Domino container project base image switch from CentOS Stream 9 to Redhat UBI 9 Minimal
Daniel Nashed – 26 April 2024 10:03:26
For a container project, the Linux base image is an important decision to take: it is the Linux distribution that every layer of your container is built on.
HCL has used the Red Hat Universal Base Image (UBI) for a long time.
The community project selected CentOS Stream as the base image for the following reasons:
- Separate glibc language packs per language (UBI, in contrast, only has one big pack of about 200 MB if you need any language other than English).
- epel-release makes additional software available out of the box (for example a direct Borg Backup download; there are other ways to install it, though, and the build script can take care of it in the meantime).
On the other hand, there are good reasons to use UBI:
- UBI provides a working minimal base image, which allows better control over which packages are installed for a Domino server.
Combined with the change introduced a while ago to use the gdb-minimal package to avoid pulling in Python, the container has far fewer packages installed (relevant not just for image size but also from a CVE point of view).
- UBI base images are hosted on the Red Hat registry (quay.io), and package updates also come from Red Hat directly.
With CentOS Stream, updates come from a random mirror that is "close" to you.
If you are in a restricted network where the proxy configuration has to limit the target hosts, this is an important difference.
- There have recently been issues accessing mirrors and getting packages, which cause container build failures.
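As an added illustration of the minimal-package point above (example code, not the Domino container project's own Dockerfile, which selects its base via the build script): a UBI 9 Minimal stage that installs only what it needs with microdnf and keeps Python out of the image. The image reference registry.access.redhat.com/ubi9/ubi-minimal, the non-root user and the shadow-utils package are assumptions for this example; gdb-minimal is the package the post refers to.

```dockerfile
# Added example, not the Domino container project's Dockerfile.
# Base image reference is an assumption for this example; in production
# pin it to a digest (image@sha256:...) rather than a floating tag.
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest

# ubi-minimal ships microdnf instead of dnf/yum and only a small package set.
# Installing gdb-minimal (rather than gdb) avoids pulling Python into the image.
# --nodocs drops documentation files; "clean all" removes cached repo metadata
# so it does not end up in the image layer.
RUN microdnf install -y --nodocs gdb-minimal && \
    microdnf clean all

# shadow-utils is not part of ubi-minimal; it is needed for useradd.
# The user name and UID are assumptions for this example.
RUN microdnf install -y --nodocs shadow-utils && \
    useradd -u 1000 -m -s /bin/bash notes && \
    microdnf clean all

# Never run the server process as root inside the container.
USER notes
WORKDIR /home/notes
```

To see the effect of the smaller base, build the image and compare package counts against a CentOS Stream 9 based image: `podman run --rm <image> rpm -qa | wc -l` on both, and `podman run --rm <image> rpm -qa | grep -i python` should return nothing for the UBI Minimal build. Every package that is not installed is one less package to track in CVE scans.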
---
Meanwhile, many more corporate admins are using the Domino container project.
So it looks like a good move to change the default to UBI Minimal and be more closely aligned with the HCL base image as well.
All existing container base images will continue to be supported.
This is just a change of the default base image.
You can still use the CentOS Stream 9 base image by selecting it at image build time via -from=centos9.
Avoiding Docker registry at build time for NGINX
Once we switch, you can consider pulling only signed images from Red Hat.
There is also an NGINX build option (-nginx=dom-nginx) that avoids accessing the Docker registry completely.
This option builds an NGINX image based on Red Hat UBI and does not download the NGINX image from Docker Hub either.
Unless anyone raises valid concerns, I would introduce the changed default in the develop branch and then merge it to the main branch next week.
-- Daniel