From 89a9781346ab37f92321871764fa07db9656fcb4 Mon Sep 17 00:00:00 2001 From: Shay Bratslavsky Date: Mon, 26 Jan 2026 12:36:10 +0200 Subject: [PATCH 1/2] transition to ubi-minimal --- Dockerfile.image-service | 21 ++++++++++++++++++--- Dockerfile.image-service-mce | 5 +++-- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/Dockerfile.image-service b/Dockerfile.image-service index c6ce5660..d84b1c38 100644 --- a/Dockerfile.image-service +++ b/Dockerfile.image-service @@ -45,7 +45,7 @@ RUN ${HOME}/go/bin/go-licenses save --save_path /tmp/licenses ./... RUN cd /app && git rev-parse --short HEAD > /commit-reference.txt ## Runtime -FROM quay.io/centos/centos:stream9 +FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:6fc28bcb6776e387d7a35a2056d9d2b985dc4e26031e98a2bd35a7137cd6fd71 ARG release=main ARG version=latest 
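Review bot: The new runtime `FROM` pairs the floating tag `latest` with a digest, so the digest alone decides what is pulled and the tag says nothing about which UBI 9 release is pinned. A release tag next to the digest, e.g. `ubi-minimal:<ubi9-release-tag>@sha256:…` (placeholder tag), would make the pinned version readable in review and give Renovate a version to compare. If `latest` is kept on purpose, a comment such as `# tag is informational; the digest is authoritative and is bumped by Renovate` would say so. The same applies to the runtime `FROM` in Dockerfile.image-service-mce; the stage continues outside this hunk.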
@@ -62,6 +62,23 @@ LABEL url https://github.com/openshift/assisted-image-service LABEL vendor "Red Hat, Inc." LABEL maintainer "Red Hat" +# Install cpio directly with microdnf (available in UBI minimal) +RUN microdnf install -y cpio && microdnf clean all + +# Install dnf for external repository management +RUN microdnf install -y dnf && microdnf clean all + +# Add CentOS Stream repositories for packages not available in UBI +RUN dnf install -y 'dnf-command(config-manager)' && \ + dnf config-manager --add-repo http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/ && \ + dnf config-manager --add-repo http://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/ + +# Import CentOS GPG keys for secure package verification +RUN rpm --import https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official + +# Install squashfs-tools from CentOS Stream repositories +RUN dnf install -y squashfs-tools && dnf clean all + # Ensure UID can write in data dir (e.g.: when using podman, docker, ...) # Ensure root group can write in data dir when deployed on OCP # https://docs.openshift.com/container-platform/4.16/openshift_images/create-images.html#use-uid_create-images @@ -79,8 +96,6 @@ RUN mkdir $DATA_TEMP_DIR && chmod 775 $DATA_TEMP_DIR && chown $UID:$GID /data VOLUME $DATA_TEMP_DIR ENV DATA_TEMP_DIR=$DATA_TEMP_DIR -RUN dnf install -y cpio squashfs-tools && dnf clean all - # Copy the commit reference from the builder COPY --from=golang /commit-reference.txt /commit-reference.txt diff --git a/Dockerfile.image-service-mce b/Dockerfile.image-service-mce index 844a4a50..b2d0d690 100644 --- a/Dockerfile.image-service-mce +++ b/Dockerfile.image-service-mce 
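Review bot: Nothing in the added repo setup makes signature checking explicit: `dnf config-manager --add-repo <url>` generates a repo definition with no `gpgcheck` line, so whether `squashfs-tools` is verified depends on the base image's dnf defaults, which are not visible here and should be confirmed. The signing key is also downloaded at build time by `rpm --import https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official`, so the trust anchor can change between builds without any diff to review. I would check the key and a `.repo` file carrying `gpgcheck=1` and a `gpgkey=file://…` entry into the source tree and `COPY` them in, replacing the `--add-repo` and `rpm --import` steps. The plain-`http` mirror URLs are already replaced in patch 2/2, so that is not raised again here.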
@@ -44,7 +44,7 @@ WORKDIR /app RUN GO111MODULE=on GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -tags strictfipsruntime -o assisted-image-service main.go -FROM --platform=$BUILDPLATFORM registry.redhat.io/rhel9-4-els/rhel:9.4 +FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:6fc28bcb6776e387d7a35a2056d9d2b985dc4e26031e98a2bd35a7137cd6fd71 ARG release=main ARG version=latest @@ -61,7 +61,8 @@ RUN mkdir $DATA_TEMP_DIR && chmod 775 $DATA_TEMP_DIR VOLUME $DATA_TEMP_DIR ENV DATA_TEMP_DIR=$DATA_TEMP_DIR -RUN dnf -y update && dnf install -y cpio squashfs-tools && dnf clean all +# Install runtime packages directly with microdnf (rpm-prefetching makes them available) +RUN microdnf install -y cpio squashfs-tools && microdnf clean all # Copy the very minimum that we need from the external packages container. That is the 'dump.erofs' # binary and the compression library (from the 'xz' package) that it needs. From 02171c73022b3f480f82cddc5aef2de012694426 Mon Sep 17 00:00:00 2001 From: Shay Bratslavsky Date: Wed, 28 Jan 2026 13:15:42 +0200 Subject: [PATCH 2/2] update renovate tool to be able to update ubi images --- Dockerfile.image-service | 4 ++-- renovate.json | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/Dockerfile.image-service b/Dockerfile.image-service index 2459774b..d09c16e3 100644 --- a/Dockerfile.image-service +++ b/Dockerfile.image-service 
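Review bot: The new `microdnf install -y cpio squashfs-tools` line depends on a repository configured outside this Dockerfile. Dockerfile.image-service in the same patch says squashfs-tools is not available in UBI, and the comment here only says "rpm-prefetching makes them available". The comment should name where that prefetch configuration lives, e.g. `# squashfs-tools comes from the prefetched RPM repo (see <prefetch-config-path>, placeholder); it is not in the stock UBI repos`, since a plain local build presumably will not find the package. The hunk also drops `dnf -y update`, so the runtime image's patch level is now fixed entirely by the pinned digest. A second comment line stating that security fixes arrive only through digest bumps would make that dependency visible.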
@@ -70,8 +70,8 @@ RUN microdnf install -y dnf && microdnf clean all # Add CentOS Stream repositories for packages not available in UBI RUN dnf install -y 'dnf-command(config-manager)' && \ - dnf config-manager --add-repo http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/ && \ - dnf config-manager --add-repo http://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/ + dnf config-manager --add-repo https://mirror.stream.centos.org/9-stream/BaseOS/\$basearch/os/ && \ + dnf config-manager --add-repo https://mirror.stream.centos.org/9-stream/AppStream/\$basearch/os/ # Import CentOS GPG keys for secure package verification RUN rpm --import https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official diff --git a/renovate.json b/renovate.json index ec452998..a0ba6de4 100644 --- a/renovate.json +++ b/renovate.json @@ -52,6 +52,18 @@ ], "depNameTemplate": "registry.access.redhat.com/ubi8/go-toolset", "datasourceTemplate": "docker" + }, + { + "customType": "regex", + "managerFilePatterns": [ + "/^Dockerfile\\.image-service.*$/" + ], + "matchStrings": [ + "FROM registry.access.redhat.com/ubi9/ubi-minimal:(?[^@]+)@(?sha256:[a-f0-9]+)\\n", + "FROM --platform=\\$BUILDPLATFORM registry.access.redhat.com/ubi9/ubi-minimal:(?[^@]+)@(?sha256:[a-f0-9]+)\\n" + ], + "depNameTemplate": "registry.access.redhat.com/ubi9/ubi-minimal", + "datasourceTemplate": "docker" } ], "packageRules": [ @@ -117,6 +129,27 @@ "matchManagers": [ "tekton" ] + }, + { + "matchPackageNames": [ + "registry.access.redhat.com/ubi9/ubi-minimal" + ], + "groupName": "UBI Runtime Images", + "addLabels": [ + "ubi" + ] + }, + { + "matchUpdateTypes": [ + "major" + ], + "matchDatasources": [ + "docker" + ], + "matchPackageNames": [ + "registry.access.redhat.com/ubi9/ubi-minimal" + ], + "enabled": false } ] }
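Review bot: The two `--add-repo` lines enable all of CentOS Stream BaseOS and AppStream in the runtime image, and nothing visible in this series narrows or disables them once `squashfs-tools` is installed. Any later `dnf` or `microdnf` transaction can then resolve packages from CentOS Stream, including ones UBI also ships. Consider restricting the repos with `includepkgs=squashfs-tools` (plus any dependencies UBI lacks), or disabling them in the same layer after the install, e.g. `dnf config-manager --set-disabled <repo-id>` (placeholder id). The install step itself sits outside this hunk.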
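Review bot: Both added `matchStrings` patterns end in `\\n` directly after the digest, so a `FROM` line that later gains a stage name (`… AS runtime`) or trailing whitespace stops matching, and Renovate would stop proposing digest bumps without reporting an error. Because this series removes `dnf -y update` from Dockerfile.image-service-mce, digest bumps are how base-image fixes reach that image, so a silent miss matters. Ending the patterns on `\\s` instead of `\\n` and escaping the dots in `registry.access.redhat.com` would make them sturdier. The two strings could also be merged by making the platform prefix optional, `(?:--platform=\\$BUILDPLATFORM )?`.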
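Review bot: The last added rule disables `major` updates for ubi-minimal, but both Dockerfiles in this series pin the tag `latest`, which gives Renovate no version to compare. As far as the visible changes show, the rule has nothing to act on and only digest updates will be proposed. If it is meant as a guard for a future versioned tag, record that on the rule with a `description` field, e.g. `"description": "Guard: never jump UBI major versions if the tag becomes versioned"`. A `description` on the grouping rule would likewise document why the `ubi` label is added.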