chore(base-image): Migrate Konflux builds to UBI9/RHEL9#2562
@tommartensen fyi this is the parallel scanner update for UBI9. In this, we also have to add the update-ca-trust workaround for UBI9 changed perms on second execution. The arm build fails because tar hits a bug in a syscall in qemu; I still have some debug logging around that, and I expect the arm arch build to fail because of it.
Migrate all scanner base images from UBI8/RHEL8 to UBI9/RHEL9:

Konflux base images:
- Builder: openshift-golang-builder:rhel_9_golang_1.25
- Scanner runtime: ubi9-minimal
- Scanner DB: rhel9/postgresql-15

Non-Konflux base images:
- Scanner: ubi9-minimal
- Scanner DB: ubi9 / ubi9-minimal
- Vulnerabilities: ubi9-minimal

Other updates:
- Tekton CPE labels: el8 -> el9
- rpms.lock.yaml: xz updated to RHEL 9 version (5.2.5-8.el9_0)
- rpms.rhel.repo: RHEL 8 repos -> RHEL 9 repos
- PostgreSQL download script: pg_rhel_major=9
- Image name labels: rhel8 -> rhel9
- microdnf install -y xz (explicit -y for UBI9 compatibility)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
In UBI9, update-ca-trust fails when running as an unprivileged user (nobody:nobody) because it attempts to write to system-wide paths. Use the -o flag to specify a user-writable output directory. Also switch restore-all-dir-contents to use --no-clobber to avoid overwriting CA trust files that were already updated at runtime.

See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@tommartensen could you review this? (the ubi9 upgrade for scanner(v2); includes the update-ca-trust permissions workaround)
tommartensen left a comment:
LGTM to me from a Konflux perspective. Have you deployed and smoke tested the resulting images (like we did for collector)?
Yes, I tested with these changes (minus the master-merge [empty] commits). I'll re-do the smoke test with this and the latest master collector builds.
Note to self and @stackrox/scanner: we need to follow up on #2092 and update the image for s390x to avoid using a different version of psql.
| update-ca-trust extract | ||
| # The -o flag is required for running as an unprivileged user in containers. | ||
| # See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240 | ||
| update-ca-trust extract -o /etc/pki/ca-trust/extracted |
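Review bot: The comment on the `update-ca-trust extract -o /etc/pki/ca-trust/extracted` line should state that /etc/pki/ca-trust/extracted is already the script's default destination and that -o is passed only to select update-ca-trust's user-destination (USER_DEST) code path, which skips the system-wide writes that fail for nobody:nobody; as written, "The -o flag is required for running as an unprivileged user" reads as if the output location were being moved, which is exactly the question this thread raises. Suggested wording: `# -o re-states the default output dir; passing it selects the non-root (USER_DEST) path in update-ca-trust`. The same comment is a good place to mention that the entrypoint's restore step must use --no-clobber so a runtime extract is not overwritten, since the commit message ties the two changes together.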
I'd like to understand this better.
Is this path /etc/pki/ca-trust/extracted referenced somewhere? Is it defaulted to somewhere?
I think it's self-referential: https://src.fedoraproject.org/rpms/ca-certificates/blob/rawhide/f/update-ca-trust#_129-138
/etc/pki/ca-trust/extracted is the default. We're re-setting it to get the non-root user operation of setting a -o path.
Here you can see it hardcoded in the version of update-ca-trust in ubi9-minimal: https://pkgs.devel.redhat.com/cgit/rpms/ca-certificates/tree/update-ca-trust?h=rhel-9.4.0#n10
And this explains why we need to use the -o arg: https://pkgs.devel.redhat.com/cgit/rpms/ca-certificates/tree/update-ca-trust?h=rhel-9.4.0#n88
long-version:
In UBI8, the update-ca-trust trust extract execution did not change the permissions on the files it wrote. In the version in UBI9, the directory-hash output was added and write permissions are removed when it is written.
The -o(USER_DEST) arg was added to allow running as non-root because it does a chmod +/- around adding links into the directory-hash directory: https://src.fedoraproject.org/rpms/ca-certificates/pull-request/8#request_diff
Looking forward in https://src.fedoraproject.org/rpms/ca-certificates/c/7dc60cb it was reworked but changes it so the symlinks are only added when the USER_DIR is not specified (so we will still need the -o arg if the ca-certificates package updates are backported).
example usage: here this path is in the search paths for golang ssl: https://go.dev/src/crypto/x509/root_linux.go
more information in the man page, https://www.linux.org/docs/man8/update-ca-trust.html
Far future / TODO: The cert setup could be re-worked for these images so that it does not rely on update-ca-trust to add custom certs. Maybe that part isn't needed anymore, but I think that reaches outside of the scope of upgrading to UBI9. There was discussion about init container instead of the double-run that sensor and scanner do, and there are other options especially when we eventually switch to the golang built-in ssl.
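Added example, not code from this PR or from the scanner repository: what the "golang built-in ssl" option mentioned above looks like in practice. Go's crypto/x509 loads the system roots itself (on Linux from /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem among other paths, or from the files and directories named by SSL_CERT_FILE / SSL_CERT_DIR when those are set), so a process can append an operator-supplied CA bundle to that pool at startup and hand it to tls.Config, without ever running update-ca-trust and therefore without caring whether the UBI9 version chmods its output. The CA, the leaf certificate, the hostname example.internal and the bundle path custom-ca.pem are all constructed here for illustration and are not part of the project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// makeCAAndLeaf is a constructed fixture, not real data: a throwaway CA and a
// server certificate it signs for example.internal. The CA stands in for a
// customer CA that an operator would mount into the container.
func makeCAAndLeaf() (caPEM []byte, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.internal"},
		DNSNames:  []string{"example.internal"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf, nil
}

// rootPoolWithExtra returns the system roots Go loaded on its own (no
// update-ca-trust involved) plus every certificate in extraBundle, when given.
// A missing or empty bundle is an error, not a silent fall-through, so a bad
// mount is noticed at startup rather than as a TLS failure later.
func rootPoolWithExtra(extraBundle string) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool() // no readable system store; start empty
	}
	if extraBundle == "" {
		return pool, nil
	}
	data, err := os.ReadFile(extraBundle)
	if err != nil {
		return nil, err
	}
	if !pool.AppendCertsFromPEM(data) {
		return nil, fmt.Errorf("%s: no certificates found", extraBundle)
	}
	return pool, nil
}

// chainsTo reports whether leaf verifies as a server certificate for host
// against roots, which is the decision tls.Config{RootCAs: roots} would make.
func chainsTo(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	caPEM, leaf, err := makeCAAndLeaf()
	if err != nil {
		panic(err)
	}
	dir, _ := os.MkdirTemp("", "extra-ca")
	defer os.RemoveAll(dir)
	bundle := filepath.Join(dir, "custom-ca.pem") // assumed mount path, illustration only
	if err := os.WriteFile(bundle, caPEM, 0o600); err != nil {
		panic(err)
	}
	sysOnly, _ := rootPoolWithExtra("")
	withCA, err := rootPoolWithExtra(bundle)
	if err != nil {
		panic(err)
	}
	fmt.Println("system roots only:", chainsTo(leaf, sysOnly, "example.internal"))
	fmt.Println("system roots + custom CA:", chainsTo(leaf, withCA, "example.internal"))
}
```

Two caveats for anyone adopting this in place of the double-run: Go reads SSL_CERT_FILE / SSL_CERT_DIR only the first time the system pool is loaded, so they must be set before the first TLS call in the process, and SystemCertPool returns a copy, so appending to it changes nothing for other libraries in the same image that still read the extracted bundle from disk.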
…migration

# Conflicts:
#	image/db/rhel/konflux.Dockerfile
The test failures are not related to UBI9/changes in this PR.
#2888
…migration

# Conflicts:
#	image/db/rhel/konflux.Dockerfile
Description
Migrates scanner builds from UBI8/RHEL8 to UBI9/RHEL9 base images.

Key Changes

Konflux Base Images:
- Builder: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.24
- Scanner runtime: registry.access.redhat.com/ubi9-minimal:latest
- Scanner DB: registry.redhat.io/rhel9/postgresql-15:latest
- Image names: rhacs-scanner-rhel9, rhacs-scanner-slim-rhel9, rhacs-scanner-db-rhel9, rhacs-scanner-db-slim-rhel9

Non-Konflux Base Images:
- Scanner: ubi9-minimal
- Scanner DB: ubi9 / ubi9-minimal
- Vulnerabilities: ubi9-minimal

RPM/Repo Updates:
- rpms.lock.yaml: xz updated from RHEL 8 (5.2.4) to RHEL 9 (5.2.5)
- rpms.rhel.repo: repos updated from rhel8 to rhel9
- PostgreSQL download script: pg_rhel_major=9

Tekton Labels:
- el8 → el9

UBI9 Compatibility Fixes:
- update-ca-trust extract -o /etc/pki/ca-trust/extracted for unprivileged containers (RHBZ#2241240)
- cp --recursive --no-dereference --no-clobber in restore-all-dir-contents
- microdnf install -y xz (explicit -y flag)

Testing Performed
TBD