
feat: move from ubi to ubi-minimal #1825

Merged (2 commits), Nov 5, 2024

Conversation

maichouni-mitek
Contributor

@maichouni-mitek maichouni-mitek commented Oct 24, 2024

This PR should close #1826.
Using a smaller base image has several benefits:

  • Reducing the storage footprint. Quicker deployments (less and/or smaller layers to pull).
  • Reducing the potential attack surface.
  • Reducing the number of vulnerabilities that will arise between one kepler release and another, simply because there are fewer items installed.

A picture is worth a thousand words:
[three screenshots of the vulnerability scan results for the image]

The vulnerabilities we see above (as of 2024/10/24, in kepler:release-0.7.12) are inherited from the base image. They are in the python namespace, which is not needed at all in the kepler image, and which is why #1361 cannot get rid of them.

Thank you.

Contributor

github-actions bot commented Oct 24, 2024

🤖 SeineSailor

Here is a concise summary of the pull request changes:

Summary: This pull request updates the build/Dockerfile to reduce the attack surface, storage footprint, and potential vulnerabilities by switching to the ubi9/ubi-minimal:latest base image. Key changes include:

  • Replacing yum with microdnf for package installation
  • Removing unnecessary packages
  • Adding microdnf clean all after package installations

Impact: These changes do not affect the external interface or behavior of the code, and no alterations to function signatures, global data structures, or variables are observed. The updated base image and package management approach should improve the overall security and efficiency of the Docker image.

Observation: The changes are well-contained within the build/Dockerfile and do not introduce any apparent risks or side effects. However, it may be beneficial to verify that the updated image still meets all necessary dependencies and requirements for the project.
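As an added illustration of the pattern the summary describes (this is not kepler's own build/Dockerfile; the package list and the copied binary path are assumed placeholders), the weak form beside the corrected one:

```dockerfile
# Added example, not the kepler project's Dockerfile.
# Before: full UBI base, yum, package cache left in the layer.
#   FROM registry.access.redhat.com/ubi9/ubi:latest
#   RUN yum install -y <packages>

# After: ubi-minimal base, microdnf, cache removed in the same layer.
# Consider pinning by digest instead of :latest for reproducible builds.
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest

# Install only what the runtime needs (placeholder package list),
# skip weak deps and docs, then clean the cache so it never lands
# in the layer. ubi-minimal ships no python, so the inherited python
# CVEs mentioned in the PR description are not present to begin with.
RUN microdnf install -y --setopt=install_weak_deps=0 --nodocs \
        ca-certificates \
    && microdnf clean all

# Placeholder: copy the prebuilt binary from a builder stage or the host.
COPY kepler /usr/bin/kepler

ENTRYPOINT ["/usr/bin/kepler"]
```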

@maichouni-mitek
Contributor Author

@sthaha, would you please start the GHAs?

@rootfs rootfs requested a review from vimalk78 October 29, 2024 13:21
@rootfs
Contributor

rootfs commented Oct 29, 2024

@vimalk78 can you take a look? thanks

Collaborator

@SamYuan1990 SamYuan1990 left a comment


LGTM, but we need a test image at PR level. @rootfs, @marceloamaral, @sthaha could you please help?

@maichouni-mitek
Contributor Author

@rootfs, @marceloamaral, @sthaha, can you please help with the image test?
Thank you very much.

@sthaha
Collaborator

sthaha commented Nov 5, 2024

@SamYuan1990 @maichouni-mitek could you please elaborate what you meant by image-test ?

@SamYuan1990
Collaborator

SamYuan1990 commented Nov 5, 2024

> @SamYuan1990 @maichouni-mitek could you please elaborate what you meant by image-test ?

@rootfs and I once made a CI job https://github.com/sustainable-computing-io/kepler/actions/workflows/image_pr.yml. The job can build a temp image with a specific PR as code base.

As our PR-level testing is almost all running on GHA VMs, which are not BM instances, and meanwhile this PR has a base image change, to ensure the change is not harmful we can use this PR-level CI to build a PR-level image and test it on a BM instance if necessary.

Well, unfortunately I don't have a BM instance that is able to support testing... as my laptop is a Mac without a GPU, so... that's the reason I commented on it in my PR review previously.

@vimalk78
Collaborator

vimalk78 commented Nov 5, 2024

LGTM.

built images and pushed

quay.io/vimalkum/kepler:v0.7.12-31-gcb7b058a-linux-amd64-dcgm

quay.io/vimalkum/kepler:v0.7.12-31-gcb7b058a-linux-amd64-habana

@vimalk78 vimalk78 merged commit c1ca080 into sustainable-computing-io:main Nov 5, 2024
23 checks passed
Successfully merging this pull request may close these issues.

Base image too big