UBI Repository Tutorial (How to install rpm resources directly through your Dockerfile)
Introduction
The Iron Bank Nexus server mirrors all of the official upstream rpm resources for UBI images. This means that when you build a container on Iron Bank using a UBI image as a base, you can install any of the packages in the repositories for that UBI image directly with dnf in your Dockerfile without referencing them as resources in hardening_manifest.yaml.
Note: EPEL (https://docs.fedoraproject.org/en-US/epel/) is not currently mirrored on our Nexus server, but we will hopefully be adding it as a mirrored repository soon.
Example
Here is an example Dockerfile that shows how this is done with an image based on ubi9:
ARG BASE_REGISTRY=registry1.dso.mil
ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9
ARG BASE_TAG=9.3
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
RUN mkdir /rpms
COPY percona-server-mongodb-x86_64-bundle.tar /rpms
COPY numactl-libs.x86_64.rpm /rpms
COPY numactl.x86_64.rpm /rpms
RUN dnf update -y --nodocs && \
    dnf -y install cyrus-sasl-plain policycoreutils cyrus-sasl-gssapi && \
    dnf clean all && \
    rm -rf /var/cache/dnf && \
    useradd -m mongod && \
    tar -xf /rpms/percona-server-mongodb-x86_64-bundle.tar -C /rpms && \
    rm -f /rpms/*debug* && \
    rpm -i /rpms/numactl-libs.x86_64.rpm /rpms/numactl.x86_64.rpm && \
    rm -f /rpms/numactl*.rpm && \
    rpm -i /rpms/*.rpm && \
    rm -rf /rpms && \
    mkdir -p /data/db && \
    chown -R 1000:1000 /data/
HEALTHCHECK NONE
USER 1000
ENTRYPOINT ["mongod"]
Note the use of the --nodocs option here, which tells dnf to skip installing package documentation:
dnf update -y --nodocs
Also note that you can use docker to query an existing Iron Bank base image to see what packages are already installed in it. For example, to generate an alphabetical list of installed packages in the ironbank/redhat/ubi/ubi9:9.3 image:
docker run --rm -it registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3 rpm -qa | sort
And to search the repositories configured in that image for a package such as libxml2:
docker run --rm -it registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3 dnf search libxml2
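The following is an added example, not part of the original tutorial or of Iron Bank's own tooling: a shell helper that takes the rpm -qa listing of a base image and the package names from a Dockerfile's dnf install line, and reports which of them the base image does not already provide. The sample listing (including its version strings) is constructed and the function names are hypothetical; the helper also strips the carriage returns that docker run -it adds to piped output.

```shell
#!/bin/sh
# Constructed sample of `rpm -qa | sort` output (not captured from a real image).
SAMPLE_RPM_QA='bash-5.1.8-6.el9.x86_64
cyrus-sasl-lib-2.1.27-21.el9.x86_64
gpg-pubkey-fd431d51-4ae0493b
libxml2-2.9.13-5.el9.x86_64
policycoreutils-3.5-2.el9.x86_64'

# Reduce name-version-release.arch lines to bare package names by dropping
# the last two hyphen-separated fields (package names may contain hyphens).
# tr removes the CR that a pseudo-TTY (docker run -t) appends to each line.
rpm_names() {
    tr -d '\r' | sed 's/-[^-]*-[^-]*$//' | sort -u
}

# Print "installed <pkg>" or "missing <pkg>" for each wanted package.
# $1 = rpm -qa output, remaining arguments = names from the dnf install line.
classify_packages() {
    names=$(printf '%s\n' "$1" | rpm_names)
    shift
    for pkg in "$@"; do
        if printf '%s\n' "$names" | grep -qxF -- "$pkg"; then
            echo "installed $pkg"
        else
            echo "missing $pkg"
        fi
    done
}

# Only the missing names, space-separated, ready to paste after `dnf -y install`.
missing_packages() {
    classify_packages "$@" |
        awk '$1 == "missing" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Against a real image, pass the live listing instead of the sample:
#   missing_packages "$(docker run --rm registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3 rpm -qa)" <names...>
missing_packages "$SAMPLE_RPM_QA" cyrus-sasl-plain policycoreutils cyrus-sasl-gssapi
```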