docker: Base the docker image on RedHat UBI #54812
craig[bot] merged 1 commit into cockroachdb:master from
Conversation
Before: The docker image was based on Debian 9.12 slim.

Why: This change will help on-prem customers from a security and compliance perspective. It also aligns with our publishing images into the RedHat Marketplace.

Now: Published docker images are based on the RedHat UBI 8 base image.

Fixes: cockroachdb#49643

Release note (backward-incompatible change): CockroachDB Docker images are now based on the RedHat ubi8/ubi base image instead of Debian 9.12 slim. This will help on-prem customers from a security and compliance perspective.
@bdarnell For the "Why", I think I captured the Why ok. If I missed something or didn't capture it quite right, I'm happy to modify the commit message. And on the release note, I chose "backward-incompatible change" as the category because if a user is building upon our images then those additions are likely to no longer work. "general" seemed appropriate if this doesn't make the bar for backward-incompatible. @joshimhoff @DuskEagle Wanted to get your eyes on this in case it changes anything you've got set up to work with debian images. I can make a build of this for testing if that's helpful.
bdarnell
left a comment
Reviewed 1 of 1 files at r1.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @DuskEagle and @joshimhoff)
DuskEagle
left a comment
registry.access.redhat.com/ubi8/ubi. Nothing in CC is dependent on the Docker container being based on Debian.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @DuskEagle and @joshimhoff)
TFTR! bors r=bdarnell,DuskEagle

bors r-

Canceled.
Since this will be on master only for the moment, I'm re-merging. Ideally, we'd get this into 20.2. @bdarnell My biggest concern with backporting to 20.2 is that I haven't done much testing of crdb on RedHat (just verified it runs) so I don't have a sense of how stable CRDB is on RedHat. Is this a concern for you? Do you have any other concerns with getting it in so late in the release cycle? @joshimhoff @DuskEagle What would it take to update the above-mentioned code to work with both Debian and RedHat containers? (because I'd suggest we only backport this to 20.2, if we do.) bors r=bdarnell,DuskEagle
Ya we'll take care of it. Sorry to block. Merge away.

Build succeeded:
| @@ -1,28 +1,26 @@ | |||
| FROM debian:9.12-slim | |||
| FROM registry.access.redhat.com/ubi8/ubi | |||
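Review bot: the new base line `FROM registry.access.redhat.com/ubi8/ubi` carries no tag, whereas the line it replaces pinned `debian:9.12-slim`; an untagged reference resolves to the floating `latest` tag, so the base can change between builds without any change in this repository, and reproducibility and review of base-image updates are lost. Suggest pinning a UBI 8 minor-version tag or an image digest. Also note the hunk header (`-1,28 +1,26`) shows further lines changed that are not rendered here, so the package-install changes below the `FROM` line cannot be reviewed from this view.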
Can we use ubi-minimal instead of the regular ubi? It looks like all the packages we list below are present there (https://catalog.redhat.com/software/containers/ubi8/ubi-minimal/5c359a62bed8bd75a2c3fba8?container-tabs=packages).
I had tried ubi-minimal. Cockroach couldn't find the installed tzinfo. I verified the package was installed but didn't dig deeper at the time. I just dug a bit deeper and found that the minimal image gets its smaller size by excluding documentation and language files for many RPMs. For tzinfo, all the files in /usr/share/zoneinfo are excluded.
Oops. Sounds like a bug on redhat's side, but when this was reported in rhel-atomic they responded by removing the rest of the tzdata package instead of fixing it. It looks like it's intended to be there since it still shows up in the package list, but the actual contents are missing.
Is there any way to use ubi-minimal and then reinstall the tzdata package? It looks like yum is not present on ubi-minimal and I don't know enough of the redhat ecosystem to know if there's an alternative that is present.
The tool to use in ubi-minimal is microdnf. This is the primary page I've been referencing for information on what's in each of the UBI image versions and how they differ from each other. The "Based on RHEL packaging" bullet of section 4.1.2 on that page is where I found the note about what is excluded from the ubi-minimal image. The command rpm -Va shows the excluded files for the installed RPMs.
I tried uninstalling the tzdata package and found it is depended upon by a large number of packages. There doesn't appear to be a way to force uninstallation and I'm not finding a way to install a different version of the file.
It does seem odd that they'd intentionally include a package and remove all the useful information from it. I can put a bug report in for this.
I figured out a hack to make the image use the ubi8/ubi-minimal image. See #55467.
This issue says that there's now a microdnf reinstall command: rpm-software-management/microdnf#34
And if that's too recent, it offers a workaround: rpm --erase --nodeps tzdata && microdnf install tzdata
~~Ah, I see you're already using microdnf reinstall in #55467. ~~ No, that's dnf reinstall, not microdnf reinstall
Oh. Nice find. I'm switching to use the rpm erase hack.
Oh, good point. We can fix that pretty quickly though, so this change is fine.
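One way to apply the ubi-minimal tzdata workaround discussed in the thread above (the `rpm --erase --nodeps tzdata && microdnf install tzdata` sequence), written as an added Dockerfile fragment that is not the PR's own Dockerfile; the untagged base reference mirrors the page, and the build-time zoneinfo check is an assumption added here so a stripped tzdata fails the build instead of surfacing at runtime:

```dockerfile
# Added example (not the PR's Dockerfile). ubi8/ubi-minimal lists tzdata as
# installed but strips the contents of /usr/share/zoneinfo, which is why
# cockroach could not find tz data on that base. The thread's fix is to
# drop the package ignoring dependents and install it again with microdnf
# (the package manager present on ubi-minimal; yum is not).
# Pinning a tag or digest here instead of the floating reference is advisable.
FROM registry.access.redhat.com/ubi8/ubi-minimal

# tzdata cannot be removed normally because many packages depend on it,
# and this microdnf has no reinstall subcommand, so erase it without
# dependency checks and reinstall. Clean the cache to keep the layer small.
RUN rpm --erase --nodeps tzdata \
    && microdnf install -y tzdata \
    && microdnf clean all

# Assumed check: fail the build if zoneinfo is still empty. `rpm -Va`
# (mentioned in the thread) lists files that were excluded at install time.
RUN test -f /usr/share/zoneinfo/UTC \
    && test -f /usr/share/zoneinfo/America/New_York
```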