From 4dea2135d8b32b0b19d995b1cdb5b9454c17e85b Mon Sep 17 00:00:00 2001
From: Tomasz Janiszewski
Date: Thu, 7 Apr 2022 13:27:37 +0200
Subject: [PATCH 1/5] Use scratch image for operator
---
 operator/Dockerfile | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/operator/Dockerfile b/operator/Dockerfile
index 579e7ab4453a0..bf4b7d83e7d22 100644
--- a/operator/Dockerfile
+++ b/operator/Dockerfile
@@ -46,20 +46,17 @@ COPY operator/build/status.sh status.sh
 RUN git init && git add .
 # Build the operator binary.
-RUN GOOS=$(go env GOOS) scripts/go-build.sh operator
+RUN GOOS=$(go env GOOS) CGO_ENABLED=0 scripts/go-build.sh operator
 # Copy the operator binary to a location from where it will be taken into the final image.
 RUN cp -a bin/$(go env GOOS)/operator stackrox-operator
-# https://access.redhat.com/containers/?tab=tags#/registry.access.redhat.com/ubi8-minimal
-FROM registry.access.redhat.com/ubi8-minimal:8.5
+FROM scratch
 ARG roxpath
 ARG ROX_IMAGE_FLAVOR
 ENV ROX_IMAGE_FLAVOR=${ROX_IMAGE_FLAVOR}
-RUN microdnf update && microdnf clean all && rm -rf /var/cache/yum/*
-
 COPY --from=builder ${roxpath}/stackrox-operator /usr/local/bin/
 # The following are numeric uid and gid of `nobody` user in UBI.
From eca3156feb82fa72d487de3a029c5bc86f49ee98 Mon Sep 17 00:00:00 2001
From: Tomasz Janiszewski
Date: Fri, 8 Apr 2022 10:56:04 +0200
Subject: [PATCH 2/5] Use expeted_go_version to build operator
---
 operator/Dockerfile | 3 ++-
 operator/Makefile | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/operator/Dockerfile b/operator/Dockerfile
index bf4b7d83e7d22..b9edad1da72d7 100644
--- a/operator/Dockerfile
+++ b/operator/Dockerfile
@@ -1,7 +1,8 @@
 # We have to emulate directory layout as in the repo so that imports in go files work fine.
 ARG roxpath=/workspace/src/github.com/stackrox/rox
+ARG GO_VERSION=latest
-FROM golang:1.17 as builder
+FROM golang:${GO_VERSION} as builder
 # Build the manager binary
 ARG roxpath
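Review bot: `FROM scratch` in the middle of the hunk leaves the final stage with no CA bundle, no tzdata and no `/etc/passwd`, and the commit only adds `CGO_ENABLED=0` to make the binary static. Connections to the in-cluster API server normally verify against the service-account CA that kubelet mounts, so those should keep working, but any TLS connection the operator opens through the system roots would fail with an unknown-authority error on an empty root filesystem; whether the operator opens such connections is not visible here. If it does, copying the builder's bundle covers it: `COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/` (the Debian-based golang image ships one at that path). The numeric `USER 65534:65534` that follows the trailing comment, outside the hunk, still works on scratch because no passwd lookup is involved.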
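Review bot: `FROM golang:${GO_VERSION} as builder` now depends on a build-arg whose value comes from outside the Dockerfile (operator/Makefile reads it from `EXPECTED_GO_VERSION` in this same series), and nothing in the file says so, so a manual `docker build` without `--build-arg` silently uses whatever default the `ARG` line above carries. Add a comment above the new ARG: `# Go toolchain for the builder stage; operator/Makefile derives it from EXPECTED_GO_VERSION, pass --build-arg GO_VERSION=<x.y.z> when building by hand.` Pinning the builder by digest as well as by tag would make the build reproducible across upstream rebuilds, but that is a separate change.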
diff --git a/operator/Makefile b/operator/Makefile
index 224ed5411c896..12edf39881b7d 100644
--- a/operator/Makefile
+++ b/operator/Makefile
@@ -7,6 +7,9 @@
 # dropped (e.g. 3.0.61.1 -> 3.61.1) and development version ".x" is changed to ".0" (e.g. 3.0.61.x-123 -> 3.0.61.0-123).
 VERSION ?= $(shell $(MAKE) --quiet --no-print-directory -C .. tag | sed -E 's@^(([[:digit:]]+\.)+)x(-)?@\10\3@g' | sed -E 's@^3.0.([[:digit:]]+\.[[:digit:]]+)(-)?@3.\1\2@g')
+GO_VERSION ?= $(shell cat ../EXPECTED_GO_VERSION | sed 's/go//')
+
+
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable")
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -284,6 +287,7 @@ docker-build: test ## Build docker image with the operator.
 "$${smuggled_status_sh}" ;\
 )
 DOCKER_BUILDKIT=1 BUILDKIT_PROGRESS=plain docker build \
+ --build-arg "GO_VERSION=${GO_VERSION}" \
 -t ${IMG} \
 --ssh default=${SSH_AUTH_SOCK} \
 --build-arg ROX_IMAGE_FLAVOR=$(ROX_IMAGE_FLAVOR) \
From 32edb6d314529a393660d89a4df1d2e5b96cdc0a Mon Sep 17 00:00:00 2001
From: Tomasz Janiszewski
Date: Fri, 8 Apr 2022 13:12:46 +0200
Subject: [PATCH 3/5] remove user
---
 operator/Dockerfile | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/operator/Dockerfile b/operator/Dockerfile
index b9edad1da72d7..c38f74298b154 100644
--- a/operator/Dockerfile
+++ b/operator/Dockerfile
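Review bot: `GO_VERSION ?= $(shell cat ../EXPECTED_GO_VERSION | sed 's/go//')` degrades to an empty string when the file is missing, because `cat`'s error only goes to stderr and `$(shell …)` does not fail make, so the `--build-arg "GO_VERSION=${GO_VERSION}"` added in the second hunk passes an empty value and the build fails later at `FROM golang:` with an invalid-reference error instead of at the cause. A form without the pipe that strips only a leading prefix is `GO_VERSION ?= $(shell sed 's/^go//' ../EXPECTED_GO_VERSION)`, and a `test -n "$(GO_VERSION)"` at the top of the docker-build recipe would fail early with a clear message. The two blank lines added after the assignment also leave a run of blank lines before the CHANNELS comment; one would be enough.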
@@ -60,9 +60,4 @@ ENV ROX_IMAGE_FLAVOR=${ROX_IMAGE_FLAVOR}
 COPY --from=builder ${roxpath}/stackrox-operator /usr/local/bin/
-# The following are numeric uid and gid of `nobody` user in UBI.
-# We can't use symbolic names because otherwise k8s will fail to start the pod with an error like this:
-# Error: container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root (pod: "stackrox-operator-controller-manager-75bc744454-bkbjr_stackrox-operator-system(49874aae-2695-4d3a-afd3-8723914d2af5)", container: manager)
-USER 65534:65534
-
 ENTRYPOINT ["/usr/local/bin/stackrox-operator"]
From 90bbc64925edbb2e62efe5fc1f071b02828e7db2 Mon Sep 17 00:00:00 2001
From: Tomasz Janiszewski
Date: Fri, 8 Apr 2022 22:31:56 +0200
Subject: [PATCH 4/5] use ubi8-micro
---
 operator/Dockerfile | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/operator/Dockerfile b/operator/Dockerfile
index c38f74298b154..f3482b5f94f5d 100644
--- a/operator/Dockerfile
+++ b/operator/Dockerfile
@@ -47,11 +47,11 @@ COPY operator/build/status.sh status.sh
 RUN git init && git add .
 # Build the operator binary.
-RUN GOOS=$(go env GOOS) CGO_ENABLED=0 scripts/go-build.sh operator
+RUN GOOS=$(go env GOOS) scripts/go-build.sh operator
 # Copy the operator binary to a location from where it will be taken into the final image.
 RUN cp -a bin/$(go env GOOS)/operator stackrox-operator
-FROM scratch
+FROM registry.access.redhat.com/ubi8-micro:8.5
 ARG roxpath
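Review bot: Dropping `CGO_ENABLED=0` from the go-build line in the same hunk that moves the final stage to `ubi8-micro:8.5` ties the binary to the builder's libc: with cgo enabled the Go toolchain links packages such as `net` against the glibc of the golang image (Debian-based, typically newer than the glibc 2.28 of UBI 8), and depending on which symbol versions end up referenced the operator can fail at startup on the micro base with a missing `GLIBC_2.xx` symbol, with no package manager in that image to work around it. Unless scripts/go-build.sh (not visible here) sets CGO_ENABLED itself, keeping `CGO_ENABLED=0` on this line is just as valid for ubi8-micro and removes that coupling. Separately, `FROM registry.access.redhat.com/ubi8-micro:8.5` pins a tag that Red Hat rebuilds in place; a digest suffix, `ubi8-micro:8.5@sha256:<digest>`, would make the final stage reproducible.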
@@ -60,4 +60,9 @@ ENV ROX_IMAGE_FLAVOR=${ROX_IMAGE_FLAVOR}
 COPY --from=builder ${roxpath}/stackrox-operator /usr/local/bin/
+# The following are numeric uid and gid of `nobody` user in UBI.
+# We can't use symbolic names because otherwise k8s will fail to start the pod with an error like this:
+# Error: container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root (pod: "stackrox-operator-controller-manager-75bc744454-bkbjr_stackrox-operator-system(49874aae-2695-4d3a-afd3-8723914d2af5)", container: manager)
+USER 65534:65534
+
 ENTRYPOINT ["/usr/local/bin/stackrox-operator"]
From a673a416d855dc6dd109d06eb88e49c44f34c531 Mon Sep 17 00:00:00 2001
From: Tomasz Janiszewski
Date: Mon, 11 Apr 2022 15:45:57 +0200
Subject: [PATCH 5/5] remove go version default value
Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>
---
 operator/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/operator/Dockerfile b/operator/Dockerfile
index f3482b5f94f5d..7047d1a8ff689 100644
--- a/operator/Dockerfile
+++ b/operator/Dockerfile
@@ -1,6 +1,6 @@
 # We have to emulate directory layout as in the repo so that imports in go files work fine.
 ARG roxpath=/workspace/src/github.com/stackrox/rox
-ARG GO_VERSION=latest
+ARG GO_VERSION
 FROM golang:${GO_VERSION} as builder