipse-temurin
    WORKDIR /usr/src/app
    COPY . .
    RUN apt-get update && apt-get install -y --no-install-recommends maven
    RUN mvn clean package
    CMD ["java", "-jar", "./target/test-artifact-0.0.1-SNAPSHOT.jar"]

I'd like to lock down the versions of Java (eclipse-temurin) and Maven but I'm unsure how to do that. (I found the maven= way of specifying a package from apt-get but I always get 'package not found').
You can specify exactly which version of an image you want by using its SHA256 instead of a tag. Even if someone uploads a newer version with the same tag, you'll still get the one you want.
For packages, you can specify the version of the package you want. You can get a list of the available versions using apt-cache policy maven.
So to lock both the image version and the package version, you can do

    FROM eclipse-temurin@sha256:88214b12ef97dcb4d44a96f23043041a78ab08fc035740309f1f0b026ce79940
    RUN apt-get update && apt-get install -y maven=3.8.7-2

in your Dockerfile.
The SHA256 value can be found on Docker Hub or by inspecting an image you've pulled.
The one I've used is the one currently associated with eclipse-temurin:latest found here.
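
A checker for the two pins described in the answer above, added here as an example (it is not part of the original question or answer): it flags FROM lines that lack an @sha256 digest and apt-get install packages that lack =version. The function name unpinned_items and the two sample strings are constructed for illustration, and package detection is a simple token heuristic.

```python
import re

# Constructed samples: the question's Dockerfile and the answer's pinned lines.
UNPINNED = """\
FROM eclipse-temurin
WORKDIR /usr/src/app
COPY . .
RUN apt-get update && apt-get install -y --no-install-recommends maven
RUN mvn clean package
"""
PINNED = """\
FROM eclipse-temurin@sha256:88214b12ef97dcb4d44a96f23043041a78ab08fc035740309f1f0b026ce79940
RUN apt-get update && apt-get install -y maven=3.8.7-2
"""

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_items(dockerfile):
    """List base images without a digest and apt packages without =version."""
    findings, stages = [], set()
    # Join backslash-continued lines so a multi-line RUN is inspected whole.
    text = re.sub(r"\\\r?\n", " ", dockerfile)
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        instr = words[0].upper()
        args = [w for w in words[1:] if not w.startswith("--")]  # drop --platform=...
        if instr == "FROM" and args:
            image = args[0]
            # An earlier build stage name or "scratch" is not a registry pull.
            is_pull = image != "scratch" and image.lower() not in stages
            if is_pull and not DIGEST.search(image):
                findings.append(f"image not pinned by digest: {image}")
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
        elif instr == "RUN":
            for cmd in re.split(r"&&|\|\||;", " ".join(words[1:])):
                toks = cmd.split()
                if toks and toks[0] in ("apt-get", "apt") and "install" in toks:
                    for pkg in toks[toks.index("install") + 1:]:
                        if not pkg.startswith("-") and "=" not in pkg:
                            findings.append(f"apt package not pinned to a version: {pkg}")
    return findings

if __name__ == "__main__":
    for name, df in (("question", UNPINNED), ("answer", PINNED)):
        print(name, unpinned_items(df) or "all pinned")
```

Run against a Dockerfile in CI, a non-empty result can fail the build before an unpinned base image or package reaches a release.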