@sxa
Member

@sxa sxa commented Aug 29, 2025

Part of #3868
Relative to earlier versions this also implements points 1, 2, 4, 5 of #4043 (comment) (Albeit with point 1 using JDK21 instead of 25 for now until it GAs), plus some moving about of the control stuff like ENTRYPOINT to the end.

Log of running this Dockerfile to show time stamps - JDK download/install is under four seconds

The eagle-eyed among you will note that this has had x64 and x86-64 switched to aarch64 for this test ;-)
Most of the time is spent installing perl and the other prereqs required for the testing.

$ docker build --no-cache -t aqa_ubi10 -f Dockerfile.ubi10 .
[+] Building 197.0s (27/27) FINISHED                                                                  docker:default
 => [internal] load build definition from Dockerfile.ubi10                                                      0.0s
 => => transferring dockerfile: 3.90kB                                                                          0.0s
 => WARN: JSONArgsRecommended: JSON arguments recommended for ENTRYPOINT to prevent unintended behavior relate  0.0s
 => [internal] load metadata for docker.io/redhat/ubi10:latest                                                  0.0s
 => [internal] load .dockerignore                                                                               0.0s
 => => transferring context: 2B                                                                                 0.0s
 => CACHED [ 1/23] FROM docker.io/redhat/ubi10:latest                                                           0.0s
 => [ 2/23] RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm          2.0s
 => [ 3/23] RUN dnf -y update && dnf install -y unzip zip epel-release openssl gpg                              7.7s 
 => [ 4/23] RUN curl -o /tmp/gpgkey.rpm 'https://mirror.stream.centos.org/10-stream/BaseOS/aarch64/os/Packages  0.4s 
 => [ 5/23] RUN ACTUAL_CHECKSUM=$(sha256sum /tmp/gpgkey.rpm | awk '{print $1}')     && if [ "$ACTUAL_CHECKSUM"  0.6s 
 => [ 6/23] RUN rpm -i '/tmp/gpgkey.rpm'                                                                        0.7s 
 => [ 7/23] RUN curl -o /tmp/centosrepos.rpm 'https://mirror.stream.centos.org/10-stream/BaseOS/aarch64/os/Pac  0.5s 
 => [ 8/23] RUN ACTUAL_CHECKSUM=$(sha256sum /tmp/centosrepos.rpm | awk '{print $1}')     && if [ "$ACTUAL_CHEC  0.6s 
 => [ 9/23] RUN rpm -i '/tmp/centosrepos.rpm'                                                                   0.6s 
 => [10/23] RUN curl -sL -o /tmp/jdk21.sig `curl -s 'https://api.adoptium.net/v3/assets/feature_releases/21/ga  1.1s 
 => [11/23] RUN gpg --keyserver keyserver.ubuntu.com --recv-keys 3B04D753C9050D9A5D343F39843C48A565F8F04B       1.3s
 => [12/23] RUN mkdir -p /usr/lib/jvm/jdk21                                                                     0.5s
 => [13/23] RUN curl -sL 'https://api.adoptium.net/v3/binary/latest/21/ga/linux/aarch64/jre/hotspot/normal/ecl  3.2s 
 => [14/23] RUN curl -o /tmp/ant.zip 'https://archive.apache.org/dist/ant/binaries/apache-ant-1.10.15-bin.zip  10.7s 
 => [15/23] RUN rm /tmp/ant.zip /tmp/ant-contrib.tgz /tmp/gpgkey.rpm                                            0.3s 
 => [16/23] RUN useradd -m -d /home/jenkins jenkins &&     mkdir /home/jenkins/.ssh &&     echo "Jenkins_User_  0.8s 
 => [17/23] RUN dnf install -y perl                                                                            32.4s
 => [18/23] RUN dnf install -y --enablerepo=crb turbojpeg                                                       4.9s
 => [19/23] RUN dnf install -y git make gcc weston xwayland-run libXrender libXi libXtst fontconfig fakeroot  110.3s
 => [20/23] RUN dnf install -y coreutils --allowerasing curl                                                    4.2s
 => [21/23] RUN dnf install -y gnutls gnutls-utils nss nss-tools                                                4.2s
 => [22/23] RUN dnf install -y openssh-server                                                                   3.5s
 => [23/23] RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -P ""                                            0.5s
 => exporting to image                                                                                          6.0s
 => => exporting layers                                                                                         6.0s
 => => writing image sha256:a64f6d793ccef68baff55ca0f181815496847ee31a36f17d370ffed7ff234567                    0.0s
 => => naming to docker.io/library/aqa_ubi10                                                                    0.0s
$

An AQA_Test_Pipeline run with JDK8+25 excluding extended.openjdk and the system tests is at https://ci.adoptium.net/job/AQA_Test_Pipeline/457 (One last hurrah for our Equinix aarch64 machines!)

Checklist
  • commit message has one of the standard prefixes
  • faq.md updated if appropriate
  • other documentation is changed or added (if applicable)
  • playbook changes run through VPC or QPC (if you have access)
  • VPC/QPC not applicable for this PR
  • for inventory.yml changes, bastillion/nagios/jenkins updated accordingly

@sxa sxa added this to the 2025-08 (August) milestone Aug 29, 2025
@sxa sxa moved this to In Progress in 2025 Adoptium Plan Aug 29, 2025
@sxa sxa requested a review from Haroon-Khel August 29, 2025 14:09
@sxa sxa self-assigned this Aug 29, 2025
@sxa sxa force-pushed the dockerstatic_ubi10 branch from 8069529 to cf7ca70 Compare August 29, 2025 14:19
Signed-off-by: Stewart X Addison <[email protected]>
@sxa sxa force-pushed the dockerstatic_ubi10 branch from cf7ca70 to def94b0 Compare August 29, 2025 14:23
@Haroon-Khel
Contributor

I'm going to run this PR in the static container deployment task in AWX. If it runs without error it's good to go

https://awx.adoptium.net/#/jobs/playbook/2993/output

@sxa
Member Author

sxa commented Aug 29, 2025

@Haroon-Khel Please pick up the latest version as the JDK extract had the wrong --strip-components parameter so will not work

@sxa
Member Author

sxa commented Aug 29, 2025

Also noting that this should not be made live with a ci.role.test label until adoptium/aqa-tests#6541 is merged

@Haroon-Khel
Contributor

Haroon-Khel commented Aug 29, 2025

The awx job deploys the container fine, but the container does not stay up

56d4b98782c1   aqa_ubi10         "/bin/sh -c /bin/bas…"   17 seconds ago   Restarting (0) 5 seconds ago                                               UBI10.3200

Maybe try it without ENTRYPOINT /bin/bash, our other dockerfiles do not have this command at the end, some have it commented out which suggests it is not needed.

Also our other containers use /usr/sbin/sshd -D as their entrypoint command

5827d3b3e964   aqa_alp320        "/usr/sbin/sshd -D"      3 weeks ago      Up 3 weeks                     0.0.0.0:32007->22/tcp, [::]:32007->22/tcp   ALP320.32007

@sxa
Member Author

sxa commented Aug 29, 2025

> The awx job deploys the container fine, but the container does not stay up
>
> 56d4b98782c1   aqa_ubi10         "/bin/sh -c /bin/bas…"   17 seconds ago   Restarting (0) 5 seconds ago                                               UBI10.3200
>
> Maybe try it without ENTRYPOINT /bin/bash, our other dockerfiles do not have this command at the end, some have it commented out which suggests it is not needed

Hmm it's a default if you don't specify a command when you run the container. That would suggest to me that perhaps the ssh startup isn't working - which I haven't been testing.

I have noticed that some of the containers didn't have the default entry point so I've had to use docker exec -it blah bash so it would possibly be good to add an ENTRYPOINT to those. I'll have a play to fix the ssh scenario ...

@Haroon-Khel
Contributor

Which host did you see the issue on?

dockerhost-osuosl-ubuntu2404-aarch64-1

@sxa
Member Author

sxa commented Aug 29, 2025

Fixed by latest commit which removes the ENTRYPOINT (I deleted an earlier comment which had incorrect information in it).

@Haroon-Khel
Contributor

Yep now it stays up

f19f5c2484df   aqa_ubi10         "/usr/sbin/sshd -D"   45 seconds ago   Up 45 seconds   0.0.0.0:32008->22/tcp, [::]:32008->22/tcp   UBI10.32008

@sxa
Member Author

sxa commented Aug 29, 2025

> Yep now it stays up
>
> f19f5c2484df   aqa_ubi10         "/usr/sbin/sshd -D"   45 seconds ago   Up 45 seconds   0.0.0.0:32008->22/tcp, [::]:32008->22/tcp   UBI10.32008

Great - thanks for testing! So now I just have to confirm from the AQA_Test_Pipeline runs whether either the installation of a JRE vs JDK for the agent, and the absence of wget causes any problems (I suspect it will...)

@sxa
Member Author

sxa commented Aug 30, 2025

I don't know why but on my laptop with podman the GPG bit for the adoptium download isn't working at the moment ...

STEP 15/29: RUN gpg --keyserver keyserver.ubuntu.com --recv-keys 3B04D753C9050D9A5D343F39843C48A565F8F04B
--> Using cache a1d1129bcfa5fe280242de33f525c1111da8c76e7dc92922bb88aaa29a1af257
--> a1d1129bcfa5
STEP 16/29: RUN mkdir -p /usr/lib/jvm/jdk21
--> Using cache 4ce8617b4a013f7dad33bce4f457931b052a5c3bd313f81b39e4ffc9f3eb44e2
--> 4ce8617b4a01
STEP 17/29: RUN curl -sL 'https://api.adoptium.net/v3/binary/latest/21/ga/linux/x64/jre/hotspot/normal/eclipse?project=jdk' | tee >(tar xpfz - -C /usr/lib/jvm/jdk21 --strip-components=1) | gpg --verify /tmp/jdk21.sig -
gpg: Signature made Tue Jul 15 22:39:47 2025 UTC
gpg:                using RSA key 3B04D753C9050D9A5D343F39843C48A565F8F04B
gpg: Note: database_open 134217901 waiting for lock (held by 6) ...
gpg: Note: database_open 134217901 waiting for lock (held by 6) ...
gpg: Note: database_open 134217901 waiting for lock (held by 6) ...
gpg: Note: database_open 134217901 waiting for lock (held by 6) ...
gpg: Note: database_open 134217901 waiting for lock (held by 6) ...
gpg: keydb_search failed: Connection timed out
gpg: Note: database_open 134217901 waiting for lock (held by 6) ...
gpg: Note: database_open 134217901 waiting for lock (held by 6) ...
gpg: Note: database_open 134217901 waiting for lock (held by 6) ...
gpg: Note: database_open 134217901 waiting for lock (held by 6) ...
gpg: Note: database_open 134217901 waiting for lock (held by 6) ...
gpg: keydb_search failed: Connection timed out
gpg: Can't check signature: No public key
Error: building at STEP "RUN curl -sL 'https://api.adoptium.net/v3/binary/latest/21/ga/linux/x64/jre/hotspot/normal/eclipse?project=jdk' | tee >(tar xpfz - -C /usr/lib/jvm/jdk21 --strip-components=1) | gpg --verify /tmp/jdk21.sig -": while running runtime: exit status 2
sxa:Dockerfiles$ 

@sxa
Member Author

sxa commented Aug 31, 2025

Need an extra commit to create /tmp/.X11-unix otherwise weston starts but won't allow things to connect (Ideally we'd move that location ..)
Or that could be done in the Weston startup code in aqa-tests, but that makes it harder to run from the command line, so maybe I'll go for both.

@sxa
Member Author

sxa commented Sep 1, 2025

Taking this out of draft. I'm still not sure what the issue is with my x64 podman system, but it's reproducible with ubi10 with the minimal dockerfile below. Switch the first line to reference ubi9 and it works fine.

FROM redhat/ubi10
RUN dnf -y update && dnf install -y gpg
RUN curl -Lo /tmp/jdk17.tar.gz 'https://api.adoptium.net/v3/binary/latest/17/ga/linux/x64/jre/hotspot/normal/eclipse?project=jdk'
RUN gpg --keyserver keyserver.ubuntu.com --recv-keys 3B04D753C9050D9A5D343F39843C48A565F8F04B
RUN curl -Lo /tmp/jdk17.sig `curl -s 'https://api.adoptium.net/v3/assets/feature_releases/17/ga?architecture=x64&heap_size=normal&image_type=jre&jvm_impl=hotspot&os=linux&page=0&page_size=1&project=jdk&vendor=eclipse' | grep signature_link | awk '{split($0,a,"\""); print a[4]}'`
RUN gpg --verify /tmp/jdk17.sig /tmp/jdk17.tar.gz

@Haroon-Khel Can you do one final check with this PR in AWX and confirm that you're still happy with it please?

@sxa sxa marked this pull request as ready for review September 1, 2025 11:04
Signed-off-by: Stewart X Addison <[email protected]>
@sxa sxa requested a review from steelhead31 September 1, 2025 11:55
Contributor

@steelhead31 steelhead31 left a comment

Looks good.

@sxa
Member Author

sxa commented Sep 1, 2025

Another option from the rm would have been:

RUN gpg  --keyserver keyserver.ubuntu.com --recv-keys 3B04D753C9050D9A5D343F39843C48A565F8F04B && gpgconf --kill keyboxd

which still forces a shutdown of the process holding the lock
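
The verification step discussed in this thread, reworked as an added example (not code from the PR or the Adoptium project): it checks gpg's machine-readable status for the pinned fingerprint and extracts only after verification succeeds, unlike the `curl | tee >(tar …) | gpg --verify` step in the podman log. The function names and the sample status lines are constructed for illustration; the fingerprint and keyserver are the ones used in the PR.

```shell
#!/bin/sh
# Added example, not code from the PR. Fingerprint as used in the PR's Dockerfile.
PINNED_FPR=3B04D753C9050D9A5D343F39843C48A565F8F04B

# Read `gpg --status-fd` output on stdin; succeed only if a VALIDSIG line names
# the pinned key and no failure status was reported.
status_trusts_pinned_key() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
    # VALIDSIG: field 3 = signing-key fingerprint, last field = primary key
    $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
    END { exit !(ok && !bad) }
  '
}

# Verify first, extract only on success (hypothetical helper).
# Args: tarball, detached signature, destination directory.
verify_then_extract() {
  GNUPGHOME=$(mktemp -d) || return 1   # throwaway keyring for this step only
  export GNUPGHOME
  gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$PINNED_FPR" &&
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
      status_trusts_pinned_key "$PINNED_FPR"
  rc=$?
  gpgconf --kill all                   # stop keyboxd/agent/dirmngr for this home
  rm -rf "$GNUPGHOME"; unset GNUPGHOME
  [ "$rc" -eq 0 ] && mkdir -p "$3" && tar xzf "$1" -C "$3" --strip-components=1
}

# Constructed status output: a good signature from the pinned key ...
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 843C48A565F8F04B Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 3B04D753C9050D9A5D343F39843C48A565F8F04B 2025-07-15 1752619187 0 4 0 1 8 00 3B04D753C9050D9A5D343F39843C48A565F8F04B'

# ... and the shape of a "No public key" failure (constructed, not captured).
NOKEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 843C48A565F8F04B 1 8 00 1752619187 9 3B04D753C9050D9A5D343F39843C48A565F8F04B
[GNUPG:] NO_PUBKEY 843C48A565F8F04B'
```

In a Dockerfile this would run as a single `RUN` step after the tarball and `.sig` have been downloaded to files, so a failed check stops the build before anything is unpacked.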

@Haroon-Khel
Contributor

@sxa The latest awx check ran successfully and the container is up and running

@sxa sxa merged commit 4305d96 into adoptium:master Sep 1, 2025
18 of 20 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in 2025 Adoptium Plan Sep 1, 2025