chore: Remove ARM workaround and restore in-container bundle extraction

davdhacs · claude · davdhacs · commit d9cdc31e8c14 · 2026-02-04T23:03:12.000-07:00
Remove the temporary workaround that extracted bundles on the host to
avoid QEMU tar issues. Restore the standard in-container bundle
extraction approach in non-Konflux Dockerfiles while keeping UBI9.

Changes:
- Remove "Extract bundles on host" step from CI workflow
- Restore extracted_bundle Docker stage in all non-Konflux Dockerfiles
- Keep UBI9 base images (ubi9-minimal, ubi9)

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -396,16 +396,6 @@ jobs:
           name: scanner-db-bundle
           path: image/db/rhel
 
-      # Extract bundles on the host to avoid tar issues under QEMU emulation for arm64
-      - name: Extract bundles on host
-        run: |
-          # Extract scanner bundle
-          mkdir -p image/scanner/rhel/bundle
-          tar -xzf image/scanner/rhel/bundle.tar.gz -C image/scanner/rhel/bundle
-          # Extract scanner-db bundle
-          mkdir -p image/db/rhel/bundle
-          tar -xzf image/db/rhel/bundle.tar.gz -C image/db/rhel/bundle
-
       - name: Build scanner image
         run: |
           docker buildx build --platform "${{ matrix.goos }}/${{ matrix.goarch }}" --load -t stackrox/scanner:"$(make --no-print-directory --quiet tag)" $(make GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} image-build-args) -f image/scanner/rhel/Dockerfile image/scanner/rhel
diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile
@@ -6,8 +6,11 @@ ARG BASE_REGISTRY=registry.access.redhat.com
 ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
-# Bundle is pre-extracted on the host to avoid tar issues under QEMU emulation.
-# The bundle/ directory should contain: etc/, docker-entrypoint-initdb.d/
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle
+COPY bundle.tar.gz /
+
+WORKDIR /bundle
+RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz
 
 FROM ${RPMS_REGISTRY}/${RPMS_BASE_IMAGE}:${RPMS_BASE_TAG} AS postgres_rpms
 
@@ -35,7 +38,7 @@ ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/" \
 
 COPY signatures/PGDG-RPM-GPG-KEY-RHEL /
 COPY scripts/docker-entrypoint.sh /usr/local/bin/
-COPY bundle/etc/postgresql.conf bundle/etc/pg_hba.conf /etc/
+COPY --from=extracted_bundle /bundle/etc/postgresql.conf /bundle/etc/pg_hba.conf /etc/
 COPY --from=postgres_rpms /rpms/postgres.rpm /rpms/postgres-libs.rpm /rpms/postgres-server.rpm /rpms/postgres-contrib.rpm /tmp/
 
 RUN microdnf upgrade -y --nobest && \
@@ -75,7 +78,7 @@ RUN microdnf upgrade -y --nobest && \
 # This is equivalent to postgres:postgres.
 USER 70:70
 
-COPY bundle/docker-entrypoint-initdb.d/definitions.sql.gz /docker-entrypoint-initdb.d/
+COPY --from=extracted_bundle /bundle/docker-entrypoint-initdb.d/definitions.sql.gz /docker-entrypoint-initdb.d/
 
 ENTRYPOINT ["docker-entrypoint.sh"]
 
diff --git a/image/db/rhel/Dockerfile.slim b/image/db/rhel/Dockerfile.slim
@@ -6,8 +6,11 @@ ARG BASE_REGISTRY=registry.access.redhat.com
 ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
-# Bundle is pre-extracted on the host to avoid tar issues under QEMU emulation.
-# The bundle/ directory should contain: etc/
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle
+COPY bundle.tar.gz /
+
+WORKDIR /bundle
+RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz
 
 FROM ${RPMS_REGISTRY}/${RPMS_BASE_IMAGE}:${RPMS_BASE_TAG} AS postgres_rpms
 
@@ -35,7 +38,7 @@ ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/" \
 
 COPY signatures/PGDG-RPM-GPG-KEY-RHEL /
 COPY scripts/docker-entrypoint.sh /usr/local/bin/
-COPY bundle/etc/postgresql.conf bundle/etc/pg_hba.conf /etc/
+COPY --from=extracted_bundle /bundle/etc/postgresql.conf /bundle/etc/pg_hba.conf /etc/
 COPY --from=postgres_rpms /rpms/postgres.rpm /rpms/postgres-libs.rpm /rpms/postgres-server.rpm /rpms/postgres-contrib.rpm /tmp/
 
