From dc64f02feb7d70ad9a48fed845dd130d69a28d6e Mon Sep 17 00:00:00 2001
From: "Mateusz \"Serafin\" Gajewski"
Date: Wed, 27 Nov 2024 18:17:35 +0100
Subject: [PATCH] Use Ubi 9 micro image for docker

This is the most secure and the smallest base image we can use.
---
 core/docker/Dockerfile | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/core/docker/Dockerfile b/core/docker/Dockerfile
index 420b921c43c1..e4df11be1237 100644
--- a/core/docker/Dockerfile
+++ b/core/docker/Dockerfile
@@ -27,19 +27,34 @@ RUN \
 mkdir -p "${JAVA_HOME}" && \
 curl -#LfS "${JDK_DOWNLOAD_LINK}" | tar -zx --strip 1 -C "${JAVA_HOME}"

+FROM registry.access.redhat.com/ubi9/ubi:latest AS packages
+
+RUN \
+ set -xeuo pipefail && \
+ mkdir -p /tmp/overlay/usr/libexec/ && \
+ touch /tmp/overlay/usr/libexec/grepconf.sh && \
+ chmod +x /tmp/overlay/usr/libexec/grepconf.sh && \
+ yum update -y && \
+ yum install --installroot /tmp/overlay --setopt install_weak_deps=false --nodocs -y \
+ less \
+ curl-minimal grep `# required by health-check` \
+ zlib `#required by java` \
+ shadow-utils `# required by useradd` \
+ tar `# required to support kubectl cp` && \
+ rm -rf /tmp/overlay/var/cache/*
+
 # Use ubi9 minimal as it's more secure
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 ARG JDK_VERSION
 ARG ARCH
 ENV JAVA_HOME="/usr/lib/jvm/${JDK_VERSION}"
 ENV PATH=$PATH:$JAVA_HOME/bin
 ENV CATALOG_MANAGEMENT=static
 COPY --from=jdk-download $JAVA_HOME $JAVA_HOME
+COPY --from=packages /tmp/overlay /
 RUN \
 set -xeu && \
- microdnf update -y && \
- microdnf install -y tar less shadow-utils && \
 groupadd trino --gid 1000 && \
 useradd trino --uid 1000 --gid 1000 --create-home && \
 mkdir -p /usr/lib/trino /data/trino && \
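Review bot: Both the new `packages` stage and the runtime stage are pulled by the floating `:latest` tag, and the hunk also removes the `microdnf update -y` step that patched the runtime image, so the patch level of the result now depends on whatever `latest` resolves to on build day. The `yum update -y` in the `packages` stage runs against that stage's own root rather than `/tmp/overlay`, so as far as the hunk shows it does not change what `COPY --from=packages /tmp/overlay /` brings into the final image. I would pin both bases by digest, for example `FROM registry.access.redhat.com/ubi9/ubi-micro@sha256:<digest-placeholder>`, and rely on scheduled rebuilds with a refreshed digest to pick up fixes. The context comment `# Use ubi9 minimal as it's more secure` is now stale and should name ubi-micro; a one-line comment on why the empty `grepconf.sh` stub is created would also help the next reader. The final `RUN` continues past the end of the hunk, so whether `shadow-utils` has to remain in the runtime image after `useradd` cannot be judged from here.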