79 changes: 47 additions & 32 deletions image/rhel/Dockerfile
Expand Up @@ -2,27 +2,65 @@ ARG RPMS_REGISTRY=registry.access.redhat.com
ARG RPMS_BASE_IMAGE=ubi9
ARG RPMS_BASE_TAG=latest
ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi9-minimal
ARG BASE_IMAGE=ubi9-micro
ARG BASE_TAG=latest

FROM ${RPMS_REGISTRY}/${RPMS_BASE_IMAGE}:${RPMS_BASE_TAG} AS downloads
FROM ${RPMS_REGISTRY}/${RPMS_BASE_IMAGE}:${RPMS_BASE_TAG} AS ubi-base
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS ubi-micro-base
FROM ubi-base AS downloads

ARG DEBUG_BUILD=no

WORKDIR /
COPY download.sh /download.sh
RUN /download.sh

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS stackrox_data
# Prepare stackrox-data using ubi9 (has zip utility)
FROM ubi-base AS stackrox_data

RUN mkdir /stackrox-data
RUN microdnf upgrade --nobest -y && microdnf install -y zip
RUN dnf install -y zip

WORKDIR /
COPY fetch-stackrox-data.sh .
RUN /fetch-stackrox-data.sh /stackrox-data
RUN mkdir /stackrox-data && /fetch-stackrox-data.sh /stackrox-data

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
FROM ubi-base AS package_installer

# Copy ubi-micro base to preserve rpmdb
COPY --from=ubi-micro-base / /out/

RUN dnf install -y \
--installroot=/out/ \
--releasever=9 \
--setopt=install_weak_deps=0 \
--nodocs \
findutils \
ca-certificates

# Copy PostgreSQL RPMs and install to /out/
COPY --from=downloads /output/rpms/ /tmp/
COPY signatures/RPM-GPG-KEY-CentOS-Official /tmp/
RUN rpm --import /tmp/RPM-GPG-KEY-CentOS-Official && \
dnf install -y \
--installroot=/out/ \
--releasever=9 \
--setopt=install_weak_deps=0 \
--nodocs \
/tmp/postgres-libs.rpm \
/tmp/postgres.rpm && \
dnf --installroot=/out/ clean all && \
rm -rf /out/var/cache/dnf /out/var/cache/yum

# Setup stackrox directories with correct ownership
RUN mkdir -p /out/stackrox && \
mkdir -p /out/etc/pki/ca-trust/source/anchors /out/etc/ssl && \
mkdir -p /out/var/lib/stackrox /out/var/log/stackrox /out/var/cache/stackrox && \
chown -R 4000:4000 /out/etc/pki/ca-trust /out/etc/ssl /out/var/lib/stackrox /out/var/log/stackrox /out/var/cache/stackrox /out/tmp
Comment on lines +54 to +58

Contributor @msugakov, Mar 20, 2026:

The old content was:

    # The contents of paths mounted as emptyDir volumes in Kubernetes are saved
    # by the script `save-dir-contents` during the image build. The directory
    # contents are then restored by the script `restore-all-dir-contents`
    # during the container start.
    chown -R 4000:4000 /etc/pki/ca-trust /etc/ssl && save-dir-contents /etc/pki/ca-trust /etc/ssl && \
    mkdir -p /var/lib/stackrox && chown -R 4000:4000 /var/lib/stackrox && \
    mkdir -p /var/log/stackrox && chown -R 4000:4000 /var/log/stackrox && \
    mkdir -p /var/cache/stackrox && chown -R 4000:4000 /var/cache/stackrox && \
    chown -R 4000:4000 /tmp

  1. There was no creation of /stackrox; here you added /out/stackrox. Is this really needed now? I believe the COPY command would happily create missing directories for you.
  2. The old thing trusted that /etc/pki/ca-trust already exists; here you create /out/etc/pki/ca-trust/source/anchors. Why, did something fail without it?
  3. The same about old /etc/ssl vs. new /out/etc/ssl.
  4. The old comment was explaining what was happening around save-dir-contents and it's lost in the new version.

The same applies to the similar part of konflux.Dockerfile.

Contributor Author:

I tried to make it similar to the konflux Dockerfile.

COPY static-bin/* /out/stackrox/
RUN chroot /out /stackrox/save-dir-contents /etc/pki/ca-trust /etc/ssl

FROM ubi-micro-base

ARG LABEL_VERSION
ARG LABEL_RELEASE
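Review bot: the `rpm --import /tmp/RPM-GPG-KEY-CentOS-Official` in the package_installer stage imports the key into the builder's own rpmdb, but the two local RPMs are then installed into `/out/` with `--installroot`, and dnf does not verify signatures of local `.rpm` files unless `localpkg_gpgcheck` is enabled (it is off by default), so as written the import does not gate the install at all. The old stage at least had rpm itself install the files (`rpm -i`), which checks the package signature against the imported key; the new path should not be weaker. Suggest an explicit check in the same RUN, which works precisely because the key now lives in the builder's rpmdb:
    rpm --import /tmp/RPM-GPG-KEY-CentOS-Official && \
    rpm --checksig /tmp/postgres-libs.rpm /tmp/postgres.rpm && \
and keep it before the `dnf install`, so a package whose signature does not verify fails the build instead of landing in `/out/`.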
Expand All @@ -45,32 +83,11 @@ ENV PATH="/stackrox:$PATH" \
ROX_IMAGE_FLAVOR=${ROX_IMAGE_FLAVOR} \
ROX_PRODUCT_BRANDING=${ROX_PRODUCT_BRANDING}

COPY signatures/RPM-GPG-KEY-CentOS-Official /
COPY static-bin /stackrox/
# Copy all dependencies and binaries from package_installer
COPY --from=package_installer /out/ /

COPY --from=downloads /output/rpms/ /tmp/
COPY --from=downloads /output/go/ /go/

RUN rpm --import RPM-GPG-KEY-CentOS-Official && \
microdnf -y upgrade --nobest && \
rpm -i --nodeps /tmp/postgres-libs.rpm && \
rpm -i --nodeps /tmp/postgres.rpm && \
microdnf install --setopt=install_weak_deps=0 --nodocs -y util-linux && \
microdnf clean all -y && \
rm /tmp/postgres.rpm /tmp/postgres-libs.rpm RPM-GPG-KEY-CentOS-Official && \
# (Optional) Remove line below to keep package management utilities
rpm -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
rm -rf /var/cache/dnf /var/cache/yum && \
# The contents of paths mounted as emptyDir volumes in Kubernetes are saved
# by the script `save-dir-contents` during the image build. The directory
# contents are then restored by the script `restore-all-dir-contents`
# during the container start.
chown -R 4000:4000 /etc/pki/ca-trust && save-dir-contents /etc/pki/ca-trust/source && \
mkdir -p /var/lib/stackrox && chown -R 4000:4000 /var/lib/stackrox && \
mkdir -p /var/log/stackrox && chown -R 4000:4000 /var/log/stackrox && \
mkdir -p /var/cache/stackrox && chown -R 4000:4000 /var/cache/stackrox && \
chown -R 4000:4000 /tmp

COPY --from=stackrox_data /stackrox-data /stackrox/static-data
COPY ./docs/api/v1/swagger.json /stackrox/static-data/docs/api/v1/swagger.json
COPY ./docs/api/v2/swagger.json /stackrox/static-data/docs/api/v2/swagger.json
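Review bot: the removed `microdnf -y upgrade --nobest` was the only step that applied pending security updates to the base image, and nothing in the new package_installer stage replaces it: `dnf install --installroot=/out/` adds packages but leaves the rootfs copied from `ubi-micro-base` at whatever patch level `ubi9-micro:latest` had when it was pulled. Suggest a `dnf upgrade -y --installroot=/out/ --releasever=9` ahead of the installs, or a note in the Dockerfile that freshness is delegated to rebuilding against a newer base. On the same block: util-linux was installed here and is now absent from image/rhel/Dockerfile while konflux.Dockerfile still installs it, so the two images diverge in package set; pick one. Dropping the `rpm -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' ...)` cleanup is fine, since ubi-micro ships no package manager, and the rpmdb still reaches the final image through `COPY --from=package_installer /out/ /`, so scanners can keep inventorying packages.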
Expand All @@ -96,5 +113,3 @@ EXPOSE 8443
USER 4000:4000

ENTRYPOINT ["/stackrox/roxctl"]

HEALTHCHECK CMD curl --insecure --fail https://127.0.0.1:8443/v1/ping
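Review bot: removing the HEALTHCHECK is consistent with the final stage now being ubi-micro, which has no curl (the previous stage already uninstalled curl via `rpm -e --nodeps $(rpm -qa curl ...)`, so the check could not have succeeded before either); since the deletion is not mentioned anywhere in the visible change, put a sentence about it in the commit message or PR description so a later reader does not treat its absence as an oversight.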
59 changes: 43 additions & 16 deletions image/rhel/konflux.Dockerfile
Expand Up @@ -37,6 +37,47 @@ RUN mkdir -p image/rhel/docs/api/v1 && \
RUN make copy-go-binaries-to-image-dir


FROM registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:093a704be0eaef9bb52d9bc0219c67ee9db13c2e797da400ddb5d5ae6849fa10 AS ubi-micro-base

FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:6ed9f6f637fe731d93ec60c065dbced79273f1e0b5f512951f2c0b0baedb16ad AS package_installer

ARG PG_VERSION

# Copy ubi-micro base to preserve rpmdb
COPY --from=ubi-micro-base / /out/

# Install packages directly to /out/ using --installroot
Contributor:

Minor nitpick, but...

This comment

    # Install packages directly to /out/ using --installroot

is present in konflux.Dockerfile but absent in Dockerfile, although both do the same thing in this regard.

I suggest you stick with one way of doing things and do it consistently in this PR and in other ongoing PRs.

# Note: --setopt=reposdir=/etc/yum.repos.d instructs dnf to use repo configurations pointing to RPMs
# prefetched by Hermeto/Cachi2, instead of installroot's default UBI repos.
RUN dnf module enable -y \
--installroot=/out/ \
--setopt=reposdir=/etc/yum.repos.d \
--releasever=9 \
postgresql:${PG_VERSION} && \
dnf install -y \
--installroot=/out/ \
--setopt=reposdir=/etc/yum.repos.d \
--releasever=9 \
--setopt=install_weak_deps=0 \
--nodocs \
ca-certificates \
findutils \
openssl \
postgresql \
util-linux && \
Contributor:

What's with util-linux in konflux.Dockerfile, is it needed?
Similar to #17406 (comment)

dnf --installroot=/out/ clean all && \
rm -rf /out/var/cache/dnf /out/var/cache/yum

# Setup stackrox directories with correct ownership
RUN mkdir -p /out/stackrox && \
mkdir -p /out/etc/pki/ca-trust/source/anchors /out/etc/ssl && \
mkdir -p /out/var/lib/stackrox /out/var/log/stackrox /out/var/cache/stackrox && \
chown -R 4000:4000 /out/etc/pki/ca-trust /out/etc/ssl /out/var/lib/stackrox /out/var/log/stackrox /out/var/cache/stackrox /out/tmp
Comment on lines +72 to +75

Contributor:

Look what a mess we have here. I think committing suggestions from the GitHub UI is not safe for the time being.

COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/static-bin/* /out/stackrox/
RUN chroot /out /stackrox/save-dir-contents /etc/pki/ca-trust /etc/ssl
Comment on lines +77 to +78

Contributor:

This could be copied and executed (without chroot) in the final stage. Is there a reason to have it here?

Contributor Author:

My idea was to not add unnecessary layers in the final image.

Contributor:

You don't need to worry about layers in the Konflux image. They all get squashed.

You also don't need to worry about layers in the GHA-built image; we did not attempt to reduce them historically.


FROM registry.access.redhat.com/ubi9/nodejs-20:latest@sha256:ad30ca76c555dafd2c0c772f8a12aae41cadc767c9654761c6fb706fd1659920 AS ui-builder

WORKDIR /go/src/github.com/stackrox/rox/app
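Review bot: `/out/stackrox` is created by the `mkdir -p` but deliberately left out of the `chown -R 4000:4000` list, and the static-bin scripts are copied in afterwards, so in the final image `/stackrox` and its helper scripts stay root-owned and read-only for uid 4000; that is the property you want (the non-root process cannot overwrite the scripts it later executes), but the comment "Setup stackrox directories with correct ownership" invites someone to add `/out/stackrox` to the chown list, so state the intent in the comment. Separately, with `--installroot=/out/` the rpm transaction runs against the rootfs under `/out/`, so repository signatures are checked with the keys in that rootfs's rpmdb (the one copied from `ubi-micro-base`) and the `gpgcheck`/`gpgkey` settings of the Hermeto/Cachi2 repo files selected via `--setopt=reposdir=/etc/yum.repos.d`; worth confirming from a build log that signature checking is in effect on this path rather than silently skipped.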
Expand All @@ -59,15 +100,9 @@ ENV UI_PKG_INSTALL_EXTRA_ARGS="--ignore-scripts"
RUN make -C ui build


FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:69f5c9886ecb19b23e88275a5cd904c47dd982dfa370fbbd0c356d7b1047ef68

ARG PG_VERSION
FROM registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:093a704be0eaef9bb52d9bc0219c67ee9db13c2e797da400ddb5d5ae6849fa10

RUN microdnf -y module enable postgresql:${PG_VERSION} && \
microdnf -y install postgresql && \
microdnf -y clean all && \
rpm --verbose -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
rm -rf /var/cache/dnf /var/cache/yum
COPY --from=package_installer /out/ /

COPY --from=ui-builder /go/src/github.com/stackrox/rox/app/ui/build /ui/

Expand All @@ -80,7 +115,6 @@ COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/bin/sensor
COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/bin/admission-control /stackrox/bin/
COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/bin/config-controller /stackrox/bin/
COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/bin/roxagent /stackrox/bin/
COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/static-bin/* /stackrox/
RUN GOARCH=$(uname -m) ; \
case $GOARCH in x86_64) GOARCH=amd64 ;; aarch64) GOARCH=arm64 ;; esac ; \
ln -s /assets/downloads/cli/roxctl-linux-$GOARCH /stackrox/roxctl ; \
Expand Down Expand Up @@ -123,11 +157,4 @@ COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/docs/api/v

COPY LICENSE /licenses/LICENSE

# The following paths are written to in Central.
RUN chown -R 4000:4000 /etc/pki/ca-trust && save-dir-contents /etc/pki/ca-trust/source && \
mkdir -p /var/lib/stackrox && chown -R 4000:4000 /var/lib/stackrox && \
mkdir -p /var/log/stackrox && chown -R 4000:4000 /var/log/stackrox && \
mkdir -p /var/cache/stackrox && chown -R 4000:4000 /var/cache/stackrox && \
chown -R 4000:4000 /tmp

USER 4000:4000
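Review bot: the removed line saved only `/etc/pki/ca-trust/source`, whereas its replacement in the package_installer stage (`chroot /out /stackrox/save-dir-contents /etc/pki/ca-trust /etc/ssl`) saves the whole `/etc/pki/ca-trust` tree plus `/etc/ssl`, so `restore-all-dir-contents` will restore more at container start than before and `/etc/ssl` is new to this image. If the widening is intended, say so in the commit message; and the explanatory comment about emptyDir volumes and the two scripts, which is also deleted here, should move with the logic to its new location (already raised on the image/rhel/Dockerfile change).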
7 changes: 5 additions & 2 deletions rpms.in.yaml
Expand Up @@ -4,12 +4,15 @@
packages:
# builder stage in image/rhel/konflux.Dockerfile
- jq
# final stage in image/rhel/konflux.Dockerfile
# package_installer stage in image/rhel/konflux.Dockerfile
- findutils
- util-linux
- ca-certificates
- openssl
- postgresql
# builder stage in operator/konflux.bundle.Dockerfile
- python3.12-pyyaml
# package_installer stage in operator/konflux.Dockerfile and image/roxctl/konflux.Dockerfile
# package_installer stage in: operator/konflux.Dockerfile, image/roxctl/konflux.Dockerfile, image/rhel/konflux.Dockerfile
- ca-certificates
- openssl
moduleEnable:
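Review bot: ca-certificates and openssl now appear twice under `packages:`, once in the new `# package_installer stage in image/rhel/konflux.Dockerfile` group and again in the shared package_installer group whose comment was just extended to list image/rhel/konflux.Dockerfile as well. Even if lock resolution tolerates the duplicates, the file now reads as if these were two different stages with separate needs; drop the two entries from one group (the shared group already covers image/rhel/konflux.Dockerfile by its comment) and keep only findutils, util-linux and postgresql in the image-specific group.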