ROX-33562: Migrate main image Dockerfiles to ubi9-micro #19653
Images are ready for the commit at 90cc136. To use with deploy scripts, first
Codecov Report: All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## master #19653 +/- ##
=======================================
Coverage 49.58% 49.58%
=======================================
Files 2766 2766
Lines 208523 208535 +12
=======================================
+ Hits 103387 103409 +22
+ Misses 97460 97448 -12
- Partials 7676 7678 +2
Outside diff range comments (1)
image/rhel/konflux.Dockerfile (1)
96-154: Potential issue | Major: Add missing ENTRYPOINT instruction for consistency with main Dockerfile.
The main image/rhel/Dockerfile includes ENTRYPOINT ["/stackrox/roxctl"] at line 106, but this Konflux variant omits it. Other Konflux Dockerfiles in the repository (roxctl, operator, postgres) all specify an ENTRYPOINT, indicating this is not an intentional pattern of omission. Add the ENTRYPOINT instruction to ensure consistent container behavior.
Prompt for AI Agents:
Verify each finding against the current code and only fix it if needed. In `@image/rhel/konflux.Dockerfile` around lines 96 - 154, The Konflux Dockerfile is missing the ENTRYPOINT used in the main Dockerfile; add an ENTRYPOINT that points to the roxctl binary to match behavior and other Konflux images: add ENTRYPOINT ["/stackrox/roxctl"] (same as main image) near the end of the Dockerfile after USER 4000:4000 (or immediately before if USER must be applied at runtime), ensuring the container launches /stackrox/roxctl by default.
Nitpick comments (2)
image/rhel/konflux.Dockerfile (1)
93-94: Redundant copy of static-bin/* files.
Line 93 copies static-bin/* into /out/stackrox/, and line 98 copies the entire /out/ to /. Then line 111 copies static-bin/* again to /stackrox/, overwriting the same files. This is redundant and slightly increases build time.
Remove redundant COPY:
COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/bin/roxagent /stackrox/bin/ -COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/static-bin/* /stackrox/ RUN GOARCH=$(uname -m) ; \Also applies to: 111-111
Prompt for AI Agents:
Verify each finding against the current code and only fix it if needed. In `@image/rhel/konflux.Dockerfile` around lines 93 - 94, The Dockerfile duplicates copying static binaries: the COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/static-bin/* /out/stackrox/ and a later COPY that again places static-bin/* into /stackrox/ (overwriting the same files); remove the redundant COPY (either the first one to /out/stackrox/ or the later one to /stackrox/, depending on which target you need preserved) so the static-bin files are only copied once, keep the chroot /out /stackrox/save-dir-contents step intact and ensure the remaining COPY uses the final target path (/stackrox/ or /out/stackrox/) expected by subsequent steps.
image/rhel/Dockerfile (1)
20-26: Consider adding dnf clean all to reduce intermediate layer size.
The dnf install -y zip command lacks cache cleanup. While this is an intermediate build stage and the cache won't reach the final image (only /stackrox-data is copied via line 82), adding cleanup would reduce CI cache/layer size.
Suggested fix:
FROM ubi-base AS stackrox_data -RUN dnf install -y zip +RUN dnf install -y zip && dnf clean all && rm -rf /var/cache/dnf /var/cache/yum WORKDIR /
Prompt for AI Agents:
Verify each finding against the current code and only fix it if needed. In `@image/rhel/Dockerfile` around lines 20 - 26, The RUN that installs zip in the stackrox_data stage leaves DNF caches and should be cleaned in the same layer to reduce intermediate size; update the RUN that contains "dnf install -y zip" (in the stackrox_data stage) to perform DNF cache cleanup after install (e.g., run dnf clean all and remove /var/cache/dnf) so caches are removed in the same layer that installs zip, keeping the rest of the Dockerfile (COPY fetch-stackrox-data.sh and creation of /stackrox-data) unchanged.
msugakov left a comment:
I have a déjà vu feeling that I already reviewed and even commented on the same things.
image/rhel/Dockerfile (outdated):
    chown -R 4000:4000 /out/etc/pki/ca-trust /out/etc/ssl /out/var/lib/stackrox /out/var/log/stackrox /out/var/cache/stackrox /out/tmp

    COPY static-bin/* /out/stackrox/
    RUN chroot /out /stackrox/save-dir-contents /etc/pki/ca-trust/source /etc/ssl
msugakov: Please note there are still a lot of COPY commands in the final stage, which means we don't save too many layers. Maybe these mkdir, chown, COPY commands don't need to be moved at all and package_installer would only do RPMs installation?
janisz: Makes sense, I moved it to the final image.
Migrate both image/rhel/Dockerfile and image/rhel/konflux.Dockerfile from ubi9-minimal to ubi9-micro base images following the proven pattern from PR #19500 (roxctl migration).

Changes:
- Use multi-stage build with package_installer pattern
- Install packages to /out/ using dnf --installroot
- Preserve ubi9-micro rpmdb by copying before package installation
- Move directory setup and save-dir-contents to package_installer stage
- Remove HEALTHCHECK from Dockerfile (curl not available in ubi9-micro)
- Pin SHA digests in konflux.Dockerfile for reproducible builds
- Use --setopt=reposdir=/etc/yum.repos.d for Cachi2 compatibility

Expected benefits:
- 30-35% image size reduction (from ~450MB to ~350MB)
- Smaller attack surface and reduced CVE exposure
- Faster image pull/push operations

This migration maintains full functionality while following the pattern established in PR #17406 and successfully merged in PR #19500.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
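The package_installer pattern the commit message describes, written out as an added illustrative Dockerfile that is not the PR's own file: image references, the ubi-micro stage name, the package list and the runtime directories are assumptions, and the rpmdb location assumes RHEL 9's /usr/lib/sysimage/rpm.

```dockerfile
# Added illustration of the package_installer pattern; not the PR's Dockerfile.
# Image references are unpinned placeholders (the PR pins SHA digests).
FROM registry.access.redhat.com/ubi9/ubi:latest AS ubi-base
FROM registry.access.redhat.com/ubi9/ubi-micro:latest AS ubi-micro

# Stage 1: run dnf in the full UBI image (ubi9-micro has no package manager)
# and install the RPMs into /out, which later becomes the runtime root.
FROM ubi-base AS package_installer
RUN mkdir -p /out
# Seed /out with the micro image's rpmdb so the base packages stay recorded.
# Without this, the final "COPY /out/ /" would overwrite the base rpmdb with
# one listing only the newly installed RPMs, and vulnerability scanners would
# stop seeing the base layer's packages. Path assumption: RHEL 9 keeps the
# rpmdb in /usr/lib/sysimage/rpm (with /var/lib/rpm pointing at it).
COPY --from=ubi-micro /usr/lib/sysimage/rpm /out/usr/lib/sysimage/rpm
# --releasever is required because the empty installroot has no release
# package; reposdir keeps dnf reading the builder's repo files (where Cachi2
# writes its hermetic-build repos) instead of looking inside /out.
# "tar openssl-libs" is a placeholder package list.
RUN dnf install -y \
        --installroot=/out \
        --releasever=9 \
        --setopt=install_weak_deps=false \
        --setopt=reposdir=/etc/yum.repos.d \
        --nodocs \
        tar openssl-libs \
 && dnf --installroot=/out clean all \
 && rm -rf /out/var/cache/* /out/var/log/dnf* /out/var/log/yum.*
# Directory setup and ownership happen here so the final stage needs a single
# COPY of the whole tree rather than one layer per mkdir/chown.
RUN mkdir -p /out/var/lib/stackrox /out/var/log/stackrox /out/var/cache/stackrox /out/tmp \
 && chown -R 4000:4000 /out/var/lib/stackrox /out/var/log/stackrox /out/var/cache/stackrox /out/tmp

# Stage 2: ubi9-micro plus the prepared tree. No HEALTHCHECK: the image has
# no curl or shell to run one, so cluster-level readiness/liveness probes
# must cover it.
FROM ubi-micro AS final
COPY --from=package_installer /out/ /
USER 4000:4000
# The real build copies in the application binary and sets its ENTRYPOINT here.
```

Inspect the result with `rpm -qa` run against the image's root (for example from the build stage with `rpm --root`) to confirm that both the ubi9-micro base packages and the newly installed RPMs appear in the single rpmdb.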
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
Build Images Ready: Images are ready for commit 2ece508. To use with deploy scripts: export MAIN_IMAGE_TAG=4.11.x-599-g2ece508791
Build Images Ready: Images are ready for commit 660d694. To use with deploy scripts: export MAIN_IMAGE_TAG=4.11.x-597-g660d694bb4
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
Description
This commit migrates the main container image from ubi-minimal (~92 MB) to ubi-micro (~28 MB) base image, reducing the final image size and improving security posture by minimizing the attack surface.
Changes
Build Architecture
Related Work
This continues the image optimization efforts:
User-facing documentation
Testing and quality
Automated testing
How I validated my change
Then check in the UI that everything is healthy and followed, and check that the scanner is working.