26 commits

4ed303c  empty commit  (davdhacs, Feb 18, 2026)
6860629  chore: Migrate all Scanner Dockerfiles to ubi9-micro base images  (janisz, Apr 14, 2026)
fb55c40  fix: Remove coreutils package from ubi9-micro Dockerfiles  (janisz, Apr 15, 2026)
0b60a3f  fix: Add rpms.lock.yaml to allowed-large-files list  (janisz, Apr 15, 2026)
eeb62fa  fix: Create /var/lib/postgresql directory in scanner-db images  (janisz, Apr 17, 2026)
4a10c15  chore: Remove redundant bash installation from ubi9-micro Dockerfiles  (janisz, Apr 17, 2026)
2aef6d7  chore: Remove redundant util-linux installation from Dockerfiles  (janisz, Apr 17, 2026)
20e6fcc  chore: Remove bash and util-linux from rpms.in.yaml  (janisz, Apr 17, 2026)
a26a3fa  refactor: Simplify scanner-db Dockerfiles to use postgres base image  (janisz, Apr 17, 2026)
6d2fdde  chore: Regenerate rpms.lock.yaml after removing bash and util-linux  (janisz, Apr 17, 2026)
5d4e3c4  Revert "refactor: Simplify scanner-db Dockerfiles to use postgres bas…  (janisz, Apr 17, 2026)
d099e0b  fix: Remove bash and util-linux from konflux.Dockerfile  (janisz, Apr 21, 2026)
703624d  fix: Add missing rpm package and improve entrypoint robustness  (janisz, Apr 22, 2026)
7b1dd2b  chore: Regenerate rpms.lock.yaml after adding rpm package  (janisz, Apr 23, 2026)
05ab071  fix: Use sclorg postgres base image for scanner-db to fix timezone data  (janisz, Apr 23, 2026)
e20a133  fix: Fix ARG placement in scanner-db Dockerfile  (janisz, Apr 23, 2026)
8d94ba1  fix: Move PG_VERSION ARG to global scope in Dockerfile  (janisz, Apr 23, 2026)
c84cd72  fix: Fix postgresql.conf path in Dockerfile.slim  (janisz, Apr 23, 2026)
de37629  fix: Copy postgresql.conf to rhel/ directory for Dockerfile.slim buil…  (janisz, Apr 23, 2026)
7dd718f  fix: Let postgres use default config instead of baking postgresql.con…  (janisz, Apr 29, 2026)
2074717  fix: Add missing init-entrypoint.sh script for database initialization  (janisz, Apr 29, 2026)
02e0118  Revert scanner-db changes to master state  (janisz, Apr 29, 2026)
41f989c  revert changes to db  (janisz, May 4, 2026)
6484ade  fix: Restore path parameter for RPM prefetch in Tekton pipelines  (janisz, May 4, 2026)
ddee4a4  Merge branch 'master' into ubi-micro  (janisz, May 6, 2026)
8a7cd6e  chore: Revert defensive file check in import-additional-cas  (janisz, May 11, 2026)
2 changes: 2 additions & 0 deletions .tekton/scanner-build.yaml
@@ -58,6 +58,8 @@ spec:
value:
# X.Y in the cpe label must be adjusted for every version stream.
- "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
- name: ACTIVATION_KEY
value: subscription-manager-activation-key-prod

workspaces:
- name: git-auth
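Review bot: the new ACTIVATION_KEY parameter hard-codes the value subscription-manager-activation-key-prod in the pipeline spec without saying what it is. If it is the name of a Secret holding the key, a short comment next to it should say so; if it were the key material itself it could not live in the repository. It would also help to note why the build now needs a subscription at all (presumably because the package_installer stage now installs RPMs with dnf from the rpms.rhel.repo source listed in rpms.in.yaml), since nothing in this file explains the new dependency.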
2 changes: 2 additions & 0 deletions .tekton/scanner-slim-build.yaml
@@ -58,6 +58,8 @@ spec:
value:
# X.Y in the cpe label must be adjusted for every version stream.
- "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
- name: ACTIVATION_KEY
value: subscription-manager-activation-key-prod

workspaces:
- name: git-auth
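Review bot: this addition is identical to the one in .tekton/scanner-build.yaml, and both pipeline specs already carry the same parameter block (the cpe label with its "X.Y must be adjusted for every version stream" comment). With two copies, the next parameter added will sooner or later land in only one of them; consider a shared parameter definition, or at least a comment in each file pointing at the other so they are changed together.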
34 changes: 25 additions & 9 deletions image/scanner/rhel/Dockerfile
@@ -2,13 +2,34 @@ ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi9-minimal
ARG BASE_TAG=latest

FROM ${BASE_REGISTRY}/ubi9-micro:${BASE_TAG} AS ubi-micro-base

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle

COPY bundle.tar.gz /
WORKDIR /bundle
RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS base
FROM ${BASE_REGISTRY}/ubi9:${BASE_TAG} AS package_installer

COPY --from=ubi-micro-base / /out/

RUN dnf install -y \
--installroot=/out/ \
--releasever=9 \
--setopt=install_weak_deps=0 \
--nodocs \
findutils \
ca-certificates \
rpm \
xz \
gzip \
less \
tar && \
dnf clean all --installroot=/out/ && \
rm -rf /out/var/cache/dnf /out/var/cache/yum

FROM ubi-micro-base AS base

ARG LABEL_VERSION
ARG LABEL_RELEASE
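Review bot: the package list installed into /out/ includes less, an interactive pager with no role in a non-interactive scanner container; every package in the final image is one more thing the scanner's own vulnerability reports will flag, so either drop it or add a comment saying what needs it. Two smaller points on the same stage: ARG BASE_IMAGE=ubi9-minimal now only feeds the throwaway extracted_bundle stage while the real base is the hard-coded ubi9-micro, so the ARG name is misleading and should be renamed or removed; and because package_installer starts from a full copy of ubi-micro-base in /out/, the later COPY --from=package_installer /out/ / re-adds the entire micro rootfs as a second layer on top of FROM ubi-micro-base. Starting the final stage FROM scratch, or copying only what dnf added, would avoid shipping the base twice.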
@@ -25,20 +46,15 @@ LABEL name="scanner" \

SHELL ["/bin/sh", "-o", "pipefail", "-c"]

COPY --from=package_installer /out/ /

COPY scripts /

COPY --from=extracted_bundle /bundle/scanner ./

COPY --from=extracted_bundle /bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/

RUN microdnf upgrade -y --nobest && \
microdnf install -y xz && \
microdnf clean -y all && \
# (Optional) Remove line below to keep package management utilities
# We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
rpm -e --nodeps $(rpm -qa curl '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
Contributor @dcaravel, May 14, 2026:
Missed this before: curl was explicitly removed in the past but is included in the new micro image. If not intentional should be removed in new image as well.

Contributor Author:
ubi-micro does not include curl; it also doesn't include other packages (including the package manager), and we only install the following packages:

  • findutils
  • ca-certificates
  • rpm
  • xz
  • gzip
  • less
  • tar

Contributor:
It shows in the image built as part of this PR:

$ docker run -it --rm --entrypoint /bin/bash quay.io/rhacs-eng/scanner:2.39.x-152-g8a7cd6e606
bash-5.1$ curl -h
Usage: curl [options...] <url>
 -d, --data <data>   HTTP POST data
 -f, --fail          Fail silently (no output at all) on HTTP errors
 -h, --help <category>  Get help for commands
 -i, --include       Include protocol response headers in the output
 -o, --output <file>  Write to file instead of stdout
 -O, --remote-name   Write output to a file named as the remote file
 -s, --silent        Silent mode
 -T, --upload-file <file>  Transfer local FILE to destination
 -u, --user <user:password>  Server user and password
 -A, --user-agent <name>  Send User-Agent <name> to server
 -v, --verbose       Make the operation more talkative
 -V, --version       Show version number and quit

This is not the full help, this menu is stripped into categories.
Use "--help category" to get an overview of all categories.
For all options use the manual or "--help all".

And not in the prior tagged image(s):

$ docker run -it --rm --entrypoint /bin/bash quay.io/rhacs-eng/scanner:2.39.8
bash-4.4$ curl -h
bash: curl: command not found

Also, it appears the removal no longer works after this PR: #2562 (due to the curl package name having changed to curl-minimal, breaking the removal).

rm -rf /var/cache/dnf /var/cache/yum && \
chown -R 65534:65534 /tmp && \
RUN chown -R 65534:65534 /tmp && \
# The contents of paths mounted as emptyDir volumes in Kubernetes are saved
# by the script `save-dir-contents` during the image build. The directory
# contents are then restored by the script `restore-all-dir-contents`
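Review bot: two things the deleted RUN block did have no counterpart in the new layout. First, `microdnf upgrade -y --nobest` is gone, and the package_installer stage only runs `dnf install` into /out/, which does not update packages already present in the ubi9-micro rootfs; the image therefore ships whatever package versions the :latest micro tag happened to contain. Add a `dnf upgrade -y --installroot=/out/ --releasever=9` ahead of the install, or document that ubi9-micro:latest is treated as already current. Second, the `rpm -e --nodeps $(rpm -qa curl '*dnf*' ...)` cleanup that removed curl is dropped with nothing replacing it, and the thread above shows `curl -h` working in the image built from this PR. Since rpm is in the install list and the thread mentions curl-minimal, run `rpm --root=/out -q --whatrequires curl` in the package_installer stage to see which package pulls it in, and if it is only a dependency of rpm, remove curl-minimal there the same way the old block removed curl.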
34 changes: 25 additions & 9 deletions image/scanner/rhel/Dockerfile.slim
@@ -2,13 +2,34 @@ ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi9-minimal
ARG BASE_TAG=latest

FROM ${BASE_REGISTRY}/ubi9-micro:${BASE_TAG} AS ubi-micro-base

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle

COPY bundle.tar.gz /
WORKDIR /bundle
RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS base
FROM ${BASE_REGISTRY}/ubi9:${BASE_TAG} AS package_installer

COPY --from=ubi-micro-base / /out/

RUN dnf install -y \
--installroot=/out/ \
--releasever=9 \
--setopt=install_weak_deps=0 \
--nodocs \
findutils \
ca-certificates \
rpm \
xz \
gzip \
less \
tar && \
dnf clean all --installroot=/out/ && \
rm -rf /out/var/cache/dnf /out/var/cache/yum

FROM ubi-micro-base AS base

ARG LABEL_VERSION
ARG LABEL_RELEASE
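Review bot: the package_installer stage here duplicates, line for line, the one in image/scanner/rhel/Dockerfile; a third copy (with one extra --setopt) lives in konflux.Dockerfile, and the same seven package names are listed a fourth time in rpms.in.yaml. A package added or removed in one place but not the others will still build and silently diverge across the three images. At minimum put a comment at the top of each list naming the other three locations; better, make rpms.in.yaml the single source and generate the Dockerfile lists from it.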
@@ -25,20 +46,15 @@ LABEL name="scanner-slim" \

SHELL ["/bin/sh", "-o", "pipefail", "-c"]

COPY --from=package_installer /out/ /

COPY scripts /

COPY --from=extracted_bundle /bundle/scanner ./

COPY --from=extracted_bundle /bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/

RUN microdnf upgrade -y --nobest && \
microdnf install -y xz && \
microdnf clean -y all && \
# (Optional) Remove line below to keep package management utilities
# We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
rpm -e --nodeps $(rpm -qa curl '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
rm -rf /var/cache/dnf /var/cache/yum && \
chown -R 65534:65534 /tmp && \
RUN chown -R 65534:65534 /tmp && \
# The contents of paths mounted as emptyDir volumes in Kubernetes are saved
# by the script `save-dir-contents` during the image build. The directory
# contents are then restored by the script `restore-all-dir-contents`
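Review bot: as in image/scanner/rhel/Dockerfile, the dropped `microdnf upgrade -y --nobest` has no replacement in package_installer, so the slim image likewise inherits unpatched packages from whatever ubi9-micro:latest resolves to at build time; whatever upgrade step is added for the full image needs to go into both files in the same commit.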
34 changes: 26 additions & 8 deletions image/scanner/rhel/konflux.Dockerfile
@@ -27,8 +27,30 @@ RUN echo -n "version: " && make --quiet --no-print-directory tag && \
COPY .konflux/scanner-data/blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json


FROM registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:093a704be0eaef9bb52d9bc0219c67ee9db13c2e797da400ddb5d5ae6849fa10 AS ubi-micro-base

FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:6ed9f6f637fe731d93ec60c065dbced79273f1e0b5f512951f2c0b0baedb16ad AS package_installer

COPY --from=ubi-micro-base / /out/

RUN dnf install -y \
--installroot=/out/ \
--releasever=9 \
--setopt=install_weak_deps=0 \
--setopt=reposdir=/etc/yum.repos.d \
--nodocs \
findutils \
ca-certificates \
rpm \
xz \
gzip \
less \
tar && \
dnf clean all --installroot=/out/ && \
rm -rf /out/var/cache/dnf /out/var/cache/yum

# Common base for scanner slim and full
FROM registry.access.redhat.com/ubi9-minimal:latest@sha256:c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 AS scanner-common
FROM ubi-micro-base AS scanner-common

ARG SCANNER_TAG

@@ -52,20 +74,16 @@ SHELL ["/bin/sh", "-o", "pipefail", "-c"]

ENV REPO_TO_CPE_DIR="/repo2cpe"

COPY --from=package_installer /out/ /

COPY --from=builder /src/image/scanner/scripts /
COPY --from=builder /src/image/scanner/bin/scanner ./
COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./

COPY LICENSE /licenses/LICENSE

RUN microdnf install -y xz && \
microdnf clean all && \
# (Optional) Remove line below to keep package management utilities
# We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
rpm -e --nodeps $(rpm -qa curl '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
rm -rf /var/cache/dnf /var/cache/yum && \
chown -R 65534:65534 /tmp && \
RUN chown -R 65534:65534 /tmp && \
# The contents of paths mounted as emptyDir volumes in Kubernetes are saved
# by the script `save-dir-contents` during the image build. The directory
# contents are then restored by the script `restore-all-dir-contents`
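Review bot: the `rpm -e --nodeps` cleanup that removed curl is dropped here as well, and this file's package_installer stage has no replacement for it; whatever is decided about curl-minimal for image/scanner/rhel/Dockerfile must be mirrored here, since this is the Konflux-built image that actually ships.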
2 changes: 1 addition & 1 deletion image/scanner/scripts/entrypoint.sh
@@ -5,4 +5,4 @@ set -euo pipefail
/restore-all-dir-contents
/import-additional-cas

exec /scanner
exec /scanner "$@"
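Review bot: forwarding container arguments with `exec /scanner "$@"` is a behaviour change unrelated to the base-image migration: any arguments given to the container now reach the scanner binary instead of being ignored. It deserves a sentence in the PR description, and a check of the deployment manifests so that no args already present there start being passed unintentionally.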
2 changes: 1 addition & 1 deletion image/vulnerabilities/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi9-minimal
ARG BASE_TAG=latest

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
FROM ${BASE_REGISTRY}/ubi9-micro:${BASE_TAG}

ARG LABEL_VERSION
ARG LABEL_RELEASE
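Review bot: `ARG BASE_IMAGE=ubi9-minimal` is left in place although the FROM line no longer references it, so it is now a dead argument that advertises an override knob that does nothing; remove it or make the FROM use it. Also, since ubi9-micro ships no package manager (as the author notes in the thread above), any microdnf call further down this Dockerfile, outside the visible hunk, will fail; worth confirming the rest of the file still builds.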
20 changes: 19 additions & 1 deletion rpms.in.yaml
@@ -2,13 +2,31 @@
# See our docs here: https://spaces.redhat.com/display/StackRox/How+to+prefetch+RPMs+for+ACS+Konflux+builds

packages:
# Scanner packages (for konflux.Dockerfile stage: package_installer)
# These packages are installed on top of ubi9-micro base image
# Note: coreutils and bash are excluded - ubi9-micro already includes them
# Note: rpm is required by scanner binary to query packages in scanned images
- findutils
- ca-certificates
- rpm
- xz
- gzip
- less
- tar

# Note: Scanner-DB images don't need RPM prefetch because:
# - konflux.Dockerfile uses registry.redhat.io/rhel9/postgresql-15 base (already has everything)
# - Dockerfile and Dockerfile.slim use ubi9 (full) in dependency_builder stage (can install packages via dnf normally)

contentOrigin:
repofiles: [ "rpms.rhel.repo" ]

context:
containerfile:
file: image/scanner/rhel/konflux.Dockerfile
stageName: scanner-common
stageName: package_installer
imagePattern: registry.access.redhat.com/ubi9/ubi-micro:latest

arches:
- aarch64
- ppc64le
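Review bot: `imagePattern` points at ubi9/ubi-micro while the stage named in `stageName` (package_installer) is FROM ubi9/ubi and installs with --installroot into a copy of the micro rootfs, so the lock resolution has to treat the ubi-micro package set, not ubi9/ubi's, as already installed. If the prefetch tooling derives the installed set from imagePattern, this is correct, but a one-line comment saying that the pattern deliberately names the installroot image rather than the stage's FROM image would stop someone "fixing" it to ubi9/ubi later.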