chore: Upgrade base image from UBI 9 to UBI 10.2 #191

Open
rpokorny wants to merge 4 commits into main from chore/upgrade-ubi10

Conversation

@rpokorny rpokorny commented Jun 1, 2026

Contributor

Motivation

This upgrade addresses 12 policy violations currently failing the main branch build in IQ Server (report), including:

These are all RHEL 9 OS-level packages with known vulnerabilities. The branch IQ report on UBI 10.2 shows zero vulnerabilities — the newer base image ships patched versions of these packages.

Changes

  • Dockerfile: ubi9/ubi-minimal:9.6 → ubi10/ubi-minimal:10.2
  • Dockerfile.rh: ubi9/ubi-minimal:9.7 → ubi10/ubi-minimal:10.2
  • Dockerfile.slim: ubi9/ubi-minimal:9.6 → ubi10/ubi-minimal:10.2
  • Crypto policy: Added custom SHA1.pmod and use DEFAULT:SHA1 instead of the removed RHEL 10 module

Crypto policy detail

RHEL 10 removed the SHA1 subpolicy module that was used to allow SHA1-signed certificates (needed for Azure PostgreSQL connections — see PR #155). Rather than using the LEGACY policy (which enables SSH CBC ciphers, RSAES-PKCS1-v1.5, and other unnecessary relaxations), we ship a custom SHA1.pmod that allows only:

  • SHA1 hash algorithm (hash = SHA1+)
  • SHA1-based signatures (sign = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+)

This keeps the security posture identical to what we had on UBI 9 with DEFAULT:SHA1.

Testing

All three CI pipelines pass:

  • ✅ main-image / iq-server-docker-image-build-test
  • ✅ slim-image / iq-server-docker-slim-image-build-test
  • ✅ redhat-image / iq-server-docker-slim-red-hat-build-test
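As an added illustration (not part of the PR or the project's own files), here is the subpolicy described above, reproduced from the two directives the description lists, together with a small audit script a reviewer could run over any .pmod to confirm it only appends to the hash and sign lists and introduces none of the LEGACY-style relaxations (CBC ciphers, small DH groups) the PR chose to avoid. The LOOSE_PMOD counter-example, the ALLOWED_DIRECTIVES set and the audit function are constructed for this illustration; the crypto-policies syntax it relies on (a "+" suffix appends to the inherited list, a "-" prefix removes from it, a bare value replaces it) is the real policy language.

```python
import re

# Constructed reproduction of the subpolicy the PR description specifies:
# it appends SHA1 to the hash list and the SHA1-based signature schemes to
# the signature list, and touches nothing else. The "+" suffix is the
# crypto-policies way of saying "append to the inherited list".
SHA1_PMOD = """\
# Allow SHA1 hashes and SHA1-based signatures on top of DEFAULT.
hash = SHA1+
sign = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+
"""

# Constructed counter-example in the spirit of the LEGACY relaxations the PR
# rejected: it also enables a CBC cipher and lowers the minimum DH size.
LOOSE_PMOD = """\
hash = SHA1+
sign = RSA-SHA1+
cipher = AES-128-CBC+
min_dh_size = 1536
"""

# Directives a SHA1-only subpolicy is allowed to touch (constructed policy).
ALLOWED_DIRECTIVES = frozenset({"hash", "sign"})

# "key = value" where key may carry a backend scope such as cipher@SSH.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*(?:@[A-Za-z0-9_]+)?)\s*=\s*(.*?)\s*$")


def parse_pmod(text):
    """Return [(key, value), ...] for each directive, skipping blanks and comments."""
    directives = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if not match:
            raise ValueError(f"unparseable policy line: {line!r}")
        directives.append((match.group(1), match.group(2)))
    return directives


def classify(value):
    """Tell how a directive edits the inherited list: append, remove or replace."""
    tokens = value.split()
    if tokens and all(t.endswith("+") for t in tokens):
        return "append"
    if tokens and all(t.startswith("-") for t in tokens):
        return "remove"
    return "replace"


def audit_pmod(text, allowed=ALLOWED_DIRECTIVES):
    """Return findings for every directive that goes beyond a hash/sign append.

    A clean SHA1-only module yields an empty list; anything that changes
    ciphers, key sizes, protocols, or wholesale-replaces a list is reported.
    """
    findings = []
    for key, value in parse_pmod(text):
        base = key.split("@", 1)[0]  # drop a backend scope like @SSH
        mode = classify(value)
        if base not in allowed:
            findings.append(f"{key}: directive outside the allowed set ({mode}: {value})")
        elif mode == "replace":
            findings.append(f"{key}: replaces the inherited list instead of appending ({value})")
    return findings


if __name__ == "__main__":
    print("SHA1.pmod findings:", audit_pmod(SHA1_PMOD) or "none")
    for finding in audit_pmod(LOOSE_PMOD):
        print("loose module:", finding)
```

To deploy a module like this, a Dockerfile copies the file to /etc/crypto-policies/policies/modules/SHA1.pmod and runs update-crypto-policies --set DEFAULT:SHA1; update-crypto-policies --show should then print DEFAULT:SHA1, and the audit above is the review-time check that the module has not drifted toward LEGACY. The RHEL 9 module additionally set a GnuTLS-only knob (sha1_in_certs) that the commit messages drop as unneeded for the JDBC connection; the reproduction above leaves it out accordingly.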

rpokorny added 4 commits June 1, 2026 10:04

Update all Dockerfiles to use registry.access.redhat.com/ubi10/ubi-minimal:10.2
replacing ubi9/ubi-minimal:9.6 (Dockerfile, Dockerfile.slim) and
ubi9/ubi-minimal:9.7 (Dockerfile.rh).

RHEL 10 removed the SHA1 subpolicy module. The LEGACY policy provides
equivalent SHA1 certificate support.

The LEGACY policy is significantly looser than the old UBI 9 DEFAULT:SHA1
combination — it enables SSH CBC ciphers, RSAES-PKCS1-v1.5, FFDHE-1536,
and legacy PKCS12/SMIME algorithms that were not previously allowed.

Instead, ship a custom SHA1.pmod that replicates the removed RHEL 10
module exactly, keeping the security posture identical to UBI 9.

This GnuTLS-specific knob is not needed for the Java/JDBC PostgreSQL
connection that motivated this workaround.
@rpokorny rpokorny requested review from a team and j-s-3 June 1, 2026 16:48

@JuanDavid31 JuanDavid31 left a comment

+1

@mealingr mealingr left a comment

Contributor

+1

3 participants