Spring Boot Docker

Many people are using containers to wrap their Spring Boot applications, and building containers is not a simple thing to do.
许多人正在使用容器打包他们的Spring Boot应用程序,但是构建容器并不是一件简单的事情。

This is a guide for developers of Spring Boot applications, and containers are not always a good abstraction for developers - they force you to learn about and think about very low level concerns - but you will on occasion be called on to create or use a container, so it pays to understand the building blocks.
这是一篇写给Spring Boot 应用程序开发人员的指南,容器对于开发人员来说并不总是一个好的抽象-它们迫使你去学习思考非常低层次的问题-但是你有时又需要去创建或使用容器,所以理解构造模块是有好处的。

Here we aim to show you some of the choices you can make if you are faced with the prospect of needing to create your own container.

We will assume that you know how to create and build a basic Spring Boot application. If you don’t, go to one of the Getting Started Guides, for example the one on building a REST Service.
我们假设你知道如何去创建和构建一个基础的Spring Boot应用程序。如果你不知道,建议你去找一个入门指南Getting Started Guides, 例如那个关于构建REST服务REST Service的指南.

Copy the code from there and practise with some of the ideas below.

There is also a Getting Started Guide on Docker, which would also be a good starting point, but it doesn’t cover the range of choices that we have here, or in as much detail.


A Basic Dockerfile

A Spring Boot application is easy to convert into an executable JAR file.
一个Spring Boot 应用程序能够非常容易的被打包为一个可执行的JAR文件。

All the Getting Started Guides do this, and every app that you download from Spring Initializr will have a build step to create an executable JAR.
所有的入门指南都会介绍如何将Spring Boot应用程序打包为一个可执行的Jar文件,并且每个你从Spring Initializr网站上下载的应用程序都有创建一个可执行JAR文件的步骤。

With Maven you ./mvnw install and with Gradle you ./gradlew build
Maven使用 ./mvnw install 创建可执行jar文件,Gradle使用 ./gradlew build创建可执行jar文件

A basic Dockerfile to run that JAR would then look like this, at the top level of your project:

FROM openjdk:8-jdk-alpine			#使用openjdk:8-jdk-alpine作为基础镜像
VOLUME /tmp							#设置与主机的共享目录tmp
ARG JAR_FILE						#定义JAR_FILE变量,在使用docker build时可以使用--build-arg <varname>=<value>对他赋值
COPY ${JAR_FILE} app.jar			#将JAR_FILE路径下的文件拷贝成app.jar文件
ENTRYPOINT ["java","-jar","/app.jar"]#使用java -jar命令运行app.jar文件

The JAR_FILE could be passed in as part of the docker command (it will be different for Maven and Gradle). E.g. for Maven:
JAR_FILE变量能够作为docker命令的一部分进行传递(Maven和Gradle的用法会有所不同). Maven如下:

# build 命令用于创建镜像,--build-args选项这里用于指定jar的文件路径,-t命令用于设置镜像标签,.其实是DockerFile的路径
# 这里就是利用当前目录下的DockerFile文件创建标签为myorg/myapp的镜像,并将jar文件的路径传入到DockerFile中
$ docker build --build-args=target/*.jar -t myorg/myapp .

# 在本地实验环境 Docker version 19.03.2中
docker build --build-arg JAR_FILE=target/*.jar -t myorg/myapp .

Gradle 如下:

# SpringBoot官网命令
$ docker build --build-args=build/libs/*.jar -t myorg/myapp .

Of course, once you have chosen a build system, you don’t need the ARG - you can just hard code the jar location. E.g. for Maven:

FROM openjdk:8-jdk-alpine
COPY target/*.jar app.jar
ENTRYPOINT ["java", "-jar", "/app.jar"]

Then we can simply build an image with

$ docker build -t myorg/myapp .

and run it like this:

# run命令用于运行镜像(也叫创建容器),并将主机的8080端口和容器的8080端口连接
$ docker run -p 8080:8080 myorg/myapp

docker修改arl灯塔里面的配置 docker build args_jar

If you want to poke around inside the image you can open a shell in it like this (the base image does not have bash):

如果你想浏览镜像里的内容你可以像下面一样打开一个shell(基础镜像是没有bash shell的):

docker run -ti --entrypoint /bin/sh myorg/myapp

docker修改arl灯塔里面的配置 docker build args_应用程序_02

The docker configuration is very simple so far, and the generated image is not very efficient.


The docker image has a single filesystem layer with the fat jar in it, and every change we make to the application code changes that layer, which might be 10MB or more (even as much as 50MB for some apps).

