@guicassolato guicassolato commented Jul 26, 2022

Changes container base image to Red Hat UBI 8 images.

As a side effect, image size will grow from ~25-27 MB to ~59-63 MB (depending on the platform – linux/arm64 or linux/amd64, respectively).

On the good side, automated security scans in Quay.io will work (closes #310).

@guicassolato guicassolato self-assigned this Jul 26, 2022
@guicassolato guicassolato requested review from gsaslis and a team July 26, 2022 16:09
@guicassolato guicassolato force-pushed the ubi8 branch 3 times, most recently from 9494aa5 to defd03e Compare July 26, 2022 17:37
- Builder: go-toolset
- Runtime: ubi-minimal
FROM golang:1.17 as builder

FROM registry.access.redhat.com/ubi8/go-toolset:1.17.10 as builder
USER root
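
Review bot: `USER root` in the builder stage has no comment saying why root is required, and nothing in the visible lines switches back to an unprivileged user afterwards. Add a one-line comment above it naming the build step that needs root, and make sure the runtime stage ends with an explicit non-root `USER` so the elevated user stays confined to the builder.
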
Collaborator Author

When you build an image on a Red Hat UBI that includes a language runtime, the user is already switched to a non-root user named default.

Source: https://developers.redhat.com/articles/2021/11/11/best-practices-building-images-pass-red-hat-container-certification#best_practice__2__make_the_image_run_as_a_non_root_user

@gsaslis gsaslis left a comment

This is a very welcome change in terms of minimizing upstream-downstream Dockerfile drift for any Red Hat product images built from this source code (for which we have to rely on official Red Hat parent images), so a big 👍🏼 from me here.

@@ -1,17 +1,15 @@
# Build the authorino binary
FROM golang:1.17 as builder

FROM registry.access.redhat.com/ubi8/go-toolset:1.17.10 as builder
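
Review bot: The `FROM registry.access.redhat.com/ubi8/go-toolset:1.17.10` line pins a patch-level tag, so rebuilds will not pick up later 1.17.x toolset fixes until someone bumps it by hand, while a tag can still be repointed at a different image in the registry. Make the policy explicit: either pin by digest (`go-toolset@sha256:<digest>`, placeholder) and automate the bumps, or add a comment next to the `FROM` line stating why this patch level is fixed and who updates it.
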
Collaborator

might want to use 1.17 floating tag?

Collaborator Author

Same conversation going on here: Kuadrant/authorino-operator#85 (comment)

@guicassolato guicassolato merged commit 034fecc into main Jul 27, 2022
@guicassolato guicassolato deleted the ubi8 branch July 27, 2022 08:20
Development

Successfully merging this pull request may close these issues.

Better support for automated security scans