Skip to content

Migrate container base images from Debian to Red Hat UBI9#49

Open
yakovbeder wants to merge 2 commits into
openshift:mainfrom
yakovbeder:ubi9-migration
Open

Migrate container base images from Debian to Red Hat UBI9#49
yakovbeder wants to merge 2 commits into
openshift:mainfrom
yakovbeder:ubi9-migration

Conversation

@yakovbeder

@yakovbeder yakovbeder commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Fixes #38

Summary

  • Replace node:22-slim (Debian) with registry.access.redhat.com/ubi9/nodejs-22-minimal in all Dockerfiles
  • Convert package management from apt-get to microdnf
  • Adapt the runtime user from Debian's node (uid 1000) to UBI's default (uid 1001, gid 0)
  • Update entrypoint.sh to drop privileges as default

Motivation

Mirror-GUI runs on RHEL VMs in disconnected/air-gapped environments where Debian-based images are not acceptable. UBI9 matches the host OS family and provides FIPS-validated crypto when the host is in FIPS mode.

Changes

File Change
Dockerfile All 3 stages → ubi9/nodejs-22-minimal; microdnf installs; create default user (uid 1001)
Dockerfile.catalog-sync processor stage → ubi9/nodejs-22-minimal; catalog index stages unchanged
.ci-operator/build-root/Dockerfile ubi9/nodejs-22-minimal; microdnf install git
entrypoint.sh Drop privileges as default (uid 1001) instead of node (uid 1000)

Testing

  • ./local-build.sh succeeds (catalog sync, UBI image build, container start)
  • Container starts, entrypoint permissions check passes
  • Playwright E2E: 63/63 tests pass against the UBI-based container
  • No Debian artifacts remain (apt-get not present, OS is RHEL 9.8)
  • API save/upload/delete, operation start, and host data/ persistence verified with uid 1001 (default)

Summary by CodeRabbit

  • Chores
    • Updated container images to Red Hat UBI9 Node.js 22 minimal images.
    • Migrated container package installation to the UBI-compatible package manager.
    • Improved runtime compatibility with non-root container users.
    • Added configurable application user support for data directory ownership, permissions, and startup checks.

…imal.

Align Dockerfiles and entrypoint with Red Hat UBI conventions (microdnf, uid 1001/default) for disconnected/enterprise environments.

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-ci
openshift-ci Bot requested review from dorzel and r4f4 July 17, 2026 20:53
@openshift-ci

openshift-ci Bot commented Jul 17, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yakovbeder

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 17, 2026
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Walkthrough

The container images now use UBI9 Node.js 22 minimal bases and microdnf. Production creates a UID/GID-aligned user, while entrypoint.sh uses configurable APP_USER ownership, permission checks, and execution.

Changes

UBI9 container migration

Layer / File(s) Summary
Build and processing image migration
.ci-operator/build-root/Dockerfile, Dockerfile, Dockerfile.catalog-sync
Build, downloader, processor, and related stages switch to UBI9 Node.js images, root setup, and microdnf package installation.
Production runtime user setup
Dockerfile
The production image installs runtime packages, creates the UID/GID-aligned user, and assigns /app/data ownership to 1001:0.
Entrypoint user parameterization
entrypoint.sh
Data directories, auth files, permission checks, error guidance, and process execution use configurable APP_USER.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed HEAD only changes Dockerfiles and entrypoint.sh; no test/spec files or Ginkgo titles were modified.
Test Structure And Quality ✅ Passed PR only changes Dockerfiles and entrypoint.sh; no Ginkgo or other test files were modified, so this check is not applicable.
Microshift Test Compatibility ✅ Passed PR only changes Dockerfiles and entrypoint.sh; no Ginkgo e2e tests were added or modified, so MicroShift API compatibility is not implicated.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo/e2e test files were changed; the PR only modifies Dockerfiles and entrypoint.sh, so SNO test compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Only Dockerfiles and entrypoint.sh changed; no manifests/controllers or topology-related scheduling logic were introduced.
Ote Binary Stdout Contract ✅ Passed PASS: The PR only changes Dockerfiles and entrypoint.sh; no OTE main/TestMain/setup code or new stdout writes were added.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only changes Dockerfiles and entrypoint.sh, with no It/Describe/Context/When or network-test logic in the diff.
No-Weak-Crypto ✅ Passed Changed files only adjust images/users/permissions; searches found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons.
Container-Privileges ✅ Passed No privileged/host* securityContext fields or SYS_ADMIN/allowPrivilegeEscalation settings were added; root is only used for image setup before runuser drops privileges.
No-Sensitive-Data-In-Logs ✅ Passed The changed files only log generic status/errors and build metadata; no passwords, tokens, PII, or auth-file contents are printed.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the primary change: moving container base images from Debian to Red Hat UBI9.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 67: Update Dockerfile#L67-L67 to use a non-root default user and move
volume ownership handling to init/fsGroup or pre-provisioning; update
.ci-operator/build-root/Dockerfile#L3-L3, Dockerfile#L3-L3, and
Dockerfile#L42-L42 to switch back to the intended non-root user after privileged
setup while preserving workspace writability; update
Dockerfile.catalog-sync#L40-L40 so the emitted processor/data image is non-root
by default. Ensure all listed Dockerfiles never run as root by default.
- Around line 65-67: Add a real application readiness HEALTHCHECK to Dockerfile
at lines 65-67. Add the approved explicit disabled-healthcheck directive to
.ci-operator/build-root/Dockerfile at lines 1-6 and Dockerfile.catalog-sync at
lines 38-45, since those images are not run as services or only carry data.

In `@Dockerfile.catalog-sync`:
- Around line 38-45: Add a HEALTHCHECK to the processor image in
Dockerfile.catalog-sync, following the repository-approved policy: disable it
explicitly if this is a data-carrier image; otherwise define a meaningful check
that validates the processor’s health. Ensure the matching Dockerfile contains
an explicit HEALTHCHECK directive.

In `@entrypoint.sh`:
- Around line 15-20: Update the permission assignment in the entrypoint flow
around AUTHFILE to use mode 600 instead of 664, ensuring only the file owner can
read the pull secret; preserve the existing ownership change and file-existence
check.
- Line 4: Update the APP_USER initialization in the entrypoint to preserve an
externally supplied value while defaulting to “default”; derive the selected
user’s UID for host-permission fixes instead of hardcoding 1001. Validate that
APP_USER exists before invoking chown, su, or runuser, and retain the existing
flow for valid users.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f7fb99ee-25df-4b0d-a510-5b27a5d19003

📥 Commits

Reviewing files that changed from the base of the PR and between 399dd94 and 5b9bf57.

📒 Files selected for processing (4)
  • .ci-operator/build-root/Dockerfile
  • Dockerfile
  • Dockerfile.catalog-sync
  • entrypoint.sh

Comment thread Dockerfile
Comment thread Dockerfile
Comment thread Dockerfile.catalog-sync
Comment thread entrypoint.sh
Comment thread entrypoint.sh
datetime.UTC requires Python 3.11+, but UBI9 ships Python 3.9, which
broke catalog-sync CI when processing catalog metadata.

Co-authored-by: Cursor <cursoragent@cursor.com>
@yakovbeder

Copy link
Copy Markdown
Contributor Author

/retest

@openshift-ci

openshift-ci Bot commented Jul 17, 2026

Copy link
Copy Markdown

@yakovbeder: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

./local-build.sh --build fails with cannot import name 'UTC'

1 participant