
OpenJDK JRE docker image and fixes/patches


I am currently using the openjdk:11.0.11-jre-slim docker image.

By using the minor version of 11, do I lose out on patches / security fixes?

If a bug fix is made, will it be made in 11.0.11 or only in 11.0 and 11.0.12 for example?

Also, the same question for timezone IANA updates. Will they only be available in the major version and the next minor version?


Solution

  • In general, they will not change an existing minor version, so if you use 11.0.11, that will always be the same version. Unless there are real blocking issues that would make it unusable, so they might revoke the existing one and build a new one later.

    Patches or security fixes will result in newer minor numbers, so 11.0.12, 11.0.13, etc.

    The actual docker versions also include the OS, for example 11.0.13-jre-slim-bullseye is OpenJDK JRE 11.0.13 on the slimmed down Debian 11 (Bullseye) OS.

    To get the latest updates, it's better to use one of the aliases. They will change the alias when new releases come out, either for the OS or for the JDK.

    E.g. 11-jre-slim first was an alias for 11.0.8 on Debian 10 (Buster), but now is an alias for 11.0.13 on Debian 11 (Bullseye).

    However, this does not mean that existing images are updated automatically. If you use an alias, you should monitor it, and if the alias points to a new version, you still need to rebuild your images that were built on top of it.

    So if you use an alias like 11-jre-slim, you will get the latest version of both the JDK and the OS (the latest version that the openjdk docker maintainers released anyway). On the other hand, this could also mean that your application can break if it's not compatible with a JDK patch or OS update. So you best have a continuous integration pipeline to test the build thoroughly before going to production.

    The alternative is to use a fixed base version, e.g. 11.0.13-jre-slim-bullseye, and manually monitor when updates are needed, so you can plan time to manually verify and update each patch, or choose to stay on an older patch when possible. That requires a long-time investment, however.
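
The monitoring step for a fixed base tag can be scripted. The following is an added example, not part of the original answer: it parses tags of the shape quoted above and lists fully pinned tags that carry a newer JDK patch than the one in use. The tag grammar, the function names and the `PUBLISHED` list are assumptions made for illustration; the list is constructed, not fetched from a registry.

```python
import re

# Tag shape assumed from the tags quoted on this page:
#   <version>-<jre|jdk>[-slim][-<os codename>]
TAG_RE = re.compile(
    r"^(?P<version>\d+(?:\.\d+){0,2})-(?P<kind>jre|jdk)"
    r"(?P<slim>-slim)?(?:-(?P<os>[a-z]+))?$"
)

def parse_tag(tag):
    """Split an image tag into its JDK version, flavour and OS parts."""
    m = TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"unrecognised tag: {tag!r}")
    version = tuple(int(p) for p in m["version"].split("."))
    return {
        "version": version,
        "kind": m["kind"],
        "slim": m["slim"] is not None,
        "os": m["os"],
        "jdk_pinned": len(version) == 3,   # 11.0.13 rather than 11
        "os_pinned": m["os"] is not None,  # e.g. -bullseye
    }

def newer_patches(current, published):
    """Fully pinned tags, same major and flavour, with a higher JDK version."""
    cur = parse_tag(current)
    if not cur["jdk_pinned"]:
        raise ValueError("current tag is a floating alias, nothing to compare")
    hits = []
    for tag in published:
        try:
            cand = parse_tag(tag)
        except ValueError:
            continue  # skip tags outside the assumed shape, e.g. "latest"
        if (cand["jdk_pinned"] and cand["os_pinned"]
                and cand["version"][0] == cur["version"][0]
                and (cand["kind"], cand["slim"]) == (cur["kind"], cur["slim"])
                and cand["version"] > cur["version"]):
            hits.append((cand["version"], tag))
    return [tag for _, tag in sorted(hits)]

# Constructed sample tag listing (not real registry output).
PUBLISHED = ["latest", "11-jre-slim", "11.0.11-jre-slim-buster",
             "11.0.13-jre-slim-bullseye", "11.0.12-jre-slim-bullseye",
             "11.0.13-jdk-slim-bullseye", "17.0.1-jre-slim-bullseye"]

if __name__ == "__main__":
    print(newer_patches("11.0.11-jre-slim", PUBLISHED))
```
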