ROX-33603: Switch to UBI9 base images by mclasmeier · Pull Request #19454 · stackrox/stackrox
Description
This PR replaces #19437 and is based on recent master (after roxctl has been migrated to UBI micro images).
This PR switches all base images in the stackrox repo to UBI9. A couple of smaller changes had to be done to account for technical differences between UBI8 and UBI9, most importantly a change in the update-ca-trust script which fiddles around with the permissions in /etc/pki/ca-trust/extracted and conflicted with our save-dir-contents/restore-all-dir-contents flow, which is used for re-populating directories which are shadowed at runtime by emptyDir mounts.
There are a couple of experiments regarding how to address this best. For example:
- chore(base-image): Migrate Konflux builds to UBI9/RHEL9 scanner#2562 (different repo, same problem): Used chmod at some places to fix permissions after running update-ca-trust. This approach turned out to be not sufficient (see chore(base-image): Migrate Konflux builds to UBI9/RHEL9 scanner#2562 (comment) for explanation).
- ROX-33603: Switch to UBI9 base images #19437: Introduced a dedicated fix-etc-pki-permissions script, which made our restore & import-additional-cas flow idempotent.
- This PR: Works without a dedicated step involving permission fixing. Instead we change the save & restore flow to only deal with the sub-directory /etc/pki/ca-trust/source. In particular, we don't try to restore the problematic directory /etc/pki/ca-trust/extracted at container runtime. Not restoring this directory should be fine, because this is the output directory for update-ca-trust, which we run at container startup. In the same commit which addresses this issue I have also removed code for saving & restoring the directory /etc/ssl, which I believe isn't required nowadays anymore.
There is also one commit, which cleans up the codebase by removing legacy code.
All other changes are required for green CI.
See commit history.
User-facing documentation
- CHANGELOG.md is updated
Testing and quality
- the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
- CI results are inspected
Automated testing
- modified existing tests
No tests added.
How I validated my change
Deploying with
$ roxie deploy -t 4.11.x-380-gb4eff13f93
All pods come up, no startup errors about our save/restore/import-cas flow. Exec'ing into a pod and verifying manually that the operations can be re-run without errors:
❮ kc exec -it deployment/scanner-v4-indexer -- /bin/sh
sh-5.1$ restore-all-dir-contents
sh-5.1$ restore-all-dir-contents
sh-5.1$ find /.init-dirs/etc/pki/ca-trust/
/.init-dirs/etc/pki/ca-trust/
/.init-dirs/etc/pki/ca-trust/source
/.init-dirs/etc/pki/ca-trust/source/README
/.init-dirs/etc/pki/ca-trust/source/anchors
/.init-dirs/etc/pki/ca-trust/source/blocklist
/.init-dirs/etc/pki/ca-trust/source/ca-bundle.legacy.crt
sh-5.1$ import-additional-cas
Setting up CA trust store in container
Looking for certificates in '/usr/local/share/ca-certificates'
No certificates found in /usr/local/share/ca-certificates
Looking for certificates in '/etc/pki/injected-ca-trust'
'/etc/pki/injected-ca-trust/tls-ca-bundle.pem' -> '/etc/pki/ca-trust/source/anchors/tls-ca-bundle.pem'
Updating CA trust
Done setting up CA trust store in container
sh-5.1$ import-additional-cas
Setting up CA trust store in container
Looking for certificates in '/usr/local/share/ca-certificates'
No certificates found in /usr/local/share/ca-certificates
Looking for certificates in '/etc/pki/injected-ca-trust'
'/etc/pki/injected-ca-trust/tls-ca-bundle.pem' -> '/etc/pki/ca-trust/source/anchors/tls-ca-bundle.pem'
Updating CA trust
Done setting up CA trust store in container
sh-5.1$ restore-all-dir-contents
sh-5.1$ import-additional-cas
Setting up CA trust store in container
Looking for certificates in '/usr/local/share/ca-certificates'
No certificates found in /usr/local/share/ca-certificates
Looking for certificates in '/etc/pki/injected-ca-trust'
'/etc/pki/injected-ca-trust/tls-ca-bundle.pem' -> '/etc/pki/ca-trust/source/anchors/tls-ca-bundle.pem'
Updating CA trust
Done setting up CA trust store in container
sh-5.1$
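The save/restore flow the PR describes (snapshot only /etc/pki/ca-trust/source at build time, restore it into the emptyDir-shadowed path at runtime, then import injected CAs and let the trust tool regenerate extracted/) is shown below as an added, constructed example. It is not stackrox's own save-dir-contents, restore-all-dir-contents or import-additional-cas scripts: the function names, the $ROOT sandbox, the injected-CA file and the update_ca_trust_stub that stands in for the real update-ca-trust are all assumptions made so the flow can be run offline without root. The point it demonstrates is why skipping extracted/ keeps the flow idempotent: every step can be re-run in any order without failing or duplicating anchors, and the extracted bundle never ends up in the snapshot.

```shell
#!/bin/sh
# Constructed example (not stackrox code): a minimal save/restore flow that
# snapshots only etc/pki/ca-trust/source at "build time", restores it at
# "runtime", imports extra CAs and regenerates the extracted bundle.
# Everything lives under $ROOT (a temp dir) so it runs offline without root.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"
REL="etc/pki/ca-trust/source"                     # the only subtree we snapshot
INIT_DIRS="$ROOT/.init-dirs"                      # snapshot location, like /.init-dirs
CA_SOURCE="$ROOT/$REL"                            # restored at runtime
CA_EXTRACTED="$ROOT/etc/pki/ca-trust/extracted"   # tool output; deliberately never restored
INJECTED="$ROOT/etc/pki/injected-ca-trust"        # where an operator mounts extra CAs (assumed path)

# "Build time": create a default trust source and snapshot it into $INIT_DIRS.
save_dir_contents() {
  mkdir -p "$CA_SOURCE/anchors" "$CA_SOURCE/blocklist"
  printf 'default bundle\n' > "$CA_SOURCE/ca-bundle.legacy.crt"   # constructed content
  mkdir -p "$INIT_DIRS/$REL"
  cp -R "$CA_SOURCE/." "$INIT_DIRS/$REL/"
}

# "Runtime": an emptyDir mount shadows etc/pki/ca-trust, so the whole tree is gone.
simulate_emptydir_mount() {
  rm -rf "$ROOT/etc/pki/ca-trust"
  mkdir -p "$ROOT/etc/pki/ca-trust"
}

# Restore only the snapshotted sub-directory. Re-running is harmless: identical
# files are overwritten in place and extra files (imported anchors) are left alone.
restore_all_dir_contents() {
  mkdir -p "$CA_SOURCE"
  cp -R "$INIT_DIRS/$REL/." "$CA_SOURCE/"
}

# Stand-in for update-ca-trust (assumption: the real tool is not available here).
# It rebuilds extracted/ from scratch each time, which is exactly why extracted/
# does not need to be part of the snapshot.
update_ca_trust_stub() {
  mkdir -p "$CA_EXTRACTED"
  : > "$CA_EXTRACTED/tls-ca-bundle.pem"
  for f in "$CA_SOURCE/ca-bundle.legacy.crt" "$CA_SOURCE"/anchors/*.pem; do
    if [ -f "$f" ]; then cat "$f" >> "$CA_EXTRACTED/tls-ca-bundle.pem"; fi
  done
}

# Copy injected CAs into source/anchors (same name -> same file, so repeatable),
# then regenerate the extracted bundle.
import_additional_cas() {
  mkdir -p "$CA_SOURCE/anchors"
  for f in "$INJECTED"/*.pem; do
    if [ -f "$f" ]; then cp "$f" "$CA_SOURCE/anchors/"; fi
  done
  update_ca_trust_stub
}

anchor_count() { ls "$CA_SOURCE/anchors" | wc -l | tr -d ' '; }
bundle_lines() { wc -l < "$CA_EXTRACTED/tls-ca-bundle.pem" | tr -d ' '; }

# Exercise the flow the same way the PR's manual check did: repeated restores
# and imports in mixed order must neither fail nor accumulate anchors.
demo() {
  save_dir_contents
  simulate_emptydir_mount
  mkdir -p "$INJECTED"
  printf 'injected ca\n' > "$INJECTED/tls-ca-bundle.pem"   # constructed operator-provided CA
  restore_all_dir_contents
  restore_all_dir_contents        # second restore: no error, nothing duplicated
  import_additional_cas
  import_additional_cas           # second import: same anchor overwritten, bundle rebuilt
  restore_all_dir_contents        # restore after import keeps the injected anchor
  echo "anchors: $(anchor_count), bundle lines: $(bundle_lines)"
}

demo
```

The invariant worth checking after running it is that $INIT_DIRS contains only the source subtree and no extracted/ directory; because the stub (like the real tool) recreates extracted/ on every run, restoring it would only ever reintroduce the permission conflict the PR removes.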