 RUN microdnf upgrade -y --nobest && \
diff --git a/image/scanner/rhel/Dockerfile b/image/scanner/rhel/Dockerfile
@@ -2,8 +2,11 @@ ARG BASE_REGISTRY=registry.access.redhat.com
 ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
-# Bundle is pre-extracted on the host to avoid tar issues under QEMU emulation.
-# The bundle/ directory should contain: scanner, THIRD_PARTY_NOTICES/, nvd_definitions/, etc.
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle
+
+COPY bundle.tar.gz /
+WORKDIR /bundle
+RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS base
 
@@ -24,9 +27,9 @@ SHELL ["/bin/sh", "-o", "pipefail", "-c"]
 
 COPY scripts /
 
-COPY bundle/scanner ./
+COPY --from=extracted_bundle /bundle/scanner ./
 
-COPY bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
+COPY --from=extracted_bundle /bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
 
 RUN microdnf upgrade -y --nobest && \
     microdnf install -y xz && \
@@ -48,11 +51,11 @@ ENV K8S_DEFINITIONS_DIR="/k8s_definitions"
 ENV ISTIO_DEFINITIONS_DIR="/istio_definitions"
 ENV REPO_TO_CPE_DIR="/repo2cpe"
 
-COPY --chown=65534:65534 "bundle${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/"
-COPY --chown=65534:65534 "bundle${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/"
-COPY --chown=65534:65534 "bundle${ISTIO_DEFINITIONS_DIR}/" ".${ISTIO_DEFINITIONS_DIR}/"
-COPY --chown=65534:65534 "bundle${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
-COPY --chown=65534:65534 bundle/genesis_manifests.json ./
+COPY --chown=65534:65534 --from=extracted_bundle "/bundle${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/"
+COPY --chown=65534:65534 --from=extracted_bundle "/bundle${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/"
+COPY --chown=65534:65534 --from=extracted_bundle "/bundle${ISTIO_DEFINITIONS_DIR}/" ".${ISTIO_DEFINITIONS_DIR}/"
+COPY --chown=65534:65534 --from=extracted_bundle "/bundle${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
+COPY --chown=65534:65534 --from=extracted_bundle /bundle/genesis_manifests.json ./
 
 # This is equivalent to nobody:nobody.
 USER 65534:65534
diff --git a/image/scanner/rhel/Dockerfile.slim b/image/scanner/rhel/Dockerfile.slim
@@ -2,8 +2,11 @@ ARG BASE_REGISTRY=registry.access.redhat.com
 ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
-# Bundle is pre-extracted on the host to avoid tar issues under QEMU emulation.
-# The bundle/ directory should contain: scanner, THIRD_PARTY_NOTICES/, repo2cpe/
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle
+
+COPY bundle.tar.gz /
+WORKDIR /bundle
+RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS base
 
@@ -24,9 +27,9 @@ SHELL ["/bin/sh", "-o", "pipefail", "-c"]
 
 COPY scripts /
 
-COPY bundle/scanner ./
+COPY --from=extracted_bundle /bundle/scanner ./
 
-COPY bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
+COPY --from=extracted_bundle /bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
 
 RUN microdnf upgrade -y --nobest && \
     microdnf install -y xz && \
@@ -45,8 +48,8 @@ RUN microdnf upgrade -y --nobest && \
 
 ENV REPO_TO_CPE_DIR="/repo2cpe"
 
-COPY --chown=65534:65534 "bundle${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
-COPY --chown=65534:65534 bundle/genesis_manifests.json ./
+COPY --chown=65534:65534 --from=extracted_bundle "/bundle${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
+COPY --chown=65534:65534 --from=extracted_bundle /bundle/genesis_manifests.json ./
 
 # This is equivalent to nobody:nobody.
 USER 65534:65534
