chore(container): upgrade to UBI9

.github/workflows/ci-code-analysis.yml

@@ -37,7 +37,7 @@ jobs:
         step: restore
     - uses: actions/setup-java@v4
       with:
-        java-version: '17'
+        java-version: '21'
         distribution: 'temurin'
     - name: Run spotbugs
       run: mvn -B -U compile spotbugs:check

.github/workflows/pr-ci.yaml

@@ -110,7 +110,7 @@ jobs:
         fetch-depth: 0
     - uses: actions/setup-java@v4
       with:
-        java-version: '17'
+        java-version: '21'
         distribution: 'temurin'
         cache: 'maven'
     - run: git submodule init && git submodule update
@@ -192,7 +192,7 @@ jobs:
         fetch-depth: 0
     - uses: actions/setup-java@v4
       with:
-        java-version: '17'
+        java-version: '21'
         distribution: 'temurin'
         cache: 'maven'
     - run: git submodule init && git submodule update

.github/workflows/push-ci.yaml

@@ -63,7 +63,7 @@ jobs:
         fetch-depth: 0
     - uses: actions/setup-java@v4
       with:
-        java-version: '17'
+        java-version: '21'
         distribution: 'temurin'
         cache: 'maven'
     - run: git submodule init && git submodule update

README.md

@@ -57,7 +57,7 @@ We welcome and appreciate any contributions from our community. Please visit our
 
 Build requirements:
 - git
-- JDK 17+
+- JDK 21+
 - Maven v3+
 - [Quarkus CLI](https://quarkus.io/guides/cli-tooling) v3.4.1+ (Recommended)
 - [Podman](https://podman.io/docs/installation) 4.7+

compose/auth_proxy.yml

@@ -12,12 +12,6 @@ services:
       QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX: "true"
       QUARKUS_HTTP_ACCESS_LOG_PATTERN: long
       QUARKUS_HTTP_ACCESS_LOG_ENABLED: "true"
-    healthcheck:
-      test: curl --fail http://cryostat:8181/health/liveness || exit 1
-      interval: 10s
-      retries: 3
-      start_period: 30s
-      timeout: 5s
   auth:
     # the proxy does not actually depend on cryostat being up, but we use this
     # to ensure that when the smoketest tries to open the auth login page in a
@@ -31,7 +25,7 @@ services:
         limits:
           cpus: "0.1"
           memory: 32m
-    image: ${OAUTH2_PROXY_IMAGE:-quay.io/oauth2-proxy/oauth2-proxy:latest}
+    image: ${OAUTH2_PROXY_IMAGE:-quay.io/oauth2-proxy/oauth2-proxy:latest-alpine}
     command:
       - --alpha-config=/tmp/auth_proxy_alpha_config.yml
     volumes:
@@ -49,10 +43,10 @@ services:
       CRYOSTAT_PROXY_PORT: ${CRYOSTAT_PROXY_PORT}
     restart: unless-stopped
     healthcheck:
-      test: wget -q --spider ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/ping || exit 1
+      test: wget --no-check-certificate -q --spider ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/ping || exit 1
       interval: 10s
       retries: 3
-      start_period: 30s
+      start_period: 10s
       timeout: 5s
 
 volumes:

compose/cryostat-grafana.yml

@@ -26,5 +26,5 @@ services:
       test: curl --fail http://localhost:3000/ || exit 1
       retries: 3
       interval: 30s
-      start_period: 30s
+      start_period: 10s
       timeout: 1s

