Testing arm64 docker images

Author: AlexeyKuznetsov-DD

.github/workflows/ci.yml

@@ -9,10 +9,22 @@ on:
   schedule:
     - cron: '0 0 * * 0' 
   workflow_dispatch:
+    inputs:
+      run_amd64:
+        description: "Run the standard amd64 image build"
+        required: false
+        default: false
+        type: boolean
+      run_arm64:
+        description: "Run the experimental arm64 image build"
+        required: false
+        default: false
+        type: boolean
 
 jobs:
   build_push_check:
     name: Build docker image, publish it and run vuln scanner against it
+    if: ${{ github.event_name == 'workflow_dispatch' && inputs.run_amd64 == true }}
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
@@ -62,3 +74,58 @@ jobs:
         uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           sarif_file: 'trivy-results.sarif'
+
+  build_push_check_arm64:
+    name: Build arm64 docker image, publish it and run vuln scanner against it
+    if: ${{ github.event_name == 'workflow_dispatch' && inputs.run_arm64 == true }}
+    permissions:
+      contents: read
+      security-events: write
+      packages: write
+    runs-on: ubuntu-latest
+    environment:
+      name: ci-build
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@e20b58169f0f89e8fb4a5c8a5ad9b65cb7e7b98a # 3.6.0
+        with:
+          platforms: arm64
+      - name: Set up Docker Buildx
+        id: buildx-arm64
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0
+      - name: Login to ghcr.io
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # 4.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+        with:
+          docker-images: false
+      - name: Build arm64 image
+        id: build-arm64
+        run: bash ./build-arm64
+      - name: Test arm64 image
+        run: bash ./build-arm64 --test
+      - name: Describe arm64 image
+        run: bash ./build-arm64 --describe >> $GITHUB_STEP_SUMMARY
+      - name: Push arm64 image
+        run: bash ./build-arm64 --push
+      - name: Run Trivy vulnerability scanner on arm64 image
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        with:
+          image-ref: '${{ steps.build-arm64.outputs.LATEST_IMAGE_TAG }}'
+          format: 'sarif'
+          output: 'trivy-results-arm64.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+      - name: Upload Trivy arm64 scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        with:
+          sarif_file: 'trivy-results-arm64.sarif'

