Java Docker Skill
Containerize Java applications with optimized Dockerfiles and JVM settings.
Overview
This skill covers Docker best practices for Java including multi-stage builds, JVM container settings, security hardening, and layer optimization.
When to Use This Skill
Use when you need to:
- Create optimized Java Dockerfiles
- Configure JVM for containers
- Implement security best practices
- Reduce image size
- Set up health checks
Topics Covered
Dockerfile Optimization
- Multi-stage builds
- Layer caching strategy
- Spring Boot layered JARs
- Dependency caching
JVM Container Settings
- UseContainerSupport
- MaxRAMPercentage
- GC selection
- Exit on OOM
Security
- Non-root users
- Read-only filesystem
- Vulnerability scanning
- Secrets handling
Quick Reference
# Multi-stage optimized Dockerfile
FROM eclipse-temurin:21-jdk-alpine AS builder
WORKDIR /app
# Cache dependencies
COPY pom.xml .
COPY .mvn .mvn
RUN mvn dependency:go-offline -B
# Build and extract layers
COPY src ./src
RUN mvn package -DskipTests && \
java -Djarmode=layertools -jar target/*.jar extract
# Runtime stage
FROM eclipse-temurin:21-jre-alpine
# Security: non-root user
RUN addgroup -S app && adduser -S app -G app
USER app
WORKDIR /app
# Copy layers in order of change frequency
COPY --from=builder /app/dependencies/ ./
COPY --from=builder /app/spring-boot-loader/ ./
COPY --from=builder /app/snapshot-dependencies/ ./
COPY --from=builder /app/application/ ./
# JVM container settings
ENV JAVA_OPTS="-XX:+UseContainerSupport \
-XX:MaxRAMPercentage=75.0 \
-XX:+ExitOnOutOfMemoryError \
-XX:+UseG1GC"
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=3s --start-period=30s \
CMD wget -qO- http://localhost:8080/actuator/health/liveness || exit 1
ENTRYPOINT ["sh", "-c", "java $JAVA_OPTS org.springframework.boot.loader.launch.JarLauncher"]
JVM Container Flags
# Recommended production settings
JAVA_OPTS="
-XX:+UseContainerSupport
-XX:MaxRAMPercentage=75.0
-XX:InitialRAMPercentage=50.0
-XX:+ExitOnOutOfMemoryError
-XX:+HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=/tmp/heapdump.hprof
-XX:+UseG1GC
-Djava.security.egd=file:/dev/./urandom
"
Base Image Comparison
| Image | Size | Security | Use Case |
|---|---|---|---|
| temurin:21-jre | ~200MB | Good | General use |
| temurin:21-jre-alpine | ~100MB | Good | Size-optimized |
| distroless/java21 | ~80MB | Best | Production |
Security Best Practices
# Non-root user
RUN addgroup -S app && adduser -S app -G app
USER app
# Read-only filesystem
# (Configure at runtime with --read-only)
# No shell access with distroless
FROM gcr.io/distroless/java21-debian12
# Health check
HEALTHCHECK --interval=30s --timeout=3s \
CMD wget -qO- localhost:8080/actuator/health || exit 1
Troubleshooting
Common Issues
| Problem | Cause | Solution |
|---|---|---|
| OOMKilled | Heap > limit | Set MaxRAMPercentage |
| Slow startup | Large image | Multi-stage build |
| Permission denied | Root required | Fix file permissions |
| No memory info | Old JVM | Update to Java 11+ |
Debug Checklist
□ Check container memory limits
□ Verify JVM sees container limits
□ Review health check configuration
□ Scan image for vulnerabilities
□ Test with resource constraints
Usage
Skill("java-docker")
Related Skills
java-maven-gradle- Build integrationjava-microservices- K8s deployment