compose/cryostat.yml

@@ -25,8 +25,8 @@ services:
       CRYOSTAT_DISCOVERY_DOCKER_ENABLED: ${CRYOSTAT_DISCOVERY_DOCKER_ENABLED:-true}
       JAVA_OPTS_APPEND: >-
         -XX:+FlightRecorder
-        -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m
-        -XX:StartFlightRecording=name=startup,settings=profile,disk=true,duration=30s
+        -XX:StartFlightRecording=filename=/tmp,name=onstart,settings=default,disk=true,maxage=5m
+        -XX:StartFlightRecording=filename=/tmp,name=startup,settings=profile,disk=true,duration=30s
         -Dcom.sun.management.jmxremote.autodiscovery=true
         -Dcom.sun.management.jmxremote
         -Dcom.sun.management.jmxremote.port=9091
@@ -36,12 +36,14 @@ services:
         -Dcom.sun.management.jmxremote.ssl=false
         -Dcom.sun.management.jmxremote.local.only=false
     restart: unless-stopped
-    healthcheck:
-      test: curl --fail http://cryostat:${CRYOSTAT_HTTP_PORT}/health/liveness || exit 1
-      interval: 10s
-      retries: 3
-      start_period: 30s
-      timeout: 5s
+    # FIXME reenable this check. Somehow after upgrading to Quarkus 3.8, this check fails with 'connection refused',
+    # but the container comes up successfully without it and shelling into the container later to run curl succeeds
+    # healthcheck:
+    #   test: curl --fail http://cryostat:${CRYOSTAT_HTTP_PORT}/health/liveness || exit 1
+    #   interval: 10s
+    #   retries: 3
+    #   start_period: 30s
+    #   timeout: 5s
 
 volumes:
   jmxtls_cfg:

compose/cryostat_docker.yml

@@ -35,7 +35,7 @@ services:
       CRYOSTAT_DISCOVERY_JDP_ENABLED: "true"
       JAVA_OPTS_APPEND: >-
         -XX:+FlightRecorder
-        -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m
+        -XX:StartFlightRecording=filename=/tmp,name=onstart,settings=default,disk=true,maxage=5m
         -Dcom.sun.management.jmxremote.autodiscovery=true
         -Dcom.sun.management.jmxremote
         -Dcom.sun.management.jmxremote.port=9091

compose/cryostat_k8s.yml

@@ -20,7 +20,7 @@ services:
     environment:
       CRYOSTAT_DISCOVERY_PODMAN_ENABLED: "false"
       CRYOSTAT_DISCOVERY_JDP_ENABLED: "true"
-      JAVA_OPTS_APPEND: "-XX:+FlightRecorder -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false"
+      JAVA_OPTS_APPEND: "-XX:+FlightRecorder -XX:StartFlightRecording=filename=/tmp,name=onstart,settings=default,disk=true,maxage=5m -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false"
     restart: always
     healthcheck:
       test: curl --fail http://localhost:8181/health/liveness || exit 1

compose/db.yml

@@ -27,7 +27,7 @@ services:
       test: pg_isready -U cryostat -d cryostat || exit 1
       interval: 10s
       retries: 3
-      start_period: 30s
+      start_period: 10s
       timeout: 5s
 
 volumes:

compose/jfr-datasource.yml

@@ -29,8 +29,8 @@ services:
         -Dcom.sun.management.jmxremote.ssl=false
         -Dcom.sun.management.jmxremote.local.only=false
     healthcheck:
-      test: curl --fail ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/ || exit 1
+      test: curl --fail http://localhost:8080/ || exit 1
       retries: 3
       interval: 30s
-      start_period: 30s
+      start_period: 10s
       timeout: 1s

compose/sample_apps/vertx-cryostat-agent.yml

@@ -63,7 +63,7 @@ services:
       - "8911"
     restart: always
     healthcheck:
-      test: curl --fail http://localhost:8081 || exit 1
+      test: curl --fail http://localhost:8082 || exit 1
       interval: 10s
       retries: 3
       start_period: 30s
@@ -102,7 +102,7 @@ services:
       - "8912"
     restart: always
     healthcheck:
-      test: curl --fail http://localhost:8081 || exit 1
+      test: curl --fail http://localhost:8083 || exit 1
       interval: 10s
       retries: 3
       start_period: 30s
@@ -126,7 +126,7 @@ services:
       - "8084:8084"
     restart: always
     healthcheck:
-      test: curl --fail http://localhost:8081 || exit 1
+      test: curl --fail http://localhost:8084 || exit 1
       interval: 10s
       retries: 3
       start_period: 30s

