Or should that be:

which java

TL;DR

Practices for installing and maintaining Java have evolved over time, which can lead to tension between teams who are set in a particular way, and other teams who see that as backward.

The present state of the art is not to have Java on hosts at all, and to containerise apps that use Java, but for when it is needed on hosts a Software Development Kit (SDK) manager such as SDKMAN provides a sensible way to take care of things.

Background

A colleague reached out to me asking whether Java should be installed from the OS package manager, or standalone? This raised a number of concerns:

1. Whose JDK – Oracle, OpenJDK, IBM, (Zing, Zulu, Corretto[1])?
2. Which major version?
3. If minor versions and patches aren’t updated by the OS manager then who/what is doing that?
4. Side by side installation for multiple app servers?
5. Are any system tools dependent on Java?
6. Does it matter is java is on the PATH?
7. How is CLASSPATH set?
8. How is the app/app server launched, and what does the script do to PATH and CLASSPATH?

I noted that:

Pretty much all of those questions stop mattering if using containers.

Evolution

I’d observe that practice has developed over time. In the early days of Enterprise Java I was pretty close to the action, but since then I’ve been a more distant observer:

• 2000 Install Sun Java from tarball into /opt/java
• 2005 Install IBM Java or jRockit from rpm/deb into wherever they went
• 2010 Install Oracle Java from rpm/deb (because the distros couldn’t package it)
• 2015 Install OpenJDK from yum/apt
• 2020 Put Java stuff into containers

As I was feeling out of touch a little I asked Twitter, though the results were far from conclusive:

Early voting had containerisation well ahead, but things later swung back to more established approaches.

What was new to me, which was the whole point of asking, was people pointing out that they used SDKMAN to solve this problem, and I think that’s probably the best answer for when Java is needed on hosts.

Safety and security

I recall the glorious days when the Java Virtual Machine (JVM) was considered a safe sandbox. Those days are long behind use, and the JVM looks more like a giant pile of Common Vulnerabilities and Exposures (CVEs) that need their own sandbox.

Then there’s the issue of dependency management (aka DLL Hell), where once clear and orderly installations can become a mess of intertwined dependencies that need the finest IT archaeologists to figure out what’s broken and how things ever worked.

For both of those reasons, I generally try to run Java apps in containers (along with anything using Node.js or Ruby).

Conclusion

Containerisation is the way to go for Java apps wherever possible, but for when Java does need to be installed on hosts SDKMAN seems to provide the best of both worlds between standalone Java installation and OS package managers.

Note

[1] Thanks to Mike Moate for reminding me about Amazon’s Corretto, which is their distribution of OpenJDK that comes with “long-term support that will include performance enhancements and security fixes”.