From a53a4162a26be4e0a6d8c3db96c6c47f76b19d6f Mon Sep 17 00:00:00 2001
From: Lily Zhang <49077510+LiilyZhang@users.noreply.github.com>
Date: Fri, 31 Jan 2025 08:59:20 -0500
Subject: [PATCH] Revert "Use ubi-micro instead of ubi-minimal to reduce the threat surface attack area."
---
anax-in-container/Dockerfile.alpine.amd64 | 1 -
anax-in-container/Dockerfile.ubi.amd64 | 18 +-----------------
anax-in-container/Dockerfile.ubi.arm64 | 18 +-----------------
anax-in-container/Dockerfile.ubi.ppc64el | 18 +-----------------
anax-in-container/Dockerfile.ubi.s390x | 18 +-----------------
anax-in-container/Dockerfile_agbot.ubi | 18 +-----------------
anax-in-k8s/Dockerfile.ubi.amd64 | 18 +-----------------
anax-in-k8s/Dockerfile.ubi.arm64 | 18 +-----------------
.../Dockerfile.ubi.auto-upgrade-cron.amd64 | 18 +-----------------
.../Dockerfile.ubi.auto-upgrade-cron.arm64 | 18 +-----------------
.../Dockerfile.ubi.auto-upgrade-cron.ppc64el | 18 +-----------------
.../Dockerfile.ubi.auto-upgrade-cron.s390x | 18 +-----------------
anax-in-k8s/Dockerfile.ubi.ppc64el | 18 +-----------------
anax-in-k8s/Dockerfile.ubi.s390x | 18 +-----------------
.../cloud-sync-service-amd64/Dockerfile.ubi | 18 +-----------------
.../edge-sync-service-amd64/Dockerfile.ubi | 18 +-----------------
.../edge-sync-service-arm64/Dockerfile.ubi | 18 +-----------------
.../edge-sync-service-ppc64el/Dockerfile.ubi | 18 +-----------------
.../edge-sync-service-s390x/Dockerfile.ubi | 18 +-----------------
19 files changed, 18 insertions(+), 307 deletions(-)
diff --git a/anax-in-container/Dockerfile.alpine.amd64 b/anax-in-container/Dockerfile.alpine.amd64
index 04ab4b093..ad62789a5 100644
--- a/anax-in-container/Dockerfile.alpine.amd64
+++ b/anax-in-container/Dockerfile.alpine.amd64
@@ -11,7 +11,6 @@ ARG DOCKER_VER=19.03.8 # install docker cli # make required directories RUN microdnf update -y --nodocs && microdnf clean all && microdnf install --nodocs -y shadow-utils \ - && microdnf install -y curl \ && microdnf install --nodocs -y openssl ca-certificates \ && microdnf install -y wget iptables vim-minimal procps tar \ && wget -O jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 \ diff --git a/anax-in-container/Dockerfile.ubi.amd64 b/anax-in-container/Dockerfile.ubi.amd64 index a5d4ba317..e1143947d 100644 --- a/anax-in-container/Dockerfile.ubi.amd64 +++ b/anax-in-container/Dockerfile.ubi.amd64 @@ -1,24 +1,9 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent in a general purpose container." LABEL description="A container which holds the edge node agent, to be used in environments where there is no operating system package that can install the agent natively." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - ARG DOCKER_VER=26.1.4 # The anax binary (secrets manager code) shells out to groupadd, groupdel (from shadow-utils), pkill (from procps-ng) 
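Review bot: The restored `FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2` in the `@@ -1,24 +1,9 @@` hunk of anax-in-container/Dockerfile.ubi.amd64 names a tag rather than a digest, so the base can change between builds, and `9.2` is presumably no longer the newest UBI 9 minor. The same line is added in the first hunk of every other `Dockerfile.ubi*` and `Dockerfile_agbot.ubi` file in this patch. Pinning a reviewed digest would make the base reproducible, e.g. `FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2@sha256:<digest-of-reviewed-image>` (placeholder). Going back to a single ubi-minimal stage also keeps microdnf, rpm and gpg in the shipped image, so a comment above the FROM line saying why ubi-micro was dropped and which packages the runtime actually needs would help the next reviewer. The Dockerfile continues outside the hunk.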
@@ -30,7 +15,6 @@ ARG REQUIRED_RPMS="openssl ca-certificates shadow-utils jq iptables vim-minimal RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ && microdnf upgrade -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager krb5-libs \ - && microdnf install -y curl \ && curl -4fsSLO https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VER}.tgz \ && tar xzvf docker-${DOCKER_VER}.tgz --strip 1 -C /usr/bin docker/docker \ && rm docker-${DOCKER_VER}.tgz \ diff --git a/anax-in-container/Dockerfile.ubi.arm64 b/anax-in-container/Dockerfile.ubi.arm64 index e2ddeb0cf..70c8e075d 100644 --- a/anax-in-container/Dockerfile.ubi.arm64 +++ b/anax-in-container/Dockerfile.ubi.arm64 @@ -1,24 +1,9 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent in a general purpose container." LABEL description="A container which holds the edge node agent, to be used in environments where there is no operating system package that can install the agent natively." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - ARG DOCKER_VER=24.0.9 # The anax binary (secrets manager code) shells out to groupadd, groupdel (from shadow-utils), pkill (from procps-ng) 
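Review bot: In the `@@ -30,7 +15,6 @@` hunk of anax-in-container/Dockerfile.ubi.amd64 the Docker static tarball is fetched with `curl -4fsSLO` and unpacked into `/usr/bin` with no integrity check, and with the explicit `microdnf install -y curl` removed the step now depends on the base image shipping curl. Recording the expected hash next to `DOCKER_VER` and checking it before `tar` would close the gap: `ARG DOCKER_SHA256=<sha256-of-reviewed-tarball>` (placeholder) and `&& echo "${DOCKER_SHA256}  docker-${DOCKER_VER}.tgz" | sha256sum -c - \`. The same download appears in the arm64, ppc64el and s390x hunks under anax-in-container, where `DOCKER_VER` is 24.0.9 and 18.06.3-ce; those older client versions look worth revisiting. The RUN instruction continues past the end of the hunk.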
@@ -29,7 +14,6 @@ ARG DOCKER_VER=24.0.9 ARG REQUIRED_RPMS="openssl ca-certificates shadow-utils jq iptables vim-minimal psmisc procps-ng tar gzip" RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ - && microdnf install -y curl \ && curl -4fsSLO https://download.docker.com/linux/static/stable/aarch64/docker-${DOCKER_VER}.tgz \ && tar xzvf docker-${DOCKER_VER}.tgz --strip 1 -C /usr/bin docker/docker \ && rm docker-${DOCKER_VER}.tgz \ diff --git a/anax-in-container/Dockerfile.ubi.ppc64el b/anax-in-container/Dockerfile.ubi.ppc64el index 066371ad1..df37a7b21 100644 --- a/anax-in-container/Dockerfile.ubi.ppc64el +++ b/anax-in-container/Dockerfile.ubi.ppc64el @@ -1,24 +1,9 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent in a general purpose container." LABEL description="A container which holds the edge node agent, to be used in environments where there is no operating system package that can install the agent natively." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - ARG DOCKER_VER=18.06.3-ce # add EPEL repo with jq pkg and all deps 
@@ -34,7 +19,6 @@ RUN microdnf clean all \ && rm -rf /var/cache/dnf /var/cache/PackageKit \ && microdnf update -y --nodocs --nobest --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ - && microdnf install -y curl \ && curl -4fsSLO https://download.docker.com/linux/static/stable/ppc64le/docker-${DOCKER_VER}.tgz \ && tar xzvf docker-${DOCKER_VER}.tgz --strip 1 -C /usr/bin docker/docker \ && rm docker-${DOCKER_VER}.tgz \ diff --git a/anax-in-container/Dockerfile.ubi.s390x b/anax-in-container/Dockerfile.ubi.s390x index 5809367e6..6d1dc246e 100644 --- a/anax-in-container/Dockerfile.ubi.s390x +++ b/anax-in-container/Dockerfile.ubi.s390x @@ -1,24 +1,9 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent in a general purpose container." LABEL description="A container which holds the edge node agent, to be used in environments where there is no operating system package that can install the agent natively." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - ARG DOCKER_VER=18.06.3-ce # The anax binary (secrets manager code) shells out to groupadd, groupdel (from shadow-utils), pkill (from procps-ng) 
@@ -29,7 +14,6 @@ ARG DOCKER_VER=18.06.3-ce ARG REQUIRED_RPMS="openssl ca-certificates shadow-utils jq iptables vim-minimal psmisc procps-ng tar gzip" RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ - && microdnf install -y curl \ && curl -4fsSLO https://download.docker.com/linux/static/stable/s390x/docker-${DOCKER_VER}.tgz \ && tar xzvf docker-${DOCKER_VER}.tgz --strip 1 -C /usr/bin docker/docker \ && rm docker-${DOCKER_VER}.tgz \ diff --git a/anax-in-container/Dockerfile_agbot.ubi b/anax-in-container/Dockerfile_agbot.ubi index 559c5672c..38c101306 100644 --- a/anax-in-container/Dockerfile_agbot.ubi +++ b/anax-in-container/Dockerfile_agbot.ubi 
@@ -1,24 +1,9 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The deployment engine." LABEL description="The Agbot scans all the edge nodes in the system initiating deployment of services and model to all eligible nodes." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # The anax binary (secrets manager code) shells out to groupadd, groupdel (from shadow-utils), pkill (from procps-ng) # The anax.service calls jq (from jq) and killall (from psmisc) # anax does not use iptables directly but the github.com/coreos/go-iptables/iptables dependency needs the directory structure @@ -27,7 +12,6 @@ COPY --from=base /etc/pki /etc/pki/ # Create required directories ARG REQUIRED_RPMS="openssl ca-certificates shadow-utils jq iptables vim-minimal psmisc procps-ng gettext" RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ - && microdnf install -y curl \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ && microdnf upgrade -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager krb5-libs \ && microdnf clean all --disableplugin=subscription-manager \ diff --git a/anax-in-k8s/Dockerfile.ubi.amd64 b/anax-in-k8s/Dockerfile.ubi.amd64 index 997bf757a..d357c4852 100644 --- a/anax-in-k8s/Dockerfile.ubi.amd64 
+++ b/anax-in-k8s/Dockerfile.ubi.amd64 @@ -1,31 +1,15 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent for edge clusters." LABEL description="The agent in a container that is used solely for the purpose of running the agent in a kubernetes edge cluster." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # The anax binary (secrets manager code) shells out to groupadd, groupdel (from shadow-utils), pkill (from procps-ng) # The anax.service calls jq (from jq) and killall (from psmisc) # anax does not use iptables directly but the github.com/coreos/go-iptables/iptables dependency needs the directory structure # Create required directories ARG REQUIRED_RPMS="openssl ca-certificates shadow-utils jq iptables vim-minimal psmisc procps-ng tar" RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ - && microdnf install -y curl \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ && microdnf clean all --disableplugin=subscription-manager \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \ diff --git a/anax-in-k8s/Dockerfile.ubi.arm64 b/anax-in-k8s/Dockerfile.ubi.arm64 index 792a0d843..91010a24d 100644 --- a/anax-in-k8s/Dockerfile.ubi.arm64 +++ b/anax-in-k8s/Dockerfile.ubi.arm64 
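Review bot: The cleanup step `rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.*` in the `@@ -1,31 +1,15 @@` hunk of anax-in-k8s/Dockerfile.ubi.amd64 targets `/mnt/rootfs`, which nothing visible in this single-stage build creates, so it probably removes nothing and the dnf logs and caches stay in the layer. If the intent is to trim the image itself, the line would read `&& rm -rf /var/cache/* /var/log/dnf* /var/log/yum.* \`. The same line is kept in the other anax-in-k8s hunks and in the ess hunks of this patch. The RUN instruction continues past the hunk.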
@@ -1,31 +1,15 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent for edge clusters." LABEL description="The agent in a container that is used solely for the purpose of running the agent in a kubernetes edge cluster." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # The anax binary (secrets manager code) shells out to groupadd, groupdel (from shadow-utils), pkill (from procps-ng) # The anax.service calls jq (from jq) and killall (from psmisc) # anax does not use iptables directly but the github.com/coreos/go-iptables/iptables dependency needs the directory structure # Create required directories ARG REQUIRED_RPMS="openssl ca-certificates shadow-utils jq iptables vim-minimal psmisc procps-ng tar" RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ - && microdnf install -y curl \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ && microdnf clean all --disableplugin=subscription-manager \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \ diff --git a/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.amd64 b/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.amd64 index 21418cddd..3860e0765 100644 --- a/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.amd64 
+++ b/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.amd64 @@ -1,24 +1,9 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent auto upgrade cron job for edge clusters." LABEL description="" -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # The build calls adduser (from shadow-utils) # The auto-upgrade-cronjob.sh calls jq (from jq) # Download kubectl @@ -28,7 +13,6 @@ ARG REQUIRED_RPMS="shadow-utils jq" RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ && microdnf clean all --disableplugin=subscription-manager \ - && microdnf install -y curl \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \ && curl -4LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl \ && chmod +x ./kubectl \ diff --git a/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.arm64 b/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.arm64 index c7371cd02..2cdf93c04 100644 --- a/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.arm64 +++ b/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.arm64 
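Review bot: The kubectl download in the `@@ -28,7 +13,6 @@` hunk of anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.amd64 resolves its version from `stable.txt` at build time and is made executable without any checksum, and neither `curl` call passes `-f`, so an HTTP error body would be saved as `./kubectl` and the build would carry on. Pinning the release and verifying it keeps the build reproducible: `ARG KUBECTL_VER=<pinned-release>` and `ARG KUBECTL_SHA256=<sha256-of-that-binary>` (placeholders), fetched with `curl -4fsSLO`, then `&& echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c - \` before `chmod +x`. With the explicit `microdnf install -y curl` removed, the step also relies on the base image providing curl. The arm64, ppc64el and s390x auto-upgrade-cron hunks carry the same line, and the RUN instruction continues past the hunk.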
@@ -1,24 +1,9 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent auto upgrade cron job for edge clusters." LABEL description="" -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # The build calls adduser (from shadow-utils) # The auto-upgrade-cronjob.sh calls jq (from jq) # Download kubectl @@ -28,7 +13,6 @@ ARG REQUIRED_RPMS="shadow-utils jq" RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ && microdnf clean all --disableplugin=subscription-manager \ - && microdnf install -y curl \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \ && curl -4LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/arm64/kubectl \ && chmod +x ./kubectl \ diff --git a/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.ppc64el b/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.ppc64el index 350c89cd4..0297c88ac 100644 --- a/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.ppc64el +++ b/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.ppc64el 
@@ -1,24 +1,9 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent auto upgrade cron job for edge clusters." LABEL description="" -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # add EPEL repo with jq pkg and all deps COPY EPEL.repo /etc/yum.repos.d @@ -33,7 +18,6 @@ RUN microdnf clean all \ && microdnf update -y --nodocs --nobest --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ && microdnf clean all --disableplugin=subscription-manager \ - && microdnf install -y curl \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \ && curl -4LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/ppc64le/kubectl \ && chmod +x ./kubectl \ diff --git a/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.s390x b/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.s390x index de3b10385..b4f439f85 100644 --- a/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.s390x +++ b/anax-in-k8s/Dockerfile.ubi.auto-upgrade-cron.s390x 
@@ -1,24 +1,9 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent auto upgrade cron job for edge clusters." LABEL description="" -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # add EPEL repo with jq pkg and all deps COPY EPEL.repo /etc/yum.repos.d @@ -31,7 +16,6 @@ ARG REQUIRED_RPMS="shadow-utils jq" RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ && microdnf clean all --disableplugin=subscription-manager \ - && microdnf install -y curl \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \ && curl -4LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/s390x/kubectl \ && chmod +x ./kubectl \ diff --git a/anax-in-k8s/Dockerfile.ubi.ppc64el b/anax-in-k8s/Dockerfile.ubi.ppc64el index 7e488df20..e966ba966 100644 --- a/anax-in-k8s/Dockerfile.ubi.ppc64el +++ b/anax-in-k8s/Dockerfile.ubi.ppc64el 
@@ -1,24 +1,9 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent for edge clusters." LABEL description="The agent in a container that is used solely for the purpose of running the agent in a kubernetes edge cluster." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # add EPEL repo with jq pkg and all deps COPY EPEL.repo /etc/yum.repos.d @@ -30,7 +15,6 @@ ARG REQUIRED_RPMS="openssl ca-certificates shadow-utils jq iptables vim-minimal RUN microdnf clean all \ && rm -rf /var/cache/dnf /var/cache/PackageKit \ && microdnf update -y --nodocs --nobest --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ - && microdnf install -y curl \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ && microdnf clean all --disableplugin=subscription-manager \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \ diff --git a/anax-in-k8s/Dockerfile.ubi.s390x b/anax-in-k8s/Dockerfile.ubi.s390x index 47c46ea7f..04e980555 100644 --- a/anax-in-k8s/Dockerfile.ubi.s390x +++ b/anax-in-k8s/Dockerfile.ubi.s390x 
@@ -1,24 +1,9 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="The agent for edge clusters." LABEL description="The agent in a container that is used solely for the purpose of running the agent in a kubernetes edge cluster." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # add EPEL repo with jq pkg and all deps COPY EPEL.repo /etc/yum.repos.d @@ -28,7 +13,6 @@ COPY EPEL.repo /etc/yum.repos.d # Create required directories ARG REQUIRED_RPMS="openssl ca-certificates shadow-utils jq iptables vim-minimal psmisc procps-ng" RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ - && microdnf install -y curl \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ && microdnf clean all --disableplugin=subscription-manager \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \ diff --git a/css/image/cloud-sync-service-amd64/Dockerfile.ubi b/css/image/cloud-sync-service-amd64/Dockerfile.ubi index 21659c97a..b2e70ba89 100644 --- a/css/image/cloud-sync-service-amd64/Dockerfile.ubi +++ b/css/image/cloud-sync-service-amd64/Dockerfile.ubi 
@@ -1,29 +1,13 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="Object model storage and APIs in the management hub." LABEL description="Provides the management hub side of the Model Management System, which stores object models and provides APIs for admins and edge nodes to access the object models." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # shadow-utils contains groupadd and adduser commands # css_start.sh calls envsubst (from gettext) ARG REQUIRED_RPMS="openssl ca-certificates shadow-utils gettext" RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ - && microdnf install -y curl \ && microdnf install -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager ${REQUIRED_RPMS} \ && microdnf clean all --disableplugin=subscription-manager \ && groupadd -g 1000 cssuser && adduser -u 1000 -g cssuser cssuser \ diff --git a/ess/image/edge-sync-service-amd64/Dockerfile.ubi b/ess/image/edge-sync-service-amd64/Dockerfile.ubi index 7a8a24757..fcf012525 100644 --- a/ess/image/edge-sync-service-amd64/Dockerfile.ubi +++ b/ess/image/edge-sync-service-amd64/Dockerfile.ubi 
@@ -1,27 +1,11 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="Edge node Model Management System." LABEL description="Provides the edge node side of the Model Management System to be used by the CLI service test tools when also testing object models." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # yum is not installed, use microdnf instead RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ - && microdnf install -y curl \ && microdnf install -y --nodocs openssl ca-certificates --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf clean all --disableplugin=subscription-manager \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \ diff --git a/ess/image/edge-sync-service-arm64/Dockerfile.ubi b/ess/image/edge-sync-service-arm64/Dockerfile.ubi index 7a8a24757..fcf012525 100644 --- a/ess/image/edge-sync-service-arm64/Dockerfile.ubi +++ b/ess/image/edge-sync-service-arm64/Dockerfile.ubi 
@@ -1,27 +1,11 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="Edge node Model Management System." LABEL description="Provides the edge node side of the Model Management System to be used by the CLI service test tools when also testing object models." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # yum is not installed, use microdnf instead RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ - && microdnf install -y curl \ && microdnf install -y --nodocs openssl ca-certificates --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf clean all --disableplugin=subscription-manager \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \ diff --git a/ess/image/edge-sync-service-ppc64el/Dockerfile.ubi b/ess/image/edge-sync-service-ppc64el/Dockerfile.ubi index 94b44919f..1ca256074 100644 --- a/ess/image/edge-sync-service-ppc64el/Dockerfile.ubi +++ b/ess/image/edge-sync-service-ppc64el/Dockerfile.ubi 
@@ -1,29 +1,13 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="Edge node Model Management System." LABEL description="Provides the edge node side of the Model Management System to be used by the CLI service test tools when also testing object models." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # yum is not installed, use microdnf instead RUN microdnf clean all \ && rm -rf /var/cache/dnf /var/cache/PackageKit \ && microdnf update -y --nodocs --nobest --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ - && microdnf install -y curl \ && microdnf install -y --nodocs openssl ca-certificates --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf clean all --disableplugin=subscription-manager \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \ diff --git a/ess/image/edge-sync-service-s390x/Dockerfile.ubi b/ess/image/edge-sync-service-s390x/Dockerfile.ubi index 7a8a24757..fcf012525 100644 --- a/ess/image/edge-sync-service-s390x/Dockerfile.ubi +++ b/ess/image/edge-sync-service-s390x/Dockerfile.ubi 
@@ -1,27 +1,11 @@ -# Building microdnf from ubi9-minimal base -FROM registry.access.redhat.com/ubi9-minimal:latest AS base - -#--------------------------------------------------------------- -FROM registry.access.redhat.com/ubi9-micro:latest AS runtime +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2 LABEL vendor="IBM" LABEL summary="Edge node Model Management System." LABEL description="Provides the edge node side of the Model Management System to be used by the CLI service test tools when also testing object models." -# Copy microdnf necessary files from the base stage -COPY --from=base /usr/bin/microdnf /usr/bin/ -COPY --from=base /usr/bin/gpg /usr/bin/ -COPY --from=base /usr/bin/gpg2 /usr/bin/ -COPY --from=base /lib64 /lib64/ -COPY --from=base /usr/lib64 /usr/lib64/ -COPY --from=base /usr/lib/rpm /usr/lib/rpm/ -COPY --from=base /etc/dnf /etc/dnf/ -COPY --from=base /etc/rpm /etc/rpm/ -COPY --from=base /etc/pki /etc/pki/ - # yum is not installed, use microdnf instead RUN microdnf update -y --nodocs --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ - && microdnf install -y curl \ && microdnf install -y --nodocs openssl ca-certificates --setopt=install_weak_deps=0 --disableplugin=subscription-manager \ && microdnf clean all --disableplugin=subscription-manager \ && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \