22# It is built with dependencies that take a while to download, thus speeding
33# up ansible deploy jobs.
44
5- FROM registry.access.redhat.com/ubi8 /ubi:8.9-1107 AS basebuilder
5+ FROM registry.access.redhat.com/ubi9 /ubi:9.4-1214 AS basebuilder
66
77# Install Rust so that we can ensure backwards compatibility with installing/building the cryptography wheel across all platforms
88RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
@@ -11,20 +11,22 @@ RUN rustc --version
1111
1212# Copy python dependencies (including ansible) to be installed using Pipenv
1313COPY images/ansible-operator/Pipfile* ./
14+
1415# Instruct pip(env) not to keep a cache of installed packages,
1516# to install into the global site-packages and
1617# to clear the pipenv cache as well
17- ENV PIP_NO_CACHE_DIR=1 \
18- PIPENV_SYSTEM=1 \
19- PIPENV_CLEAR=1
18+ ENV PIP_NO_CACHE_DIR=1
19+
2020# Ensure fresh metadata rather than cached metadata, install system and pip python deps,
2121# and remove those not needed at runtime.
2222RUN set -e && yum clean all && rm -rf /var/cache/yum/* \
2323 && yum update -y \
24- && yum install -y libffi-devel openssl-devel python39-devel gcc python39-pip python39-setuptools \
25- && pip3 install --upgrade pip~=23.3.2 \
26- && pip3 install pipenv==2023.11.15 \
27- && pipenv install --deploy \
24+ && yum install -y python3.11 \
25+ && yum install -y libffi-devel openssl-devel gcc python3.11-devel python3.11-pip python3.11-setuptools \
26+ && pip3.11 install --upgrade pip~=24.2 \
27+ && pip3.11 install pipenv \
28+ && pipenv requirements > requirements.txt \
29+ && pip3.11 install -r requirements.txt --prefix /usr/local \
2830 # NOTE: This ignored vulnerability (70612) was detected in jinja2, \
2931 # but the vulnerability is disputed and may never be fixed. See: \
3032 # - https://github.com/advisories/GHSA-f6pv-j8mr-w6rr \
@@ -33,12 +35,12 @@ RUN set -e && yum clean all && rm -rf /var/cache/yum/* \
3335 # NOTE: This ignored vulnerability (71064) was detected in requests, \
3436 # but the upgraded version doesn't support the use case (protocol we are using).\
3537 # Ref: https://github.com/operator-framework/ansible-operator-plugins/pull/67#issuecomment-2189164688
36- && pipenv check --ignore 70612 --ignore 71064 \
37- && yum remove -y gcc libffi-devel openssl-devel python39 -devel \
38+ && safety check --ignore 70612 --ignore 71064 \
39+ && yum remove -y gcc libffi-devel openssl-devel python3.11 -devel \
3840 && yum clean all \
3941 && rm -rf /var/cache/yum
4042
41- FROM registry.access.redhat.com/ubi8 /ubi:8.9-1107 as base
43+ FROM registry.access.redhat.com/ubi9 /ubi:9.4-1214 as base
4244ARG TARGETARCH
4345
4446# Label this image with the repo and commit that built it, for freshmaking purposes.
@@ -53,14 +55,15 @@ RUN mkdir -p /etc/ansible \
5355
5456RUN set -e && yum clean all && rm -rf /var/cache/yum/* \
5557 && yum update -y \
56- && yum install -y python39-pip python39-setuptools \
57- && pip3 install --upgrade pip~=23.3.2 \
58- && pip3 install pipenv==2023.11.15 \
58+ && yum install -y python3.11 \
59+ && yum install -y python3.11-pip python3.11-setuptools \
60+ && pip3.11 install --upgrade pip~=24.2 \
61+ && pip3.11 install pipenv==2024.0.1 \
5962 && yum clean all \
6063 && rm -rf /var/cache/yum
6164
62- COPY --from=basebuilder /usr/local/lib64/python3.9 /site-packages /usr/local/lib64/python3.9 /site-packages
63- COPY --from=basebuilder /usr/local/lib/python3.9/site-packages /usr/local/lib/python3.9/site-packages
65+ COPY --from=basebuilder /usr/local/lib64/python3.11 /site-packages /usr/local/lib64/python3.11 /site-packages
66+ COPY --from=basebuilder /usr/local/lib/python3.11 /usr/local/lib/python3.11
6467COPY --from=basebuilder /usr/local/bin /usr/local/bin
6568
6669ENV TINI_VERSION=v0.19.0
0 commit comments