pom.xml

@@ -22,7 +22,7 @@
 
   <properties>
     <quarkus.application.version>${cryostat.imageVersionLower}</quarkus.application.version>
-    <java.version>17</java.version>
+    <java.version>21</java.version>
     <maven.compiler.release>${java.version}</maven.compiler.release>
     <maven.compiler.source>${java.version}</maven.compiler.source>
     <maven.compiler.target>${java.version}</maven.compiler.target>
@@ -35,21 +35,17 @@
     <io.cryostat.core.version>4.0.0-SNAPSHOT</io.cryostat.core.version>
     <org.openjdk.jmc.version>9.0.0</org.openjdk.jmc.version>
 
-    <org.apache.commons.codec.version>1.16.1</org.apache.commons.codec.version>
     <org.apache.commons.io.version>2.16.1</org.apache.commons.io.version>
     <org.apache.commons.collections.version>4.4</org.apache.commons.collections.version>
-    <org.apache.httpcomponents.version>5.2.1</org.apache.httpcomponents.version>
-    <org.apache.commons.lang3.version>3.14.0</org.apache.commons.lang3.version>
     <org.apache.commons.validator.version>1.8.0</org.apache.commons.validator.version>
     <org.projectnessie.cel.bom.version>0.4.4</org.projectnessie.cel.bom.version>
     <com.google.protobuf-java.version>3.25.2</com.google.protobuf-java.version>
     <com.nimbusds.jose.jwt.version>9.40</com.nimbusds.jose.jwt.version>
     <org.testcontainers.bom.version>1.20.1</org.testcontainers.bom.version>
     <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
     <quarkus.platform.group-id>io.quarkus.platform</quarkus.platform.group-id>
-    <quarkus.platform.version>3.2.12.Final</quarkus.platform.version>
-    <quarkus-quinoa.version>2.2.5</quarkus-quinoa.version>
-    <io.netty.version>4.1.108.Final</io.netty.version>
+    <quarkus.platform.version>3.8.6</quarkus.platform.version>
+    <quarkus-quinoa.version>2.3.10</quarkus-quinoa.version>
     <org.codehaus.mojo.build.helper.plugin.version>3.6.0</org.codehaus.mojo.build.helper.plugin.version>
     <org.codehaus.mojo.exec.plugin.version>3.4.1</org.codehaus.mojo.exec.plugin.version>
     <assembly-plugin.version>3.7.1</assembly-plugin.version>
@@ -60,19 +56,12 @@
     <com.google.java-format.version>1.23.0</com.google.java-format.version>
     <com.mycila.license.maven.plugin.version>4.5</com.mycila.license.maven.plugin.version>
     <surefire-plugin.version>3.5.0</surefire-plugin.version>
-    <surefire.rerunFailingTestsCount>2</surefire.rerunFailingTestsCount>
+    <surefire.rerunFailingTestsCount>0</surefire.rerunFailingTestsCount>
     <failsafe-plugin.version>3.5.0</failsafe-plugin.version>
     <failsafe.rerunFailingTestsCount>${surefire.rerunFailingTestsCount}</failsafe.rerunFailingTestsCount>
   </properties>
   <dependencyManagement>
     <dependencies>
-      <dependency>
-        <groupId>io.netty</groupId>
-        <artifactId>netty-bom</artifactId>
-        <version>${io.netty.version}</version>
-        <type>pom</type>
-        <scope>import</scope>
-      </dependency>
       <dependency>
         <groupId>${quarkus.platform.group-id}</groupId>
         <artifactId>${quarkus.platform.artifact-id}</artifactId>
@@ -161,6 +150,10 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-vertx</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-netty</artifactId>
+    </dependency>
     <dependency>
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-smallrye-openapi</artifactId>
@@ -225,12 +218,10 @@
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
-      <version>${org.apache.commons.lang3.version}</version>
     </dependency>
     <dependency>
       <groupId>commons-codec</groupId>
       <artifactId>commons-codec</artifactId>
-      <version>${org.apache.commons.codec.version}</version>
     </dependency>
     <dependency>
       <groupId>commons-io</groupId>
@@ -327,7 +318,7 @@
           </execution>
         </executions>
         <configuration>
-          <jvmArgs>-Dcryostat.discovery.jdp.enabled=true -Dcryostat.discovery.podman.enabled=true -XX:+FlightRecorder -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false</jvmArgs>
+          <jvmArgs>-Dcryostat.discovery.jdp.enabled=true -Dcryostat.discovery.podman.enabled=true -XX:+FlightRecorder -XX:StartFlightRecording=filename=/tmp/,name=onstart,settings=default,disk=true,maxage=5m -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false</jvmArgs>
         </configuration>
       </plugin>
       <plugin>
@@ -566,7 +557,6 @@
         <dependency>
           <groupId>io.netty</groupId>
           <artifactId>netty-transport-native-epoll</artifactId>
-          <version>${io.netty.version}</version>
           <classifier>${io.netty.netty-transport-native-epoll.classifier}</classifier>
           <scope>${io.netty.netty-transport-native-epoll.scope}</scope>
         </dependency>

