78 changes: 46 additions & 32 deletions image/rhel/Dockerfile
Expand Up @@ -2,27 +2,65 @@ ARG RPMS_REGISTRY=registry.access.redhat.com
ARG RPMS_BASE_IMAGE=ubi9
ARG RPMS_BASE_TAG=latest
ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi9-minimal
ARG BASE_IMAGE=ubi9-micro
ARG BASE_TAG=latest

FROM ${RPMS_REGISTRY}/${RPMS_BASE_IMAGE}:${RPMS_BASE_TAG} AS downloads
FROM ${RPMS_REGISTRY}/${RPMS_BASE_IMAGE}:${RPMS_BASE_TAG} AS ubi-base

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS ubi-micro-base

FROM ubi-base AS downloads

ARG DEBUG_BUILD=no

WORKDIR /
COPY download.sh /download.sh
RUN /download.sh

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS stackrox_data
FROM ubi-base AS stackrox_data

RUN mkdir /stackrox-data
RUN microdnf upgrade --nobest -y && microdnf install -y zip
RUN dnf install -y zip

WORKDIR /
COPY fetch-stackrox-data.sh .
RUN /fetch-stackrox-data.sh /stackrox-data
RUN mkdir /stackrox-data && /fetch-stackrox-data.sh /stackrox-data

FROM ubi-base AS package_installer

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
COPY --from=ubi-micro-base / /out/

RUN dnf install -y \
--installroot=/out/ \
--releasever=9 \
--setopt=install_weak_deps=0 \
--nodocs \
findutils \
ca-certificates && \
dnf clean all --installroot=/out/ && \
rm -rf /out/var/cache/dnf /out/var/cache/yum

COPY --from=downloads /output/rpms/ /tmp/
COPY signatures/RPM-GPG-KEY-CentOS-Official /tmp/
RUN rpm --import /tmp/RPM-GPG-KEY-CentOS-Official && \
dnf install -y \
--installroot=/out/ \
--releasever=9 \
--setopt=install_weak_deps=0 \
--nodocs \
/tmp/postgres-libs.rpm \
/tmp/postgres.rpm && \
dnf clean all --installroot=/out/ && \
rm -rf /out/var/cache/dnf /out/var/cache/yum /tmp/*.rpm /tmp/RPM-GPG-KEY-CentOS-Official

RUN mkdir -p /out/stackrox && \
mkdir -p /out/etc/pki/ca-trust/source/anchors /out/etc/ssl && \
mkdir -p /out/var/lib/stackrox /out/var/log/stackrox /out/var/cache/stackrox && \
chown -R 4000:4000 /out/etc/pki/ca-trust /out/etc/ssl /out/var/lib/stackrox /out/var/log/stackrox /out/var/cache/stackrox /out/tmp

COPY static-bin/* /out/stackrox/
RUN chroot /out /stackrox/save-dir-contents /etc/pki/ca-trust /etc/ssl

FROM ubi-micro-base

ARG LABEL_VERSION
ARG LABEL_RELEASE
Expand All @@ -45,32 +83,10 @@ ENV PATH="/stackrox:$PATH" \
ROX_IMAGE_FLAVOR=${ROX_IMAGE_FLAVOR} \
ROX_PRODUCT_BRANDING=${ROX_PRODUCT_BRANDING}

COPY signatures/RPM-GPG-KEY-CentOS-Official /
COPY static-bin /stackrox/
COPY --from=package_installer /out/ /

COPY --from=downloads /output/rpms/ /tmp/
COPY --from=downloads /output/go/ /go/

RUN rpm --import RPM-GPG-KEY-CentOS-Official && \
microdnf -y upgrade --nobest && \
rpm -i --nodeps /tmp/postgres-libs.rpm && \
rpm -i --nodeps /tmp/postgres.rpm && \
microdnf install --setopt=install_weak_deps=0 --nodocs -y util-linux && \
microdnf clean all -y && \
rm /tmp/postgres.rpm /tmp/postgres-libs.rpm RPM-GPG-KEY-CentOS-Official && \
# (Optional) Remove line below to keep package management utilities
rpm -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
rm -rf /var/cache/dnf /var/cache/yum && \
# The contents of paths mounted as emptyDir volumes in Kubernetes are saved
# by the script `save-dir-contents` during the image build. The directory
# contents are then restored by the script `restore-all-dir-contents`
# during the container start.
chown -R 4000:4000 /etc/pki/ca-trust && save-dir-contents /etc/pki/ca-trust/source && \
mkdir -p /var/lib/stackrox && chown -R 4000:4000 /var/lib/stackrox && \
mkdir -p /var/log/stackrox && chown -R 4000:4000 /var/log/stackrox && \
mkdir -p /var/cache/stackrox && chown -R 4000:4000 /var/cache/stackrox && \
chown -R 4000:4000 /tmp

COPY --from=stackrox_data /stackrox-data /stackrox/static-data
COPY ./docs/api/v1/swagger.json /stackrox/static-data/docs/api/v1/swagger.json
COPY ./docs/api/v2/swagger.json /stackrox/static-data/docs/api/v2/swagger.json
Expand All @@ -96,5 +112,3 @@ EXPOSE 8443
USER 4000:4000

ENTRYPOINT ["/stackrox/roxctl"]

HEALTHCHECK CMD curl --insecure --fail https://127.0.0.1:8443/v1/ping
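Review bot: The postgres RPMs in the new package_installer stage look like they are installed without a signature check. `rpm --import /tmp/RPM-GPG-KEY-CentOS-Official` adds the key to the builder's own rpmdb, while the following `dnf install --installroot=/out/` works against the rpmdb under /out, and dnf does not GPG-check packages passed as local file paths unless `localpkg_gpgcheck` is enabled. I would import the key into the install root with `rpm --root /out --import /tmp/RPM-GPG-KEY-CentOS-Official` and add `--setopt=localpkg_gpgcheck=1` to that dnf call, so that a tampered or unsigned RPM coming out of the downloads stage fails the build. download.sh is not visible here, so it is worth confirming with a build that this key actually matches the packages it fetches.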
47 changes: 34 additions & 13 deletions image/rhel/konflux.Dockerfile
Expand Up @@ -59,15 +59,43 @@ ENV UI_PKG_INSTALL_EXTRA_ARGS="--ignore-scripts"
RUN make -C ui build


FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:69f5c9886ecb19b23e88275a5cd904c47dd982dfa370fbbd0c356d7b1047ef68
FROM registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:093a704be0eaef9bb52d9bc0219c67ee9db13c2e797da400ddb5d5ae6849fa10 AS ubi-micro-base

FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:6ed9f6f637fe731d93ec60c065dbced79273f1e0b5f512951f2c0b0baedb16ad AS package_installer

ARG PG_VERSION

RUN microdnf -y module enable postgresql:${PG_VERSION} && \
microdnf -y install postgresql && \
microdnf -y clean all && \
rpm --verbose -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
rm -rf /var/cache/dnf /var/cache/yum
COPY --from=ubi-micro-base / /out/

RUN dnf module enable -y \
--installroot=/out/ \
--setopt=reposdir=/etc/yum.repos.d \
--releasever=9 \
postgresql:${PG_VERSION} && \
dnf install -y \
--installroot=/out/ \
--setopt=reposdir=/etc/yum.repos.d \
--releasever=9 \
--setopt=install_weak_deps=0 \
--nodocs \
ca-certificates \
findutils \
openssl \
postgresql && \
dnf clean all --installroot=/out/ && \
rm -rf /out/var/cache/dnf /out/var/cache/yum

RUN mkdir -p /out/stackrox && \
mkdir -p /out/etc/pki/ca-trust/source/anchors /out/etc/ssl && \
mkdir -p /out/var/lib/stackrox /out/var/log/stackrox /out/var/cache/stackrox && \
chown -R 4000:4000 /out/etc/pki/ca-trust /out/etc/ssl /out/var/lib/stackrox /out/var/log/stackrox /out/var/cache/stackrox /out/tmp

COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/static-bin/* /out/stackrox/
RUN chroot /out /stackrox/save-dir-contents /etc/pki/ca-trust /etc/ssl

FROM ubi-micro-base

COPY --from=package_installer /out/ /

COPY --from=ui-builder /go/src/github.com/stackrox/rox/app/ui/build /ui/

Expand Down Expand Up @@ -123,11 +151,4 @@ COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/docs/api/v

COPY LICENSE /licenses/LICENSE

# The following paths are written to in Central.
RUN chown -R 4000:4000 /etc/pki/ca-trust && save-dir-contents /etc/pki/ca-trust/source && \
mkdir -p /var/lib/stackrox && chown -R 4000:4000 /var/lib/stackrox && \
mkdir -p /var/log/stackrox && chown -R 4000:4000 /var/log/stackrox && \
mkdir -p /var/cache/stackrox && chown -R 4000:4000 /var/cache/stackrox && \
chown -R 4000:4000 /tmp

USER 4000:4000
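Review bot: The new `chown -R 4000:4000` in the package_installer stage hands /out/etc/ssl as well as /out/etc/pki/ca-trust to the runtime user, and nothing says why; the comment `# The following paths are written to in Central.` was removed together with the old RUN. Because this leaves the image's trust-store paths writable by UID 4000, I would put a comment above the `RUN mkdir -p /out/stackrox` block, for example `# Paths Central writes to at runtime; owned by UID 4000 and captured by save-dir-contents for restore at container start.`, and state in it why /etc/ssl is now included. The same uncommented block appears in image/rhel/Dockerfile.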