Details
- Enhancement
- Status: Closed
- Critical
- Resolution: Done
- None
- Keycloak Sprint 28
- 5
- NEW
- NEW
Description
Currently we use jboss/base-jdk:8 as the base image for Keycloak, although the last updates for this image date from 5 years ago: https://github.com/jboss-dockerfiles/base-jdk/tree/jdk8.
What
- Update our Keycloak server Dockerfile to use ubi-minimal
Why
- Current packages inside jboss/base-jdk:8 are lagging behind and have become out of date
- We need our image to have the latest package updates
- We want to reduce the installed packages to a minimum to reduce the amount of CVEs and size of the image
How
- Switch to ubi-minimal. See: https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image
- For package management we may need to consider microdnf instead of yum https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/building_running_and_managing_containers/using_red_hat_universal_base_images_standard_minimal_and_runtimes#using_minimal_red_hat_base_images
- Here's an idea heavily inspired by https://hub.docker.com/r/perconalab/pxc-openshift/dockerfile:
```dockerfile
FROM registry.access.redhat.com/ubi8/ubi-minimal:latest

# Fetch jq, epel-release and oniguruma as EPEL RPMs and install them directly with rpm
RUN curl -L -o /tmp/jq.rpm https://download.fedoraproject.org/pub/epel/7/x86_64/Packages/j/jq-1.5-1.el7.x86_64.rpm \
 && curl -L -o /tmp/epel-release.rpm https://download.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm \
 && curl -L -o /tmp/oniguruma.rpm https://download.fedoraproject.org/pub/epel/7/x86_64/Packages/o/oniguruma-5.9.5-3.el7.x86_64.rpm \
 && rpm -iv /tmp/epel-release.rpm /tmp/jq.rpm /tmp/oniguruma.rpm \
 && rm -rf /tmp/*.rpm

# Apply package updates, install hostname, then clear the microdnf cache
RUN microdnf update -y && \
    microdnf install -y hostname && \
    microdnf clean all
```
Acceptance Criteria
- Have the Keycloak server image reported as green, which means that we don't have any warnings
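
The points this issue raises about the base image (staying current, keeping packages minimal, microdnf rather than yum on ubi-minimal) can be checked mechanically before an image is built. The following Python lint is an added example, not part of the original issue or of the Keycloak project; its rule names and both sample Dockerfiles are constructed for illustration, and the all-zero digest is a placeholder.

```python
import re

# Constructed input: the Dockerfile idea from the issue, shortened to one EPEL package.
ISSUE_DOCKERFILE = """\
FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
RUN curl -L -o /tmp/jq.rpm https://download.fedoraproject.org/pub/epel/7/x86_64/Packages/j/jq-1.5-1.el7.x86_64.rpm \\
 && rpm -iv /tmp/jq.rpm && rm -rf /tmp/*.rpm
RUN microdnf update -y && microdnf install -y hostname && microdnf clean all
"""
# Constructed counter-example; the all-zero digest is a placeholder, not a real image.
PINNED_DOCKERFILE = (
    "FROM registry.access.redhat.com/ubi8/ubi-minimal@sha256:" + "0" * 64 + "\n"
    "RUN microdnf install -y hostname && microdnf clean all\n"
)

def instructions(text):
    """Yield (KEYWORD, arguments) with backslash continuations joined."""
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keyword, _, args = line.partition(" ")
            yield keyword.upper(), args.strip()

def lint(text):
    """Return a sorted list of rule names that the Dockerfile text triggers."""
    hits, base_major, minimal = set(), None, False
    for keyword, args in instructions(text):
        if keyword == "FROM":
            image = next(t for t in args.split() if not t.startswith("--"))
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if "@sha256:" not in image and tag in ("", "latest"):
                hits.add("floating-base-tag")        # rebuilds can silently change the base
            m = re.search(r"ubi(\d+)", image)
            base_major = m.group(1) if m else None
            minimal = "ubi-minimal" in image
        elif keyword == "RUN":
            if minimal and re.search(r"\b(yum|dnf)\b", args):
                hits.add("yum-on-ubi-minimal")       # ubi-minimal provides microdnf, not yum
            if re.search(r"https?://\S+\.rpm\b", args) and not re.search(
                    r"sha256sum|rpm\s+(-K|--checksig)", args):
                hits.add("unverified-rpm-download")  # fetched outside the repo, no check
            if base_major and set(re.findall(r"\.el(\d+)\.", args)) - {base_major}:
                hits.add("el-release-mismatch")      # e.g. an .el7 package on a ubi8 base
    return sorted(hits)

if __name__ == "__main__":
    print(lint(ISSUE_DOCKERFILE))
    print(lint(PINNED_DOCKERFILE))
```

Run against the shortened issue Dockerfile, the lint reports the floating `latest` tag, the RPM fetched by URL without a checksum or signature check, and the EL7 package on a ubi8 base; the pinned variant reports nothing.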
Issue Links
- causes: KEYCLOAK-11636 New Keycloak docker image uses ubi8 (Closed)
- incorporates: KEYCLOAK-11457 (REL) Change Keycloak container images to ubi-minimal (Closed)
- is blocked by: KEYCLOAK-11185 Unable to compile with JDK 9 or superior (Closed)
- relates to: KEYCLOAK-12387 Missing jboss group in docker image (Closed)