chore(base-image): Migrate Konflux builds to UBI9/RHEL9 #2562
Skipping CI for Draft Pull Request.
@tommartensen fyi this is the parallel scanner update for UBI9. In this, we also have to add the update-ca-trust workaround for UBI9 changed perms on second execution. The arm build fails because tar hits a bug in a syscall in qemu; I still have some debug logging around that, and I expect the arm arch build to fail because of it.
d9cdc31 to d2f149d
34c5d67 to 5a2e599
/test all
Migrate all scanner base images from UBI8/RHEL8 to UBI9/RHEL9:

Konflux base images:
- Builder: openshift-golang-builder:rhel_9_golang_1.25
- Scanner runtime: ubi9-minimal
- Scanner DB: rhel9/postgresql-15

Non-Konflux base images:
- Scanner: ubi9-minimal
- Scanner DB: ubi9 / ubi9-minimal
- Vulnerabilities: ubi9-minimal

Other updates:
- Tekton CPE labels: el8 -> el9
- rpms.lock.yaml: xz updated to RHEL 9 version (5.2.5-8.el9_0)
- rpms.rhel.repo: RHEL 8 repos -> RHEL 9 repos
- PostgreSQL download script: pg_rhel_major=9
- Image name labels: rhel8 -> rhel9
- microdnf install -y xz (explicit -y for UBI9 compatibility)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

In UBI9, update-ca-trust fails when running as an unprivileged user (nobody:nobody) because it attempts to write to system-wide paths. Use the -o flag to specify a user-writable output directory.

Also switch restore-all-dir-contents to use --no-clobber to avoid overwriting CA trust files that were already updated at runtime.

See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
5a2e599 to b3addf3
/retest
@tommartensen could you review this? (the ubi9 upgrade for scanner(v2); includes the update-ca-trust permissions workaround)
tommartensen left a comment
LGTM to me from a Konflux perspective. Have you deployed and smoke tested the resulting images (like we did for collector)?
Yes, I tested with these changes (minus the master-merge [empty] commits). I'll re-do the smoke test with this and the latest master collector builds.
Description
Migrates scanner builds from UBI8/RHEL8 to UBI9/RHEL9 base images.
Key Changes
Konflux Base Images:
- brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.24
- registry.access.redhat.com/ubi9-minimal:latest
- registry.redhat.io/rhel9/postgresql-15:latest
- rhacs-scanner-rhel9, rhacs-scanner-slim-rhel9, rhacs-scanner-db-rhel9, rhacs-scanner-db-slim-rhel9
Non-Konflux Base Images:
- ubi9-minimal
- ubi9/ubi9-minimal
- ubi9-minimal
RPM/Repo Updates:
- rpms.lock.yaml: xz updated from RHEL 8 (5.2.4) to RHEL 9 (5.2.5)
- rpms.rhel.repo: repos updated from rhel8 to rhel9
- pg_rhel_major=9
Tekton Labels:
- el8 → el9
UBI9 Compatibility Fixes:
- update-ca-trust extract -o /etc/pki/ca-trust/extracted for unprivileged containers (RHBZ#2241240)
- cp --recursive --no-dereference --no-clobber in restore-all-dir-contents
- microdnf install -y xz (explicit -y flag)
Checklist
Testing Performed
TBD
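The --no-clobber restore described in the second commit message, shown as an added example that is not code from this PR or the scanner repository. restore_dir_contents is a hypothetical stand-in for restore-all-dir-contents, and every directory and file content is constructed in a temp dir.

```shell
#!/bin/sh
# Added example; restore_dir_contents is a hypothetical stand-in for the
# restore-all-dir-contents step. All paths and file contents are constructed.

# Copy saved image-time defaults into the live directory, never overwriting
# an entry that already exists there. "$live" must be an absolute path.
restore_dir_contents() {
    saved=$1; live=$2
    mkdir -p "$live"
    # "$saved/." copies the directory's contents, dotfiles included.
    # cp's exit status after skipping an existing file differs between
    # coreutils releases, so success is verified below instead.
    cp --recursive --no-dereference --no-clobber "$saved/." "$live/" || :
    missing=$(cd "$saved" && find . | while IFS= read -r p; do
        [ -e "$live/$p" ] || [ -L "$live/$p" ] || echo "$p"
    done)
    [ -z "$missing" ]
}

# Build a saved/live pair, restore, and report what ended up in "live".
demo() {
    work=$(mktemp -d)
    saved=$work/saved/extracted
    live=$work/live/extracted
    mkdir -p "$saved/pem" "$live/pem"
    # Image-time defaults.
    echo "default bundle" > "$saved/pem/tls-ca-bundle.pem"
    echo "default readme" > "$saved/README"
    ln -s pem/tls-ca-bundle.pem "$saved/ca-bundle.crt"
    # Runtime state: the bundle was already regenerated with an extra CA.
    echo "default bundle + custom CA" > "$live/pem/tls-ca-bundle.pem"

    restore_dir_contents "$saved" "$live" || { rm -rf "$work"; return 1; }

    bundle=$(cat "$live/pem/tls-ca-bundle.pem")
    readme=$(cat "$live/README")
    if [ -L "$live/ca-bundle.crt" ]; then link=symlink; else link=copied-target; fi
    rm -rf "$work"
    echo "$bundle|$readme|$link"
}

demo
```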