chore(base-image): Migrate Konflux builds to UBI9/RHEL9#2562
Skipping CI for Draft Pull Request.
@tommartensen fyi this is the parallel scanner update for UBI9. In this, we also have to add the update-ca-trust workaround for UBI9 changed perms on second execution. The arm build fails because tar hits a bug in a syscall in qemu; I still have some debug logging around that, and I expect the arm arch build to fail because of it.
/test all
Migrate all scanner base images from UBI8/RHEL8 to UBI9/RHEL9:

Konflux base images:
- Builder: openshift-golang-builder:rhel_9_golang_1.25
- Scanner runtime: ubi9-minimal
- Scanner DB: rhel9/postgresql-15

Non-Konflux base images:
- Scanner: ubi9-minimal
- Scanner DB: ubi9 / ubi9-minimal
- Vulnerabilities: ubi9-minimal

Other updates:
- Tekton CPE labels: el8 -> el9
- rpms.lock.yaml: xz updated to RHEL 9 version (5.2.5-8.el9_0)
- rpms.rhel.repo: RHEL 8 repos -> RHEL 9 repos
- PostgreSQL download script: pg_rhel_major=9
- Image name labels: rhel8 -> rhel9
- microdnf install -y xz (explicit -y for UBI9 compatibility)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
In UBI9, update-ca-trust fails when running as an unprivileged user (nobody:nobody) because it attempts to write to system-wide paths. Use the -o flag to specify a user-writable output directory.

Also switch restore-all-dir-contents to use --no-clobber to avoid overwriting CA trust files that were already updated at runtime.

See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
/retest
@tommartensen could you review this? (the ubi9 upgrade for scanner(v2); includes the update-ca-trust permissions workaround)
tommartensen
left a comment
LGTM to me from a Konflux perspective. Have you deployed and smoke tested the resulting images (like we did for collector)?
Yes, I tested with these changes (minus the master-merge [empty] commits). I'll re-do the smoke test with this and the latest master collector builds.
Note to self and @stackrox/scanner: we need to follow up on #2092 and update the image for s390x to avoid using a different version of psql.
…migration

# Conflicts:
#	image/db/rhel/konflux.Dockerfile
/test ?
The test failures are not related to UBI9/changes in this PR.
/retest e2e-tests
/test e2e-tests
@BradLugo can I get another +1? I merged changes from master to get the e2e test fix. |
|
I just did some testing with this scanner and I believe it suffers from the same problem as the one I have addressed with this commit. See: I am deploying ACS (some semi-recent master version, doesn't matter) on an OpenShift cluster, with scanner v2 enabled, scanner v4 disabled and an overlay which injects this PR's scanner version image into the scanner deployment: Then, I exec into the scanner container and show that the
This looks like the chmod within the restore-* script is conclusively needed then? I'm out this week--could you commit the fix to this branch?
Before I do that, let me run some more tests first; I'd like to check if we can address this ca-trust/save/restore issue a bit cleaner.
FTR, currently testing this even simpler fix: Looking good so far.
Align the scanner entrypoint scripts and Dockerfiles with the proven CA trust setup from stackrox/stackrox#19454:

- save-dir-contents: Only save /etc/pki/ca-trust/source (not the full /etc/pki/ca-trust or /etc/ssl). The extracted dir is regenerated at runtime by update-ca-trust.
- Remove /etc/ssl from chown and save-dir-contents (not needed).
- import-additional-cas: Add logging, use --output flag with detailed comment explaining why it's needed (BZ#2241240).
- trust-root-ca: Same --output flag and comment.
- restore-all-dir-contents: Add comment explaining --no-clobber.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
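To make the --no-clobber point from the two commit messages above concrete (restoring the saved /etc/pki/ca-trust/source tree must not replace CA files that were rewritten at runtime), here is an added shell example. It is written for this review and is not the stackrox/scanner entrypoint code: the restore function takes the target root as a parameter instead of writing into /, so it runs as an unprivileged user on any Linux host with GNU coreutils, and the demo uses constructed plain-text stand-ins for certificate files rather than real PEM. The update-ca-trust extract --output step that follows a restore in the real scripts is not reproduced here.

```shell
#!/bin/sh
# Example written for this review, not the stackrox/scanner entrypoint scripts:
# a reconstruction of the restore-all-dir-contents idea with the target root
# passed as a parameter (the real script restores into /) so it runs unprivileged.
set -eu

# restore_all_dir_contents SAVE_ROOT TARGET_ROOT
#   Copies the tree saved under SAVE_ROOT at image build time back under
#   TARGET_ROOT. --no-clobber leaves files that already exist in TARGET_ROOT
#   alone, so CA files rewritten at runtime are never replaced by image-time
#   copies; --no-dereference keeps symlinks as symlinks. Returns non-zero if a
#   saved file is still missing afterwards. Assumes paths without whitespace.
restore_all_dir_contents() {
  save_root="$1"
  target_root="$2"
  # coreutils 9.2 exits non-zero when --no-clobber skips a file, so the exit
  # status is ignored and completeness is verified explicitly instead.
  cp --recursive --no-dereference --no-clobber "$save_root"/. "$target_root"/ || :
  missing=0
  for p in $(cd "$save_root" && find . -type f); do
    [ -e "$target_root/$p" ] || missing=1
  done
  return "$missing"
}

# demo_restore_preserves_runtime_ca
#   Builds a throwaway tree with constructed plain-text stand-ins for CA files
#   (not real PEM) and returns 0 when, after a restore,
#     (a) a CA file rewritten at runtime still holds its runtime content, and
#     (b) a CA file missing from the target was restored from the saved copy.
demo_restore_preserves_runtime_ca() {
  work=$(mktemp -d)
  saved="$work/saved"    # stands in for the save dir baked into the image
  target="$work/root"    # stands in for the container's root filesystem
  anchors="etc/pki/ca-trust/source/anchors"
  mkdir -p "$saved/$anchors" "$target/$anchors"
  printf 'image-time corp CA\n'       > "$saved/$anchors/corp-ca.crt"
  printf 'image-time vendor CA\n'     > "$saved/$anchors/vendor-ca.crt"
  printf 'runtime-injected corp CA\n' > "$target/$anchors/corp-ca.crt"

  restore_all_dir_contents "$saved" "$target" || return 1
  [ "$(cat "$target/$anchors/corp-ca.crt")" = "runtime-injected corp CA" ] || return 1
  [ "$(cat "$target/$anchors/vendor-ca.crt")" = "image-time vendor CA" ] || return 1
  rm -rf "$work"
}

if demo_restore_preserves_runtime_ca; then
  echo "restore kept the runtime CA and restored the missing one"
else
  echo "restore changed or lost a CA file" >&2
fi
```

Without --no-clobber the same cp would silently put the image-time corp-ca.crt back over the runtime-injected one, which is exactly the downgrade the commit avoids; checking completeness separately keeps the function honest across coreutils releases that differ in how they report skipped files.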
/retest-failed-builds
/test e2e-tests
…anner into konflux-ubi9-rhel9-migration
/retest
/test e2e-tests
/retest scanner-db-on-push
Description
Migrates scanner builds from UBI8/RHEL8 to UBI9/RHEL9 base images.
Key Changes
Konflux Base Images:
- brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.24
- registry.access.redhat.com/ubi9-minimal:latest
- registry.redhat.io/rhel9/postgresql-15:latest
- rhacs-scanner-rhel9, rhacs-scanner-slim-rhel9, rhacs-scanner-db-rhel9, rhacs-scanner-db-slim-rhel9

Non-Konflux Base Images:
- ubi9-minimal
- ubi9 / ubi9-minimal
- ubi9-minimal

RPM/Repo Updates:
- rpms.lock.yaml: xz updated from RHEL 8 (5.2.4) to RHEL 9 (5.2.5)
- rpms.rhel.repo: repos updated from rhel8 to rhel9
- pg_rhel_major=9

Tekton Labels:
- el8 → el9

UBI9 Compatibility Fixes:
- update-ca-trust extract -o /etc/pki/ca-trust/extracted for unprivileged containers (RHBZ#2241240)
- cp --recursive --no-dereference --no-clobber in restore-all-dir-contents
- microdnf install -y xz (explicit -y flag)
Testing Performed
TBD