ROX-34148: Migrate all Scanner Dockerfiles to ubi9-micro base images #3095
janisz wants to merge 10 commits into konflux-ubi9-rhel9-migration from
Conversation
Migrates scanner, scanner-db, and vulnerabilities images from ubi9-minimal to ubi9-micro base, following established patterns from stackrox/stackrox and stackrox/collector repositories.

Changes:
- Scanner images: Multi-stage build with package_installer for runtime deps
- Scanner-DB images: Complex migration with PostgreSQL via chroot user/locale setup
- Vulnerabilities image: Simple base image change (minimal deps)
- Tekton configs: Added RPM prefetch + ACTIVATION_KEY for hermetic builds
- rpms.in.yaml: Scanner packages (excludes coreutils - ubi9-micro has coreutils-single)
- rpms.lock.yaml: Generated lockfile for all architectures

Benefits:
- ~30-35% image size reduction (ubi9-micro ~28MB vs ubi9-minimal ~92MB)
- Improved security - package managers removed from runtime
- Reduced CVE exposure surface
- Alignment with organization-wide ubi9-micro standardization

Technical details:
- Scanner keeps rpm package (required for image scanning functionality)
- PostgreSQL user created as UID/GID 70 via chroot
- Locale set to en_US.UTF-8 via chroot
- Konflux builds use SHA256-pinned base images
- All scripts require bash (not sh)

Reference PRs:
- stackrox/stackrox#17431 (scanner-db migration)
- stackrox/stackrox#17430 (scanner migration)
- stackrox/collector#3021 (collector migration pattern)
- stackrox/stackrox#19653 (main image migration)
- stackrox/stackrox#19985 (debugging utilities)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
ubi9-micro already includes coreutils-single which conflicts with the coreutils package. Attempting to install coreutils causes dnf dependency resolution failures.

ubi9-micro's coreutils-single provides all the core utilities we need (mkdir, cp, rm, cat, echo, id, chmod, chown, etc.), so we don't need to install the full coreutils package.

This fixes the build-images CI failures where dnf was failing with:
  Problem: problem with installed package coreutils-single
  package coreutils conflicts with coreutils-single

Changes:
- Removed coreutils from all scanner and scanner-db Dockerfiles
- ubi9-micro's coreutils-single is sufficient for our needs

Fixes: build-images failures on all platforms
Related: PR #3095

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The rpms.lock.yaml file contains RPM package lockfile data for all architectures (aarch64, ppc64le, s390x, x86_64), which makes it legitimately large. This file is auto-generated by the rpm-lockfile-prototype tool and is required for hermetic Konflux builds with RPM prefetch support. Fixes: style-check CI failure Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
PGDATA is set to /var/lib/postgresql/data/pgdata, but the parent directory /var/lib/postgresql did not exist, causing the init container to crash when the postgres user (uid 70) tried to create it in the root-owned /var/lib directory. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
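As an added example (not code from the stackrox/scanner repository or from this PR), here is a Dockerfile in the pattern the PR description outlines for the scanner-db image, with the parent-directory fix this commit describes folded in: a package_installer stage resolves the runtime RPMs into an installroot with dnf, that rootfs is copied onto ubi9-micro, the postgres user gets a fixed UID/GID of 70, and /var/lib/postgresql is created and chowned before the entrypoint runs. The image references, the package list, the ROOTFS path and the user's home directory are assumptions. Two choices are mine rather than the PR's: the user is appended to the rootfs's passwd and group files directly instead of through chroot useradd (so no shadow-utils reaches the runtime image), and the locale comes from glibc-langpack-en plus LANG instead of a chroot locale step.

```dockerfile
# Added example, not the project's Dockerfile. Image tags, package names,
# ROOTFS and the home directory are assumptions for illustration.
FROM registry.access.redhat.com/ubi9/ubi:latest AS package_installer

ARG ROOTFS=/mnt/rootfs
# Runtime packages only. coreutils is deliberately absent: ubi9-micro ships
# coreutils-single, and dnf refuses to install coreutils beside it.
ARG PACKAGES="postgresql-server glibc-langpack-en"

# Resolve and install into an empty installroot. --releasever is required
# because the empty root has no release file for dnf to read.
RUN mkdir -p "$ROOTFS" \
 && dnf install -y --installroot "$ROOTFS" --releasever 9 \
        --setopt install_weak_deps=false --nodocs $PACKAGES \
 && dnf clean all --installroot "$ROOTFS" \
 && rm -rf "$ROOTFS/var/cache/dnf" "$ROOTFS/var/log/dnf"*

# Fixed UID/GID 70 for postgres, written into the rootfs's own account
# files so the runtime image never needs useradd or shadow-utils.
RUN echo 'postgres:x:70:' >> "$ROOTFS/etc/group" \
 && echo 'postgres:x:70:70:PostgreSQL Server:/var/lib/postgresql:/sbin/nologin' \
        >> "$ROOTFS/etc/passwd"

FROM registry.access.redhat.com/ubi9/ubi-micro:latest

# Everything dnf resolved in the builder lands on top of the micro base;
# the final image still has no dnf, microdnf or yum.
COPY --from=package_installer /mnt/rootfs/ /

ENV LANG=en_US.UTF-8 \
    PGDATA=/var/lib/postgresql/data/pgdata

# PGDATA's parent must exist and belong to UID 70 before the entrypoint
# runs: /var/lib is root-owned, so an unprivileged initdb cannot create it.
# mkdir and chown come from the coreutils-single already in ubi9-micro.
RUN mkdir -p /var/lib/postgresql && chown 70:70 /var/lib/postgresql

USER 70:70
```

After `podman build -t scanner-db-micro .` (tag assumed), confirm the package-manager removal the PR counts as a benefit with `podman run --rm --entrypoint ls scanner-db-micro /usr/bin/dnf /usr/bin/microdnf /usr/bin/yum`, which should report "No such file or directory" for all three, and confirm the data directory with `podman run --rm --entrypoint stat scanner-db-micro -c '%u:%g' /var/lib/postgresql`, which should print `70:70`.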
Bash is already included in ubi9-micro base image, so installing it via dnf is redundant and wastes build time. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
util-linux is not used by any scripts and is not installed in the main stackrox/stackrox repository Dockerfiles, so removing it to reduce image size and build time. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
These packages are already included in ubi9-micro base image, so they don't need to be prefetched for Konflux builds. Note: rpms.lock.yaml will be auto-regenerated by Konflux CI on next build. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Problem: scanner-db was using ubi9-minimal with multi-stage build, manually downloading and installing postgres RPMs via download.sh, creating maintenance overhead and divergence from the main postgres image pattern used in stackrox/stackrox and konflux.Dockerfile.

Solution: Switch to registry.redhat.io/rhel9/postgresql-15 base image (same pattern as konflux.Dockerfile). This eliminates:
- Multi-stage ubi9-micro build with chroot complexity
- RPM downloads and GPG key handling
- Manual postgres user creation
- Complex dependency installation

Now simply modifies existing postgres user to UID/GID 70 and sets up required directories.

Aligns with stackrox/stackrox PR #19981.

Deleted: download.sh and PGDG-RPM-GPG-KEY-RHEL (no longer needed)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Regenerated using regenerate-rpms-lockfile.sh from stackrox/collector. Removed 1461 lines of dependencies that are no longer needed since bash and util-linux were removed from rpms.in.yaml. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…e image" This reverts commit 34cc249.
/retest scanner-slim-on-push
/retest scanner-on-push
Migrate all scanner base images from UBI8/RHEL8 to UBI9/RHEL9: