The document discusses best practices for running JVMs in containers. It recommends reducing container and application startup latency by minimizing layers and image sizes. The Java runtime can be optimized for containers by trimming modules, compressing files, and using lightweight operating systems. Class data sharing and GraalVM native images further improve startup times and footprints. The JVM should also behave in a container-aware way and the latest Java version should be used for security. Overall, following container security practices and choosing base images wisely is advised.

1. Copyright © 2019 Oracle and/or its affiliates.
JVMs in Containers
Best Practices
David Delabassée - @delabassee
DevRel
Java Platform Group - Oracle
November 2019

2. Copyright © 2019 Oracle and/or its affiliates.
@delabassee
Java Platform Group
Oracle

3. The following is intended to outline our general product direction. It is intended for information purposes
only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code,
or functionality, and should not be relied upon in making purchasing decisions. The development,
release, timing, and pricing of any features or functionality described for Oracle’s products may change
and remains at the sole discretion of Oracle Corporation.
Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and
prospects are “forward-looking statements” and are subject to material risks and uncertainties. A detailed
discussion of these factors and other risks that affect our business is contained in Oracle’s Securities and
Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and Form 10-Q
under the heading “Risk Factors.” These filings are available on the SEC’s website or on Oracle’s website
at http://www.oracle.com/investor. All information in this presentation is current as of September 2019
and Oracle undertakes no duty to update any statement in light of new information or future events.
Safe Harbor
Copyright © 2019 Oracle and/or its affiliates.

4. Copyright © 2019 Oracle and/or its affiliates.
Containers

5. • Package Software into Standardized Units
- Development
- Shipment
- Deployment
• Runtimes
- Docker, CRI-O, Podman, LXC, rkt, runC, systemd-nspawn, OpenVZ, etc.
Copyright © 2019 Oracle and/or its affiliates.
Container

6. Copyright © 2019 Oracle and/or its affiliates.
Container vs. VM
Infrastructure
Infrastructure
Host OS
Host OS
Hypervisor
Container Daemon
Guest OS A
Bin/libs
App #1
Bin/libs
App #1
Bin/libs
App #2
Guest OS B
Bin/libs
App #2

7. Java
Copyright © 2019 Oracle and/or its affiliates.

8. Tools
docker-maven-plugin
Jib + jib-maven-plugin
Testcontainers
…
Copyright © 2019 Oracle and/or its affiliates.
JVM Container Tooling
FaaS
Fn Project
OpenFaaS
OpenWhisk
…
Frameworks
Helidon
Quarkus
Micronaut
…

9. • JVM should behave as a good (Container) citizen
• “Improved latency”
Copyright © 2019 Oracle and/or its affiliates.
JVM in Containers

10. Hello Container
Demo
Copyright © 2019 Oracle and/or its affiliates.

11. Latency
Copyright © 2019 Oracle and/or its affiliates.

12. Copyright © 2019 Oracle and/or its affiliates.
Latency
Container Start-Up

13. • 3 “core” layers
- Java application and its dependencies
- Java Runtime
- Operating System
• ⇨ Reduce layers size
Copyright © 2019 Oracle and/or its affiliates.
Stack of Layers

14. • Dependencies
• Leverage Container cache layer mechanism
• Anything that is (relatively) static in its own layer
• Fat JAR
• CDS Shared Archive
Copyright © 2019 Oracle and/or its affiliates.
Stack of Layers

15. Copyright © 2019 Oracle and/or its affiliates.
Java Runtime Image
Modules jlink flags MB
JDK Whole JDK! 316 100%
Runtime image All (explicit) --add-modules $(java --list-modules) 178 56% 100%
Custom runtime image Required modules only --add-modules $(jdeps --print-module-deps …) 50 16% 28%
… --no-header-files --no-man-pages
--strip-java-debug-attributes 44 14% 25%
… --compress=1 37 12% 21%
… --compress=2 34 11% 19%
316 MB 178 MB 50 MB 34 MB
Serverless Java function (Fn) - openjdk:13

16. • musl
Lightweight, fast, simple, free, C standard library implementation
https://www.musl-libc.org
• Alpine
Security-oriented, lightweight Linux distro with 4MB base image
https://www.alpinelinux.org
• Project Portola
Run the JVM on musl
https://openjdk.java.net/projects/portola/
Copyright © 2019 Oracle and/or its affiliates.
Operating System

17. Copyright © 2019 Oracle and/or its affiliates.

18. Copyright © 2019 Oracle and/or its affiliates.
Java Runtime Image
Minecraft server
java.base, java.compiler, java.desktop, java.management, java.naming,
java.rmi, java.scripting, java.sql, jdk.sctp, jdk.unsupported, jdk.zipfs
openjdk:13 - 12 modules 88 MB
--strip-debug --strip-java-debug-attributes -14 MB
--compress=1 -18 MB
--compress=2 -31 MB
--no-header-file --no-man-pages 0 MB (*)
openjdk-11-jdk (debian:buster) - all modules 554 MB (!!)
12 modules 469 MB
--strip-native-debug-symbols (new)

19. Copyright © 2019 Oracle and/or its affiliates.
Latency
Application Start-Up

20. 0
10
20
30
40
50
60
70
80
90
8 9 10 11 12 13
time(ms)
Hello World
Copyright © 2019 Oracle and/or its affiliates.
Startup Time
• Bootstrap regressions in JDK 9 fixed! Keep on fixing!
• +120 startup-related enhancements in JDK 10 through JDK 13!

