RHOAIENG-10350 feat(Dockerfiles): switch from s2i python images to plain ubi/c9s bases #641
Conversation
jiridanek
added
the
tide/merge-method-squash
jiridanek
changed the title
base/ubi8-python-3.8/Dockerfile
Outdated
| @@ -1,4 +1,21 @@ | |||
| FROM registry.access.redhat.com/ubi8/python-38:latest | |||
| FROM registry.access.redhat.com/ubi8/ubi:latest | |||
There was a problem hiding this comment.
Can we use ubi-minimal instead?
There was a problem hiding this comment.
That would either mean living with microdnf, or installing regular dnf first thing, at which point the benefits or the ubi-minimal base are pretty much lost, me thinks.
In any case, I'd want to do such large changes in multiple steps, across multiple PRs.
So far, I don't even have the modest change in this PR groomed. It's necessary to move slowly and cautiously, and to build consensus.
The disk savings are small, 300mb across three base images.
There was a problem hiding this comment.
/hold
@jiridanek can you share there is JIRA or github issue linked for this work.
This PR is great, definitely will be good to have however
This work has significant impact on the overall product, without changing the architecture , this change would disrupt some flow i believe.
the s2i image bring working dir: /opt/app-root/src
i don't think ubi:latest, has that working dir,
this might work only because, the PVC gets mounted at the path,
As mount would create the path.
however we should thoroughly check these changes.
Great! In that case I'll go forward creating a Jira so this can be groomed. https://issues.redhat.com/browse/RHOAIENG-10350 |
jiridanek
changed the title
our images explicitly set this in the
sure, that's why I created a jira for doing all the work in organized manner; the disk space savings are not all that significant, but I like how this removes much of the s2i magic, so that's what makes this seem worth doing to me |
|
BTW, I was wondering what are the most important changes, so I prepared some basic script for the image comparison (I have a plan to improve it further and put it into our CI/GHA for our convenience). I tried to compare one of the base images you change here with what we have (note that your build is 2 weeks old, I took the quay image from today):
|
|
+1 for this update, I like this. 🙂 As Harshad mentioned, we should thoroughly test everything to ensure there are no issues with the PVCs. Otherwise, it /lgtm |
yeah; was just thinking whether nginx gets properly installed after this change; I did not think of it before https://issues.redhat.com/browse/RHOAIENG-10350 is opened to properly schedule the work |
jiridanek
force-pushed
the
jd_ubi_base
branch
3 times, most recently
from
e2f0598 to
aa02b11
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
The main benefit is size and cve exposure, as the python images come with packages we don't use; python and pip is enough for us. Additionally, using plain ubi makes things more explicit.
jiridanek
force-pushed
the
jd_ubi_base
branch
from
db683dd to
1e8dd31
Compare
…less podman machine
```
base_image_test.py:146: in test_oc_command_runs_fake_fips
assert ecode == 0, output.decode()
E AssertionError: assertion failed [!result.is_error]: Unable to open /proc/sys/vm/mmap_min_addr
E (VMAllocationTracker.cpp:317 init)
E
E assert 137 == 0
```
```
lima cat /proc/sys/vm/mmap_min_addr
65536
```
```
podman machine ssh cat /proc/sys/vm/mmap_min_addr
65536
```
```
podman run --entrypoint /bin/bash --rm -it ghcr.io/jiridanek/notebooks/workbench-images:base-ubi9-python-3.11-jd_ubi_base_1e8dd3140d980ff573d56d3ae746959f31825d8a
WARNING: image platform (linux/amd64) does not match the expected platform (linux/arm64)
bash-5.1$ cat /proc/sys/vm/mmap_min_addr
65536
```
|
@jiridanek: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@coderabbitai review |
✅ Actions performedReview triggered.
