Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-55447

various build process things for ubi9-container

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • None
    • ubi9-container
    • None
    • Medium
    • rhel-sst-container-tools
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None

      I'm looking at https://gitlab.com/redhat/rhel/containers/ubi9/-/blob/rhel-9.5.0/Dockerfile?ref_type=heads

      In no particular order:

      https://gitlab.com/redhat/rhel/containers/ubi9/-/blob/rhel-9.5.0-konflux/Dockerfile?ref_type=heads#L50
      Should definitely not be needed, we're not using anaconda anymore...

      https://gitlab.com/redhat/rhel/containers/ubi9/-/blob/rhel-9.5.0-konflux/Dockerfile?ref_type=heads#L34
      This seems weird...when passing --setopt install_weak_deps=false we shouldn't be pulling in things that can be removed later?

      https://gitlab.com/redhat/rhel/containers/ubi9/-/blob/rhel-9.5.0-konflux/Dockerfile?ref_type=heads#L68
      This looks wrong, there's no good reason to have pregenerated files in `/run` in the container image.

      https://gitlab.com/redhat/rhel/containers/ubi9/-/blob/rhel-9.5.0-konflux/Dockerfile?ref_type=heads#L37
      We see this pattern repeated sufficiently that I think we really do need to ask the dnf team for `dnf clean everything` etc.

      At a higher level, this build process has grown sufficiently that bunch of individual RUN invocations start to get ugly, and I think we should have a separate build.sh (or even don't write it in shell) - I experimented with this in https://gitlab.com/fedora/bootc/base-images-experimental

      Also related to the experimental builder I linked...fundamentally the way we're doing "dnf --installroot" here without setting up basic things like /dev and /proc in the target root is not long term supportable. Today, doing so requires capabilities sufficient for nested containerization; if you look at the repo above it documents `podman build --security-opt=label=disable --cap-add=all` but ultimately all that's really necessary is user namespaces (I can help work on this).

              jboyer@redhat.com Josh Boyer
              walters@redhat.com Colin Walters
              Container Runtime Eng Bot Container Runtime Eng Bot
              Container Runtime Bugs Bot Container Runtime Bugs Bot
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated: