feat(apps): add Java 25 Docker optimization examples and deployment scripts

Author: Yuriy Bezsonov

apps/dockerfiles-java25/Dockerfile.02-multi-stage

@@ -0,0 +1,20 @@
+FROM public.ecr.aws/docker/library/maven:3-amazoncorretto-25-al2023 AS builder
+
+COPY ./pom.xml ./pom.xml
+COPY src ./src/
+
+RUN mvn clean package -DskipTests -ntp && mv target/store-spring-1.0.0-exec.jar store-spring.jar
+
+FROM public.ecr.aws/docker/library/amazoncorretto:25-al2023
+
+RUN yum install -y shadow-utils
+
+COPY --from=builder store-spring.jar store-spring.jar
+
+RUN groupadd --system spring -g 1000
+RUN adduser spring -u 1000 -g 1000
+
+USER 1000:1000
+EXPOSE 8080
+
+ENTRYPOINT ["java", "-jar", "-Dserver.port=8080", "/store-spring.jar"]

apps/dockerfiles-java25/Dockerfile.04-custom-jre

@@ -0,0 +1,41 @@
+FROM public.ecr.aws/docker/library/maven:3-amazoncorretto-25-al2023 AS builder
+
+RUN yum install -y tar gzip unzip
+
+COPY ./pom.xml ./pom.xml
+COPY src ./src/
+
+RUN mvn clean package -DskipTests -ntp && \
+    mv target/store-spring-1.0.0-exec.jar target/store-spring.jar && \
+    cd target && unzip store-spring.jar
+
+# Analyze dependencies to determine required JDK modules
+RUN jdeps --ignore-missing-deps \
+    --multi-release 25 --print-module-deps \
+    --class-path="target/BOOT-INF/lib/*" \
+    target/store-spring.jar > jre-deps.info
+
+# Add jdk.crypto.ec for TLS 1.3 support
+RUN truncate --size -1 jre-deps.info && \
+    echo ",jdk.crypto.ec" >> jre-deps.info && cat jre-deps.info
+
+# Create custom JRE with only required modules
+RUN export JAVA_TOOL_OPTIONS="-Djdk.lang.Process.launchMechanism=vfork" && \
+    jlink --verbose --compress zip-6 --strip-java-debug-attributes \
+    --no-header-files --no-man-pages --output custom-jre \
+    --add-modules $(cat jre-deps.info)
+
+FROM public.ecr.aws/docker/library/amazoncorretto:25-al2023
+
+RUN yum install -y shadow-utils
+
+COPY --from=builder target/store-spring.jar store-spring.jar
+COPY --from=builder custom-jre custom-jre
+
+RUN groupadd --system spring -g 1000
+RUN adduser spring -u 1000 -g 1000
+
+USER 1000:1000
+EXPOSE 8080
+
+ENTRYPOINT ["./custom-jre/bin/java", "-jar", "-Dserver.port=8080", "/store-spring.jar"]

apps/dockerfiles-java25/Dockerfile.05-soci

@@ -0,0 +1,26 @@
+FROM public.ecr.aws/docker/library/maven:3-amazoncorretto-25-al2023 AS builder
+
+COPY ./pom.xml ./pom.xml
+COPY src ./src/
+
+RUN mvn clean package -DskipTests -ntp -Psoci && \
+    mv target/store-spring-1.0.0.jar store-spring.jar && \
+    java -Djarmode=layertools -jar store-spring.jar extract
+
+FROM public.ecr.aws/docker/library/amazoncorretto:25-al2023
+
+RUN yum install -y shadow-utils
+
+# Layers ordered by change frequency for optimal caching
+COPY --from=builder dependencies/ ./
+COPY --from=builder spring-boot-loader/ ./
+COPY --from=builder snapshot-dependencies/ ./
+COPY --from=builder application/ ./
+
+RUN groupadd --system spring -g 1000
+RUN adduser spring -u 1000 -g 1000
+
+USER 1000:1000
+EXPOSE 8080
+
+ENTRYPOINT ["java", "-Dserver.port=8080", "org.springframework.boot.loader.launch.JarLauncher"]