We can improve on that by splitting the JAR up into multiple layers.

Smaller Images(JRE)

Notice that the base image in the example above is openjdk:8-jdk-alpine.

The alpine images are smaller than the standard openjdk library images from Dockerhub.

There is no official alpine image for Java 11 yet (AdoptOpenJDK had one for a while but it no longer appears on their Dockerhub page).
现在还没有官方的java 11的alpine镜像(AdoptOpenJDK 曾经有过一段时间,但是已经不再出现在他们的Dockerhub page上了)。

You can also save about 20MB in the base image by using the “jre” label instead of “jdk”.

Not all apps work with a JRE (as opposed to a JDK), but most do, and indeed some organizations enforce a rule that every app has to because of the risk of misuse of some of the JDK features (like compilation).

Another trick that could get you a smaller image is to use JLink, which is bundled with OpenJDK 11.
另一能让你获得一个更小的镜像的技巧是使用捆绑在OpenJDK 11中的JLink

JLink allows you to build a custom JRE distribution from a subset of modules in the full JDK, so you don’t need a JRE or JDK in the base image.

In principle this would get you a smaller total image size than using the openjdk official docker images.

In practice, you won’t (yet) be able to use the alpine base image with JDK 11, so your choice of base image will be limited and will probably result in a larger final image size.
实际上,你还不能使用JDK 11alpine版本的基础镜像,所以你对与基础镜像的选择将受到限制并且最终得到一个更大的镜像。

Also, a custom JRE in your own base image cannot be shared amongst other applications, since they would need different customizations.

So you might have smaller images for all your applications, but they still take longer to start because they don’t benefit from caching the JRE layer.

That last point highlights a really important concern for image builders: the goal is not necessarily always going to be to build the smallest image possible.

Smaller images are generally a good idea because they take less time to upload and download, but only if none of the layers in them are already cached.

Image registries are quite sophisticated these days and you can easily lose the benefit of those features by trying to be clever with the image construction.

If you use common base layers, the total size of an image is less of a concern, and will probably become even less of one as the registries and platforms evolve.

Having said that, it is still important, and useful, to try and optimize the layers in our application image, but the goal should always be to put the fastest changing stuff in the highest layers, and to share as many of the large, lower layers as possible with other applications.

A Better Dockerfile

A Spring Boot fat jar naturally has “layers” because of the way that the jar itself is packaged.

If we unpack it first it will already be divided into external and internal dependencies.

To do this in one step in the docker build, we need to unpack the jar first.

For example (sticking with Maven, but the Gradle version is pretty similar):
例如(仍然使用Maven, 但是Gradle版本非常类似):

$ mkdir target/dependency
$ (cd target/denpency; jar -xf ../*.jar)
$ docker build -t myorg/myapp .

with this Dockerfile

FROM openjdk:8-jdk-alpine
ARG DEPENDENCY=target/dependency
ENTRYPOINT ["java","-cp","app:app/lib/*","hello.Application"]

There are now 3 layers, with all the application resources in the later 2 layers.

If the application dependencies don’t change, then the first layer (from BOOT-INF/lib) will not change, so the build will be faster, and so will the startup of the container at runtime as long as the base layers are already cached.

We used a hard-coded main application class hello.Application. This will probably be different for your application. You could parameterize it with another ARG if you wanted. You could also copy the Spring Boot fat JarLauncher into the image and use it to run the app - it would work and you wouldn’t need to specify the main class, but it would be a bit slower on startup.

我们使用了一个硬编码主程序类文件hello.Application。这可能和你的应用程序不同。如果你想的话,你能够使用一个ARG变量参数化它。你也能够复制Spring Boot Jar启动器到镜像中,并且通过它去运行应用程序-这将会运行成功并且你不需要去指定主类,但是它在启动的时候会有一点慢。


docker修改arl灯塔里面的配置 docker build args_应用程序_03

ENTRYPOINT改写为ENTRYPOINT [“java”,"-cp",“app:app/lib/*”,“com.waichan.docker.DockerApplication”]


If you want to start your app as quickly as possible (most people do) there are some tweaks you might consider. Here are some ideas

