chore(base-image): Migrate Konflux builds to UBI9/RHEL9

[davdhacs]

Description

Migrates scanner builds from UBI8/RHEL8 to UBI9/RHEL9 base images.

Key Changes

Konflux Base Images:

• Builder: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.24
• Scanner runtime: registry.access.redhat.com/ubi9-minimal:latest
• Scanner DB: registry.redhat.io/rhel9/postgresql-15:latest
• Image names: rhacs-scanner-rhel9, rhacs-scanner-slim-rhel9, rhacs-scanner-db-rhel9, rhacs-scanner-db-slim-rhel9

Non-Konflux Base Images:

• Scanner: ubi9-minimal
• Scanner DB: ubi9 / ubi9-minimal
• Vulnerabilities: ubi9-minimal

RPM/Repo Updates:

• rpms.lock.yaml: xz updated from RHEL 8 (5.2.4) to RHEL 9 (5.2.5)
• rpms.rhel.repo: repos updated from rhel8 to rhel9
• PostgreSQL download script: pg_rhel_major=9

Tekton Labels:

• CPE labels: el8 → el9

UBI9 Compatibility Fixes:

• update-ca-trust extract -o /etc/pki/ca-trust/extracted for unprivileged containers (RHBZ#2241240)
• cp --recursive --no-dereference --no-clobber in restore-all-dir-contents
• microdnf install -y xz (explicit -y flag)

Checklist

• Investigated and inspected CI test results

Testing Performed

TBD

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[davdhacs]

@tommartensen fyi this is the parallel scanner update for UBI9. In this, we also have to add the update-ca-trust workaround for UBI9 changed perms on second execution.

The arm build fails because tar hits a bug in a syscall in qemu; I still have some debug logging around that, and I expect the arm arch build to fail because of it.

[davdhacs]

/test all

[davdhacs]

/retest

[davdhacs]

@tommartensen could you review this? (the ubi9 upgrade for scanner(v2); includes the update-ca-trust permissions workaround)

[tommartensen]

LGTM to me from a Konflux perspective. Have you deployed and smoke tested the resulting images (like we did for collector)?

[davdhacs]

LGTM to me from a Konflux perspective. Have you deployed and smoke tested the resulting images (like we did for collector)?

Yes, I tested with these changes (minus the master-merge [empty] commits). I'll re-do the smoke test with this and the latest master collector builds.

[BradLugo]

Note to self and @stackrox/scanner: we need to follow up on #2092 and update the image for s390x to avoid using a different version of psql.

[mclasmeier]

I'd like to understand this better.
Is this path /etc/pki/ca-trust/extracted referenced somewhere? Is it defaulted to somewhere?

[BradLugo]

I think it's self-referential: https://src.fedoraproject.org/rpms/ca-certificates/blob/rawhide/f/update-ca-trust#_129-138

[davdhacs]

/etc/pki/ca-trust/extracted is the default. We're re-setting it to get the non-root user operation of setting a -o path.
Here you can see it hardcoded in the version of update-ca-trust in ubi9-minimal: https://pkgs.devel.redhat.com/cgit/rpms/ca-certificates/tree/update-ca-trust?h=rhel-9.4.0#n10
And this explains why we need to use the -o arg: https://pkgs.devel.redhat.com/cgit/rpms/ca-certificates/tree/update-ca-trust?h=rhel-9.4.0#n88
long-version:
In UBI8, the update-ca-trust trust extract execution did not change the permissions on the files it wrote. In the version in UBI9, the directory-hash output was added and write permissions are removed when it is written.
The -o(USER_DEST) arg was added to allow running as non-root because it does a chmod +/- around adding links into the directory-hash directory: https://src.fedoraproject.org/rpms/ca-certificates/pull-request/8#request_diff
Looking forward in https://src.fedoraproject.org/rpms/ca-certificates/c/7dc60cb it was reworked but changes it so the symlinks are only added when the USER_DIR is not specified (so we will still need the -o arg if the ca-certificates package updates are backported).

[davdhacs]

example usage: here this path is in the search paths for golang ssl: https://go.dev/src/crypto/x509/root_linux.go

[davdhacs]

more information in the man page, https://www.linux.org/docs/man8/update-ca-trust.html

[davdhacs]

Far future / TODO: The cert setup could be re-worked for these images so that it does not rely on update-ca-trust to add custom certs. Maybe that part isn't needed anymore, but I think that reaches outside of the scope of upgrading to UBI9. There was discussion about init container instead of the double-run that sensor and scanner do, and there are other options especially when we eventually switch to the golang built-in ssl.

