Introducing Canonical builds of OpenJDK

Java has long been the most popular language for software development in large enterprises, with 90% of Fortune 500 companies using it for backend development, particularly in industries like finance, healthcare, and government. 

Java developers, more than most, are tasked with balancing the implementation of new features against the critical requirements of legacy application security, stability, and performance. The management of distinct Java versions, security updates, and deployment artifacts introduces considerable complexity.

For these reasons we have decided to double down on our investment in the toolchain by providing an even more comprehensive offering that both enterprises and community members can benefit from. Canonical’s OpenJDK support offering is centered around the following core tenets:

• Industry leading security maintenance with Ubuntu Pro, providing security support to OpenJDK 8 until 2034 and at least 12 years on every other OpenJDK LTS release.
• Timely access to new Java releases by including the latest OpenJDK release in the subsequent Ubuntu release. This also extends to the LTS releases.
• Performance optimization for containers, combining the size reduction of Chiseled OpenJRE with novel technologies like CRaC (Coordinated Restore at Checkpoint).
• Verified correctness testing OpenJDK release against the Technology Compatibility Kit (TCK) using the Eclipse AQAvit by Adoptium testing framework.
• Broad architecture support including AMD64, ARM64, S390x, RISC-V and ppc64el.

Let’s explore each of these elements in greater detail.

Enhanced security assurance: long term security and stability

An Ubuntu Pro subscription extends a minimum 10-year security support guarantee for all OpenJDK LTS builds, thereby reducing the necessity for frequent application modernization efforts. This means that developers can simultaneously extend the life of their existing legacy applications and prioritize the development of features that directly benefit and enhance the user experience. 

This is especially crucial for legacy workloads running on Java 8, which according to a recent New Relic report still accounts for as much as 33% of production deployments. For workloads running on 24.04 LTS, Ubuntu Pro will extend  security maintenance to at least 2034, 8 years longer than Red Hat and 4 years longer than Azul Zulu.

Supported OpenJDK LTS versions within Ubuntu LTS releases 

Facilitating innovation: timely access to new Java releases

With Ubuntu, long term support does not come at the expense of rapid releases. We aim to enable teams’ experimentation efforts by making new versions of OpenJDK available in Ubuntu right after their release. 

Starting with Ubuntu 24.04 LTS we are planning to align the OpenJDK and Ubuntu releases cadences as follows:

• New OpenJDK LTS releases land in subsequent Ubuntu LTS releases, ensuring stability for your long-term projects.
• Non-LTS OpenJDK releases become available in subsequent Ubuntu interim releases, perfect for testing new language features, APIs, and performance improvements as soon as they drop.

This dual approach gives you the flexibility to innovate rapidly while maintaining enterprise-grade stability for critical production deployments.

In addition we are also using innovative technologies like CRaC (Coordinated Restore at Checkpoint) to reduce containerized and traditional Java application startup and warmup times by allowing a running JVM and application state to be checkpointed and later restored. 

Deployment optimization: secure, minimal Chiseled JRE containers

Bloated container images slow down CI/CD pipelines and increase security risks. Ubuntu Chiseled OpenJRE containers offer a radically smaller footprint for the Java runtimes, cutting away all unnecessary packages and slices of dependencies. The smaller size does not compromise throughput, which falls in line with images from alternative OpenJDK distributions.

You can download the images from the following public registries and get additional long term security and support through the Ubuntu Pro subscription:

• Dockerhub 
• Amazon Container Registry (ECR)

Chiseled JRE container statistics:

Over the coming weeks we will publish a set of detailed benchmarks comparing Chiseled Ubuntu OpenJRE containers to similar products of other major OpenJDK distributions.

Verified correctness and simplified compliance

When building enterprise applications, the last thing you need is wasting time debugging unexpected runtime behaviour. Since joining the Eclipse Foundation’s Adoptium Working Group in 2023 we have worked hard to make sure all our OpenJDK builds of versions 17 and 21 are verified for correctness so that all Ubuntu users can build their latest Java applications on a foundation they can trust.

“Canonical is a strong example of how our members contribute to and benefit from their involvement in the Adoptium Working Group,” said Mike Milinkovich, executive director of the Eclipse Foundation. “They are helping to drive innovation across the open source Java ecosystem and are using the Eclipse AQAvit testing framework to efficiently test and certify their builds with the Java TCK. I’m excited about what we can accomplish together as our collaboration continues to evolve.”

Our OpenJDK builds are rigorously tested against the Technology Compatibility Kit (TCK) using the AQAvit testing framework. This applies to the build for all the following architectures (on Ubuntu 22.04 LTS and 24.04 LTS):

• AMD64
• ARM64
• s390x
• Ppc64el
• RISC-V

The same approach applies to cryptographic compliance requirements. Ubuntu Pro provides access to openjdk-11-fips (with FIPS 140-2 certified BouncyCastle). We’re also actively pursuing FIPS 140-3 certification for a dedicated OpenSSL-FIPS Java provider, simplifying compliance for developers in regulated industries and government departments.

Improved cloud native workload performance with GraalVM and CRaC

Java applications have strong runtime performance but suffer from slow startup time due to Java Virtual Machine (JVM) initialization and Just-In-Time (JIT) compilation processes. Over the past few years GraalVM and CRaC  (Coordinated Restore at Checkpoint) emerged as two different solutions to help developers create efficient cloud native applications.

We recognise the importance of these projects for the future of the Java ecosystem and we have decided to make them even easier to adopt and maintain on Ubuntu by packaging all necessary components and making them available either as debs or snaps.

GraalVM is a high-performance polyglot virtual machine that offers significant advantages for Java developers. It enables ahead-of-time (AOT) compilation of Java bytecode into native executables. This AOT compilation eliminates the need for JIT compilation at runtime, leading to substantially faster startup times and reduced memory footprint. We have created a snap to make it easier for developers to access the latest GraalVM features and build smaller, faster applications on 24.04 and future releases.

CRaC, on the other hand, allows a running JVM to be frozen, its state saved to disk, and then restored rapidly at a later point. By pre-warming the application and taking a checkpoint, subsequent startups can be significantly accelerated, often taking just milliseconds. We have packaged and added to the archive both CRaC OpenJDK builds and CRIU (Checkpoint/Restore In Userspace), delivering an effortless developer setup and minimum of 10 years of security maintenance with Ubuntu Pro (starting from Ubuntu 26.04 LTS)

Learn more about Canonical builds of OpenJDK

• Canonical builds of OpenJDK
• Install the GraalVM snap
• Download the OpenJRE containers
• Get long term security maintenance with Ubuntu Pro
• Learn about Canonical’s Container offering