Story
Resolution: Unresolved
Normal / Medium / rhel-sst-container-tools / False
I'm looking at https://gitlab.com/redhat/rhel/containers/ubi9/-/blob/rhel-9.5.0/Dockerfile?ref_type=heads
In no particular order:
- https://gitlab.com/redhat/rhel/containers/ubi9/-/blob/rhel-9.5.0-konflux/Dockerfile?ref_type=heads#L71
  Wait what? What is /licenses? Who invented that?
- https://gitlab.com/redhat/rhel/containers/ubi9/-/blob/rhel-9.5.0-konflux/Dockerfile?ref_type=heads#L50
  Should definitely not be needed, we're not using anaconda anymore...
- https://gitlab.com/redhat/rhel/containers/ubi9/-/blob/rhel-9.5.0-konflux/Dockerfile?ref_type=heads#L34
  This seems weird... when passing --setopt install_weak_deps=false we shouldn't be pulling in things that can be removed later?
- https://gitlab.com/redhat/rhel/containers/ubi9/-/blob/rhel-9.5.0-konflux/Dockerfile?ref_type=heads#L68
  This looks wrong, there's no good reason to have pregenerated files in `/run` in the container image.
- https://gitlab.com/redhat/rhel/containers/ubi9/-/blob/rhel-9.5.0-konflux/Dockerfile?ref_type=heads#L37
  We see this pattern repeated sufficiently that I think we really do need to ask the dnf team for `dnf clean everything` etc.
At a higher level, this build process has grown sufficiently that a bunch of individual RUN invocations start to get ugly, and I think we should have a separate build.sh (or even don't write it in shell) - I experimented with this in https://gitlab.com/fedora/bootc/base-images-experimental
Also related to the experimental builder I linked...fundamentally the way we're doing "dnf --installroot" here without setting up basic things like /dev and /proc in the target root is not long term supportable. Today, doing so requires capabilities sufficient for nested containerization; if you look at the repo above it documents `podman build --security-opt=label=disable --cap-add=all` but ultimately all that's really necessary is user namespaces (I can help work on this).
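Two of the findings above (pregenerated files under `/run`, and dnf cache left behind when the clean step is missing) can be checked mechanically on a `dnf --installroot` tree before it is committed to an image layer. The script below is an added example written for this ticket, not code from the ubi9 repo or the experimental builder; the rootfs layout it inspects (`/run`, `/var/cache/dnf`, `/var/cache/yum`) is an assumption about a RHEL/UBI-style root.

```shell
#!/bin/sh
# Added example (not part of the ticket): lint a container rootfs, such as one
# populated with `dnf --installroot=$root`, for build leftovers the ticket calls
# out. Prints one line per finding and returns the number of findings.
# The checked paths are assumptions for a RHEL/UBI-style rootfs.

lint_rootfs() {
    root=${1%/}   # strip a trailing slash so path rewriting below is clean
    count=0

    # 1. Runtime state under /run must not be baked into the image; anything
    #    found here was pregenerated during the build and belongs to the host
    #    or init system at runtime instead.
    if [ -d "$root/run" ]; then
        find "$root/run" -mindepth 1 -type f 2>/dev/null \
            | sed "s|^$root|run-state: |"
        n=$(find "$root/run" -mindepth 1 -type f 2>/dev/null | wc -l)
        count=$((count + n))
    fi

    # 2. A non-empty package cache means `dnf clean all` (or the requested
    #    `dnf clean everything`) did not run in the same layer as the install,
    #    so the downloaded RPMs and metadata ship in the image.
    for cache in var/cache/dnf var/cache/yum; do
        if [ -d "$root/$cache" ] && [ -n "$(ls -A "$root/$cache" 2>/dev/null)" ]; then
            echo "pkg-cache: /$cache is not empty"
            count=$((count + 1))
        fi
    done

    return "$count"
}

# Usage: ./lint_rootfs.sh /path/to/installroot
if [ -n "${1:-}" ]; then
    lint_rootfs "$1"
fi
```

A non-zero exit makes the check usable as a gate in a build.sh right after the install step, before the tree is turned into a layer.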