chore: Add ubi10 rust builder, update ubi9 rust builder (#1432)

NickLarsenNZ · web-flow · commit d1aeefc967c6 · 2026-02-26T12:16:24.000Z
* chore: Add ubi10 rust builder

* chore(ubi-rust-builders): bump dependencies

Note: Ignoring protoc (which could go to 34.0, but now it feels too close to the release time to update it).

* chore: Update changelog

* chore(ubi-rust-builders): Revert rustup update

Note: The vesion from the changelog hasn't been tagged yet

* chore(nix): Run niv update
diff --git a/.github/ISSUE_TEMPLATE/update-base-ubi-rust-builders.md b/.github/ISSUE_TEMPLATE/update-base-ubi-rust-builders.md
@@ -52,6 +52,7 @@ Add/Change/Remove anything that isn't applicable anymore
 > checked, the issue can be moved into _Development: Done_.
 
 - [ ] Done for [ubi9-rust-builder/Dockerfile](https://github.com/stackabletech/docker-images/blob/main/ubi9-rust-builder/Dockerfile)
+- [ ] Done for [ubi10-rust-builder/Dockerfile](https://github.com/stackabletech/docker-images/blob/main/ubi10-rust-builder/Dockerfile)
 - [ ] Can build the image locally
 - [ ] Can build an operator image
 
@@ -60,6 +61,7 @@ Add/Change/Remove anything that isn't applicable anymore
 
 ```shell
 docker build -t oci.stackable.tech/sdp/ubi9-rust-builder . -f ubi9-rust-builder/Dockerfile
+docker build -t oci.stackable.tech/sdp/ubi10-rust-builder . -f ubi10-rust-builder/Dockerfile
 
 # Change directory into the an operator repository and ensure the image can build
 docker build . -f docker/Dockerfile
diff --git a/.github/workflows/ubi-rust-builder.yml b/.github/workflows/ubi-rust-builder.yml
@@ -26,7 +26,7 @@ jobs:
       fail-fast: false
       matrix:
         runner: ["ubuntu-latest", "ubicloud-standard-8-arm-ubuntu-2404"]
-        ubi-version: ["ubi9"]
+        ubi-version: ["ubi9", "ubi10"]
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
@@ -75,7 +75,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ubi-version: ["ubi9"]
+        ubi-version: ["ubi9", "ubi10"]
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,7 @@ All notable changes to this project will be documented in this file.
 - spark: Add `3.5.8` ([#1414]).
 - spark-connect-client: Add `3.5.8` ([#1414]).
 - hbase: Backport HBASE-29797 to all HBAse versions (`2.6.3` and `2.6.4`) ([#1425]).
+- ubi10-rust-builder: Add new ubi10 base image for operators to begin using ([#1432]).
 
 ### Changed
 
@@ -43,6 +44,7 @@ All notable changes to this project will be documented in this file.
   Pull logging dependencies with `mvn` instead of `curl` to remove manual maintenance in Nexus `packages`.
 - hbase: Update `hbase-operator-tools` from `1.3.0-fd5a5fb` to `1.3.0` ([#1425]).
 - nifi: Backported NiFi-15567 to NiFi 2.6.0 and 2.7.2 to fix CVE CVE-2026-25903 ([#1429]).
+- ubi9-rust-builder: Bump rust toolchain and cargo auditable versions ([#1432]).
 
 ### Removed
 
@@ -106,6 +108,7 @@ All notable changes to this project will be documented in this file.
 [#1426]: https://github.com/stackabletech/docker-images/pull/1426
 [#1428]: https://github.com/stackabletech/docker-images/pull/1428
 [#1429]: https://github.com/stackabletech/docker-images/pull/1429
+[#1432]: https://github.com/stackabletech/docker-images/pull/1432
 
 ## [25.11.0] - 2025-11-07
 
diff --git a/nix/sources.json b/nix/sources.json
diff --git a/ubi10-rust-builder/Dockerfile b/ubi10-rust-builder/Dockerfile
@@ -0,0 +1,122 @@
+# syntax=docker/dockerfile:1.16.0@sha256:e2dd261f92e4b763d789984f6eab84be66ab4f5f08052316d8eb8f173593acf7
+# check=error=true
+
+# Find the latest version at https://catalog.redhat.com/en/software/containers/ubi10/ubi-minimal/66f1504a379b9c2cf23e145c#get-the-image
+# IMPORTANT: Make sure to use the "Manifest List Digest" that references the images for multiple architectures
+# rather than just the "Image Digest" that references the image for the selected architecture.
+# The website is broken, so you can use this to find it:
+# curl https://catalog.redhat.com/en/software/containers/ubi10/ubi-minimal/66f1504a379b9c2cf23e145c \
+# | grep -oE 'registry.redhat.io/ubi10/ubi-minimal@sha256:[a-z0-9]{64}'
+FROM registry.access.redhat.com/ubi10/ubi-minimal@sha256:a74a7a92d3069bfac09c6882087771fc7db59fa9d8e16f14f4e012fe7288554c AS builder
+
+LABEL maintainer="Stackable GmbH"
+
+# Pin the rustup version to avoid unexpected breaking changes.
+# See https://github.com/rust-lang/rustup/blob/4514d36fcc9c42416176111cd841c86f7ec44b2c/rustup-init.sh#L91
+# Find the latest version here: https://github.com/rust-lang/rustup/tags
+# renovate: datasource=github-tags packageName=rust-lang/rustup
+ENV RUSTUP_VERSION=1.28.2
+# This SHOULD be kept in sync with operator-templating and other tools to reduce build times
+# Find the latest version here: https://doc.rust-lang.org/stable/releases.html
+# renovate: datasource=github-releases packageName=rust-lang/rust
+ENV RUST_DEFAULT_TOOLCHAIN_VERSION=1.93.0
+# Find the latest version here: https://crates.io/crates/cargo-cyclonedx
+# renovate: datasource=crate packageName=cargo-cyclonedx
+ENV CARGO_CYCLONEDX_CRATE_VERSION=0.5.7
+# Find the latest version here: https://crates.io/crates/cargo-auditable
+# renovate: datasource=crate packageName=cargo-auditable
+ENV CARGO_AUDITABLE_CRATE_VERSION=0.7.2
+# Find the latest version here: https://github.com/protocolbuffers/protobuf/releases
+# Upload any newer version to nexus with ./.scripts/upload_new_protoc_version.sh
+# renovate: datasource=github-releases packageName=protocolbuffers/protobuf
+ENV PROTOC_VERSION=31.1
+
+# Sets the default shell to Bash with strict error handling and robust pipeline processing.
+# "-e": Exits immediately if a command exits with a non-zero status
+# "-u": Treats unset variables as an error, preventing unexpected behavior from undefined variables.
+# "-o pipefail": Causes a pipeline to return the exit status of the last command in the pipe that failed, ensuring errors in any part of a pipeline are not ignored.
+# "-c": Allows the execution of commands passed as a string
+# This is automatically inherited in all other Dockerfiles that use this unless it is overwritten
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
+# We configure microdnf to not install weak dependencies in this file
+# Not doing this caused the content of images to become unpredictable because
+# based on which packages get updated by `microdnf update` new weak dependencies
+# might be installed that were not present earlier (the ubi base image doesn't
+# seem to install weak dependencies)
+# This also affects the packages that are installed in our Dockerfiles (java as prime
+# example).
+# https://github.com/stackabletech/docker-images/pull/533
+COPY stackable-base/stackable/dnf.conf /etc/dnf/dnf.conf
+
+# Update image and install everything needed for Rustup & Rust
+RUN microdnf update \
+  && microdnf install \
+    clang \
+    cmake \
+    curl-minimal \
+    findutils \
+    gcc \
+    gcc-c++ \
+    # krb5 needed for secret-operator
+    krb5-devel \
+    krb5-libs \
+    libkadm5 \
+    make \
+    openssl-devel \
+    pkg-config \
+    systemd-devel \
+    # tar needed to create the source code snapshot before building the Rust code
+    tar \
+    unzip \
+  && microdnf clean all \
+  && rm -rf /var/cache/yum
+
+# Container Storage Interface is defined using GRPC/Protobuf, our operators that use it (secret-operator/listener-operator) require
+# protoc via Prost (https://github.com/tokio-rs/prost).
+WORKDIR /opt/protoc
+# Prost does not document which version of protoc it expects (https://docs.rs/prost-build/0.12.4/prost_build/), so this should be the latest upstream version
+# (within reason).
+RUN ARCH=$(arch | sed 's/^aarch64$/aarch_64/') \
+  && curl --fail --location --output protoc.zip "https://repo.stackable.tech/repository/packages/protoc/protoc-${PROTOC_VERSION}-linux-${ARCH}.zip" \
+  && unzip protoc.zip \
+  && rm protoc.zip
+ENV PROTOC=/opt/protoc/bin/protoc
+WORKDIR /
+
+# IMPORTANT
+# If you change the toolchain version here, make sure to also change the "rust_version"
+# property in operator-templating/config/rust.yaml
+RUN <<EOF
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | RUSTUP_VERSION="$RUSTUP_VERSION" sh -s -- -y --default-toolchain "$RUST_DEFAULT_TOOLCHAIN_VERSION"
+. "$HOME/.cargo/env"
+cargo install --quiet --locked "cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION" "cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION"
+EOF
+
+# Build artifacts will be available in /app.
+RUN mkdir /app
+
+COPY shared/copy_artifacts.sh /
+
+ONBUILD WORKDIR /src
+ONBUILD COPY . /src
+
+ONBUILD RUN <<EOF
+. "$HOME/.cargo/env"
+tar -czf /app/stackable-src.tar.gz .
+cargo auditable --quiet build --release --workspace
+cargo cyclonedx --all --spec-version 1.5 --describe binaries
+
+# -maxdepth 1: The interesting binaries are all directly in ${BUILD_DIR}.
+# -regex filters out tests
+# - exec copies matching files to /app
+find /src/target/release \
+  -regextype egrep \
+  -maxdepth 1 \
+  -executable \
+  -type f \
+  ! -regex ".*\-[a-fA-F0-9]{16,16}$" \
+  -exec /copy_artifacts.sh {} \;
+
+echo "The following files will be copied to the runtime image: $(ls /app)"
+EOF
diff --git a/ubi10-rust-builder/README.md b/ubi10-rust-builder/README.md
@@ -0,0 +1,31 @@
+# ubi10-rust-builder
+
+These images are meant to be used in multi-stage builds as a base image for projects building Rust projects.
+They are automatically rebuilt and pushed every night and also on every push to the main branch, in addition a build can be triggered using GitHub Actions.
+
+The image will run `cargo build --release` in the current context and copy all binaries to an `/app` directory.
+
+This will bake in the current stable Rust version at the time this image was built, which means it should be rebuilt (and tagged) for every release of Rust.
+
+## Example usage
+
+```dockerfile
+FROM oci.stackable.tech/sdp/ubi10-rust-builder AS builder
+
+FROM registry.access.redhat.com/ubi10/ubi-minimal AS operator
+LABEL maintainer="Stackable GmbH"
+
+# Update image
+RUN microdnf update \
+  && microdnf install \
+    shadow-utils \
+  && rm -rf /var/cache/yum
+
+COPY --from=builder /app/stackable-zookeeper-operator /
+
+RUN groupadd -g 1000 stackable && adduser -u 1000 -g stackable -c 'Stackable Operator' stackable
+
+USER 1000:1000
+
+ENTRYPOINT ["/stackable-zookeeper-operator"]
+```
diff --git a/ubi9-rust-builder/Dockerfile b/ubi9-rust-builder/Dockerfile
@@ -3,25 +3,28 @@
 
 # Find the latest version at https://catalog.redhat.com/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5?container-tabs=gti
 # IMPORTANT: Be sure to use the Manifest List Digest for multi-arch support
-FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:bb08f2300cb8d12a7eb91dddf28ea63692b3ec99e7f0fa71a1b300f2756ea829 AS builder
+# The website is broken, so you can use this to find it:
+# curl https://catalog.redhat.com/en/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5 \
+# | grep -oE 'registry.redhat.io/ubi9/ubi-minimal@sha256:[a-z0-9]{64}'
+FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 AS builder
 
 LABEL maintainer="Stackable GmbH"
 
 # Pin the rustup version to avoid unexpected breaking changes.
 # See https://github.com/rust-lang/rustup/blob/4514d36fcc9c42416176111cd841c86f7ec44b2c/rustup-init.sh#L91
-# Find the latest version here: https://github.com/rust-lang/rustup/blob/master/CHANGELOG.md
+# Find the latest version here: https://github.com/rust-lang/rustup/tags
 # renovate: datasource=github-tags packageName=rust-lang/rustup
 ENV RUSTUP_VERSION=1.28.2
 # This SHOULD be kept in sync with operator-templating and other tools to reduce build times
 # Find the latest version here: https://doc.rust-lang.org/stable/releases.html
 # renovate: datasource=github-releases packageName=rust-lang/rust
-ENV RUST_DEFAULT_TOOLCHAIN_VERSION=1.89.0
+ENV RUST_DEFAULT_TOOLCHAIN_VERSION=1.93.0
 # Find the latest version here: https://crates.io/crates/cargo-cyclonedx
 # renovate: datasource=crate packageName=cargo-cyclonedx
 ENV CARGO_CYCLONEDX_CRATE_VERSION=0.5.7
 # Find the latest version here: https://crates.io/crates/cargo-auditable
 # renovate: datasource=crate packageName=cargo-auditable
-ENV CARGO_AUDITABLE_CRATE_VERSION=0.7.1
+ENV CARGO_AUDITABLE_CRATE_VERSION=0.7.2
 # Find the latest version here: https://github.com/protocolbuffers/protobuf/releases
 # Upload any newer version to nexus with ./.scripts/upload_new_protoc_version.sh
 # renovate: datasource=github-releases packageName=protocolbuffers/protobuf
diff --git a/ubi9-rust-builder/README.md b/ubi9-rust-builder/README.md
@@ -10,7 +10,7 @@ This will bake in the current stable Rust version at the time this image was bui
 ## Example usage
 
 ```dockerfile
-FROM oci.stackable.tech/ubi9-rust-builder AS builder
+FROM oci.stackable.tech/sdp/ubi9-rust-builder AS builder
 
 FROM registry.access.redhat.com/ubi9/ubi-minimal AS operator
 LABEL maintainer="Stackable GmbH"
