NO-JIRA: [RHCOS10] Migrate base images from UBI9 to UBI10 #108
PillaiManish wants to merge 1 commit into openshift:main from
@PillaiManish: This pull request explicitly references no jira issue.
Walkthrough: The PR switches OpenShift Dockerfile base images to UBI10 variants for RHCOS10 compatibility and adds documentation describing the migration, image mappings, prerequisites, and expected e2e test outcomes.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: PillaiManish.
acb2205 to 45e2217
Replace OCP CI registry RHEL9-based builder and runtime images with
registry.redhat.io UBI10 equivalents across all OpenShift-variant
Dockerfiles:
- Dockerfile.openshift: rhel-9-golang-1.24-openshift-4.22 → ubi10/go-toolset:10.1
ocp/4.22:base-rhel9 → ubi10-minimal:10.1
Adds USER 0 (required by go-toolset) in the builder stage.
Also adds docs/rhcos10-ubi10-migration.md documenting the migration.
Made-with: Cursor
45e2217 to 51d0242
/test operator-e2e-azure-rhcos10-fips operator-e2e-azure-rhcos10
Actionable comments posted: 1
🧹 Nitpick comments (3)
docs/rhcos10-ubi10-migration.md (2)
34-37: Make the test matrix actionable with concrete job references. The matrix is clear, but it should include the exact Prow job names/links (or where they're configured) so pass/fail verification is auditable.
5-6: The migration summary is internally inconsistent. Lines 5-6 and Line 13 say "all images" moved, but Lines 25-27 explicitly say `Dockerfile.mustgather` and `.ci-operator.yaml` are unchanged/tracked separately. Please narrow the summary wording so the migration scope is unambiguous.
Suggested wording update:
-Migrate all OpenShift Dockerfile base images from the OCP CI registry (RHEL9-based) to
-`registry.redhat.io` UBI10 for native RHCOS10 compatibility.
+Migrate `Dockerfile.openshift` base images from the OCP CI registry (RHEL9-based) to
+`registry.redhat.io` UBI10 for native RHCOS10 compatibility.
-All images move from `registry.ci.openshift.org` → `registry.redhat.io`.
+`Dockerfile.openshift` images move from `registry.ci.openshift.org` → `registry.redhat.io`,
+while `Dockerfile.mustgather` and `.ci-operator.yaml` remain tracked separately.
Also applies to: 13-13, 25-27
Dockerfile.openshift (1)
1-1: Pin base images by digest to make builds reproducible. Line 1 and Line 8 use mutable tags (`:10.1`). Pinning to digests avoids silent base-image drift and improves supply-chain traceability.
Proposed hardening:
-FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder
+FROM registry.redhat.io/ubi10/go-toolset:10.1@sha256:<builder_digest> AS builder
...
-FROM registry.redhat.io/ubi10-minimal:10.1
+FROM registry.redhat.io/ubi10-minimal:10.1@sha256:<runtime_digest>
Also applies to: 8-8
| FROM registry.redhat.io/ubi10-minimal:10.1 | ||
| COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver-operator/secrets-store-csi-driver-operator /usr/bin/ | ||
| ENTRYPOINT ["/usr/bin/secrets-store-csi-driver-operator"] |
Run the final container as non-root.
Lines 8-10 define the runtime image but never set a non-root USER, so the container will run with the base image default (typically root). Please set an explicit non-root user in the final stage.
Proposed fix
FROM registry.redhat.io/ubi10-minimal:10.1
COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver-operator/secrets-store-csi-driver-operator /usr/bin/
+USER 65532
ENTRYPOINT ["/usr/bin/secrets-store-csi-driver-operator"]
| FROM registry.redhat.io/ubi10-minimal:10.1 | |
| COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver-operator/secrets-store-csi-driver-operator /usr/bin/ | |
| ENTRYPOINT ["/usr/bin/secrets-store-csi-driver-operator"] | |
| FROM registry.redhat.io/ubi10-minimal:10.1 | |
| COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver-operator/secrets-store-csi-driver-operator /usr/bin/ | |
| USER 65532 | |
| ENTRYPOINT ["/usr/bin/secrets-store-csi-driver-operator"] |
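Review bot: the bare numeric `USER 65532` in the suggested runtime stage is the right form, not just a stylistic choice: kubelet's `runAsNonRoot` check can only verify a numeric UID, so a named user that the image's /etc/passwd does not resolve would be rejected at admission, and OpenShift's restricted SCC will still substitute a namespace-range UID at runtime, which this stage tolerates because the binary copied into /usr/bin/ stays root-owned and world-executable. No chown of that binary is needed; a runtime user owning its own executable would only widen what a compromised process can modify. Consider a one-line comment above the USER instruction recording why 65532 was chosen, so the next migration does not "fix" it back to a named user.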
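The digest-pinning nitpick and the non-root finding on the runtime stage are both mechanical checks, so here is an added example (not code from the PR or the operator repository) that audits a multi-stage Dockerfile for both and rewrites the FROM lines once the digests are known. The sample Dockerfile is constructed to mirror the PR's `Dockerfile.openshift`, and the digests used with `pin_digests` are placeholders, not real image digests.

```python
"""Added example, not code from the PR or the operator repo: audit a multi-stage
Dockerfile for the review's two findings (mutable base-image tags, final stage as
root) and pin FROM refs once digests are known.  Sample/digests are constructed."""
import re

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
USER_RE = re.compile(r"^\s*USER\s+(\S+)", re.I)

# Constructed sample mirroring the PR's Dockerfile.openshift after the image swap.
SAMPLE = """\
FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder
USER 0
FROM registry.redhat.io/ubi10-minimal:10.1
COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver-operator/secrets-store-csi-driver-operator /usr/bin/
ENTRYPOINT ["/usr/bin/secrets-store-csi-driver-operator"]
"""

def audit(text):
    """Return findings as strings; an empty list means both checks pass."""
    stages = []  # (base ref, alias, body lines) per FROM
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m:
            stages.append((m.group(1), m.group(2), []))
        elif stages and line.strip() and not line.lstrip().startswith("#"):
            stages[-1][2].append(line)
    aliases = {alias for _, alias, _ in stages if alias}
    findings = []
    for base, _, _ in stages:
        # FROM <alias> reuses an earlier stage; only registry refs need a digest.
        if base not in aliases and "@sha256:" not in base:
            findings.append(f"unpinned base image: {base}")
    if stages:
        users = [USER_RE.match(l).group(1) for l in stages[-1][2] if USER_RE.match(l)]
        uid = users[-1].split(":")[0] if users else None
        if uid in (None, "0", "root"):
            findings.append("final stage runs as root: no non-root USER before ENTRYPOINT")
        elif not uid.isdigit():
            # kubelet's runAsNonRoot check rejects a named user it cannot resolve.
            findings.append(f"final stage USER {uid!r} is not a numeric UID")
    return findings

def pin_digests(text, digests):
    """Rewrite registry FROM refs to ref@sha256:<digest> from a {ref: digest} map."""
    def sub(m):
        ref = m.group(1)
        if ref in digests and "@sha256:" not in ref:
            return m.group(0).replace(ref, f"{ref}@sha256:{digests[ref]}", 1)
        return m.group(0)
    return "\n".join(FROM_RE.sub(sub, line) for line in text.splitlines()) + "\n"
```

Running `audit(SAMPLE)` reports both unpinned FROM lines and the missing USER; after `pin_digests` with digests obtained out of band (for example from `skopeo inspect`, as the review suggests) and a `USER 65532` line before ENTRYPOINT, the audit returns an empty list.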
♻️ Duplicate comments (1)
Dockerfile.openshift (1)
8-10: ⚠️ Potential issue | 🟠 Major: Set a non-root user in the final runtime stage.
On Line 8 through Line 10, the final image does not set USER, so the operator process runs as root by default in runtime.
Suggested fix:
 FROM registry.redhat.io/ubi10-minimal:10.1
 COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver-operator/secrets-store-csi-driver-operator /usr/bin/
+USER 65532
 ENTRYPOINT ["/usr/bin/secrets-store-csi-driver-operator"]
As per coding guidelines: Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.
/retest
/test operator-e2e-azure-rhcos10-fips operator-e2e-azure-rhcos10
@PillaiManish: The following tests failed, say
Summary
Migrate all OpenShift Dockerfile base images from the OCP CI registry (RHEL9-based) to `registry.redhat.io` UBI10 for native RHCOS10 compatibility. All images move from `registry.ci.openshift.org` → `registry.redhat.io`.
Prerequisite
PR1 (`rhcos10-ubi9-compat-test`) should pass CI on RHCOS10 nodes before merging this.