
USHIFT-7245: Revert crio SELinux workaround #6969

Draft
ggiguash wants to merge 6 commits into openshift:main from ggiguash:revert-crio-workaround

Conversation

@ggiguash

@ggiguash ggiguash commented Jul 1, 2026

Contributor

Also fixes USHIFT-7294 in cc05663

Summary by CodeRabbit

  • Bug Fixes

    • Updated SELinux policy requirements for expected runtime contexts.
  • Chores

    • Switched BootC and base imagery to production registries.
    • Updated RPM repository setup to use EUS and removed staging-specific mirror configuration.
    • Refreshed BootC image blueprints to use direct RHEL 10.2 references.
    • Dropped microshift metrics server RPMs from the optional list.
    • Simplified RHEL 10.2 repository entries in the mirror repo test config.
  • Tests

    • Improved BootC image build tooling to pick the correct Image Builder for RHEL 9 vs RHEL 10.
    • Parallelized ISO build cache generation for el9 and el10.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 1, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 1, 2026


@ggiguash: This pull request references USHIFT-7245 which is a valid jira issue.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ggiguash

ggiguash commented Jul 1, 2026

Contributor Author

/test ?

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 1, 2026
@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@ggiguash

ggiguash commented Jul 1, 2026

Contributor Author

/test e2e-aws-tests-bootc-periodic-el10
/test e2e-aws-tests-bootc-periodic-arm-el10

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

This PR updates SELinux policy inputs, bootc test image sources, bootc image-builder selection, and cache build orchestration.

Changes

Bootc and test infrastructure updates

Layer: Policy and RPM inputs
Files: packaging/selinux/microshift.te, test/bin/common.sh
Summary: kernel_t is removed from the SELinux gen_require block, and the optional RPM list drops the metrics server packages.

Layer: Bootc image inputs
Files: test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile, test/image-blueprints-bootc/el10/layer1-base/group2/rhel102-bootc.image-bootc, test/image-blueprints-bootc/el10/layer1-base/group2/rhel102-installer.image-installer, test/package-sources-bootc/rhel102-mirror.repo
Summary: The bootc test container and blueprint inputs switch to updated RHEL 10.2 sources and remove the staging mirror repo blocks.

Layer: Bootc image-builder selection
Files: test/bin/pyutils/build_bootc_images.py
Summary: The bootc image builder script now selects an image-builder by bootc image reference, updates cleanup, and uses that selection for pull and run.

Layer: Cache build parallelism
Files: test/bin/ci_phase_iso_build.sh
Summary: The cache update step runs the el9 and el10 bootc base-layer builds in parallel and waits for both jobs.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches one real part of the changeset, the SELinux policy tweak, though it does not cover the broader bootc test/build updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No changed Go/Ginkgo test files were present in the commit diff; the PR only touches scripts, blueprints, policy, and containerfiles.
Test Structure And Quality ✅ Passed No Ginkgo test code was changed; the PR touches scripts, blueprints, SELinux policy, and image metadata only.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests or MicroShift-unsafe APIs/resources were added; the changed files are build scripts and blueprints only.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PASS: The PR only changes scripts, SELinux policy, and bootc image blueprints; no Ginkgo e2e tests or SNO-sensitive test logic were added.
Topology-Aware Scheduling Compatibility ✅ Passed No deployment manifests, operator code, or controllers were changed; the PR only touches build/test scripts, SELinux, and image sources, so topology scheduling isn’t implicated.
Ote Binary Stdout Contract ✅ Passed The changed Python entrypoint logs via stderr, and the patch adds no new process-level stdout writes.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the changed files are build/config scripts and blueprints, so this IPv6/disconnected-network check is not applicable.
No-Weak-Crypto ✅ Passed No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons were added; only image-ref string checks and build-script changes.
Container-Privileges ✅ Passed No modified container/K8s manifest adds privileged, hostNetwork, hostPID/IPC, SYS_ADMIN, or allowPrivilegeEscalation; touched files only change image refs and repo setup.
No-Sensitive-Data-In-Logs ✅ Passed Changed hunks only adjust bootc image-builder selection and parallel cache builds; no new logging or secret/PII-bearing output was added.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2026
@ggiguash ggiguash marked this pull request as ready for review July 1, 2026 17:36
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 1, 2026
@openshift-ci openshift-ci Bot requested review from eslutsky and kasturinarra July 1, 2026 17:38
@ggiguash

ggiguash commented Jul 2, 2026

Contributor Author

/test ?

@ggiguash

ggiguash commented Jul 2, 2026

Contributor Author

/test e2e-aws-tests-cache
/test e2e-aws-tests-cache-arm

@pacevedom pacevedom left a comment

Contributor

/lgtm
/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 2, 2026
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ggiguash, pacevedom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

New changes are detected. LGTM label has been removed.

@ggiguash ggiguash marked this pull request as draft July 2, 2026 09:18
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 2, 2026
@ggiguash

ggiguash commented Jul 2, 2026

Contributor Author

/test e2e-aws-tests-cache
/test e2e-aws-tests-cache-arm

@ggiguash

ggiguash commented Jul 2, 2026

Contributor Author

/unhold

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 2, 2026
@ggiguash

ggiguash commented Jul 2, 2026

Contributor Author

/test e2e-aws-tests-cache
/test e2e-aws-tests-cache-arm

@ggiguash

ggiguash commented Jul 2, 2026

Contributor Author

/test e2e-aws-tests-cache
/test e2e-aws-tests-cache-arm

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/bin/ci_phase_iso_build.sh`:
- Around line 73-75: The backgrounded build steps in ci_phase_iso_build.sh can
fail without stopping the script because the plain wait at the end does not
surface individual job exit codes. Update the el9 and el10 background launches
so their PIDs are captured, then use wait with each PID and check the return
status before continuing; if either build_bootc_images.sh invocation fails, exit
immediately so upload/cleanup does not run. Use the existing
build_bootc_images.sh calls and the trailing wait as the main place to fix this.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8ecbb032-9616-49b8-966d-4a639380c0bf

📥 Commits

Reviewing files that changed from the base of the PR and between 5f52a37 and b0db71c.

📒 Files selected for processing (1)
  • test/bin/ci_phase_iso_build.sh

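The failure mode raised in the CodeRabbit comment above, and the parallel el9/el10 cache build it refers to in the walkthrough, come down to one shell detail: a bare `wait` returns 0 no matter how the backgrounded jobs ended, so a failed build can slip through to the upload and cleanup steps. The following is an added example, not code from the MicroShift repository or from the bot: `fake_build` is a constructed stand-in for the real `build_bootc_images.sh` invocations, and `run_parallel_checked` is a hypothetical helper that captures each job's PID, waits on each PID individually, and reports the first non-zero exit status.

```shell
#!/bin/sh
# Added example (not MicroShift code): fail-fast handling of parallel
# background jobs in POSIX sh. A plain `wait` with no arguments always
# returns 0, so the exit status of each job must be collected with
# `wait <pid>` and checked explicitly.
set -eu

# Constructed stand-in for a build step; the real script would call
# build_bootc_images.sh for el9 and el10. $1 is a label, $2 the exit code.
fake_build() {
    echo "build $1: finishing with exit $2" >&2
    return "$2"
}

# Run every argument (a shell command string) in the background, then wait
# on each PID in turn. Returns 0 if all jobs succeeded, otherwise the exit
# status of the first failing job in argument order. Variables are global
# because POSIX sh has no `local`.
run_parallel_checked() {
    pids=""
    for cmd in "$@"; do
        ( eval "$cmd" ) &
        pids="$pids $!"
    done

    rc=0
    n=0
    # shellcheck disable=SC2086  # word-splitting on the PID list is intended
    set -- $pids
    for pid in "$@"; do
        n=$((n + 1))
        job_rc=0
        # `wait <pid>` returns that job's exit status; `||` keeps errexit
        # from aborting before we have recorded it.
        wait "$pid" || job_rc=$?
        if [ "$job_rc" -ne 0 ]; then
            echo "job $n (pid $pid) failed with exit $job_rc" >&2
            if [ "$rc" -eq 0 ]; then
                rc=$job_rc
            fi
        fi
    done
    return "$rc"
}

# Stand-alone demonstration: the el10 job fails, so the helper reports it
# and the caller can stop before any upload/cleanup step runs.
if run_parallel_checked "fake_build el9 0" "fake_build el10 1"; then
    echo "all jobs succeeded"
else
    echo "at least one job failed; aborting before upload/cleanup" >&2
fi
```

In a script such as ci_phase_iso_build.sh the call would be followed by `|| exit 1` (or left to `set -e`) so that a failed build terminates the run. In Bash 4.3 and later, `wait -n` can be used to react to the first job that finishes, but `wait <pid>` is the portable form and is sufficient for a fixed set of jobs.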
@ggiguash ggiguash force-pushed the revert-crio-workaround branch from b0db71c to fe61cec Compare July 2, 2026 16:50
@ggiguash

ggiguash commented Jul 2, 2026

Contributor Author

/test e2e-aws-tests-cache
/test e2e-aws-tests-cache-arm

@ggiguash ggiguash force-pushed the revert-crio-workaround branch from fe61cec to 82ce7f2 Compare July 3, 2026 05:09
@ggiguash

ggiguash commented Jul 3, 2026

Contributor Author

/test e2e-aws-tests-cache
/test e2e-aws-tests-cache-arm

@ggiguash ggiguash force-pushed the revert-crio-workaround branch from 82ce7f2 to a4722e2 Compare July 3, 2026 08:41
@ggiguash

ggiguash commented Jul 3, 2026

Contributor Author

/test e2e-aws-tests-cache
/test e2e-aws-tests-cache-arm

@ggiguash

ggiguash commented Jul 3, 2026

Contributor Author

/test e2e-aws-tests-cache
/test e2e-aws-tests-cache-arm

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Contributor

@ggiguash: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-aws-tests-cache; Commit: a4722e2; Required: true; Rerun command: /test e2e-aws-tests-cache
Test name: ci/prow/e2e-aws-tests-cache-arm; Commit: a4722e2; Required: true; Rerun command: /test e2e-aws-tests-cache-arm

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

3 participants