ROX-33559: Migrate collector images from UBI-minimal to UBI-micro

Makefile

@@ -15,11 +15,6 @@ tag:
 builder-tag:
 	@echo "$(COLLECTOR_BUILDER_TAG)"
 
-.PHONY: container-dockerfile-dev
-container-dockerfile-dev:
-	sed '1s/ubi-minimal/ubi/' $(CURDIR)/collector/container/Dockerfile > \
-		$(CURDIR)/collector/container/Dockerfile.dev
-
 .PHONY: builder
 builder:
 ifneq ($(BUILD_BUILDER_IMAGE), false)
@@ -52,12 +47,11 @@ image: collector
 		-t quay.io/stackrox-io/collector:$(COLLECTOR_TAG) \
 		$(COLLECTOR_BUILD_CONTEXT)
 
-image-dev: collector container-dockerfile-dev
+image-dev: collector
 	make -C collector txt-files
 	docker buildx build --load --platform ${PLATFORM} \
 		--build-arg COLLECTOR_VERSION="$(COLLECTOR_TAG)" \
-		--build-arg BUILD_TYPE=devel \
-		-f collector/container/Dockerfile.dev \
+		-f collector/container/dev.Dockerfile \
 		-t quay.io/stackrox-io/collector:$(COLLECTOR_TAG) \
 		$(COLLECTOR_BUILD_CONTEXT)
 

collector/.gitignore

@@ -14,7 +14,7 @@ cmake-build-rhel/
 generated/
 collector/protoc-*
 
-# Generated dockerfiles
+# Leftover generated dockerfiles from former process, can be removed after a while
 container/Dockerfile.dev
 
 # clangd specific files

collector/Makefile

@@ -69,7 +69,6 @@ clean:
 	rm -rf container/LICENSE-kernel-modules.txt
 	rm -rf container/bin
 	rm -rf container/THIRD_PARTY_NOTICES
-	rm -f container/Dockerfile.dev
 
 .PHONY: check
 check:

collector/container/Dockerfile

@@ -1,10 +1,24 @@
-FROM registry.access.redhat.com/ubi10/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi10/ubi-micro:latest AS ubi-micro-base
+
+FROM registry.access.redhat.com/ubi10/ubi:latest AS package_installer
+
+# Copy ubi-micro base to /out to preserve its rpmdb
+COPY --from=ubi-micro-base / /out/
+
+# Install packages directly to /out/ using --installroot
+RUN dnf install -y \
+    --installroot=/out/ \
+    --releasever=10 \
+    --setopt=install_weak_deps=False \
+    --nodocs \
+    ca-certificates curl-minimal elfutils-libelf libcap-ng libstdc++ libuuid openssl tbb && \
+    dnf clean all --installroot=/out/ && \
+    rm -rf /out/var/cache/dnf /out/var/cache/yum
+
+FROM ubi-micro-base
 
-ARG BUILD_TYPE=rhel
-ARG ROOT_DIR=.
 ARG COLLECTOR_VERSION
 
-ENV ROOT_DIR=$ROOT_DIR
 ENV COLLECTOR_HOST_ROOT=/host
 
 LABEL name="collector" \
@@ -16,8 +30,7 @@ LABEL name="collector" \
 
 WORKDIR /
 
-COPY container/${BUILD_TYPE}/install.sh /
-RUN ./install.sh && rm -f install.sh
+COPY --from=package_installer /out/ /
 
 # Uncomment this line to enable generation of core for collector
 # RUN echo '/core/core.%e.%p.%t' > /proc/sys/kernel/core_pattern

collector/container/dev.Dockerfile

@@ -0,0 +1,38 @@
+FROM quay.io/centos/centos:stream10
+
+ARG COLLECTOR_VERSION
+
+ENV COLLECTOR_HOST_ROOT=/host
+
+LABEL name="collector" \
+      vendor="StackRox" \
+      maintainer="support@stackrox.com" \
+      summary="Runtime data collection for the StackRox Kubernetes Security Platform" \
+      description="This image supports runtime data collection in the StackRox Kubernetes Security Platform." \
+      io.stackrox.collector.version="${COLLECTOR_VERSION}"
+
+WORKDIR /
+
+RUN dnf upgrade -y && \
+    dnf install -y libasan libubsan libtsan elfutils-libelf
+
+# Uncomment this line to enable generation of core for collector
+# RUN echo '/core/core.%e.%p.%t' > /proc/sys/kernel/core_pattern
+
+COPY container/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
+COPY kernel-modules /kernel-modules
+COPY container/bin/collector /usr/local/bin/
+COPY container/bin/self-checks /usr/local/bin/self-checks
+COPY container/status-check.sh /usr/local/bin/status-check.sh
+
+EXPOSE 8080 9090
+
+HEALTHCHECK \
+	# health checks within the first 5s are not counted as failure
+	--start-period=5s \
+	# perform health check every 5s
+	--interval=5s \
+	# the command uses /ready API
+	CMD /usr/local/bin/status-check.sh
+
+ENTRYPOINT ["collector"]

