Create UBI minimal base image

.architectures-lib

@@ -12,14 +12,18 @@ _generateParentRepoToArches() {
 	local officialImagesUrl='https://github.com/docker-library/official-images/raw/master/library/'
 
 	eval "declare -g -A parentRepoToArches=( $(
-		find -name 'Dockerfile' -exec awk '
+		find . -name 'Dockerfile' -exec awk '
 				toupper($1) == "FROM" && $2 !~ /^('"$repo"'|scratch|.*\/.*)(:|$)/ {
 					print "'"$officialImagesUrl"'" $2
 				}
 			' '{}' + \
 			| sort -u \
 			| xargs bashbrew cat --format '[{{ .RepoName }}:{{ .TagName }}]="{{ join " " .TagEntry.Architectures }}"'
 	) )"
+	# could do, but returns arm64 rather than arm64v8
+	#readarray -t ubiarch < <(docker manifest inspect redhat/ubi9-minimal | jq  '.manifests[].platform.architecture')
+	local ubiarch=(amd64 arm64v8 s390x ppc64le)
+	parentRepoToArches[redhat/ubi9-minimal]=${ubiarch[@]//\"/}
 }
 _generateParentRepoToArches 'mariadb'
 

.test/run.sh

@@ -317,7 +317,8 @@ killoff
 		--silent \
 		-e "show create user")
 	# shellcheck disable=SC2016,SC2076
-	[[ "${createuser//\'/\`}" =~ 'CREATE USER `healthcheck`@`::1` IDENTIFIED' ]] || \
+	[[ "${createuser//\'/\`}" =~ 'CREATE USER `healthcheck`@`localhost` IDENTIFIED' ]] || \
+		[[ "${createuser//\'/\`}" =~ 'CREATE USER `healthcheck`@`::1` IDENTIFIED' ]] || \
 		[[ "${createuser//\'/\`}" =~ 'CREATE USER `healthcheck`@`127.0.0.1` IDENTIFIED' ]] || die "healthcheck wasn't created how I was expected"
 
 	grants="$(docker exec --user mysql -i \
@@ -326,7 +327,8 @@ killoff
 		--silent \
 		-e show\ grants)"
 
-	[[ "${grants//\'/\`}" =~ GRANT\ USAGE\ ON\ *.*\ TO\ \`healthcheck\`@\`::1\` ]] || \
+	[[ "${grants//\'/\`}" =~ GRANT\ USAGE\ ON\ *.*\ TO\ \`healthcheck\`@\`localhost\` ]] || \
+		[[ "${grants//\'/\`}" =~ GRANT\ USAGE\ ON\ *.*\ TO\ \`healthcheck\`@\`::1\` ]] || \
 		[[ "${grants//\'/\`}" =~ GRANT\ USAGE\ ON\ *.*\ TO\ \`healthcheck\`@\`127.0.0.1\` ]] || die "healthcheck wasn't granted what I was expected"
 	killoff
 
@@ -622,7 +624,7 @@ esac
 if [ -n "$debarch" ]
 then
 	echo -e "Test: jemalloc preload\n"
-	runandwait -e LD_PRELOAD="/usr/lib/$debarch-linux-gnu/libjemalloc.so.1 /usr/lib/$debarch-linux-gnu/libjemalloc.so.2" -e MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=1 "${image}"
+	runandwait -e LD_PRELOAD="/usr/lib/$debarch-linux-gnu/libjemalloc.so.1 /usr/lib/$debarch-linux-gnu/libjemalloc.so.2 /usr/lib64/libjemalloc.so.2" -e MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=1 "${image}"
 	docker exec -i "$cid" gosu mysql /bin/grep 'jemalloc' /proc/1/maps || die "expected to preload jemalloc"
 
 

