
WIP: Update images for 5.0#2286

Open
tchap wants to merge 4 commits into openshift:main from tchap:update-images

Conversation


@tchap tchap commented Jun 9, 2026

Contributor

Cherry-picking the following PRs since the change needs to occur at once:

Summary by CodeRabbit

  • Chores
    • Updated build infrastructure to use Go 1.26 and OpenShift 5.0 across the CLI binaries, artifacts, and tooling.
    • Refreshed the RHEL-based builder images and runtime base images used for multi-stage container builds.
    • Updated the CI release image tag to the corresponding OpenShift 5.0 / Go 1.26 version.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 9, 2026

coderabbitai Bot commented Jun 9, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 32f0c2d0-d7e2-44c2-9d42-4642b1aef502

📥 Commits

Reviewing files that changed from the base of the PR and between ca99000 and dd91d47.

📒 Files selected for processing (1)
  • go.mod

Walkthrough

Build tooling and container base images were updated to Go 1.26 and OpenShift 5.0 across CI configuration and Dockerfiles.

Changes

Build Infrastructure Upgrade

Layer | File(s) | Summary
Toolchain version updates | go.mod, .ci-operator.yaml | The Go directive and CI build root image tag were updated to Go 1.26 and the matching OpenShift 5.0 release image.
Docker build image refresh | images/cli-artifacts/Dockerfile.rhel, images/cli/Dockerfile.rhel, images/tools/Dockerfile | The CLI artifact, CLI, and tools Dockerfiles now use updated OpenShift 5.0 builder and runtime base images.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change: updating build/runtime images for 5.0.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only changes CI config, Dockerfiles, and go.mod; no *_test.go files or Ginkgo titles were modified.
Test Structure And Quality ✅ Passed PASS: the PR only changes CI/Docker/go.mod image/toolchain files, with no Ginkgo test code or cluster-interaction tests to review.
Microshift Test Compatibility ✅ Passed PR only updates config, Dockerfiles, and go.mod; no new Ginkgo e2e tests or MicroShift-unsafe APIs/features were added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Diff only updates CI/Dockerfiles and go.mod; no new It/Describe/Context/When tests or SNO-unsafe patterns were added.
Topology-Aware Scheduling Compatibility ✅ Passed Touched files only update build images and Go version; no deployment manifests, operator code, controllers, node selectors, affinity, tolerations, or PDBs changed.
Ote Binary Stdout Contract ✅ Passed Only Dockerfiles/.ci-operator.yaml/go.mod changed; no process-level Go entrypoints or stdout writes in main/suite setup were touched.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; changes are limited to config, Dockerfile tags, and go.mod, so this compatibility check is not applicable.
No-Weak-Crypto ✅ Passed Touched files only change image tags and Go toolchain version; no MD5/SHA1/DES/RC4/3DES/ECB, custom crypto, or secret comparisons were added.
Container-Privileges ✅ Passed Touched files only bump Go/base image tags; no privileged, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation settings appear.
No-Sensitive-Data-In-Logs ✅ Passed Only image-tag and Go-version updates were changed; the touched files contain no logging or secret-like strings.

@openshift-ci openshift-ci Bot requested review from atiratree and ingvagabund June 9, 2026 10:51

openshift-ci Bot commented Jun 9, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tchap
Once this PR has been reviewed and has the lgtm label, please assign ardaguclu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
images/cli/Dockerfile.rhel (1)

7-16: ⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Add USER directive to run as non-root.

The Dockerfile does not specify a USER directive, causing the container to run as root by default. This violates the container security guidelines which require "USER non-root; never run as root." As per coding guidelines, all containers should run with a non-root user for security hardening.

🛡️ Proposed fix to add non-root user

Add a USER directive before the final CMD/LABEL declarations:

 RUN for i in kubectl openshift-deploy openshift-docker-build openshift-sti-build openshift-git-clone openshift-manage-dockerfile openshift-extract-image-content openshift-recycle; do ln -sf /usr/bin/oc /usr/bin/$i; done
+USER 1001
 LABEL io.k8s.display-name="OpenShift Client" \
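Review bot: the hunk only adds `USER 1001`, while the agent prompt attached to this same finding asks for more (create the user/group, chown `/usr/bin/oc` and `/usr/bin/oc-tests-ext.gz`, and anything else written during the build); as written, everything the preceding `RUN` symlink loop and the `COPY --from=builder` lines produced stays root-owned, which is fine for read-and-execute use of the `oc` symlinks but not for any path the tool writes to at runtime. If this is taken, land the ownership changes and the `USER` line together, and keep the `USER` directive after the last `RUN` that needs root (here it already sits between the symlink `RUN` and the `LABEL` block, which needs no privileges). The finding is labelled "Poor tradeoff" by the bot itself, so the PR author should confirm the non-root switch is wanted for the CLI image before applying it.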

Note: Verify that UID 1001 is appropriate for your security context, or use a different non-root UID as required by your organization's standards.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/cli/Dockerfile.rhel` around lines 7 - 16, The image currently leaves
no USER set (after the COPY and RUN lines and before the LABEL block), so update
the Dockerfile to create a non-root user and switch to it: add commands to
create a non-root user/group (e.g., UID 1001), chown the installed binaries
copied by the COPY --from=builder lines (/usr/bin/oc and
/usr/bin/oc-tests-ext.gz) and any other paths written during build, and then add
a USER directive (e.g., USER 1001) before the LABEL/CMD so the container runs
non-root; ensure no subsequent RUN steps require root or adjust ownership
accordingly.

Sources: Coding guidelines, Linters/SAST tools

images/tools/Dockerfile (1)

6-63: ⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Add USER directive to run as non-root.

The Dockerfile does not specify a USER directive, causing the container to run as root by default. This violates the container security guidelines which require "USER non-root; never run as root." As per coding guidelines, all containers should run with a non-root user for security hardening, even for debugging and diagnostic tools.

🛡️ Proposed fix to add non-root user

Add a USER directive before CMD:

   yum -y install $INSTALL_PKGS && rpm -V --nogroup --nosize --nofiledigest --nomtime --nomode $INSTALL_PKGS && yum clean all && rm -rf /var/cache/*
   # Disabled until they are buildable on s390x
   # numactl \
   # numactl-devel \

+USER 1001
 CMD ["/usr/bin/bash"]
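Review bot: switching to `USER 1001` immediately before `CMD ["/usr/bin/bash"]` drops privileges for a debugging/diagnostics image without the ownership work the accompanying agent prompt calls for (chown of runtime-needed files such as `/usr/bin/oc` and the files under `/etc/sos`); the yum-installed tools were all installed as root by the preceding `RUN` step, so anything that writes under root-owned paths will fail once the shell runs as UID 1001. Because the finding is itself marked "Poor tradeoff" and the comment admits this image exists "for debugging and diagnostic tools", either pair the `USER` line with the user/group creation and ownership fixes in the same change and verify the installed tools still function as a non-root UID, or leave the image as-is and document why root is required here.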

Note: Verify that UID 1001 is appropriate for your security context, or use a different non-root UID as required by your organization's standards.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/tools/Dockerfile` around lines 6 - 63, The Dockerfile currently has no
USER directive so containers run as root; create a non-root user (e.g., UID
1001) and group, chown any runtime-needed files/directories (for example
/usr/bin/oc and any files under /etc/sos referenced in the Dockerfile) during
the build, and add a USER <non-root> line before the CMD to run the container as
that user; ensure the chosen UID/GID is consistent with your security policy and
that no privileged operations in the RUN steps require root at container
runtime.

Sources: Coding guidelines, Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 29eb633b-64e7-4f56-9840-db72a4dce342

📥 Commits

Reviewing files that changed from the base of the PR and between 4007283 and ca99000.

📒 Files selected for processing (4)
  • .ci-operator.yaml
  • images/cli-artifacts/Dockerfile.rhel
  • images/cli/Dockerfile.rhel
  • images/tools/Dockerfile
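
As an added example (not code from this PR, from the oc repository or from CodeRabbit), a small Go check that reproduces the bot's finding on a constructed multi-stage Dockerfile: it tracks the USER directive per stage, since every FROM starts a new stage, joins backslash-continued lines such as the multi-line LABEL, and reports whether the final stage still runs as root. The sample Dockerfile, its image references and the builder stage are assumptions modelled on the lines quoted in the review.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample modelled on the review's quoted lines; not the real images/cli/Dockerfile.rhel.
const sampleDockerfile = `FROM registry.example/builder:5.0 AS builder
RUN make build
FROM registry.example/base:5.0
COPY --from=builder /go/src/oc /usr/bin/oc
RUN for i in kubectl openshift-deploy; do ln -sf /usr/bin/oc /usr/bin/$i; done
LABEL io.k8s.display-name="OpenShift Client" \
      io.openshift.tags="openshift,cli"
`

// finalStageUser returns the USER in effect at the end of the last stage. USER is
// per stage (each FROM resets it); the base image's own USER is treated as unset.
func finalStageUser(dockerfile string) string {
	user := ""
	joined := strings.ReplaceAll(dockerfile, "\\\n", " ") // join continued lines
	for _, line := range strings.Split(joined, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		switch strings.ToUpper(fields[0]) {
		case "FROM":
			user = "" // new stage: the previous stage's USER does not carry over
		case "USER":
			if len(fields) > 1 {
				user = fields[1]
			}
		}
	}
	return user
}

// runsAsRoot reports whether a USER value (uid or uid:gid) still means root.
func runsAsRoot(user string) bool {
	uid := strings.SplitN(user, ":", 2)[0]
	return uid == "" || uid == "root" || uid == "0"
}

func main() {
	u := finalStageUser(sampleDockerfile)
	fmt.Printf("final stage USER=%q runsAsRoot=%v\n", u, runsAsRoot(u))
}
```

Appending `USER 1001:0` to the sample makes the check pass; a `USER` set only in the builder stage does not, which is the case the per-stage tracking exists to catch.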


tchap commented Jun 9, 2026

Contributor Author

We need to wait for the rebase after all...

/close

@openshift-ci openshift-ci Bot closed this Jun 9, 2026

openshift-ci Bot commented Jun 9, 2026

Contributor

@tchap: Closed this PR.

Details

In response to this:

We need to wait for the rebase after all...

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tchap tchap deleted the update-images branch June 9, 2026 11:15
@tchap tchap restored the update-images branch June 26, 2026 09:03

tchap commented Jun 26, 2026

Contributor Author

/reopen

@openshift-ci openshift-ci Bot reopened this Jun 26, 2026

openshift-ci Bot commented Jun 26, 2026

Contributor

@tchap: Reopened this PR.

Details

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


tchap commented Jun 26, 2026

Contributor Author

/retest


tchap commented Jun 29, 2026

Contributor Author

/retest


openshift-ci Bot commented Jun 29, 2026

Contributor

@tchap: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/e2e-aws-ovn-serial-2of2 | ca99000 | link | true | /test e2e-aws-ovn-serial-2of2
ci/prow/e2e-aws-ovn | dd91d47 | link | true | /test e2e-aws-ovn
ci/prow/unit | dd91d47 | link | true | /test unit
ci/prow/verify | dd91d47 | link | true | /test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
