stackabletech · maltesander · May 6, 2024 · Mar 2, 2024 · Mar 20, 2024 · Mar 20, 2024
diff --git a/.github/workflows/ubi-rust-builder.yml b/.github/workflows/ubi-rust-builder.yml
@@ -16,10 +16,10 @@ jobs:
     strategy:
       matrix:
         runner: ["ubuntu-latest", "buildjet-2vcpu-ubuntu-2204-arm"]
+        ubi-version: ["ubi8", "ubi9"]
     runs-on: ${{ matrix.runner }}
     steps:
-      - name: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=v4.1.4
       - name: Login to Stackable Harbor
         uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # tag=v3.1.0
         with:
@@ -36,23 +36,26 @@ jobs:
         uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           context: .
-          file: ./ubi8-rust-builder/Dockerfile
+          file: ./${{ matrix.ubi-version }}-rust-builder/Dockerfile
           push: true
-          tags: oci.stackable.tech/sdp/ubi8-rust-builder:${{ env.TAG }}
+          tags: oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder:${{ env.TAG }}
       - name: Sign the published builder image
         shell: bash
         run: |
           # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)
           # This generates a signature and publishes it to the registry, next to the image
           # Uses the keyless signing flow with Github Actions as identity provider
-          cosign sign -y "oci.stackable.tech/sdp/ubi8-rust-builder@${{ steps.build-and-push.outputs.digest }}"
+          cosign sign -y "oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder@${{ steps.build-and-push.outputs.digest }}"
   create_manifest:
     permissions:
       id-token: write
+    strategy:
+      matrix:
+        ubi-version: ["ubi8", "ubi9"]
     runs-on: ubuntu-latest
     needs: ["build"]
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=v4.1.4
       - name: Login to Stackable Harbor
         uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # tag=v3.1.0
         with:
@@ -65,7 +68,7 @@ jobs:
         shell: bash
         run: |
           COMMIT_ID=$(git rev-parse --short HEAD)
-          MANIFEST_LIST_NAME=oci.stackable.tech/sdp/ubi8-rust-builder
+          MANIFEST_LIST_NAME=oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder
           docker manifest create "$MANIFEST_LIST_NAME:latest" "$MANIFEST_LIST_NAME:$COMMIT_ID-x86_64" "$MANIFEST_LIST_NAME:$COMMIT_ID-aarch64"
           # `docker manifest push` directly returns the digest of the manifest list
           # As it is an experimental feature, this might change in the future

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
+- ubi9-rust-builder: A builder image using UBI9 instead of the current UBI8 ([#583])
 - Build all `0.0.0-dev` product images as multi-arch and push them to Nexus and Harbor.
   Also SBOMs are generated and everything is signed ([#614], [#616]).
 - hbase: Enable snapshot exports to S3; The HBase image depends now on
@@ -31,6 +32,7 @@ All notable changes to this project will be documented in this file.
 - hive: Fix compilation on ARM in CI as well ([#619]).
 - hive: Fix compilation of x86 in CI due to lower disk usage to prevent disk running full ([#619]).
 
+[#583]: https://github.com/stackabletech/docker-images/pull/583
 [#611]: https://github.com/stackabletech/docker-images/pull/611
 [#612]: https://github.com/stackabletech/docker-images/pull/612
 [#613]: https://github.com/stackabletech/docker-images/pull/613

diff --git a/README.adoc b/README.adoc
@@ -43,10 +43,10 @@ To verify if Apache Zookeeper validate against OpenShift preflight, run:
 
     check-container --product zookeeper --image 0.0.0-dev
 
-== ubi8-rust-builder
+== ubi8-rust-builder / ubi9-rust-builder
 
-This image is meant to be used in multi-stage builds as a base image for projects building Rust projects.
-It is automatically rebuilt and pushed every night and also on every push to the main branch, in addition a build can be triggered using GitHub Actions.
+These images are meant to be used in multi-stage builds as a base image for projects building Rust projects.
+They are automatically rebuilt and pushed every night and also on every push to the main branch, in addition a build can be triggered using GitHub Actions.
 
 The image will run `cargo build --release` in the current context and copy all binaries to an `/app` directory.
 
@@ -55,15 +55,15 @@ This will bake in the current stable Rust version at the time this image was bui
 .Example usage
 [source,dockerfile]
 ----
-FROM docker.stackable.tech/ubi8-rust-builder AS builder
+FROM docker.stackable.tech/ubi9-rust-builder AS builder
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal AS operator
+FROM registry.access.redhat.com/ubi9/ubi-minimal AS operator
 LABEL maintainer="Stackable GmbH"
 
 # Update image
-RUN microdnf update --disablerepo=* --enablerepo=ubi-8-baseos-rpms --enablerepo=ubi-8-baseos-rpms -y \
-  && rm -rf /var/cache/yum \
-  && microdnf install --disablerepo=* --enablerepo=ubi-8-appstream-rpms --enablerepo=ubi-8-baseos-rpms shadow-utils -y \
+RUN microdnf update \
+  && microdnf install \
+    shadow-utils \
   && rm -rf /var/cache/yum
 
