stackrox · msugakov · Aug 8, 2024 · Aug 8, 2024
diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile
@@ -1,70 +1,8 @@
-FROM registry.redhat.io/rhel8/postgresql-15:latest AS scanner-db-common
+FROM registry.access.redhat.com/ubi9-minimal:latest AS scanner-db-slim
 
-ARG SCANNER_TAG
+RUN microdnf -y install xz
 
-LABEL \
-    com.redhat.license_terms="https://www.redhat.com/agreements" \
-    description="Scanner Database Image for Red Hat Advanced Cluster Security for Kubernetes" \
-    io.k8s.description="Scanner Database Image for Red Hat Advanced Cluster Security for Kubernetes" \
-    io.openshift.tags="rhacs,scanner-db,stackrox" \
-    maintainer="Red Hat, Inc." \
-    source-location="https://github.com/stackrox/scanner" \
-    summary="Scanner DB for Red Hat Advanced Cluster Security for Kubernetes" \
-    url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \
-    # We must set version label to prevent inheriting value set in the base stage.
-    version="${SCANNER_TAG}" \
-    # Release label is required by EC although has no practical semantics.
-    # We also set it to not inherit one from a base stage in case it's RHEL or UBI.
-    release="1"
 
-USER root
+FROM registry.access.redhat.com/ubi9:latest AS scanner-db
 
-COPY image/db/pg_hba.conf \
-     image/db/postgresql.conf \
-     /etc/
-
-COPY image/db/rhel/scripts/docker-entrypoint.sh \
-     /usr/local/bin/
-
-RUN dnf upgrade -y --nobest && \
-    localedef -f UTF-8 -i en_US en_US.UTF-8 && \
-    mkdir -p /var/lib/postgresql && \
-    groupmod -g 70 postgres && \
-    usermod -u 70 postgres -d /var/lib/postgresql && \
-    chown -R postgres:postgres /var/lib/postgresql && \
-    chown -R postgres:postgres /var/run/postgresql && \
-    dnf clean all && \
-    rpm --verbose -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
-    rm -rf /var/cache/dnf /var/cache/yum && \
-    mkdir /docker-entrypoint-initdb.d
-
-ENV PG_MAJOR=15 \
-    PGDATA="/var/lib/postgresql/data/pgdata"
-
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 5432
-CMD ["postgres", "-c", "config_file=/etc/postgresql.conf"]
-
-USER 70:70
-
-
-FROM scanner-db-common AS scanner-db-slim
-
-LABEL \
-    com.redhat.component="rhacs-scanner-db-slim-container" \
-    io.k8s.display-name="scanner-db-slim" \
-    name="rhacs-scanner-db-slim-rhel8"
-
-ENV ROX_SLIM_MODE="true"
-
-
-FROM scanner-db-common AS scanner-db
-
-LABEL \
-    com.redhat.component="rhacs-scanner-db-container" \
-    io.k8s.display-name="scanner-db" \
-    name="rhacs-scanner-db-rhel8"
-
-COPY --chown=0:0 blob-pg-definitions.sql.gz \
-     /docker-entrypoint-initdb.d/definitions.sql.gz
+RUN dnf -y install xz
diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile
@@ -1,106 +1,8 @@
-ARG BASE_REGISTRY=registry.access.redhat.com
-ARG BASE_IMAGE=ubi8-minimal
-ARG BASE_TAG=latest
+FROM registry.access.redhat.com/ubi8-minimal:latest AS scanner-slim
 
+RUN microdnf -y install xz
 
-# Compiling scanner binaries and staging repo2cpe and genesis manifests
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.21 AS builder
 
-ARG SCANNER_TAG
-ENV RELEASE_TAG="${SCANNER_TAG}"
+FROM registry.access.redhat.com/ubi8:latest AS scanner
 
-ENV GOFLAGS=""
-ENV CI=1
-
-COPY . /src
-WORKDIR /src
-
-RUN scripts/konflux/fail-build-if-git-is-dirty.sh
-
-RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \
-    unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
-    unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions
-
-RUN echo -n "version: " && make --quiet --no-print-directory tag && \
-    make CGO_ENABLED=1 scanner-build-nodeps
-
-# Replace genesis manifests file in the source code with the one generated at
-# the point when the dump was taken.  This is to avoid discrepancy between other
-# files of the dump and the manifest.
-COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json
-
-
-# Common base for scanner slim and full
-FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS scanner-common
-
-ARG SCANNER_TAG
-
-LABEL \
-    com.redhat.license_terms="https://www.redhat.com/agreements" \
-    description="This image supports image scanning for Red Hat Advanced Cluster Security for Kubernetes" \
-    io.k8s.description="This image supports image scanning for Red Hat Advanced Cluster Security for Kubernetes" \
-    io.openshift.tags="rhacs,scanner,stackrox" \
-    maintainer="Red Hat, Inc." \
-    source-location="https://github.com/stackrox/scanner" \
-    summary="The image scanner for Red Hat Advanced Cluster Security for Kubernetes" \
-    url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \
-    # We must set version label to prevent inheriting value set in the base stage.
-    version="${SCANNER_TAG}" \
-    # Release label is required by EC although has no practical semantics.
-    # We also set it to not inherit one from a base stage in case it's RHEL or UBI.
-    release="1"
-
-SHELL ["/bin/sh", "-o", "pipefail", "-c"]
-
-ENV REPO_TO_CPE_DIR="/repo2cpe"
-
-COPY --from=builder /src/image/scanner/scripts /
-COPY --from=builder /src/image/scanner/bin/scanner ./
-COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
-COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./
-
-RUN microdnf upgrade --nobest && \
-    microdnf install xz && \
-    microdnf clean all && \
-    # (Optional) Remove line below to keep package management utilities
-    # We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
-    rpm -e --nodeps $(rpm -qa curl '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
-    rm -rf /var/cache/dnf /var/cache/yum && \
-    chown -R 65534:65534 /tmp && \
-    # The contents of paths mounted as emptyDir volumes in Kubernetes are saved
-    # by the script `save-dir-contents` during the image build. The directory
-    # contents are then restored by the script `restore-all-dir-contents`
-    # during the container start.
-    chown -R 65534:65534 /etc/pki /etc/ssl && \
-    /save-dir-contents /etc/pki/ca-trust /etc/ssl
-
-# This is equivalent to nobody:nobody.
-USER 65534:65534
-
-ENTRYPOINT ["/entrypoint.sh"]
-
-
-# Scanner Slim
-FROM scanner-common AS scanner-slim
-
-LABEL \
-    com.redhat.component="rhacs-scanner-slim-container" \
-    io.k8s.display-name="scanner-slim" \
-    name="rhacs-scanner-slim-rhel8"
-
-ENV ROX_SLIM_MODE="true"
-
-
-# Scanner (full)
-FROM scanner-common AS scanner
-
-LABEL \
-    com.redhat.component="rhacs-scanner-container" \
-    io.k8s.display-name="scanner" \
-    name="rhacs-scanner-rhel8"
-
-ENV NVD_DEFINITIONS_DIR="/nvd_definitions"
-ENV K8S_DEFINITIONS_DIR="/k8s_definitions"
-
-COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/"
-COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/"
+RUN dnf -y install xz