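--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -396,6 +396,16 @@ jobs:
 name: scanner-db-bundle
 path: image/db/rhel
 
+# Extract bundles on the host to avoid tar issues under QEMU emulation for arm64
+- name: Extract bundles on host
+run: |
+# Extract scanner bundle
+mkdir -p image/scanner/rhel/bundle
+tar -xzf image/scanner/rhel/bundle.tar.gz -C image/scanner/rhel/bundle
+# Extract scanner-db bundle
+mkdir -p image/db/rhel/bundle
+tar -xzf image/db/rhel/bundle.tar.gz -C image/db/rhel/bundle
+
 - name: Build scanner image
 run: |
 docker buildx build --platform "${{ matrix.goos }}/${{ matrix.goarch }}" --load -t stackrox/scanner:"$(make --no-print-directory --quiet tag)" $(make GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} image-build-args) -f image/scanner/rhel/Dockerfile image/scanner/rhel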
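Review bot: `mkdir -p` followed by `tar -xzf` merges the archive into whatever already sits in image/scanner/rhel/bundle and image/db/rhel/bundle, so on a reused workspace (self-hosted runner, or a re-run that restores the checkout) stale files from an earlier bundle would be picked up by the Dockerfiles' `COPY bundle/...` lines. Recreate the directory before extracting, `rm -rf image/scanner/rhel/bundle && mkdir -p image/scanner/rhel/bundle`, and the same for image/db/rhel/bundle. GitHub-hosted runners start from an empty workspace, so this is belt-and-braces there, but it makes the step correct wherever it runs.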
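--- a/.tekton/scanner-build.yaml
+++ b/.tekton/scanner-build.yaml
@@ -56,7 +56,7 @@ spec:
 - name: extra-labels
 value:
 # X.Y in the cpe label must be adjusted for every version stream.
-- "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+- "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
 
 workspaces:
 - name: git-auth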
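--- a/.tekton/scanner-db-build.yaml
+++ b/.tekton/scanner-db-build.yaml
@@ -53,7 +53,7 @@ spec:
 - name: extra-labels
 value:
 # X.Y in the cpe label must be adjusted for every version stream.
-- "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+- "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
 
 workspaces:
 - name: git-auth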
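--- a/.tekton/scanner-db-slim-build.yaml
+++ b/.tekton/scanner-db-slim-build.yaml
@@ -53,7 +53,7 @@ spec:
 - name: extra-labels
 value:
 # X.Y in the cpe label must be adjusted for every version stream.
-- "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+- "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
 
 workspaces:
 - name: git-auth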
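--- a/.tekton/scanner-slim-build.yaml
+++ b/.tekton/scanner-slim-build.yaml
@@ -56,7 +56,7 @@ spec:
 - name: extra-labels
 value:
 # X.Y in the cpe label must be adjusted for every version stream.
-- "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+- "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
 
 workspaces:
 - name: git-auth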
15 changes: 6 additions & 9 deletions image/db/rhel/Dockerfile
@@ -1,16 +1,13 @@
ARG RPMS_REGISTRY=registry.access.redhat.com
ARG RPMS_BASE_IMAGE=ubi8
ARG RPMS_BASE_IMAGE=ubi9
ARG RPMS_BASE_TAG=latest

ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi8-minimal
ARG BASE_IMAGE=ubi9-minimal
ARG BASE_TAG=latest

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle
COPY bundle.tar.gz /

WORKDIR /bundle
RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz
# Bundle is pre-extracted on the host to avoid tar issues under QEMU emulation.
# The bundle/ directory should contain: etc/, docker-entrypoint-initdb.d/

FROM ${RPMS_REGISTRY}/${RPMS_BASE_IMAGE}:${RPMS_BASE_TAG} AS postgres_rpms

Expand Down Expand Up @@ -38,7 +35,7 @@ ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/" \

COPY signatures/PGDG-RPM-GPG-KEY-RHEL /
COPY scripts/docker-entrypoint.sh /usr/local/bin/
COPY --from=extracted_bundle /bundle/etc/postgresql.conf /bundle/etc/pg_hba.conf /etc/
COPY bundle/etc/postgresql.conf bundle/etc/pg_hba.conf /etc/
COPY --from=postgres_rpms /rpms/postgres.rpm /rpms/postgres-libs.rpm /rpms/postgres-server.rpm /rpms/postgres-contrib.rpm /tmp/

RUN microdnf upgrade -y --nobest && \
Expand Down Expand Up @@ -78,7 +75,7 @@ RUN microdnf upgrade -y --nobest && \
# This is equivalent to postgres:postgres.
USER 70:70

COPY --from=extracted_bundle /bundle/docker-entrypoint-initdb.d/definitions.sql.gz /docker-entrypoint-initdb.d/
COPY bundle/docker-entrypoint-initdb.d/definitions.sql.gz /docker-entrypoint-initdb.d/

ENTRYPOINT ["docker-entrypoint.sh"]

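Review bot: With the `extracted_bundle` stage gone, `bundle/` is an input of the build context rather than something this Dockerfile produces, yet the only producer visible on this page is the new CI step; if the Makefile's image targets do not extract it as well, a plain `docker build` from a checkout now fails at the first `COPY bundle/...` with a not-found error. The replacement comment should name the producer, e.g. `# bundle/ is NOT created here: extract bundle.tar.gz next to this Dockerfile first (CI does this in the "Extract bundles on host" step).` Nothing COPYs `bundle.tar.gz` any more, so it only inflates the context sent to the daemon; add it to the .dockerignore beside these Dockerfiles if it is not already excluded. The same applies to image/db/rhel/Dockerfile.slim and to both image/scanner/rhel Dockerfiles.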
13 changes: 5 additions & 8 deletions image/db/rhel/Dockerfile.slim
@@ -1,16 +1,13 @@
ARG RPMS_REGISTRY=registry.access.redhat.com
ARG RPMS_BASE_IMAGE=ubi8
ARG RPMS_BASE_IMAGE=ubi9
ARG RPMS_BASE_TAG=latest

ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi8-minimal
ARG BASE_IMAGE=ubi9-minimal
ARG BASE_TAG=latest

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle
COPY bundle.tar.gz /

WORKDIR /bundle
RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz
# Bundle is pre-extracted on the host to avoid tar issues under QEMU emulation.
# The bundle/ directory should contain: etc/

FROM ${RPMS_REGISTRY}/${RPMS_BASE_IMAGE}:${RPMS_BASE_TAG} AS postgres_rpms

Expand Down Expand Up @@ -38,7 +35,7 @@ ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/" \

COPY signatures/PGDG-RPM-GPG-KEY-RHEL /
COPY scripts/docker-entrypoint.sh /usr/local/bin/
COPY --from=extracted_bundle /bundle/etc/postgresql.conf /bundle/etc/pg_hba.conf /etc/
COPY bundle/etc/postgresql.conf bundle/etc/pg_hba.conf /etc/
COPY --from=postgres_rpms /rpms/postgres.rpm /rpms/postgres-libs.rpm /rpms/postgres-server.rpm /rpms/postgres-contrib.rpm /tmp/

RUN microdnf upgrade -y --nobest && \
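--- a/image/db/rhel/konflux.Dockerfile
+++ b/image/db/rhel/konflux.Dockerfile
@@ -1,4 +1,4 @@
-FROM registry.redhat.io/rhel8/postgresql-15:latest@sha256:9790ea7c445759dcf7a81061948b355aab849f72b2a74f098d3c946dcaeed830 AS scanner-db-common
+FROM registry.redhat.io/rhel9/postgresql-15:latest AS scanner-db-common
 
 ARG SCANNER_TAG
 RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi
@@ -57,7 +57,7 @@ FROM scanner-db-common AS scanner-db-slim
 LABEL \
 com.redhat.component="rhacs-scanner-db-slim-container" \
 io.k8s.display-name="scanner-db-slim" \
-name="advanced-cluster-security/rhacs-scanner-db-slim-rhel8"
+name="advanced-cluster-security/rhacs-scanner-db-slim-rhel9"
 
 ENV ROX_SLIM_MODE="true"
 
@@ -67,7 +67,7 @@ FROM scanner-db-common AS scanner-db
 LABEL \
 com.redhat.component="rhacs-scanner-db-container" \
 io.k8s.display-name="scanner-db" \
-name="advanced-cluster-security/rhacs-scanner-db-rhel8"
+name="advanced-cluster-security/rhacs-scanner-db-rhel9"
 
 COPY --chown=0:0 .konflux/scanner-data/blob-pg-definitions.sql.gz \
 /docker-entrypoint-initdb.d/definitions.sql.gz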
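Review bot: The new `FROM registry.redhat.io/rhel9/postgresql-15:latest AS scanner-db-common` drops the `@sha256:` digest that the replaced line carried, so the build now resolves a floating `latest` tag and is no longer reproducible or verifiable against a known base; the same happens in image/scanner/rhel/konflux.Dockerfile for the `openshift-golang-builder:rhel_9_1.24` and `ubi9-minimal:latest` FROM lines. Pin again once the rhel9 image is settled, `FROM registry.redhat.io/rhel9/postgresql-15:latest@sha256:<digest-of-chosen-image> AS scanner-db-common`. If the digest is deliberately left out for the Konflux dependency bot to fill in on its next run, say so in a comment above the line so the unpinned state is not mistaken for the intended final form.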
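--- a/image/db/rhel/scripts/download.sh
+++ b/image/db/rhel/scripts/download.sh
@@ -4,7 +4,7 @@ set -euo pipefail
 
 # If this is updated, be sure to update PG_MAJOR in the Dockerfile and the signature file.
 postgres_major=15
-pg_rhel_major=8
+pg_rhel_major=9
 
 arch="$(uname -m)"
 dnf_list_args=()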
23 changes: 10 additions & 13 deletions image/scanner/rhel/Dockerfile
@@ -1,12 +1,9 @@
ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi8-minimal
ARG BASE_IMAGE=ubi9-minimal
ARG BASE_TAG=latest

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle

COPY bundle.tar.gz /
WORKDIR /bundle
RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz
# Bundle is pre-extracted on the host to avoid tar issues under QEMU emulation.
# The bundle/ directory should contain: scanner, THIRD_PARTY_NOTICES/, nvd_definitions/, etc.

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS base

Expand All @@ -27,9 +24,9 @@ SHELL ["/bin/sh", "-o", "pipefail", "-c"]

COPY scripts /

COPY --from=extracted_bundle /bundle/scanner ./
COPY bundle/scanner ./

COPY --from=extracted_bundle /bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
COPY bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/

RUN microdnf upgrade -y --nobest && \
microdnf install -y xz && \
Expand All @@ -51,11 +48,11 @@ ENV K8S_DEFINITIONS_DIR="/k8s_definitions"
ENV ISTIO_DEFINITIONS_DIR="/istio_definitions"
ENV REPO_TO_CPE_DIR="/repo2cpe"

COPY --chown=65534:65534 --from=extracted_bundle "/bundle${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/"
COPY --chown=65534:65534 --from=extracted_bundle "/bundle${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/"
COPY --chown=65534:65534 --from=extracted_bundle "/bundle${ISTIO_DEFINITIONS_DIR}/" ".${ISTIO_DEFINITIONS_DIR}/"
COPY --chown=65534:65534 --from=extracted_bundle "/bundle${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
COPY --chown=65534:65534 --from=extracted_bundle /bundle/genesis_manifests.json ./
COPY --chown=65534:65534 "bundle${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/"
COPY --chown=65534:65534 "bundle${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/"
COPY --chown=65534:65534 "bundle${ISTIO_DEFINITIONS_DIR}/" ".${ISTIO_DEFINITIONS_DIR}/"
COPY --chown=65534:65534 "bundle${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
COPY --chown=65534:65534 bundle/genesis_manifests.json ./

# This is equivalent to nobody:nobody.
USER 65534:65534
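Review bot: The comment `# The bundle/ directory should contain: scanner, THIRD_PARTY_NOTICES/, nvd_definitions/, etc.` hides behind "etc." exactly the inputs a reader needs when one of the COPY lines fails, while the COPY lines lower in the file spell them out. Make the list match the COPYs: `# The bundle/ directory must contain: scanner, THIRD_PARTY_NOTICES/, nvd_definitions/, k8s_definitions/, istio_definitions/, repo2cpe/, genesis_manifests.json`. The equivalent comment in image/scanner/rhel/Dockerfile.slim omits genesis_manifests.json, which that file also copies.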
17 changes: 7 additions & 10 deletions image/scanner/rhel/Dockerfile.slim
@@ -1,12 +1,9 @@
ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi8-minimal
ARG BASE_IMAGE=ubi9-minimal
ARG BASE_TAG=latest

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle

COPY bundle.tar.gz /
WORKDIR /bundle
RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz
# Bundle is pre-extracted on the host to avoid tar issues under QEMU emulation.
# The bundle/ directory should contain: scanner, THIRD_PARTY_NOTICES/, repo2cpe/

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS base

Expand All @@ -27,9 +24,9 @@ SHELL ["/bin/sh", "-o", "pipefail", "-c"]

COPY scripts /

COPY --from=extracted_bundle /bundle/scanner ./
COPY bundle/scanner ./

COPY --from=extracted_bundle /bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
COPY bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/

RUN microdnf upgrade -y --nobest && \
microdnf install -y xz && \
Expand All @@ -48,8 +45,8 @@ RUN microdnf upgrade -y --nobest && \

ENV REPO_TO_CPE_DIR="/repo2cpe"

COPY --chown=65534:65534 --from=extracted_bundle "/bundle${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
COPY --chown=65534:65534 --from=extracted_bundle /bundle/genesis_manifests.json ./
COPY --chown=65534:65534 "bundle${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
COPY --chown=65534:65534 bundle/genesis_manifests.json ./

# This is equivalent to nobody:nobody.
USER 65534:65534
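--- a/image/scanner/rhel/konflux.Dockerfile
+++ b/image/scanner/rhel/konflux.Dockerfile
@@ -1,5 +1,5 @@
 # Compiling scanner binaries and staging repo2cpe and genesis manifests
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.24@sha256:176e92de4ef14982b4309ff81465595efb2f02369e726a36270d96a96a9e7f4c AS builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.24 AS builder
 
 ARG SCANNER_TAG
 RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi
@@ -28,7 +28,7 @@ COPY .konflux/scanner-data/blob-genesis_manifests.json image/scanner/dump/genesi
 
 
 # Common base for scanner slim and full
-FROM registry.access.redhat.com/ubi8-minimal:latest@sha256:fba1e7fb1f50cd7b021c8379f207fb744b00ff55c7f539f15b40709a38cb4cde AS scanner-common
+FROM registry.access.redhat.com/ubi9-minimal:latest AS scanner-common
 
 ARG SCANNER_TAG
 
@@ -59,7 +59,7 @@ COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifest
 
 COPY LICENSE /licenses/LICENSE
 
-RUN microdnf install xz && \
+RUN microdnf install -y xz && \
 microdnf clean all && \
 # (Optional) Remove line below to keep package management utilities
 # We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
@@ -85,7 +85,7 @@ FROM scanner-common AS scanner-slim
 LABEL \
 com.redhat.component="rhacs-scanner-slim-container" \
 io.k8s.display-name="scanner-slim" \
-name="advanced-cluster-security/rhacs-scanner-slim-rhel8"
+name="advanced-cluster-security/rhacs-scanner-slim-rhel9"
 
 ENV ROX_SLIM_MODE="true"
 
@@ -96,7 +96,7 @@ FROM scanner-common AS scanner
 LABEL \
 com.redhat.component="rhacs-scanner-container" \
 io.k8s.display-name="scanner" \
-name="advanced-cluster-security/rhacs-scanner-rhel8"
+name="advanced-cluster-security/rhacs-scanner-rhel9"
 
 ENV NVD_DEFINITIONS_DIR="/nvd_definitions"
 ENV K8S_DEFINITIONS_DIR="/k8s_definitions"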
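--- a/image/scanner/scripts/import-additional-cas
+++ b/image/scanner/scripts/import-additional-cas
@@ -8,7 +8,8 @@ set -euo pipefail
 copy_existing () {
 src=$1
 if [ -d "$src" ] && [ "$(ls -A -I "..*" "$src")" ]; then
-cp -v -L "$src"/* /etc/pki/ca-trust/source/anchors
+cp --verbose --dereference --update \
+"$src"/* /etc/pki/ca-trust/source/anchors
 else
 echo "No certificates found in $src"
 fi
@@ -19,4 +20,13 @@ copy_existing /usr/local/share/ca-certificates
 # Copy the custom trusted CA bundles injected by the Openshift Network Operator.
 copy_existing /etc/pki/injected-ca-trust
 
-update-ca-trust extract
+# update-ca-trust runs `chmod u-w "$DEST/pem/directory-hash"` at the end. Add
+# it back before running update-ca-trust again. Currently only relevant for
+# sensor since its init-container and main service both run this script.
+if [ -d "/etc/pki/ca-trust/extracted/pem/directory-hash" ]; then
+chmod u+w /etc/pki/ca-trust/extracted/pem/directory-hash
+fi
+
+# Though /etc/pki/ca-trust/extracted is the default output, update-ca-trust
+# will create the necessary directories if the `--output` flag is used.
+update-ca-trust extract --output /etc/pki/ca-trust/extracted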
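Review bot: `cp --verbose --dereference --update` decides per file by mtime, so a certificate whose content changed but whose mtime is not newer than the anchor already present in /etc/pki/ca-trust/source/anchors is silently left as-is, and the trust store is then re-extracted from the stale anchor. Nothing in the hunk says whether `--update` is there for idempotent re-runs or to tolerate a pre-populated destination, so state it, e.g. `# --update: the init container and the main container both run this; anchors that are already current are left alone instead of being rewritten.` The `chmod u+w` on the extracted directory-hash only succeeds for the directory's owner or root; if this script can run as 65534 in an image where /etc/pki/ca-trust/extracted is still root-owned, `set -e` aborts the script at that line, which is worth confirming against the image's init-dir setup. The same two points apply to image/scanner/scripts/trust-root-ca.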
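--- a/image/scanner/scripts/restore-all-dir-contents
+++ b/image/scanner/scripts/restore-all-dir-contents
@@ -4,4 +4,4 @@ set -euo pipefail
 
 [ -d /.init-dirs ] || exit 0
 
-cp -rfP /.init-dirs/* /
+cp --recursive --no-dereference --no-clobber /.init-dirs/* /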
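Review bot: Replacing `cp -rfP` with `cp --recursive --no-dereference --no-clobber` is not just a spelling change: `-f` forced overwrites, `--no-clobber` never overwrites, so files already present under / now win over the /.init-dirs snapshot. That is a deliberate policy and deserves a line of its own, e.g. `# Only restore what is missing; never overwrite files that already exist (e.g. data written into a mounted volume).` Upstream coreutils has, as far as I recall, changed the exit status of skipped `--no-clobber` copies between recent releases, so with `set -euo pipefail` stating the intended semantics explicitly also protects against a base-image bump turning a skipped file into a failed script.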
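--- a/image/scanner/scripts/trust-root-ca
+++ b/image/scanner/scripts/trust-root-ca
@@ -5,5 +5,14 @@ set -euo pipefail
 CA_PATH="/run/secrets/stackrox.io/certs/ca.pem"
 
 # For RHEL
-cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem
-update-ca-trust
+cp --update "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem
+
+# update-ca-trust runs `chmod u-w "$DEST/pem/directory-hash"` at the end. Add
+# it back before running update-ca-trust again.
+if [ -d "/etc/pki/ca-trust/extracted/pem/directory-hash" ]; then
+chmod u+w /etc/pki/ca-trust/extracted/pem/directory-hash
+fi
+
+# Though /etc/pki/ca-trust/extracted is the default output, update-ca-trust
+# will create the necessary directories if the `--output` flag is used.
+update-ca-trust extract --output /etc/pki/ca-trust/extracted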
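--- a/image/vulnerabilities/Dockerfile
+++ b/image/vulnerabilities/Dockerfile
@@ -1,5 +1,5 @@
 ARG BASE_REGISTRY=registry.access.redhat.com
-ARG BASE_IMAGE=ubi8-minimal
+ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}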