|
WalkthroughThe Dockerfiles for Python 3.11 base images were updated to use more generic CentOS Stream 9 and UBI9 images, with manual setup of the Python environment and utilities. The test for FIPS mode in containers was adjusted for better compatibility across host environments, refining volume mounts and output assertions. Changes
Sequence Diagram(s)sequenceDiagram
participant Host
participant Container
participant OS
participant PythonEnv
Host->>Container: Start container from base image
Container->>OS: Install Python 3.11 & utilities via dnf
Container->>OS: Create user, set env variables
Container->>PythonEnv: Create virtual environment
Container->>OS: Install additional packages (patch, wget, mesa-libGL)
Container->>PythonEnv: Install micropipenv and dependencies
Host->>Container: Run FIPS test (mount fips_enabled or /proc/sys)
Container->>OS: cat /proc/sys/crypto/fips_enabled
Container->>Host: Return FIPS status
Suggested labels
Poem
✨ Finishing Touches
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
🔭 Outside diff range comments (1)
base/c9s-python-3.11/Dockerfile (1)
60-60: Use environment variable for consistency.Line 60 uses hardcoded "python3.11" while the UBI9 version (line 62) uses
${PYTHON_VERSION}. This inconsistency could cause maintenance issues.Apply this diff for consistency:
- chmod -R g+w /opt/app-root/lib/python3.11/site-packages && \ + chmod -R g+w /opt/app-root/lib/python${PYTHON_VERSION}/site-packages && \
🧹 Nitpick comments (1)
tests/containers/base_image_test.py (1)
153-155: Fix Yoda condition for better readability.The change from
sysctltocatcommand is more direct and appropriate. However, the assertion uses a Yoda condition which should be corrected.Apply this diff to fix the Yoda condition:
- assert "1\n" == output.decode(), f"Unexpected crypto/fips_enabled content: {output.decode()}" + assert output.decode() == "1\n", f"Unexpected crypto/fips_enabled content: {output.decode()}"
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
base/c9s-python-3.11/Dockerfile(2 hunks)base/ubi9-python-3.11/Dockerfile(3 hunks)tests/containers/base_image_test.py(2 hunks)
🧰 Additional context used
🪛 Ruff (0.11.9)
tests/containers/base_image_test.py
155-155: Yoda condition detected
Rewrite as output.decode() == "1\n"
(SIM300)
🔇 Additional comments (8)
base/ubi9-python-3.11/Dockerfile (4)
1-18: Excellent manual Python environment setup.The transition from s2i python image to plain UBI9 with manual environment setup is well-implemented. The setup correctly replicates the s2i behavior:
- Proper environment variables and paths
- Correct user/group setup (UID 1001, GID 0) for OpenShift compatibility
- Appropriate directory permissions (0771)
- Virtual environment creation
This aligns perfectly with the PR objectives to reduce image size while maintaining functionality.
40-40: Minor text refinement in echo statement.The text change from "softwares" to "software" improves grammar consistency.
46-50: Good addition of essential utilities.Adding
patchandwgetpackages enhances the base image functionality for development workflows.
62-62: Improved use of environment variable.Using
${PYTHON_VERSION}instead of hardcoded version number makes the Dockerfile more maintainable and consistent.base/c9s-python-3.11/Dockerfile (2)
1-18: Well-implemented manual Python environment setup.The transition to CentOS Stream 9 base with manual environment setup correctly replicates the s2i functionality, following the same pattern as the UBI9 version.
44-48: Good addition of essential utilities.Adding
patchandwgetpackages enhances the base image functionality, consistent with the UBI9 version.tests/containers/base_image_test.py (2)
8-8: Good addition for cross-platform compatibility.Adding the
platformimport enables better handling of Darwin vs Linux environments in the FIPS test.
139-145: Improved FIPS file mounting logic.The conditional volume mounting approach is more robust, handling both macOS and Linux environments appropriately by mounting only the specific FIPS file when possible.
https://issues.redhat.com/browse/RHOAIENG-10350
Description
The main benefit is size and cve exposure, as the python images come with packages we don't use; python and pip is enough for us.
Every image is made approx 300MB smaller by doing this!
Before:
After:
Additionally, using plain ubi makes things more explicit.
How Has This Been Tested?
I'll test this when making this change is planned into a sprint.
Merge criteria:
Summary by CodeRabbit
Chores
Tests