Conversation
ubi9-micro already includes coreutils-single which conflicts with the coreutils package. Attempting to install coreutils causes dnf dependency resolution failures. ubi9-micro's coreutils-single provides all the core utilities we need (mkdir, cp, rm, cat, echo, id, chmod, chown, etc.), so we don't need to install the full coreutils package. This fixes the build-images CI failures where dnf was failing with: Problem: problem with installed package coreutils-single package coreutils conflicts with coreutils-single Changes: - Removed coreutils from all scanner and scanner-db Dockerfiles - ubi9-micro's coreutils-single is sufficient for our needs Fixes: build-images failures on all platforms Related: PR #3095 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Migrates scanner, scanner-db, and vulnerabilities images from ubi9-minimal to ubi9-micro base, following established patterns from stackrox/stackrox and stackrox/collector repositories. Changes: - Scanner images: Multi-stage build with package_installer for runtime deps - Scanner-DB images: Complex migration with PostgreSQL via chroot user/locale setup - Vulnerabilities image: Simple base image change (minimal deps) - Tekton configs: Added RPM prefetch + ACTIVATION_KEY for hermetic builds - rpms.in.yaml: Scanner packages (excludes coreutils - ubi9-micro has coreutils-single) - rpms.lock.yaml: Generated lockfile for all architectures Benefits: - ~30-35% image size reduction (ubi9-micro ~28MB vs ubi9-minimal ~92MB) - Improved security - package managers removed from runtime - Reduced CVE exposure surface - Alignment with organization-wide ubi9-micro standardization Technical details: - Scanner keeps rpm package (required for image scanning functionality) - PostgreSQL user created as UID/GID 70 via chroot - Locale set to en_US.UTF-8 via chroot - Konflux builds use SHA256-pinned base images - All scripts require bash (not sh) Reference PRs: - stackrox/stackrox#17431 (scanner-db migration) - stackrox/stackrox#17430 (scanner migration) - stackrox/collector#3021 (collector migration pattern) - stackrox/stackrox#19653 (main image migration) - stackrox/stackrox#19985 (debugging utilities) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
ubi9-micro already includes coreutils-single which conflicts with the coreutils package. Attempting to install coreutils causes dnf dependency resolution failures. ubi9-micro's coreutils-single provides all the core utilities we need (mkdir, cp, rm, cat, echo, id, chmod, chown, etc.), so we don't need to install the full coreutils package. This fixes the build-images CI failures where dnf was failing with: Problem: problem with installed package coreutils-single package coreutils conflicts with coreutils-single Changes: - Removed coreutils from all scanner and scanner-db Dockerfiles - ubi9-micro's coreutils-single is sufficient for our needs Fixes: build-images failures on all platforms Related: PR #3095 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The rpms.lock.yaml file contains RPM package lockfile data for all architectures (aarch64, ppc64le, s390x, x86_64), which makes it legitimately large. This file is auto-generated by the rpm-lockfile-prototype tool and is required for hermetic Konflux builds with RPM prefetch support. Fixes: style-check CI failure Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
PGDATA is set to /var/lib/postgresql/data/pgdata, but the parent directory /var/lib/postgresql did not exist, causing the init container to crash when postgres user (uid 70) tried to create it in the root-owned /var/lib directory. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Bash is already included in ubi9-micro base image, so installing it via dnf is redundant and wastes build time. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
util-linux is not used by any scripts and is not installed in the main stackrox/stackrox repository Dockerfiles, so removing it to reduce image size and build time. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
These packages are already included in ubi9-micro base image, so they don't need to be prefetched for Konflux builds. Note: rpms.lock.yaml will be auto-regenerated by Konflux CI on next build. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Problem: scanner-db was using ubi9-minimal with multi-stage build, manually downloading and installing postgres RPMs via download.sh, creating maintenance overhead and divergence from the main postgres image pattern used in stackrox/stackrox and konflux.Dockerfile. Solution: Switch to registry.redhat.io/rhel9/postgresql-15 base image (same pattern as konflux.Dockerfile). This eliminates: - Multi-stage ubi9-micro build with chroot complexity - RPM downloads and GPG key handling - Manual postgres user creation - Complex dependency installation Now simply modifies existing postgres user to UID/GID 70 and sets up required directories. Aligns with stackrox/stackrox PR #19981. Deleted: download.sh and PGDG-RPM-GPG-KEY-RHEL (no longer needed) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Regenerated using regenerate-rpms-lockfile.sh from stackrox/collector. Removed 1461 lines of dependencies that are no longer needed since bash and util-linux were removed from rpms.in.yaml. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…e image" This reverts commit 34cc249.
