OCPBUGS-83863: Remove rhel8 build stage, strip debug info#228

Status: Open. sdodson wants to merge 3 commits into main from OCPBUGS-83863-remove-rhel8-add-rhel10

Conversation

@sdodson

@sdodson sdodson commented Apr 28, 2026


Remove the rhel8 build stage and strip debug symbols from binaries.

The rhel9 version-specific subdirectory is retained as a hardlink to avoid duplicating the layer.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 28, 2026
@openshift-ci-robot


@sdodson: This pull request references Jira Issue OCPBUGS-83863, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

  • Remove the rhel8 build stage (RHEL 8 is EOL) and switch the windows builder to the rhel-9 image
  • Use rhel9-built binaries as the canonical /usr/src/plugins/bin/ and populate rhel9/bin/ via hardlinks instead of a duplicate COPY
  • Add rhel10/bin/ directory populated with hardlinks to the rhel9 binaries, assuming compatibility for now

Test plan

  • Verify the container image builds successfully
  • Verify /usr/src/plugins/bin/ contains the expected CNI plugin binaries
  • Verify /usr/src/plugins/rhel9/bin/ and /usr/src/plugins/rhel10/bin/ contain hardlinks to the same binaries
  • Verify /usr/src/plugins/windows/bin/ contains the Windows binaries
  • Verify no rhel8/ directory exists in the final image

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
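The test plan quoted above can be scripted. The following is an added example, not part of the PR or of the openshift/containernetworking-plugins repository: `verify_plugin_layout` checks that /usr/src/plugins/bin is populated, that each binary's rhel9/ and rhel10/ counterpart is a hardlink of it (same inode, via `test -ef`) rather than a copy, that no rhel8/ directory remains, and that windows/bin exists. `make_fixture` builds a constructed layout for trying the check locally; the plugin and Windows binary names in it are made up.

```shell
#!/bin/sh
# Added example, not part of the PR: scripts the test plan's layout checks.
# verify_plugin_layout ROOT  -> exit status 0 when ROOT/usr/src/plugins has
# the expected layout, 1 otherwise; every failed check is printed.
verify_plugin_layout() {
    plugins="$1/usr/src/plugins"
    rc=0
    found=0
    for f in "$plugins"/bin/*; do
        [ -f "$f" ] || continue
        found=1
        name=${f##*/}
        for compat in rhel9 rhel10; do
            link="$plugins/$compat/bin/$name"
            # -ef is true only when both paths resolve to the same inode,
            # i.e. a real hardlink; a copied file (or a missing one) fails
            if ! [ "$f" -ef "$link" ]; then
                echo "FAIL: $link is not a hardlink of $f"
                rc=1
            fi
        done
    done
    [ "$found" -eq 1 ] || { echo "FAIL: no plugin binaries under $plugins/bin"; rc=1; }
    [ ! -e "$plugins/rhel8" ] || { echo "FAIL: $plugins/rhel8 still present"; rc=1; }
    [ -d "$plugins/windows/bin" ] || { echo "FAIL: $plugins/windows/bin missing"; rc=1; }
    return "$rc"
}

# make_fixture ROOT MODE  -> builds a constructed layout under ROOT for local
# testing. MODE=link populates rhel9/ and rhel10/ with hardlinks (what the PR's
# Dockerfile does); MODE=copy duplicates the files, which must fail the check.
make_fixture() {
    plugins="$1/usr/src/plugins"
    mode="$2"
    mkdir -p "$plugins/bin" "$plugins/rhel9/bin" "$plugins/rhel10/bin" "$plugins/windows/bin"
    for p in bridge host-local loopback; do   # constructed plugin names
        printf '#!/bin/sh\necho %s\n' "$p" > "$plugins/bin/$p"
        chmod 755 "$plugins/bin/$p"
    done
    printf 'stub' > "$plugins/windows/bin/win-overlay.exe"   # constructed
    for compat in rhel9 rhel10; do
        if [ "$mode" = link ]; then
            ln "$plugins"/bin/* "$plugins/$compat/bin/"
        else
            cp "$plugins"/bin/* "$plugins/$compat/bin/"
        fi
    done
}

# Usage inside a container started from the built image:  sh verify_layout.sh /
# or against an extracted rootfs:                          sh verify_layout.sh ./rootfs
if [ "$#" -ge 1 ]; then
    verify_plugin_layout "$1"
fi
```

Copy the script into a container started from the image and run it against `/`, or point it at an extracted rootfs; a non-zero exit with the printed FAIL lines tells you which of the test plan's items did not hold.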

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Apr 28, 2026
@coderabbitai

coderabbitai Bot commented Apr 28, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

The Dockerfile removes the rhel8 builder stage, updates the windows build stage to use rhel-9, and changes the runtime to copy Linux binaries into /usr/src/plugins/bin while creating rhel9 and rhel10 compat dirs as symlinks; Windows artifacts remain under /usr/src/plugins/windows/bin. build_linux.sh adds -ldflags "-s -w" to non-Windows go build invocations.

Changes

Build and packaging updates

Layer: Windows builder base image
File(s): Dockerfile
Summary: Updated the windows build stage to use the rhel-9 OpenShift/go image (replacing the prior rhel-8 image).

Layer: Runtime artifact layout and compatibility symlinks
File(s): Dockerfile
Summary: Runtime now copies Linux binaries from the rhel9 builder into /usr/src/plugins/bin and creates /usr/src/plugins/rhel9/bin and /usr/src/plugins/rhel10/bin as symlinks to those binaries; Windows artifacts remain under /usr/src/plugins/windows/bin.

Layer: Strip symbols from Linux builds
File(s): build_linux.sh
Summary: Non-windows go build invocations now include -ldflags "-s -w" to strip symbol/debug info; output paths and existing build args unchanged.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • dougbtv
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes both main changes: removing the rhel8 build stage and stripping debug info from binaries, which directly align with the Dockerfile and build_linux.sh modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo test files are modified in this PR. The changes only affect Dockerfile and build_linux.sh (build configuration), neither of which contain test definitions. The check is not applicable.
Test Structure And Quality ✅ Passed PR modifies only Dockerfile and build_linux.sh (build/infrastructure changes). No Ginkgo test code is modified, so the test structure check is not applicable.
Microshift Test Compatibility ✅ Passed PR only modifies build infrastructure (Dockerfile and build_linux.sh); no new Ginkgo e2e tests are added, so MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR modifies only Dockerfile and build_linux.sh—no Ginkgo e2e tests are added. The custom check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PR is build-time changes (Dockerfile, build_linux.sh) in CNI plugins library—no deployment manifests, operator code, or controllers; check does not apply.
Ote Binary Stdout Contract ✅ Passed PR only modifies Dockerfile and build_linux.sh (build infrastructure), no Go source code. OTE stdout check only applies to process-level code and suite setup, which were not modified.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests are added in this PR; changes are limited to Dockerfile and build_linux.sh. Custom check applies only when tests are added.
No-Weak-Crypto ✅ Passed PR changes involve Dockerfile image stage reorganization and build_linux.sh binary stripping flags. No cryptographic operations, weak algorithms, or custom crypto implementations introduced.
Container-Privileges ✅ Passed No Kubernetes manifests or SecurityContext configurations with privileged mode, hostPID/hostNetwork/hostIPC, SYS_ADMIN capabilities, or allowPrivilegeEscalation found in the PR.
No-Sensitive-Data-In-Logs ✅ Passed No sensitive data is exposed in logging. Scripts only log platform names, plugin names, and Go build flags; no passwords, tokens, API keys, or PII found.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.


@openshift-ci openshift-ci Bot requested review from dougbtv and s1061123 April 28, 2026 19:26
@openshift-ci

openshift-ci Bot commented Apr 28, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sdodson
Once this PR has been reviewed and has the lgtm label, please assign dougbtv for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile`:
- Around line 24-26: The two separate RUN layers creating hardlinks should be
combined into a single RUN so the hardlinks share the same inode; update the
Dockerfile so the ln operations that link /usr/src/plugins/bin/* into
/usr/src/plugins/rhel9/bin/ and /usr/src/plugins/rhel10/bin/ are executed in one
RUN instruction (i.e., run both ln commands together in the same shell
invocation) to avoid duplicate file data across layers and preserve inode
identity.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5cdb716f-6ea1-43d1-9996-e288ff5a7acc

📥 Commits

Reviewing files that changed from the base of the PR and between 747ad66 and c536523.

📒 Files selected for processing (1)
  • Dockerfile

Comment thread Dockerfile Outdated
@sdodson sdodson force-pushed the OCPBUGS-83863-remove-rhel8-add-rhel10 branch from 2bde2a8 to 93bb9d6 Compare May 23, 2026 16:49
@sdodson sdodson changed the title OCPBUGS-83863: Dockerfile: remove rhel8, use rhel9 as base, add rhel10 support OCPBUGS-83863: Remove rhel8 build stage, strip debug info May 23, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@build_linux.sh`:
- Line 20: The build command in build_linux.sh calls ${GO:-go} build with a
hardcoded -ldflags "-s -w" before "$@", which allows caller-supplied -ldflags in
"$@" to override and drop the strip flags; update the script to scan and remove
any -ldflags and its argument from the "$@" array, capture the caller's ldflags
value (handling both -ldflags <val> and -ldflags=<val> forms), merge it with "-s
-w" (ensuring no duplication) into one combined ldflags string, and then invoke
${GO:-go} build -o "${PWD}/bin/$plugin" -ldflags "<combined>" "$@" so only a
single -ldflags is passed to go build.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c7c78c96-b587-40e7-9c03-c3c553fb4899

📥 Commits

Reviewing files that changed from the base of the PR and between 2bde2a8 and 93bb9d6.

📒 Files selected for processing (2)
  • Dockerfile
  • build_linux.sh
💤 Files with no reviewable changes (1)
  • Dockerfile

Comment thread build_linux.sh Outdated
if [ "${plugin}" != "windows" ]; then
echo " $plugin"
${GO:-go} build -o "${PWD}/bin/$plugin" "$@" ./"$d"
${GO:-go} build -o "${PWD}/bin/$plugin" -ldflags "-s -w" "$@" ./"$d"
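Review bot: the new build line places `-ldflags "-s -w"` before `"$@"`, so any `-ldflags` a caller passes through `"$@"` (the thread cites release.yaml passing `-X ...BuildVersion=...`) comes later on the command line and, because go build keeps only the last `-ldflags`, silently replaces the strip flags instead of adding to them. Consume the caller's `-ldflags` (both `-ldflags VALUE` and `-ldflags=VALUE`) out of `"$@"`, merge it with `-s -w`, and pass a single `-ldflags`; add a one-line comment above the invocation explaining that only one `-ldflags` may reach go build, so the next edit does not reintroduce the override.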


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

For go build, when -ldflags is provided multiple times in one command, does the last value override earlier ones or are they merged?

💡 Result:

When the -ldflags flag is provided multiple times in a single go build command, the values are not merged; instead, the last value provided on the command line overrides any earlier instances of the flag [1]. The go command processes flags in the order they appear. If you specify -ldflags multiple times, the go tool effectively discards the previous -ldflags settings in favor of the final one [1]. This behavior is consistent with how the go command handles many other flags, where later command-line arguments take precedence over earlier ones or over defaults set via environment variables like GOFLAGS [1]. If you need to pass multiple linker flags, you must include them within a single -ldflags argument, separated by spaces [2][3]. For example: go build -ldflags "-s -w -X main.Version=1.0.0" In this example, all three flags (-s, -w, and -X) are passed to the linker because they are contained within a single -ldflags string [2][3]. If you were to write go build -ldflags "-s" -ldflags "-w", the linker would only receive the -w flag [1].


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== build_linux.sh (around line 15-40) ==="
nl -ba build_linux.sh | sed -n '1,120p'

echo "=== release workflow(s) referencing build_linux.sh or -ldflags ==="
rg -n "build_linux\.sh|ldflags" .github/workflows -S || true
for f in $(rg -l "build_linux\.sh|ldflags" .github/workflows -S || true); do
  echo "--- $f (around matches) ---"
  nl -ba "$f" | rg -n "build_linux\.sh|ldflags" -n || true
done

echo "=== Any other callers of build_linux.sh ==="
rg -n "./build_linux\.sh|build_linux\.sh" -S . || true

Repository: openshift/containernetworking-plugins

Length of output: 185


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== build_linux.sh (around lines 1-120) ==="
cat -n build_linux.sh | sed -n '1,120p'

echo "=== release workflow(s) referencing build_linux.sh or -ldflags ==="
rg -n "build_linux\.sh|ldflags" .github/workflows -S || true

echo "=== Any other callers of build_linux.sh ==="
rg -n "build_linux\.sh" . -S || true

Repository: openshift/containernetworking-plugins

Length of output: 1599


Merge caller and script linker flags in build_linux.sh (avoid duplicate -ldflags)

build_linux.sh unconditionally adds -ldflags "-s -w" before "$@", but release.yaml passes its own -ldflags (including -X ...BuildVersion=...). For go build, the last -ldflags wins (not merged), so the release-provided -ldflags overrides "-s -w", meaning the strip flags are dropped.

Fix: remove/consume any caller -ldflags from "$@" and re-emit a single combined -ldflags containing both the caller linker flags and -s -w.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build_linux.sh` at line 20, The build command in build_linux.sh calls
${GO:-go} build with a hardcoded -ldflags "-s -w" before "$@", which allows
caller-supplied -ldflags in "$@" to override and drop the strip flags; update
the script to scan and remove any -ldflags and its argument from the "$@" array,
capture the caller's ldflags value (handling both -ldflags <val> and
-ldflags=<val> forms), merge it with "-s -w" (ensuring no duplication) into one
combined ldflags string, and then invoke ${GO:-go} build -o "${PWD}/bin/$plugin"
-ldflags "<combined>" "$@" so only a single -ldflags is passed to go build.
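The fix CodeRabbit describes above (consume any caller `-ldflags`, merge it with `-s -w`, emit a single `-ldflags`) as an added, self-contained POSIX sh example. It is not the project's build_linux.sh, and the final version of that script in this PR uses a `$LDFLAGS` variable whose construction is not shown in the thread. `merge_ldflags` computes the combined string; `build_plugin` mirrors the script's `${GO:-go} build -o "${PWD}/bin/$plugin" ... ./"$d"` invocation with the caller's `-ldflags` (both `-ldflags VALUE` and `-ldflags=VALUE`) removed from the pass-through arguments. The plugin name and source directory in the example invocation are constructed.

```shell
#!/bin/sh
# Added example, not the project's code: merge caller-supplied -ldflags with
# the strip flags so that go build receives exactly one -ldflags argument.

# merge_ldflags [go build args...]  -> prints the combined linker flag string.
# Accepts both "-ldflags VALUE" and "-ldflags=VALUE"; every other argument is
# ignored here. "-s" and "-w" are appended once each, after the caller's own
# flags (e.g. -X ...BuildVersion=...), and not duplicated if already present.
merge_ldflags() {
    merged=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -ldflags)
                if [ "$#" -ge 2 ]; then merged="$merged $2"; shift 2; else shift; fi
                ;;
            -ldflags=*)
                merged="$merged ${1#-ldflags=}"
                shift
                ;;
            *)
                shift
                ;;
        esac
    done
    for strip in -s -w; do
        case " $merged " in
            *" $strip "*) ;;                     # already there, keep it single
            *) merged="$merged $strip" ;;
        esac
    done
    printf '%s\n' "${merged# }"
}

# build_plugin PLUGIN SRCDIR [go build args...]
# Same invocation shape as build_linux.sh in the thread, but the caller's
# -ldflags (either form) is removed from the pass-through arguments and
# re-emitted, merged with -s -w, as the single -ldflags on the command line.
# ${GO:-go} is honoured exactly as the script does.
build_plugin() {
    plugin="$1"
    src="$2"
    shift 2
    ldflags=$(merge_ldflags "$@")
    # Rebuild the positional parameters without any -ldflags, keeping the
    # order of everything else: rotate each original argument off the front
    # and append it to the back unless it is a linker-flag argument.
    n=$#
    i=0
    while [ "$i" -lt "$n" ]; do
        i=$((i + 1))
        arg="$1"
        shift
        case "$arg" in
            -ldflags)
                # consume the separate VALUE argument as well, if one follows
                if [ "$i" -lt "$n" ]; then shift; i=$((i + 1)); fi
                ;;
            -ldflags=*)
                ;;
            *)
                set -- "$@" "$arg"
                ;;
        esac
    done
    "${GO:-go}" build -o "${PWD}/bin/$plugin" -ldflags "$ldflags" "$@" "./$src"
}

# Example invocation (constructed plugin name and source directory):
#   build_plugin bridge plugins/main/bridge -ldflags "-X main.BuildVersion=1.2.3" -mod=vendor
# runs: go build -o "$PWD/bin/bridge" -ldflags "-X main.BuildVersion=1.2.3 -s -w" -mod=vendor ./plugins/main/bridge
```

Rotating the positional parameters is the portable way to filter `"$@"` in sh, which has no arrays; the alternative of telling callers to set an `LDFLAGS` variable instead of passing `-ldflags` works too, but only if the script documents it and never accepts a second `-ldflags` through `"$@"`.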

@sdodson sdodson force-pushed the OCPBUGS-83863-remove-rhel8-add-rhel10 branch from 93bb9d6 to f07fb4b Compare May 23, 2026 17:56

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
build_linux.sh (1)

20-20: ⚠️ Potential issue | 🔴 Critical

Caller-supplied -ldflags in "$@" will override the strip flags.

When "$@" contains another -ldflags argument (e.g., from release.yaml passing -X ...BuildVersion=...), Go's build command uses only the last -ldflags value, discarding the earlier -s -w. This means the strip flags are lost when the script is invoked with additional linker flags.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build_linux.sh` at line 20, The build invocation currently hardcodes -ldflags
"-s -w" before passing "$@", which allows a caller-supplied -ldflags in "$@" to
override and drop the strip flags; change the script to detect if "$@" contains
an -ldflags argument and, if so, append " -s -w" to that -ldflags value,
otherwise keep passing -ldflags "-s -w" as before; update the command that
constructs the build invocation (the line using ${GO:-go} build ... -ldflags "-s
-w" "$@" ./"$d") to use the merged/modified arguments so -s -w are preserved
while still allowing caller -X or other linker flags, handling both the forms
-ldflagsVALUE and -ldflags VALUE and leaving other "$@" items untouched.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@build_linux.sh`:
- Line 20: The build invocation currently hardcodes -ldflags "-s -w" before
passing "$@", which allows a caller-supplied -ldflags in "$@" to override and
drop the strip flags; change the script to detect if "$@" contains an -ldflags
argument and, if so, append " -s -w" to that -ldflags value, otherwise keep
passing -ldflags "-s -w" as before; update the command that constructs the build
invocation (the line using ${GO:-go} build ... -ldflags "-s -w" "$@" ./"$d") to
use the merged/modified arguments so -s -w are preserved while still allowing
caller -X or other linker flags, handling both the forms -ldflagsVALUE and
-ldflags VALUE and leaving other "$@" items untouched.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ee2d22d1-364a-4218-b10d-dbb23186f0b7

📥 Commits

Reviewing files that changed from the base of the PR and between 93bb9d6 and f07fb4b.

📒 Files selected for processing (2)
  • Dockerfile
  • build_linux.sh

@sdodson

sdodson commented May 23, 2026


/retest-required

sdodson added 2 commits June 9, 2026 13:55
RHEL 8 is end-of-life. Remove the rhel8 build stage, switch the
windows builder to the rhel-9 image, and use rhel9-built binaries
as the default in /usr/src/plugins/bin/.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
The rhel9/bin/ directory contains the same binaries as bin/. Use
hardlinks to avoid duplicating them in the image layer.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
@sdodson sdodson force-pushed the OCPBUGS-83863-remove-rhel8-add-rhel10 branch 2 times, most recently from b573d98 to d14eba2 Compare June 9, 2026 17:57

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 2: Replace all FROM lines that reference registry.ci.openshift.org with
UBI minimal or distroless images hosted on catalog.redhat.com; specifically
update the stage declared as "FROM
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS
rhel9" and the other two FROM statements (the other build/runtime stages) to use
the appropriate catalog.redhat.com UBI or distroless equivalents, ensuring tags
match required Go and OpenShift tooling versions and preserving the same AS
aliases (e.g., rhel9) so the rest of the Dockerfile continues to reference the
same stage names.
- Line 3: The Dockerfile currently uses the broad COPY . /usr/src/plugins
instruction (appearing as "COPY . /usr/src/plugins") in the builder stages;
change these to copy only the required artifacts (for example copy package.json
and package-lock.json, then the source directory or specific files needed for
build, and any Docker-related config) and remove the blanket context copy to
avoid leaking secrets—replace each "COPY . /usr/src/plugins" occurrence with
precise COPY lines for the minimal set of files needed for the build and runtime
(e.g., COPY package*.json, COPY src/, COPY Dockerfile or other explicit files)
and ensure any .dockerignore excludes secrets.
- Around line 18-28: The final image currently runs as root; update the
Dockerfile to create a non-root user and switch to it at runtime: add steps to
create a dedicated user/group (e.g., "plugins" or "nonroot"), chown the plugin
directories (/usr/src/plugins and subpaths referenced by the COPY/ln steps) to
that user, and add a USER instruction near the end of the Dockerfile to set the
non-root user as the runtime user so containers do not run as root; ensure
ownership changes occur after the COPY/ln operations that populate
/usr/src/plugins.
- Around line 18-28: Add a Docker HEALTHCHECK instruction to the Dockerfile
(after the plugin binaries are copied/linked) to provide a runtime liveness
probe; the HEALTHCHECK should run a lightweight command that validates the
container’s main service (for example an HTTP GET to the service health endpoint
or invoking a packaged health-check binary under /usr/src/plugins/bin/) and
include sensible parameters (interval, timeout and start-period). Place the
HEALTHCHECK after the COPY/ln steps that populate /usr/src/plugins/bin (so the
health binary/endpoint is available) and ensure it returns non-zero on failure
so the container runtime marks unhealthy.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a01254eb-6bf7-401b-a3fe-e5e89605f7ef

📥 Commits

Reviewing files that changed from the base of the PR and between f07fb4b and b573d98.

📒 Files selected for processing (2)
  • Dockerfile
  • build_linux.sh

@coderabbitai coderabbitai Bot left a comment


Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

🛑 Comments failed to post (3)
Dockerfile (3)

2-2: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Use catalog.redhat.com UBI/distroless base images for all stages.

Line 2, Line 10, and Line 18 use registry.ci.openshift.org/... images, which does not satisfy the repository container-base policy.

As per coding guidelines, "Base image: UBI minimal or distroless from catalog.redhat.com".

Also applies to: 10-10, 18-18

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 2, Replace all FROM lines that reference
registry.ci.openshift.org with UBI minimal or distroless images hosted on
catalog.redhat.com; specifically update the stage declared as "FROM
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS
rhel9" and the other two FROM statements (the other build/runtime stages) to use
the appropriate catalog.redhat.com UBI or distroless equivalents, ensuring tags
match required Go and OpenShift tooling versions and preserving the same AS
aliases (e.g., rhel9) so the rest of the Dockerfile continues to reference the
same stage names.

Source: Coding guidelines


3-3: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Avoid copying the entire build context into builder stages.

Line 3 and Line 11 use COPY . /usr/src/plugins; this violates the rule to copy only explicit required files and increases secret-exposure risk.

As per coding guidelines, "COPY specific files, not entire context".

Also applies to: 11-11

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, The Dockerfile currently uses the broad COPY .
/usr/src/plugins instruction (appearing as "COPY . /usr/src/plugins") in the
builder stages; change these to copy only the required artifacts (for example
copy package.json and package-lock.json, then the source directory or specific
files needed for build, and any Docker-related config) and remove the blanket
context copy to avoid leaking secrets—replace each "COPY . /usr/src/plugins"
occurrence with precise COPY lines for the minimal set of files needed for the
build and runtime (e.g., COPY package*.json, COPY src/, COPY Dockerfile or other
explicit files) and ensure any .dockerignore excludes secrets.

Source: Coding guidelines


18-28: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the final image as a non-root user.

The runtime stage never sets USER, so containers run as root by default.

Suggested patch
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 RUN mkdir -p /usr/src/plugins/bin && \
     mkdir -p /usr/src/plugins/rhel9/bin && \
     mkdir -p /usr/src/plugins/rhel10/bin && \
     mkdir -p /usr/src/plugins/windows/bin
 COPY --from=rhel9 /usr/src/plugins/bin/* /usr/src/plugins/bin/
 RUN ln /usr/src/plugins/bin/* /usr/src/plugins/rhel9/bin/
 # For now assume rhel9 binaries are compatible with rhel10
 RUN ln /usr/src/plugins/bin/* /usr/src/plugins/rhel10/bin/
 COPY --from=windows /usr/src/plugins/bin/* /usr/src/plugins/windows/bin/
+USER 65532:65532
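Review bot: the suggested `USER 65532:65532` is added on its own, without the `chown` of /usr/src/plugins that the accompanying prompt asks for, and the hunk shows no ENTRYPOINT or CMD, so the line only matters if something runs this image as a process; confirm what, if anything, does before taking the change. The hunk also keeps the two separate `RUN ln` layers that the earlier CodeRabbit comment on this PR recommended collapsing into a single RUN; if the patch is applied, fold both `ln` commands into one RUN and keep any ownership change out of a later layer, then re-check that the rhel9/ and rhel10/ entries still share an inode with bin/ in the final image.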

As per coding guidelines, "USER non-root; never run as root".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
RUN mkdir -p /usr/src/plugins/bin && \
    mkdir -p /usr/src/plugins/rhel9/bin && \
    mkdir -p /usr/src/plugins/rhel10/bin && \
    mkdir -p /usr/src/plugins/windows/bin
COPY --from=rhel9 /usr/src/plugins/bin/* /usr/src/plugins/bin/
RUN ln /usr/src/plugins/bin/* /usr/src/plugins/rhel9/bin/
# For now assume rhel9 binaries are compatible with rhel10
RUN ln /usr/src/plugins/bin/* /usr/src/plugins/rhel10/bin/
COPY --from=windows /usr/src/plugins/bin/* /usr/src/plugins/windows/bin/
USER 65532:65532
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 18 - 28, The final image currently runs as root;
update the Dockerfile to create a non-root user and switch to it at runtime: add
steps to create a dedicated user/group (e.g., "plugins" or "nonroot"), chown the
plugin directories (/usr/src/plugins and subpaths referenced by the COPY/ln
steps) to that user, and add a USER instruction near the end of the Dockerfile
to set the non-root user as the runtime user so containers do not run as root;
ensure ownership changes occur after the COPY/ln operations that populate
/usr/src/plugins.

Source: Coding guidelines


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a HEALTHCHECK for runtime liveness.

The final image has no health probe, which violates the container policy and weakens runtime observability.

Suggested patch
 COPY --from=windows /usr/src/plugins/bin/* /usr/src/plugins/windows/bin/
+HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
+  CMD ["/bin/sh", "-c", "test -x /usr/src/plugins/bin/bridge"]
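Review bot: `test -x /usr/src/plugins/bin/bridge` checks a property fixed at build time, so this HEALTHCHECK can never report unhealthy once the image builds, and it assumes a binary named `bridge` exists in bin/, which nothing in the hunk shows. The hunk defines no ENTRYPOINT or long-running service for a probe to observe; leave the HEALTHCHECK out unless the image actually runs a service, and in that case probe that service rather than a file mode.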

As per coding guidelines, "HEALTHCHECK defined".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 18 - 28, Add a Docker HEALTHCHECK instruction to the
Dockerfile (after the plugin binaries are copied/linked) to provide a runtime
liveness probe; the HEALTHCHECK should run a lightweight command that validates
the container’s main service (for example an HTTP GET to the service health
endpoint or invoking a packaged health-check binary under /usr/src/plugins/bin/)
and include sensible parameters (interval, timeout and start-period). Place the
HEALTHCHECK after the COPY/ln steps that populate /usr/src/plugins/bin (so the
health binary/endpoint is available) and ensure it returns non-zero on failure
so the container runtime marks unhealthy.

Source: Coding guidelines

@sdodson sdodson force-pushed the OCPBUGS-83863-remove-rhel8-add-rhel10 branch from d14eba2 to 5c5552a Compare June 9, 2026 18:04
Pass -ldflags "-s -w" to go build to reduce binary size by
stripping the symbol table and DWARF debug information.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED
@sdodson sdodson force-pushed the OCPBUGS-83863-remove-rhel8-add-rhel10 branch from 5c5552a to 25477af Compare June 9, 2026 18:12
Comment thread build_linux.sh
if [ "${plugin}" != "windows" ]; then
echo " $plugin"
${GO:-go} build -o "${PWD}/bin/$plugin" "$@" ./"$d"
${GO:-go} build -o "${PWD}/bin/$plugin" -ldflags "$LDFLAGS" "$@" ./"$d"
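Review bot: `-ldflags "$LDFLAGS"` still precedes `"$@"`, so the earlier finding on this line applies unchanged unless `$LDFLAGS` (its assignment is not in this hunk) is built from the caller's `-ldflags` and that argument is removed from `"$@"`. Show the `LDFLAGS` assignment in the diff, and add a comment at the top of the script stating that callers set `LDFLAGS` rather than pass `-ldflags` through, since a second `-ldflags` in `"$@"` overrides the first.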


@bpickard22 Should I be pushing these changes upstream?

@openshift-ci

openshift-ci Bot commented Jun 9, 2026


@sdodson: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws 25477af link true /test e2e-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
