ROX-33561: Migrate roxctl Dockerfile to ubi9-micro by janisz · Pull Request #19500 · stackrox/stackrox

janisz · 2026-03-19T13:19:53Z

Description

Following the pattern from konflux.Dockerfile and collector PR #3021:

Add ubi-micro-base stage and copy to /out/ before package installation to preserve rpmdb
Install ca-certificates and openssl using dnf --installroot pattern
Move roxctl binary to /usr/bin/roxctl for consistency

This aligns the main Dockerfile with the konflux.Dockerfile pattern, providing a minimal but functional base image.

User-facing documentation

CHANGELOG.md is updated OR update is not needed
documentation PR is created and is linked above OR is not needed

Testing and quality

the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
CI results are inspected

Automated testing

How I validated my change

docker run --net=host -e ROX_API_TOKEN=$ROX_TOKEN quay.io/rhacs-eng/roxctl:4.11.x-382-gd02d44306c central whoami -e acs-cii18grublkv81uil8gg.acs.rhcloud.com:443
UserID:
        sso:b24d7872-1a98-5212-924d-19bcf84db211:54263162
User name:
        Tomasz Janiszewski ([email protected])
Roles:
        - Analyst with image write
Access:
        -- Access
        r- Administration
        r- Alert
        -- CVE
        r- Cluster
        -- Compliance
        r- Deployment
        -- DeploymentExtension
        -- Detection
        rw Image
        -- Integration
        -- K8sRole
        -- K8sRoleBinding
        -- K8sSubject
        r- Namespace
        r- NetworkGraph
        r- NetworkPolicy
        r- Node
        r- Secret
        -- ServiceAccount
        -- VulnerabilityManagementApprovals
        -- VulnerabilityManagementRequests
        rw WatchedImage
        r- WorkflowAdministration

rhacs-bot · 2026-03-19T13:40:31Z

Images are ready for the commit at 74ea45b.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-432-g74ea45ba6a.

codecov · 2026-03-19T13:55:35Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.28%. Comparing base (e26150c) to head (74ea45b).
⚠️ Report is 40 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #19500      +/-   ##
==========================================
+ Coverage   49.23%   49.28%   +0.05%     
==========================================
  Files        2735     2735              
  Lines      206123   206213      +90     
==========================================
+ Hits       101489   101637     +148     
+ Misses      97102    97034      -68     
- Partials     7532     7542      +10

Flag	Coverage Δ
go-unit-tests	`49.28% <ø> (+0.05%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Following the pattern from konflux.Dockerfile and collector PR #3021: - Add ubi-micro-base stage and copy to /out/ before package installation to preserve rpmdb - Install ca-certificates and openssl using dnf --installroot pattern - Move roxctl binary to /usr/bin/roxctl for consistency This aligns the main Dockerfile with the konflux.Dockerfile pattern, providing a minimal but functional base image. Co-Authored-By: Claude Sonnet 4.5 <[email protected]> # Conflicts: # image/roxctl/Dockerfile

Signed-off-by: Tomasz Janiszewski <[email protected]>

janisz · 2026-03-25T07:50:56Z

/retest

image/roxctl/Dockerfile

Migrate both image/rhel/Dockerfile and image/rhel/konflux.Dockerfile from ubi9-minimal to ubi9-micro base images following the proven pattern from PR #19500 (roxctl migration). Changes: - Use multi-stage build with package_installer pattern - Install packages to /out/ using dnf --installroot - Preserve ubi9-micro rpmdb by copying before package installation - Move directory setup and save-dir-contents to package_installer stage - Remove HEALTHCHECK from Dockerfile (curl not available in ubi9-micro) - Pin SHA digests in konflux.Dockerfile for reproducible builds - Use --setopt=reposdir=/etc/yum.repos.d for Cachi2 compatibility Expected benefits: - 30-35% image size reduction (from ~450MB to ~350MB) - Smaller attack surface and reduced CVE exposure - Faster image pull/push operations This migration maintains full functionality while following the pattern established in PR #17406 and successfully merged in PR #19500. Co-Authored-By: Claude Sonnet 4.5 <[email protected]> Signed-off-by: Tomasz Janiszewski <[email protected]>

github-actions bot added the area/helm label Mar 19, 2026

janisz requested a review from a team March 20, 2026 12:39

janisz force-pushed the ROX-33561-roxctl-ubi-micro branch from d02d443 to 889d6fd Compare March 24, 2026 15:10

janisz changed the title ~~ROX-33561: Migrate roxctl Dockerfile to ubi8-micro~~ ROX-33561: Migrate roxctl Dockerfile to ubi9-micro Mar 24, 2026

openshift-ci bot added the needs-rebase label Mar 24, 2026

janisz added 2 commits March 24, 2026 16:33

ubi-9

07f63e3

Signed-off-by: Tomasz Janiszewski <[email protected]>

janisz force-pushed the ROX-33561-roxctl-ubi-micro branch from 889d6fd to 07f63e3 Compare March 24, 2026 15:33

openshift-ci bot removed the needs-rebase label Mar 24, 2026

janisz commented Mar 25, 2026

View reviewed changes

image/roxctl/Dockerfile Outdated Show resolved Hide resolved

Apply suggestion from @janisz

736c945

guzalv approved these changes Mar 25, 2026

View reviewed changes

image/roxctl/Dockerfile Show resolved Hide resolved

image/roxctl/Dockerfile Show resolved Hide resolved

janisz commented Mar 26, 2026

View reviewed changes

image/roxctl/Dockerfile Outdated Show resolved Hide resolved

Apply suggestion from @janisz

74ea45b

janisz merged commit 42bd5ac into master Mar 27, 2026
97 checks passed

janisz deleted the ROX-33561-roxctl-ubi-micro branch March 27, 2026 12:37

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ROX-33561: Migrate roxctl Dockerfile to ubi9-micro#19500

ROX-33561: Migrate roxctl Dockerfile to ubi9-micro#19500
janisz merged 4 commits intomasterfrom
ROX-33561-roxctl-ubi-micro

janisz commented Mar 19, 2026 •

edited

Loading

Uh oh!

rhacs-bot commented Mar 19, 2026 •

edited

Loading

Uh oh!

codecov bot commented Mar 19, 2026 •

edited

Loading

Uh oh!

janisz commented Mar 25, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

janisz commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

User-facing documentation

Testing and quality

Automated testing

How I validated my change

Uh oh!

rhacs-bot commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov bot commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

janisz commented Mar 25, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

janisz commented Mar 19, 2026 •

edited

Loading

rhacs-bot commented Mar 19, 2026 •

edited

Loading

codecov bot commented Mar 19, 2026 •

edited

Loading