Skip to content

ROX-33559: Migrate collector images from UBI-minimal to UBI-micro #3021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
janisz merged 35 commits into from
Mar 16, 2026
Merged

ROX-33559: Migrate collector images from UBI-minimal to UBI-micro #3021

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
895a2fb
chore: Optimize UBI-micro Dockerfiles with --installroot pattern
janisz Mar 4, 2026
13c20e2
fix: Use UBI instead of UBI-minimal for package_installer
janisz Mar 4, 2026
24fab83
fix: Preserve ubi-micro rpmdb by copying to /out first
janisz Mar 4, 2026
320bc59
fix: Add openssl package for FIPS support
janisz Mar 4, 2026
7970f98
fix: Add missing runtime libraries (libuuid, libstdc++)
janisz Mar 4, 2026
4f4b635
fix: Add runtime packages to rpms.in.yaml for Konflux build
janisz Mar 5, 2026
c9dec44
fix: Add ca-certificates to konflux.Dockerfile
janisz Mar 5, 2026
d1c346e
chore: Consolidate Docker COPY commands to reduce image layers
janisz Mar 5, 2026
419e3a9
fix: Use host repos for dnf --installroot in konflux.Dockerfile
janisz Mar 5, 2026
250d3c8
fix: Add missing runtime packages to konflux.Dockerfile
janisz Mar 6, 2026
4f9dffe
remove unnecessary pacakges
janisz Mar 6, 2026
5c70d69
chore: Replace sed-based Dockerfile.dev generation with static file
janisz Mar 6, 2026
2c0636d
fix: Add libcap-ng runtime dependency to collector images
janisz Mar 6, 2026
1627414
fix
janisz Mar 6, 2026
36d1dc3
fix
janisz Mar 6, 2026
97aedf4
fix
janisz Mar 6, 2026
7c3148d
chore: Rename Dockerfile.dev to dev.Dockerfile
janisz Mar 6, 2026
589a43a
Update rpms.in.yaml
janisz Mar 11, 2026
885bf9a
fix: Make cache cleanup more specific in Dockerfiles
janisz Mar 11, 2026
003f5e8
chore: Use CentOS Stream 10 for dev.Dockerfile
janisz Mar 11, 2026
bae7789
fix: Use floating tags for non-Konflux Dockerfile
janisz Mar 11, 2026
6100f0a
chore: Inline install commands in dev.Dockerfile
janisz Mar 11, 2026
2c75d7c
refactor: Revert COPY consolidation to original pattern
janisz Mar 11, 2026
f0118b4
fix
janisz Mar 11, 2026
55362c7
fix
janisz Mar 11, 2026
467032e
fix
janisz Mar 11, 2026
4aac0ca
Remove --allowearsing
janisz Mar 12, 2026
3bb578c
Apply suggestion from @msugakov
janisz Mar 12, 2026
c0b5266
Apply suggestion from @janisz
janisz Mar 12, 2026
33c7ae4
revert collector/.gitignore
janisz Mar 12, 2026
b72bece
cleanup
janisz Mar 12, 2026
99e49c9
cleanup
janisz Mar 12, 2026
4e10e93
comment gitignore
janisz Mar 13, 2026
277834c
Update collector/container/konflux.Dockerfile
janisz Mar 13, 2026
d04295d
fixes
janisz Mar 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 2 additions & 8 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,6 @@ tag:
builder-tag:
@echo "$(COLLECTOR_BUILDER_TAG)"

.PHONY: container-dockerfile-dev
container-dockerfile-dev:
sed '1s/ubi-minimal/ubi/' $(CURDIR)/collector/container/Dockerfile > \
$(CURDIR)/collector/container/Dockerfile.dev

