container-build

verified

This skill should be used when the user asks to "build container", "create Dockerfile", "configure podman", or needs guidance on OpenShift container images, arbitrary UIDs, or image tagging.

Marketplace: agentops-marketplace

Plugin: domain-kit (development)

Repository: boshu2/agentops

Path: plugins/domain-kit/skills/container-build/SKILL.md

Last Verified: January 24, 2026

Install Skill

```bash
npx add-skill https://github.com/boshu2/agentops/blob/main/plugins/domain-kit/skills/container-build/SKILL.md -a claude-code --skill container-build
```

Installation path (Claude): `.claude/skills/container-build/`

# Container Build Skill for OpenShift

Build container images that work on OpenShift with arbitrary UIDs.

## Critical Requirements

### 1. Platform Targeting (MANDATORY)

**Always build for AMD64** - the cluster runs AMD64, while Apple Silicon Macs build ARM64 by default:

```bash
podman build --platform linux/amd64 -t registry/image:tag .
```

### 2. OpenShift File Permissions (MANDATORY)

OpenShift runs containers with **arbitrary UIDs** in the root group (GID 0). Files must be group-readable/executable:

```dockerfile
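# Bad - keeps the source file's mode, which may be owner-only
COPY main.py .

# Good - owned by 1001:0 and group-readable
# (requirements.txt is copied too, so the chmod below does not fail)
COPY --chown=1001:0 main.py requirements.txt ./
RUN chmod g+r main.py requirements.txt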

# For executables
RUN chmod g+rx entrypoint.sh

# For directories that need writing
RUN chmod -R g+rwX /app/data
```
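
The permission rules above can be checked mechanically. The following shell functions are an added example, not part of the skill; the names `audit_gid0` and `scan_gid0`, the finding labels, and the default writable path `ROOT/data` are assumptions. It goes one step beyond this section by also flagging group-writable paths outside the writable directory, so the running process cannot modify its own code.

```shell
#!/bin/sh
# Added example, not the skill's own code. Audits a directory tree against the
# arbitrary-UID convention: the process has a random UID and GID 0, so only
# the group permission bits can be relied on.
#
# Usage: audit_gid0 ROOT [GID] [WRITABLE_DIR]
#   GID          expected group owner (default 0; override only for local tests)
#   WRITABLE_DIR the one subtree allowed to be group-writable
#                (default ROOT/data, an assumption based on /app/data above)
# Prints one "<finding> <path>" line per problem; returns 1 if any were found.

scan_gid0() {
    root=$1 gid=$2 wdir=$3
    # Wrong group owner: the group bits would not apply to GID 0.
    find "$root" ! -group "$gid" -exec printf 'wrong-group %s\n' {} +
    # Regular files must be group-readable (g+r = 040).
    find "$root" -type f ! -perm -040 -exec printf 'no-group-read %s\n' {} +
    # Files the owner can execute must be group-executable too (g+x = 010).
    find "$root" -type f -perm -100 ! -perm -010 -exec printf 'no-group-exec %s\n' {} +
    # Directories need g+rx (050) to be listed and traversed.
    find "$root" -type d ! -perm -050 -exec printf 'no-group-traverse %s\n' {} +
    # The writable subtree must really be group-writable (g+w = 020).
    if [ -d "$wdir" ]; then
        find "$wdir" -type d ! -perm -020 -exec printf 'no-group-write %s\n' {} +
    fi
    # Everything else should stay read-only for the group, so the running
    # process cannot rewrite its own code. Symlink modes are ignored.
    find "$root" -path "$wdir" -prune -o ! -type l -perm -020 \
        -exec printf 'unexpected-group-write %s\n' {} +
}

audit_gid0() (
    findings=$(scan_gid0 "$1" "${2:-0}" "${3:-$1/data}")
    [ -z "$findings" ] && exit 0
    printf '%s\n' "$findings"
    exit 1
)
```

Run it inside the built image against the application directory; it needs `find` and `printf` to be available there.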

### 3. Versioned Tags (MANDATORY)

**Never use the `latest` tag** - Kubernetes nodes cache pulled images, so re-pushing the same tag does not guarantee that pods run the new build. Use semantic versions:

```bash
# Bad - cached images won't update
podman build -t registry/image:latest .

# Good - forces fresh pull
podman build -t registry/image:v1.0.0 .
```

Update `values.yaml` with the new tag, and either set `imagePullPolicy: Always` or rely on versioned tags.

### 4. Non-Root User Setup

```dockerfile
# Create non-root user with GID 0 for OpenShift
RUN useradd -u 1001 -g 0 -m appuser

# Set ownership to user:root-group
COPY --chown=1001:0 . /app

# Switch to non-root
USER 1001
```

### 5. Health Check Endpoints

**Match health probes to actual endpoints:**

| Framework | Default Endpoint | Probe Type |
|-----------|------------------|------------|
| FastAPI | `/health` or `/` | HTTP GET |
| FastMCP 2.0 | `/mcp` (returns 406 for plain GET) | **TCP Socket** |
| Express | `/health` | HTTP GET |

For MCP servers using FastMCP 2.0, use TCP probes:

```yaml
livenessProbe:
  tcpSocket:
    port: http
  initialDelaySeconds: 10
readinessProbe:
  tcpSocket:
    port: http
  initialDelaySeconds: 5
```

## Standard Containerfile Template

```dockerfile
# Multi-stage build for Python services
FROM registry.access.redhat.com/ubi9/py
```