Dockerfile.arm64

@@ -0,0 +1,110 @@
+# syntax=docker/dockerfile:1.6
+
+ARG LATEST_VERSION
+FROM eclipse-temurin:${LATEST_VERSION}-jdk-noble AS temurin-latest
+
+FROM ubuntu:24.04 AS default-jdk
+ARG LATEST_VERSION
+
+COPY --from=eclipse-temurin:8-jdk-noble /opt/java/openjdk /usr/lib/jvm/8
+COPY --from=eclipse-temurin:11-jdk-noble /opt/java/openjdk /usr/lib/jvm/11
+COPY --from=eclipse-temurin:17-jdk-noble /opt/java/openjdk /usr/lib/jvm/17
+COPY --from=eclipse-temurin:21-jdk-noble /opt/java/openjdk /usr/lib/jvm/21
+COPY --from=eclipse-temurin:25-jdk-noble /opt/java/openjdk /usr/lib/jvm/25
+COPY --from=temurin-latest /opt/java/openjdk /usr/lib/jvm/${LATEST_VERSION}
+
+RUN <<-EOT
+	set -eux
+	rm -rf \
+		/usr/lib/jvm/*/lib/src.zip \
+		/usr/lib/jvm/*/demo \
+		/usr/lib/jvm/*/sample
+EOT
+
+FROM ubuntu:24.04 AS base
+ARG LATEST_VERSION
+ENV LATEST_VERSION=${LATEST_VERSION}
+
+LABEL org.opencontainers.image.source=https://github.com/DataDog/dd-trace-java-docker-build
+
+RUN <<-EOT
+	set -eux
+	apt-get update
+	apt-get install -y sudo
+	groupadd --gid 1001 non-root-group
+	useradd --uid 1001 --gid non-root-group -m non-root-user
+	echo "non-root-user ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/non-root-user
+	chmod 0440 /etc/sudoers.d/non-root-user
+	mkdir -p /home/non-root-user/.config
+	chown -R non-root-user:non-root-group /home/non-root-user/.config
+	apt-get clean
+	rm -rf /var/lib/apt/lists/*
+EOT
+
+USER non-root-user
+WORKDIR /home/non-root-user
+
+RUN <<-EOT
+	set -eux
+	sudo apt-get update
+	sudo apt-get install -y curl tar apt-transport-https ca-certificates gnupg socat less debian-goodies autossh ca-certificates-java python3-pip locales jq git gh yq lsb-release lsof unzip parallel xsltproc
+	sudo locale-gen en_US.UTF-8
+	sudo git config --system --add safe.directory "*"
+
+	sudo mkdir -p /tmp/docker-install
+	DOCKER_LATEST_VERSION=$(curl -s https://download.docker.com/linux/static/stable/$(uname -m)/ | grep -oP 'docker-\K([0-9]+\.[0-9]+\.[0-9]+)(?=\.tgz)' | sort -V | tail -n 1)
+	sudo curl -fsSL "https://download.docker.com/linux/static/stable/$(uname -m)/docker-${DOCKER_LATEST_VERSION}.tgz" | sudo tar -xz -C /tmp/docker-install
+	sudo mv /tmp/docker-install/docker/docker /usr/local/bin/
+	sudo rm -rf /tmp/docker-install
+	sudo mkdir -p /usr/local/lib/docker/cli-plugins
+	sudo curl -fsSL "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m)" -o /usr/local/lib/docker/cli-plugins/docker-compose
+	sudo chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
+
+	sudo apt-get clean
+	sudo rm -rf /var/lib/apt/lists/*
+EOT
+
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+COPY --from=default-jdk /usr/lib/jvm /usr/lib/jvm
+
+RUN <<-EOT
+	set -eux
+	sudo apt-get update
+	sudo pip3 install --break-system-packages awscli
+	sudo pip3 cache purge
+
+	ARCH=$(dpkg --print-architecture)
+	case "$ARCH" in
+		arm64) DD_CI_ARCH="arm64"; VAULT_ARCH="arm64" ;;
+		amd64) DD_CI_ARCH="x64"; VAULT_ARCH="amd64" ;;
+		*) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;;
+	esac
+
+	sudo curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-${DD_CI_ARCH}" --output "/usr/local/bin/datadog-ci"
+	sudo chmod +x /usr/local/bin/datadog-ci
+
+	VAULT_VERSION=1.20.4
+	curl -fsSL "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip" -o vault.zip
+	unzip vault.zip
+	sudo mv vault /usr/local/bin/vault
+	chmod +x /usr/local/bin/vault
+	rm vault.zip
+
+	sudo apt-get clean
+	sudo rm -rf /var/lib/apt/lists/*
+EOT
+
+ENV JAVA_DEBIAN_VERSION=unused
+ENV JAVA_VERSION=unused
+
+ENV JAVA_8_HOME=/usr/lib/jvm/8
+ENV JAVA_11_HOME=/usr/lib/jvm/11
+ENV JAVA_17_HOME=/usr/lib/jvm/17
+ENV JAVA_21_HOME=/usr/lib/jvm/21
+ENV JAVA_25_HOME=/usr/lib/jvm/25
+ENV JAVA_${LATEST_VERSION}_HOME=/usr/lib/jvm/${LATEST_VERSION}
+
+ENV JAVA_HOME=${JAVA_8_HOME}
+ENV PATH=${JAVA_HOME}/bin:${PATH}
+