schema/openapi.yaml

@@ -85,6 +85,7 @@ components:
     DiscoveryPlugin:
       properties:
         builtin:
+          readOnly: true
           type: boolean
         callback:
           format: uri
@@ -296,6 +297,7 @@ components:
     Target:
       properties:
         agent:
+          readOnly: true
           type: boolean
         alias:
           pattern: \S
@@ -347,11 +349,6 @@ components:
         meta:
           $ref: '#/components/schemas/Meta'
       type: object
-  securitySchemes:
-    SecurityScheme:
-      description: Authentication
-      scheme: basic
-      type: http
 info:
   contact:
     email: [email protected]
@@ -913,7 +910,7 @@ paths:
             type: string
       requestBody:
         content:
-          application/json:
+          text/plain:
             schema:
               type: string
       responses:
@@ -1906,7 +1903,7 @@ paths:
       responses:
         "200":
           content:
-            application/json:
+            text/plain:
               schema:
                 type: string
           description: OK
@@ -2393,13 +2390,13 @@ paths:
             type: integer
       requestBody:
         content:
-          application/json:
+          text/plain:
             schema:
               type: string
       responses:
         "200":
           content:
-            application/json:
+            text/plain:
               schema:
                 type: string
           description: OK
@@ -2429,7 +2426,7 @@ paths:
       responses:
         "200":
           content:
-            application/json:
+            text/plain:
               schema:
                 type: string
           description: OK

src/main/docker/Dockerfile.jvm

@@ -77,7 +77,7 @@
 #   accessed directly. (example: "foo.example.com,bar.example.com")
 #
 ###
-FROM registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20-3.1724181070
+FROM registry.access.redhat.com/ubi9/openjdk-21-runtime:1.20-2.1725851019
 
 ENV LANGUAGE='en_US:en'
 
@@ -107,7 +107,7 @@ ENV SSL_TRUSTSTORE=$CONF_DIR/truststore.p12 \
 USER root
 RUN mkdir -p $CONF_DIR \
     && chmod -R g=u $CONF_DIR \
-    && chown jboss:root $CONF_DIR
+    && chown default:root $CONF_DIR
 USER 185
 
 RUN /deployments/app/truststore-setup.bash

src/main/docker/include/truststore-setup.bash

@@ -15,7 +15,7 @@ cd "$CONF_DIR"
 keytool -importkeystore \
     -noprompt \
     -storetype PKCS12 \
-    -srckeystore /usr/lib/jvm/jre-17-openjdk/lib/security/cacerts \
+    -srckeystore /usr/lib/jvm/jre-openjdk/lib/security/cacerts \
     -srcstorepass changeit \
     -destkeystore "$SSL_TRUSTSTORE" \
     -deststorepass "$SSL_TRUSTSTORE_PASS"