diff --git a/.konflux/rpm-prefetching/rpms.in.yaml b/.konflux/rpm-prefetching/rpms.in.yaml
new file mode 100644
index 000000000..76671c088
--- /dev/null
+++ b/.konflux/rpm-prefetching/rpms.in.yaml
@@ -0,0 +1,12 @@
+packages: [xz]
+contentOrigin:
+ repofiles: ["./ubi.repo"]
+context:
+ containerfile:
+ file: ../../image/scanner/rhel/konflux.Dockerfile
+ stageName: scanner-common
+arches:
+ - aarch64
+ - ppc64le
+ - s390x
+ - x86_64
diff --git a/.konflux/rpm-prefetching/rpms.lock.yaml b/.konflux/rpm-prefetching/rpms.lock.yaml
new file mode 100644
index 000000000..55c92bdbb
--- /dev/null
+++ b/.konflux/rpm-prefetching/rpms.lock.yaml
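Review bot: rpms.in.yaml carries no comment saying how rpms.lock.yaml is produced from it, so whoever next adds a package beside `xz` or changes the `scanner-common` stage has no pointer for regenerating the lock. A header comment such as `# Input for the RPM lockfile generator; regenerate rpms.lock.yaml after editing this file or the scanner-common base image.` would cover it. Because `context.containerfile` points at the `scanner-common` stage, the resolved package set presumably depends on that stage's base image, which is worth stating in the same comment.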
@@ -0,0 +1,48 @@ +--- +lockfileVersion: 1 +lockfileVendor: redhat +arches: +- arch: aarch64 + packages: + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/aarch64/baseos/os/Packages/x/xz-5.2.4-4.el8_6.aarch64.rpm + repoid: ubi-8-baseos-rpms + size: 156276 + checksum: sha256:342a2504cb34c9a5c1d43906f534cb1f3bf1de58ac517d575cff57053d04ab00 + name: xz + evr: 5.2.4-4.el8_6 + sourcerpm: xz-5.2.4-4.el8_6.src.rpm + source: [] + module_metadata: [] +- arch: ppc64le + packages: + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/ppc64le/baseos/os/Packages/x/xz-5.2.4-4.el8_6.ppc64le.rpm + repoid: ubi-8-baseos-rpms + size: 162264 + checksum: sha256:80d2fc754452ae52b3b36504e5cceb5cd5435a97999351402ae7a28298592a01 + name: xz + evr: 5.2.4-4.el8_6 + sourcerpm: xz-5.2.4-4.el8_6.src.rpm + source: [] + module_metadata: [] +- arch: s390x + packages: + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/s390x/baseos/os/Packages/x/xz-5.2.4-4.el8_6.s390x.rpm + repoid: ubi-8-baseos-rpms + size: 155012 + checksum: sha256:7fb678077d965dd6aeb09df28ce05cba9c22e4110d4b52f1ee43986beb87a5ff + name: xz + evr: 5.2.4-4.el8_6 + sourcerpm: xz-5.2.4-4.el8_6.src.rpm + source: [] + module_metadata: [] +- arch: x86_64 + packages: + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/Packages/x/xz-5.2.4-4.el8_6.x86_64.rpm + repoid: ubi-8-baseos-rpms + size: 156884 + checksum: sha256:fa4ceb20dbf23e9408a6446fefc4b709bc85e0bc563ca423569bbe08ecee2c5e + name: xz + evr: 5.2.4-4.el8_6 + sourcerpm: xz-5.2.4-4.el8_6.src.rpm + source: [] + module_metadata: [] diff --git a/.konflux/rpm-prefetching/ubi.repo b/.konflux/rpm-prefetching/ubi.repo new file mode 100644 index 000000000..5e6d8d21a --- /dev/null +++ b/.konflux/rpm-prefetching/ubi.repo 
@@ -0,0 +1,21 @@
+[ubi-8-baseos-rpms]
+name = Red Hat Universal Base Image 8 (RPMs) - BaseOS
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/baseos/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-appstream-rpms]
+name = Red Hat Universal Base Image 8 (RPMs) - AppStream
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/appstream/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-codeready-builder-rpms]
+name = Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/codeready-builder/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
diff --git a/.tekton/scanner-build.yaml b/.tekton/scanner-build.yaml
index 2a8113455..d94a9ca23 100644
--- a/.tekton/scanner-build.yaml
+++ b/.tekton/scanner-build.yaml
@@ -44,11 +44,10 @@ spec: value: '{{revision}}' - name: rebuild value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" + - name: hermetic + value: "true" - name: prefetch-input - value: '{"type": "gomod", "path": "."}' + value: '[{"type": "gomod", "path": "."}, {"type": "rpm", "path": ".konflux/rpm-prefetching"}]' - name: build-source-image value: 'true' - name: build-target-stage
diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml
index eb0322548..db76b514f 100644
--- a/.tekton/scanner-component-pipeline.yaml
+++ b/.tekton/scanner-component-pipeline.yaml
@@ -230,6 +230,9 @@ spec: value: $(params.output-image-repo):konflux-$(params.revision).prefetch - name: ociArtifactExpiresAfter value: $(params.oci-artifact-expires-after) + # Required for RPM prefetching support + - name: dev-package-managers + value: "true" taskRef: params: - name: name
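Review bot: In ubi.repo all three repositories are `enabled = 1`, yet the lock file in this commit resolves `xz` only from `ubi-8-baseos-rpms`. Leaving `ubi-8-appstream-rpms` and `ubi-8-codeready-builder-rpms` enabled widens the set of sources a later lock regeneration can draw from; if nothing is expected from them, `enabled = 0` on those two sections (or dropping them) keeps the resolution scope to what the image needs. `gpgcheck = 1` with a local `gpgkey` is set on every section and should stay that way.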
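Review bot: The added `hermetic` parameter in .tekton/scanner-build.yaml is written `value: "true"` while the neighbouring parameters in the same list use single quotes (`value: 'true'`); the same mix appears in the scanner-slim, scanner-db and scanner-db-slim hunks. Writing `value: 'true'` for `hermetic` keeps one quoting style per file. The value is the same string either way, so this is style only.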
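Review bot: The comment on `dev-package-managers` in .tekton/scanner-component-pipeline.yaml says why the flag is set but not that it is a temporary opt-in. As far as I know this parameter switches on package managers the prefetch task still treats as in development, whose behaviour can change between task versions, so the comment should say when to drop it, e.g. `# Enables in-development package managers in the prefetch task (needed for rpm); remove once rpm prefetching no longer requires it.` The task this parameter list belongs to is referenced below the hunk and is not fully visible here.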
diff --git a/.tekton/scanner-db-build.yaml b/.tekton/scanner-db-build.yaml
index fd2b10bf3..9b5f13f98 100644
--- a/.tekton/scanner-db-build.yaml
+++ b/.tekton/scanner-db-build.yaml
@@ -44,9 +44,8 @@ spec: value: '{{revision}}' - name: rebuild value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" + - name: hermetic + value: "true" # No language dependencies are required for scanner-db image. - name: prefetch-input value: ''
diff --git a/.tekton/scanner-db-slim-build.yaml b/.tekton/scanner-db-slim-build.yaml
index a02bd0956..408f4b1b9 100644
--- a/.tekton/scanner-db-slim-build.yaml
+++ b/.tekton/scanner-db-slim-build.yaml
@@ -44,9 +44,8 @@ spec: value: '{{revision}}' - name: rebuild value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" + - name: hermetic + value: "true" # No language dependencies are required for scanner-db-slim image. - name: prefetch-input value: ''
diff --git a/.tekton/scanner-slim-build.yaml b/.tekton/scanner-slim-build.yaml
index 18f48e1fd..b80f5f597 100644
--- a/.tekton/scanner-slim-build.yaml
+++ b/.tekton/scanner-slim-build.yaml
@@ -44,11 +44,10 @@ spec: value: '{{revision}}' - name: rebuild value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" + - name: hermetic + value: "true" - name: prefetch-input - value: '{"type": "gomod", "path": "."}' + value: '[{"type": "gomod", "path": "."}, {"type": "rpm", "path": ".konflux/rpm-prefetching"}]' - name: build-source-image value: 'true' - name: build-target-stage
diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile
index 79049bdfa..df52c70b9 100644
--- a/image/db/rhel/konflux.Dockerfile
+++ b/image/db/rhel/konflux.Dockerfile
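Review bot: In .tekton/scanner-db-build.yaml the build is now hermetic while `prefetch-input` stays `''`, and the retained comment above it only mentions language dependencies. With no network and nothing prefetched, any package installation in the db Dockerfile would fail, so the comment should record that constraint: `# Hermetic build with nothing prefetched: the scanner-db Dockerfile must not install or upgrade packages.` The same applies to the scanner-db-slim hunk. Only one hunk of image/db/rhel/konflux.Dockerfile is shown in this commit, so whether other steps in it need the network cannot be confirmed from this page.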
@@ -30,8 +30,7 @@ COPY image/db/rhel/scripts/docker-entrypoint.sh \ COPY LICENSE /licenses/LICENSE -RUN dnf upgrade -y --nobest && \ - localedef -f UTF-8 -i en_US en_US.UTF-8 && \ +RUN localedef -f UTF-8 -i en_US en_US.UTF-8 && \ mkdir -p /var/lib/postgresql && \ groupmod -g 70 postgres && \ usermod -u 70 postgres -d /var/lib/postgresql && \
diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile
index 731cd1125..c24a0bd50 100644
--- a/image/scanner/rhel/konflux.Dockerfile
+++ b/image/scanner/rhel/konflux.Dockerfile
@@ -1,8 +1,3 @@ -ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal -ARG BASE_TAG=latest - - # Compiling scanner binaries and staging repo2cpe and genesis manifests FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.22 AS builder
@@ -35,7 +30,7 @@ COPY .konflux/scanner-data/blob-genesis_manifests.json image/scanner/dump/genesi # Common base for scanner slim and full -FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS scanner-common +FROM registry.access.redhat.com/ubi8-minimal:latest AS scanner-common ARG SCANNER_TAG
@@ -66,8 +61,7 @@ COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifest COPY LICENSE /licenses/LICENSE -RUN microdnf upgrade --nobest && \ - microdnf install xz && \ +RUN microdnf install xz && \ microdnf clean all && \ # (Optional) Remove line below to keep package management utilities # We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
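Review bot: Dropping `dnf upgrade -y --nobest` from the `RUN` in image/db/rhel/konflux.Dockerfile means the image no longer picks up package fixes at build time; whatever the base image contains is what ships. The same holds for the removed `microdnf upgrade --nobest` in the last hunk of image/scanner/rhel/konflux.Dockerfile. That is expected for a hermetic build, but it moves patch freshness entirely onto base-image updates, so a comment above each `RUN` such as `# No upgrade step: hermetic build; package fixes arrive only through base image updates.` would keep someone from re-adding it or assuming it still runs. Both `RUN` instructions continue past the end of their hunks, and the db image's `FROM` line is outside the hunk.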
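Review bot: The new `FROM registry.access.redhat.com/ubi8-minimal:latest AS scanner-common` in image/scanner/rhel/konflux.Dockerfile keeps a floating tag, so the base image is the one input left unpinned in an otherwise locked, hermetic build. rpms.lock.yaml fixes `xz` by checksum, but the lock was presumably resolved against whatever `latest` held when it was generated, and the tag can move independently of it. Pinning by digest, `FROM registry.access.redhat.com/ubi8-minimal:latest@sha256:<digest> AS scanner-common`, with automated digest bumps, makes rebuilds reproducible and shows base changes in review. `<digest>` is a placeholder for the current image digest.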