52a567b
ROX-30858: Migrate scanner image from ubi8-minimal to ubi8-micro
janisz Oct 21, 2025
7717709
Fix scanner-v4-indexer and scanner-v4-matcher crashes with ubi8-micro
janisz Oct 23, 2025
a472c1a
Update scanner/image/scanner/Dockerfile
janisz Oct 24, 2025
ad63a4d
ROX-33562: Migrate scanner konflux.Dockerfile to ubi8-micro
janisz Mar 11, 2026
6242002
refactor: Simplify comments in scanner konflux.Dockerfile
janisz Mar 12, 2026
e2c1eb5
fix(scanner): Add RPM prefetch to Konflux build configuration
janisz Mar 12, 2026
650ac8a
fix(scanner): Add ACTIVATION_KEY parameter for RPM prefetch
janisz Mar 13, 2026
f765179
fix(scanner): Move RPM prefetch params to scanner-v4-pipeline
janisz Mar 16, 2026
1b5b79d
refactor(scanner): Clean up scanner Dockerfile and preserve ubi-micro…
janisz Mar 17, 2026
df11284
fix
janisz Mar 19, 2026
4c27914
Apply suggestion from @janisz
janisz Mar 19, 2026
ef3a0e5
Apply suggestion from @janisz
janisz Mar 19, 2026
97746fa
add missing comments
janisz Mar 19, 2026
4d8f51e
Update scanner/image/scanner/konflux.Dockerfile
janisz Mar 23, 2026
0a74399
Apply suggestion from @msugakov
janisz Mar 23, 2026
08cccc6
Apply suggestion from @msugakov
janisz Mar 23, 2026
8416bfa
Apply suggestion from @msugakov
janisz Mar 23, 2026
2eb02ea
fix comment
janisz Mar 23, 2026
e672b40
remove args
janisz Mar 23, 2026
934fe1e
Apply suggestion from @janisz
janisz Mar 23, 2026
557483a
Merge branch 'master' into ubi-mirco-scanner
janisz Mar 23, 2026
db8d1f8
Merge branch 'master' into ubi-mirco-scanner
janisz Mar 24, 2026
1a4eebe
Merge branch 'master' into ubi-mirco-scanner
janisz Mar 25, 2026
0ddcc29
Apply suggestion from @janisz
janisz Mar 25, 2026
0614429
Apply suggestion from @janisz
janisz Mar 25, 2026
1ef0139
fix
janisz Mar 25, 2026
c3162fe
WIP: just for testing remove findutils and util-linx to check if we n…
janisz Mar 25, 2026
e78bb32
move comment to rpms.in.yaml
janisz Mar 25, 2026
1ae3297
remove findutils and util-linux
janisz Mar 26, 2026
48486bb
add missing pacakges
janisz Mar 26, 2026
d71626a
Fix scanner mapping files path in ubi-micro Dockerfile
janisz Mar 30, 2026
bc0ed6e
Remove unnecessary findutils and util-linux packages
janisz Mar 30, 2026
0df4ddf
Remove findutils and util-linux from rpms.in.yaml
janisz Mar 30, 2026
8656442
revert rpms.lock.yaml
janisz Mar 30, 2026
99d643f
Merge branch 'master' into ubi-mirco-scanner
janisz Mar 30, 2026
6 changes: 5 additions & 1 deletion .tekton/scanner-v4-build.yaml
Expand Up @@ -50,7 +50,11 @@ spec:
- name: hermetic
value: "true"
- name: prefetch-input
value: '{"type": "gomod", "path": "."}'
value: |
[
{ "type": "gomod", "path": "." },
{ "type": "rpm", "path": "." }
]
- name: build-source-image
value: 'true'
- name: clone-depth
2 changes: 2 additions & 0 deletions .tekton/scanner-v4-pipeline.yaml
Expand Up @@ -256,6 +256,8 @@ spec:
value: $(params.output-image-repo):konflux-$(params.revision).prefetch
- name: ociArtifactExpiresAfter
value: $(params.oci-artifact-expires-after)
- name: ACTIVATION_KEY
value: subscription-manager-activation-key-prod
taskRef:
params:
- name: name
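Review bot: `ACTIVATION_KEY` is set to the bare string `subscription-manager-activation-key-prod` with nothing in the file saying whether that is the name of a Secret the task reads or a literal key; from the value it looks like a Secret name, but a reader cannot tell, and a literal activation key committed to a tracked pipeline YAML would be a credential leak. Add a comment above the parameter such as `# Name of the Secret holding the subscription-manager activation key; prefetch-dependencies uses it to fetch RPMs from entitlement-gated repos`, and confirm against the task definition that the parameter indeed takes a Secret name rather than the key itself. The parameter appears to be added to the prefetch task only (the `taskRef` that follows is cut off by the hunk), so the build task does not receive it — fine if only prefetch needs entitlement, but worth stating.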
5 changes: 2 additions & 3 deletions rpms.in.yaml
Expand Up @@ -5,13 +5,12 @@ packages:
# builder stage in image/rhel/konflux.Dockerfile
- jq
# final stage in image/rhel/konflux.Dockerfile
- findutils
- postgresql
# builder stage in operator/konflux.bundle.Dockerfile
- python3.12-pyyaml
# package_installer stage in operator/konflux.Dockerfile and image/roxctl/konflux.Dockerfile
# package_installer stage in: operator/konflux.Dockerfile, image/roxctl/konflux.Dockerfile, scanner/image/scanner/konflux.Dockerfile
- ca-certificates
- openssl
- openssl # required for FIPS support
moduleEnable:
# final stage in image/rhel/konflux.Dockerfile
- postgresql:15
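Review bot: `findutils` is dropped from the input here, but the commit list shows `rpms.lock.yaml` being reverted (8656442) after this input changed (0df4ddf), so the lock that the hermetic prefetch actually trusts may no longer correspond to this file; regenerate the lock from this input in the same change so that what is prefetched and attested is exactly what the Dockerfiles install. The new `# required for FIPS support` on `openssl` is terse: the scanner binary is built with `CGO_ENABLED=1` in `scanner/image/scanner/konflux.Dockerfile`, so what the runtime image presumably needs is the OpenSSL shared library, which `openssl` pulls in via `openssl-libs`, while the `openssl` CLI itself is an extra binary in a ubi-micro runtime image. Either spell that out, e.g. `# openssl: pulls in openssl-libs for the CGO-linked scanner binary (FIPS provider); the CLI is not needed at runtime`, or install `openssl-libs` directly if the CLI is confirmed unused.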
67 changes: 39 additions & 28 deletions scanner/image/scanner/Dockerfile
@@ -1,16 +1,45 @@
ARG MAPPINGS_REGISTRY=registry.access.redhat.com
ARG MAPPINGS_BASE_IMAGE=ubi9
ARG MAPPINGS_BASE_TAG=latest
ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi9-minimal
ARG BASE_TAG=latest
FROM registry.access.redhat.com/ubi9:latest AS ubi-base
FROM registry.access.redhat.com/ubi9/ubi-micro:latest AS ubi-micro-base

FROM ${MAPPINGS_REGISTRY}/${MAPPINGS_BASE_IMAGE}:${MAPPINGS_BASE_TAG} AS mappings
FROM ubi-base AS mappings

COPY download-mappings.sh /download-mappings.sh
RUN /download-mappings.sh /mappings

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
FROM ubi-base AS package_installer

# Copy ubi-micro base to preserve rpmdb
COPY --from=ubi-micro-base / /out/

# Install packages directly to /out/ using --installroot
RUN dnf install \
--installroot=/out/ \
--releasever=9 \
--setopt=install_weak_deps=False \
--nodocs \
-y \
ca-certificates && \
dnf --installroot=/out/ clean all && \
rm -rf /out/var/cache/dnf /out/var/cache/yum

COPY scripts/entrypoint.sh \
scripts/import-additional-cas \
scripts/restore-all-dir-contents \
scripts/save-dir-contents /out/usr/local/bin/
COPY bin/scanner /out/usr/local/bin/
COPY THIRD_PARTY_NOTICES/ /out/THIRD_PARTY_NOTICES/

COPY --from=mappings /mappings/repository-to-cpe.json /mappings/container-name-repos-map.json /out/run/mappings/

# The contents of paths mounted as emptyDir volumes in Kubernetes are saved
# by the script `save-dir-contents` during the image build. The directory
# contents are then restored by the script `restore-all-dir-contents`
# during the container start.
# Setup CA trust directories with proper permissions in /out/
RUN chown -R 65534:65534 /out/etc/pki/ca-trust /out/etc/ssl /out/tmp && \
chroot /out /usr/local/bin/save-dir-contents /etc/pki/ca-trust/source

FROM ubi-micro-base

ARG LABEL_VERSION
ARG LABEL_RELEASE
Expand All @@ -25,27 +54,9 @@ LABEL name="scanner-v4" \
release="${LABEL_RELEASE}" \
quay.expires-after="${QUAY_TAG_EXPIRATION}"

SHELL ["/bin/sh", "-o", "pipefail", "-c"]
COPY --from=package_installer /out/ /

COPY scripts/entrypoint.sh \
scripts/import-additional-cas \
scripts/restore-all-dir-contents \
scripts/save-dir-contents /usr/local/bin/
COPY bin/scanner /usr/local/bin/
COPY THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
COPY --from=mappings /mappings/repository-to-cpe.json /mappings/container-name-repos-map.json /run/mappings/

RUN microdnf upgrade -y --nobest && \
microdnf clean all && \
# (Optional) Remove line below to keep package management utilities
rpm -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
rm -rf /var/cache/dnf /var/cache/yum && \
chown -R 65534:65534 /tmp && \
# The contents of paths mounted as emptyDir volumes in Kubernetes are saved
# by the script `save-dir-contents` during the image build. The directory
# contents are then restored by the script `restore-all-dir-contents`
# during the container start.
chown -R 65534:65534 /etc/pki/ca-trust && save-dir-contents /etc/pki/ca-trust/source
SHELL ["/bin/sh", "-o", "pipefail", "-c"]

# This is equivalent to nobody:nobody.
USER 65534:65534
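Review bot: The new `package_installer` stage does not carry over the `microdnf upgrade -y --nobest` that the removed final-stage `RUN` performed, so the base packages in the shipped image are exactly whatever `ubi-micro:latest` contained at pull time, with no errata applied at build time. If that is intended it relies entirely on the base tag being fresh; otherwise add `dnf upgrade -y --installroot=/out/ --releasever=9 --nobest && \` ahead of the `dnf install` in that stage so the rpmdb copied from `ubi-micro-base` is brought up to date in the same layer. Relatedly, the new `FROM registry.access.redhat.com/ubi9:latest` and `ubi-micro:latest` lines drop the `MAPPINGS_*`/`BASE_*` `ARG` overrides the old file had and pin nothing, whereas `konflux.Dockerfile` pins both bases by digest; restoring the `ARG`s or adding digests would keep this build reproducible and overridable. Also note this file installs only `ca-certificates` while `konflux.Dockerfile` installs `ca-certificates` and `openssl` in the same stage — confirm the two are meant to diverge, since the FIPS rationale given in `rpms.in.yaml` would seem to apply to both.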
78 changes: 49 additions & 29 deletions scanner/image/scanner/konflux.Dockerfile
Expand Up @@ -17,7 +17,55 @@ WORKDIR /src
RUN make -C scanner NODEPS=1 CGO_ENABLED=1 image/scanner/bin/scanner copy-scripts


FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:69f5c9886ecb19b23e88275a5cd904c47dd982dfa370fbbd0c356d7b1047ef68
FROM registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:093a704be0eaef9bb52d9bc0219c67ee9db13c2e797da400ddb5d5ae6849fa10 AS ubi-micro-base

FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:6ed9f6f637fe731d93ec60c065dbced79273f1e0b5f512951f2c0b0baedb16ad AS package_installer

# Copy ubi-micro base to preserve rpmdb
COPY --from=ubi-micro-base / /out/

# Install packages directly to /out/ using --installroot
# Note: --setopt=reposdir=/etc/yum.repos.d instructs dnf to use repo configurations pointing to RPMs
# prefetched by Hermeto/Cachi2, instead of installroot's default UBI repos.
RUN dnf install -y \
--installroot=/out/ \
--releasever=9 \
--setopt=install_weak_deps=False \
--setopt=reposdir=/etc/yum.repos.d \
--nodocs \
ca-certificates \
openssl && \
dnf clean all --installroot=/out/ && \
rm -rf /out/var/cache/dnf /out/var/cache/yum

COPY --from=builder \
/src/scanner/image/scanner/scripts/entrypoint.sh \
/src/scanner/image/scanner/scripts/import-additional-cas \
/src/scanner/image/scanner/scripts/restore-all-dir-contents \
/src/scanner/image/scanner/scripts/save-dir-contents \
/src/scanner/image/scanner/bin/scanner \
/out/usr/local/bin/

# The mapping files are not optional.
# The helm chart hard codes in the indexer config the path to the mapping
# files. If the file does not exist, the indexer raises an error during bootstrap.
# (Note that the file is downloaded from Central after initial seeding.)
# Mapping files required by indexer config
COPY .konflux/scanner-data/repository-to-cpe.json .konflux/scanner-data/container-name-repos-map.json /out/run/mappings/

COPY LICENSE /out/licenses/LICENSE

# The contents of paths mounted as emptyDir volumes in Kubernetes are saved
# by the script `save-dir-contents` during the image build. The directory
# contents are then restored by the script `restore-all-dir-contents`
# during the container start.
RUN chown -R 65534:65534 /out/tmp /out/etc/pki/ca-trust /out/etc/ssl && \
chroot /out /usr/local/bin/save-dir-contents /etc/pki/ca-trust/source


FROM ubi-micro-base

COPY --from=package_installer /out/ /

ARG BUILD_TAG

Expand All @@ -40,34 +88,6 @@ LABEL \
# We also set it to not inherit one from a base stage in case it's RHEL or UBI.
release="1"

COPY --from=builder \
/src/scanner/image/scanner/scripts/entrypoint.sh \
/src/scanner/image/scanner/scripts/import-additional-cas \
/src/scanner/image/scanner/scripts/restore-all-dir-contents \
/src/scanner/image/scanner/scripts/save-dir-contents \
/src/scanner/image/scanner/bin/scanner \
/usr/local/bin/

# The mapping files are not optional.
# The helm chart hard codes in the indexer config the path to the mapping
# files. If the file does not exist, the indexer raises an error during bootstrap.
# (Note that the file is downloaded from Central after initial seeding.)

COPY .konflux/scanner-data/repository-to-cpe.json .konflux/scanner-data/container-name-repos-map.json /run/mappings/

RUN microdnf clean all && \
# (Optional) Remove line below to keep package management utilities
rpm -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
rm -rf /var/cache/dnf /var/cache/yum && \
chown -R 65534:65534 /tmp && \
# The contents of paths mounted as emptyDir volumes in Kubernetes are saved
# by the script `save-dir-contents` during the image build. The directory
# contents are then restored by the script `restore-all-dir-contents`
# during the container start.
chown -R 65534:65534 /etc/pki/ca-trust && save-dir-contents /etc/pki/ca-trust/source

COPY LICENSE /licenses/LICENSE

# This is equivalent to nobody:nobody.
USER 65534:65534

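Review bot: `chown -R 65534:65534 /out/tmp /out/etc/pki/ca-trust /out/etc/ssl` hands the runtime UID write access to all of `/etc/ssl`, which the removed final-stage `RUN` did not do (it chowned only `/tmp` and `/etc/pki/ca-trust`); on RHEL-family images `/etc/ssl` typically holds `openssl.cnf` or a symlink to it, so a compromised scanner process could now alter OpenSSL's own configuration inside its container. If `import-additional-cas` or `update-ca-trust` needs to write under `/etc/ssl` on ubi-micro, narrow the chown to that path and say why, e.g. `# /etc/ssl/certs must be writable by the runtime user because update-ca-trust refreshes it — TODO confirm exact path`; otherwise drop `/out/etc/ssl` from the list. The same line was added to `scanner/image/scanner/Dockerfile`. Note also that `chown -R` with its default `-P` does not change the targets of symlinks, so if the `/etc/ssl` entries are symlinks into `/etc/pki/tls` the chown may not even achieve what was intended — worth verifying in the built image.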