.PHONY: builder
builder:
ifneq ($(BUILD_BUILDER_IMAGE), false)
Expand Down Expand Up @@ -52,12 +47,11 @@ image: collector
-t quay.io/stackrox-io/collector:$(COLLECTOR_TAG) \
$(COLLECTOR_BUILD_CONTEXT)

image-dev: collector container-dockerfile-dev
image-dev: collector
make -C collector txt-files
docker buildx build --load --platform ${PLATFORM} \
--build-arg COLLECTOR_VERSION="$(COLLECTOR_TAG)" \
--build-arg BUILD_TYPE=devel \
-f collector/container/Dockerfile.dev \
-f collector/container/dev.Dockerfile \
-t quay.io/stackrox-io/collector:$(COLLECTOR_TAG) \
$(COLLECTOR_BUILD_CONTEXT)

Expand Down
2 changes: 1 addition & 1 deletion collector/.gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ cmake-build-rhel/
generated/
collector/protoc-*

# Generated dockerfiles
# Leftover generated dockerfiles from former process, can be removed after a while
container/Dockerfile.dev

# clangd specific files
Expand Down
1 change: 0 additions & 1 deletion collector/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,6 @@ clean:
rm -rf container/LICENSE-kernel-modules.txt
rm -rf container/bin
rm -rf container/THIRD_PARTY_NOTICES
rm -f container/Dockerfile.dev

.PHONY: check
check:
Expand Down
25 changes: 19 additions & 6 deletions collector/container/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,24 @@
FROM registry.access.redhat.com/ubi10/ubi-minimal:latest
FROM registry.access.redhat.com/ubi10/ubi-micro:latest AS ubi-micro-base

FROM registry.access.redhat.com/ubi10/ubi:latest AS package_installer

# Copy ubi-micro base to /out to preserve its rpmdb
COPY --from=ubi-micro-base / /out/

# Install packages directly to /out/ using --installroot
RUN dnf install -y \
--installroot=/out/ \
Comment thread
msugakov marked this conversation as resolved.
--releasever=10 \
--setopt=install_weak_deps=False \
--nodocs \
ca-certificates curl-minimal elfutils-libelf libcap-ng libstdc++ libuuid openssl tbb && \
Comment thread
msugakov marked this conversation as resolved.
dnf clean all --installroot=/out/ && \
rm -rf /out/var/cache/dnf /out/var/cache/yum

FROM ubi-micro-base

ARG BUILD_TYPE=rhel
ARG ROOT_DIR=.
ARG COLLECTOR_VERSION

ENV ROOT_DIR=$ROOT_DIR
ENV COLLECTOR_HOST_ROOT=/host

LABEL name="collector" \
Expand All @@ -16,8 +30,7 @@ LABEL name="collector" \

WORKDIR /

COPY container/${BUILD_TYPE}/install.sh /
RUN ./install.sh && rm -f install.sh
COPY --from=package_installer /out/ /

# Uncomment this line to enable generation of core for collector
# RUN echo '/core/core.%e.%p.%t' > /proc/sys/kernel/core_pattern
Expand Down
38 changes: 38 additions & 0 deletions collector/container/dev.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
FROM quay.io/centos/centos:stream10

ARG COLLECTOR_VERSION

ENV COLLECTOR_HOST_ROOT=/host

LABEL name="collector" \
vendor="StackRox" \
maintainer="support@stackrox.com" \
summary="Runtime data collection for the StackRox Kubernetes Security Platform" \
description="This image supports runtime data collection in the StackRox Kubernetes Security Platform." \
io.stackrox.collector.version="${COLLECTOR_VERSION}"

WORKDIR /

RUN dnf upgrade -y && \
dnf install -y libasan libubsan libtsan elfutils-libelf

# Uncomment this line to enable generation of core for collector
# RUN echo '/core/core.%e.%p.%t' > /proc/sys/kernel/core_pattern

COPY container/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
COPY kernel-modules /kernel-modules
COPY container/bin/collector /usr/local/bin/
COPY container/bin/self-checks /usr/local/bin/self-checks
COPY container/status-check.sh /usr/local/bin/status-check.sh

EXPOSE 8080 9090

HEALTHCHECK \
# health checks within the first 5s are not counted as failure
--start-period=5s \
# perform health check every 5s
--interval=5s \
# the command uses /ready API
CMD /usr/local/bin/status-check.sh

ENTRYPOINT ["collector"]
5 changes: 0 additions & 5 deletions collector/container/devel/install.sh
View file
Open in desktop

This file was deleted.

