@davdhacs davdhacs commented Jan 23, 2026

Description

Migrates Konflux collector builds from UBI8/RHEL8 to UBI9/RHEL9 base images.

Key Changes

Base Images:

  • Builder: registry.access.redhat.com/ubi9/ubi:latest
  • Runtime: registry.access.redhat.com/ubi9/ubi-minimal:latest
  • Image name: rhacs-collector-rhel9

RPM Packages (RHEL 9):

  • Clang: 20.1.8 (was 18.1.8 in RHEL 8)
  • elfutils-libelf (was included in UBI8-minimal base image but not in ubi9-minimal)
  • All build dependencies updated to RHEL 9 versions

Checklist

  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

CI is sufficient.

elfutils:

$ docker run --rm registry.access.redhat.com/ubi8/ubi-minimal:latest rpm -qa | grep -i elfutils
elfutils-libelf-0.190-2.el8.aarch64
$ docker run --rm registry.access.redhat.com/ubi9/ubi-minimal:latest rpm -qa | grep -i elfutils

Update Konflux build configuration to use UBI9 and RHEL 9:

- Update builder base image: ubi8/ubi -> ubi9/ubi
  Pinned to sha256:22e95731596d661ff08daabaa5ef751b20ac42d0a58492dac5efa7373f471389
- Update runtime base image: ubi8/ubi-minimal -> ubi9/ubi-minimal
  Pinned to sha256:90bd85dcd061d1ad6dbda70a867c41958c04a86462d05c631f8205e8870f28f8
- Add Cachi2 environment sourcing for hermetic RPM builds
- Update image label: rhacs-collector-rhel8 -> rhacs-collector-rhel9
- Update Tekton CPE label: el8 -> el9

This aligns collector Konflux builds with the UBI9 migration already
completed for GitHub CI builds.

Configure hermetic builds with RHEL 9 package dependencies:

- Update rpms.in.yaml:
  * Change context from bare:true to UBI9 image
  * Update clang version: clang-19.1.7 -> clang-20.1.8

- Add rpms.rhel.repo with RHEL 9 repository configurations
  * Updated from RHEL 8 to RHEL 9 base URLs
  * Includes all required repos for 4 architectures

- Add rpms.lock.yaml with locked package versions
  * Generated for aarch64, ppc64le, s390x, x86_64
  * Enables hermetic builds with reproducible dependencies
  * Required for RHEL-only packages (elfutils-libelf-devel,
    tbb-devel, c-ares-devel) not in public UBI repos

Hermetic builds ensure reproducible container images by prefetching
all RPM dependencies before the build starts.

@davdhacs davdhacs force-pushed the konflux-ubi9-migration branch from 2334d7b to 23cacca January 23, 2026 04:26
@davdhacs
Author

"This branch has conflicts that must be resolved" because the Konflux base image SHAs are updated in master. Until we decide to merge this branch, it is not necessary to "resolve" these conflicts because we are ignoring the updates to the UBI8 images for this change.

@davdhacs davdhacs requested a review from tommartensen January 23, 2026 04:52
@davdhacs
Author

@tommartensen does this include all of the Konflux-built collector images? I think this does what is needed: base image update, pinned to latest image shas, and updated rpm lockfiles. Is there anything missing?

- wget
- unzip
- clang-19.1.7
- clang-20.1.8
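Review bot: the last entry pins clang to an exact version (clang-20.1.8, in place of clang-19.1.7) with no comment saying what the pin has to stay in step with. A short YAML comment beside it, naming the toolchain version it is meant to match, would make the next bump a deliberate decision and would answer the compatibility question at the place where the version is set.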
Contributor

Please check with @stackrox/collector-team if this clang version is compatible.

Contributor

The kind of issues we get with incompatible versions of clang are usually detected pretty well by integration tests. Making sure that all the tests pass should be enough.

I think that clang-20 is already what is used for upstream.

Author

ty. This is the latest stable clang I found for ubi9. @ovalenti would it be better to un-pin clang for ubi9?

@ovalenti
Contributor

> "This branch has conflicts that must be resolved" because the Konflux base image SHAs are updated in master. Until we decide to merge this branch, it is not necessary to "resolve" these conflicts because we are ignoring the updates to the UBI8 images for this change.

Unfortunately, GitHub will refuse to run its pipelines unless those conflicts are resolved, it seems.

@davdhacs
Author

> > "This branch has conflicts that must be resolved" because the Konflux base image SHAs are updated in master. Until we decide to merge this branch, it is not necessary to "resolve" these conflicts because we are ignoring the updates to the UBI8 images for this change.
>
> Unfortunately, GitHub will refuse to run its pipelines unless those conflicts are resolved, it seems.

Thank you. I'll update and fix the conflicts then.

davdhacs and others added 4 commits January 23, 2026 09:01
konflux sources the env file for every RUN already

Co-authored-by: Tom Martensen <tmartens@redhat.com>

Analysis showed that bare: true and image: with SHA produce identical
lockfiles (4,668 lines, 167 packages). Both correctly exclude base image
packages, with only 2 packages overlapping (openssl/openssl-libs as
dependencies of openssl-devel).

Using bare: true is clearer for our use case since collector has two
different base images (ubi9/ubi for builder, ubi9/ubi-minimal for runtime).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Source RPMs are required for build-source-image task in Konflux and GPL
compliance.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

@davdhacs davdhacs requested a review from tommartensen January 24, 2026 18:44

@codecov-commenter

codecov-commenter commented Jan 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 27.38%. Comparing base (24f41bd) to head (8cb31c2).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2815   +/-   ##
=======================================
  Coverage   27.38%   27.38%           
=======================================
  Files          95       95           
  Lines        5427     5427           
  Branches     2548     2548           
=======================================
  Hits         1486     1486           
  Misses       3214     3214           
  Partials      727      727           
Flag Coverage Δ
collector-unit-tests 27.38% <ø> (ø)


The collector binary requires libelf.so.1 at runtime to load eBPF programs
into the kernel via libbpf. When migrating from UBI8 to UBI9, this runtime
dependency was not explicitly added because it was included in the UBI8
ubi-minimal base image. UBI9 ubi-minimal is more stripped down and does
not include elfutils-libelf by default.

Without this library, the collector fails at runtime with:
  collector: error while loading shared libraries: libelf.so.1:
  cannot open shared object file: No such file or directory

Why libelf is required:
- Collector uses libbpf to load eBPF programs for kernel-level monitoring
- eBPF programs are compiled by LLVM into ELF object files
- libbpf uses libelf to parse these ELF files and extract:
  - eBPF program bytecode
  - BPF map descriptions
  - BTF (BPF Type Format) metadata
  - Relocation information
- libelf is an internal dependency of libbpf and must be present at runtime

This issue was discovered by run-konflux-tests, which test the actual
Konflux-built UBI9 images at runtime, while integration-tests (which test
GitHub Actions-built images) continued to pass.

References:
- https://docs.kernel.org/bpf/libbpf/libbpf_build.html
- https://docs.ebpf.io/ebpf-library/libbpf/

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@davdhacs davdhacs requested a review from tommartensen January 27, 2026 04:48
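
The missing libelf.so.1 described in the commit message above only surfaced when the Konflux-built image was actually run. As an added example (not part of this pull request or the collector repository), the shell functions below turn `ldd` output into a pass/fail check for unresolved shared libraries; the sample `ldd` output is constructed.

```shell
#!/bin/sh
# Added example (not from the PR): flag shared libraries that the dynamic
# loader cannot resolve, given `ldd <binary>` output on stdin.

# Print the soname of every "NAME => not found" line, one per line.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Exit status: 0 = every dependency resolved, 1 = at least one missing,
# 2 = input is not ldd output for a dynamically linked binary.
check_runtime_deps() {
    out=$(cat)
    case "$out" in
        *"not a dynamic executable"*|*"statically linked"*|"")
            echo "no dynamic dependencies to check" >&2
            return 2 ;;
    esac
    missing=$(printf '%s\n' "$out" | missing_libs)
    if [ -n "$missing" ]; then
        for lib in $missing; do echo "unresolved: $lib" >&2; done
        return 1
    fi
    return 0
}

# Constructed sample: ldd output for a binary in an image without libelf.
SAMPLE_BROKEN='	linux-vdso.so.1 (0x0000ffff9e5c0000)
	libelf.so.1 => not found
	libcares.so.2 => /lib64/libcares.so.2 (0x0000ffff9e400000)
	libc.so.6 => /lib64/libc.so.6 (0x0000ffff9e200000)
	/lib/ld-linux-aarch64.so.1 (0x0000ffff9e580000)'

# Constructed sample: the same binary once elfutils-libelf is installed.
SAMPLE_FIXED='	linux-vdso.so.1 (0x0000ffff9e5c0000)
	libelf.so.1 => /lib64/libelf.so.1 (0x0000ffff9e4a0000)
	libcares.so.2 => /lib64/libcares.so.2 (0x0000ffff9e400000)
	libc.so.6 => /lib64/libc.so.6 (0x0000ffff9e200000)
	/lib/ld-linux-aarch64.so.1 (0x0000ffff9e580000)'

printf '%s\n' "$SAMPLE_BROKEN" | missing_libs   # prints libelf.so.1
```

In a pipeline the input would come from running `ldd` on the collector binary inside the built image, for example `docker run --rm --entrypoint ldd <image> <path-to-collector> | check_runtime_deps`; the image reference and binary path are placeholders, and this assumes `ldd` is available in the runtime image.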
# final stage in collector/container/konflux.Dockerfile
- tbb
- c-ares
- elfutils-libelf
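Review bot: elfutils-libelf, the last entry under the final-stage comment, carries no note explaining why the runtime image needs it, and it is easy to mistake for a build-only dependency. A trailing comment such as `# provides libelf.so.1, loaded by libbpf at runtime` would keep it from being removed as unused in a later cleanup.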
Author

@ovalenti It looks like this is needed now. Is this valid?

[rhel-8-for-$basearch-appstream-rpms]
name = Red Hat Enterprise Linux 8 for $basearch - AppStream (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel8/8/$basearch/appstream/os
[rhel-9-for-$basearch-appstream-rpms]
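Review bot: only the section header for rhel-9-for-$basearch-appstream-rpms is visible at the end of this hunk, so check that the name and baseurl lines under it changed together with the id; the lines shown above it read "Enterprise Linux 8" and content/dist/rhel8/8. A rhel-9 id that still points at a rhel8 baseurl could pull RHEL 8 packages into the lockfile without an obvious failure.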
Contributor

This file looks better now!

Contributor

@tommartensen tommartensen left a comment

As a next step, can you try to deploy ACS with this image?

Manifest or Helm-based installs should be easiest to set up: https://spaces.redhat.com/spaces/StackRox/pages/483005167/How+to+deploy+ACS+with+Konflux+images

Then run the manual smoke tests: https://spaces.redhat.com/spaces/StackRox/pages/388132725/Manual+smoke+test+for+ACS
