NETOBSERV-2611: add tar to dockerfiles (#462)

jotak · web-flow · commit e6fb4b9c9109 · 2026-02-09T07:51:06.000+01:00
* NETOBSERV-2611: add tar to dockerfiles

* Update konflux hermetic builds with rpm cache
diff --git a/.tekton/pipeline-ref.yaml b/.tekton/pipeline-ref.yaml
@@ -48,7 +48,7 @@ spec:
     description: Execute the build with network isolation
     name: hermetic
     type: string
-  - default: "{\"type\":\"gomod\", \"path\":\".\"}"
+  - default: '[{"type": "gomod", "path": "."}, {"type": "rpm", "path": "./rpm-prefetching/"}]'
     description: Build dependencies to be prefetched by Cachi2
     name: prefetch-input
     type: string
diff --git a/Dockerfile b/Dockerfile
@@ -33,7 +33,11 @@ RUN USER=netobserv VERSION=main make oc-commands
 RUN mkdir -p output
 
 # Create final image from ubi + built binary and command
-FROM --platform=linux/$TARGETARCH registry.access.redhat.com/ubi9/ubi:9.7-1769417801
+FROM --platform=linux/$TARGETARCH registry.access.redhat.com/ubi9/ubi-minimal:9.7-1769056855
+
+RUN microdnf install -y tar && \
+    microdnf clean all
+
 WORKDIR /
 
 COPY --from=builder /opt/app-root/build .
diff --git a/Dockerfile.downstream b/Dockerfile.downstream
@@ -38,6 +38,9 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1769056855
 ARG BUILDVERSION
 ARG BUILDVERSION_Y
 
+RUN microdnf install -y tar && \
+    microdnf clean all
+
 WORKDIR /
 
 COPY --from=builder /opt/app-root/build .
diff --git a/rpm-prefetching/README.md b/rpm-prefetching/README.md
@@ -0,0 +1,29 @@
+## RPM pre-fetching for Konflux
+
+1. Doc reference is here: https://konflux.pages.redhat.com/docs/users/building/prefetching-dependencies.html#rpm-walkthrough
+
+2. How it's currently done:
+
+Tool rpm-lockfile-prototype is downloaded as a Docker image via:
+
+```
+curl https://raw.githubusercontent.com/konflux-ci/rpm-lockfile-prototype/refs/heads/main/Containerfile \
+   | $(OCI_BIN) build -t localhost/rpm-lockfile-prototype -
+```
+
+Then, ubi.repo was created out of the current base image (which means, we need to do it again every time the base image changes)
+
+```
+BASE_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:9.7-1769056855
+podman run -it $BASE_IMAGE cat /etc/yum.repos.d/ubi.repo > rpm-prefetching/ubi.repo
+sed -i 's/ubi-9-codeready-builder/codeready-builder-for-ubi-9-$basearch/' rpm-prefetching/ubi.repo
+sed -i 's/\[ubi-9/[ubi-9-for-$basearch/' rpm-prefetching/ubi.repo
+```
+
+Finally, run rpm-lockfile-prototype:
+
+```
+podman run --privileged --rm -v ./rpm-prefetching:/work localhost/rpm-lockfile-prototype:latest --outfile=rpms.lock.yaml --image $BASE_IMAGE rpms.in.yaml
+```
+
+3. Automate all this!
diff --git a/rpm-prefetching/rpms.in.yaml b/rpm-prefetching/rpms.in.yaml
@@ -0,0 +1,10 @@
+contentOrigin:
+  repofiles:
+  - ubi.repo
+packages:
+  - tar
+arches:
+  - aarch64
+  - x86_64
+  - ppc64le
+  - s390x
diff --git a/rpm-prefetching/rpms.lock.yaml b/rpm-prefetching/rpms.lock.yaml
@@ -0,0 +1,48 @@
+---
+lockfileVersion: 1
+lockfileVendor: redhat
+arches:
+- arch: aarch64
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/t/tar-1.34-9.el9_7.aarch64.rpm
+    repoid: ubi-9-for-aarch64-baseos-rpms
+    size: 898317
+    checksum: sha256:2d0bd44116c3f5c229d25fdc6458f6ce24a7ad4fdb463767eea48dcab78c5062
+    name: tar
+    evr: 2:1.34-9.el9_7
+    sourcerpm: tar-1.34-9.el9_7.src.rpm
+  source: []
+  module_metadata: []
+- arch: ppc64le
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/baseos/os/Packages/t/tar-1.34-9.el9_7.ppc64le.rpm
+    repoid: ubi-9-for-ppc64le-baseos-rpms
+    size: 938310
+    checksum: sha256:6b32b0c5b960f836c91fae329c0d2786d932a44b9e44711639646b5e55146c8b
+    name: tar
+    evr: 2:1.34-9.el9_7
+    sourcerpm: tar-1.34-9.el9_7.src.rpm
+  source: []
+  module_metadata: []
+- arch: s390x
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/t/tar-1.34-9.el9_7.s390x.rpm
+    repoid: ubi-9-for-s390x-baseos-rpms
+    size: 900131
+    checksum: sha256:ae335ed3e594cdb4123c6732c5dd9d4250050e96117e2593b31f8c4ee4ee2b8f
+    name: tar
+    evr: 2:1.34-9.el9_7
+    sourcerpm: tar-1.34-9.el9_7.src.rpm
+  source: []
+  module_metadata: []
+- arch: x86_64
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/t/tar-1.34-9.el9_7.x86_64.rpm
+    repoid: ubi-9-for-x86_64-baseos-rpms
+    size: 906521
+    checksum: sha256:4c0beb933074a5254c297e8968b3f41ec5a02b23056997ddcf526fe7e6166482
+    name: tar
+    evr: 2:1.34-9.el9_7
+    sourcerpm: tar-1.34-9.el9_7.src.rpm
+  source: []
+  module_metadata: []
diff --git a/rpm-prefetching/ubi.repo b/rpm-prefetching/ubi.repo
@@ -0,0 +1,62 @@
+[ubi-9-for-$basearch-baseos-rpms]
+name = Red Hat Universal Base Image 9 (RPMs) - BaseOS
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-for-$basearch-baseos-debug-rpms]
+name = Red Hat Universal Base Image 9 (Debug RPMs) - BaseOS
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/debug
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-for-$basearch-baseos-source-rpms]
+name = Red Hat Universal Base Image 9 (Source RPMs) - BaseOS
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/source/SRPMS
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-for-$basearch-appstream-rpms]
+name = Red Hat Universal Base Image 9 (RPMs) - AppStream
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-for-$basearch-appstream-debug-rpms]
+name = Red Hat Universal Base Image 9 (Debug RPMs) - AppStream
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/debug
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-9-for-$basearch-appstream-source-rpms]
+name = Red Hat Universal Base Image 9 (Source RPMs) - AppStream
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/source/SRPMS
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[codeready-builder-for-ubi-9-$basearch-rpms]
+name = Red Hat Universal Base Image 9 (RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[codeready-builder-for-ubi-9-$basearch-debug-rpms]
+name = Red Hat Universal Base Image 9 (Debug RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/debug
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[codeready-builder-for-ubi-9-$basearch-source-rpms]
+name = Red Hat Universal Base Image 9 (Source RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/source/SRPMS
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
