feat: update validator target to be based on ubi-micro #1070
Conversation
Since Ubi-Micro has fewer packages, it has fewer security risks; therefore, no microdnf updates are necessary. This minimizes the need to execute an architecture-specific command while building the target image. Signed-off-by: Nestor Acuna Blanco <[email protected]>
kubevirt-bot
added
release-note-none
openshift-ci
bot
added
the
needs-ok-to-test
|
Hi @nestoracunablanco. Thanks for your PR. I'm waiting for a kubevirt member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
openshift-ci
bot
added
ok-to-test
|
@lyarwood, the PR has the LGTM label, and the tests have passed. Could you please take a look? Thank you! :) |
|
/assign lyarwood |
| RUN mkdir -p /etc/webhook/certs | ||
|
|
||
| RUN microdnf update -y && microdnf clean all |
There was a problem hiding this comment.
it can happen, that the released image contains vulnerabilities, which can be fixed by updating the packages with microdnf update -y
There was a problem hiding this comment.
@ksimon1, I appreciate your valid point. However, it's worth noting that the ubi-micro image contains significantly fewer packages, weighing in at 22.4 MB compared to 96.2 MB in the latest release.
Another important consideration is that running microdnf update can break the build if the host architecture differs from that of the container image, especially if no emulation is enabled.
Here’s an example of what I’m aiming to achieve: https://github.com/kubevirt/vm-console-proxy/blob/main/Dockerfile
In summary, my approach involves the following steps:
- Build everything from the host architecture in the builder image.
- Perform cross-compilation to the target architecture.
- Copy the binaries to a image with the target architecture.
What are your thoughts on this approach?
There was a problem hiding this comment.
I am not saying your changes are wrong, I am just explaining why I added the command 2 years ago :)
It is great, that you are working on making it available on multiple architecture.
The approach you mentioned looks good 👍
There was a problem hiding this comment.
Thank you so much! I truly appreciate your feedback 👍
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ksimon1 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
Since Ubi-Micro has fewer packages, it has fewer security risks; therefore, no microdnf updates are necessary. This minimizes the need to execute an architecture-specific command while building the target image.
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Release note: