3 changes: 3 additions & 0 deletions base/Dockerfile.rhel9
@@ -1,3 +1,6 @@
# URGENT! ART metadata configuration has a different number of FROMs
# than this Dockerfile. ART will be unable to build your component or
# reconcile this Dockerfile until that disparity is addressed.
Comment on lines +1 to +3
⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Warning-only change leaves required container hardening unmet.

This adds visibility, but the Dockerfile still runs as root and has no HEALTHCHECK, so the security/compliance gap remains unresolved in this PR.

As per the coding guidelines: USER non-root (never run as root) and HEALTHCHECK defined.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@base/Dockerfile.rhel9` around lines 1-3, the Dockerfile currently leaves
the container running as root and lacks a HEALTHCHECK; modify the Dockerfile to
create a non-root user/group (e.g., add a dedicated user and chown any runtime
dirs), switch to that account with a USER non-root instruction before the final
image is produced, and add a HEALTHCHECK instruction (using a small, appropriate
command or script that verifies the app is running and exits with correct codes)
so the container meets hardening/compliance requirements; ensure any files or
ports the non-root user needs are given proper ownership/permissions prior to
USER switching and that the HEALTHCHECK command is reliable for your service.

# Builder stage: Configure crypto-policies with post-quantum support
FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 AS builder
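Review bot: the three added lines (+1 to +3) are a comment only, and nothing in this hunk changes either the number of FROM instructions or the ART metadata that the comment says disagree with it, so by the comment's own account ART still cannot build or reconcile this file after the merge. Either reconcile the FROM count with the ART metadata in this PR, or have the comment point at the tracking item for that work and drop the "URGENT!" header once it is resolved, so the warning does not linger in the file indefinitely. The visible context also shows the builder stage starting from `base-rhel9` with no USER instruction in this region, which is consistent with the Trivy DS-0002 finding quoted in the review comment above.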

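A Dockerfile fragment showing the two hardening items the review comment asks for (a non-root USER and a HEALTHCHECK), as an added illustration rather than code from this PR or from the project; the base image name, the UID/GID 10001, the port 8080, the /healthz endpoint and the presence of curl in the base image are all placeholder assumptions:

```dockerfile
# Placeholder base image: substitute the project's real RHEL9 base here.
FROM registry.example.com/rhel9-base:latest

# Create a dedicated unprivileged account with a fixed numeric UID/GID.
# A numeric USER (not just a name) lets Kubernetes/OpenShift enforce
# runAsNonRoot at admission time, since the kubelet cannot resolve a
# username from the image's /etc/passwd. UID 10001 is an assumed value.
RUN groupadd --gid 10001 app \
    && useradd --uid 10001 --gid 10001 --home-dir /app \
       --shell /sbin/nologin --create-home app

# Do privileged setup while still root: stage the health probe script and
# give the service account ownership of only the directories it must write.
# The probe assumes curl is present and that the service answers on
# 127.0.0.1:8080/healthz (both assumptions for this example).
RUN printf '#!/bin/sh\nexec curl -fsS http://127.0.0.1:8080/healthz >/dev/null\n' \
       > /usr/local/bin/healthcheck.sh \
    && chmod 0755 /usr/local/bin/healthcheck.sh \
    && mkdir -p /app/data \
    && chown -R 10001:10001 /app

WORKDIR /app

# Everything after this line runs unprivileged; it satisfies Trivy DS-0002.
USER 10001

# The probe command must exit 0 when healthy and 1 when not; the trailing
# "|| exit 1" normalises any other non-zero status to the value Docker expects.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD /usr/local/bin/healthcheck.sh || exit 1

# Placeholder entrypoint for the service.
CMD ["/app/start.sh"]
```

The ordering matters: file ownership and permissions are fixed before the USER switch, because after it the build can no longer chown paths owned by root. Note that OpenShift ignores the image HEALTHCHECK in favour of pod liveness/readiness probes, and buildah only records HEALTHCHECK when building in Docker image format, so the instruction mainly serves the compliance check and plain-container use.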