From 7f7eaa35e7b6093cfc24fa34720d3a4867017939 Mon Sep 17 00:00:00 2001
From: Samir Talwar
Date: Tue, 30 Jun 2020 14:01:43 +0200
Subject: [PATCH] Use Distroless for the Java Docker base image. (#6537)
* Use Distroless for the Java Docker base image.
We switched away from Distroless because it was causing issues with `docker pull` when you had Docker configured to use `gcloud` for authentication, but weren't actually authenticated. Adding `docker-credential-gcloud` to dev-env should hopefully fix this, meaning we can switch back to a base image that is better-maintained.
CHANGELOG_BEGIN
CHANGELOG_END
* Bump rules_docker to v0.14.3.
This fixes an issue when running `bazel sync`:
```
ERROR: java.io.IOException: Error downloading [http://central.maven.org/maven2/javax/servlet/javax.servlet-api/3.0.1/javax.servlet-api-3.0.1.jar] to [...]/external/javax_servlet_api/javax.servlet-api-3.0.1.jar: Unknown host: central.maven.org
```
---
 WORKSPACE | 9 +++++----
 deps.bzl | 6 +++---
 dev-env/bin/docker-credential-gcloud | 1 +
 ledger/ledger-on-memory/BUILD.bazel | 2 +-
 ledger/sandbox/BUILD.bazel | 2 +-
 nix/default.nix | 3 ++-
 6 files changed, 13 insertions(+), 10 deletions(-)
 create mode 120000 dev-env/bin/docker-credential-gcloud
diff --git a/WORKSPACE b/WORKSPACE
index c76593acca43..9d73fa3e5688 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -737,10 +737,11 @@ container_deps()
 load("@io_bazel_rules_docker//container:container.bzl", "container_pull")
 
 container_pull(
- name = "openjdk_base",
- registry = "docker.io",
- repository = "openjdk",
- tag = "8-alpine",
+ name = "java_base",
+ digest = "sha256:7cef6d99241bc86e09659d41842e3656a1cab99adf0e440a44d2858c8e52a71a",
+ registry = "gcr.io",
+ repository = "distroless/java",
+ tag = "8",
 )
 
 load("@io_bazel_rules_docker//java:image.bzl", java_image_repositories = "repositories")
diff --git a/deps.bzl b/deps.bzl
index d140ed7430fd..29a2b9af085e 100644
--- a/deps.bzl
+++ b/deps.bzl
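Review bot: The new `container_pull` for `java_base` carries both a `digest` and `tag = "8"`, and nothing in the hunk records which one is authoritative; as far as I recall rules_docker resolves by digest when both are given, so the tag is informational and will silently drift from the digest on the next bump. A comment above the `digest` line would keep the two in step: `# Pinned by digest for reproducibility; tag is informational only — update both together when bumping.` Pulling from gcr.io here is also what makes the dev-env `docker-credential-gcloud` helper added in this commit a prerequisite for `bazel sync` on machines where Docker is configured to use gcloud for auth, which is worth a second line such as `# gcr.io pulls go through docker-credential-gcloud (dev-env/bin) when Docker is configured to use it.`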
@@ -151,9 +151,9 @@ def daml_deps():
 if "io_bazel_rules_docker" not in native.existing_rules():
 http_archive(
 name = "io_bazel_rules_docker",
- url = "https://github.com/bazelbuild/rules_docker/releases/download/v0.12.1/rules_docker-v0.12.1.tar.gz",
- strip_prefix = "rules_docker-0.12.1",
- sha256 = "14ac30773fdb393ddec90e158c9ec7ebb3f8a4fd533ec2abbfd8789ad81a284b",
+ url = "https://github.com/bazelbuild/rules_docker/releases/download/v0.14.3/rules_docker-v0.14.3.tar.gz",
+ strip_prefix = "rules_docker-0.14.3",
+ sha256 = "6287241e033d247e9da5ff705dd6ef526bac39ae82f3d17de1b69f8cb313f9cd",
 )
 
 if "com_google_protobuf" not in native.existing_rules():
diff --git a/dev-env/bin/docker-credential-gcloud b/dev-env/bin/docker-credential-gcloud
new file mode 120000
index 000000000000..943ba2d88c97
--- /dev/null
+++ b/dev-env/bin/docker-credential-gcloud
@@ -0,0 +1 @@
+../lib/dade-exec-nix-tool
\ No newline at end of file
diff --git a/ledger/ledger-on-memory/BUILD.bazel b/ledger/ledger-on-memory/BUILD.bazel
index ba917d877dbd..00cba7680a21 100644
--- a/ledger/ledger-on-memory/BUILD.bazel
+++ b/ledger/ledger-on-memory/BUILD.bazel
@@ -180,7 +180,7 @@ conformance_test(
 
 java_image(
 name = "app-image",
- base = "@openjdk_base//image",
+ base = "@java_base//image",
 main_class = "com.daml.ledger.on.memory.Main",
 resources = ["src/app/resources/logback.xml"],
 visibility = ["//visibility:public"],
diff --git a/ledger/sandbox/BUILD.bazel b/ledger/sandbox/BUILD.bazel
index b7caaf3b11bd..a437fd545aee 100644
--- a/ledger/sandbox/BUILD.bazel
+++ b/ledger/sandbox/BUILD.bazel
@@ -178,7 +178,7 @@ genrule(
 
 container_image(
 name = "sandbox-image-base",
- base = "@openjdk_base//image",
+ base = "@java_base//image",
 cmd = None,
 directory = "/usr/bin",
 files = [
diff --git a/nix/default.nix b/nix/default.nix
index b8ae375086b7..6131db87cc69 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -222,8 +222,9 @@ in rec {
 # Cloud tools
 aws = pkgs.awscli;
 gcloud = pkgs.google-cloud-sdk;
- bq = gcloud;
+ bq = gcloud;
 gsutil = gcloud;
+ docker-credential-gcloud = gcloud;
 # used to set up the webide CI pipeline in azure-cron.yml
 docker-credential-gcr = pkgs.docker-credential-gcr;
 # Note: we need to pin Terraform to 0.11 until nixpkgs includes a version
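Review bot: The new `docker-credential-gcloud = gcloud;` entry is the only tool in this block without a comment saying why it exists, while the neighbouring `docker-credential-gcr` line has one; its attribute name also has to match the `dev-env/bin/docker-credential-gcloud` symlink added in this commit and Docker's `docker-credential-<helper>` lookup convention, so a reader renaming or removing it needs that link spelled out. Suggest `# Docker credential helper for gcr.io pulls (e.g. the java_base image in WORKSPACE); the name must match dev-env/bin/docker-credential-gcloud` above the new line. The `bq = gcloud;` removed/added pair reads as identical after whitespace was collapsed in this view, so I take it to be an indentation-only change.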