Update ubi9 and add ubi9-based developer image (#190)

Update ubi9 and udi9 to resemble base/ubi8/Dockerfile and universal/ubi8/Dockerfile

Signed-off-by: David Kwon <[email protected]>

.github/workflows/empty-worksapce-smoke-test-on-minikube-ubi8.yaml

@@ -17,8 +17,8 @@ on:
       - '**/*.md'
       - .devfile.yaml
       - LICENSE
-      - '.rebase/*'
       - 'base/ubi9/**'
+      - 'universal/ubi9/**'
 
 env:
    USERSTORY: CloneGitRepoAPI

.github/workflows/empty-worksapce-smoke-test-on-minikube-ubi9.yaml

@@ -0,0 +1,116 @@
+#
+# Copyright (c) 2019-2024 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+name: Empty workspace smoke test on udi9
+on:
+  pull_request:
+    paths-ignore:
+      - '**/*.md'
+      - .devfile.yaml
+      - LICENSE
+      - 'base/ubi8/**'
+      - 'universal/ubi8/**'
+
+env:
+   USERSTORY: CloneGitRepoAPI
+   TS_API_TEST_KUBERNETES_COMMAND_LINE_TOOL: kubectl
+   DEPLOYMENT_TIMEOUT: 90s
+   PULL_POLICY: IfNotPresent
+
+jobs:
+  workspace-api-tests-on-minikube:
+    runs-on: ubuntu-22.04
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@master
+    - name: Free runner space
+      run: |
+        sudo rm -rf /usr/local/lib/android
+      # obtain the PR number for tegging the image
+    - name: Get PR number
+      id: get_pr_number
+      run: |
+        pr_number=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')
+        echo "PR_NUMBER=$pr_number" >> $GITHUB_ENV
+        echo ">>>>>>>>>>>$pr_number"
+
+    - name: Cleanup build-in images
+      run: |
+        # remove build-in images from the VM because it is not used
+        docker rmi -f $(docker images -aq)
+
+    - name: Start minikube cluster
+      id: run-minikube
+      uses: che-incubator/setup-minikube-action@next
+      with:
+        minikube-version: v1.31.0
+
+     # connect with docker daemon in the minikube and build an image there
+     # we need to build the image in the minikube because we have just 14 GB of space on the runner
+     # the UBI have more than 9 GB size this approach saves the disk space
+    - name: Build base image
+      run: |
+       eval $(minikube docker-env)
+       cd base/ubi9 && docker build -t quay.io/devfile/base-developer-image:ubi9-latest .
+
+    - name: Build universal image
+      run: |
+        eval $(minikube docker-env)
+        cd universal/ubi9 && docker build -t quay.io/devfile/universal-developer-image:${{ env.PR_NUMBER }} .
+
+    - name: Checkout DWO
+      uses: actions/checkout@master
+      with:
+        repository: devfile/devworkspace-operator
+        path: devworkspace-operator
+
+    - name: Setup cert manager
+      run: |
+        cd devworkspace-operator
+        make install_cert_manager
+        kubectl wait deployment -n cert-manager cert-manager --for condition=Available=True --timeout=$DEPLOYMENT_TIMEOUT
+        kubectl wait deployment -n cert-manager cert-manager-cainjector --for condition=Available=True --timeout=$DEPLOYMENT_TIMEOUT
+        kubectl wait deployment -n cert-manager cert-manager-webhook --for condition=Available=True --timeout=$DEPLOYMENT_TIMEOUT
+
+    - name: Setup DWO
+      run: |
+        cd devworkspace-operator
+        make install
+        kubectl rollout status deployment -n devworkspace-controller devworkspace-controller-manager --timeout=$DEPLOYMENT_TIMEOUT
+        kubectl rollout status deployment -n devworkspace-controller devworkspace-webhook-server --timeout=$DEPLOYMENT_TIMEOUT
+        kubectl wait deployment -n devworkspace-controller devworkspace-webhook-server --for condition=Available=True --timeout=$DEPLOYMENT_TIMEOUT
+        kubectl wait deployment -n devworkspace-controller devworkspace-controller-manager --for condition=Available=True --timeout=$DEPLOYMENT_TIMEOUT
+
+    - name: Check that UDI is presen in the image list
+      run: |
+        # we used it for the build above and do not need it anymore. It saves the disk space
+        minikube image rm quay.io/devfile/base-developer-image:ubi9-latest
+        minikube image list --format table
+
+    - name: Install NodeJs
+      uses: actions/setup-node@v4
+
+    - name: Checkout tests codebase
+      uses: actions/checkout@master
+      with:
+        ref: api-test-with-clone-project-without-generating
+        repository: eclipse/che
+        path: che
+
+    - name: Run Empty workspace smoke test
+      run: |
+        export TS_API_TEST_UDI_IMAGE=quay.io/devfile/universal-developer-image:${{ env.PR_NUMBER }}
+        cd che/tests/e2e
+        npm i
+        npm run driver-less-test
+

README.md

@@ -17,7 +17,7 @@ $ docker run -ti --rm \
 ```
 ### Included Development Tools
 
-| Tool                | ubi8 based image                    |
+| Tool                | ubi9 based image                    |
 |---------------------|-------------------------------------|
 | `bash`              |`bash`                               |
 | `bat`               |`<gh releases>`                      |
@@ -96,7 +96,7 @@ docker run -ti --rm \
 ```
 ### Included Development Tools
 
-| Tool or language    | ubi8 based image                    |
+| Tool or language    | ubi9 based image                    |
 |---------------------|-------------------------------------|
 |--------JAVA---------|-------------------------------------|
 | `sdk`               |`<https://get.sdkman.io>`            |
@@ -106,7 +106,7 @@ docker run -ti --rm \
 | `java`              |`<21.0.2-tem via sdkman>`   |
 | `maven`             |`<via sdkman>`                       |
 | `gradle`            |`<via sdkman>`                       |
-| `mandrel`           |`<22.1.0.0.r17-mandrel via sdkman>`  |
+| `mandrel`           |`<22.1.2.r21-mandrel via sdkman>`  |
 | `jbang`             |`<via sdkman>`                       |
 |--------SCALA--------|-------------------------------------|
 | `cs`                |`<https://get-coursier.io/>`         |

base/ubi9/.stow-local-ignore

@@ -0,0 +1,12 @@
+# .viminfo cannot be a symlink for security reasons
+\.viminfo
+
+# We store bash related files in /home/tooling/ so they aren't overriden if persistUserHome is enabled
+# but we don't want them to be symbolic links (or to cause stow conflicts). They will be copied to /home/user/ manually.
+\.bashrc
+\.bash_profile
+
+# Ignore absolute symbolic links, as they are not supported by stow
+\.krew
+\.sdkman
+\.local/bin/podman

base/ubi9/Dockerfile

@@ -19,17 +19,26 @@ LABEL io.openshift.expose-services=""
 
 USER 0
 
-# Removed because of vulnerabilities: git-lfs
-RUN dnf install -y diffutils git iproute jq less lsof man nano procps \
-    perl-Digest-SHA net-tools openssh-clients rsync socat sudo time vim wget zip && \
+ENV HOME=/home/tooling
+RUN mkdir -p /home/tooling/
+
+## add epel repos so that p7zip p7zip-plugins stow can be found
+RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
+    dnf install -y diffutils git git-lfs iproute jq less lsof man nano procps p7zip p7zip-plugins \
+        perl-Digest-SHA net-tools openssh-clients rsync socat sudo time vim wget zip stow && \
     dnf update -y && \
     dnf clean all
 
+## podman buildah skopeo
+RUN dnf -y reinstall shadow-utils && \
+    dnf -y install podman buildah skopeo fuse-overlayfs && \
+    dnf clean all
+
 ## gh-cli
 RUN \
     TEMP_DIR="$(mktemp -d)"; \
     cd "${TEMP_DIR}"; \
-    GH_VERSION="2.23.0"; \
+    GH_VERSION="2.45.0"; \
     GH_ARCH="linux_amd64"; \
     GH_TGZ="gh_${GH_VERSION}_${GH_ARCH}.tar.gz"; \
     GH_TGZ_URL="https://github.com/cli/cli/releases/download/v${GH_VERSION}/${GH_TGZ}"; \
@@ -88,16 +97,69 @@ RUN \
     cd - && \
     rm -rf "${TEMP_DIR}"
 