build-arm64

@@ -0,0 +1,145 @@
+#!/usr/bin/env bash
+set -eu
+
+readonly IMAGE_NAME="ghcr.io/datadog/dd-trace-java-docker-build"
+readonly BASE_VARIANTS=(8 11 17 21 25 tip)
+
+function compute_metadata() {
+    GIT_BRANCH="${GITHUB_REF_NAME:-$(git branch --show-current)}"
+    readonly GIT_BRANCH="${GIT_BRANCH:-local}"
+    if [[ ${GIT_BRANCH} = master ]]; then
+        TAG_PREFIX=""
+    else
+        TAG_PREFIX="${GIT_BRANCH}-"
+        TAG_PREFIX="${TAG_PREFIX,,}"
+        TAG_PREFIX="${TAG_PREFIX//\//_}"
+    fi
+
+    BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+    GIT_HEAD_REF="$(git show-ref --head --hash ^HEAD)"
+}
+
+function compute_latest_version() {
+    local base_year=2025
+    local base_version=23
+
+    version="$((base_version + ($(date +%Y) - base_year) * 2))"
+    if [ "$(date +%m)" -ge 4 ]; then
+        version="$((version + 1))"
+    fi
+    if [ "$(date +%m)" -ge 10 ]; then
+        version="$((version + 1))"
+    fi
+
+    export LATEST_VERSION="$version"
+}
+
+function docker_build() {
+    local tag="$1"
+    docker buildx build \
+        --build-arg LATEST_VERSION=$LATEST_VERSION \
+        --platform linux/arm64 \
+        --label org.opencontainers.image.created="$BUILD_DATE" \
+        --label org.opencontainers.image.source=https://github.com/DataDog/dd-trace-java-docker-build \
+        --label org.opencontainers.image.revision="$GIT_HEAD_REF" \
+        --file Dockerfile.arm64 \
+        --target base \
+        --tag "$tag" \
+        --load \
+        .
+}
+
+function image_name() {
+    local variant="${1}"
+    echo -n "${IMAGE_NAME}:${TAG_PREFIX}arm64-${variant}"
+}
+
+function do_build() {
+    compute_metadata
+    compute_latest_version
+    docker_build "$(image_name base)"
+    if [ -n "${GITHUB_OUTPUT+unset}" ]; then
+        echo "LATEST_IMAGE_TAG=$(image_name base)" >>"$GITHUB_OUTPUT"
+    fi
+    for variant in "${BASE_VARIANTS[@]}"; do
+        variant="${variant,,}"
+        docker tag "$(image_name base)" "$(image_name "${variant}")"
+    done
+}
+
+function do_test() {
+    local image
+    compute_metadata
+    image="$(image_name base)"
+    docker run \
+        --platform linux/arm64 \
+        --rm \
+        "$image" \
+        bash -lc '
+            set -eux
+            "$JAVA_HOME/bin/java" -version
+            "$JAVA_8_HOME/bin/java" -version
+            "$JAVA_11_HOME/bin/java" -version
+            "$JAVA_17_HOME/bin/java" -version
+            "$JAVA_21_HOME/bin/java" -version
+            "$JAVA_25_HOME/bin/java" -version
+        '
+}
+
+function do_describe() {
+    local image
+    compute_metadata
+    compute_latest_version
+    image="$(image_name base)"
+    docker run \
+        --platform linux/arm64 \
+        --rm \
+        "$image" \
+        bash -lc '
+            echo "# arm64 image"
+            echo
+            echo "## Operating System"
+            echo
+            echo "* $(lsb_release --description --short)"
+            echo
+            echo "## Tools"
+            echo
+            echo "* $(git --version)"
+            echo "* $(docker --version)"
+            echo "* $(docker compose version)"
+            echo "* datadog-ci $(datadog-ci version)"
+            echo "* vault $(vault --version)"
+            echo
+            echo "## JDKs"
+            echo
+            for env_name in JAVA_8_HOME JAVA_11_HOME JAVA_17_HOME JAVA_21_HOME JAVA_25_HOME; do
+              echo "* ${env_name}"
+              echo "```"
+              "${!env_name}/bin/java" -version 2>&1
+              echo "```"
+              echo
+            done
+        '
+}
+
+function do_push() {
+    local tag
+    compute_metadata
+    for tag in base "${BASE_VARIANTS[@]}"; do
+        tag="${tag,,}"
+        docker push "$(image_name "${tag}")"
+    done
+}
+
+if [[ -z ${1:-} ]]; then
+    do_build
+elif [[ ${1} = "--test" ]]; then
+    do_test
+elif [[ ${1} = "--describe" ]]; then
+    do_describe
+elif [[ ${1} = "--push" ]]; then
+    do_push
+else
+    echo "Unknown argument: ${1}" >&2
+    exit 1
+fi