ROX-33562: Migrate main image Dockerfiles to ubi9-micro #19653

Open
janisz wants to merge 2 commits into master from ROX-30858/migrate_main_to_ubi_micro

Conversation

@janisz
Contributor

@janisz janisz commented Mar 27, 2026

Description

This commit migrates the main container image from ubi-minimal (~92 MB) to ubi-micro (~28 MB) base image, reducing the final image size and improving security posture by minimizing the attack surface.

Changes

  • Base image: ubi8-minimal (~92 MB) → ubi8-micro (~28 MB)
  • Build strategy: Multi-stage build with ubi8 builder for dependencies
  • Final image size: 188 MB → 122 MB

Build Architecture

  1. Builder stage (ubi8): Install runtime dependencies using dnf/rpm
  2. Final stage (ubi8-micro): Copy dependencies, no package managers

Related Work

This continues the image optimization efforts:

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

  export KUBECONFIG=/tmp/tests/kubeconfig
  kubectl -n stackrox set image deployment/central \
    central=quay.io/rhacs-eng/release-main:4.11.0-484-g90cc136570-fast
  kubectl -n stackrox set image deployment/scanner-v4-indexer \
    indexer=quay.io/rhacs-eng/release-scanner-v4:4.11.0-517-g99d643f394-fast

  kubectl -n stackrox set image deployment/scanner-v4-matcher \
    matcher=quay.io/rhacs-eng/release-scanner-v4:4.11.0-517-g99d643f394-fast

  kubectl -n stackrox rollout status deployment/central --timeout=5m
  kubectl -n stackrox rollout status deployment/scanner-v4-indexer --timeout=5m
  kubectl -n stackrox rollout status deployment/scanner-v4-matcher --timeout=5m

Then check in the UI that everything is healthy and that the scanner is working:

# roxctl --insecure-skip-tls-verify -e https://tj0331aparttheeblank.demos.rox.systems:443 image scan --image=nginx:latest --output=table
Scan results for image: nginx:latest
(TOTAL-COMPONENTS: 57, TOTAL-VULNERABILITIES: 107, LOW: 87, MODERATE: 10, IMPORTANT: 9, CRITICAL: 1)

@janisz janisz requested review from a team and rhacs-bot as code owners March 27, 2026 13:11
@rhacs-bot rhacs-bot requested a review from a team March 27, 2026 13:11
@github-actions github-actions bot added the labels area/helm and konflux-build (Run Konflux in PR. Push commit to trigger it.) Mar 27, 2026
@janisz janisz force-pushed the ROX-30858/migrate_main_to_ubi_micro branch from d3344ba to 57976be March 27, 2026 13:25
@rhacs-bot
Contributor

rhacs-bot commented Mar 27, 2026

Images are ready for the commit at 90cc136.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-484-g90cc136570.

@codecov

codecov bot commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.65%. Comparing base (df8c4bc) to head (90cc136).
⚠️ Report is 75 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #19653      +/-   ##
==========================================
+ Coverage   49.39%   49.65%   +0.25%     
==========================================
  Files        2745     2747       +2     
  Lines      207225   207261      +36     
==========================================
+ Hits       102368   102919     +551     
+ Misses      97265    96689     -576     
- Partials     7592     7653      +61     
Flag Coverage Δ
go-unit-tests 49.65% <ø> (+0.25%) ⬆️

Flags with carried forward coverage won't be shown.

@janisz
Contributor Author

janisz commented Mar 27, 2026

/retest

@janisz
Contributor Author

janisz commented Mar 30, 2026

/retest

Migrate both image/rhel/Dockerfile and image/rhel/konflux.Dockerfile from
ubi9-minimal to ubi9-micro base images following the proven pattern from
PR #19500 (roxctl migration).

Changes:
- Use multi-stage build with package_installer pattern
- Install packages to /out/ using dnf --installroot
- Preserve ubi9-micro rpmdb by copying before package installation
- Move directory setup and save-dir-contents to package_installer stage
- Remove HEALTHCHECK from Dockerfile (curl not available in ubi9-micro)
- Pin SHA digests in konflux.Dockerfile for reproducible builds
- Use --setopt=reposdir=/etc/yum.repos.d for Cachi2 compatibility

Expected benefits:
- 30-35% image size reduction (from ~450MB to ~350MB)
- Smaller attack surface and reduced CVE exposure
- Faster image pull/push operations

This migration maintains full functionality while following the pattern
established in PR #17406 and successfully merged in PR #19500.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Signed-off-by: Tomasz Janiszewski <[email protected]>
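The build architecture in the PR description and the commit message above both describe the same two-stage pattern: a full ubi9 builder stage runs dnf with a chrooted installroot, the ubi9-micro rpmdb is copied into that root first, and the final ubi9-micro stage receives one COPY of the prepared tree. The Containerfile below is an added example written for this page, not the StackRox project's Dockerfile; the package list (ca-certificates, tzdata), the application binary and its directories, and the rpmdb location /usr/lib/sysimage/rpm on RHEL 9 are assumptions, not taken from the PR.

```dockerfile
# Added example (not the StackRox project's image/rhel/Dockerfile): the
# package_installer pattern described in the PR, with assumed package names,
# paths and binary.

# ---- Stage 1: a builder that still has a package manager -------------------
FROM registry.access.redhat.com/ubi9/ubi:latest AS package_installer

# Seed /out with the rpmdb of the target base image before installing anything,
# so the final image's package inventory lists ubi-micro's own packages as well
# as the ones added below. A scanner that reads the rpmdb would otherwise see
# only the newly installed packages and under-report the base image's exposure.
# Assumption: on RHEL 9 the rpmdb lives at /usr/lib/sysimage/rpm.
COPY --from=registry.access.redhat.com/ubi9/ubi-micro:latest \
     /usr/lib/sysimage/rpm /out/usr/lib/sysimage/rpm

# Install runtime dependencies into /out rather than into the builder's root.
#   --installroot      chrooted install target
#   --releasever       /out has no os-release to infer the release from
#   --setopt=reposdir  use the builder's repo files, since /out has none
#                      (the commit message names this for Cachi2 compatibility)
#   install_weak_deps=False and --nodocs keep the dependency closure small
RUN dnf install -y \
      --installroot=/out \
      --releasever=9 \
      --setopt=reposdir=/etc/yum.repos.d \
      --setopt=install_weak_deps=False \
      --nodocs \
      ca-certificates tzdata \
    && dnf clean all \
      --installroot=/out \
      --releasever=9 \
      --setopt=reposdir=/etc/yum.repos.d

# Directory setup is done here too, so the final stage needs no RUN layer.
# Paths are assumed for the example.
RUN mkdir -p /out/var/lib/app /out/var/log/app /out/tmp \
    && chown -R 4000:4000 /out/var/lib/app /out/var/log/app \
    && chmod 1777 /out/tmp

# ---- Stage 2: final image with no package manager ---------------------------
FROM registry.access.redhat.com/ubi9/ubi-micro:latest

# One COPY brings the prepared tree (packages, rpmdb, directories) into /.
# dnf, rpm and their dependency trees never enter this image.
COPY --from=package_installer /out/ /

# Application binary from the build context (assumed to exist as ./app).
COPY --chown=4000:4000 app /app/app

# A numeric UID:GID needs no /etc/passwd entry, which matters in ubi-micro
# where useradd is not available.
USER 4000:4000
ENTRYPOINT ["/app/app"]

# No HEALTHCHECK: ubi-micro ships no curl, and Kubernetes ignores the Docker
# HEALTHCHECK instruction anyway, so liveness and readiness belong in pod probes.
```

To check that the pattern did what it promises, build the image (`podman build -t app:micro .`) and confirm that no package-manager binary exists in it, for example by running the image with `--entrypoint /bin/bash` and listing `/usr/bin/dnf`, `/usr/bin/microdnf` and `/usr/bin/rpm`, all of which should be absent; then scan it the way the PR description does (`roxctl image scan --image=app:micro`) and verify that the component list still contains ubi-micro's own packages, which is what the rpmdb copy in the first stage is for.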
@janisz janisz force-pushed the ROX-30858/migrate_main_to_ubi_micro branch from 57976be to aedfb9a March 30, 2026 15:33
@janisz janisz added the auto-retest label (PRs with this label will be automatically retested if prow checks fail) Mar 30, 2026
Signed-off-by: Tomasz Janiszewski <[email protected]>
@github-actions
Contributor

/konflux-retest operator-on-push

@github-actions
Contributor

/konflux-retest main-on-push

@github-actions
Contributor

/konflux-retest operator-bundle-on-push

@github-actions
Contributor

/konflux-retest operator-bundle-on-push

@github-actions
Contributor

/konflux-retest operator-bundle-on-push

@janisz janisz requested a review from msugakov April 1, 2026 10:43
@janisz janisz changed the title from "ROX-30858: Migrate main image Dockerfiles to ubi9-micro" to "ROX-33562: Migrate main image Dockerfiles to ubi9-micro" Apr 2, 2026
@coderabbitai

coderabbitai bot commented Apr 3, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Optimized container image configuration and build process for improved deployment efficiency.

Walkthrough

Both RHEL Dockerfiles were updated to switch the final runtime base image from ubi9-minimal to ubi9-micro and reorganized multi-stage builds. Installation workflows were refactored to use dnf with chrooted installroot (/out/) instead of microdnf in the final stage, consolidating artifacts through staged filesystem preparation.

Changes

Cohort: RHEL Dockerfile Updates
Files: image/rhel/Dockerfile, image/rhel/konflux.Dockerfile
Summary: Switched base image from ubi9-minimal/ubi9/ubi-minimal to ubi9-micro/ubi9/ubi-micro. Reorganized multi-stage builds with new package_installer stage. Replaced microdnf with dnf for package installation targeting a chrooted installroot. Moved /etc/pki, /var/lib/stackrox, /var/log/stackrox, /var/cache/stackrox, and /tmp creation to intermediate stage. Removed HEALTHCHECK instruction from standard Dockerfile.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Title check: ✅ Passed. The title accurately summarizes the main change: migrating main image Dockerfiles to ubi9-micro, which is the primary objective of the PR.
Description check: ✅ Passed. The PR description includes a clear explanation of changes, build strategy, related work, and validation steps. All required template sections are present and substantially filled out.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
image/rhel/konflux.Dockerfile (1)

96-154: ⚠️ Potential issue | 🟠 Major

Add missing ENTRYPOINT instruction for consistency with main Dockerfile.

The main image/rhel/Dockerfile includes ENTRYPOINT ["/stackrox/roxctl"] at line 106, but this Konflux variant omits it. Other Konflux Dockerfiles in the repository (roxctl, operator, postgres) all specify an ENTRYPOINT, indicating this is not an intentional pattern of omission. Add the ENTRYPOINT instruction to ensure consistent container behavior.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@image/rhel/konflux.Dockerfile` around lines 96 - 154, The Konflux Dockerfile
is missing the ENTRYPOINT used in the main Dockerfile; add an ENTRYPOINT that
points to the roxctl binary to match behavior and other Konflux images: add
ENTRYPOINT ["/stackrox/roxctl"] (same as main image) near the end of the
Dockerfile after USER 4000:4000 (or immediately before if USER must be applied
at runtime), ensuring the container launches /stackrox/roxctl by default.
🧹 Nitpick comments (2)
image/rhel/konflux.Dockerfile (1)

93-94: Redundant copy of static-bin/* files.

Line 93 copies static-bin/* into /out/stackrox/, and line 98 copies the entire /out/ to /. Then line 111 copies static-bin/* again to /stackrox/, overwriting the same files. This is redundant and slightly increases build time.

Remove redundant COPY
 COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/bin/roxagent /stackrox/bin/
-COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/static-bin/* /stackrox/
 RUN GOARCH=$(uname -m) ; \
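Review bot: The removed line is the final-stage COPY of static-bin/* into /stackrox/, but the retained context line directly above it still copies roxagent straight into /stackrox/bin/ rather than through the package_installer stage's /out/ tree, so after this change /stackrox is populated by two different routes; if the intent is that the whole /stackrox tree comes from /out/, the roxagent COPY should get the same treatment, and if not, a comment explaining why the two paths differ would help the next reader. The hunk also shows only the final-stage side, so before dropping the line it is worth confirming that the earlier COPY to /out/stackrox/ uses the same source glob and that `chroot /out /stackrox/save-dir-contents` and the `COPY /out/ /` step carry those files through with the expected ownership.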

Also applies to: 111-111

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@image/rhel/konflux.Dockerfile` around lines 93 - 94, The Dockerfile
duplicates copying static binaries: the COPY --from=go-builder
/go/src/github.com/stackrox/rox/app/image/rhel/static-bin/* /out/stackrox/ and a
later COPY that again places static-bin/* into /stackrox/ (overwriting the same
files); remove the redundant COPY (either the first one to /out/stackrox/ or the
later one to /stackrox/, depending on which target you need preserved) so the
static-bin files are only copied once, keep the chroot /out
/stackrox/save-dir-contents step intact and ensure the remaining COPY uses the
final target path (/stackrox/ or /out/stackrox/) expected by subsequent steps.
image/rhel/Dockerfile (1)

20-26: Consider adding dnf clean all to reduce intermediate layer size.

The dnf install -y zip command lacks cache cleanup. While this is an intermediate build stage and the cache won't reach the final image (only /stackrox-data is copied via line 82), adding cleanup would reduce CI cache/layer size.

Suggested fix
 FROM ubi-base AS stackrox_data

-RUN dnf install -y zip
+RUN dnf install -y zip && dnf clean all && rm -rf /var/cache/dnf /var/cache/yum

 WORKDIR /
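Review bot: The suggested `rm -rf /var/cache/dnf /var/cache/yum` appended after `dnf clean all` is belt-and-braces, since `dnf clean all` already removes the cached metadata and packages from its configured cachedir; harmless, but it can be dropped for a shorter line. As the comment itself notes, only /stackrox-data is copied out of the stackrox_data stage, so the change affects CI layer size rather than the shipped image. If it is applied, keeping the install and the cleanup in one `&&` chain in a single RUN is the right shape, because a cleanup in a separate RUN would leave the cache in the already committed layer.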
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@image/rhel/Dockerfile` around lines 20 - 26, The RUN that installs zip in the
stackrox_data stage leaves DNF caches and should be cleaned in the same layer to
reduce intermediate size; update the RUN that contains "dnf install -y zip" (in
the stackrox_data stage) to perform DNF cache cleanup after install (e.g., run
dnf clean all and remove /var/cache/dnf) so caches are removed in the same layer
that installs zip, keeping the rest of the Dockerfile (COPY
fetch-stackrox-data.sh and creation of /stackrox-data) unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 5da37e4c-1ef7-4dbf-9c59-e968fc17ecb7

📥 Commits

Reviewing files that changed from the base of the PR and between df8c4bc and 90cc136.

📒 Files selected for processing (2)
  • image/rhel/Dockerfile
  • image/rhel/konflux.Dockerfile

@github-actions
Contributor

github-actions bot commented Apr 3, 2026

/konflux-retest roxctl-on-push

@github-actions
Contributor

github-actions bot commented Apr 3, 2026

/konflux-retest scanner-v4-db-on-push


Labels

  • area/helm
  • auto-retest (PRs with this label will be automatically retested if prow checks fail)
  • coderabbit-review
  • konflux-build (Run Konflux in PR. Push commit to trigger it.)