collector/container/konflux.Dockerfile

@@ -79,18 +79,27 @@ RUN ctest --no-tests=error -V --test-dir "${CMAKE_BUILD_DIR}"
 RUN strip -v --strip-unneeded "${CMAKE_BUILD_DIR}/collector/collector"
 
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:69f5c9886ecb19b23e88275a5cd904c47dd982dfa370fbbd0c356d7b1047ef68
-
-RUN microdnf -y install --nobest \
-      tbb \
-      c-ares \
-      crypto-policies-scripts \
-      elfutils-libelf && \
-    # Enable post-quantum cryptography key exchange for TLS.
-    update-crypto-policies --set DEFAULT:PQ && \
-    microdnf -y clean all && \
-    rpm --verbose -e --nodeps $(rpm -qa 'curl' '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*' 'libyaml*' 'libarchive*') && \
-    rm -rf /var/cache/dnf /var/cache/yum
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:093a704be0eaef9bb52d9bc0219c67ee9db13c2e797da400ddb5d5ae6849fa10 AS ubi-micro-base
+
+FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:6ed9f6f637fe731d93ec60c065dbced79273f1e0b5f512951f2c0b0baedb16ad AS package_installer
+
+COPY --from=ubi-micro-base / /out/
+
+# Install packages directly to /out/ using --installroot
+# Note: --setopt=reposdir=/etc/yum.repos.d instructs dnf to use repo configurations pointing to RPMs
+# prefetched by Hermeto/Cachi2, instead of installroot's default UBI repos.
+RUN dnf install -y \
+    --installroot=/out/ \
+    --releasever=9 \
+    --setopt=install_weak_deps=False \
+    --setopt=reposdir=/etc/yum.repos.d \
+    --nodocs \
+    c-ares ca-certificates crypto-policies-scripts elfutils-libelf libcap-ng libcurl-minimal libstdc++ libuuid openssl tbb && \
+    dnf clean all --installroot=/out/ && \
+    rm -rf /out/var/cache/dnf /out/var/cache/yum
+
+
+FROM ubi-micro-base
 
 ARG COLLECTOR_TAG
 
@@ -122,6 +131,8 @@ ARG CMAKE_BUILD_DIR
 
 ENV COLLECTOR_HOST_ROOT=/host
 
+COPY --from=package_installer /out/ /
+
 COPY --from=builder ${CMAKE_BUILD_DIR}/collector/collector /usr/local/bin/
 COPY --from=builder ${CMAKE_BUILD_DIR}/collector/self-checks /usr/local/bin/
 

collector/container/status-check.sh

@@ -11,11 +11,8 @@
 #    "status" : "ok"
 # }
 #
-# Take the status line, split it by ":" and trim spaces and quotes.
-STATUS=$(curl -s localhost:8080/ready | grep 'status' | awk -F ':' '{print $2}' | tr -d '"' | tr -d ' ')
-
-if [[ "${STATUS}" = "ok" ]]; then
-    exit 0
-else
-    exit 1
-fi
+# Pattern match for "status":"ok" in the JSON response
+case "$(curl -sf localhost:8080/ready)" in
+    *'"status"'*'"ok"'*) exit 0 ;;
+    *) exit 1 ;;
+esac

rpms.in.yaml

@@ -24,10 +24,16 @@ packages:
 - patch
 - systemtap-sdt-devel
 # final stage in collector/container/konflux.Dockerfile
+- libcurl-minimal
 - tbb
 - c-ares
 - crypto-policies-scripts
 - elfutils-libelf
+- ca-certificates
+- openssl
+- libuuid
+- libstdc++
+- libcap-ng
 contentOrigin:
   repofiles: [ "rpms.rhel.repo" ]
 context: