
add ubi dockerfile #550

Merged
merged 3 commits into from
Oct 20, 2023

Conversation

daniel-butler-irl
Contributor

#348

Made a start on this, I'm sure changes will be needed so let me know and I will try to get this over the line.

@github-actions

@daniel-butler-irl Image is available for testing. docker pull ghcr.io/stakater/reloader:SNAPSHOT-PR-550-08a774a7

@smuda
Contributor

smuda commented Oct 18, 2023

Would it be better to copy the build task Build and Push Docker Image to ghcr registry in .github/workflows/push.yaml to run again with BASE_IMAGE=docker.io/redhat/ubi8-micro:latest?

That way when updating the Dockerfile the build for UBI image is updated as well.

That would be roughly the same as what we're doing internally.

@MuneebAijaz
Contributor

Hi @daniel-butler-irl, as @smuda mentioned above, you will have to add a Docker build for this Dockerfile in the GitHub Action as well. After that is added to the PR, we can merge it.

@smuda
Contributor

smuda commented Oct 19, 2023

@MuneebAijaz my suggestion doesn't require a new Dockerfile, just running the same job again with a new ENV pointing to the new BASE_IMAGE, much like running

DOCKER_IMAGE=my.image.local/reloader \
   ARCH=amd64 \
   BASE_IMAGE=docker.io/redhat/ubi8-micro:latest \
   make build-image

@daniel-butler-irl
Contributor Author

@smuda If we can get it working without a new Dockerfile, great. However, we have found in the past that even if we use the latest UBI image there can be critical security fixes missing and microdnf update needs to be run, as it can take some time for the base image to be updated. Not sure if we can run the update with your approach?

@daniel-butler-irl
Contributor Author

I need to do some testing, but if I add the following to the Dockerfile then it could support updating the UBI image:

# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM ${BASE_IMAGE:-gcr.io/distroless/static:nonroot}
WORKDIR /
COPY --from=builder /workspace/manager .

# Update the image if it is RHEL based (only such images ship microdnf);
# the check must run before dropping to the non-root user
RUN if grep -q 'ID="rhel"' /etc/os-release; then \
        microdnf update -y; \
    fi

USER 65532:65532

@daniel-butler-irl
Contributor Author

daniel-butler-irl commented Oct 19, 2023

Oh I see this won't work with the distroless image (I've not used it before). I think two Dockerfiles are needed...
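One way to get both images out of a single Dockerfile, as an added example that is not the PR's or the reloader project's code: two named final stages selected with `docker build --target`, so the distroless stage never needs a shell and only the UBI stage runs the package update. Assumptions: the builder stage (Go image, version, module layout) and the ENTRYPOINT are placeholders; the binary path /workspace/manager and the non-root UID 65532 come from the snippet above. One caveat worth knowing: ubi8-micro, like distroless, ships no package manager, so the in-build microdnf update is shown against the ubi8-minimal image instead.

```dockerfile
# Added illustration, not the reloader project's Dockerfile: one multi-stage
# build with two selectable final stages. The distroless stage stays
# shell-less; the UBI stage applies security errata at build time.
#
# Assumptions (placeholders): the Go toolchain image/version, the module
# layout and the ENTRYPOINT. Taken from the thread: /workspace/manager,
# UID 65532, distroless/static:nonroot and the microdnf update step.

ARG BUILDER_IMAGE=docker.io/library/golang:1.21
FROM ${BUILDER_IMAGE} AS builder
WORKDIR /workspace
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO disabled so the binary has no libc dependency and runs on distroless/static
RUN CGO_ENABLED=0 GOOS=linux go build -a -o manager .

# --- Final stage 1: distroless (no shell, no package manager) ----------------
# No RUN instruction is possible in this stage: distroless/static has no
# /bin/sh, which is why an "if rhel then microdnf" step cannot live here.
FROM gcr.io/distroless/static:nonroot AS distroless
WORKDIR /
COPY --from=builder /workspace/manager .
USER 65532:65532
ENTRYPOINT ["/manager"]

# --- Final stage 2: Red Hat UBI minimal --------------------------------------
# ubi8-minimal ships microdnf (ubi8-micro does not), so errata published
# after the base image was cut are applied at build time instead of waiting
# for the next UBI release. The update runs as root, before USER drops
# privileges, and the cache is cleaned so the layer stays small.
FROM docker.io/redhat/ubi8-minimal:latest AS ubi
RUN microdnf update -y \
    && microdnf clean all \
    && rm -rf /var/cache/yum /var/cache/dnf
WORKDIR /
COPY --from=builder /workspace/manager .
USER 65532:65532
ENTRYPOINT ["/manager"]
```

Build the two variants with `docker build --target distroless -t reloader:distroless .` and `docker build --target ubi -t reloader:ubi .`. In CI this lets one workflow job run twice with the target as its only parameter, which is the reuse @smuda is after, while keeping the update step out of the distroless image. Because the UBI stage pulls `:latest` and runs an update, the build is not reproducible by design; pin the base digest if reproducibility matters more than freshness, and scan both resulting tags so a lagging base image is caught before release rather than after.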

@smuda
Contributor

smuda commented Oct 19, 2023

> However, we have found in the past that even if we use the latest ubi image there can be critical security fixes missing and microdnf update needs to be run, as it can take some time for the base image to be updated. Not sure if we can run the update with your approach?

(Please note that I'm not a maintainer, just a user.) That's correct, and I'd say that is normally what you want, as new UBI images arrive every ~2 weeks.

With that said, what we've done before internally is to handle patches of the base image as a temporary patch, creating a Dockerfile which just includes the microdnf command for that particular package.

Honestly, this is also the reason why I like scratch as a base image. If there is no software, there are no CVEs... :-) Beware of compliance requirements which include more software than needed.

@daniel-butler-irl
Contributor Author

I have updated the workflows to what I think they should be, but please have someone who is more knowledgeable than me check them. Thanks.

@github-actions

@daniel-butler-irl Image is available for testing. docker pull ghcr.io/stakater/reloader:SNAPSHOT-PR-550-eb8d215c

@github-actions

@daniel-butler-irl Image is available for testing. docker pull ghcr.io/stakater/reloader:SNAPSHOT-PR-550-34ecb8be

@MuneebAijaz MuneebAijaz merged commit 02210be into stakater:master Oct 20, 2023
6 checks passed