 COPY --from=builder /app/stackable-zookeeper-operator /

diff --git a/ubi8-rust-builder/copy_artifacts.sh → shared/copy_artifacts.sh b/ubi8-rust-builder/copy_artifacts.sh → shared/copy_artifacts.sh
diff --git a/stackable-base/stackable/dnf.conf b/stackable-base/stackable/dnf.conf
@@ -1,2 +1,3 @@
 [main]
-install_weak_deps=0
+install_weak_deps=False
+assumeyes=True
diff --git a/ubi8-rust-builder/Dockerfile b/ubi8-rust-builder/Dockerfile
@@ -37,12 +37,12 @@ WORKDIR /
 # property in operator-templating/config/rust.yaml
 # hadolint ignore=SC1091
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.77.0 \
- && . "$HOME/.cargo/env" && cargo install cargo-cyclonedx@0.4.0 cargo-auditable@0.6.1
+ && . "$HOME/.cargo/env" && cargo install cargo-cyclonedx@0.4.0 cargo-auditable@0.6.2
 
 # Build artifacts will be available in /app.
 RUN mkdir /app
 
-COPY ubi8-rust-builder/copy_artifacts.sh /
+COPY shared/copy_artifacts.sh /
 
 ONBUILD WORKDIR /src
 ONBUILD COPY . /src

diff --git a/ubi9-rust-builder/Dockerfile b/ubi9-rust-builder/Dockerfile
@@ -0,0 +1,95 @@
+# syntax=docker/dockerfile:1.6.0@sha256:ac85f380a63b13dfcefa89046420e1781752bab202122f8f50032edf31be0021
+
+# Ignoring DL3038 globally because set `assumeyes=True` in dnf.conf
+# hadolint global ignore=DL3038
+
+# 9.4-949 as of 2024-05-02
+# https://catalog.redhat.com/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5?image=6627f8683d10f9c54d395968&architecture=amd64
+# Manifest list digest because of multi architecture builds ( https://www.redhat.com/architect/pull-container-image#:~:text=A%20manifest%20list%20exists%20to,system%20on%20a%20specific%20architecture )
+FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:b6ec3ea97ba321c7529b81ae45c407ba8039d52fea3f7b6853734d7f8863344b AS builder
+
+LABEL maintainer="Stackable GmbH"
+
+# Sets the default shell to Bash with strict error handling and robust pipeline processing.
+# "-e": Exits immediately if a command exits with a non-zero status
+# "-u": Treats unset variables as an error, preventing unexpected behavior from undefined variables.
+# "-o pipefail": Causes a pipeline to return the exit status of the last command in the pipe that failed, ensuring errors in any part of a pipeline are not ignored.
+# "-c": Allows the execution of commands passed as a string
+# This is automatically inherited in all other Dockerfiles that use this unless it is overwritten
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
+# We configure microdnf to not install weak dependencies in this file
+# Not doing this caused the content of images to become unpredictable because
+# based on which packages get updated by `microdnf update` new weak dependencies
+# might be installed that were not present earlier (the ubi8 base image doesn't
+# seem to install weak dependencies)
+# This also affects the packages that are installed in our Dockerfiles (java as prime
+# example).
+# https://github.com/stackabletech/docker-images/pull/533
+COPY stackable-base/stackable/dnf.conf /etc/dnf/dnf.conf
+
+# Update image and install everything needed for Rustup & Rust
+RUN microdnf update \
+  && microdnf install \
+    clang \
+    cmake \
+    curl-minimal \
+    findutils \
+    gcc \
+    gcc-c++ \
+    krb5-libs \
+    libkadm5 \
+    make \
+    openssl-devel \
+    pkg-config \
+    systemd-devel \
+    unzip \
+  && microdnf clean all \
+  && rm -rf /var/cache/yum
+
+# Container Storage Interface is defined using GRPC/Protobuf, our operators that use it (secret-operator/listener-operator) require
+# protoc via Prost (https://github.com/tokio-rs/prost).
+WORKDIR /opt/protoc
+# Prost does not document which version of protoc it expects (https://docs.rs/prost-build/0.12.4/prost_build/), so this should be the latest upstream version
+# (within reason).
+RUN PROTOC_VERSION=26.1 \
+  ARCH=$(arch | sed 's/^aarch64$/aarch_64/') \
+  && curl --location --output protoc.zip "https://repo.stackable.tech/repository/packages/protoc/protoc-${PROTOC_VERSION}-linux-${ARCH}.zip" \
+  && unzip protoc.zip \
+  && rm protoc.zip
+ENV PROTOC=/opt/protoc/bin/protoc
+WORKDIR /
+
+# IMPORTANT
+# If you change the toolchain version here, make sure to also change the "rust_version"
+# property in operator-templating/config/rust.yaml
+# hadolint ignore=SC1091
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.77.2 \
+ && . "$HOME/.cargo/env" && cargo install cargo-cyclonedx@0.4.0 cargo-auditable@0.6.2
+
+# Build artifacts will be available in /app.
+RUN mkdir /app
+
+COPY shared/copy_artifacts.sh /
+
+ONBUILD WORKDIR /src
+ONBUILD COPY . /src
+
+# hadolint ignore=SC1091
+ONBUILD RUN . "$HOME/.cargo/env" && cargo auditable build --release --workspace && cargo cyclonedx --output-pattern package --all --output-cdx
+
+# Copy the "interesting" files into /app.
+ONBUILD RUN find /src/target/release \
+                -regextype egrep \
+                # The interesting binaries are all directly in ${BUILD_DIR}.
+                -maxdepth 1 \
+                # Well, binaries are executable.
+                -executable \
+                # Well, binaries are files.
+                -type f \
+                # Filter out tests.
+                ! -regex ".*\-[a-fA-F0-9]{16,16}$" \
+                # Copy the matching files into /app.
+                -exec /copy_artifacts.sh {} \;
+
+ONBUILD RUN echo "The following files will be copied to the runtime image: $(ls /app)"