ROX-30858: Migrate scanner DB image from ubi8-minimal to ubi8-micro#17431
Open
ROX-30858: Migrate scanner DB image from ubi8-minimal to ubi8-micro#17431
Conversation
Contributor
|
Images are ready for the commit at b5ecb82. To use with deploy scripts, first |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #17431 +/- ##
==========================================
- Coverage 49.60% 49.59% -0.01%
==========================================
Files 2756 2756
Lines 208036 208036
==========================================
- Hits 103189 103184 -5
- Misses 97187 97192 +5
Partials 7660 7660
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
dcaravel
requested changes
Nov 26, 2025
99024b2 to
dd7d925
Compare
dd7d925 to
61618ff
Compare
fe8b45c to
292c59d
Compare
f09ff53 to
4d44c29
Compare
|
@janisz: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
4d44c29 to
d6f9e04
Compare
This commit migrates the scanner database (PostgreSQL) container image from ubi8-minimal to ubi8-micro, completing the migration of all scanner images. - Changed base image from ubi8-minimal to ubi8-micro - Introduced dependency_builder stage for all runtime dependencies - PostgreSQL DB requires many packages for operation - Uses chroot to run user/group creation and locale setup - **PostgreSQL**: 4 RPMs (libs, server, client, contrib) via rpm --root - **System packages**: shadow-utils, ca-certificates, glibc-langpack-en, glibc-locale-source, libicu, libxslt, lz4, perl-libs, python3, systemd-sysv, zstd, tzdata, uuid (RHEL 9+) - **User setup**: postgres user (70:70) created via chroot - **Locale**: en_US.UTF-8 configured via chroot - Base image: ubi8-minimal → ubi8-micro - Builder stage: Uses ubi8 (full) for dnf --installroot - PostgreSQL: 4 RPMs installed via rpm --root - User creation: Uses chroot to run groupadd/adduser in /out/ - Locale setup: Uses chroot to run localedef in /out/ - No package managers in final image - **Size reduction**: ~60-70 MB smaller base image - **Security**: No package managers in runtime - **Consistency**: Same ubi8-micro pattern as other images - **Complete**: All scanner images now use ubi8-micro This is the most complex migration due to: - PostgreSQL server requirements (not just client) - User/group creation in builder (requires chroot) - Locale generation (requires chroot) - Many runtime dependencies for PostgreSQL operation Tested-by: Local analysis and pattern validation Relates-to: ROX-30858 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
The PostgreSQL RPMs automatically create the postgres user and group during installation with their default UID/GID (26). However, the Dockerfile requires UID/GID 70 to match the USER directive. This commit fixes the user creation logic to: - Check if postgres user/group already exist (created by RPM post-install) - If they exist with wrong IDs, use usermod/groupmod to change to UID/GID 70 - If they don't exist, create them with UID/GID 70 This resolves the build failure: > [dependency_builder 6/8] RUN chroot /out /bin/sh -c "groupadd -g 70 postgres && adduser postgres..." groupadd: group 'postgres' already exists Tested: Local build verified postgres user has UID/GID 70 in final image 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
The scanner-v4-db container was crashing with exit code 127 (command not found) because the migration to ubi8-micro removed essential shell utilities that the entrypoint scripts depend on. Root cause: - docker-entrypoint.sh uses #!/usr/bin/env bash - ubi8-micro has no utilities pre-installed (unlike ubi8-minimal) - The chroot commands for user creation need /bin/sh, id, etc. This fix adds the missing packages that PR #17406 correctly included for the main image: - bash: Required for entrypoint scripts - coreutils: Basic commands (id, mkdir, cat, etc.) - findutils: File operations - util-linux: System utilities These packages enable the existing chroot user creation and locale setup commands to execute successfully. Fixes: ROX-30858 Related: #17406 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
The scanner-v4-db was still crashing with exit code 127 because PostgreSQL binaries require the OpenLDAP runtime library (libldap_r-2.4.so.2). Image inspection revealed: ``` $ docker run scanner-v4-db:4.10.x-81-gcc55af9924 initdb --version initdb: error while loading shared libraries: libldap_r-2.4.so.2: cannot open shared object file: No such file or directory ``` PostgreSQL is compiled with LDAP support and requires these libraries at runtime even if LDAP authentication is not actively used. This adds the openldap package which provides libldap_r-2.4.so.2 and other LDAP client libraries needed by PostgreSQL. Fixes: ROX-30858 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Create /var/run/postgresql with proper ownership and permissions in the dependency_builder stage. PostgreSQL requires this directory to create lock files (.s.PGSQL.5432.lock) during startup. Without this directory, PostgreSQL fails with: FATAL: could not create lock file "/run/postgresql/.s.PGSQL.5432.lock": Permission denied The fix uses chroot to run chown/chmod in the /out/ context where the postgres user (UID/GID 70:70) exists, following the same pattern used for locale setup and user creation. Fixes scanner-v4-install-tests CI failure. Tested locally - PostgreSQL starts successfully and accepts connections. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Simplify comments to match style from other ubi-micro migrations: - Remove verbose section separators and header comments - Consolidate locale setup into user creation RUN command - Keep only meaningful comments explaining intent, not mechanics - Remove redundant comments that duplicate what code already shows No functional changes, only comment cleanup and minor consolidation. Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Following the pattern from collector PR #3021, this commit: - Adds ubi-micro-base stage and copies it to /out/ before package installation to preserve rpmdb - Removes bash and coreutils from dnf install (already included in ubi-micro) The previous implementation installed packages to /out/ without first copying the ubi-micro base, which could break the RPM database. This pattern ensures the minimal ubi-micro base is preserved correctly. Co-Authored-By: Claude Sonnet 4.5 <[email protected]> Signed-off-by: Tomasz Janiszewski <[email protected]>
PostgreSQL requires /usr/share/zoneinfo directory for timezone configuration. ubi9-micro ships with tzdata pre-installed in the RPM database but with an empty /usr/share/zoneinfo directory. Regular `dnf install tzdata` won't work because the package is already present - we must use `dnf reinstall` to force repopulation of timezone files. Use --setopt=reposdir to access build host repos since /out/etc/yum.repos.d doesn't exist yet. Fixes scanner-v4-db CrashLoopBackOff with error: "could not open directory /usr/share/zoneinfo: No such file or directory" Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
d6f9e04 to
b5ecb82
Compare
Contributor
|
/konflux-retest operator-bundle-on-push |
2 similar comments
Contributor
|
/konflux-retest operator-bundle-on-push |
Contributor
|
/konflux-retest operator-bundle-on-push |
dcaravel
reviewed
Apr 3, 2026
Comment on lines
+53
to
+54
| if [[ $(awk -F'=' '/VERSION_ID/{ gsub(/"/,""); print substr($2,1,1)}' /etc/os-release) -gt 8 ]]; then \ | ||
| dnf install --installroot=/out/ --releasever=8 --setopt=install_weak_deps=0 --nodocs -y uuid; \ |
Contributor
There was a problem hiding this comment.
This conditional still needed? given that --releasever is hardcoded to 9 above it doesn't seem like the dockerfile needs to be able to support both 8 and 9 anymore?
| COPY --from=ubi-micro-base / /out/ | ||
|
|
||
| # If this is updated, be sure to update postgres_major in download.sh and the signature file. | ||
| ENV PG_MAJOR=15 |
Contributor
There was a problem hiding this comment.
This one may be unnecessary? Is repeated in a later stage.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This commit migrates the scanner database (PostgreSQL) container image from ubi8-minimal to ubi8-micro, completing the migration of all scanner images.
🤖 Generated with Claude Code