
docker: add ubi images for redhat certification #5993

Open
josedev-union wants to merge 4 commits into opensearch-project:main from josedev-union:add-ubi-images

Conversation

@josedev-union

Description

This PR adds UBI-based Dockerfiles.

Issues Resolved

closes #3625

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: josedev-union <josebarato321@gmail.com>
@coderabbitai

coderabbitai bot commented Feb 18, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Adds two new Red Hat UBI 10-based Dockerfiles for OpenSearch and OpenSearch Dashboards. Both use multi-stage builds with explicit OpenShift UID/GID compatibility, dynamic version handling with fallbacks, group-writable permissions, and entrypoint scripts configured for arbitrary UID execution without setting a USER directive.

Changes

Cohort / File(s): OpenShift-Compatible Dockerfiles (docker/release/dockerfiles/opensearch.ubi8.dockerfile, docker/release/dockerfiles/opensearch-dashboards.ubi8.dockerfile)
Summary: Two-stage Dockerfiles for OpenSearch and OpenSearch Dashboards with UBI 10 base images. Implement dynamic version handling, conditional plugin configuration, explicit group-writable permissions for OpenShift (GID 0), version-specific entrypoint/config fallbacks, environment variable setup (JAVA_HOME, LD_LIBRARY_PATH, PATH), metadata labels, and entrypoint scripts configured for arbitrary UID execution without USER directives.

Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks: 5 passed

Title check: ✅ Passed. The title 'docker: add ubi images for redhat certification' clearly summarizes the main change: adding UBI-based Docker images.
Description check: ✅ Passed. The description is related to the changeset, mentioning the addition of UBI-based Dockerfiles and referencing the relevant issue #3625.
Linked Issues check: ✅ Passed. The PR implements two Dockerfiles (OpenSearch and OpenSearch Dashboards) with explicit OpenShift/arbitrary UID compatibility through group-writable permissions, addressing issue #3625's requirement for non-UID-1000 execution.
Out of Scope Changes check: ✅ Passed. All changes are in-scope Dockerfiles created to address the linked issue about supporting non-root user execution through UBI images.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 6

🧹 Nitpick comments (7)
docker/release/dockerfiles/opensearch.ubi8.dockerfile (4)

47-47: [[ ]] is bash-specific — verify /bin/sh is bash in UBI 10 minimal.

Docker RUN executes commands via /bin/sh -c. On RHEL-based images /bin/sh is typically bash, so [[ -d ... ]] works in practice. However, if UBI 10 minimal ever switches to a POSIX-only shell, this will break. Using [ -d ... ] is a safer, portable alternative.

Portable alternative
-    if [[ -d $SECURITY_PLUGIN_DIR ]] ; then chmod -v 750 $SECURITY_PLUGIN_DIR/tools/* && chgrp -R 0 $SECURITY_PLUGIN_DIR/tools/* && chmod -R g+rwX $SECURITY_PLUGIN_DIR/tools/* ; fi && \
-    if [[ -d $PERFORMANCE_ANALYZER_PLUGIN_CONFIG_DIR ]] ; then cp -v $TEMP_DIR/performance-analyzer.properties $PERFORMANCE_ANALYZER_PLUGIN_CONFIG_DIR; fi && \
+    if [ -d "$SECURITY_PLUGIN_DIR" ] ; then chmod -v 750 $SECURITY_PLUGIN_DIR/tools/* && chgrp -R 0 $SECURITY_PLUGIN_DIR/tools/* && chmod -R g+rwX $SECURITY_PLUGIN_DIR/tools/* ; fi && \
+    if [ -d "$PERFORMANCE_ANALYZER_PLUGIN_CONFIG_DIR" ] ; then cp -v $TEMP_DIR/performance-analyzer.properties $PERFORMANCE_ANALYZER_PLUGIN_CONFIG_DIR; fi && \
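Review bot: on the SECURITY_PLUGIN_DIR line, `chmod -v 750 $SECURITY_PLUGIN_DIR/tools/*` is widened on the same line by `chmod -R g+rwX $SECURITY_PLUGIN_DIR/tools/*`, so the tools end up at 770 rather than the 750 the first command suggests; if group write on the security tooling is intended for the arbitrary-UID case, state the final mode once (for example `chmod -R 770`), otherwise drop the `w`. The quoting added to the `[ -d "$SECURITY_PLUGIN_DIR" ]` test should also be applied to the path prefix of the chmod/chgrp arguments (`"$SECURITY_PLUGIN_DIR"/tools/*`).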
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker/release/dockerfiles/opensearch.ubi8.dockerfile` at line 47, The
conditional uses bash-specific [[ ]] which may break under /bin/sh; replace the
test in the RUN line that references SECURITY_PLUGIN_DIR to use the POSIX test [
-d "$SECURITY_PLUGIN_DIR" ] (note the single brackets and quoted variable) while
keeping the existing chmod/chgrp/chmod -R g+rwX sequence and overall command
chaining intact so behavior and exit codes remain the same.

78-84: Redundant permission operations — find commands duplicate chmod -R g+rwX.

chmod -R g+rwX (line 82) already grants g+x on directories and g+r on files (the uppercase X sets execute only on directories and files already executable). Lines 83–84 (find … -type d -exec chmod g+x and find … -type f -exec chmod g+r) are therefore no-ops and add two full filesystem traversals to the build.

Simplification
 RUN chgrp -R 0 $OPENSEARCH_HOME && \
-    chmod -R g+rwX $OPENSEARCH_HOME && \
-    find $OPENSEARCH_HOME -type d -exec chmod g+x {} + && \
-    find $OPENSEARCH_HOME -type f -exec chmod g+r {} +
+    chmod -R g+rwX $OPENSEARCH_HOME
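Review bot: the simplification is sound (uppercase X sets group execute only on directories and on files that already carry an execute bit, so the two `find` passes add nothing), but the retained `chmod -R g+rwX $OPENSEARCH_HOME` still makes every file under $OPENSEARCH_HOME group-writable, including the bundled JDK that JAVA_HOME points at (`$OPENSEARCH_HOME/jdk`). Arbitrary-UID execution only needs group write on the paths the process modifies at runtime; consider `g+rX` for the whole tree and `g+w` only where writes actually happen.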
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker/release/dockerfiles/opensearch.ubi8.dockerfile` around lines 78 - 84,
The Dockerfile RUN block that sets permissions for $OPENSEARCH_HOME is
performing redundant filesystem traversals: the existing chmod -R g+rwX
$OPENSEARCH_HOME already grants group read on files and group execute on
directories via the capital X, so the subsequent find $OPENSEARCH_HOME -type d
-exec chmod g+x {} + and find $OPENSEARCH_HOME -type f -exec chmod g+r {} + are
unnecessary; remove those two find ... -exec lines and keep the chgrp -R 0
$OPENSEARCH_HOME && chmod -R g+rwX $OPENSEARCH_HOME sequence in the RUN command
to achieve the same effect with a single traversal.

97-105: Permissions are re-applied three times in Stage 1 — consolidate into a single pass.

Ownership/permissions are set on lines 81–84 after COPY --chown, then again on lines 104–105 after the one-time setup, and the entrypoint gets chmod g+x a third time on line 130. Each chgrp -R 0 + chmod -R g+rwX is a full recursive traversal. Consider consolidating: run the one-time setup first, then do a single permission-fixing pass afterward (and drop line 130 since g+rwX already covers it).

Consolidated approach
 COPY --from=linux_stage_0 --chown=root:0 $OPENSEARCH_HOME $OPENSEARCH_HOME
 WORKDIR $OPENSEARCH_HOME

-# Set group-writable permissions for OpenShift compatibility
-RUN chgrp -R 0 $OPENSEARCH_HOME && \
-    chmod -R g+rwX $OPENSEARCH_HOME && \
-    find $OPENSEARCH_HOME -type d -exec chmod g+x {} + && \
-    find $OPENSEARCH_HOME -type f -exec chmod g+r {} +
-
 # Set $JAVA_HOME
-RUN echo "export JAVA_HOME=$OPENSEARCH_HOME/jdk" >> /etc/profile.d/java_home.sh && \
-    echo "export PATH=\$PATH:\$JAVA_HOME/bin" >> /etc/profile.d/java_home.sh && \
-    ls -l $OPENSEARCH_HOME
+RUN ls -l $OPENSEARCH_HOME

 ENV JAVA_HOME=$OPENSEARCH_HOME/jdk
 ENV PATH=$PATH:$JAVA_HOME/bin:$OPENSEARCH_HOME/bin
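Review bot: the one `RUN` left in this block, `RUN ls -l $OPENSEARCH_HOME`, spends an image layer on a listing that is only useful in the build log; drop it or fold it into the setup `RUN` below. Note also that this hunk quietly removes the `/etc/profile.d/java_home.sh` lines that are the subject of the separate 86-89 nitpick, so the two suggestions should be applied as one change rather than one after the other.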
@@ ...
 ARG DISABLE_INSTALL_DEMO_CONFIG=true
 ARG DISABLE_SECURITY_PLUGIN=false
 RUN ./opensearch-onetime-setup.sh && \
     chgrp -R 0 $OPENSEARCH_HOME && \
     chmod -R g+rwX $OPENSEARCH_HOME
 
-# Ensure the entrypoint script is executable by any UID
-RUN chmod g+x $OPENSEARCH_HOME/opensearch-docker-entrypoint.sh
-
 ENTRYPOINT ["./opensearch-docker-entrypoint.sh"]
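Review bot: removing `RUN chmod g+x $OPENSEARCH_HOME/opensearch-docker-entrypoint.sh` is only safe if the script already has an execute bit for some class when the recursive `chmod -R g+rwX` runs: uppercase X skips files with no execute bit at all, so an entrypoint that was copied into the build context without mode 0755 and then `cp -v`'d into place would leave `ENTRYPOINT ["./opensearch-docker-entrypoint.sh"]` non-executable. Either keep an explicit `chmod 0750` (or `g+x`) on that one file after the setup, or set the bit before the recursive pass.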

Also applies to: 129-130

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker/release/dockerfiles/opensearch.ubi8.dockerfile` around lines 97 - 105,
The Dockerfile currently repeats recursive permission fixes (chgrp -R 0
$OPENSEARCH_HOME and chmod -R g+rwX $OPENSEARCH_HOME) multiple times around the
COPY --chown step, the RUN ./opensearch-onetime-setup.sh step, and again in the
entrypoint chmod g+x; consolidate by running the one-time setup
(opensearch-onetime-setup.sh) before any final ownership/permission adjustments,
then perform a single chgrp -R 0 $OPENSEARCH_HOME && chmod -R g+rwX
$OPENSEARCH_HOME pass and remove the earlier and later redundant permission
commands (including the entrypoint chmod g+x) so only one recursive traversal
occurs.

86-89: /etc/profile.d/java_home.sh is effectively dead code in a container.

/etc/profile.d scripts are only sourced by login shells. Docker ENTRYPOINT/CMD invocations don't use a login shell, so these exports are never applied. The ENV directives on lines 91–92 are what actually set JAVA_HOME and PATH for the container process — the profile.d snippet can be removed.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker/release/dockerfiles/opensearch.ubi8.dockerfile` around lines 86 - 89,
Remove the RUN block that writes to /etc/profile.d/java_home.sh and the ls -l
$OPENSEARCH_HOME step because profile.d scripts aren't sourced for container
processes; instead rely on the existing ENV directives that set JAVA_HOME and
PATH (the ENV for JAVA_HOME and PATH present later in this Dockerfile) to expose
the environment to the container runtime.
docker/release/dockerfiles/opensearch-dashboards.ubi8.dockerfile (3)

82-88: Same redundant find commands as the OpenSearch Dockerfile.

chmod -R g+rwX on line 86 already covers what lines 87–88 do. See the comment on the OpenSearch Dockerfile for details.

Simplification
 RUN chgrp -R 0 $OPENSEARCH_DASHBOARDS_HOME && \
-    chmod -R g+rwX $OPENSEARCH_DASHBOARDS_HOME && \
-    find $OPENSEARCH_DASHBOARDS_HOME -type d -exec chmod g+x {} + && \
-    find $OPENSEARCH_DASHBOARDS_HOME -type f -exec chmod g+r {} +
+    chmod -R g+rwX $OPENSEARCH_DASHBOARDS_HOME
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker/release/dockerfiles/opensearch-dashboards.ubi8.dockerfile` around
lines 82 - 88, The RUN block setting group-writable permissions is redundant:
keep the chgrp -R 0 $OPENSEARCH_DASHBOARDS_HOME && chmod -R g+rwX
$OPENSEARCH_DASHBOARDS_HOME and remove the extra find commands that reapply
directory execute and file read bits (the two find ... -exec chmod ... lines),
since chmod -R g+rwX on $OPENSEARCH_DASHBOARDS_HOME already grants group execute
on directories and group read on files; update the RUN invocation to only use
chgrp -R 0 and chmod -R g+rwX on $OPENSEARCH_DASHBOARDS_HOME.

115-116: Redundant chmod g+x — already covered by chmod -R g+rwX on line 86.

This can be dropped.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker/release/dockerfiles/opensearch-dashboards.ubi8.dockerfile` around
lines 115 - 116, Remove the redundant RUN chmod g+x
$OPENSEARCH_DASHBOARDS_HOME/opensearch-dashboards-docker-entrypoint.sh line; the
entrypoint already gets execute permissions from the earlier chmod -R g+rwX
call, so delete the explicit chmod invocation referencing
OPENSEARCH_DASHBOARDS_HOME/opensearch-dashboards-docker-entrypoint.sh to avoid
duplication.

58-72: Consider using microdnf consistently instead of installing dnf as a runtime dependency.

Stage 1 installs dnf via microdnf (line 62), then uses dnf on line 70 for font packages. microdnf can install those same packages directly, avoiding the overhead of pulling in the full dnf dependency tree. This applies to the OpenSearch Dockerfile as well.

Additionally, silencing font package errors with 2>/dev/null || true (line 71) is pragmatic but could mask real failures (e.g., repo connectivity issues). Consider logging a warning instead of fully suppressing stderr.

Proposed simplification
 RUN microdnf update -y && \
-    microdnf install -y tar gzip which dnf && \
+    microdnf install -y tar gzip which && \
     microdnf clean all

-RUN dnf install -y nss fontconfig freetype && \
-    (dnf install -y xorg-x11-fonts-Type1 xorg-x11-fonts-misc 2>/dev/null || true) && \
-    dnf clean all
+RUN microdnf install -y nss fontconfig freetype && \
+    (microdnf install -y xorg-x11-fonts-Type1 xorg-x11-fonts-misc 2>/dev/null || echo "WARNING: Some optional font packages not available") && \
+    microdnf clean all
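Review bot: in the second `RUN`, the suggested `|| echo "WARNING: ..."` still sits behind `2>/dev/null`, so microdnf's own error text is discarded and the warning goes to stdout; drop the redirection (and send the echo to `>&2`) so repository or connectivity failures stay visible in the build log, which is what the prompt text for this finding asks for. Separately, `microdnf update -y` in the first `RUN` ties the image content to repository state at build time, which matters for a certification image that is expected to be rebuildable.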
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker/release/dockerfiles/opensearch-dashboards.ubi8.dockerfile` around
lines 58 - 72, Replace the runtime use of dnf with microdnf and stop installing
dnf as a dependency: change the RUN that installs font packages to use microdnf
(install nss fontconfig freetype and xorg-x11-fonts-Type1 xorg-x11-fonts-misc
via microdnf) instead of calling dnf; remove the separate dnf installation. For
the fallback install of xorg fonts, avoid silencing stderr with "2>/dev/null ||
true" — instead check the command exit status and emit a clear warning (e.g.,
via echo to stderr) if microdnf fails so repository/connectivity errors aren’t
masked; keep the final microdnf clean all call to reduce image size.
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 8c5c801 and fb354f3.

📒 Files selected for processing (2)
  • docker/release/dockerfiles/opensearch-dashboards.ubi8.dockerfile
  • docker/release/dockerfiles/opensearch.ubi8.dockerfile
🧰 Additional context used
🪛 Trivy (0.69.1)
docker/release/dockerfiles/opensearch-dashboards.ubi8.dockerfile

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002 (IaC/Dockerfile)

docker/release/dockerfiles/opensearch.ubi8.dockerfile

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002 (IaC/Dockerfile)

🔇 Additional comments (3)
docker/release/dockerfiles/opensearch.ubi8.dockerfile (1)

107-108: Trivy DS-0002 (no USER directive) is an intentional design choice here — acknowledged.

The static analysis flag is a false positive in this context. Omitting USER is the standard pattern for OpenShift arbitrary-UID images where the runtime UID is injected by the platform. The comments clearly document the rationale.

docker/release/dockerfiles/opensearch-dashboards.ubi8.dockerfile (2)

103-113: LGTM — labels and metadata look correct.

The label schema follows the same conventions as the OpenSearch Dockerfile. VERSION, BUILD_DATE, and NOTES are properly parameterized via ARGs.


118-120: LGTM — entrypoint and CMD follow established conventions.

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docker/release/dockerfiles/opensearch-dashboards.ubi8.dockerfile`:
- Line 15: The Dockerfile opensearch-dashboards.ubi8.dockerfile incorrectly uses
the UBI10 base image string "registry.access.redhat.com/ubi10-minimal:10.1"
while the filename/label still say "ubi8"; rename the file to use "ubi10" in its
name (e.g., opensearch-dashboards.ubi10.dockerfile) and update the Dockerfile
LABEL that records the UBI version to reflect ubi10 (also update the other
identical occurrence noted in the file) so the filename, base image and labels
consistently indicate UBI10.
- Around line 36-43: The current logic computing MAJOR_VERSION_ENTRYPOINT and
MAJOR_VERSION_YML uses grep "$MAJOR..." which matches empty VERSION and prevents
the fallback to "default"; update the two conditional lines that set
MAJOR_VERSION_ENTRYPOINT and MAJOR_VERSION_YML so they first ensure the major
variables are non-empty before grepping (for example: change the if to check [
-n "$MAJOR_VERSION_ENTRYPOINT" ] && ls $TEMP_DIR | grep -E
"opensearch-dashboards-docker-entrypoint-.*.x.sh" | grep -q
"$MAJOR_VERSION_ENTRYPOINT" && ...; otherwise set
MAJOR_VERSION_ENTRYPOINT="default", and do the same pattern for
MAJOR_VERSION_YML), keeping the subsequent cp commands that use
MAJOR_VERSION_ENTRYPOINT and MAJOR_VERSION_YML unchanged.
- Line 44: Remove the unconditional copy of example certificates so the
production image does not ship self‑signed certs: delete or stop using the cp of
"$TEMP_DIR/opensearch.example.org.*" into "$OPENSEARCH_DASHBOARDS_HOME/config/"
(the glob "opensearch.example.org.*") and instead require certificates be
provided at runtime via a mounted volume or loader in the entrypoint (or gate
the copy behind an explicit opt‑in env var like INCLUDE_EXAMPLE_CERTS). Update
Dockerfile logic around TEMP_DIR and OPENSEARCH_DASHBOARDS_HOME/config to no
longer add the example cert files and add documentation/entrypoint checks
explaining how to mount/provide real certs.

In `@docker/release/dockerfiles/opensearch.ubi8.dockerfile`:
- Around line 40-56: The build silently misroutes when VERSION is empty because
MAJOR_VERSION_ENTRYPOINT=`echo $VERSION | cut -d. -f1` yields empty and the grep
check matches everything; fix by explicitly validating
VERSION/MAJOR_VERSION_ENTRYPOINT before using it: after computing
MAJOR_VERSION_ENTRYPOINT (from VERSION), check if it is non-empty (e.g., test -n
"$MAJOR_VERSION_ENTRYPOINT") and only run the grep-based selection when
non-empty, otherwise set MAJOR_VERSION_ENTRYPOINT="default"; ensure the
subsequent cp of opensearch-docker-entrypoint-$MAJOR_VERSION_ENTRYPOINT.x.sh
uses the validated MAJOR_VERSION_ENTRYPOINT so a missing or empty VERSION falls
back to "default" instead of attempting to copy
opensearch-docker-entrypoint-.x.sh.
- Line 16: The filename and DOCKERFILE label are inconsistent with the base
image: rename the file from opensearch.ubi8.dockerfile to
opensearch.ubi10.dockerfile and update the DOCKERFILE label (the label value
currently on line ~127) to "opensearch.ubi10.dockerfile" so it matches the FROM
statement "registry.access.redhat.com/ubi10-minimal:10.1"; ensure any references
or comments inside the Dockerfile that mention "ubi8" are changed to "ubi10" as
well.
- Around line 65-70: Remove the unnecessary runtime packages from Stage 1: edit
the RUN line that currently does "microdnf install -y tar gzip which dnf" and
remove tar, gzip, which, and dnf so the stage only performs the microdnf
update/clean (or installs only truly required runtime packages); also update the
comment above the RUN to reflect that the builder stage handles tarball
extraction and that securityadmin.sh/install_demo_configuration.sh do not
require these tools so they are omitted to reduce image size.
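The two points the review above keeps returning to, the major-version fallback and what `chmod -R g+rwX` does and does not grant to group 0, as an added POSIX sh example. This is not code from the PR or from the opensearch-build project; the `opensearch-docker-entrypoint-<major>.x.sh` naming is taken from the Dockerfile, the sample tree and its modes are constructed here, and the file test replaces the PR's `ls | grep` chain.

```shell
#!/bin/sh
# Added example, not part of the PR or of opensearch-build. Runs under plain
# /bin/sh, as a Dockerfile RUN line does.

# 1. Entrypoint selection by major version with an explicit fallback.
#    The PR's `ls $TEMP_DIR | grep -E ... | grep $MAJOR` chain matches the
#    major as a substring anywhere in a filename and depends on how grep is
#    invoked when VERSION is empty. A direct file test is exact: a missing or
#    empty VERSION, or a major with no matching script, yields "default".
select_entrypoint_major() {
    version="$1"   # e.g. "2.11.0", or "" when the build ARG was not set
    temp_dir="$2"  # directory holding opensearch-docker-entrypoint-<major>.x.sh
    major="${version%%.*}"
    if [ -n "$major" ] && [ -f "$temp_dir/opensearch-docker-entrypoint-$major.x.sh" ]; then
        echo "$major"
    else
        echo "default"
    fi
}

# 2. What an arbitrary UID in GID 0 needs from the tree: every directory
#    group-traversable, every file group-readable. Returns how many entries
#    fall short; a value of 0 after `chmod -R g+rwX` is what the review
#    relies on when it calls the extra `find ... chmod g+x/g+r` passes
#    redundant. Octal masks keep this portable (-010 = g+x, -040 = g+r).
count_group_inaccessible() {
    root="$1"
    {
        find "$root" -type d ! -perm -010
        find "$root" -type f ! -perm -040
    } | wc -l | tr -d ' '
}

# Builds a constructed mini OpenSearch home, locks it down to the owner, runs
# the same `chmod -R g+rwX` the Dockerfile uses and reports four numbers:
#   inaccessible-before inaccessible-after entrypoint-has-g+x yml-has-g+x
# The last two show the X semantics: the entrypoint (already u+x) gains
# group execute, the plain opensearch.yml (no execute bit) does not.
demo_group_perms() {
    work=$(mktemp -d)
    mkdir -p "$work/config" "$work/jdk/bin"
    printf 'cluster.name: demo\n' > "$work/config/opensearch.yml"
    printf '#!/bin/sh\nexec true\n' > "$work/opensearch-docker-entrypoint.sh"
    chmod 700 "$work" "$work/config" "$work/jdk" "$work/jdk/bin"
    chmod 600 "$work/config/opensearch.yml"
    chmod 700 "$work/opensearch-docker-entrypoint.sh"

    before=$(count_group_inaccessible "$work")   # 4 dirs + 2 files = 6
    chmod -R g+rwX "$work"
    after=$(count_group_inaccessible "$work")    # 0
    script_gx=$(find "$work" -name opensearch-docker-entrypoint.sh -perm -010 | wc -l | tr -d ' ')
    yml_gx=$(find "$work" -name opensearch.yml -perm -010 | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$before $after $script_gx $yml_gx"   # prints "6 0 1 0"
}
```

Source the file and call `demo_group_perms`, or use `select_entrypoint_major "$VERSION" "$TEMP_DIR"` inside the RUN line in place of the grep chain.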


Signed-off-by: josedev-union <josebarato321@gmail.com>
Signed-off-by: josedev-union <josebarato321@gmail.com>
@peterzhuamazon
Member

peterzhuamazon commented Feb 18, 2026

Hi @josedev-union
Thanks for the PR.
However, I don't particularly understand this requirement well enough, nor do I think there is a plan defined to release this image as an official distribution.

If this is related to the k8s operator then maybe the dockerfile can live in that repository (so the k8s operator maintainer can properly maintain it) and we can discuss potentially releasing this either on GitHub package or some other space.

This build repo in particular is hosting the build scripts for releases on https://opensearch.org/downloads/ only for now.

Thanks.

@josedev-union
Author

josedev-union commented Feb 19, 2026

> Hi @josedev-union Thanks for the PR. However, I don't particularly understand this requirement well enough, nor do I think there is a plan defined to release this image as an official distribution.
>
> If this is related to the k8s operator then maybe the dockerfile can live in that repository (so the k8s operator maintainer can properly maintain it) and we can discuss potentially releasing this either on GitHub package or some other space.
>
> This build repo in particular is hosting the build scripts for releases on https://opensearch.org/downloads/ only for now.
>
> Thanks.

Hi @peterzhuamazon, yeah, the final goal is still to get the operator certified by Red Hat.
That said, I believe this PR is reasonable. The Dockerfile in question is for OpenSearch as the operand, not for the operator itself. Regardless of whether OpenSearch is deployed via the operator, we’ll still need a UBI-based image or at least an image that supports anyuid to run OpenSearch properly on an OpenShift cluster.
So this change seems aligned with our deployment requirements, independent of operator certification.
What are your thoughts on this?
cc @synhershko @prudhvigodithi

@github-actions
Contributor

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit ff77221.

Path: docker/release/dockerfiles/opensearch-dashboards.ubi10.dockerfile
Line: 94
Severity: low
Description: DOCKERFILE label references ubi8.dockerfile instead of ubi10.dockerfile - inconsistent metadata that could cause confusion but appears to be a copy-paste error rather than malicious intent

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 0 | Low: 1


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions
Contributor

github-actions bot commented Feb 24, 2026

PR Reviewer Guide 🔍

(Review updated until commit 3e1e0f3)

Here are some key observations to aid the review process:

🧪 No relevant tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ Recommended focus areas for review

Duplicate Package Installation

The microdnf install command is executed in both Stage 0 and Stage 1, installing the same packages (tar, gzip, which, dnf). Since Stage 1 copies from Stage 0, these tools may not be needed in Stage 1 unless they're required at runtime. Consider whether these packages are necessary in the final image or if they can be removed to reduce image size.

RUN microdnf update -y && \
    microdnf install -y tar gzip which dnf && \
    microdnf clean all
Duplicate Package Installation

Similar to the dashboards dockerfile, microdnf install is executed in both stages with identical packages (tar, gzip, which). Verify if these tools are needed at runtime in the final image or if they can be omitted to reduce image size.

RUN microdnf update -y && \
    microdnf install -y tar gzip which && \
    microdnf clean all
Redundant Permission Setting

Permissions are set with chgrp -R 0 and chmod -R g+rwX in Stage 0 (lines 44-45), then the same operations are repeated in Stage 1 (lines 72-73) after copying with --chown=root:0. The Stage 1 permission setting may be redundant since the copy already preserves ownership and permissions from Stage 0.

RUN chgrp -R 0 $OPENSEARCH_DASHBOARDS_HOME && \
    chmod -R g+rwX $OPENSEARCH_DASHBOARDS_HOME
Redundant Permission Setting

Similar redundancy exists here where permissions are set in Stage 0 (lines 50-51) and then repeated in Stage 1 (lines 73-74, 93-94) after copying with --chown=root:0. This duplication may be unnecessary.

RUN chgrp -R 0 $OPENSEARCH_HOME && \
    chmod -R g+rwX $OPENSEARCH_HOME

@github-actions
Contributor

github-actions bot commented Feb 24, 2026

PR Code Suggestions ✨

Latest suggestions up to 3e1e0f3
Explore these optional code suggestions:

Category: General
Use variable instead of hardcoded path

The hardcoded path /tmp/opensearch/opensearch-`uname -m`.tgz bypasses the $TEMP_DIR
variable defined earlier. This inconsistency could cause failures if $TEMP_DIR is
changed. Use the variable for consistency and maintainability.

docker/release/dockerfiles/opensearch.ubi10.dockerfile [40-43]

-RUN tar -xzpf /tmp/opensearch/opensearch-`uname -m`.tgz -C $OPENSEARCH_HOME --strip-components=1 && \
+RUN tar -xzpf $TEMP_DIR/opensearch-`uname -m`.tgz -C $OPENSEARCH_HOME --strip-components=1 && \
     MAJOR_VERSION_ENTRYPOINT=`echo $VERSION | cut -d. -f1` && \
     echo $MAJOR_VERSION_ENTRYPOINT && \
     if ! (ls $TEMP_DIR | grep -E "opensearch-docker-entrypoint-.*.x.sh" | grep $MAJOR_VERSION_ENTRYPOINT); then MAJOR_VERSION_ENTRYPOINT="default"; fi
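Review bot: the `$TEMP_DIR` change is fine, but the selection logic on the following lines is still a substring match: `ls $TEMP_DIR | grep -E ... | grep $MAJOR_VERSION_ENTRYPOINT` treats the major as an unanchored pattern (a major of `1` also matches a `...-10.x.sh` file) and, because the variable is unquoted, behaves differently for an empty VERSION than the quoted form would. A direct test such as `[ -n "$MAJOR_VERSION_ENTRYPOINT" ] && [ -f "$TEMP_DIR/opensearch-docker-entrypoint-$MAJOR_VERSION_ENTRYPOINT.x.sh" ]` is exact, quiet, and needs no `ls` parsing.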
Suggestion importance [1-10]: 7

Why: This is a valid consistency issue where /tmp/opensearch/opensearch-`uname -m`.tgz should use $TEMP_DIR instead. The hardcoded path creates maintainability problems and could cause failures if $TEMP_DIR is changed, making this a meaningful improvement.

Impact: Medium
Handle missing wildcard file matches

The cp commands with wildcard patterns (opensearch.example.org.*) may fail silently
if no matching files exist, potentially causing runtime issues. Add error handling
or validation to ensure required files are present before copying.

docker/release/dockerfiles/opensearch-dashboards.ubi10.dockerfile [34-42]

 RUN tar -xzpf $TEMP_DIR/opensearch-dashboards-`uname -m`.tgz -C $OPENSEARCH_DASHBOARDS_HOME --strip-components=1 && \
     MAJOR_VERSION_ENTRYPOINT=`echo $VERSION | cut -d. -f1` && \
     MAJOR_VERSION_YML=`echo $VERSION | cut -d. -f1` && \
     echo $MAJOR_VERSION_ENTRYPOINT && echo $MAJOR_VERSION_YML && \
     if ! (ls $TEMP_DIR | grep -E "opensearch-dashboards-docker-entrypoint-.*.x.sh" | grep $MAJOR_VERSION_ENTRYPOINT); then MAJOR_VERSION_ENTRYPOINT="default"; fi && \
     if ! (ls $TEMP_DIR | grep -E "opensearch_dashboards-.*.x.yml" | grep $MAJOR_VERSION_YML); then MAJOR_VERSION_YML="default"; fi && \
     cp -v $TEMP_DIR/opensearch-dashboards-docker-entrypoint-$MAJOR_VERSION_ENTRYPOINT.x.sh $OPENSEARCH_DASHBOARDS_HOME/opensearch-dashboards-docker-entrypoint.sh && \
     cp -v $TEMP_DIR/opensearch_dashboards-$MAJOR_VERSION_YML.x.yml $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml && \
-    cp -v $TEMP_DIR/opensearch.example.org.* $OPENSEARCH_DASHBOARDS_HOME/config/
+    (ls $TEMP_DIR/opensearch.example.org.* >/dev/null 2>&1 && cp -v $TEMP_DIR/opensearch.example.org.* $OPENSEARCH_DASHBOARDS_HOME/config/ || echo "Warning: No example cert files found")
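Review bot: the replacement `(ls ... && cp ... || echo "Warning: ...")` masks more than a missing file: with `a && b || c`, a failing `cp` (wrong permissions, full disk) also takes the `echo` branch and the subshell exits 0, so the build continues without the files. If the example certificates are optional, guard with an explicit `if ls ...; then cp ...; else echo ... >&2; fi` so that `cp` failures still fail the build; note too that the inline comment on line 44 argues for not copying the example certs into the image at all, which would remove the question.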
Suggestion importance [1-10]: 5

Why: The suggestion addresses a potential issue where wildcard file copying might fail silently. However, the improved code only adds a warning rather than preventing build failures, and the example certs may be optional. The impact is moderate as it improves error visibility.

Impact: Low

Previous suggestions

Suggestions up to commit ff77221
Category: General
Fix incorrect dockerfile reference in label

The DOCKERFILE label references opensearch-dashboards.ubi8.dockerfile but this is a
UBI10 dockerfile. This incorrect reference will mislead users about the actual
dockerfile location and could cause confusion during troubleshooting or reproduction
attempts.

docker/release/dockerfiles/opensearch-dashboards.ubi10.dockerfile [95]

 LABEL org.label-schema.schema-version="1.0" \
   org.label-schema.name="opensearch-dashboards" \
   org.label-schema.version="$VERSION" \
   org.label-schema.url="https://opensearch.org" \
   org.label-schema.vcs-url="https://github.com/opensearch-project/OpenSearch-Dashboards" \
   org.label-schema.license="Apache-2.0" \
   org.label-schema.vendor="OpenSearch" \
   org.label-schema.description="$NOTES" \
   org.label-schema.build-date="$BUILD_DATE" \
-  "DOCKERFILE"="https://github.com/opensearch-project/opensearch-build/blob/main/docker/release/dockerfiles/opensearch-dashboards.ubi8.dockerfile"
+  "DOCKERFILE"="https://github.com/opensearch-project/opensearch-build/blob/main/docker/release/dockerfiles/opensearch-dashboards.ubi10.dockerfile"
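Review bot: the fix is correct. One style point: `"DOCKERFILE"` is the only quoted key in this LABEL and the only one outside the `org.label-schema.*` namespace; unquoting it keeps the block consistent.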
Suggestion importance [1-10]: 9

Why: The DOCKERFILE label incorrectly references opensearch-dashboards.ubi8.dockerfile instead of opensearch-dashboards.ubi10.dockerfile. This is a critical metadata error that will mislead users about the actual dockerfile location and should be corrected.

Impact: High

Signed-off-by: josedev-union <josebarato321@gmail.com>
@github-actions
Contributor

Persistent review updated to latest commit 3e1e0f3

@josedev-union josedev-union requested a review from ibotty February 25, 2026 09:36
@josedev-union
Author

Can I request the review please?



Development

Successfully merging this pull request may close these issues.

[Enhancement] Running release docker image as non-opensearch(1000) user

3 participants