apps/dockerfiles-java25/Dockerfile.06-cds

@@ -0,0 +1,34 @@
+FROM public.ecr.aws/docker/library/maven:3-amazoncorretto-25-al2023 AS builder
+
+ARG SPRING_DATASOURCE_URL
+ENV SPRING_DATASOURCE_URL=$SPRING_DATASOURCE_URL
+ARG SPRING_DATASOURCE_USERNAME
+ENV SPRING_DATASOURCE_USERNAME=$SPRING_DATASOURCE_USERNAME
+ARG SPRING_DATASOURCE_PASSWORD
+ENV SPRING_DATASOURCE_PASSWORD=$SPRING_DATASOURCE_PASSWORD
+
+COPY ./pom.xml ./pom.xml
+COPY src ./src/
+
+RUN mvn clean package -DskipTests -ntp && mv target/store-spring-1.0.0-exec.jar store-spring.jar
+
+# CDS training - dump class archive after Spring context initialization
+RUN java -XX:ArchiveClassesAtExit=/app.jsa \
+    -Dspring.context.exit=onRefresh \
+    -jar /store-spring.jar || true && \
+    test -s /app.jsa
+
+FROM public.ecr.aws/docker/library/amazoncorretto:25-al2023
+
+RUN yum install -y shadow-utils
+
+COPY --from=builder /store-spring.jar /store-spring.jar
+COPY --from=builder /app.jsa /app.jsa
+
+RUN groupadd --system spring -g 1000 && \
+    adduser spring -u 1000 -g 1000
+
+USER 1000:1000
+EXPOSE 8080
+
+ENTRYPOINT ["java", "-XX:SharedArchiveFile=/app.jsa", "-jar", "-Dserver.port=8080", "/store-spring.jar"]

apps/dockerfiles-java25/Dockerfile.07-aot

@@ -0,0 +1,63 @@
+FROM public.ecr.aws/docker/library/maven:3-amazoncorretto-25-al2023 AS builder
+
+COPY ./pom.xml ./pom.xml
+COPY src ./src/
+
+RUN mvn clean package -DskipTests -ntp \
+    -Dspring-boot.aot.enabled=true && \
+    mv target/store-spring-1.0.0-exec.jar app.jar
+
+FROM public.ecr.aws/docker/library/amazoncorretto:25-al2023 AS trainer
+
+COPY --from=builder app.jar app.jar
+
+# Explode fat jar for AOT training
+RUN mkdir -p /ex && (cd /ex && jar -xf /app.jar) && \
+    mkdir -p /opt/app/training /opt/app/lib && \
+    (cd /ex/BOOT-INF/classes && jar -cf /opt/app/training/classes.jar .) && \
+    cp -r /ex/BOOT-INF/lib/* /opt/app/lib/
+
+# Create sorted classpath for deterministic ordering between training and runtime
+RUN ls /opt/app/lib/*.jar | sort | tr '\n' ':' | sed 's/:$//' > /opt/app/lib-cp.txt
+
+ENV MAIN_CLASS="com.unicorn.store.StoreApplication"
+
+# Optional: pass DB props for training to capture Hibernate/JDBC classes
+#   docker build --build-arg TRAINING_JAVA_OPTS="-Dspring.datasource.url=... -Dspring.datasource.username=... -Dspring.datasource.password=..." ...
+ARG TRAINING_JAVA_OPTS=""
+ENV TRAINING_JAVA_OPTS=${TRAINING_JAVA_OPTS}
+ENV TRAINING_JAVA_OPTS_DEFAULT="-Dspring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.springframework.boot.autoconfigure.liquibase.LiquibaseAutoConfiguration -Dspring.main.lazy-initialization=true"
+
+# Record AOT configuration
+RUN set -e; \
+    OPTS="${TRAINING_JAVA_OPTS}"; [ -z "${OPTS}" ] && OPTS="${TRAINING_JAVA_OPTS_DEFAULT}"; \
+    java -XX:AOTMode=record -XX:AOTConfiguration=/app.aotconf \
+    -cp "/opt/app/training/classes.jar:$(cat /opt/app/lib-cp.txt)" \
+    -Dspring.context.exit=onRefresh ${OPTS} ${MAIN_CLASS} || true && \
+    test -s /app.aotconf
+
+# Create AOT cache
+RUN set -e; \
+    OPTS="${TRAINING_JAVA_OPTS}"; [ -z "${OPTS}" ] && OPTS="${TRAINING_JAVA_OPTS_DEFAULT}"; \
+    java -XX:AOTMode=create -XX:AOTConfiguration=/app.aotconf \
+    -XX:AOTCache=/opt/app/app.aot \
+    -cp "/opt/app/training/classes.jar:$(cat /opt/app/lib-cp.txt)" \
+    ${OPTS} ${MAIN_CLASS} || true && \
+    test -s /opt/app/app.aot
+
+FROM public.ecr.aws/docker/library/amazoncorretto:25-al2023
+
+RUN yum install -y shadow-utils
+
+COPY --from=trainer /opt/app/training/classes.jar /opt/app/training/classes.jar
+COPY --from=trainer /opt/app/lib/ /opt/app/lib/
+COPY --from=trainer /opt/app/app.aot /opt/app/app.aot
+COPY --from=trainer /opt/app/lib-cp.txt /opt/app/lib-cp.txt
+
+RUN groupadd --system spring -g 1000
+RUN adduser spring -u 1000 -g 1000
+
+USER 1000:1000
+EXPOSE 8080
+
+ENTRYPOINT ["sh", "-c", "exec java -XX:AOTCache=/opt/app/app.aot -Dserver.port=8080 -cp /opt/app/training/classes.jar:$(cat /opt/app/lib-cp.txt) com.unicorn.store.StoreApplication"]