  • Use the spring-context-indexer (link to docs). It’s not going to add much for small apps, but every little helps.
  • 使用spring-context-indexer。它不会让小应用程序启动加速很多,但是没一点都有帮助。
  • Don’t use actuators if you can afford not to.
  • 如果可以的话不要使用执行器。
  • Use Spring Boot 2.1 and Spring 5.1.
  • 使用Spring Boot 2.1 和 Spring 5.1版本。
  • Fix the location of the Spring Boot config file(s) with spring.config.location (command line argument or System property etc.).
  • 用spring.config.location(命令行参数或系统属性等)修复Spring Boot配置文件的位置。
  • Switch off JMX - you probably don’t need it in a container - with spring.jmx.enabled=false
  • 关闭JMX-在一个容器中你很可能不需要开启JMX - 使用spring.jmx.enabled=false配置。
  • Run the JVM with -noverify. Also consider -XX:TieredStopAtLevel=1 (that will slow down the JIT later at the expense of the saved startup time).
  • 使用-noverify选项运行JVM。也可以考虑-XX:TieredStopAlLevel=1参数配置(将会以降低JIT时间为代价节省启动时间)
  • Use the container memory hints for Java 8: -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap. With Java 11 this is automatic by default.
  • 为Java 8使用容器内存提示: -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap。在Java11中这些都默认自动配置。

Your app might not need a full CPU at runtime, but it will need multiple CPUs to start up as quickly as possible (at least 2, 4 are better).

If you don’t mind a slower startup you could throttle the CPUs down below 4.

If you are forced to start with less than 4 CPUs it might help to set -Dspring.backgroundpreinitializer.ignore=true since it prevents Spring Boot from creating a new thread that it probably won’t be able to use (this works with Spring Boot 2.1.0 and above).
如果你被强制要求使用数量少于4块的CPU启动应用程序,设置Dspring.backgroundpreinitializer.ignore=true可能会有所帮助它能够防止Spring Boot框架创建可能不被使用的新线程(使用Spring Boot 2.1.0或者更高版本可以使用)。

Multi-Stage Build

The Dockerfile above assumed that the fat JAR was already built on the command line.

You can also do that step in docker using a multi-stage build, copying the result from one image to another. Example, using Maven:

FROM openjdk:8-jdk-alpine as build
WORKDIR /workspace/app

COPY mvnw .
COPY .mvn .mvn
COPY pom.xml .
COPY src src

RUN ./mvnw install -DskipTests
RUN mkdir -p target/dependency && (cd target/dependency; jar -xf ../*.jar)

FROM openjdk:8-jdk-alpine
ARG DEPENDENCY=/workspace/app/target/dependency
COPY --from=build ${DEPENDENCY}/BOOT-INF/lib /app/lib
COPY --from=build ${DEPENDENCY}/BOOT-INF/classes /app
ENTRYPOINT ["java","-cp","app:app/lib/*","hello.Application"]

The first image is labelled “build” and it is used to run Maven and build the fat jar, then unpack it.

The unpacking could also be done by Maven or Gradle (this is the approach taken in the Getting Started Guide) - there really isn’t much difference, except that the build configuration would have to be edited and a plugin added.
解压缩的操作同样也能够被Maven或者Gradle执行(这是在入门指南中被采用的方法)- 这里并没有太多的不同,除非构建配置将被修改或者一个插件被添加。

Notice that the source code has been split into 4 layers.

The later layers contain the build configuration and the source code for the app, and the earlier layers contain the build system itself (the Maven wrapper).

This is a small optimization, and it also means that we don’t have to copy the target directory to a docker image, even a temporary one used for the build.

Every build where the source code changes will be slow because the Maven cache has to be re-created in the first RUN section.

But you have a completely standalone build that anyone can run to get your application running as long as they have docker.

That can be quite useful in some environments, e.g. where you need to share your code with people who don’t know Java.

Experimental Features

Docker 18.06 comes with some “experimental” features that includes a way to cache build dependencies.
Docker 18.06 带来了一些实验特性,里面包含了缓存构建依赖的方法。

To switch them on you need a flag in the daemon (dockerd) and also an environment variable when you run the client, and then you can add a magic first line to your

and then you can add a magic first line to your Dokerfile:


# syntax=docker/dockerfile:experimental

and the RUN directive then accepts a new flag --mount. Here’s a full example:

# syntax=docker/dockerfile:experimental
FROM openjdk:8-jdk-alpine as build
WORKDIR /workspace/app

COPY mvnw .
COPY .mvn .mvn
COPY pom.xml .
COPY src src

RUN --mount=type=cache,target=/root/.m2 ./mvnw install -DskipTests
RUN mkdir -p target/dependency && (cd target/dependency; jar -xf ../*.jar)

FROM openjdk:8-jdk-alpine
ARG DEPENDENCY=/workspace/app/target/dependency
COPY --from=build ${DEPENDENCY}/BOOT-INF/lib /app/lib
COPY --from=build ${DEPENDENCY}/BOOT-INF/classes /app
ENTRYPOINT ["java","-cp","app:app/lib/*","hello.Application"]

Then run it:

$ DOCKER_BUILDKIT=1 docker build -t myorg/myapp .
 => /bin/sh -c ./mvnw install -DskipTests              5.7s
 => exporting to image                                 0.0s
 => => exporting layers                                0.0s
 => => writing image sha256:3defa...
 => => naming to docker.io/myorg/myapp

With the experimental features you get a different output on the console, but you can see that a Maven build now only takes a few seconds instead of minutes, once the cache is warm.

