add ubi dockerfile #550
@daniel-butler-irl Image is available for testing.
Would it be better to copy the build task That way when updating the Dockerfile the build for UBI image is updated as well. That would be roughly the same as what we're doing internally.
Hi @daniel-butler-irl, as @smuda mentioned above, you will have to add a docker build for this Dockerfile as well in the GitHub action. After that is added into the PR, we can merge it.
@MuneebAijaz my suggestion doesn't require a new Dockerfile, just running the same job again with a new ENV pointing to the new BASE_IMAGE, much like running
@smuda If we can get it working without a new dockerfile great. However, we have found in the past that even if we use the latest ubi image there can be critical security fixes missing and
I need to do some testing, but if I add the following to the Dockerfile then it could support updating the UBI image:

```dockerfile
# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM ${BASE_IMAGE:-gcr.io/distroless/static:nonroot}
WORKDIR /
COPY --from=builder /workspace/manager .
# Update image if it is RHEL based
RUN if cat /etc/os-release | grep 'ID="rhel"'; then \
      microdnf update -y; \
    fi
USER 65532:65532
```
Oh, I see this won't work with the distroless image (I've not used it before). I think two Dockerfiles are needed...
(Please note that I'm not a maintainer, just a user) That's correct and I'd say that is normally what you want as new UBI images arrive ~2 weeks. With that said, what we've done before internally is to handle patches of the base image as a temporary patch, creating a Dockerfile which just includes the microdnf command for that particular package. Honestly, this is also the reason why I like
I have updated the workflows to what I think they should be, but please have someone who is more knowledgeable than me check them. Thanks.
@daniel-butler-irl Image is available for testing.
@daniel-butler-irl Image is available for testing.
#348
Made a start on this, I'm sure changes will be needed so let me know and I will try to get this over the line.