35 changes: 23 additions & 12 deletions collector/container/konflux.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,18 +79,27 @@ RUN ctest --no-tests=error -V --test-dir "${CMAKE_BUILD_DIR}"
RUN strip -v --strip-unneeded "${CMAKE_BUILD_DIR}/collector/collector"


FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:69f5c9886ecb19b23e88275a5cd904c47dd982dfa370fbbd0c356d7b1047ef68

RUN microdnf -y install --nobest \
tbb \
c-ares \
crypto-policies-scripts \
elfutils-libelf && \
# Enable post-quantum cryptography key exchange for TLS.
update-crypto-policies --set DEFAULT:PQ && \
Comment on lines -89 to -90

@vladbologa vladbologa Jun 11, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was not supposed to be removed. 😩

@msugakov msugakov Jun 11, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I probably overlooked it as a reviewer.

#3448

microdnf -y clean all && \
rpm --verbose -e --nodeps $(rpm -qa 'curl' '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*' 'libyaml*' 'libarchive*') && \
rm -rf /var/cache/dnf /var/cache/yum
FROM registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:093a704be0eaef9bb52d9bc0219c67ee9db13c2e797da400ddb5d5ae6849fa10 AS ubi-micro-base

FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:6ed9f6f637fe731d93ec60c065dbced79273f1e0b5f512951f2c0b0baedb16ad AS package_installer

COPY --from=ubi-micro-base / /out/

# Install packages directly to /out/ using --installroot
# Note: --setopt=reposdir=/etc/yum.repos.d instructs dnf to use repo configurations pointing to RPMs
# prefetched by Hermeto/Cachi2, instead of installroot's default UBI repos.
RUN dnf install -y \
--installroot=/out/ \
--releasever=9 \
--setopt=install_weak_deps=False \
--setopt=reposdir=/etc/yum.repos.d \
--nodocs \
c-ares ca-certificates crypto-policies-scripts elfutils-libelf libcap-ng libcurl-minimal libstdc++ libuuid openssl tbb && \
Comment thread
msugakov marked this conversation as resolved.
dnf clean all --installroot=/out/ && \
rm -rf /out/var/cache/dnf /out/var/cache/yum


FROM ubi-micro-base

ARG COLLECTOR_TAG

Expand Down Expand Up @@ -122,6 +131,8 @@ ARG CMAKE_BUILD_DIR

ENV COLLECTOR_HOST_ROOT=/host

COPY --from=package_installer /out/ /

Comment thread
janisz marked this conversation as resolved.
COPY --from=builder ${CMAKE_BUILD_DIR}/collector/collector /usr/local/bin/
COPY --from=builder ${CMAKE_BUILD_DIR}/collector/self-checks /usr/local/bin/

Expand Down
12 changes: 0 additions & 12 deletions collector/container/rhel/install.sh
View file
Open in desktop

This file was deleted.

13 changes: 5 additions & 8 deletions collector/container/status-check.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,8 @@
# "status" : "ok"
# }
#
# Take the status line, split it by ":" and trim spaces and quotes.
STATUS=$(curl -s localhost:8080/ready | grep 'status' | awk -F ':' '{print $2}' | tr -d '"' | tr -d ' ')

if [[ "${STATUS}" = "ok" ]]; then
exit 0
else
exit 1
fi
# Pattern match for "status":"ok" in the JSON response
case "$(curl -sf localhost:8080/ready)" in
*'"status"'*'"ok"'*) exit 0 ;;
*) exit 1 ;;
esac
6 changes: 6 additions & 0 deletions rpms.in.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,16 @@ packages:
- patch
- systemtap-sdt-devel
# final stage in collector/container/konflux.Dockerfile
- libcurl-minimal
- tbb
- c-ares
- crypto-policies-scripts
- elfutils-libelf
- ca-certificates
- openssl
- libuuid
- libstdc++
- libcap-ng
contentOrigin:
repofiles: [ "rpms.rhel.repo" ]
context:
Expand Down
Loading
Loading