Skip to content

chore(base-image): Migrate Konflux builds to UBI9/RHEL9 #2562

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
davdhacs wants to merge 6 commits into
base: master
Choose a base branch
from
Draft

chore(base-image): Migrate Konflux builds to UBI9/RHEL9 #2562

davdhacs wants to merge 6 commits into from

Conversation

@davdhacs
Copy link

@davdhacs davdhacs commented Jan 15, 2026

No description provided.

@davdhacs @claude
Migrate Konflux builds to UBI9/RHEL9
fed2404 
This migrates scanner (non-v4) Konflux and non-Konflux builds from
UBI8/RHEL8 to UBI9/RHEL9 base images.

Changes:
- Generated rpms.lock.yaml for RHEL 9 (48 lines, xz package for all 4 architectures)
- Updated rpms.rhel.repo: RHEL 8→9 repository URLs, SSL vars not hardcoded
- Updated .tekton CPE labels: el8→el9 for all 4 build configs
- Updated konflux Dockerfiles:
  - image/scanner/rhel/konflux.Dockerfile: rhel_8_1.24→rhel_9_1.24 builder, ubi8→ubi9 base
  - image/db/rhel/konflux.Dockerfile: rhel8/postgresql-15→rhel9/postgresql-15 base
- Updated non-konflux Dockerfiles:
  - image/scanner/rhel/Dockerfile: ubi8-minimal→ubi9-minimal
  - image/db/rhel/Dockerfile: ubi8→ubi9, ubi8-minimal→ubi9-minimal
  - image/vulnerabilities/Dockerfile: ubi8-minimal→ubi9-minimal

The RPM lockfile was generated using rpm-lockfile-prototype with Red Hat
subscription credentials via update.repos.sh script (kept locally only).

Note: Image name labels remain as "rhel8" since new rhel9 registry repos
are not yet available.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@davdhacs davdhacs added the konflux-build Run Konflux in PR. Push commit to trigger it. label Jan 15, 2026
@openshift-ci
Copy link

openshift-ci bot commented Jan 15, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

davdhacs and others added 5 commits January 14, 2026 22:37
@davdhacs @claude
Fix: Add -y flag to microdnf install command
5ac5f9c 
The microdnf install xz command was missing the -y flag, causing
the Konflux build to hang waiting for user confirmation.

This fix adds the -y flag to auto-confirm the package installation.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@davdhacs @claude
Fix UBI9 entrypoint CA trust permission issues
f2edcab 
Apply the same entrypoint script fixes from stackrox PR rox-14475-ubi9-acs411
to handle UBI9's stricter filesystem permissions when running as non-root.

Changes:
- restore-all-dir-contents: Use --no-clobber flag to prevent overwriting
  read-only files and avoid permission denied errors
- import-additional-cas: Use --update flag and make directory-hash writable
  before update-ca-trust, add explicit --output flag
- trust-root-ca: Add chmod to make directory-hash writable, use --update
  flag, and add explicit --output flag

These changes prevent crashes when the scanner container (running as UID
65534) tries to update CA trust files in /etc/pki/ca-trust which are
owned by root in the base UBI9 image.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@davdhacs @claude
Merge origin/master into konflux-ubi9-rhel9-migration
0ae9542 
Resolved conflicts in favor of UBI9 base images:
- image/db/rhel/konflux.Dockerfile: Keep rhel9/postgresql-15:latest
- image/scanner/rhel/konflux.Dockerfile: Keep ubi9-minimal:latest

Updated image name labels from rhel8 to rhel9 to match new base images.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@davdhacs @claude
Complete UBI9 migration for non-Konflux scanner builds (with diagnost…
b144795 
…ics)

This commit contains ONLY the absolutely necessary changes to migrate from
UBI8/RHEL8 to UBI9/RHEL9 base images, plus diagnostic commands to investigate
the THIRD_PARTY_NOTICES tar extraction issue observed in earlier testing.

Minimal Required Changes:
- image/scanner/rhel/Dockerfile.slim: ubi8-minimal → ubi9-minimal
- image/db/rhel/Dockerfile.slim: ubi8-minimal → ubi9-minimal, ubi8 → ubi9
- image/db/rhel/scripts/download.sh: pg_rhel_major=8 → pg_rhel_major=9

Diagnostic/Research Commands Added:
- image/scanner/rhel/Dockerfile: Added verbose tar extraction with diagnostics
- image/scanner/rhel/Dockerfile.slim: Added verbose tar extraction with diagnostics

The diagnostic commands will help us understand:
1. What tar version is in UBI9 vs UBI8
2. What filesystem type is being used
3. Whether tar successfully extracts THIRD_PARTY_NOTICES
4. Where THIRD_PARTY_NOTICES ends up in the filesystem
5. Whether UBI9 can create directories with names like 'cloud.google.com-go-errorreporting'
6. What the actual tar exit code is (success/failure)

These diagnostics are TEMPORARY and will be removed once we understand the
root cause of any tar extraction issues. They do not change behavior - they
only add verbose logging to the build output.

No functional changes. Build failures will reveal what UBI9 compatibility
changes are needed based on diagnostic output.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@davdhacs @claude
Pin scanner builds to ubuntu-22.04 for UBI9 compatibility
d2c3695 
This change addresses arm64 build failures where tar extraction of
THIRD_PARTY_NOTICES fails with "Cannot open: Invalid argument" errors.

Root cause:
- GitHub Actions migrated ubuntu-latest to ubuntu-24.04 (Dec 2024 - Jan 2025)
- ubuntu-24.04 has a QEMU regression (issue #11662) affecting fchmodat2 syscall
- UBI9 glibc (2.34+) uses fchmodat2 for file operations
- When building UBI9 images under QEMU emulation on ubuntu-24.04, tar extraction
  fails with EINVAL, leaving THIRD_PARTY_NOTICES empty
- Only affects arm64 builds (amd64/ppc64le/s390x use different QEMU paths)

UBI8 vs UBI9:
- UBI8 glibc (2.28) uses old fchmodat syscall → works fine on ubuntu-24.04
- UBI9 glibc (2.34+) uses new fchmodat2 syscall → hits QEMU regression

Solution:
- Pin pre-build-scanner, generate-scanner-bundle, and build-images jobs
  to ubuntu-22.04 which does not have the QEMU regression
- All architectures (amd64, arm64, ppc64le, s390x) use same runner for consistency
- This is a temporary workaround until upstream fixes the regression

Updated jobs:
- pre-build-scanner: ubuntu-22.04
- generate-scanner-bundle: ubuntu-22.04
- build-images: ubuntu-22.04

References:
- actions/runner-images#11662 (QEMU regression)
- https://bugs.launchpad.net/ubuntu/+source/tar/+bug/2059734 (fchmodat2 issue)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rhacs-bot rhacs-bot Awaiting requested review from rhacs-bot rhacs-bot will be requested when the pull request is marked ready for review rhacs-bot is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

do-not-merge/work-in-progress konflux-build Run Konflux in PR. Push commit to trigger it.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@davdhacs