These packages were removed from rpms.in.yaml in commit 20e6fcc but were still referenced in the Dockerfile, causing Konflux build failures. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Fixes critical pod startup failures when migrating to ubi9-micro base image. Root Cause Analysis: 1. Scanner binary requires 'rpm' command to query packages in scanned images 2. ubi9-minimal includes rpm by default, but ubi9-micro does NOT 3. Scanner failed at startup with: exec: "rpm": executable file not found in $PATH Changes: 1. Add rpm package to all scanner Dockerfiles (Dockerfile, Dockerfile.slim, konflux.Dockerfile) 2. Add rpm to rpms.in.yaml for Konflux hermetic builds 3. Add file existence check in import-additional-cas before copying ca.pem - Prevents crashes if /run/secrets/stackrox.io/certs/ca.pem is missing - Script has 'set -euo pipefail' so any command failure exits immediately 4. Pass arguments through entrypoint.sh with "$@" - Allows custom -config flag from StackRox deployments - Maintains backward compatibility when no args provided Note: rpms.lock.yaml needs regeneration (see commit 6d2fdde for process) Fixes: stackrox/stackrox#20071 (scanner pod Error status with 10+ restarts) Fixes: #3095 (e2e-tests and slim-e2e-tests failures) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Problem: Scanner-DB pods were failing to start with error: FATAL: configuration file "/etc/postgresql.conf" contains errors LOG: invalid value for parameter "log_timezone": "UTC" LOG: could not open directory "/usr/share/zoneinfo": No such file or directory Root Cause: The ubi9-micro base image with manually installed PostgreSQL was missing /usr/share/zoneinfo directory that PostgreSQL requires. Solution: Switch Dockerfile and Dockerfile.slim to use quay.io/sclorg/postgresql-15-c9s base image, matching the pattern from stackrox/stackrox commit c92e85134. The sclorg image includes all required timezone data and dependencies. Note: konflux.Dockerfile continues to use registry.redhat.io/rhel9/postgresql-15 which has its own timezone data handling. This simplifies the regular Dockerfiles by: - Eliminating multi-stage ubi9-micro builds - Removing RPM downloads and GPG key handling (download.sh, PGDG-RPM-GPG-KEY-RHEL) - Using existing postgres user (modified to UID/GID 70) - Adding chown for sclorg-specific directories (/var/lib/pgsql, /opt/app-root) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
@github-actions[bot]: The Use DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Problem: Build was failing with error: ERROR: failed to parse stage name "/:": invalid reference format Root Cause: PG_VERSION ARG was used in FROM statement before being defined. Docker requires ARGs to be defined before the FROM statement that uses them. Solution: Move PG_VERSION ARG declaration to just before the FROM statement that references it (line 10-11). Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Problem: Build failing with: UndefinedArgInFrom: FROM argument 'PG_VERSION' is not declared ERROR: quay.io/sclorg/postgresql--c9s:latest (empty PG_VERSION) Root Cause: ARG declared between FROM statements is not in global scope. Docker ARGs need to be declared at the very top (before any FROM) to be available to all FROM statements in the multi-stage build. Solution: Move ARG PG_VERSION=15 to line 1 (global scope), matching the pattern from stackrox/stackrox commit c92e85134. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Problem: Build failing with: ERROR: "/etc/postgresql.conf": not found Root Cause: Dockerfile.slim was trying to copy from etc/postgresql.conf but the build context is image/db/rhel, and the files are in image/db/. Solution: Change COPY path from etc/ to ../ to reference files in parent directory (image/db/postgresql.conf and image/db/pg_hba.conf). Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…d context Docker COPY cannot reference files outside the build context with ../. The CI workflow uses image/db/rhel as the build context, so config files must be within that directory. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
@janisz: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
2 participants
Migrate all scanner base images from UBI8/RHEL8 to UBI9/RHEL9: