Add support to build UBI based images

.github/workflows/lib-build.yaml

@@ -51,3 +51,30 @@ jobs:
           BUILDER_NAME: ${{ matrix.builder }}
         run: |
           make ${IMAGE_NAME} BUILDER=${BUILDER_NAME}
+  imageubi:
+    name: Build UBI image
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        image:
+          - intel-gpu-plugin
+          - intel-qat-initcontainer
+          - intel-qat-plugin
+          - intel-deviceplugin-operator
+          - intel-sgx-plugin
+          - intel-sgx-initcontainer
+          - intel-dsa-plugin
+        builder: [docker]
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - run: make -e vendor
+      - name: Build image
+        env:
+          IMAGE_NAME: ${{ matrix.image }}
+          BUILDER_NAME: ${{ matrix.builder }}
+        run: |
+          make ${IMAGE_NAME} BUILDER=${BUILDER_NAME} UBI=1

DEVEL.md

@@ -14,6 +14,7 @@ Table of Contents
 * [How to Develop Simple Device Plugins](#how-to-develop-simple-device-plugins)
     * [Logging](#logging)
     * [Error Conventions](#error-conventions)
+* [UBI images](#ubi-images)
 * [Checklist for New Device Plugins](#checklist-for-new-device-plugins)
 
 ## Day-to-day Development How to's
@@ -253,12 +254,12 @@ go test -v ./test/e2e/... -args -ginkgo.focus "Device:(dlb|dsa|iaa|qat|sgx)"
 It is possible to run predefined e2e tests with:
 ```
 make e2e-<device> [E2E_LEVEL={basic|full}] [FOCUS=<labels in regex>] [SKIP=<labels in regex>]
-```  
+```
 
 | `E2E_LEVEL`   | Equivalent `FOCUS` or `SKIP` | Explanation                                                                                      |
 :-------------- |:---------------------------- |:------------------------------------------------------------------------------------------------ |
 | `basic`       | `FOCUS=App:noapp`            | `basic` does not run any app pod, but checks if the plugin works and the resources are available |
-| `full`        | `SKIP=App:noapp`             | `full` checks all resources, runs all apps except the spec kept for no app running               | 
+| `full`        | `SKIP=App:noapp`             | `full` checks all resources, runs all apps except the spec kept for no app running               |
 
 ### Examples
 
@@ -426,6 +427,36 @@ Otherwise, they can be logged as simple values:
     klog.Warningf("Example of a warning due to an external error: %v", err)
 ```
 
+## UBI images
+
+UBI based images use different base image.
+
+|Default|UBI|
+|---|---|
+|gcr.io/distroless/static|registry.access.redhat.com/ubi9-micro:latest|
+|debian:unstable-slim|registry.access.redhat.com/ubi9/ubi:latest|
+
+The UBI based images are required for deployments that run on OpenShift Container Platform (OCP).
+
+To build these images:
+```bash
+UBI=1 make <image-name>
+```
+
+### Containers with RPM dependencies
+
+There are two containers that have external dependencies which are installed at build time from OSV repositories:
+* intel-idxd-config-initcontainer
+* intel-gpu-levelzero
+
+To build these containers, the build host has to be registered via `subscription-manager`. Typically the host OS has to be RHEL or some other RPM based Linux variant (e.g. Fedora).
+
+```bash
+UBI=1 BUILDER=podman make <image-name>
+```
+
+Docker doesn't support installing RPM packages with `subscription-manager`, so Podman needs to be used.
+
 ## Checklist for New Device Plugins
 
 For new device plugins contributed to this repository, below is a

Makefile

@@ -3,6 +3,7 @@ GO := go
 GOFMT := gofmt
 KUSTOMIZE ?= kustomize
 OPERATOR_SDK ?= operator-sdk
+UBI ?= 0
 
 BUILDTAGS ?= ""
 BUILDER ?= "docker"
@@ -176,7 +177,7 @@ endif
 
 dockerlib = build/docker/lib
 dockertemplates = build/docker/templates
-images = $(shell basename -s .Dockerfile.in -a $(dockertemplates)/*.Dockerfile.in | grep -v -e dlb -e fpga -e xpumanager-sidecar)
+images = $(shell basename -s .Dockerfile.in -a $(dockertemplates)/*.Dockerfile.in | grep -v -e dlb -e fpga -e xpumanager-sidecar -e ubi)
 dockerfiles = $(shell basename -s .in -a $(dockertemplates)/*.Dockerfile.in | xargs -I"{}" echo build/docker/{})
 
 test-image-base-layer:
@@ -202,7 +203,7 @@ check-dockerfiles: dockerfiles
 	fi
 
 $(images): $(dockerfiles)
-	@build/docker/build-image.sh $(REG)$@ $(BUILDER) $(EXTRA_BUILD_ARGS)
+	@build/docker/build-image.sh $(REG)$@ $(BUILDER) $(UBI) $(EXTRA_BUILD_ARGS)
 
 images: $(images)
 

build/docker/build-image.sh

@@ -16,10 +16,11 @@ fi
 
 shift
 
-if [ "$1" = 'docker' -o "$1" = 'buildah' -o "$1" = 'podman' ]; then
-    BUILDER=$1
-    shift
-fi
+BUILDER=$1
+shift
+
+UBI=$1
+shift
 
 TAG=${TAG:-devel}
 
@@ -29,11 +30,22 @@ if [ -d $(dirname $0)/../../vendor ] ; then
     BUILD_ARGS="${BUILD_ARGS} --build-arg DIR=/go/src/github.com/intel/intel-device-plugins-for-kubernetes --build-arg GO111MODULE=off"
 fi
 
-BUILD_ARGS="${BUILD_ARGS} \
-    --build-arg FINAL_BASE=gcr.io/distroless/static \
-    --build-arg BUILD_BASE=golang:1.25-trixie \
-    --build-arg FINAL_BASE_DYN=debian:unstable-slim \
-    --build-arg ROCKYLINUX=0"
+GOLANG_BASE=golang:1.25-trixie
+
+if [ "${UBI}" = '1' ]; then
+    echo $DOCKERFILE | grep -q -e 'idxd-config' -e 'levelzero' && {
+        echo "Using UBI specific Dockerfile for ${IMG}"
+        DOCKERFILE="$(dirname $0)/$(basename ${IMG}).ubi.Dockerfile"
+    }
+
+    BUILD_ARGS="${BUILD_ARGS} \
+        --build-arg FINAL_BASE=registry.access.redhat.com/ubi9-micro:latest \
+        --build-arg BUILD_BASE=${GOLANG_BASE}"
+else
+    BUILD_ARGS="${BUILD_ARGS} \
+        --build-arg FINAL_BASE=gcr.io/distroless/static \
+        --build-arg BUILD_BASE=${GOLANG_BASE}"
+fi
 
 if [ -z "${BUILDER}" -o "${BUILDER}" = 'docker' -o "${BUILDER}" = 'podman' ] ; then
     ${BUILDER} build --pull -t ${IMG}:${TAG} ${BUILD_ARGS} -f ${DOCKERFILE} .

build/docker/intel-gpu-levelzero.Dockerfile

@@ -15,18 +15,8 @@
 ## limitations under the License.
 ###
 ARG CMD=gpu_levelzero
-ARG ROCKYLINUX=1
-## FINAL_BASE_DYN can be used to configure the base image of the final image.
-## The project default is 1) which sets FINAL_BASE_DYN=gcr.io/distroless/cc-debian12
-## (see build-image.sh).
-## 2) and the default FINAL_BASE is primarily used to build Redhat Certified Openshift Operator container images that must be UBI based.
-## The RedHat build tool does not allow additional image build parameters.
-ARG BUILD_BASE=rockylinux:9
-ARG FINAL_BASE_DYN=registry.access.redhat.com/ubi9/ubi-minimal:9.3
-###
-## Use the BUILD_BASE when either the a) golang-trixie is updated to a newer glibc
-## or b) the intel-igc-core libraries are fixed to not to demand a newer glibc
-FROM ${FINAL_BASE_DYN} AS builder
+ARG BUILD_BASE=golang:1.25-trixie
+FROM ${BUILD_BASE} AS builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ENV CGO_CFLAGS="-pipe -fno-plt"
 ENV CGO_LDFLAGS="-fstack-protector-strong -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now,-z,noexecstack,-z,defs,-s,-w"
@@ -36,71 +26,48 @@ ENV ASMFLAGS="all=-spectre=all"
 ENV LDFLAGS="all=-linkmode=external -s -w"
 ARG GOLICENSES_VERSION
 ARG CMD
-ARG ROCKYLINUX
-ARG CGO_VERSION=1.25
 RUN mkdir /runtime
-RUN if [ $ROCKYLINUX -eq 0 ]; then \
-        apt-get update && apt-get install --no-install-recommends -y wget jq curl libc6-dev ocl-icd-libopencl1 gcc ca-certificates && \
-        LATEST_GO=$(curl --no-progress-meter https://go.dev/dl/?mode=json | jq ".[] | select(.version | startswith(\"go${CGO_VERSION}\")).version" | tr -d "\"") && \
-        wget -q https://go.dev/dl/$LATEST_GO.linux-amd64.tar.gz -O - | tar -xz -C /usr/local && \
-        cd /runtime && \
-        wget -q https://github.com/intel/intel-graphics-compiler/releases/download/v2.20.3/intel-igc-core-2_2.20.3+19972_amd64.deb && \
-        wget -q https://github.com/intel/intel-graphics-compiler/releases/download/v2.20.3/intel-igc-opencl-2_2.20.3+19972_amd64.deb && \
-        wget -q https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/intel-opencl-icd_25.40.35563.4-0_amd64.deb && \
-        wget -q https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/libigdgmm12_22.8.2_amd64.deb && \
-        wget -q https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/libze-intel-gpu1_25.40.35563.4-0_amd64.deb && \
-        wget -q https://github.com/oneapi-src/level-zero/releases/download/v1.24.3/level-zero_1.24.3+u22.04_amd64.deb && \
-        wget -q https://github.com/oneapi-src/level-zero/releases/download/v1.24.3/level-zero-devel_1.24.3+u22.04_amd64.deb && \
-        dpkg -i *.deb && \
-        rm -f *.deb && \
-        rm -rf /var/lib/apt/lists/\*; \
-    else \
-        source /etc/os-release && dnf install -y gcc jq wget 'dnf-command(config-manager)' && \
-        dnf config-manager --add-repo https://repositories.intel.com/gpu/rhel/${VERSION_ID}/lts/2350/unified/intel-gpu-${VERSION_ID}.repo && \
-        dnf install -y intel-opencl level-zero level-zero-devel intel-level-zero-gpu intel-gmmlib intel-ocloc && \
-        dnf clean all && \
-        LATEST_GO=$(curl --no-progress-meter https://go.dev/dl/?mode=json | jq ".[] | select(.version | startswith(\"go${CGO_VERSION}\")).version" | tr -d "\"") && \
-        wget -q https://go.dev/dl/$LATEST_GO.linux-amd64.tar.gz -O - | tar -xz -C /usr/local && \
-        cp -a /etc/OpenCL /usr/lib64/libocloc.so /usr/lib64/libze_intel_gpu.* /usr/lib64/libze_loader.* /usr/lib64/libigdgmm.* /runtime/ && \
-        mkdir /runtime/licenses/ && cd /usr/share/licenses/ && cp -a level-zero intel-gmmlib intel-level-zero-gpu intel-ocloc /runtime/licenses/; \
-    fi
+RUN apt-get update && apt-get install --no-install-recommends -y wget jq curl libc6-dev ocl-icd-libopencl1 gcc ca-certificates && \
+    cd /runtime && \
+    wget -q https://github.com/intel/intel-graphics-compiler/releases/download/v2.20.3/intel-igc-core-2_2.20.3+19972_amd64.deb && \
+    wget -q https://github.com/intel/intel-graphics-compiler/releases/download/v2.20.3/intel-igc-opencl-2_2.20.3+19972_amd64.deb && \
+    wget -q https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/intel-opencl-icd_25.40.35563.4-0_amd64.deb && \
+    wget -q https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/libigdgmm12_22.8.2_amd64.deb && \
+    wget -q https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/libze-intel-gpu1_25.40.35563.4-0_amd64.deb && \
+    wget -q https://github.com/oneapi-src/level-zero/releases/download/v1.24.3/level-zero_1.24.3+u22.04_amd64.deb && \
+    wget -q https://github.com/oneapi-src/level-zero/releases/download/v1.24.3/level-zero-devel_1.24.3+u22.04_amd64.deb && \
+    dpkg -i *.deb && \
+    rm -f *.deb && \
+    rm -rf /var/lib/apt/lists/\*
 ARG EP=/usr/local/bin/intel_gpu_levelzero
-ARG CMD
 WORKDIR ${DIR}
 COPY . .
-## Apply for the build phase as well as the license copy below the build.
-ENV PATH=$PATH:/usr/local/go/bin/
 RUN cd cmd/${CMD} && \
-    GO111MODULE=on CGO_ENABLED=1 go install $CGOFLAGS --gcflags="$GCFLAGS" --asmflags="$ASMFLAGS" --ldflags="$LDFLAGS"
-RUN [ $ROCKYLINUX -eq 0 ] && install -D /go/bin/${CMD} /install_root${EP} || install -D /root/go/bin/${CMD} /install_root${EP}
+    GO111MODULE=on CGO_ENABLED=1 go install $CGOFLAGS --gcflags="$GCFLAGS" --asmflags="$ASMFLAGS" --ldflags="$LDFLAGS" && \
+    install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on GOROOT=$(go env GOROOT) go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
     --save_path /install_root/licenses/$CMD/go-licenses ; \
     else mkdir -p /install_root/licenses/$CMD/go-licenses/ && cd licenses/$CMD && cp -r * /install_root/licenses/$CMD/go-licenses/ ; fi && \
     echo "Verifying installed licenses" && test -e /install_root/licenses/$CMD/go-licenses
-FROM ${FINAL_BASE_DYN}
+FROM debian:unstable-slim
 ARG CMD
-ARG ROCKYLINUX
 COPY --from=builder /runtime /runtime
-RUN if [ $ROCKYLINUX -eq 0 ]; then \
-        apt-get update && apt-get install --no-install-recommends -y ocl-icd-libopencl1 wget ca-certificates && \
-        cd /runtime && \
-        wget https://github.com/intel/intel-graphics-compiler/releases/download/v2.20.3/intel-igc-core-2_2.20.3+19972_amd64.deb && \
-        wget https://github.com/intel/intel-graphics-compiler/releases/download/v2.20.3/intel-igc-opencl-2_2.20.3+19972_amd64.deb && \
-        wget https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/intel-opencl-icd_25.40.35563.4-0_amd64.deb && \
-        wget https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/libigdgmm12_22.8.2_amd64.deb && \
-        wget https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/libze-intel-gpu1_25.40.35563.4-0_amd64.deb && \
-        wget https://github.com/oneapi-src/level-zero/releases/download/v1.24.3/level-zero_1.24.3+u22.04_amd64.deb && \
-        dpkg -i *.deb && \
-        apt-get -y remove wget ca-certificates && \
-        apt-get -y autoremove && \
-        rm -f *.deb && \
-        rm -rf /var/lib/apt/lists/\* && \
-        rm "/lib/x86_64-linux-gnu/libze_validation"* && rm "/lib/x86_64-linux-gnu/libze_tracing_layer"*; \
-    else \
-        cp -a /runtime//*.so* /usr/lib64/ && cp -a /runtime/OpenCL /etc/ && cp -a /runtime/licenses/* /usr/share/licenses/; \
-    fi
+RUN apt-get update && apt-get install --no-install-recommends -y ocl-icd-libopencl1 wget ca-certificates && \
+    cd /runtime && \
+    wget https://github.com/intel/intel-graphics-compiler/releases/download/v2.20.3/intel-igc-core-2_2.20.3+19972_amd64.deb && \
+    wget https://github.com/intel/intel-graphics-compiler/releases/download/v2.20.3/intel-igc-opencl-2_2.20.3+19972_amd64.deb && \
+    wget https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/intel-opencl-icd_25.40.35563.4-0_amd64.deb && \
+    wget https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/libigdgmm12_22.8.2_amd64.deb && \
+    wget https://github.com/intel/compute-runtime/releases/download/25.40.35563.4/libze-intel-gpu1_25.40.35563.4-0_amd64.deb && \
+    wget https://github.com/oneapi-src/level-zero/releases/download/v1.24.3/level-zero_1.24.3+u22.04_amd64.deb && \
+    dpkg -i *.deb && \
+    apt-get -y remove wget ca-certificates && \
+    apt-get -y autoremove && \
+    rm -f *.deb && \
+    rm -rf /var/lib/apt/lists/\* && \
+    rm "/lib/x86_64-linux-gnu/libze_validation"* && rm "/lib/x86_64-linux-gnu/libze_tracing_layer"*
 COPY --from=builder /install_root /
 ENTRYPOINT ["/usr/local/bin/intel_gpu_levelzero"]
 LABEL vendor='Intel®'

build/docker/intel-gpu-levelzero.ubi.Dockerfile

@@ -0,0 +1,68 @@
+## This is a generated file, do not edit directly. Edit build/docker/templates/intel-gpu-levelzero.ubi.Dockerfile.in instead.
+##
+## Copyright 2022 Intel Corporation. All Rights Reserved.
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+###
+ARG CMD=gpu_levelzero
+## At the time of writing this, 9.6 is the latest supported version for Intel GPU repos.
+ARG FINAL_BASE_UBI=registry.access.redhat.com/ubi9/ubi:9.6
+FROM ${FINAL_BASE_UBI} AS builder
+ARG DIR=/intel-device-plugins-for-kubernetes
+ENV CGO_CFLAGS="-pipe -fno-plt"
+ENV CGO_LDFLAGS="-fstack-protector-strong -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now,-z,noexecstack,-z,defs,-s"
+ENV CGOFLAGS="-trimpath -mod=readonly -buildmode=pie"
+ENV GCFLAGS="all=-spectre=all -N -l"
+ENV ASMFLAGS="all=-spectre=all"
+ENV LDFLAGS="all=-linkmode=external -s -w"
+ARG GOLICENSES_VERSION
+ARG CMD
+ARG CGO_VERSION=1.25
+RUN mkdir /runtime
+RUN source /etc/os-release && dnf install -y gcc jq wget 'dnf-command(config-manager)' && \
+    dnf config-manager --add-repo https://repositories.intel.com/gpu/rhel/${VERSION_ID}/lts/2523/unified/intel-gpu-${VERSION_ID}.repo && \
+    dnf install -y intel-opencl level-zero level-zero-devel intel-level-zero-gpu intel-gmmlib intel-ocloc && \
+    dnf clean all && \
+    LATEST_GO=$(curl --no-progress-meter https://go.dev/dl/?mode=json | jq ".[] | select(.version | startswith(\"go${CGO_VERSION}\")).version" | tr -d "\"") && \
+    wget -q https://go.dev/dl/$LATEST_GO.linux-amd64.tar.gz -O - | tar -xz -C /usr/local
+ARG EP=/usr/local/bin/intel_gpu_levelzero
+WORKDIR ${DIR}
+COPY . .
+## Apply for the build phase as well as the license copy below the build.
+ENV PATH=$PATH:/usr/local/go/bin/
+RUN cd cmd/${CMD} && \
+    GO111MODULE=on CGO_ENABLED=1 go install $CGOFLAGS --gcflags="$GCFLAGS" --asmflags="$ASMFLAGS" --ldflags="$LDFLAGS" && \
+    install -D /root/go/bin/${CMD} /install_root${EP}
+RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
+    && if [ ! -d "licenses/$CMD" ] ; then \
+    GO111MODULE=on GOROOT=$(go env GOROOT) go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
+    --save_path /install_root/licenses/$CMD/go-licenses ; \
+    else mkdir -p /install_root/licenses/$CMD/go-licenses/ && cd licenses/$CMD && cp -r * /install_root/licenses/$CMD/go-licenses/ ; fi && \
+    echo "Verifying installed licenses" && test -e /install_root/licenses/$CMD/go-licenses
+FROM ${FINAL_BASE_UBI}
+ARG CMD
+COPY --from=builder /runtime /runtime
+RUN source /etc/os-release && dnf install -y 'dnf-command(config-manager)' && \
+    dnf config-manager --add-repo https://repositories.intel.com/gpu/rhel/${VERSION_ID}/lts/2523/unified/intel-gpu-${VERSION_ID}.repo && \
+    dnf install -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs intel-opencl level-zero intel-level-zero-gpu intel-gmmlib intel-ocloc && \
+    dnf remove -y 'dnf-command(config-manager)' && dnf -y autoremove && dnf clean all && rm -rf /var/cache/dnf
+COPY --from=builder /install_root /
+ENTRYPOINT ["/usr/local/bin/intel_gpu_levelzero"]
+LABEL vendor='Intel®'
+LABEL org.opencontainers.image.source='https://github.com/intel/intel-device-plugins-for-kubernetes'
+LABEL maintainer="Intel®"
+LABEL version='devel'
+LABEL release='1'
+LABEL name='intel-gpu-levelzero'
+LABEL summary='Intel® GPU levelzero for Kubernetes'
+LABEL description='The GPU levelzero container provides access to Levelzero API for the Intel GPU plugin'

build/docker/intel-idxd-config-initcontainer.Dockerfile

@@ -25,3 +25,11 @@ COPY demo/iaa.conf /idxd-init/
 RUN mkdir /idxd-init/scratch
 WORKDIR /idxd-init
 ENTRYPOINT ["/usr/local/bin/idxd-init.sh"]
+LABEL name='intel-idxd-config-initcontainer'
+LABEL summary='Intel® IDXD config initcontainer for Kubernetes'
+LABEL description='IDXD config configures DSA and IAA devices for use with the DSA/IAA plugin'
+LABEL vendor='Intel®'
+LABEL org.opencontainers.image.source='https://github.com/intel/intel-device-plugins-for-kubernetes'
+LABEL maintainer="Intel®"
+LABEL version='devel'
+LABEL release='1'