UBI Repository Tutorial (How to install rpm resources directly through your Dockerfile)

Introduction

The Iron Bank Nexus server mirrors all of the official upstream rpm resources for UBI images. This means that when you build a container on Iron Bank using a UBI image as a base, you can install any of the packages in the repositories for that UBI image directly with dnf in your Dockerfile without referencing them as resources in hardening_manifest.yaml.

Note: EPEL (https://docs.fedoraproject.org/en-US/epel/) is not currently mirrored on our Nexus server, but we will hopefully be adding it as a mirrored repository soon.

Example

Here is an example Dockerfile that shows how this is done with an image based on ubi9:

ARG BASE_REGISTRY=registry1.dso.mil
ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9
ARG BASE_TAG=9.3

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

RUN mkdir /rpms


COPY percona-server-mongodb-x86_64-bundle.tar /rpms
COPY numactl-libs.x86_64.rpm /rpms
COPY numactl.x86_64.rpm /rpms

RUN dnf update -y --nodocs && \
    dnf -y install cyrus-sasl-plain policycoreutils cyrus-sasl-gssapi && \
    dnf clean all && \
    rm -rf /var/cache/dnf && \
    useradd -m mongod && \
    tar -xf /rpms/percona-server-mongodb-x86_64-bundle.tar -C /rpms && \
    rm -f /rpms/*debug* && \
    rpm -i /rpms/numactl-libs.x86_64.rpm /rpms/numactl.x86_64.rpm && \
    rm -f /rpms/numactl*.rpm && \
    rpm -i /rpms/*.rpm && \
    rm -rf /rpms && \
    mkdir -p /data/db && \
    chown -R 1000:1000 /data/

HEALTHCHECK NONE

USER 1000

ENTRYPOINT ["mongod"]

Note the use of the --nodocs option here:

dnf update -y --nodocs

This is best practice to avoid downloading documentation files that aren't needed in a container.

Also note that you can use docker to query an existing Iron Bank base image to see what packages are already installed in it. For example, to generate an alphabetical list of installed packages in the ironbank/redhat/ubi/ubi9:9.3 image:

docker run --rm -it registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3 rpm -qa | sort

You can also query the upstream image in a similar manner to determine whether or not a specific package is available for installation. For example, to search for libxml2 in the ubi9:9.3 upstream:

docker run --rm -it registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3 dnf search libxml2
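
Building on the rpm -qa query above, this added example (not part of the original tutorial or of Iron Bank tooling) works out which packages the base image lacks, so the dnf install line in your Dockerfile lists only what is actually needed. The function names are hypothetical, the demo runs on a constructed package list, and list_installed assumes you can pull from registry1.dso.mil.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Iron Bank tooling).
IMAGE="registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3"

# Print installed package names, one per line. --qf '%{NAME}\n' drops the
# version/arch suffix; omitting -t avoids the CRs a TTY appends to each line.
list_installed() {
    docker run --rm "$IMAGE" rpm -qa --qf '%{NAME}\n'
}

# missing_packages FILE PKG...: print each PKG not listed in FILE.
# -F -x matches whole lines literally, so "lib" never matches "libxml2".
missing_packages() {
    installed_file=$1
    shift
    for pkg in "$@"; do
        # Strip CRs in case the list was captured with `docker run -it`.
        if ! tr -d '\r' < "$installed_file" | grep -Fxq -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# dnf_install_line FILE PKG...: print the dnf line for the missing packages,
# or nothing when the base image already has them all.
dnf_install_line() {
    missing=$(missing_packages "$@" | sort | tr '\n' ' ')
    [ -z "$missing" ] || printf 'dnf -y install --nodocs %s\n' "${missing% }"
}

# Demo on a constructed package list (not real image output); the CRs mimic
# a list captured through a TTY.
demo() {
    list=$(mktemp)
    printf 'bash\r\nlibxml2\r\npolicycoreutils\r\nrpm\r\n' > "$list"
    dnf_install_line "$list" cyrus-sasl-plain policycoreutils cyrus-sasl-gssapi
    rm -f "$list"
}
demo
```

Against a real image, run list_installed > installed.txt once and pass that file to dnf_install_line together with the packages your application needs.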