ROX-34148: Migrate all Scanner Dockerfiles to ubi9-micro base images #3095
janisz wants to merge 3 commits into konflux-ubi9-rhel9-migration from
Conversation
Migrates scanner, scanner-db, and vulnerabilities images from ubi9-minimal to ubi9-micro base, following established patterns from stackrox/stackrox and stackrox/collector repositories.

Changes:
- Scanner images: Multi-stage build with package_installer for runtime deps
- Scanner-DB images: Complex migration with PostgreSQL via chroot user/locale setup
- Vulnerabilities image: Simple base image change (minimal deps)
- Tekton configs: Added RPM prefetch + ACTIVATION_KEY for hermetic builds
- rpms.in.yaml: Scanner packages (excludes coreutils - ubi9-micro has coreutils-single)
- rpms.lock.yaml: Generated lockfile for all architectures

Benefits:
- ~30-35% image size reduction (ubi9-micro ~28MB vs ubi9-minimal ~92MB)
- Improved security - package managers removed from runtime
- Reduced CVE exposure surface
- Alignment with organization-wide ubi9-micro standardization

Technical details:
- Scanner keeps rpm package (required for image scanning functionality)
- PostgreSQL user created as UID/GID 70 via chroot
- Locale set to en_US.UTF-8 via chroot
- Konflux builds use SHA256-pinned base images
- All scripts require bash (not sh)

Reference PRs:
- stackrox/stackrox#17431 (scanner-db migration)
- stackrox/stackrox#17430 (scanner migration)
- stackrox/collector#3021 (collector migration pattern)
- stackrox/stackrox#19653 (main image migration)
- stackrox/stackrox#19985 (debugging utilities)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
ubi9-micro already includes coreutils-single, which conflicts with the coreutils package. Attempting to install coreutils causes dnf dependency resolution failures. ubi9-micro's coreutils-single provides all the core utilities we need (mkdir, cp, rm, cat, echo, id, chmod, chown, etc.), so we don't need to install the full coreutils package.

This fixes the build-images CI failures where dnf was failing with:

    Problem: problem with installed package coreutils-single
    package coreutils conflicts with coreutils-single

Changes:
- Removed coreutils from all scanner and scanner-db Dockerfiles
- ubi9-micro's coreutils-single is sufficient for our needs

Fixes: build-images failures on all platforms
Related: PR #3095

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The rpms.lock.yaml file contains RPM package lockfile data for all architectures (aarch64, ppc64le, s390x, x86_64), which makes it legitimately large. This file is auto-generated by the rpm-lockfile-prototype tool and is required for hermetic Konflux builds with RPM prefetch support.

Fixes: style-check CI failure

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
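The Dockerfile below is an added example and is not the stackrox/scanner Dockerfile or any file from this PR. It puts the pattern described in the first two commit messages into one place: a throwaway package_installer stage that runs dnf with --installroot against a copy of the ubi9-micro filesystem, coreutils deliberately left out of the package list because ubi9-micro already carries coreutils-single, the service account created as UID/GID 70 by running groupadd/useradd through chroot into the new rootfs, and a final ubi9-micro stage that only receives the assembled rootfs. Everything not stated in the PR is an assumption: the image tags (Konflux would pin these by sha256 digest), the package list, the account name "postgres", installing glibc-langpack-en to provide the en_US.UTF-8 locale, and the sanity-check RUN step.

```dockerfile
# Added example (not the stackrox/scanner Dockerfile): the ubi9-micro
# multi-stage pattern described in the PR. Image tags, the package list,
# the "postgres" account name and the locale handling are assumptions.

# Stage 1: the runtime base. Its filesystem is copied into the builder so
# dnf can add packages on top of it with --installroot. In Konflux this
# reference would be pinned by sha256 digest rather than by tag.
FROM registry.access.redhat.com/ubi9/ubi-micro:latest AS ubi-micro

# Stage 2: a full UBI image that has dnf. It only assembles the runtime
# rootfs and never ships, so no package manager reaches the final image.
FROM registry.access.redhat.com/ubi9/ubi:latest AS package_installer

COPY --from=ubi-micro / /mnt/rootfs

# Runtime dependencies (assumed list). What is NOT here matters: coreutils.
# ubi-micro already contains coreutils-single, the two packages conflict,
# and listing coreutils makes dnf abort with
# "package coreutils conflicts with coreutils-single".
# dnf reads the repo definitions from the rootfs's own /etc/yum.repos.d.
RUN dnf install -y \
        --installroot=/mnt/rootfs \
        --releasever=9 \
        --setopt=install_weak_deps=false \
        --nodocs \
        rpm \
        shadow-utils \
        glibc-langpack-en \
    && dnf clean all --installroot=/mnt/rootfs \
    && rm -rf /mnt/rootfs/var/cache/dnf /mnt/rootfs/var/lib/dnf

# Create the service account inside the new rootfs, not in the builder, so
# the entries land in the final image's /etc/passwd and /etc/group.
# shadow-utils was installed above for exactly this step.
RUN chroot /mnt/rootfs groupadd --gid 70 postgres \
    && chroot /mnt/rootfs useradd --uid 70 --gid 70 \
           --no-create-home --shell /sbin/nologin postgres

# Sanity checks before the rootfs is promoted: no package manager in the
# runtime, coreutils-single still present, the account exists with the
# expected IDs, and the locale PostgreSQL will be asked for is installed.
RUN test ! -e /mnt/rootfs/usr/bin/dnf \
    && test ! -e /mnt/rootfs/usr/bin/microdnf \
    && rpm --root /mnt/rootfs -q coreutils-single \
    && grep -q '^postgres:x:70:70:' /mnt/rootfs/etc/passwd \
    && chroot /mnt/rootfs /usr/bin/locale -a | grep -qi '^en_US.utf8$'

# Stage 3: the shipped image. Starting from ubi-micro (rather than scratch)
# keeps the base image's labels and lets a digest pin be enforced on it.
FROM registry.access.redhat.com/ubi9/ubi-micro:latest

COPY --from=package_installer /mnt/rootfs /

ENV LANG=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8

# Drop root before any entrypoint runs. A numeric ID lets Kubernetes'
# runAsNonRoot check pass without resolving the name.
USER 70:70
```

Build it with a plain `podman build` or `docker build`; the checks in the package_installer stage fail the build early if coreutils sneaks back into the package list or if a package pulls dnf into the rootfs as a dependency, which is the kind of regression that otherwise only shows up in the CI failure quoted in the second commit message.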
/retest scanner-db-slim-on-push |
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration (Details). In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/retest scanner-db-on-push |
/retest scanner-slim-on-push |
/retest scanner-on-push |
/retest scanner-db-slim-on-push |
/retest scanner-db-on-push |
Migrate all scanner base images from UBI8/RHEL8 to UBI9/RHEL9: