Use Ubi 9 micro image for docker

This is the most secure and the smallest base image we can use.
trinodb · Nov 28, 2024 · dc64f02 · dc64f02
1 parent 7d1b217
commit dc64f02
Showing 1 changed file with 18 additions and 3 deletions.
diff --git a/core/docker/Dockerfile b/core/docker/Dockerfile
@@ -27,19 +27,34 @@ RUN \
     mkdir -p "${JAVA_HOME}" && \
     curl -#LfS "${JDK_DOWNLOAD_LINK}" | tar -zx --strip 1 -C "${JAVA_HOME}"
 
+FROM registry.access.redhat.com/ubi9/ubi:latest AS packages
+
+RUN \
+    set -xeuo pipefail && \
+    mkdir -p /tmp/overlay/usr/libexec/ && \
+    touch /tmp/overlay/usr/libexec/grepconf.sh && \
+    chmod +x /tmp/overlay/usr/libexec/grepconf.sh && \
+    yum update -y && \
+    yum install --installroot /tmp/overlay --setopt install_weak_deps=false --nodocs -y \
+      less \
+      curl-minimal grep `# required by health-check` \
+      zlib `#required by java` \
+      shadow-utils `# required by useradd` \
+      tar `# required to support kubectl cp` && \
+      rm -rf /tmp/overlay/var/cache/*
+
 # Use ubi9 minimal as it's more secure
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 ARG JDK_VERSION
 ARG ARCH
 ENV JAVA_HOME="/usr/lib/jvm/${JDK_VERSION}"
 ENV PATH=$PATH:$JAVA_HOME/bin
 ENV CATALOG_MANAGEMENT=static
 COPY --from=jdk-download $JAVA_HOME $JAVA_HOME
+COPY --from=packages /tmp/overlay /
 
 RUN \
     set -xeu && \
-    microdnf update -y && \
-    microdnf install -y tar less shadow-utils && \
     groupadd trino --gid 1000 && \
     useradd trino --uid 1000 --gid 1000 --create-home && \
     mkdir -p /usr/lib/trino /data/trino && \