Migrate cp-kcat to UBI9 micro base image #113
Krish Vora (KrishVora01) wants to merge 2 commits into master from
Pull request overview
This PR migrates the cp-kcat container build from a ubi9-minimal-based final image to a 3-stage build that targets a ubi9-micro final image, aiming to reduce runtime image size while preserving required runtime libraries and running as non-root.
Changes:
- Update Maven Docker build args to pass `UBI9_VERSION` and `UBI_MICRO_VERSION` into the Docker build.
- Refactor `kcat/Dockerfile.ubi9` into a 3-stage build: build from source, assemble runtime deps via `dnf --installroot`, then copy into a UBI micro final image.
- Replace `useradd` with manual `/etc/passwd` + `/etc/group` entries and run as UID 1000.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| kcat/pom.xml | Switch build args from minimal to UBI9 + UBI micro version args. |
| kcat/Dockerfile.ubi9 | Convert to 3-stage build with runtime deps copied into a UBI micro final image and non-root user setup. |
|
|
||
| RUN echo "Building kcat ....." \ | ||
| && microdnf install -y dnf \ | ||
| && dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ |
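Review bot: On the `dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm` line, the repository package is fetched from a floating `latest` URL at build time, so the build stage's package sources can change between builds with no change to this file. dnf also does not check signatures on packages given by path or URL unless `localpkg_gpgcheck` is enabled. If nothing in the build stage is installed from EPEL, drop the line; otherwise reference a fixed release RPM and verify it before installing.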
This build installs epel-release-latest-8.noarch.rpm on a UBI9 (RHEL 9) base. EPEL major versions are tied to the RHEL major version; using the EPEL 8 release package on UBI9 is likely to break dnf dependency resolution or pull incompatible packages. Consider switching to the EPEL 9 release RPM (or removing EPEL entirely if it’s no longer needed).
| && dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ | |
| && dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ |
This line is carried over unchanged from the original master Dockerfile. kcat's bootstrap.sh doesn't actually pull packages from EPEL — the build packages (gcc-c++, cmake, etc.) all come from the base UBI9 repos. The EPEL repo is enabled but unused in practice. Changing it is out of scope for this migration, but harmless either way.
| # Stage 1: Build kcat from source | ||
| FROM registry.access.redhat.com/ubi9:${UBI9_VERSION} AS build | ||
|
|
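Review bot: The `FROM registry.access.redhat.com/ubi9:${UBI9_VERSION} AS build` line selects the base image by tag only, so what is pulled depends on where that tag points at build time. Consider pinning the digest alongside the tag (`ubi9:<tag>@sha256:<digest>`) or recording the resolved digest in the build output, and apply the same to the other `FROM` lines in this file.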
FROM registry.access.redhat.com/ubi9:${UBI9_VERSION} looks like an invalid UBI image reference (UBI images are typically under registry.access.redhat.com/ubi9/ubi:<tag>). As written, the build stage may fail to pull the base image; consider switching to the correct repository path for the full UBI9 base image.
registry.access.redhat.com/ubi9 is a valid top-level alias for ubi9/ubi. Both references resolve to the same image. This is the same reference used in all other micro-migration Dockerfiles across kafka-images, ksql-images, and kafka-rest-images. The image builds successfully with this reference.
| # Stage 2: Install runtime dependencies to /microdir | ||
| FROM registry.access.redhat.com/ubi9:${UBI9_VERSION} AS runtime-deps | ||
|
|
The runtime-deps stage uses FROM registry.access.redhat.com/ubi9:${UBI9_VERSION}; if the intended base is the standard UBI9 image, the correct reference is usually registry.access.redhat.com/ubi9/ubi:<tag>. Using registry.access.redhat.com/ubi9:<tag> is likely to fail at pull time.
Same as above — registry.access.redhat.com/ubi9 is a valid alias for ubi9/ubi. The full Docker image builds and all 13 functional tests pass with this reference.
| && rm -rf /microdir/dev/* /microdir/proc/* /microdir/sys/* | ||
|
|
||
| # Stage 3: Final ultra-lightweight image using ubi9-micro | ||
| FROM registry.access.redhat.com/ubi9-micro:${UBI_MICRO_VERSION} |
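Review bot: With `ubi9-micro` as the final `FROM`, the image has no package manager, so the package inventory a vulnerability scanner sees depends on which RPM database ends up in the image. The commit message says only `/usr/lib64` and `/etc/pki` are copied from `/microdir`; if the RPM database under `/microdir` is not copied as well, packages installed in the runtime-deps stage (openssl-libs, krb5-libs, libcurl-minimal and the rest) will not appear in the final image's inventory. Confirm that a scan of the built image lists them, or copy the RPM database along with the libraries.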
FROM registry.access.redhat.com/ubi9-micro:${UBI_MICRO_VERSION} is likely not the correct UBI micro image path; the UBI micro image is typically registry.access.redhat.com/ubi9/ubi-micro:<tag>. If the repository name is wrong, the final stage will fail to pull.
| FROM registry.access.redhat.com/ubi9-micro:${UBI_MICRO_VERSION} | |
| FROM registry.access.redhat.com/ubi9/ubi-micro:${UBI_MICRO_VERSION} |
registry.access.redhat.com/ubi9-micro is a valid top-level alias for ubi9/ubi-micro. This matches the convention used in cp-base-java-micro and other micro-migration Dockerfiles. The image builds and kcat -V runs successfully on the final ubi9-micro base.
Switch from 2-stage ubi9-minimal build to 3-stage build using ubi9-micro as the final base:
- Stage 1: Build kcat from source on ubi9 (unchanged logic)
- Stage 2: Install runtime deps (libcurl, cyrus-sasl, krb5, etc.) into /microdir using dnf --installroot
- Stage 3: Copy runtime libs + kcat binary to ubi9-micro

Key changes:
- Base image: ubi9-minimal -> ubi9-micro (ultra-lightweight, no pkg mgr)
- Package manager: microdnf -> dnf --installroot=/microdir
- Runtime deps installed in isolated stage, only /usr/lib64 + /etc/pki copied
- Remove shadow-utils from build deps; manually create appuser in /etc/passwd
- Build arg: UBI_MINIMAL_VERSION -> UBI_MICRO_VERSION + UBI9_VERSION
- Fix LABEL summary quoting (remove nested quotes)
- Fix fabric8 plugin indentation in pom.xml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
0b5fbcb to 5a7e7b7
Full ldd analysis and 13 functional tests (version, metadata, produce, consume, keyed messages, partitions, format strings, non-root user) all passing against a local cp-kafka broker.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- `ubi9-minimal` build to 3-stage build using `ubi9-micro` as the final base
- `/microdir` using `dnf --installroot`
- `ubi9-micro`
- `useradd` -> manual `/etc/passwd` entry (ubi9-micro has no shadow-utils)
- `UBI_MINIMAL_VERSION` -> `UBI_MICRO_VERSION` + `UBI9_VERSION`

Runtime dependency verification
Ran `ldd` against the compiled kcat binary and cross-referenced each shared library with what `ubi9-micro` ships natively. The following packages are installed in the runtime-deps stage because they are NOT in ubi9-micro:

| Shared library | Package |
|---|---|
| `libz.so.1` | `zlib` |
| `libcrypto.so.3`, `libssl.so.3` | `openssl-libs` |
| `libsasl2.so.3` | `cyrus-sasl-lib` |
| `libcrypt.so.2` | `libxcrypt` |
| `libgssapi_krb5.so.2`, `libkrb5.so.3`, `libk5crypto.so.3`, `libkrb5support.so.0` | `krb5-libs` |
| `libcom_err.so.2` | `libcom_err` |
| `libcurl.so.4` | `libcurl-minimal` |
| `libkeyutils.so.1` | `keyutils-libs` |
| `libnghttp2.so.14` | `libnghttp2` |

Plus `ca-certificates` for the TLS trust store.

Libraries already in ubi9-micro (no install needed): `glibc` (libc, libm, libresolv, ld-linux), `libselinux`, `pcre2`.

Docker build + functional test (13/13 passed)
Built the full image locally and ran all tests from the Confluent kcat docs against a cp-kafka broker:
Note: kcat 1.7.0 (librdkafka 1.7.0) has a pre-existing compatibility issue with latest Kafka ListOffsets API. Consume tests use -X broker.version.fallback=2.6.0. Not related to this image change.
Full test output: see kcat-micro-verification.md in this branch.
Test plan
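
The `ldd` cross-reference described under "Runtime dependency verification" above, as an added example that is not part of the pull request or the project's code. The `ldd` output and the base-image soname list are constructed samples, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the PR): compare a binary's ldd output with the
# sonames a minimal base image already provides.

# Constructed ldd output; addresses and paths are illustrative.
sample_ldd() {
cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc1b5f2000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f2a10400000)
    libssl.so.3 => /lib64/libssl.so.3 (0x00007f2a10300000)
    libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f2a0fe00000)
    libsasl2.so.3 => not found
    libm.so.6 => /lib64/libm.so.6 (0x00007f2a0fd00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2a0fa00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f2a10600000)
EOF
}

# Constructed list of sonames assumed present in the final base image.
sample_base_libs() {
  printf '%s\n' libc.so.6 libm.so.6 libresolv.so.2 libselinux.so.1
}

# Sonames the binary links against ("name => ..." lines; vdso and loader skipped).
needed_sonames() {
  awk '$2 == "=>" && $1 !~ /^linux-vdso/ { print $1 }' | LC_ALL=C sort -u
}

# usage: ldd BIN | must_install BASE_LIST_FILE
# Prints needed sonames that are absent from the base image's list.
must_install() {
  needed_sonames | awk -v base="$1" '
    BEGIN { while ((getline l < base) > 0) have[l] = 1 }
    !($1 in have)'
}

# Sonames the dynamic loader could not resolve (run ldd inside the final image).
unresolved() {
  awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Demo on the constructed samples.
base=$(mktemp)
sample_base_libs > "$base"
echo "install in runtime-deps stage:"; sample_ldd | must_install "$base"
echo "unresolved in final image:"; sample_ldd | unresolved
rm -f "$base"
```

Running `unresolved` on `ldd` output taken inside the final image catches a library that the runtime-deps stage missed before the container is ever started against a broker.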