Type: Feature
Resolution: Unresolved
Priority: Critical
Feature Overview (aka. Goal Summary)
Switch the Red Hat Quay downstream container image to use the UBI minimal version 9.7 (ubi-minimal:9.7) as its base layer.
This change aims to reduce the final image size and attack surface area for the Red Hat Quay deployment by leveraging the smaller, stripped-down nature of the ubi-minimal image compared to the standard UBI image currently in use.
Goals (aka. expected user outcomes)
The primary goal is to enhance the security posture and efficiency of Red Hat Quay deployments for our users.
This transition gives users:
- Reduced image size: smaller container image downloads and faster deployment times, leading to reduced storage consumption and quicker cluster operations.
- Minimal attack surface: ubi-minimal carries far fewer packages and shared libraries than the standard UBI image, so the deployed Quay image has fewer components that can carry CVEs and that must be tracked and patched, and fewer utilities available to an attacker who gains code execution inside the container.
- Improved deployment efficiency: Less time and bandwidth will be spent pulling and staging the Quay images, improving overall CI/CD pipeline efficiency.
Background
Currently, the Red Hat Quay downstream image uses a standard UBI image as its base. While UBI provides a secure and compatible foundation, the full image includes packages and utilities that are not strictly necessary for the Quay application to run in a containerized environment. These unused packages inflate the image and widen its attack surface beyond what the application needs.
With the maturity and stability of ubi-minimal and the availability of version 9.7, we have the opportunity to migrate to this smaller base. This migration follows the standard practice for optimizing Red Hat's containerized products, ensuring we provide the most secure and streamlined product possible while maintaining full RHEL compatibility. The move is important for maintaining Quay's efficiency and security profile in modern cloud-native environments.
Requirements (aka. acceptance criteria)
- The Quay downstream image(s) are successfully built using the ubi-minimal:9.7 base image.
- The size of the new ubi-minimal:9.7-based image(s) is smaller (e.g., a 30% reduction) than the current image built on the standard UBI base, measured with the same tool for both images (for example, podman image inspect --format '{{.Size}}').
- All existing Quay components and functionalities are fully operational and pass the standard suite of integration and end-to-end tests (e.g., storage backend operations, user authentication, registry pushing/pulling).
- Any packages or dependencies required by Quay that are missing from ubi-minimal are installed explicitly and minimally in the Dockerfile/Containerfile. Note that ubi-minimal ships microdnf rather than dnf; install with --nodocs and run microdnf clean all in the same RUN layer so the package cache does not persist in the image.
- The final image(s) are scannable and pass the required security and vulnerability checks (e.g., Clair scans) without introducing new critical/high-severity vulnerabilities. The comparison must be made against a scan of the current UBI-based image taken at the same time, since the vulnerability database moves between scans.
Notes for further image optimization
In addition to switching to ubi-minimal:9.7, the build should remove Node.js (npm) build caches from the final images to meet the goal of reducing the Quay image size.
- Removing these caches saves significant space without affecting runtime functionality, since the caches are only needed during the dependency installation phase.
- This should be achieved using multi-stage builds or explicit cache cleanup commands added to the Dockerfile/Containerfile.
- The key is to clean caches after installing dependencies but before the final image layer is built, so the runtime application has everything it needs while the image stays as small as possible. Cleanup must happen in the same RUN instruction that created the cache; a later RUN rm only adds a layer and does not shrink the image.
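As an added illustration (not Quay's actual Containerfile; the builder image tag, package list, source paths and frontend build commands are placeholders), a multi-stage Containerfile that applies both points above: the frontend is built in a separate stage so its npm cache never reaches the final image, and the ubi-minimal:9.7 runtime stage installs only named packages with microdnf and cleans the package cache in the same layer.

```dockerfile
# Stage 1: build the web frontend. node_modules and the npm download cache
# (~/.npm/_cacache) live only in this stage and are discarded with it.
# Placeholder builder image; pick whichever Node.js builder the project uses.
FROM registry.access.redhat.com/ubi9/nodejs-20 AS frontend-builder
WORKDIR /build
COPY web/package.json web/package-lock.json ./
RUN npm ci --no-audit --no-fund
COPY web/ ./
RUN npm run build
# Not needed for the multi-stage case, but harmless, and required if anyone
# later collapses the stages into one.
RUN npm cache clean --force

# Stage 2: the runtime image on UBI minimal 9.7.
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7

# ubi-minimal ships microdnf, not dnf. Install only what the application
# needs (the package list below is a placeholder), skip documentation, and
# clean the package cache in the SAME RUN so it never persists as a layer.
RUN microdnf install -y --nodocs \
        python3 \
    && microdnf clean all \
    && rm -rf /var/cache/yum /var/cache/dnf

WORKDIR /quay-registry
# Copy only the built static assets from the builder, never node_modules.
COPY --from=frontend-builder /build/static/ ./static/
# Placeholder for the application's own sources/wheels.
COPY quay/ ./

# ubi-minimal does not include shadow-utils, so instead of useradd, make the
# tree group-writable for GID 0 and run as an arbitrary non-root UID
# (the OpenShift convention).
RUN chgrp -R 0 /quay-registry && chmod -R g=u /quay-registry
USER 1001
# The application's ENTRYPOINT, EXPOSE and ports are unchanged and omitted here.
```

Two checks after the build: podman history on the resulting image shows the layer sizes, so a large layer for the microdnf step or the COPY of static assets is immediately visible; and podman run --rm IMAGE ls -a /root/.npm /quay-registry/node_modules should fail with "No such file or directory", confirming neither the npm cache nor node_modules made it into the runtime stage.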
Issue links
- is triggered by
  - PROJQUAY-9720 Quay upstream docker build includes npm cache (In Progress)
  - OCPSTRAT-2553 Switch Red Hat operators and layered product base images to UBI Minimal (New)
- links to