21. • Reduce memory footprint between multiple JVMs by sharing
common class metadata
• Improve startup time
• How?
- Loads classes from JAR file into a private internal representation
- Dumps it to a shared archive
- When JVMs (re)starts, the archive is memory-mapped to allow sharing of
R/O JVM metadata for these classes among multiple JVMs
Copyright © 2019 Oracle and/or its affiliates.
Class Data Sharing

22. CDS
Demo
Copyright © 2019 Oracle and/or its affiliates.

23. Copyright © 2019 Oracle and/or its affiliates.
Application CDS

24. Copyright © 2019 Oracle and/or its affiliates.
Application CDS
jdk-08-u202-b08-hotspot
jruby -e 1
real 0m1.601s
user 0m4.434s
sys 0m0.234s
jruby --dev -e 1
real 0m1.216s
user 0m1.646s
sys 0m0.162s
jruby --disable-gems --dev -e 1
real 0m0.853s
user 0m1.030s
sys 0m0.113s
jdk-13.jdk
… -J-XX:SharedArchiveFile=jruby.jsa
real 0m1.491s
user 0m3.378s
sys 0m0.220s
… -J-XX:SharedArchiveFile=jruby.jsa
real 0m1.089s
user 0m1.644s
sys 0m0.133s
… -J-XX:SharedArchiveFile=jruby.jsa
real 0m0.717s
user 0m0.944s
sys 0m0.110s

25. • Java 5 - Limited to system classes and serial GC
• Java 9 - Application CDS and other GCs (commercial feature + JEP 250)
• Java 10 - Application CDS (JEP 310)
• Java 12 - Default CDS Archives (JEP 341)
• Java 13 - Dynamic CDS Archives (JEP 350)
- Dynamic archiving of classes at the end of application execution
-XX:ArchiveClassesAtExit=my-app-cds.jsa
Copyright © 2019 Oracle and/or its affiliates.
Class Data Sharing

26. • High Performance Universal Virtual Machine
• Polyglot
• …
• Native Image
- Reduced startup time
- Improved foot-print
- Reduced image size
Copyright © 2019 Oracle and/or its affiliates.
GraalVM
https://www.graalvm.org

27. • Java 8 & 11
• Not supported
- InvokeDynamic and Method Handles, Dynamic Class Un/Loading, Finalizers, Security
Manager
- JVMTI, JMX, other native VM interfaces
• Mostly supported, or supported via configuration
- Reflections, Dynamic Proxy, JNI, Unsafe Memory Access, Static Initializers, References
Copyright © 2019 Oracle and/or its affiliates.
GraalVM limitations
https://github.com/oracle/graal/blob/master/substratevm/LIMITATIONS.md

28. Copyright © 2019 Oracle and/or its affiliates.
Container
JVM should behave as a good citizen

29. JDK-8179498 attach should be relative to /proc/pid/root and namespace
aware as jcmd, jstack, ... fail to attach (10)
JDK-8146115 Improve Docker container detection & resource config usage (10)
JDK-8193710 jcmd –l & jps do not list Java processes running in containers (11)
JDK-8203357 Container Metrics (11)
JDK-8186248 More flexibility in selecting Heap % of available RAM (8u144)
JDK-8203359 JFR jdk.CPUInformation event reports incorrect information when
running in Docker container (open)
JDK-8228428 OperatingSystemMXBean should be made container aware (open 14)
…
Copyright © 2019 Oracle and/or its affiliates.
Container Awareness

30. • The JVM tunes itself based on the system it runs on
• Behavior-Based Tuning dynamically optimizes the sizes of the heap
to meet an expected behavior
- Maximum Pause-time (-XX:MaxGCPauseMillis)
- Or Application Throughput (-XX:GCTimeRatio)
• Sets defaults for the GC, heap size, and runtime compiler
Copyright © 2019 Oracle and/or its affiliates.
Ergonomics
https://docs.oracle.com/en/java/javase/13/gctuning/ergonomics.html

31. Ergonomics
Demo
Copyright © 2019 Oracle and/or its affiliates.

32. Copyright © 2019 Oracle and/or its affiliates.
Wrap-Up

33. • Reduced “latency”
- Container Startup
- Application Startup
• JVM behaves as a good (Container) citizen
Copyright © 2019 Oracle and/or its affiliates.
JVMs in Containers

34. • Use the latest Java version and never java:latest !!!
• Only rely on actively-supported versions!
• Use a JRE Java runtime image instead of a JDK
• Move startup costs to the build phase
• It’s “containers as usual”
- Docker-bench-security, Snyk, Clair, Anchore, etc.
- Small(er) is better
- Reduce the potential attack surface
- Multistage build, etc.
Copyright © 2019 Oracle and/or its affiliates.
JVMs in Containers

35. Copyright © 2019 Oracle and/or its affiliates.
Choose your base image wisely

36. Copyright © 2019 Oracle and/or its affiliates.
Choose your base image wisely
and secure it!

37. ありがとうございます
Copyright © 2019 Oracle and/or its affiliates.
DevRel
Java Platform Group - Oracle
October 2019
David Delabassée - @delabassee