10.11-ubi/Dockerfile

@@ -0,0 +1,106 @@
+FROM redhat/ubi9-minimal
+
+# user 999/ group 999, that we want to use for compatibility with the ubuntu image.
+RUN groupadd --gid 999 -r mysql && \
+	useradd -r -g mysql mysql --home-dir /var/lib/mysql --uid 999
+
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	rpmArch="$(rpm --query --queryformat='%{ARCH}' rpm)"; \
+	case "$rpmArch" in \
+		aarch64) dpkgArch='arm64' ;; \
+		armv7*) dpkgArch='armhf' ;; \
+		i686) dpkgArch='i386' ;; \
+		ppc64le) dpkgArch='ppc64el' ;; \
+		s390x|riscv64) dpkgArch=$rpmArch ;; \
+		x86_64) dpkgArch='amd64' ;; \
+		*) echo >&2 "error: unknown/unsupported architecture '$rpmArch'"; exit 1 ;; \
+	esac; \
+	curl --fail --location --output /usr/local/bin/gosu https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch} ; \
+	curl --fail --location --output /usr/local/bin/gosu.asc https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}.asc; \
+	GNUPGHOME="$(mktemp -d)"; \
+	export GNUPGHOME; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	chmod a+x /usr/local/bin/gosu; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	gosu --version; \
+	gosu nobody true
+
+COPY docker.cnf /etc/my.cnf.d/
+
+COPY MariaDB.repo /etc/yum.repos.d/
+
+# HasRequiredLabel requirement from Red Hat OpenShift Software Certification
+# https://access.redhat.com/documentation/en-us/red_hat_software_certification/2024/html/red_hat_openshift_software_certification_policy_guide/assembly-requirements-for-container-images_openshift-sw-cert-policy-introduction#con-image-metadata-requirements_openshift-sw-cert-policy-container-images
+LABEL name="MariaDB Server" \
+	vendor="MariaDB Community" \
+	version="10.11.8" \
+	release="Refer to Annotations org.opencontainers.image.{revision,source}" \
+	summary="MariaDB Database" \
+	description="MariaDB Database for relational SQL"
+
+# OCI annotations to image
+LABEL org.opencontainers.image.authors="MariaDB Community" \
+      org.opencontainers.image.title="MariaDB Database" \
+      org.opencontainers.image.description="MariaDB Database for relational SQL" \
+      org.opencontainers.image.documentation="https://hub.docker.com/_/mariadb/" \
+      org.opencontainers.image.base.name="docker.io/redhat/ubi9-minimal" \
+      org.opencontainers.image.licenses="GPL-2.0" \
+      org.opencontainers.image.source="https://github.com/MariaDB/mariadb-docker" \
+      org.opencontainers.image.vendor="MariaDB Community" \
+      org.opencontainers.image.version="10.11.8" \
+      org.opencontainers.image.url="https://github.com/MariaDB/mariadb-docker"
+
+# bashbrew-architectures: amd64 arm64v8 ppc64le s390x
+ARG MARIADB_VERSION=10.11.8
+# release-status:Stable
+# release-support-type:Long Term Support
+# (https://downloads.mariadb.org/rest-api/mariadb/)
+
+# missing pwgen(epel), jemalloc(epel) (as entrypoint/user extensions)
+# procps, pv(epel) - missing dependencies of galera sst script
+# tzdata re-installed as only a fake version is part of the ubi-minimal base image.
+# FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+RUN set -eux ; \
+	curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
+	gpg --import-options show-only --import  --with-colons /tmp/epelkey.txt  | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+	rpmkeys --import /tmp/epelkey.txt ; \
+	curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
+	rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
+	rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
+	rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
+	curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
+	gpg --import-options show-only --import  --with-colons /tmp/MariaDB-Server-GPG-KEY  | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+	rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
+	rm /tmp/MariaDB-Server-GPG-KEY ; \
+	microdnf update -y ; \
+	microdnf reinstall -y tzdata ; \
+	microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
+	mkdir -p /etc/mysql/conf.d /etc/mysql/mariadb.conf.d/ /var/lib/mysql/mysql /run/mariadb /usr/lib64/galera ; \
+	chmod ugo+rwx,o+t /run/mariadb ; \
+	microdnf install -y MariaDB-backup-10.11.8 MariaDB-server-10.11.8 ; \
+	# compatibility with DEB Galera packaging
+	ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib/libgalera_smm.so ; \
+	# compatibility with RPM Galera packaging
+	ln -s /usr/lib64/galera-4/libgalera_smm.so /usr/lib64/galera/libgalera_smm.so ; \
+	microdnf clean all ; \
+	rmdir /var/lib/mysql/mysql ; \
+	chown -R mysql:mysql /var/lib/mysql /run/mariadb ; \
+	mkdir /licenses ; \
+	ln -s /usr/share/doc/MariaDB-server-10.11.8/COPYING /licenses/GPL-2 ; \
+	ln -s /usr/share/licenses /licenses/package-licenses ; \
+	ln -s Apache-2.0-license /licenses/gosu
+
+VOLUME /var/lib/mysql
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+COPY healthcheck.sh /usr/local/bin/healthcheck.sh
+COPY docker-entrypoint.sh /usr/local/bin/
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+EXPOSE 3306
+CMD ["mariadbd"]

10.11-ubi/MariaDB.repo

@@ -0,0 +1,7 @@
+[mariadb]
+name = MariaDB
+#baseurl = https://rpm.mariadb.org/10.11/rhel/$releasever/$basearch
+baseurl = https://archive.mariadb.org/mariadb-10.11/yum/rhel/$releasever/$basearch
+#microdnf cannot read to the second key here.
+#gpgkey=https://archive.mariadb.org/PublicKey
+gpgcheck=1