RaBe Universal Base Image 9 Minimal
The RaBe Universal Base Image 9 Minimal is a stripped down image that uses microdnf for package management.
The image is based on the AlmaLinux 9 UBI9 variant image container provided by AlmaLinux and based on the work from Red Hat.
Features
- Based on UBI9 minimal
- Uses microdnf as a package manager
- Establishes trust with the RaBe Root CA
Usage
Create a downstream image from ghcr.io/radiorabe/ubi9-minimal
. Replace :latest
with a specific version in the example below.
FROM ghcr.io/radiorabe/ubi9-minimal:latest
RUN microdnf install -y \
shadow-utils \
&& microdnf clean all \
&& useradd -u 1001 -r -g 0 -s /sbin/nologin \
-c "Default Application User" default \
&& microdnf remove -y \
libsemanage \
shadow-utils
USER 1001
Note that libsemanage
is being removed because is was installed as a dependency of shadow-utils
. We only need them for
the useradd
command so the safe solution is to remove both packages after use.
Downstream Base Images
We provide specialised downstream images for select use cases.
Advanced Usage
If you need packages from EPEL (like cowsay
) your have to install an epel-release
package first:
RUN microdnf install -y epel-release \
&& microdnf install -y \
cowsay \
&& microdnf clean all
To account for CIS-DI-0008 you may want to
"defang" your image by running something similar to the following chmod
after installing setuid/setgid binaries.
RUN microdnf install -y \
cowsay \
&& microdnf clean all \
&& chmod a-s \
/usr/bin/* \
/usr/sbin/* \
/usr/libexec/*/*
Release Management
The CI/CD setup uses semantic commit messages following the conventional commits standard. There is a GitHub Action in .github/workflows/semantic-release.yaml that uses go-semantic-commit to create new releases.
The commit message should be structured as follows:
<type>[optional scope]: <description>
[optional body]
[optional footer(s)]
The commit contains the following structural elements, to communicate intent to the consumers of your library:
- fix: a commit of the type
fix
patches gets released with a PATCH version bump - feat: a commit of the type
feat
gets released as a MINOR version bump - BREAKING CHANGE: a commit that has a footer
BREAKING CHANGE:
gets released as a MAJOR version bump - types other than
fix:
andfeat:
are allowed and don't trigger a release
If a commit does not contain a conventional commit style message you can fix it during the squash and merge operation on the PR.
Build Process
The CI/CD setup uses the Docker build-push Action to publish container images. This is managed in .github/workflows/release.yaml.
License
This application is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, version 3 of the License.
Copyright
Copyright (c) 2022 Radio Bern RaBe