+    # Define user directory for binaries
+ENV PATH="/home/user/.local/bin:$PATH"
+
+# Set up environment variables to note that this is
+# not starting with usernamespace and default to
+# isolate the filesystem with chroot.
+ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot
+
+# Tweaks to make rootless buildah work
+RUN touch /etc/subgid /etc/subuid  && \
+    chmod g=u /etc/subgid /etc/subuid /etc/passwd  && \
+    echo user:10000:65536 > /etc/subuid  && \
+    echo user:10000:65536 > /etc/subgid
+
+# Adjust storage.conf to enable Fuse storage.
+RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; \
+    touch /var/lib/shared/overlay-images/images.lock; \
+    touch /var/lib/shared/overlay-layers/layers.lock
+
+# But use VFS since not all environments support overlay with Fuse backend
+RUN mkdir -p "${HOME}"/.config/containers && \
+   (echo '[storage]';echo 'driver = "vfs"') > "${HOME}"/.config/containers/storage.conf && \
+   chown -R 10001 "${HOME}"/.config
+
+# Add kubedock
+ENV KUBEDOCK_VERSION 0.17.0
+ENV KUBECONFIG=/home/user/.kube/config
+RUN curl -L https://github.com/joyrex2001/kubedock/releases/download/${KUBEDOCK_VERSION}/kubedock_${KUBEDOCK_VERSION}_linux_amd64.tar.gz | tar -C /usr/local/bin -xz --no-same-owner \
+    && chmod +x /usr/local/bin/kubedock
+COPY --chown=0:0 kubedock_setup.sh /usr/local/bin/kubedock_setup
+
+# Configure Podman wrapper
+ENV PODMAN_WRAPPER_PATH=/usr/bin/podman.wrapper
+ENV ORIGINAL_PODMAN_PATH=/usr/bin/podman.orig
+COPY --chown=0:0 podman-wrapper.sh "${PODMAN_WRAPPER_PATH}"
+RUN mv /usr/bin/podman "${ORIGINAL_PODMAN_PATH}"
+
 COPY --chown=0:0 entrypoint.sh /
+COPY --chown=0:0 .stow-local-ignore /home/tooling/
 RUN \
     # add user and configure it
     useradd -u 10001 -G wheel,root -d /home/user --shell /bin/bash -m user && \
     # Setup $PS1 for a consistent and reasonable prompt
-    echo "export PS1='\W \`git branch --show-current 2>/dev/null | sed -r -e \"s@^(.+)@\(\1\) @\"\`$ '" >> /home/user/.bashrc && \
+    touch /etc/profile.d/udi_prompt.sh && \
+    chown 10001 /etc/profile.d/udi_prompt.sh && \
+    echo "export PS1='\W \`git branch --show-current 2>/dev/null | sed -r -e \"s@^(.+)@\(\1\) @\"\`$ '" >> /etc/profile.d/udi_prompt.sh && \
+    # Copy the global git configuration to user config as global /etc/gitconfig
+    # file may be overwritten by a mounted file at runtime
+    cp /etc/gitconfig ${HOME}/.gitconfig && \
+    chown 10001 ${HOME}/ ${HOME}/.viminfo ${HOME}/.gitconfig ${HOME}/.stow-local-ignore && \
     # Set permissions on /etc/passwd and /home to allow arbitrary users to write
     chgrp -R 0 /home && \
     chmod -R g=u /etc/passwd /etc/group /home && \
-    chmod +x /entrypoint.sh
+    chmod +x /entrypoint.sh && \
+    # Create symbolic links from /home/tooling/ -> /home/user/
+    stow . -t /home/user/ -d /home/tooling/ && \
+    # .viminfo cannot be a symbolic link for security reasons, so copy it to /home/user/
+    cp /home/tooling/.viminfo /home/user/.viminfo && \
+    # Bash-related files are backed up to /home/tooling/ incase they are deleted when persistUserHome is enabled.
+    cp /home/user/.bashrc /home/tooling/.bashrc && \
+    cp /home/user/.bash_profile /home/tooling/.bash_profile && \
+    chown 10001 /home/tooling/.bashrc /home/tooling/.bash_profile
 
