chore: upgrade UBI images to v10.2 #50983

Open
mcapell wants to merge 1 commit into elastic:main from mcapell:mcapell/chore/bump-ubi-10.2

@mcapell mcapell commented May 28, 2026

Proposed commit message

Upgrade UBI images to 10.2. With this update, dbus-glib and iptables
are not available on UBI v10.2, but checking the playwright
dependencies, both packages are not listed in the version in use (see list of dependencies).

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

@mcapell mcapell requested a review from a team as a code owner May 28, 2026 16:49
@botelastic botelastic Bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 28, 2026
@mcapell mcapell added Team:obs-ds-hosted-services Label for the Observability Hosted Services team and removed needs_team Indicates that the issue/PR needs a Team:* label labels May 28, 2026
@github-actions

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /test : Run the Buildkite pipeline.

@infra-vault-gh-plugin-prod

Pinging @elastic/obs-ds-hosted-services (Team:obs-ds-hosted-services)

@mcapell mcapell added the backport-active-all Automated backport with mergify to all the active branches label May 28, 2026
@mcapell mcapell requested a review from emilioalvap May 28, 2026 16:49
Upgrade UBI images to 10.2. With this update, dbus-glib and iptables
are not available on UBI v10.2, but checking the playwright
dependencies, both packages are not listed in the version in use.
@mcapell mcapell force-pushed the mcapell/chore/bump-ubi-10.2 branch from e80fb3c to b1fe97d Compare May 28, 2026 16:51
@coderabbitai

coderabbitai Bot commented May 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 545874c3-87a8-4396-803b-31cd26c53bd2

📥 Commits

Reviewing files that changed from the base of the PR and between e80fb3c and b1fe97d.

📒 Files selected for processing (14)
  • changelog/fragments/1779986777-update-ubi-10.2.yaml
  • dev-tools/dependencies-report
  • dev-tools/packaging/packages.yml
  • dev-tools/packaging/templates/docker/Dockerfile.tmpl
  • dev-tools/packaging/templates/ironbank/auditbeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/auditbeat/hardening_manifest.yaml
  • dev-tools/packaging/templates/ironbank/filebeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/filebeat/hardening_manifest.yaml
  • dev-tools/packaging/templates/ironbank/heartbeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/heartbeat/hardening_manifest.yaml
  • dev-tools/packaging/templates/ironbank/metricbeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/metricbeat/hardening_manifest.yaml
  • dev-tools/packaging/templates/ironbank/packetbeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/packetbeat/hardening_manifest.yaml
✅ Files skipped from review due to trivial changes (5)
  • changelog/fragments/1779986777-update-ubi-10.2.yaml
  • dev-tools/packaging/templates/ironbank/packetbeat/hardening_manifest.yaml
  • dev-tools/packaging/templates/ironbank/metricbeat/Dockerfile
  • dev-tools/packaging/packages.yml
  • dev-tools/packaging/templates/ironbank/heartbeat/hardening_manifest.yaml
🚧 Files skipped from review as they are similar to previous changes (9)
  • dev-tools/packaging/templates/ironbank/auditbeat/Dockerfile
  • dev-tools/dependencies-report
  • dev-tools/packaging/templates/ironbank/heartbeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/metricbeat/hardening_manifest.yaml
  • dev-tools/packaging/templates/docker/Dockerfile.tmpl
  • dev-tools/packaging/templates/ironbank/packetbeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/filebeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/filebeat/hardening_manifest.yaml
  • dev-tools/packaging/templates/ironbank/auditbeat/hardening_manifest.yaml

📝 Walkthrough

This PR upgrades Docker base images from Red Hat UBI9 to UBI10 across the Beats project. Changes add a changelog fragment, update dependency-report sources to UBI10, switch packaging YAML anchors to redhat/ubi10-minimal, adjust the heartbeat Dockerfile template (including removal of dbus-glib), and update Ironbank Dockerfiles and hardening manifests to use redhat/ubi/ubi10:10.2 for auditbeat, filebeat, heartbeat, metricbeat, and packetbeat.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@changelog/fragments/1779986777-update-ubi-10.2.yaml`:
- Line 1: The changelog fragment currently uses an invalid kind value ("kind:
other"); update the top-level kind field in this fragment to one of the allowed
values (bug-fix, enhancement, breaking-change, deprecation, known-issue) so it
conforms to the repository’s changelog fragment format—replace "kind: other"
with the appropriate allowed kind that matches the change being described and
ensure the fragment includes the required summary and component fields if not
already present.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 812ea38a-6f0c-492f-bbba-037716a711ff

📥 Commits

Reviewing files that changed from the base of the PR and between 14d1ed6 and e80fb3c.

📒 Files selected for processing (14)
  • changelog/fragments/1779986777-update-ubi-10.2.yaml
  • dev-tools/dependencies-report
  • dev-tools/packaging/packages.yml
  • dev-tools/packaging/templates/docker/Dockerfile.tmpl
  • dev-tools/packaging/templates/ironbank/auditbeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/auditbeat/hardening_manifest.yaml
  • dev-tools/packaging/templates/ironbank/filebeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/filebeat/hardening_manifest.yaml
  • dev-tools/packaging/templates/ironbank/heartbeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/heartbeat/hardening_manifest.yaml
  • dev-tools/packaging/templates/ironbank/metricbeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/metricbeat/hardening_manifest.yaml
  • dev-tools/packaging/templates/ironbank/packetbeat/Dockerfile
  • dev-tools/packaging/templates/ironbank/packetbeat/hardening_manifest.yaml

@@ -0,0 +1,3 @@
kind: other
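
Review bot: kind: other on line 1 of the new fragment is outside the kind list quoted from the coding guidelines in this thread (bug-fix, enhancement, breaking-change, deprecation, known-issue); confirm which kinds the changelog tool accepts before changing it, and if it has to change, pick the kind that describes a base-image bump. Only the first of the three added lines is shown here, so the summary and component fields cannot be checked from this excerpt.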

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use an allowed changelog kind value on Line 1.

kind: other does not match the required fragment format for this repo’s review rules. Please switch it to one of the allowed values for this path.

As per coding guidelines: changelog/fragments/*.yaml: “Create a changelog fragment ... with format: kind (bug-fix, enhancement, breaking-change, deprecation, known-issue), summary, and component”.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@changelog/fragments/1779986777-update-ubi-10.2.yaml` at line 1, The changelog
fragment currently uses an invalid kind value ("kind: other"); update the
top-level kind field in this fragment to one of the allowed values (bug-fix,
enhancement, breaking-change, deprecation, known-issue) so it conforms to the
repository’s changelog fragment format—replace "kind: other" with the
appropriate allowed kind that matches the change being described and ensure the
fragment includes the required summary and component fields if not already
present.

@coderabbitai

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

@github-actions

TL;DR

x-pack/auditbeat packaging is failing for both amd64 and arm64 because the generated Docker image now uses redhat/ubi10-minimal, but the template no longer installs shadow-utils, so groupadd is missing at image build time. The immediate fix is to restore installation of the user-management tools for UBI 10 before the groupadd/useradd steps.

Remediation

  • In dev-tools/packaging/templates/docker/Dockerfile.tmpl, make the UBI package-install block match UBI 10 image names (for example, change contains .from "ubi-minimal" to a condition that matches ubi10-minimal, or more robustly all UBI minimal variants) so shadow-utils is installed before RUN groupadd --gid 1000 {{ .BeatName }}.
  • Re-run the auditbeat packaging jobs for both architectures (x-pack/auditbeat: Packaging Linux and x-pack/auditbeat: Packaging arm64) after regenerating packaging artifacts.

Investigation details

Root Cause

groupadd is invoked unconditionally in the Docker template, but the dependency install block that provides it is gated by a string that no longer matches after this PR’s UBI image bump.

  • dev-tools/packaging/templates/docker/Dockerfile.tmpl:49-56 only runs microdnf ... install ... shadow-utils ... when contains .from "ubi-minimal".
  • dev-tools/packaging/templates/docker/Dockerfile.tmpl:127-128 always runs:
    • RUN groupadd --gid 1000 {{ .BeatName }}
    • RUN useradd -M --uid 1000 --gid 1000 ...
  • In commit b1fe97de3aad940a068fd81551288c0f13a4c6b3, dev-tools/packaging/packages.yml switches docker base images to redhat/ubi10-minimal (e.g., entries at packages.yml:173, :186, :192, :197 in that revision), so the previous matcher no longer covers the new base image naming.

Evidence

/bin/sh: line 1: groupadd: command not found
ERROR: failed to build: failed to solve: process "/bin/sh -c groupadd --gid 1000 auditbeat" did not complete successfully: exit code: 127
Dockerfile:89

(from both failed logs under /tmp/gh-aw/buildkite-logs/)

Verification

  • Not run (detective workflow is read-only and focused on log/code correlation).

Follow-up

I could not reliably read prior PR discussion comments due to MCP integrity filtering on PR/issue comment reads in this run, so I could not perform strict duplicate-comment detection.

Note

🔒 Integrity filter blocked 3 items

The following items were blocked because they don't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.
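
The gating failure described in the root-cause analysis above, reproduced as an added example (not code from the Beats repository): a condensed template is rendered once with the original `contains .from "ubi-minimal"` gate and once with a hypothetical `isUBIMinimal` matcher that covers all UBI minimal variants. The condensed template, the mapping of `contains` to `strings.Contains`, the regex and the `example.test/...` image name are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Condensed stand-in for the template: gated install, unconditional groupadd.
const tmplFmt = `FROM {{ .from }}
{{- if %s }}
RUN microdnf install -y shadow-utils
{{- end }}
RUN groupadd --gid 1000 {{ .BeatName }}
`

// Hypothetical matcher: last path segment is ubi-minimal or ubi<N>-minimal.
var ubiMinimal = regexp.MustCompile(`(^|/)ubi\d*-minimal(:[^/]+)?$`)

// Assumption: the template's "contains" behaves like strings.Contains(s, substr).
var funcs = template.FuncMap{"contains": strings.Contains, "isUBIMinimal": ubiMinimal.MatchString}

// Constructed names: an older-style path containing "ubi-minimal", and the new one.
var sampleImages = []string{"example.test/ubi9/ubi-minimal", "redhat/ubi10-minimal"}

// MissingTools returns the images whose rendered Dockerfile runs groupadd
// without a preceding shadow-utils install.
func MissingTools(gate string, images []string) ([]string, error) {
	t, err := template.New("df").Funcs(funcs).Parse(fmt.Sprintf(tmplFmt, gate))
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, from := range images {
		var out bytes.Buffer
		if err := t.Execute(&out, map[string]string{"from": from, "BeatName": "auditbeat"}); err != nil {
			return nil, err
		}
		df := out.String()
		install, add := strings.Index(df, "shadow-utils"), strings.Index(df, "groupadd")
		if add >= 0 && (install < 0 || install > add) {
			bad = append(bad, from)
		}
	}
	return bad, nil
}

func main() {
	for _, gate := range []string{`contains .from "ubi-minimal"`, `isUBIMinimal .from`} {
		bad, err := MissingTools(gate, sampleImages)
		fmt.Printf("%-32s groupadd without shadow-utils: %v (err=%v)\n", gate, bad, err)
	}
}
```

Running the same check over every `from` value in the packaging configuration before a base-image bump would surface this class of failure without waiting for the image build.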
