NO-JIRA: [RHCOS10] Migrate base images from UBI9 to UBI10 #76
PillaiManish wants to merge 6 commits into openshift:main from
Add migration document tracking the UBI9→UBI10 base image migration for RHCOS10 compatibility. Documents all affected Dockerfiles, image replacements, exclusions, and test checklist.

Made-with: Cursor

Update all container base images from UBI9/RHEL9 to UBI10/RHEL10 to align with the RHCOS10 host OS. Moves registry from registry.access.redhat.com to registry.redhat.io.

Changes:
- ubi9/ubi-minimal:9.7 -> ubi10/ubi-minimal:10.1 (ansible-operator images)
- openshift/Dockerfile: replace OCP CI RHEL9 golang builder with registry.redhat.io/ubi10/go-toolset:10.1 (builder stage)
- openshift/Dockerfile: replace base-rhel9 runtime with registry.redhat.io/ubi10/ubi:10.1
- openshift/Dockerfile.requirements: base-rhel9 -> ubi10/ubi:10.1
- openshift/release/ansible/Dockerfile.collections: base-rhel9 -> ubi10/ubi:10.1

Made-with: Cursor
@PillaiManish: This pull request explicitly references no jira issue.
Walkthrough

Migrates container base images from UBI9/RHEL9 and OpenShift RHEL9 to UBI10/RHEL10 (registry.access.redhat.com → registry.redhat.io) and adds a compliance document enumerating affected Dockerfiles, explicit exclusions, CI prerequisites, and an e2e checklist.
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: PillaiManish
/test e2e-ansible-fips e2e-ansible-rhcos10-fips e2e-ansible-rhcos10
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.work/compliance/rhcos10/PR2-ubi10-migration.md:
- Around line 29-38: Add an explicit build-path check that verifies the new
registry.redhat.io base images are accessible and buildable before relying
solely on downstream e2e lanes: update the CI checks to include a lightweight
image build job (or docker/podman pull test) that attempts to pull/build using
the bases referenced in openshift/Dockerfile and
openshift/Dockerfile.requirements and fail fast if credentials or UBI10 package
issues occur; ensure this new job is added alongside the existing e2e entries
(`e2e-ansible`, `e2e-ansible-fips`, `e2e-ansible-rhcos10`,
`e2e-ansible-rhcos10-fips`) in the test checklist and CI pipeline so build-time
regressions are caught early.
In `@openshift/Dockerfile`:
- Line 1: The builder image in the Dockerfile currently uses "FROM
registry.redhat.io/ubi10/go-toolset:10.1" which pulls Go 1.25.x while
openshift/go.mod declares "go 1.21.3"; fix by either (A) pinning the builder
image to a tag that provides Go 1.21.3 (replace the FROM image with the
appropriate ubi/go-toolset tag that bundles Go 1.21.3) or (B) if the intent is
to use a newer Go, update openshift/go.mod to "go 1.25" (or the exact minor
version you intend) and run go mod tidy; change the Dockerfile's FROM or the
go.mod "go" directive accordingly and re-run your build to verify consistency.
📒 Files selected for processing (6)
- .work/compliance/rhcos10/PR2-ubi10-migration.md
- images/ansible-operator/Dockerfile
- images/ansible-operator/pipfile.Dockerfile
- openshift/Dockerfile
- openshift/Dockerfile.requirements
- openshift/release/ansible/Dockerfile.collections
| ## Prerequisite | ||
|
|
||
| PR1 (`rhcos10-ubi9-compat-test`) should pass CI on RHCOS10 nodes before merging this. | ||
|
|
||
| ## Test Checklist | ||
|
|
||
| - [ ] `e2e-ansible` | ||
| - [ ] `e2e-ansible-fips` | ||
| - [ ] `e2e-ansible-rhcos10` | ||
| - [ ] `e2e-ansible-rhcos10-fips` |
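Review bot: the Prerequisite line identifies PR1 only by the name `rhcos10-ubi9-compat-test`, with no PR number or link, and "should pass CI on RHCOS10 nodes" does not say which lanes count as passing. Link the PR and name the lanes that gate the merge (the checklist already lists `e2e-ansible-rhcos10` and `e2e-ansible-rhcos10-fips`), so the prerequisite can be checked rather than assumed.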
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Dockerfiles now pulling from registry.redhat.io:"
rg -n '^\s*FROM\s+registry\.redhat\.io/' --glob 'images/**Dockerfile*' --glob 'openshift/**Dockerfile*'
echo
echo "Current prerequisite + checklist section:"
sed -n '29,38p' .work/compliance/rhcos10/PR2-ubi10-migration.md
Repository: openshift/ansible-operator-plugins
Length of output: 616
Add a build-path check for the new registry.redhat.io bases.
Multiple Dockerfiles in this PR now pull from registry.redhat.io (e.g., openshift/Dockerfile, openshift/Dockerfile.requirements), but the test checklist only covers downstream e2e lanes. Missing credentials or UBI10 package regressions will fail much earlier during the build phase, not during e2e.
Suggested doc update
## Prerequisite
PR1 (`rhcos10-ubi9-compat-test`) should pass CI on RHCOS10 nodes before merging this.
+- All CI/rehearsal/local build environments that build these Dockerfiles must have pull credentials for `registry.redhat.io`.
## Test Checklist
+- [ ] Rehearsal/build validation for each changed Dockerfile can pull from `registry.redhat.io`
- [ ] `e2e-ansible`
- [ ] `e2e-ansible-fips`
- [ ] `e2e-ansible-rhcos10`
- [ ] `e2e-ansible-rhcos10-fips`
| @@ -1,4 +1,4 @@ | |||
| FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder | |||
| FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder | |||
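Review bot: the new builder `FROM` line no longer states the Go version in the image reference: the old tag carried `golang-1.25`, while `go-toolset:10.1` names only the UBI release, so the compiler version becomes whatever that tag currently resolves to. Consider pinning the image by digest (`go-toolset@sha256:<digest>`) or recording the expected Go version in a comment next to the `FROM`, so a rebuilt `10.1` tag cannot change the toolchain without a visible change in this file.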
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
if [[ -f go.mod ]]; then
echo "go.mod version directives:"
awk '/^go / || /^toolchain / { print FILENAME ":" NR ": " $0 }' go.mod
else
echo "go.mod not found"
fi
echo
echo "Other repo references to Go versions or builder images:"
rg -n -C2 'go-toolset|golang-[0-9]+\.[0-9]+|^go [0-9]+\.[0-9]+|^toolchain go[0-9]+\.[0-9]+' --glob '!**/vendor/**'
Repository: openshift/ansible-operator-plugins
Length of output: 675
🌐 Web query:
registry.redhat.io ubi10 go-toolset 10.1 Go version
💡 Result:
For registry.redhat.io/ubi10/go-toolset:10.1, the Go toolchain version is Go 1.25.x—the Red Hat Ecosystem Catalog lists the current image version as 1.25.8 for UBI 10.1 Go Toolset. [1]
Red Hat’s Go Toolset status page also shows RHEL/UBI 10.1 carrying Go 1.25.3 (and later 1.25.z updates), consistent with the 1.25 series used in that stream. [2]
Sources: [1], [2]
Builder image Go version mismatch: openshift/Dockerfile uses Go 1.25.x, but openshift/go.mod requires Go 1.21.3.
The ubi10/go-toolset:10.1 image provides Go 1.25.x (1.25.8 or later), but the openshift/go.mod specifies go 1.21.3. Update the builder image tag to one that provides Go 1.21.3, or update go.mod if the version bump is intentional.
…it safe.directory

go-toolset:10.1 runs as non-root by default, causing git to reject the source directory as 'dubious ownership' when files are copied as root. Adding USER root before the build step matches the fix applied in ocp-release-operator-sdk PR#453 and allows VCS stamping to succeed.

Made-with: Cursor

…ubi10 runtime

ubi10/ubi:10.1 ships python3-urllib3 as an RPM-managed package with no RECORD file, causing pip to fail when requirements.txt pins a newer version. Remove it with rpm --nodeps so pip can install the required urllib3==2.6.3.

Made-with: Cursor
🧹 Nitpick comments (1)
openshift/Dockerfile (1)
1-1: Confirm `registry.redhat.io` pull credentials are wired into every consuming build path.

Line 1 and Line 14 now depend on authenticated Red Hat registry pulls. Any CI or local flow still relying on public access will fail before this Dockerfile executes, so please verify the release/build configs that consume it already provide the required pull secret.
Also applies to: 14-14
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@openshift/Dockerfile` at line 1, The Dockerfile now uses authenticated Red Hat images (e.g., the FROM line "FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder" and the second registry reference on line 14), so verify and wire the registry.redhat.io pull credentials into every consuming build path: ensure OpenShift BuildConfig/BuildPipeline objects that build or reference this Dockerfile include the proper imagePullSecrets, ensure any Deployment/Pod specs that pull these images include imagePullSecrets, and update CI pipelines (credentials stored in the CI secret store or DOCKER_CONFIG/registry login steps) so all consumers of this Dockerfile can authenticate to registry.redhat.io before pulling.
…pip installs

ubi10/ubi:10.1 pre-installs many Python packages as RPMs (urllib3, six, requests, idna, resolvelib, pyyaml, etc.) with no pip RECORD file, causing pip to fail when requirements.txt pins different versions. Remove all potentially conflicting packages upfront in a loop (|| true per package so missing ones are safely skipped) before running install-ansible.sh.

Made-with: Cursor
🧹 Nitpick comments (1)
openshift/Dockerfile (1)
41-70: Move this RPM-removal list behind a single source of truth.

This workaround is now manually coupled to the pip dependency set installed by `openshift/install-ansible.sh`, while `openshift/requirements.txt` is autogenerated. The next dependency refresh can reintroduce the UBI10 pip/RPM conflict unless both places are updated in lockstep. Consider keeping the removal list in `openshift/install-ansible.sh` or a dedicated manifest/script so the workaround evolves with the Python requirements in one place.

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@openshift/Dockerfile` around lines 41 - 70, The RPM-removal list in the Dockerfile is duplicated and can drift from the pip deps generated in openshift/requirements.txt and the installation logic in openshift/install-ansible.sh; move the package list into a single source of truth (either add the RPM names as a variable or a small helper script inside openshift/install-ansible.sh or a new openshift/strip-rpm-python-packages.sh) and have the Dockerfile call that script or reference that variable (keep the rpm -e --nodeps loop and chmod +x /install-ansible.sh in the Dockerfile but remove the hardcoded list), update install-ansible.sh to expose the same list or perform the removals so future changes to Python requirements only need to be made in one place (refer to /install-ansible.sh and openshift/requirements.txt to ensure consistency).
… resolution

Switching Dockerfile.requirements base from base-rhel9 to ubi10/ubi:10.1 causes pip-compile to resolve newer transitive dependency versions. Update the committed file to match what verify-requirements now generates:
- poetry-core: 2.3.1 -> 2.3.2
- setuptools-scm: 9.2.2 -> 10.0.5
- vcs-versioning: new transitive dep of setuptools-scm 10.0.5

Made-with: Cursor
/test e2e-ansible-fips e2e-ansible-rhcos10-fips e2e-ansible-rhcos10

@PillaiManish: all tests passed!
Summary

Migrate all container base images from UBI9/RHEL9 to UBI10/RHEL10 for native RHCOS10 compatibility.
Also moves the registry from `registry.access.redhat.com` to `registry.redhat.io`.

- `images/ansible-operator/Dockerfile` (basebuilder): `ubi9/ubi-minimal:9.7` -> `ubi10/ubi-minimal:10.1`
- `images/ansible-operator/Dockerfile` (base): `ubi9/ubi-minimal:9.7` -> `ubi10/ubi-minimal:10.1`
- `images/ansible-operator/pipfile.Dockerfile`: `ubi9/ubi-minimal:9.7` -> `ubi10/ubi-minimal:10.1`
- `openshift/Dockerfile` (builder): `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22` -> `registry.redhat.io/ubi10/go-toolset:10.1`
- `openshift/Dockerfile` (runtime): `registry.ci.openshift.org/ocp/4.22:base-rhel9` -> `registry.redhat.io/ubi10/ubi:10.1`
- `openshift/Dockerfile.requirements`: `registry.ci.openshift.org/ocp/4.22:base-rhel9` -> `registry.redhat.io/ubi10/ubi:10.1`
- `openshift/release/ansible/Dockerfile.collections`: `registry.ci.openshift.org/ocp/4.22:base-rhel9` -> `registry.redhat.io/ubi10/ubi:10.1`

Prerequisite

PR1 (`rhcos10-ubi9-compat-test`) should pass CI on RHCOS10 nodes before merging this.
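The build-path check raised in review, sketched as an added example (not code from this PR or its repository): it lists the external base images a Dockerfile pulls and reports, for each, the registry, whether the reference is pinned by tag or digest, and whether that registry is on a login-required list. `AUTH_REGISTRIES`, the function names and the sample Dockerfile are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from this PR.
# ASSUMPTION: registries your build environments must log in to before pulling.
AUTH_REGISTRIES="registry.redhat.io"

# list_base_images [FILE...]: print each external image named on a FROM line.
# Skips flags such as --platform=, "scratch", and references to earlier stages.
list_base_images() {
    awk '
        FNR == 1 { split("", stages) }          # stage names are per Dockerfile
        toupper($1) == "FROM" {
            i = 2
            while (i <= NF && $i ~ /^--/) i++
            img = $i
            skip = (img == "" || img == "scratch" || (img in stages))
            if (toupper($(i + 1)) == "AS") stages[$(i + 2)] = 1
            if (!skip) print img
        }' "$@" | sort -u
}

# registry_of REF: registry host of an image reference. A first path component
# without "." or ":" is treated as a short name (docker.io under Docker rules).
registry_of() {
    first=${1%%/*}
    case "$first" in
        "$1") echo docker.io ;;
        *.*|*:*|localhost) echo "$first" ;;
        *) echo docker.io ;;
    esac
}

# check_ref REF: print "REGISTRY tag|digest needs-login|-".
check_ref() {
    reg=$(registry_of "$1")
    case "$1" in *@sha256:*) pin=digest ;; *) pin=tag ;; esac
    auth=-
    for r in $AUTH_REGISTRIES; do
        if [ "$r" = "$reg" ]; then auth=needs-login; fi
    done
    echo "$reg $pin $auth"
}

# preflight [FILE...]: report every base image; return 1 if any is tag-only.
preflight() {
    rc=0
    for ref in $(list_base_images "$@"); do
        res=$(check_ref "$ref")
        echo "$ref -> $res"
        case "$res" in *" tag "*) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample built from the two FROM references quoted on this page.
sample_dockerfile() {
    printf '%s\n' 'FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder' \
        'USER root' 'FROM registry.redhat.io/ubi10/ubi:10.1'
}
sample_dockerfile | preflight || echo "tag-only base images found"
```

Run against the real files with `preflight openshift/Dockerfile openshift/Dockerfile.requirements`; every `needs-login` row is a registry the build job must have credentials for before the first `FROM` is resolved.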