diff --git a/Dockerfile b/Dockerfile
index 42c74b5ae6..29cd04475a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.21 as builder
+FROM registry.access.redhat.com/ubi8/go-toolset:1.21 as builder
 # Copy in the go src
 WORKDIR /go/src/github.com/kserve/kserve
@@ -12,10 +12,17 @@ COPY cmd/ cmd/
 COPY pkg/ pkg/
 # Build
+USER root
 RUN CGO_ENABLED=0 GOOS=linux GOFLAGS=-mod=mod go build -a -o manager ./cmd/manager
-# Copy the controller-manager into a thin image
-FROM gcr.io/distroless/static:nonroot
+# Use distroless as minimal base image to package the manager binary
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+RUN microdnf install -y shadow-utils && \
+ microdnf clean all && \
+ useradd kserve -m -u 1000
+RUN microdnf remove -y shadow-utils
 COPY third_party/ /third_party/
 COPY --from=builder /go/src/github.com/kserve/kserve/manager /
-ENTRYPOINT ["/manager"]
+USER 1000:1000
+
+ENTRYPOINT ["/manager"]
\ No newline at end of file
diff --git a/agent.Dockerfile b/agent.Dockerfile
index ecb44a688c..9d3a65ed4b 100644
--- a/agent.Dockerfile
+++ b/agent.Dockerfile
@@ -1,5 +1,5 @@
 # Build the inference-agent binary
-FROM golang:1.21 as builder
+FROM registry.access.redhat.com/ubi8/go-toolset:1.21 as builder
 # Copy in the go src
 WORKDIR /go/src/github.com/kserve/kserve
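Review bot: The final stage's `FROM registry.access.redhat.com/ubi8/ubi-minimal:latest` is a floating tag, so the runtime image is no longer reproducible and every rebuild may pick up a different base; pin to a versioned tag or a digest. The comment added just above it, `# Use distroless as minimal base image to package the manager binary`, no longer matches the base actually used (ubi-minimal ships a shell and microdnf, which distroless static did not), so it should read something like `# Package the manager binary on a minimal UBI base`. `RUN microdnf remove -y shadow-utils` in its own layer does not take shadow-utils out of the image — it stays in the preceding layer — so fold it into the same RUN: `RUN microdnf install -y shadow-utils && useradd kserve -m -u 1000 && microdnf remove -y shadow-utils && microdnf clean all`. The same issues appear in the final-stage hunks of agent.Dockerfile and router.Dockerfile (minus the comment), and the `:latest` tag also in both stages of python/storage-initializer.Dockerfile.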
@@ -8,15 +8,23 @@ COPY go.sum go.sum
 RUN go mod download
-COPY cmd/ cmd/
 COPY pkg/ pkg/
+COPY cmd/ cmd/
 # Build
+USER root
 RUN CGO_ENABLED=0 GOOS=linux GOFLAGS=-mod=mod go build -a -o agent ./cmd/agent
 # Copy the inference-agent into a thin image
-FROM gcr.io/distroless/static:nonroot
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+
+RUN microdnf install -y shadow-utils && \
+ microdnf clean all && \
+ useradd kserve -m -u 1000
+RUN microdnf remove -y shadow-utils
 COPY third_party/ third_party/
 WORKDIR /ko-app
 COPY --from=builder /go/src/github.com/kserve/kserve/agent /ko-app/
-ENTRYPOINT ["/ko-app/agent"]
+USER 1000:1000
+
+ENTRYPOINT ["/ko-app/agent"]
\ No newline at end of file
diff --git a/python/storage-initializer.Dockerfile b/python/storage-initializer.Dockerfile
index 763213909d..d63cd8f444 100644
--- a/python/storage-initializer.Dockerfile
+++ b/python/storage-initializer.Dockerfile
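Review bot: `USER root` is added only immediately before `go build`, after the context line `RUN go mod download` has already run as the image's default user; if that default is not root — which the need for `USER root` suggests for the go-toolset image — the modules were fetched into that user's module cache and the root build resolves them again, so the dedicated download layer no longer saves anything. Placing `USER root` before `RUN go mod download` (or building as the toolset's default user throughout) keeps the cache layer effective; router.Dockerfile's matching hunk has the same ordering. The start of the builder stage, where the default user comes from, is outside this hunk.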
@@ -1,24 +1,22 @@
 ARG PYTHON_VERSION=3.9
-ARG BASE_IMAGE=python:${PYTHON_VERSION}-slim-bullseye
 ARG VENV_PATH=/prod_venv
-FROM ${BASE_IMAGE} as builder
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest as builder
+
+# Install Python and dependencies
+RUN microdnf install -y python39 python39-devel gcc libffi-devel openssl-devel krb5-workstation krb5-libs && microdnf clean all
 # Install Poetry
 ARG POETRY_HOME=/opt/poetry
 ARG POETRY_VERSION=1.7.1
-# Required for building packages for arm64 arch
-RUN apt-get update && apt-get install -y --no-install-recommends python3-dev build-essential && apt-get clean && \
- rm -rf /var/lib/apt/lists/*
-
-RUN python3 -m venv ${POETRY_HOME} && ${POETRY_HOME}/bin/pip install poetry==${POETRY_VERSION}
+RUN python -m venv ${POETRY_HOME} && ${POETRY_HOME}/bin/pip install poetry==${POETRY_VERSION}
 ENV PATH="$PATH:${POETRY_HOME}/bin"
 # Activate virtual env
 ARG VENV_PATH
 ENV VIRTUAL_ENV=${VENV_PATH}
-RUN python3 -m venv $VIRTUAL_ENV
+RUN python -m venv $VIRTUAL_ENV
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 COPY kserve/pyproject.toml kserve/poetry.lock kserve/
@@ -26,20 +24,11 @@ RUN cd kserve && poetry install --no-root --no-interaction --no-cache --extras "
 COPY kserve kserve
 RUN cd kserve && poetry install --no-interaction --no-cache --extras "storage"
-ARG DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update && apt-get install -y \
- gcc \
- libkrb5-dev \
- krb5-config \
- && rm -rf /var/lib/apt/lists/*
-
 RUN pip install --no-cache-dir krbcontext==0.10 hdfs~=2.6.0 requests-kerberos==0.14.0
 # Fixes Quay alert GHSA-2jv5-9r88-3w3p https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p
 RUN pip install --no-cache-dir starlette==0.36.2
-
-FROM ${BASE_IMAGE} as prod
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest as prod
 COPY third_party third_party
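Review bot: Both venv steps switch from `python3 -m venv` to `python -m venv`, but the new install line only adds the `python39` package and nothing registers an unversioned `python` command; on ubi-minimal that only works if the package itself provides `/usr/bin/python` — confirm it does, otherwise the builder fails before Poetry is installed, and `python3 -m venv` (or `python3.9 -m venv`) avoids the question. The new `RUN microdnf install -y python39 python39-devel gcc libffi-devel openssl-devel krb5-workstation krb5-libs && microdnf clean all` pins nothing, in contrast to the `poetry==${POETRY_VERSION}` and `starlette==0.36.2` pins around it, so the build toolchain can change silently between builds; pin versions where microdnf allows it. The removed `# Required for building packages for arm64 arch` rationale should be carried over as a comment on the new install line so the reason for gcc and the -devel headers is not lost.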
@@ -48,6 +37,8 @@ ARG VENV_PATH
 ENV VIRTUAL_ENV=${VENV_PATH}
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+RUN microdnf install -y shadow-utils python39 python39-devel && \
+ microdnf clean all
 RUN useradd kserve -m -u 1000 -d /home/kserve
 COPY --from=builder --chown=kserve:kserve $VIRTUAL_ENV $VIRTUAL_ENV
diff --git a/router.Dockerfile b/router.Dockerfile
index c9a416d512..b0dd13813f 100644
--- a/router.Dockerfile
+++ b/router.Dockerfile
@@ -1,5 +1,5 @@
 # Build the inference-router binary
-FROM golang:1.21 as builder
+FROM registry.access.redhat.com/ubi8/go-toolset:1.21 as builder
 # Copy in the go src
 WORKDIR /go/src/github.com/kserve/kserve
@@ -8,15 +8,22 @@ COPY go.sum go.sum
 RUN go mod download
-COPY cmd/ cmd/
 COPY pkg/ pkg/
+COPY cmd/ cmd/
 # Build
+USER root
 RUN CGO_ENABLED=0 go build -a -o router ./cmd/router
 # Copy the inference-router into a thin image
-FROM gcr.io/distroless/static:nonroot
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+RUN microdnf install -y shadow-utils && \
+ microdnf clean all && \
+ useradd kserve -m -u 1000
+RUN microdnf remove -y shadow-utils
 COPY third_party/ third_party/
 WORKDIR /ko-app
 COPY --from=builder /go/src/github.com/kserve/kserve/router /ko-app/
-ENTRYPOINT ["/ko-app/router"]
+USER 1000:1000
+
+ENTRYPOINT ["/ko-app/router"]
\ No newline at end of file
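Review bot: The prod stage now installs `python39-devel` and `shadow-utils` and never removes them, so development headers and the user-management tools ship in the runtime image; the headers are only used when compiling extensions, which this change does in the builder stage, and shadow-utils is only needed for the `RUN useradd` context line below it, which the Go images in this same change handle by removing the package again. A single layer of the form `RUN microdnf install -y shadow-utils python39 && useradd kserve -m -u 1000 -d /home/kserve && microdnf remove -y shadow-utils && microdnf clean all` keeps the runtime image smaller and consistent with the other Dockerfiles. The builder stage installs `krb5-libs` for the Kerberos extras but this stage does not; unless ubi-minimal already ships the library, the copied venv's requests-kerberos and krbcontext packages will fail to load it at runtime, so check with an import in the built image. Whether a USER directive follows the useradd is outside this hunk.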