apps/dockerfiles-java25/Dockerfile.08-native

@@ -0,0 +1,30 @@
+FROM quay.io/quarkus/ubi-quarkus-mandrel-builder-image:jdk-25 AS builder
+
+USER root
+RUN microdnf install -y unzip zip
+
+USER 1001
+RUN \
+    curl -s "https://get.sdkman.io" | bash; \
+    bash -c "source $HOME/.sdkman/bin/sdkman-init.sh; \
+    sdk install maven;"
+
+COPY ./pom.xml ./pom.xml
+COPY src ./src/
+
+ENV MAVEN_OPTS='-Xmx8g'
+RUN bash -c "source $HOME/.sdkman/bin/sdkman-init.sh && mvn -DskipTests -ntp clean package -Pnative"
+
+FROM public.ecr.aws/docker/library/amazoncorretto:25-al2023
+
+RUN yum install -y shadow-utils
+
+COPY --from=builder /project/target/store-spring /
+
+RUN groupadd --system spring -g 1000
+RUN adduser spring -u 1000 -g 1000
+
+USER 1000:1000
+EXPOSE 8080
+
+ENTRYPOINT ["./store-spring", "-Dserver.port=8080"]

apps/dockerfiles-java25/Dockerfile.09-crac

@@ -0,0 +1,37 @@
+FROM azul/zulu-openjdk:25-jdk-crac-latest AS builder
+
+RUN apt-get -qq update && apt-get -qq install -y curl maven
+
+ARG SPRING_DATASOURCE_URL
+ENV SPRING_DATASOURCE_URL=$SPRING_DATASOURCE_URL
+ARG SPRING_DATASOURCE_USERNAME
+ENV SPRING_DATASOURCE_USERNAME=$SPRING_DATASOURCE_USERNAME
+ARG SPRING_DATASOURCE_PASSWORD
+ENV SPRING_DATASOURCE_PASSWORD=$SPRING_DATASOURCE_PASSWORD
+
+COPY ./pom.xml ./pom.xml
+COPY src ./src/
+
+RUN mvn clean package -DskipTests -ntp && mv target/store-spring-1.0.0-exec.jar store-spring.jar
+
+# Take checkpoint using Warp engine (no CRIU, no extra privileges)
+RUN java -Dspring.context.checkpoint=onRefresh \
+    -Djdk.crac.collect-fd-stacktraces=true \
+    -XX:CRaCEngine=warp \
+    -XX:CPUFeatures=generic \
+    -XX:CRaCCheckpointTo=/opt/crac-files \
+    -jar /store-spring.jar & PID=$! && wait ${PID} || true
+
+FROM azul/zulu-openjdk:25-jdk-crac-latest
+
+RUN apt-get -qq update && apt-get -qq install -y adduser \
+    && addgroup --system --gid 1000 spring \
+    && adduser --system --disabled-password --gecos "" --uid 1000 --gid 1000 spring
+
+COPY --from=builder --chown=1000:1000 /opt/crac-files /opt/crac-files
+COPY --from=builder --chown=1000:1000 /store-spring.jar /store-spring.jar
+
+USER 1000:1000
+EXPOSE 8080
+
+ENTRYPOINT ["java", "-XX:CRaCEngine=warp", "-XX:CRaCRestoreFrom=/opt/crac-files", "-Dserver.port=8080"]

apps/unicorn-store-spring-java25/pom.xml

@@ -275,6 +275,13 @@
             <activation>
                 <activeByDefault>true</activeByDefault>
             </activation>
+            <dependencies>
+                <dependency>
+                    <groupId>org.crac</groupId>
+                    <artifactId>crac</artifactId>
+                    <version>1.5.0</version>
+                </dependency>
+            </dependencies>
             <build>
                 <plugins>
                     <plugin>

infra/cfn/java-ai-agents-stack.yaml

@@ -400,7 +400,10 @@ Resources:
               - arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/*
               - arn:aws:iam::*:role/aws-service-role/cloudtrail.amazonaws.com/*
             Sid: CreateServiceLinkedRole
-          - Action: iam:GetRole
+          - Action:
+              - iam:GetRole
+              - iam:ListRoles
+              - iam:PassRole
             Effect: Allow
             Resource: "*"
             Sid: GetRole
@@ -772,6 +775,16 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeSecurityGroup73B02454
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeInternalSecurityGroupB0A5D76B
+                - GroupId
       ImageId:
         Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
       UserData:
@@ -923,16 +936,6 @@ Resources:
           - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
             - ","
             - Ref: VpcPublicSubnet2SubnetA811849C
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeSecurityGroup73B02454
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeInternalSecurityGroupB0A5D76B
-                - GroupId
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215: