4 changes: 2 additions & 2 deletions Dockerfile.dev
@@ -1,11 +1,11 @@
# Dockerfile to build console image from pre-built front end.
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.23-openshift-4.20 AS build
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS build
RUN mkdir -p /go/src/github.com/openshift/console/
ADD . /go/src/github.com/openshift/console/
WORKDIR /go/src/github.com/openshift/console/
RUN ./build-backend.sh

FROM registry.ci.openshift.org/ocp/4.20:base-rhel9
FROM registry.ci.openshift.org/ocp/builder:rhel-9-base-nodejs-openshift-4.22
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if Dockerfile.dev or related dev tooling references Node.js at runtime

# Search for any runtime Node.js usage in dev docs or scripts
rg -n --type=md --type=sh -i 'dockerfile\.dev.*node' 

# Check if dev scripts expect Node.js in the running container
rg -n --type=sh 'docker.*run.*Dockerfile\.dev|podman.*run.*Dockerfile\.dev' -A 5 | rg -i 'npm|node|yarn'

# Compare runtime images between Dockerfile and Dockerfile.dev
echo "=== Production Dockerfile runtime ==="
rg -n '^FROM.*' Dockerfile | tail -1

echo "=== Dockerfile.dev runtime ==="
rg -n '^FROM.*' Dockerfile.dev | tail -1

Repository: openshift/console

Length of output: 262


🏁 Script executed:

#!/bin/bash
# Read the full Dockerfile.dev to understand Node.js usage
cat -n Dockerfile.dev | head -60

Repository: openshift/console

Length of output: 825


🏁 Script executed:

#!/bin/bash
# Check production Dockerfile runtime stage and any related context
echo "=== Production Dockerfile context around runtime stage ==="
sed -n '55,65p' Dockerfile

echo ""
echo "=== Check if there's dev workflow documentation ==="
rg -i 'dockerfile\.dev|dev.*runtime|node.*runtime' --type=md | head -20

echo ""
echo "=== Verify what's in the final stage - any Node.js references? ==="
sed -n '8,15p' Dockerfile.dev

Repository: openshift/console

Length of output: 2365


🏁 Script executed:

#!/bin/bash
# Check README or CONTRIBUTING for any mention of Dockerfile.dev dev workflow
echo "=== README mentions of Dockerfile.dev ==="
rg -n 'Dockerfile\.dev' README.md -B 2 -A 5

echo ""
echo "=== CONTRIBUTING docs ==="
if [ -f CONTRIBUTING.md ]; then
  rg -n -i 'docker|dev.*setup|runtime' CONTRIBUTING.md | head -20
else
  echo "No CONTRIBUTING.md found"
fi

Repository: openshift/console

Length of output: 593


Remove unnecessary Node.js from the dev runtime — align with production's minimal base.

Dockerfile.dev's final stage uses rhel-9-base-nodejs-openshift-4.22, but the container only executes the Go binary (/opt/bridge/bin/bridge) and serves pre-built frontend assets. Node.js isn't invoked.

This introduces security and efficiency concerns:

  • Expanded attack surface: Unnecessary binaries and runtime libraries that the application never uses.
  • Image bloat: Node.js adds hundreds of MB without benefit.
  • Production divergence: The production Dockerfile uses minimal base-rhel9, not the nodejs variant, for the identical runtime workload.

Switch to the minimal base image to match production:

Suggested change
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-base-nodejs-openshift-4.22
+FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.dev` at line 8, change the final stage base image from the Node.js
variant to the minimal production base by replacing the FROM image reference
"registry.ci.openshift.org/ocp/builder:rhel-9-base-nodejs-openshift-4.22" with
the minimal runtime base used in production (e.g.,
"registry.ci.openshift.org/ocp/builder:base-rhel9"); ensure the stage still
copies the Go binary (/opt/bridge/bin/bridge) and static frontend assets and
remove any leftover Node-specific install/copy steps so the resulting dev image
mirrors the production minimal runtime.

COPY --from=build /go/src/github.com/openshift/console/bin/bridge /opt/bridge/bin/bridge
COPY ./frontend/public/dist /opt/bridge/static
COPY ./pkg/graphql/schema.graphql /pkg/graphql/schema.graphql
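Review bot: the runtime-stage line `FROM registry.ci.openshift.org/ocp/builder:rhel-9-base-nodejs-openshift-4.22` changes the image family, not just the release tag: the line it replaces pulled the minimal `registry.ci.openshift.org/ocp/4.20:base-rhel9`, so the like-for-like bump that matches the 4.20 to 4.22 move on the builder line is `registry.ci.openshift.org/ocp/4.22:base-rhel9`. Nothing in this hunk needs Node.js at runtime (the final stage only copies `bin/bridge`, `frontend/public/dist` and `schema.graphql`), so either keep the minimal base or state in the PR why the dev image now needs a Node.js runtime. Note that the thread above names two different replacement images (`ocp/4.22:base-rhel9` in the suggested change, `ocp/builder:base-rhel9` in the agent prompt); only the former mirrors the pre-change image name.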
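The review above argues that the dev image's runtime stage should use the same minimal base as production. The following is an added CI guard, not code from the openshift/console repository: it extracts the last `FROM` image of a Dockerfile and fails when the dev runtime base is a builder/Node.js image or differs from production's. The sample Dockerfiles are constructed inline from the image names in the diff (the `--platform` flag on the builder line is added only to exercise flag handling).

```shell
#!/bin/sh
# Added CI guard (not part of openshift/console): extract the runtime-stage base image
# of a Dockerfile and refuse builder/Node.js images or any drift from production.

# final_base FILE: print the image of the last FROM instruction, i.e. the runtime stage.
# Flags such as --platform=... are skipped and the "AS name" alias is dropped.
final_base() {
  awk 'toupper($1) == "FROM" {
         img = ""
         for (i = 2; i <= NF; i++) {
           if ($i ~ /^--/) continue   # skip --platform=... style flags
           img = $i; break             # first non-flag token is the image
         }
         last = img
       }
       END { print last }' "$1"
}

# runtime_stage_ok DEV_FILE PROD_FILE: 0 if the dev runtime base is minimal and
# identical to production's, 1 (with a reason on stderr) otherwise.
runtime_stage_ok() {
  dev=$(final_base "$1"); prod=$(final_base "$2")
  case "$dev" in
    *nodejs*|*/builder:*)
      echo "dev runtime stage uses a builder/Node.js image: $dev" >&2; return 1 ;;
  esac
  [ "$dev" = "$prod" ] && return 0
  echo "dev runtime base ($dev) differs from production ($prod)" >&2
  return 1
}

# Constructed sample files mirroring the images named in the diff above.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/Dockerfile" <<'EOF'
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS build
RUN ./build-backend.sh
FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
COPY --from=build /go/src/github.com/openshift/console/bin/bridge /opt/bridge/bin/bridge
EOF
cat > "$SAMPLE_DIR/Dockerfile.dev" <<'EOF'
FROM --platform=$BUILDPLATFORM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS build
RUN ./build-backend.sh
FROM registry.ci.openshift.org/ocp/builder:rhel-9-base-nodejs-openshift-4.22
COPY --from=build /go/src/github.com/openshift/console/bin/bridge /opt/bridge/bin/bridge
EOF
# The dev file with the reviewer's suggested minimal base applied.
sed 's#/ocp/builder:rhel-9-base-nodejs-openshift-4.22#/ocp/4.22:base-rhel9#' \
  "$SAMPLE_DIR/Dockerfile.dev" > "$SAMPLE_DIR/Dockerfile.dev.fixed"

runtime_stage_ok "$SAMPLE_DIR/Dockerfile.dev" "$SAMPLE_DIR/Dockerfile" || echo "as-submitted dev image rejected"
runtime_stage_ok "$SAMPLE_DIR/Dockerfile.dev.fixed" "$SAMPLE_DIR/Dockerfile" && echo "fixed dev image accepted"
```

Run it against the real `Dockerfile` and `Dockerfile.dev` in a pre-merge job to catch this kind of base-image drift automatically.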