Add helper image for RHEL (#74)

bthomee · web-flow · commit 4694e651175a · 2025-10-13T13:22:22.000-04:00
The change creates a helper image based on RHEL UBI. The Docker image adds
back a RHEL repo that contains the packages we need to build and sign an
.rpm installer for `rippled`. As credentials are needed to add the repo,
which will not be available in forks, this helper image will therefore
allow external contributors to modify our RHEL image without needing
access to the credentials.
diff --git a/.github/workflows/rhel-ubi.yml b/.github/workflows/rhel-ubi.yml
@@ -0,0 +1,180 @@
+name: RHEL UBI
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/rhel-ubi.yml
+      - docker/rhel-ubi/Dockerfile
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/rhel-ubi.yml
+      - docker/rhel-ubi/Dockerfile
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  PUSH: ${{ github.event_name == 'push' }}
+  CONTAINER_REGISTRY: ghcr.io
+  BUILDKIT_PROGRESS: plain
+
+jobs:
+  # Build the Docker image for the Red Hat Enterprise Linux image based on their
+  # free Universal Binary Image, which contains a subset of feature. We modify
+  # this image by adding back a package repository that contains dependencies we
+  # need.
+  # Note, the `os` part of matrix must be kept in sync with the `merge` job below
+  build:
+    strategy:
+      matrix:
+        architecture:
+          - platform: linux/amd64
+            runner: ubuntu-24.04
+            name: x86_64
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            name: aarch64
+        os:
+          - release: 8
+          - release: 9
+          - release: 10
+    runs-on: ${{ matrix.architecture.runner }}
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: Login to GitHub Registry
+        if: ${{ github.event_name == 'push' }}
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: ${{ env.CONTAINER_REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN  }}
+      - name: Prepare environment
+        run: |
+          # Convert the repository name to lowercase as the organization name is
+          # uppercase, which is not permitted by the Docker registry. It's 2025 and GitHub
+          # still does not provide convenient action expression syntax for lowercase.
+          GITHUB_REPO=${{ github.repository }}
+          CONTAINER_REPO=${GITHUB_REPO@L}
+          echo "CONTAINER_REPOSITORY=${CONTAINER_REPO}/rhel-${{ matrix.os.release }}" >> $GITHUB_ENV
+          echo "CONTAINER_IMAGE=${CONTAINER_REGISTRY}/${CONTAINER_REPO}/rhel-${{ matrix.os.release }}" >> $GITHUB_ENV
+          PLATFORM=${{ matrix.architecture.platform }}
+          echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> $GITHUB_ENV
+      - name: Prepare container metadata
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,manifest-descriptor
+        with:
+          images: ${{ env.CONTAINER_IMAGE }}
+          tags: |
+            type=raw,value=ubi
+            type=sha,prefix=ubi-sha-
+          labels: |
+            org.opencontainers.image.authors=For inquiries, please use https://${{ github.repository }}/issues
+            org.opencontainers.image.documentation=https://${{ github.repository }}
+            org.opencontainers.image.vendor=XRPLF
+            org.opencontainers.image.title=${{ env.CONTAINER_REPOSITORY }}
+      - name: Build and push the Docker image
+        id: build
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          build-args: |
+            BUILDKIT_DOCKERFILE_CHECK=skip=InvalidDefaultArgInFrom
+            BUILDKIT_INLINE_CACHE=1
+            RHEL_ARCH=${{ matrix.architecture.name }}
+            RHEL_VERSION=${{ matrix.os.release }}
+          context: .
+          file: docker/rhel-ubi/Dockerfile
+          outputs: type=image,name=${{ env.CONTAINER_IMAGE }},push-by-digest=true,name-canonical=true,push=${{ env.PUSH }}
+          platforms: ${{ matrix.architecture.platform }}
+          provenance: mode=max
+          push: ${{ env.PUSH }}
+          sbom: true
+          secrets: |
+            "RHEL_KEY=${{ secrets.RHEL_KEY }}"
+            "RHEL_ORG=${{ secrets.RHEL_ORG }}"
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Export digest
+        if: ${{ env.PUSH }}
+        run: |
+          mkdir -p /tmp/digests
+          DIGEST="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${DIGEST#sha256:}"
+      - name: Upload digest
+        if: ${{ env.PUSH }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: digests-${{ matrix.os.release }}-${{ env.PLATFORM_PAIR }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    if: ${{ github.event_name == 'push' }}
+    strategy:
+      matrix:
+        os:
+          - release: 8
+          - release: 9
+          - release: 10
+    runs-on: ubuntu-24.04
+    needs:
+      - build
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - name: Download digests
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        with:
+          path: /tmp/digests
+          pattern: digests-${{ matrix.os.release }}-*
+          merge-multiple: true
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: Login to GitHub Registry
+        if: ${{ github.event_name == 'push' }}
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: ${{ env.CONTAINER_REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN  }}
+      - name: Prepare environment
+        run: |
+          GITHUB_REPO=${{ github.repository }}
+          CONTAINER_REPO=${GITHUB_REPO@L}
+          echo "CONTAINER_IMAGE=${CONTAINER_REGISTRY}/${CONTAINER_REPO}/rhel-${{ matrix.os.release }}" >> $GITHUB_ENV
+      - name: Prepare container metadata
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: index
+        with:
+          images: ${{ env.CONTAINER_IMAGE }}
+          tags: |
+            type=raw,value=ubi
+            type=sha,prefix=ubi-sha-
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          eval "docker buildx imagetools create \
+            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(jq -cr '.annotations | map("--annotation \"" + . + "\"") | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.CONTAINER_IMAGE }}@sha256:%s ' *)"
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.CONTAINER_IMAGE }}:${{ steps.meta.outputs.version }}
diff --git a/docker/rhel-ubi/Dockerfile b/docker/rhel-ubi/Dockerfile
@@ -0,0 +1,14 @@
+ARG RHEL_VERSION
+FROM registry.access.redhat.com/ubi${RHEL_VERSION}/ubi:latest AS ubi
+
+# This is not inherited from the base image.
+ARG RHEL_VERSION
+# The RHEL architecture should be either 'x86_64' or 'aarch64'.
+ARG RHEL_ARCH
+
+# Enable the repository containing packages we need that are missing from the
+# UBI image.
+RUN --mount=type=secret,id=RHEL_KEY,env=RHEL_KEY \
+    --mount=type=secret,id=RHEL_ORG,env=RHEL_ORG \
+    subscription-manager register --activationkey="${RHEL_KEY}" --org="${RHEL_ORG}" && \
+    subscription-manager repos --enable=rhel-${RHEL_VERSION}-for-${RHEL_ARCH}-appstream-rpms
diff --git a/docker/rhel-ubi/README.md b/docker/rhel-ubi/README.md
@@ -0,0 +1,85 @@
+## RHEL-UBI: A helper Docker image for RHEL
+
+We are providing a helper Docker image for building `rippled` on Red Hat
+Enterprise Linux (RHEL) systems. The image is based on the Universal Base Image
+(UBI) provided by Red Hat, which is freely available to everyone. However, they
+contain a subset of RHEL content, and for our purposes some content is missing.
+
+The helper Docker image adds back a RHEL repo that contains the packages we need
+to build and sign an .rpm installer for `rippled`. As credentials are needed to
+add the repo, which will not be available in forks, this helper image will
+therefore allow external contributors to modify our RHEL image without needing
+access to the credentials.
+
+### Obtaining Red Hat credentials
+
+To be able to add the RHEL repo to the UBI image, an activation key is needed,
+which can be obtained free of charge. First you need to register for a Developer
+account [here](https://developers.redhat.com), and then you can create an activation key
+[here](https://console.redhat.com/insights/connector/activation-keys). On that
+same page you will find your organization ID.
+
+### Building the Docker image
+
+In order to build an image, run the commands below from the root directory of
+the repository.
+
+```shell
+export RHEL_KEY=<value-of-rhel-key>
+export RHEL_ORG=<value-of-rhel-org>
+RHEL_ARCH=<x86_64 or aarch64>
+RHEL_VERSION=8
+CONTAINER_IMAGE=ghcr.io/xrplf/ci/rhel-${RHEL_VERSION}:ubi
+
+docker buildx build . \
+  --file docker/rhel-ubi/Dockerfile \
+  --build-arg BUILDKIT_DOCKERFILE_CHECK=skip=InvalidDefaultArgInFrom \
+  --build-arg BUILDKIT_INLINE_CACHE=1 \
+  --secret id=RHEL_KEY,env=RHEL_KEY \
+  --secret id=RHEL_ORG,env=RHEL_ORG \
+  --build-arg RHEL_ARCH=${RHEL_ARCH} \
+  --build-arg RHEL_VERSION=${RHEL_VERSION} \
+  --tag ${CONTAINER_IMAGE}
+```
+
+### Pushing the Docker image
+
+#### Logging into the GitHub registry
+
+To be able to push a Docker image to the GitHub registry, a personal access
+token is needed, see instructions [here](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-with-a-personal-access-token-classic).
+In summary, if you do not have a suitable personal access token, generate one
+[here](https://github.com/settings/tokens/new?scopes=write:packages).
+
+```shell
+GITHUB_USER=<your-github-username>
+GITHUB_TOKEN=<your-github-personal-access-token>
+echo ${GITHUB_TOKEN} | docker login ghcr.io -u "${GITHUB_USER}" --password-stdin
+```
+
+#### Pushing to the GitHub registry
+
+To push the image to the GitHub registry, you can do so with the following
+command, whereby we append your username to not overwrite existing images:
+
+```shell
+docker tag ${CONTAINER_IMAGE} ${CONTAINER_IMAGE}-${GITHUB_USER}
+docker push ${CONTAINER_IMAGE}-${GITHUB_USER}
+```
+
+However, there should be no need to push the RHEL UBI image manually, as it is
+only used as a base image for other images in this repository.
+
+Note, if you or the CI pipeline are pushing an image for the first time, it will
+be private by default. You will need to go to the
+[packages page](https://github.com/orgs/XRPLF/packages), select the relevant
+package, then "Package settings", and after clicking the "Change visibility"
+button make it "Public". In addition, on that same page, under "Manage Actions
+access" click the "Add repository" button, select the `ci` repository, and grant
+it "Admin" access.
+
+#### Note on macOS
+
+If you are using macOS and wish to push an image to the GitHub registry for use
+in GitHub Actions, you will need to append `--platform linux/amd64` to the
+`docker buildx build` commands above.
