Use UBI9 base and pin to the latest calico/base #4365
Conversation
This change updates the Tigera operator runtime base to UBI 9 and pins calico/base to the latest version. It also fixes the shared library path to /lib64, which is the canonical runtime location for shared libraries on RHEL systems.
| COPY --from=ubi /usr/share/pki /usr/share/pki/ | ||
| # Used by the Helm library | ||
| COPY --from=ubi /usr/lib64/libdl.so.2 /usr/lib64/libdl.so.2 | ||
| COPY --from=ubi /lib64/libdl.so.2 /lib64/libdl.so.2 |
There was a problem hiding this comment.
/lib64 is the canonical runtime location for essential shared libraries on RHEL systems.
There was a problem hiding this comment.
Pull request overview
This PR updates the Tigera operator's base container images to use UBI 9 instead of UBI 8, pins the calico/base image to a specific version for reproducibility, and fixes the shared library path to use the canonical RHEL location.
Changes:
- Upgraded base OS image from UBI 8.10 to UBI 9
- Pinned calico/base to version ubi9-1765220429 for reproducible builds
- Fixed shared library path from /usr/lib64 to /lib64 (canonical location on RHEL systems)
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| build/Dockerfile | Updated FROM statements to use UBI9 and parameterized calico/base image; corrected libdl.so.2 path from /usr/lib64 to /lib64 |
| Makefile | Added CALICO_BASE_VER and CALICO_BASE variables and passed them as build arguments to Docker |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10 AS ubi | ||
| ARG CALICO_BASE | ||
|
|
||
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS ubi |
There was a problem hiding this comment.
Using the :latest tag for the UBI9 base image can lead to non-reproducible builds and unexpected changes when the upstream image updates. Consider pinning to a specific version tag (e.g., ubi9/ubi-minimal:9.5-1733160736) to ensure build reproducibility and consistency across environments.
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS ubi | |
| FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5-1733160736 AS ubi |
There was a problem hiding this comment.
I think it's fine to use the latest version in this case, as we're currently only copying system-wide certificates and a single libdl.so. We do want these to be up-to-date.
…4377-upstream-release-v1.41 [v1.41] Bump golang and k8s patch releases; Use UBI9 base and pin to the latest calico/base; Bump Go to v1.25.6 and update dependencies
3 participants
Description
This change updates the Tigera operator runtime base to UBI 9 and pins calico/base to the latest version. It also fixes the shared library path to /lib64, which is the canonical runtime location for shared libraries on RHEL systems.
Release Note
For PR author
make gen-filesmake gen-versionsFor PR reviewers
A note for code reviewers - all pull requests must have the following:
kind/bugif this is a bugfix.kind/enhancementif this is a a new feature.enterpriseif this PR applies to Calico Enterprise only.