Migrate container base images from UBI9 to UBI10 and Python from 3.11 to 3.12

[crivetimihai]

Summary

Migrate MCP Gateway container base images from Red Hat UBI9 to the newer UBI10 for improved security, performance, and support lifecycle. UBI10 also comes with Python 3.12.

Background

Red Hat has released UBI10 (Universal Base Image 10) which provides:

• Enhanced security features and CVE patches
• Improved performance and smaller image sizes
• Extended support lifecycle
• Better compatibility with modern container runtimes
• Updated system libraries and tooling

Current State

Current Base Images:

• Containerfile: Uses registry.access.redhat.com/ubi9-minimal:9.6-1755695350
• Containerfile.lite: Uses registry.access.redhat.com/ubi9/ubi:9.6-1756915113

Proposed Changes

1. Update Containerfile Base Images

Containerfile (minimal):

# FROM: registry.access.redhat.com/ubi9-minimal:9.6-1755695350
FROM: registry.access.redhat.com/ubi10/ubi-minimal:latest

Containerfile.lite (full):

# FROM: registry.access.redhat.com/ubi9/ubi:9.6-1756915113  
FROM: registry.access.redhat.com/ubi10/ubi:latest

2. Red Hat Catalog References

• UBI10 Full: https://catalog.redhat.com/en/software/containers/ubi10/ubi/66f2b46b122803e4937d11ae
• UBI10 Minimal: https://catalog.redhat.com/en/software/containers/ubi10/ubi-minimal/66f1504a379b9c2cf23e145c

3. Python Version Considerations

UBI10 includes updated Python versions. Verify and update if needed:

ARG PYTHON_VERSION=3.12  # Consider upgrading from 3.11

4. Package Manager Updates

UBI10 may have updated package managers and dependencies:

• Verify microdnf usage and any package name changes
• Test dnf commands for dependency installation
• Validate Python package installation process

Implementation Tasks

Phase 1: Base Image Migration

• Update Containerfile to use UBI10 minimal
• Update Containerfile.lite to use UBI10 full
• Test local container builds
• Verify Python installation and version compatibility

Phase 2: Dependency Verification

• Test package installation (microdnf, dnf)
• Verify Python virtual environment creation
• Test pip/uv dependency installation
• Validate all optional dependencies (redis, postgres, mysql, observability)

Phase 3: Integration Testing

• Test container builds in CI/CD pipeline
• Verify database connectivity (SQLite, PostgreSQL, MariaDB)
• Test application startup and functionality
• Validate security scanning results

Phase 4: Documentation Updates

• Update deployment documentation with new base image info
• Update container build instructions
• Document any breaking changes or migration notes

Benefits

1. Security: Latest CVE patches and security updates
2. Performance: Optimized base image with smaller footprint
3. Support: Extended Red Hat support lifecycle
4. Compatibility: Better support for modern container platforms
5. Maintenance: Reduced technical debt and improved maintainability

Risk Assessment

• Low Risk: UBI10 maintains backward compatibility with UBI9
• Testing Required: Verify all functionality works with new base image
• Rollback Plan: Keep UBI9 images available if issues arise

Acceptance Criteria

• Container builds successfully with UBI10 base images
• All database backends (SQLite, PostgreSQL, MariaDB) work correctly
• Application functionality unchanged
• Container size optimized or at least not significantly larger
• Security scan results improved or equivalent
• CI/CD pipeline validates new images
• Documentation updated with new base image information

Related Issues

• Relates to ongoing container optimization efforts
• Supports enhanced security posture
• Aligns with Red Hat ecosystem best practices

Documentation Links

• Red Hat UBI10 Documentation
• UBI10 Container Catalog - Full
• UBI10 Container Catalog - Minimal