 USER 10001
 ENV HOME=/home/user

base/ubi9/entrypoint.sh

@@ -18,4 +18,6 @@ if ! whoami &> /dev/null; then
   fi
 fi
 
+source kubedock_setup
+
 exec "$@"

base/ubi9/kubedock_setup.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# Kubedock setup script meant to be run from the entrypoint script.
+
+LOCAL_BIN=/home/user/.local/bin
+ORIGINAL_PODMAN_PATH=${ORIGINAL_PODMAN_PATH:-"/usr/bin/podman.orig"}
+PODMAN_WRAPPER_PATH=${PODMAN_WRAPPER_PATH:-"/usr/bin/podman.wrapper"}
+
+mkdir -p "${LOCAL_BIN}"
+
+if [ "${KUBEDOCK_ENABLED:-false}" = "true" ]; then
+  echo
+  echo "Kubedock is enabled (env variable KUBEDOCK_ENABLED is set to true)."
+
+  SECONDS=0
+  KUBEDOCK_TIMEOUT=${KUBEDOCK_TIMEOUT:-10}
+  until [ -f $KUBECONFIG ]; do
+    if ((SECONDS > KUBEDOCK_TIMEOUT)); then
+      break
+    fi
+    echo "Kubeconfig doesn't exist yet. Waiting..."
+    sleep 1
+  done
+
+  if [ -f $KUBECONFIG ]; then
+    echo "Kubeconfig found."
+
+    KUBEDOCK_PARAMS=${KUBEDOCK_PARAMS:-"--reverse-proxy --kubeconfig $KUBECONFIG"}
+
+    echo "Starting kubedock with params \"${KUBEDOCK_PARAMS}\"..."
+
+    kubedock server ${KUBEDOCK_PARAMS} >/tmp/kubedock.log 2>&1 &
+
+    echo "Done."
+
+    echo "Replacing podman with podman-wrapper..."
+
+    ln -f -s "${PODMAN_WRAPPER_PATH}" "${LOCAL_BIN}/podman"
+
+    export TESTCONTAINERS_RYUK_DISABLED="true"
+    export TESTCONTAINERS_CHECKS_DISABLE="true"
+
+    echo "Done."
+    echo
+  else
+    echo "Could not find Kubeconfig at $KUBECONFIG"
+    echo "Giving up..."
+  fi
+else
+  echo
+  echo "Kubedock is disabled. It can be enabled with the env variable \"KUBEDOCK_ENABLED=true\""
+  echo "set in the workspace Devfile or in a Kubernetes ConfigMap in the developer namespace."
+  echo
+  ln -f -s "${ORIGINAL_PODMAN_PATH}" "${LOCAL_BIN}/podman"
+fi

base/ubi9/podman-wrapper.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+PODMAN_ORIGINAL_PATH=${PODMAN_ORIGINAL_PATH:-"/usr/bin/podman.orig"}
+KUBEDOCK_SUPPORTED_COMMANDS=${KUBEDOCK_SUPPORTED_COMMANDS:-"run ps exec cp logs inspect kill rm wait stop start"}
+
+PODMAN_ARGS=( "$@" )
+
+TRUE=0
+FALSE=1
+
+exec_original_podman() {
+    exec ${PODMAN_ORIGINAL_PATH} "${PODMAN_ARGS[@]}"
+}
+
+exec_kubedock_podman() {
+    exec env CONTAINER_HOST=tcp://127.0.0.1:2475 "${PODMAN_ORIGINAL_PATH}" "${PODMAN_ARGS[@]}"
+}
+
+podman_command() {
+    echo "${PODMAN_ARGS[0]}"
+}
+
+command_is_supported_by_kubedock() {
+    CMD=$(podman_command)
+    for SUPPORTED_CMD in $KUBEDOCK_SUPPORTED_COMMANDS; do
+        if [ "$SUPPORTED_CMD" = "$CMD" ]; then
+            return $TRUE
+        fi
+    done
+    return ${FALSE}
+}
+
+if command_is_supported_by_kubedock; then
+  exec_kubedock_podman
+else
+  exec_original_podman
+fi