Codecov Report

✅ All modified and coverable lines are covered by tests.

```
@@            Coverage Diff            @@
##           master    #3021   +/-   ##
=======================================
  Coverage   27.38%   27.38%
=======================================
  Files          95       95
  Lines        5427     5427
  Branches     2548     2548
=======================================
  Hits         1486     1486
  Misses       3214     3214
  Partials      727      727
```

Flags with carried forward coverage won't be shown.
0e2287f to a50fa44
Replace manual package installation and file copying with proper dnf --installroot pattern. This cleaner approach installs packages directly to the target directory without manual cp commands or rpm workarounds.

Benefits:
- Reduced image size (20% smaller: 86MB vs 108MB)
- Cleaner implementation following industry best practices
- Better maintainability with proper RPM database tracking
- Reduced layer count by combining COPY commands
- Added .dockerignore for faster builds

Changes:
- Use dnf --installroot instead of microdnf + manual copying
- Combine multiple COPY commands into single layer
- Add .dockerignore to exclude unnecessary build context

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
msugakov
left a comment
Most of what I commented on collector/container/Dockerfile applies to collector/container/konflux.Dockerfile also.
collector/container/Dockerfile (Outdated)

```dockerfile
    --releasever=10 \
    --setopt=install_weak_deps=False \
    --nodocs \
    bash coreutils curl grep gawk elfutils-libelf ca-certificates && \
```
I'll check with you about the desired extra packages later on. This comment is just not to forget that.
https://redhat-internal.slack.com/archives/CELUQKESC/p1772802238069599
Please add your suggestions @janisz. I put a few from my side.
Changes:
- Switch from ubi-minimal to ubi base image for package_installer stages
- Remove dnf installation step (ubi already includes dnf)
- UBI10: sha256:f573194e8e5231f1c9340c497e1f8d9aa9dbb42b2849e60341e34f50eec9477e
- UBI9: sha256:cecb1cde7bda7c8165ae27841c2335667f8a3665a349c0d051329c61660a496c

This improves build efficiency since we no longer need to install dnf on top of ubi-minimal, which essentially gives us ubi anyway.

Addresses review comment from @msugakov on PR #3021.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changes:
- Add ubi-micro-base stage to reference the ubi-micro image
- Create package_installer_final stage that copies ubi-micro base to /out
- Install packages on top of the existing ubi-micro base
- Use ubi-micro-base as the final runtime image base

This ensures that the rpmdb in the final image correctly tracks both:
1. Packages that come with the ubi-micro base image
2. Packages we install via dnf --installroot

Without this change, we were creating a new rpmdb from scratch in /out, which would replace ubi-micro's existing rpmdb and lose track of packages already present in the base image.

Addresses review comment from @msugakov on PR #3021.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The collector binary requires libuuid.so.1 and libstdc++.so.6 which were present in ubi-minimal but are not included in ubi-micro. This caused collector to fail with exit code 127 and the error:

    "error while loading shared libraries: libuuid.so.1: cannot open shared object file: No such file or directory"

Add both libuuid and libstdc++ packages to ensure the collector binary has all required runtime dependencies.

Also add --allowerasing flag to handle package conflicts when installing on top of the ubi-micro base (e.g., coreutils vs coreutils-single).

Verified by checking ldd output from existing collector binary:

    libuuid.so.1 => not found
    libstdc++.so.6 => not found

Fixes CI test failures in integration tests.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add openssl, libuuid, and libstdc++ to rpms.in.yaml so they are prefetched by Hermeto during Konflux hermetic builds.

These packages are required by the package_installer_final stage in konflux.Dockerfile but were missing from the prefetch configuration, causing the build to fail with "Could not resolve host: cdn-ubi.redhat.com" errors.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add ca-certificates package to the runtime stage in konflux.Dockerfile and to rpms.in.yaml for Konflux prefetch. This is required for SSL/TLS verification and was identified in PR review comments.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Consolidate all file copies into the package_installer stage to reduce the number of layers in the final images. This results in smaller image sizes due to better compression and a simpler build structure.

Changes:
- Dockerfile: 4 COPY commands → 1 (reduces 3 layers)
- konflux.Dockerfile: 3 COPY commands → 1 (reduces 2 layers)

All files (packages, binaries, licenses, docs) are now copied from package_installer's /out/ directory in a single layer.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add --setopt=reposdir=/etc/yum.repos.d to dnf install command in package_installer stage to ensure dnf uses the host's repo directory (where cachi2 configures RHEL repos) instead of the installroot's repo directory (which contains UBI repos from the copied ubi-micro-base).

When using --installroot=/out/, dnf defaults to looking for repo configurations in /out/etc/yum.repos.d/. Since we copy ubi-micro-base to /out/, this directory contains UBI repo configurations pointing to cdn-ubi.redhat.com, which is not accessible in Konflux hermetic builds.

By explicitly setting reposdir to the host's /etc/yum.repos.d/, dnf will use the cachi2-configured RHEL repos and hermetically prefetched packages, fixing the DNS resolution failure.

Fixes build error:

    Curl error (6): Couldn't resolve host name for https://cdn-ubi.redhat.com/.../repomd.xml

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add bash, coreutils, curl, grep, and gawk to the runtime package list in konflux.Dockerfile to match the regular Dockerfile and provide necessary shared libraries and utilities.

These packages were missing from the konflux.Dockerfile package_installer stage, causing runtime errors:
- curl provides libcurl.so.4 (required by collector binary)
- bash, coreutils, grep, gawk provide shell utilities used by scripts

The packages are already present in rpms.lock.yaml (included as dependencies from other packages or previous builds), so only rpms.in.yaml needs to be updated to document the explicit dependency.

Fixes error:

    collector: error while loading shared libraries: libcurl.so.4: cannot open shared object file: No such file or directory

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
```dockerfile
    --allowerasing \
    bash coreutils curl grep gawk tbb c-ares crypto-policies-scripts elfutils-libelf ca-certificates openssl libuuid libstdc++ && \
    dnf clean all --installroot=/out/ && \
    rm -rf /out/var/cache/*
```
Nit: rm -rf /out/var/cache/* is not equivalent to rm -rf /var/cache/dnf /var/cache/yum which was before.
What exists there in /out/var/cache/* at all, could you please check (i.e. add find /out/var/cache or similar command temporarily)? I doubt that in our way of installation anything gets written there.
Tested locally:

Dockerfile

```dockerfile
FROM registry.access.redhat.com/ubi10/ubi-micro:latest@sha256:551f8ee81be3dbabd45a9c197f3724b9724c1edb05d68d10bfe85a5c9e46a458 AS ubi-micro-base
FROM registry.access.redhat.com/ubi10/ubi:latest@sha256:f573194e8e5231f1c9340c497e1f8d9aa9dbb42b2849e60341e34f50eec9477e AS package_installer
COPY --from=ubi-micro-base / /out/
RUN dnf install -y \
    --installroot=/out/ \
    --releasever=10 \
    --setopt=install_weak_deps=False \
    --nodocs \
    --allowerasing \
    ca-certificates curl-minimal elfutils-libelf libstdc++ libuuid openssl && \
    echo "=== After dnf install, before dnf clean ===" && \
    find /out/var/cache -type f -o -type d | sort && \
    echo "=== After dnf clean all ===" && \
    dnf clean all --installroot=/out/ && \
    find /out/var/cache -type f -o -type d | sort
```
```
After dnf install, before dnf clean
#8 21.67 /out/var/cache
#8 21.67 /out/var/cache/dnf
#8 21.67 /out/var/cache/dnf/.gpgkeyschecked.yum
#8 21.67 /out/var/cache/dnf/codeready-builder-for-ubi-10-x86_64-rpms-c9308cee97045858
#8 21.67 /out/var/cache/dnf/codeready-builder-for-ubi-10-x86_64-rpms-c9308cee97045858/repodata
#8 21.67 /out/var/cache/dnf/codeready-builder-for-ubi-10-x86_64-rpms-c9308cee97045858/repodata/105d1c78a2ce558f9e55fca601afd478aa468605a548dd5ebdd5fba4e6fa9ba4-updateinfo.xml.gz
#8 21.67 /out/var/cache/dnf/codeready-builder-for-ubi-10-x86_64-rpms-c9308cee97045858/repodata/731421dcdc00be9451e8be49a0047b9a15d28ef726f36f4c0307b074dc7de423-primary.xml.gz
#8 21.67 /out/var/cache/dnf/codeready-builder-for-ubi-10-x86_64-rpms-c9308cee97045858/repodata/a27718cc28ec6d71432e0ef3e6da544b7f9d93f6bb7d0a55aacd592d03144b70-comps.xml
#8 21.67 /out/var/cache/dnf/codeready-builder-for-ubi-10-x86_64-rpms-c9308cee97045858/repodata/repomd.xml
#8 21.67 /out/var/cache/dnf/codeready-builder-for-ubi-10-x86_64-rpms-updateinfo.solvx
#8 21.67 /out/var/cache/dnf/codeready-builder-for-ubi-10-x86_64-rpms.solv
#8 21.67 /out/var/cache/dnf/expired_repos.json
#8 21.67 /out/var/cache/dnf/tempfiles.json
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-appstream-rpms-7e8601b0f442edec
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-appstream-rpms-7e8601b0f442edec/repodata
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-appstream-rpms-7e8601b0f442edec/repodata/1cfbb614d4967976cd092c445ff9d5555353e75d1017087c0c49153a4c41e17e-updateinfo.xml.gz
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-appstream-rpms-7e8601b0f442edec/repodata/a27718cc28ec6d71432e0ef3e6da544b7f9d93f6bb7d0a55aacd592d03144b70-comps.xml
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-appstream-rpms-7e8601b0f442edec/repodata/b323d686191dc63586c351c1347370915432e4efc4f8a199e81e8c15797c1739-primary.xml.gz
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-appstream-rpms-7e8601b0f442edec/repodata/repomd.xml
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-appstream-rpms-updateinfo.solvx
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-appstream-rpms.solv
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms-ba1a0318ea5ba2be
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms-ba1a0318ea5ba2be/packages
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms-ba1a0318ea5ba2be/repodata
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms-ba1a0318ea5ba2be/repodata/a27718cc28ec6d71432e0ef3e6da544b7f9d93f6bb7d0a55aacd592d03144b70-comps.xml
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms-ba1a0318ea5ba2be/repodata/c2b81dd06b9e48da59c1e9b1cb2ed63e2b115e6173b16a91b19371877fb27b87-primary.xml.gz
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms-ba1a0318ea5ba2be/repodata/d45abc51b71845eaa4e00515333fa804b9cb1281edcbbf2def8818e45d7718c9-updateinfo.xml.gz
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms-ba1a0318ea5ba2be/repodata/repomd.xml
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms-updateinfo.solvx
#8 21.67 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms.solv
#8 21.67 /out/var/cache/ldconfig
#8 21.67 /out/var/cache/ldconfig/aux-cache
After dnf clean all
#8 21.96 Updating Subscription Management repositories.
#8 21.96 Unable to read consumer identity
#8 21.96
#8 21.96 This system is not registered with an entitlement server. You can use subscription-manager to register.
#8 21.96
#8 21.97 18 files removed
#8 22.05 /out/var/cache
#8 22.05 /out/var/cache/dnf
#8 22.05 /out/var/cache/dnf/.gpgkeyschecked.yum
#8 22.05 /out/var/cache/dnf/codeready-builder-for-ubi-10-x86_64-rpms-c9308cee97045858
#8 22.05 /out/var/cache/dnf/codeready-builder-for-ubi-10-x86_64-rpms-c9308cee97045858/repodata
#8 22.05 /out/var/cache/dnf/expired_repos.json
#8 22.05 /out/var/cache/dnf/tempfiles.json
#8 22.05 /out/var/cache/dnf/ubi-10-for-x86_64-appstream-rpms-7e8601b0f442edec
#8 22.05 /out/var/cache/dnf/ubi-10-for-x86_64-appstream-rpms-7e8601b0f442edec/repodata
#8 22.05 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms-ba1a0318ea5ba2be
#8 22.05 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms-ba1a0318ea5ba2be/packages
#8 22.05 /out/var/cache/dnf/ubi-10-for-x86_64-baseos-rpms-ba1a0318ea5ba2be/repodata
#8 22.05 /out/var/cache/ldconfig
#8 22.05 /out/var/cache/ldconfig/aux-cache
```
Ok, good to know that dnf --installroot does touch /out/var/cache. Thanks for checking.
Besides dnf/, there's also ldconfig/aux-cache and AI tells me it's safe to delete but I'm hesitant. Even if this file is safe to delete, there may appear other things in subsequent releases.
I'd vote to keep doing rm -rf /var/cache/dnf /var/cache/yum to prevent regressions.
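Putting the pieces of this thread together (the ubi-micro seed for the rpmdb, the host reposdir override, --allowerasing, and the narrower cache cleanup proposed above) into one constructed Dockerfile. This is an added illustration, not the PR's own file; the stage names, digests and package list are the ones quoted in the messages above, and the rpm --root sanity check is my addition.

```dockerfile
# Constructed example (not the PR's Dockerfile); digests and packages are the
# ones quoted in this thread.

# Stage 1: the ubi-micro image whose existing rpmdb the final image must keep.
FROM registry.access.redhat.com/ubi10/ubi-micro:latest@sha256:551f8ee81be3dbabd45a9c197f3724b9724c1edb05d68d10bfe85a5c9e46a458 AS ubi-micro-base

# Stage 2: full UBI (ships dnf) is used only to populate /out, never as the
# runtime base.
FROM registry.access.redhat.com/ubi10/ubi:latest@sha256:f573194e8e5231f1c9340c497e1f8d9aa9dbb42b2849e60341e34f50eec9477e AS package_installer

# Seed /out with ubi-micro so dnf extends its rpmdb instead of creating a
# fresh one that would lose track of the packages already in the base.
COPY --from=ubi-micro-base / /out/

# --setopt=reposdir keeps dnf on the builder's repos (the ones cachi2 sets up
# in hermetic builds) instead of /out/etc/yum.repos.d, which holds the UBI CDN
# repos copied in from ubi-micro. --allowerasing resolves conflicts such as
# coreutils vs coreutils-single. After dnf clean all, only the package-manager
# caches are removed; /out/var/cache/ldconfig/aux-cache is left alone.
RUN dnf install -y \
        --installroot=/out/ \
        --releasever=10 \
        --setopt=reposdir=/etc/yum.repos.d \
        --setopt=install_weak_deps=False \
        --nodocs \
        --allowerasing \
        bash coreutils curl grep gawk tbb c-ares crypto-policies-scripts \
        elfutils-libelf ca-certificates openssl libuuid libstdc++ libcap-ng && \
    dnf clean all --installroot=/out/ && \
    rm -rf /out/var/cache/dnf /out/var/cache/yum

# Sanity check (added here): the merged rpmdb under /out must answer both for
# a package that came with ubi-micro (glibc) and for freshly installed ones.
RUN rpm --root /out -q glibc libuuid libstdc++

# Stage 3: the runtime image is ubi-micro plus everything dnf placed in /out,
# copied in a single layer (binaries and licenses would be staged into /out
# in stage 2 as well).
FROM ubi-micro-base
COPY --from=package_installer /out/ /
```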
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
Replace the complex sed-based generation of Dockerfile.dev with a static single-stage Dockerfile for development builds. This simplifies the build process and makes the development Dockerfile easier to maintain.

Changes:
- Add static collector/container/Dockerfile.dev using full UBI base
- Remove container-dockerfile-dev target from Makefile
- Update image-dev target to use static Dockerfile.dev directly
- Remove --build-arg BUILD_TYPE=devel (not needed for dedicated dev Dockerfile)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

chore: Add static Dockerfile.dev and update .gitignore

Add the static Dockerfile.dev file that was previously ignored, and remove it from .gitignore since it's now a source file rather than a generated one.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The collector binary requires libcap-ng.so.0 at runtime, but this library was missing from the final image after commit 4b7f0cc removed packages. While libcap-ng-devel is installed in the builder stage, the runtime library libcap-ng must also be present in the final image.

This was causing CI test failures with:

    "collector: error while loading shared libraries: libcap-ng.so.0: cannot open shared object file: No such file or directory"

Changes:
- Added libcap-ng to rpms.in.yaml final stage packages
- Added libcap-ng to konflux.Dockerfile runtime packages
- Added libcap-ng (and missing c-ares, tbb) to Dockerfile runtime packages

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Rename collector/container/Dockerfile.dev to dev.Dockerfile to follow a more consistent naming convention (matching konflux.Dockerfile pattern). This is now a static file (not generated), so removed it from the clean target in collector/Makefile.

Changes:
- Renamed collector/container/Dockerfile.dev to dev.Dockerfile
- Updated Makefile to reference dev.Dockerfile
- Removed dev.Dockerfile from clean target (no longer generated)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Description
Reduce container image size and improve security posture by migrating from UBI minimal base images to UBI micro base images.
Removed (28 packages):
Refs:
Checklist
Automated testing
If any of these don't apply, please comment below.
Testing Performed
CI