[mclasmeier]

Thank you @davdhacs

[davdhacs]

If you're okay with this, can I get a +1 and we'll merge this PR? We can also update the change in stackrox to follow update-ca-trust's -o arg use instead of needing the full chmod.

[davdhacs]

/test ?

[davdhacs]

The test failures are not-related to UBI9/changes in this PR.

[davdhacs]

#2888
test fix pr

[davdhacs]

/retest e2e-tests

[davdhacs]

/test e2e-tests

[davdhacs]

/test e2e-tests

[davdhacs]

/test e2e-tests

[davdhacs]

/test e2e-tests

[davdhacs]

@BradLugo can I get another +1? I merged changes from master to get the e2e test fix.

[mclasmeier]

I just did some testing with this scanner and I believe it suffers from the same problem as the one I have addressed with this commit.

See:

I am deploying ACS (some semi-recent master version, doesn't mater) on an OpenShift cluster, with scanner v2 enabled, scanner v4 disabled and an overlay which injects this PR's scanner version image into the scanner deployment:

❯ roxie deploy --resources=auto central \
  --set spec.scanner.scannerComponent=Enabled \
  --set spec.scannerV4.scannerComponent=Disabled \
  --set spec.overlays='[{"apiVersion":"apps/v1", "kind":"Deployment", "name":"scanner", "patches":[{"path":"spec.template.spec.containers[name:scanner].image", "value":"quay.io/rhacs-eng/scanner:2.39.x-86-gf65ee678a8"}]}]'
00:00 Using kubeconfig /Users/mclasmeier/.kube/infra/kubeconfig
00:00 Running with a controlling terminal.
00:01 🚀 ACS Deployer initialized
00:01 roxctl version: 4.9.1-0-g1bde1c73b2
00:01 
00:01 ┌────────────────────────────────────────────────────────────┐
00:01 │ Deployment Configuration                                   │
00:01 ├────────────────────────────────────────────────────────────┤
00:01 │              Component: Central                            │
00:01 │           Cluster Type: OpenShift4                         │
00:01 │               Main Tag:                                    │
00:01 │     Kubernetes Context: admin                              │
00:01 │      Deployment Method: Operator                           │
00:01 │               Exposure: loadbalancer                       │
00:01 └────────────────────────────────────────────────────────────┘
00:01 
00:01 Looking up main image tag
00:07 Using stackrox repository tag: 4.11.x-300-g280a4287f7
00:07 Auto-detected cluster type OpenShift4: using resource profile "medium"
00:07 Initiating deployment of Central
00:07 Deploying Central to namespace acs-central
00:07 Existing Central deployment found, tearing down...
00:07 🗑️  Tearing down acs-central
00:08 ⏳ Waiting for Central resources to be fully deleted...
00:08 Deleting Central resources
00:14 ✓ Central resources in namespace acs-central have been deleted
00:14 🚀 Deploying Central via Operator...
00:17 ✓ Operator already deployed with correct version
00:17 Preparing namespace acs-central
00:18 ✓ Admin password secret created
00:18 Using Central resource profile: medium
00:18 Applying Central custom resource
00:19 ✓ Central Custom Resource applied
00:19 ⏳ Waiting for Central to become ready...
[...]
01:00 ✓ Central is ready (1 replicas)
01:00 ⏳ Waiting for LoadBalancer central-loadbalancer to get external IP...
[...]
01:49 ✓ Central is ready and responding!
[...]

Then, I exec into the scanner container and show that the restore-all-dir-contents script cannot be invoked again (after the import-additional-cas script has run) -- something that I believe needs to be possible, because that would happen on container restarts.

❯ kubectl -n acs-central exec -it deploy/scanner -- /bin/sh
sh-5.1$ /restore-all-dir-contents 
cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/GlobalSign_ECC_Root_CA_-_R4.pem': Permission denied
cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/GlobalSign_ECC_Root_CA_-_R5.pem': Permission denied
cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/GlobalSign_Root_CA_-_R3.pem': Permission denied
cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/GlobalSign_Root_CA_-_R6.pem': Permission denied
cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/certSIGN_Root_CA_G2.pem': Permission denied
sh-5.1$