Skip to content

ROX-34663: Migrate from ubi-minimal to ubi-micro#653

Merged
janisz merged 4 commits into
mainfrom
ROX-34663-ubi-micro
May 13, 2026
Merged

ROX-34663: Migrate from ubi-minimal to ubi-micro#653
janisz merged 4 commits into
mainfrom
ROX-34663-ubi-micro

Conversation

@janisz
Copy link
Copy Markdown
Contributor

@janisz janisz commented May 12, 2026
edited
Loading

Description

Reduce container image size and attack surface by migrating to ubi-micro base images following the pattern established in collector and stackrox repositories.

Refs:

Checklist

  • Patch has a change log entry OR does not need one.
  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

CI

@janisz janisz requested review from a team and rhacs-bot as code owners May 12, 2026 14:05
@janisz @claude
ROX-34663: Migrate from ubi-minimal to ubi-micro
f31b1fc 
Reduce container image size and attack surface by migrating to ubi-micro
base images following the pattern established in collector and stackrox
repositories.

Changes:
- Add ubi-micro-base and package_installer multi-stage build pattern
- Replace ubi-minimal with ubi-micro as final base image
- Install packages via dnf --installroot for proper rpmdb tracking
- Add packages: ca-certificates, gzip, less, tar for operational needs
- Maintain crypto-policies-scripts and openssl-libs from original
- Optimize layer caching by moving update-crypto-policies to end

Results:
- Image size: ~150MB (18% reduction)
- Maintained TLS with post-quantum cryptography support
- Reduced package count and attack surface

Refs:
- stackrox/collector#3021
- stackrox/collector#3220

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@janisz janisz force-pushed the ROX-34663-ubi-micro branch from 826daba to f31b1fc Compare May 12, 2026 14:19
Molter73
Molter73 reviewed May 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Molter73 Molter73 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good, but the konflux jobs are failing. There's also a weird situation with the integration tests, it is failing but I can't read the logs (thanks GH).

Comment thread konflux.Containerfile Outdated
@@ -1,3 +1,24 @@
FROM registry.access.redhat.com/ubi9/ubi-micro@sha256:fe9e574f04371b333ed4e21d30d984f6b7fcd1046e579f5ddab4816c0c8e231d AS ubi-micro-base
Copy link
Copy Markdown
Contributor

@Molter73 Molter73 May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this is not the correct SHA for the image based on the konflux work.

Copy link
Copy Markdown
Contributor Author

@janisz janisz May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be fixed now

@janisz janisz requested review from a team and Molter73 May 12, 2026 17:51
Molter73
Molter73 approved these changes May 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Molter73 Molter73 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@janisz janisz merged commit 530531c into main May 13, 2026
26 of 27 checks passed
@janisz janisz deleted the ROX-34663-ubi-micro branch May 13, 2026 09:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Molter73 Molter73 Molter73 approved these changes

@rhacs-bot rhacs-bot Awaiting requested review from rhacs-bot rhacs-bot is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@janisz @Molter73