NO-JIRA: [RHCOS10] Migrate base images from UBI9 to UBI10 #64
PillaiManish wants to merge 2 commits into openshift:main from
@PillaiManish: This pull request explicitly references no jira issue.
Walkthrough
Replaced OCP CI/RHEL9 base images with Red Hat UBI10 toolset/runtime in three Dockerfiles, added
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Pre-merge checks: ✅ 10 passed
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: PillaiManish
8a4e53a to 85e2d4c
/test e2e-azure-rhcos10-fips e2e-azure-rhcos10
/retest
Replace OCP CI registry RHEL9-based builder and runtime images with
registry.redhat.io UBI10 equivalents across all OpenShift-variant
Dockerfiles:
- Dockerfile.openshift: rhel-9-golang-1.24-openshift-4.20 → ubi10/go-toolset:10.1
  ocp/4.20:base-rhel9 → ubi10:10.1
- Dockerfile.bats: rhel-9-golang-1.24-openshift-4.20 → ubi10/go-toolset:10.1
- Dockerfile.e2eprovider: rhel-9-golang-1.24-openshift-4.20 → ubi10/go-toolset:10.1
  ocp/4.20:base-rhel9 → ubi10:10.1
Adds USER 0 (required by go-toolset) and installs util-linux/ca-certificates
in the runtime stage of Dockerfile.openshift.
Also adds docs/rhcos10-ubi10-migration.md documenting the migration.
Made-with: Cursor
85e2d4c to 4bbae6f
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
Dockerfile.bats (1)
39-43: ⚠️ Potential issue | 🟠 Major
Update Azure CLI installation to use RHEL10 packages.
Microsoft provides RHEL10-compatible packages at `rhel/10/packages-microsoft-prod.rpm` (verified available). The current reference to `rhel/9/packages-microsoft-prod.rpm` should be updated to match the runtime environment and ensure compatibility:
Suggested fix
```dockerfile
RUN rpm --import https://packages.microsoft.com/keys/microsoft.asc && \
    dnf install -y https://packages.microsoft.com/config/rhel/10/packages-microsoft-prod.rpm && \
    mv /etc/yum.repos.d/microsoft-prod.repo /etc/yum.repos.art/ci/ && \
    dnf install -y azure-cli && \
    dnf clean all
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.bats` around lines 39 - 43, The Dockerfile RUN block installs Microsoft packages for RHEL9; update the package URL to the RHEL10 package (replace "https://packages.microsoft.com/config/rhel/9/packages-microsoft-prod.rpm" with the RHEL10 equivalent) so the RUN command that imports the Microsoft key and installs the packages (the RUN line that calls rpm --import and dnf install -y ...) uses rhel/10; leave the subsequent mv of /etc/yum.repos.d/microsoft-prod.repo and the dnf install -y azure-cli and dnf clean all steps unchanged.
🧹 Nitpick comments (1)
docs/rhcos10-ubi10-migration.md (1)
26-29: Add language identifier to fenced code block.
Per markdownlint MD040, fenced code blocks should specify a language for proper syntax highlighting.
📝 Suggested fix
-``` +```text registry.ci.openshift.org/ocp/builder:rhel-9-golang-* → registry.redhat.io/ubi10/go-toolset:10.1 registry.ci.openshift.org/ocp/4.20:base-rhel9 → registry.redhat.io/ubi10:10.1
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/rhcos10-ubi10-migration.md` around lines 26 - 29, The fenced code block containing the two registry lines ("registry.ci.openshift.org/ocp/builder:rhel-9-golang-*" and "registry.ci.openshift.org/ocp/4.20:base-rhel9") needs a language identifier for markdownlint MD040; update the opening fence from "```" to "```text" (leave the content and closing fence unchanged) so the block becomes "```text ... ```" to enable proper syntax highlighting.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 260f4dfe-d301-486b-bda8-104c4e8a161b
📥 Commits
Reviewing files that changed from the base of the PR and between 85e2d4c862bd9367b97f36aa1b19570d5961c8a1 and 4bbae6fd0e84991c6fbd3cdef2f01c37a01bb99b.
📒 Files selected for processing (4)
Dockerfile.bats
Dockerfile.e2eprovider
Dockerfile.openshift
docs/rhcos10-ubi10-migration.md
| | Stage | Before | After | | ||
| |---|---|---| | ||
| | Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` | | ||
| | Runtime | `registry.ci.openshift.org/ocp/4.20:base-rhel9` | `registry.redhat.io/ubi10:10.1` | | ||
|
|
||
| Additional change: added `USER 0` after the builder `FROM` line (required by | ||
| `go-toolset`) and `RUN dnf install -y util-linux ca-certificates && dnf clean all` in | ||
| the runtime stage. | ||
|
|
||
| #### `Dockerfile.e2eprovider` — e2e mock provider | ||
|
|
||
| | Stage | Before | After | | ||
| |---|---|---| | ||
| | Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` | | ||
| | Runtime | `registry.ci.openshift.org/ocp/4.20:base-rhel9` | `registry.redhat.io/ubi10:10.1` | | ||
|
|
||
| #### `Dockerfile.bats` — bats test runner | ||
|
|
||
| | Stage | Before | After | | ||
| |---|---|---| | ||
| | Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` | | ||
| | Runtime | `src` (prow-injected) | unchanged | |
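Review bot: the After column in all three tables names the new images only by the tag `10.1` on `registry.redhat.io`, a registry that requires an authenticated pull, and the doc does not say where the builds get those credentials. Add a short note on the pull secret the builds rely on, and consider recording the image digests next to the tags so the documented bases can be verified later.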
Documentation version numbers appear stale.
The "Before" column references 4.20 and golang-1.24, but the AI summary indicates the actual previous images were 4.22 and golang-1.25. Ensure the documentation accurately reflects the versions being replaced to avoid confusion during reviews.
📝 Suggested fix
-| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `registry.redhat.io/ubi10/go-toolset:10.1` |
-| Runtime | `registry.ci.openshift.org/ocp/4.20:base-rhel9` | `registry.redhat.io/ubi10:10.1` |
+| Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22` | `registry.redhat.io/ubi10/go-toolset:10.1` |
+| Runtime | `registry.ci.openshift.org/ocp/4.22:base-rhel9` | `registry.redhat.io/ubi10:10.1` |
Apply similar updates to the other Dockerfile tables.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/rhcos10-ubi10-migration.md` around lines 35 - 56, Update the documented
"Before" image tags to match the actual previous images (replace occurrences of
`4.20` with `4.22` and `golang-1.24` with `golang-1.25`) so the tables for
Dockerfile.e2eprovider, Dockerfile.bats and the primary Dockerfile reflect the
true originals; ensure the same replacements are applied to all three tables and
any inline mentions (e.g., the builder strings like
`registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20`) so
they read
`registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22` where
appropriate.
b223e02 to 36e16ee
/test e2e-azure-rhcos10-fips e2e-azure-rhcos10
Actionable comments posted: 1
🧹 Nitpick comments (1)
Dockerfile.openshift (1)
9-14: Add explicit USER directive to document root runtime requirement.
The final image has no USER directive and defaults to running as root (uid 0). CSI node drivers require privileged access for mounting volumes, which is documented in the Kubernetes manifests (`privileged: true`, `runAsUser: 0`). Make this intent explicit by adding `USER 0` after the COPY instruction, or document the necessity in a comment.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.openshift` around lines 9 - 14, The final image currently lacks an explicit USER directive and thus defaults to root; add an explicit USER 0 directive immediately after the COPY line (or add a clarifying comment) to document the root runtime requirement for the CSI node driver (relating to the existing COPY and ENTRYPOINT lines and the binary /bin/secrets-store-csi) so the Dockerfile clearly states the container must run as UID 0.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 7076ed5e-36e0-497d-b6b1-1966cb834855
📒 Files selected for processing (2)
Dockerfile.e2eprovider
Dockerfile.openshift
| RUN go version -m _output/secrets-store-csi | ||
|
|
||
| FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 | ||
| FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1 |
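Review bot: the added runtime `FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1` references the base by tag only, so a later rebuild can pick up a different image under the same name; pin it by digest (`ubi-minimal@sha256:<digest>`) and keep the tag in a comment. The image also differs from the `registry.redhat.io/ubi10:10.1` runtime listed in the migration doc tables on this page, so either the Dockerfile or the doc should be updated to match.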
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
# Verify current registry domain usage in Dockerfiles touched by this migration.
rg -n 'FROM\s+registry\.(access|redhat)\.redhat\.com/ubi10/(go-toolset|ubi-minimal):10\.1' \
  Dockerfile.openshift Dockerfile.e2eprovider Dockerfile.bats
# Verify documented expectation in migration notes.
rg -n 'registry\.redhat\.io/ubi10' docs/rhcos10-ubi10-migration.md
```
Repository: openshift/secrets-store-csi-driver
Length of output: 1035
🏁 Script executed:
```bash
# Search for all registry.access.redhat.com references in Dockerfiles
rg -n 'registry\.access\.redhat\.com' --glob='Dockerfile*'
# Check broader migration context in docs
rg -n 'registry\.access\.redhat\.com|registry\.redhat\.io' docs/rhcos10-ubi10-migration.md -A 2 -B 2
```
Repository: openshift/secrets-store-csi-driver
Length of output: 1653
Standardize runtime registry domain in both Dockerfiles — extend fix to Dockerfile.e2eprovider.
Both Dockerfile.openshift (line 9) and Dockerfile.e2eprovider (line 7) use registry.access.redhat.com. Per the migration docs, both should target registry.redhat.io/ubi10/ubi-minimal:10.1 to maintain consistent registry domains across the codebase.
🔧 Proposed fixes
-FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1
+FROM registry.redhat.io/ubi10/ubi-minimal:10.1
Apply to both Dockerfile.openshift (line 9) and Dockerfile.e2eprovider (line 7).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@Dockerfile.openshift` at line 9, Update the FROM directive image registry
domain from registry.access.redhat.com to registry.redhat.io for consistency:
change the FROM line that currently references
"registry.access.redhat.com/ubi10/ubi-minimal:10.1" to
"registry.redhat.io/ubi10/ubi-minimal:10.1" in both Dockerfile.openshift and
Dockerfile.e2eprovider (look for the FROM instruction with the
"ubi10/ubi-minimal:10.1" image string).
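The registry consistency check discussed in this review, generalized to also flag tag-only references, as an added example that is not part of the PR or the project's code. The function names, the `src` allow-list and the sample Dockerfile contents are assumptions constructed from the image references quoted on this page.

```python
import re

# Assumptions (not from the project): the target registry named in the migration
# notes, and "src" as the prow-injected image that is not pulled from a registry.
EXPECTED_REGISTRY = "registry.redhat.io"
INJECTED_IMAGES = {"src"}

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)


def registry_of(image):
    """Return the registry host of an image reference (docker.io when implicit)."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def audit_from_lines(name, text, expected=EXPECTED_REGISTRY):
    """Return (file, line, image, problem) for each FROM that is off-registry or unpinned."""
    findings, stages = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group("image"), m.group("stage")
        # Earlier stages, scratch, build-arg references and injected images are
        # not registry pulls this check can judge.
        skip = (image.lower() in stages or image == "scratch"
                or image.startswith("$") or image in INJECTED_IMAGES)
        if stage:
            stages.add(stage.lower())
        if skip:
            continue
        registry = registry_of(image)
        if registry != expected:
            findings.append((name, line_no, image, f"registry is {registry}, expected {expected}"))
        if "@sha256:" not in image:
            findings.append((name, line_no, image, "referenced by tag, not pinned by digest"))
    return findings


# Constructed sample Dockerfiles built from the image references quoted on this page.
DOCKERFILE_OPENSHIFT = """\
FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder
USER 0
RUN go version -m _output/secrets-store-csi

FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1
"""
DOCKERFILE_BATS = "FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder\nFROM src\n"

if __name__ == "__main__":
    samples = (("Dockerfile.openshift", DOCKERFILE_OPENSHIFT), ("Dockerfile.bats", DOCKERFILE_BATS))
    for name, text in samples:
        for finding in audit_from_lines(name, text):
            print("%s:%d: %s: %s" % finding)
```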
♻️ Duplicate comments (1)
Dockerfile.openshift (1)
9-9: ⚠️ Potential issue | 🟡 Minor
Align runtime image registry with the UBI10 migration target.
Line 9 still uses `registry.access.redhat.com`, while the migration objective and other updated bases target `registry.redhat.io`. Please switch this runtime `FROM` (and the same one in `Dockerfile.e2eprovider`, Line 7) to keep registry source consistent.
🔧 Proposed fix
-FROM registry.access.redhat.com/ubi10/ubi-minimal:10.1 +FROM registry.redhat.io/ubi10/ubi-minimal:10.1
Apply the same change to `Dockerfile.e2eprovider` Line 7.
```bash
#!/bin/bash
set -euo pipefail
# Verify current runtime registry domains across touched Dockerfiles.
rg -n 'FROM\s+registry\.(access|redhat)\.redhat\.com/ubi10/ubi-minimal:10\.1' \
  Dockerfile.openshift Dockerfile.e2eprovider Dockerfile.bats
# Verify documented registry target in migration notes.
rg -n 'registry\.redhat\.io/ubi10|registry\.access\.redhat\.com/ubi10' \
  docs/rhcos10-ubi10-migration.md -C2
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.openshift` at line 9, Update the runtime image registry in the Dockerfile FROM lines from registry.access.redhat.com to registry.redhat.io so the base image matches the UBI10 migration target; specifically edit the FROM statement in Dockerfile.openshift (currently using registry.access.redhat.com/ubi10/ubi-minimal:10.1) and make the identical change in Dockerfile.e2eprovider (the corresponding FROM using registry.access.redhat.com) to use registry.redhat.io/ubi10/ubi-minimal:10.1.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 33bed539-c02a-4f71-8c67-44745cf26490
📒 Files selected for processing (2)
Dockerfile.e2eprovider
Dockerfile.openshift
/test e2e-azure-rhcos10-fips e2e-azure-rhcos10
@PillaiManish: The following tests failed, say
Summary
Migrate all OpenShift Dockerfile base images from the OCP CI registry (RHEL9-based) to `registry.redhat.io` UBI10 for native RHCOS10 compatibility.

| Dockerfile | Before | After |
|---|---|---|
| `Dockerfile.openshift` | `ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `ubi10/go-toolset:10.1` |
| | `ocp/4.20:base-rhel9` | `ubi10:10.1` |
| `Dockerfile.bats` | `ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `ubi10/go-toolset:10.1` |
| | `src` (unchanged) | `src` (unchanged) |
| `Dockerfile.e2eprovider` | `ocp/builder:rhel-9-golang-1.24-openshift-4.20` | `ubi10/go-toolset:10.1` |
| | `ocp/4.20:base-rhel9` | `ubi10:10.1` |

All images move from `registry.ci.openshift.org` → `registry.redhat.io`.
Prerequisite
PR1 (`rhcos10-ubi9-compat-test`) should pass CI on RHCOS10 nodes before merging this.
Summary by CodeRabbit
Chores
Documentation