ROX-10613: Use ubi-minimal for scanner-db (#956)

janisz · vladbologa · web-flow · commit 1cf4201be3cf · 2022-10-26T15:02:31.000+02:00
Co-authored-by: Vlad Bologa &lt;vbologa@redhat.com&gt;
diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile
@@ -1,12 +1,12 @@
 ARG BASE_REGISTRY=registry.access.redhat.com
-ARG BASE_IMAGE=ubi8/ubi
+ARG BASE_IMAGE=ubi8-minimal
 ARG BASE_TAG=8.6
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle
 COPY bundle.tar.gz /
 
 WORKDIR /bundle
-RUN tar -xzf /bundle.tar.gz
+RUN microdnf -y install tar gzip && tar -zxf /bundle.tar.gz
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS base
 
@@ -25,18 +25,30 @@ COPY --from=extracted_bundle /bundle/etc/postgresql.conf /bundle/etc/pg_hba.conf
 
 ARG POSTGRESQL_ARCH=x86_64
 
-RUN groupadd -g 70 postgres && \
+RUN curl -sSLf https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG-${PG_MAJOR} -o /tmp/pg_repo.key && \
+    rpm --import /tmp/pg_repo.key && \
+    curl -sSLf https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-${POSTGRESQL_ARCH}/pgdg-redhat-repo-latest.noarch.rpm -o /tmp/pg_repo.rpm && \
+    rpm -i /tmp/pg_repo.rpm && \
+    # Skip repo check for ARM as it's used only for development purposes and package has wrong signature.
+    if [[ "$POSTGRESQL_ARCH" == "aarch64" ]]; then sed -i 's/repo_gpgcheck = 1/repo_gpgcheck = 0/g' /etc/yum.repos.d/pgdg-redhat-all.repo; fi && \
+    microdnf upgrade -y && \
+    microdnf install -y shadow-utils && \
+    groupadd -g 70 postgres && \
     adduser postgres -u 70 -g 70 -d /var/lib/postgresql -s /bin/sh && \
-    dnf upgrade -y && \
-    dnf install -y \
+    microdnf install -y \
         ca-certificates libicu systemd-sysv glibc-locale-source glibc-langpack-en \
-        https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-${POSTGRESQL_ARCH}/pgdg-redhat-repo-latest.noarch.rpm && \
-    dnf install -y postgresql12-server && \
-    dnf clean all && \
+        postgresql12-server && \
+    # The removal of /usr/share/zoneinfo from UBI minimal images is intentional.
+    # After building the image, the image is reduced in size as much as possible,
+    # and the /usr/share/zoneinfo directory is purged as it saves space
+    # in the final distribution of the image.
+    # https://access.redhat.com/solutions/5616681
+    microdnf reinstall tzdata && \
+    microdnf clean all && \
     rpm -e --nodeps $(rpm -qa 'pgdg-redhat-repo*') && \
     # (Optional) Remove line below to keep package management utilities
-    rpm -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
-    rm -rf /var/cache/dnf /var/cache/yum && \
+    rpm -e --nodeps $(rpm -qa shadow-utils curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
+    rm -rf /var/cache/dnf /var/cache/yum  /tmp/pg_repo.rpm /tmp/pg_repo.key && \
     localedef -f UTF-8 -i en_US en_US.UTF-8 && \
     chown postgres:postgres /usr/local/bin/docker-entrypoint.sh && \
     chmod +x /usr/local/bin/docker-entrypoint.sh && \
diff --git a/image/db/rhel/Dockerfile.slim b/image/db/rhel/Dockerfile.slim
@@ -1,12 +1,12 @@
 ARG BASE_REGISTRY=registry.access.redhat.com
-ARG BASE_IMAGE=ubi8/ubi
+ARG BASE_IMAGE=ubi8-minimal
 ARG BASE_TAG=8.6
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle
 COPY bundle.tar.gz /
 
 WORKDIR /bundle
-RUN tar -xzf /bundle.tar.gz
+RUN microdnf -y install tar gzip && tar -zxf /bundle.tar.gz
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS base
 
@@ -25,18 +25,30 @@ COPY --from=extracted_bundle /bundle/etc/postgresql.conf /bundle/etc/pg_hba.conf
 
 ARG POSTGRESQL_ARCH=x86_64
 
-RUN groupadd -g 70 postgres && \
+RUN curl -sSLf https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG-${PG_MAJOR} -o /tmp/pg_repo.key && \
+    rpm --import /tmp/pg_repo.key && \
+    curl -sSLf https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-${POSTGRESQL_ARCH}/pgdg-redhat-repo-latest.noarch.rpm -o /tmp/pg_repo.rpm && \
+    rpm -i /tmp/pg_repo.rpm && \
+    # Skip repo check for ARM as it's used only for development purposes and package has wrong signature.
+    if [[ "$POSTGRESQL_ARCH" == "aarch64" ]]; then sed -i 's/repo_gpgcheck = 1/repo_gpgcheck = 0/g' /etc/yum.repos.d/pgdg-redhat-all.repo; fi && \
+    microdnf upgrade -y && \
+    microdnf install -y shadow-utils && \
+    groupadd -g 70 postgres && \
     adduser postgres -u 70 -g 70 -d /var/lib/postgresql -s /bin/sh && \
-    dnf upgrade -y && \
-    dnf install -y \
+    microdnf install -y \
         ca-certificates libicu systemd-sysv glibc-locale-source glibc-langpack-en \
-        https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-${POSTGRESQL_ARCH}/pgdg-redhat-repo-latest.noarch.rpm && \
-    dnf install -y postgresql12-server && \
-    dnf clean all && \
+        postgresql12-server && \
+    # The removal of /usr/share/zoneinfo from UBI minimal images is intentional.
+    # After building the image, the image is reduced in size as much as possible,
+    # and the /usr/share/zoneinfo directory is purged as it saves space
+    # in the final distribution of the image.
+    # https://access.redhat.com/solutions/5616681
+    microdnf reinstall tzdata && \
+    microdnf clean all && \
     rpm -e --nodeps $(rpm -qa 'pgdg-redhat-repo*') && \
     # (Optional) Remove line below to keep package management utilities
-    rpm -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
-    rm -rf /var/cache/dnf /var/cache/yum && \
+    rpm -e --nodeps $(rpm -qa shadow-utils curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
+    rm -rf /var/cache/dnf /var/cache/yum  /tmp/pg_repo.rpm /tmp/pg_repo.key && \
     localedef -f UTF-8 -i en_US en_US.UTF-8 && \
     chown postgres:postgres /usr/local/bin/docker-entrypoint.sh && \
     chmod +x /usr/local/bin/docker-entrypoint.sh && \