While these features are in the experimental phase, the options for switching buildkit on and off depend on the version of docker that you are using.

Check the documentation for the version you have (the example above is correct for docker 18.0.6).
查询你现在正在使用的docker版本的文档(上面的例子在docker 18.0.6实验正确)

Build Plugins

If you don’t want to call docker directly in your build, there is quite a rich set of plugins for Maven and Gradle that can do that work for you. Here are just a few.

Spotify Maven Plugin(使用上述第二种Dockerfile进行实验)

The Spotify Maven Plugin is a popular choice. It requires the application developer to write a Dockerfile and then runs docker for you, just as if you were doing it on the command line.
Spotify Maven Plugin 是一个受欢迎的选择。它要求应用程序开发者为你编写Dockerfile同时运行docker,就好像你在命令行上操作一样。

There are some configuration options for the docker image tag and other stuff, but it keeps the docker knowledge in your application concentrated in a Dockerfile, which many people like.

For really basic usage it will work out of the box with no extra configuration:

$ mvn com.spotify:dockerfile-maven-plugin:build
[INFO] Building Docker context /home/dsyer/dev/demo/workspace/myapp
[INFO] Image will be built without a name
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 7.630 s
[INFO] Finished at: 2018-11-06T16:03:16+00:00
[INFO] Final Memory: 26M/595M
[INFO] ------------------------------------------------------------------------

That builds an anonymous docker image. We can tag it with docker on the command line now, or use Maven configuration to set it as the repository. Example (without changing the pom.xml):

$ mvn com.spotify:dockerfile-maven-plugin:build -Ddockerfile.repository=myorg/myapp

Or in the pom.xml:


Continuous Integration

Automation is part of every application lifecycle these days (or should be).

The tools that people use to do the automation tend to be quite good at just invoking the build system from the source code.

So if that gets you a docker image, and the environment in the build agents is sufficiently aligned with developer’s own environment, that might be good enough.

Authenticating to the docker registry is likely to be the biggest challenge, but there are features in all the automation tools to help with that.

However, sometimes it is better to leave container creation completely to an automation layer, in which case the user’s code might not need to be polluted.

Container creation is tricky, and developers sometimes don’t really care about it.

If the user code is cleaner there is more chance that a different tool can “do the right thing”, applying security fixes, optimizing caches etc.

There are multiple options for automation and they will all come with some features related to containers these days. We are just going to look at a couple.


Cloud Foundry has used containers internally for many years now, and part of the technology used to transform user code into containers is Build Packs, an idea originally borrowed from Heroku.
Cloud Foundry已经在内部使用容器很多年,Build Packs技术的一部分被用来将用户代码转换为容器,这个想法来自Heroku

The current generation of buildpacks (v2) generates generic binary output that is assembled into a container by the platform.

The new generation of buildpacks (v3) is a collaboration between Heroku and other companies including Pivotal, and it builds container images directly and explicitly.

This is very interesting for developers and operators.

Developers don’t need to care so much about the details of how to build a container, but they can easily create one if they need to.

Buildpacks also have lots of features for caching build results and dependencies, so often a buildpack will run much quicker than a native docker build.
Buildpacks 有许多缓存构建结果和依赖地特性,因此往往一个buildpack比本地docker构建运行地更快。

Operators can scan the containers to audit their contents and transform them to patch them for security updates.

And you can run the buildpacks locally (e.g. on a developer machine, or in a CI service), or in a platform like Cloud Foundry.

The output from a buildpack lifecycle is a container image, but you don’t need docker or a Dockerfile, so it’s CI and automation friendly.

The filesystem layers in the output image are controlled by the buildpack, and typically many optimizations will be made without the developer having to know or care about them.

There is also an Application Binary Interface between the lower level layers, like the base image containing the operating system, and the upper layers, containing middleware and language specific dependencies.

This makes it possible for a platform, like Cloud Foundry, to patch lower layers if there are security updates without affecting the integrity and functionality of the application.
这使得平台化成为可能,例如Cloud Foundry,修补下层如果这里有安全更新而不会影响到应用程序的完整性和功能。