This buildpack provides a highly secure Java Runtime Environment (JRE) designed for environments requiring FIPS 140-3 compliance. It integrates BouncyCastle FIPS cryptographic modules and enforces strict security policies while maintaining enterprise-grade observability and performance tuning.
| Variable | Description | Default |
|---|---|---|
BP_JVM_TYPE |
JRE or JDK |
--- |
BP_JVM_VERSION |
java version | 21 |
BPL_JVM_HEAD_ROOM |
Percentage of memory to leave as headroom for the OS (0-100). | 25 |
BPL_JAVA_NMT_ENABLED |
Enables Native Memory Tracking (NMT). | true |
BPL_JAVA_NMT_LEVEL |
Detail level for NMT output (summary or detail). |
summary |
BPL_JMX_ENABLED |
Enables remote JMX monitoring. | false |
BPL_JMX_PORT |
Port for JMX monitoring. | 5000 |
BPL_DEBUG_ENABLED |
Enables remote debugging support. | false |
BPL_DEBUG_PORT |
Port for remote debugging. | 8000 |
BPL_DEBUG_SUSPEND |
Whether the JVM should wait for a debugger to attach. | false |
BPL_JFR_ENABLED |
Enables Java Flight Recording (JFR). | false |
BPL_HEAP_DUMP_PATH |
Path to write heap dumps on OutOfMemoryError. | (Disabled) |
The buildpack automatically configures the following low-level settings for container stability:
- FIPS Enforcement: Enforces BouncyCastle FIPS as the primary provider and disables non-approved cryptographic algorithms.
- Dynamic Memory Calculator: Includes an integrated python-compiled memory calculator via the CNB
exec.dlifecycle layer. It dynamically parses cgroups limits and automatically configures exact-Xmxand-Xmsoptions. - Memory Arena Management: Sets
MALLOC_ARENA_MAX=2to reduce memory fragmentation and prevent excessive virtual memory growth in containers. - DNS TTL Fix: Sets the network address cache TTL to 60 seconds to ensure the JVM respects DNS changes in dynamic environments like Kubernetes.
- Encoding: Forces
UTF-8file encoding globally.
- Integrated Memory Calculator: Fully matches Paketo's behavior by utilizing a native dynamic memory calculator that executes during the container launch phase (
exec.d). This bypasses the old container percentage configurations (MaxRAMPercentage) and strictly controls JRE heap allocation relative to host boundaries.
- Jlink Support: This buildpack does not support the
jlinktool for creating custom, minified JRE distributions at build time.
- No GraalVM / Native Image: This buildpack does not include GraalVM or support for compiling applications into Native Images. It is strictly optimized for standard JRE/JDK execution with FIPS compliance.