From 8b9f9f73940500939ffa37347e967a713c25f0ce Mon Sep 17 00:00:00 2001 From: PillaiManish Date: Fri, 10 Apr 2026 15:29:17 +0530 Subject: [PATCH 1/6] UPSTREAM: : Add RHCOS10 UBI10 migration compliance doc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add migration document tracking the UBI9→UBI10 base image migration for RHCOS10 compatibility. Documents all affected Dockerfiles, image replacements, exclusions, and test checklist. Made-with: Cursor --- .../compliance/rhcos10/PR2-ubi10-migration.md | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .work/compliance/rhcos10/PR2-ubi10-migration.md diff --git a/.work/compliance/rhcos10/PR2-ubi10-migration.md b/.work/compliance/rhcos10/PR2-ubi10-migration.md new file mode 100644 index 00000000..f2e50f56 --- /dev/null +++ b/.work/compliance/rhcos10/PR2-ubi10-migration.md 
@@ -0,0 +1,54 @@ +# RHCOS10 UBI10 Migration + +## Summary + +Migrate all container base images from UBI9/RHEL9 to UBI10/RHEL10 for native RHCOS10 compatibility. +Also moves the registry from `registry.access.redhat.com` to `registry.redhat.io`. + +```text +registry.access.redhat.com → registry.redhat.io +``` + +## Image Changes + +| Dockerfile | Before | After | +| -------------------------------------------------- | ------------------------------------------------------------------- | -------------------------------------------------- | +| `images/ansible-operator/Dockerfile` (basebuilder) | `registry.access.redhat.com/ubi9/ubi-minimal:9.7` | `registry.redhat.io/ubi10/ubi-minimal:10.1` | +| `images/ansible-operator/Dockerfile` (base) | `registry.access.redhat.com/ubi9/ubi-minimal:9.7` | `registry.redhat.io/ubi10/ubi-minimal:10.1` | +| `images/ansible-operator/pipfile.Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:9.7` | `registry.redhat.io/ubi10/ubi-minimal:10.1` | +| `openshift/Dockerfile` (builder) | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-*` | `registry.redhat.io/ubi10/go-toolset:10.1` | +| `openshift/Dockerfile` (runtime) | `registry.ci.openshift.org/ocp/4.22:base-rhel9` | `registry.redhat.io/ubi10/ubi:10.1` | +| `openshift/Dockerfile.requirements` | `registry.ci.openshift.org/ocp/4.22:base-rhel9` | `registry.redhat.io/ubi10/ubi:10.1` | +| `openshift/release/ansible/Dockerfile.collections` | `registry.ci.openshift.org/ocp/4.22:base-rhel9` | `registry.redhat.io/ubi10/ubi:10.1` | + +## Exclusions + +- `openshift/ci/dockerfiles/ansible-e2e.Dockerfile` — builds `FROM openshift-ansible-operator-plugins` (CI-internal); no base image to change. +- `testdata/memcached-molecule-operator/Dockerfile` — uses `quay.io/operator-framework/ansible-operator:dev`; not in scope. + +## Prerequisite + +PR1 (`rhcos10-ubi9-compat-test`) should pass CI on RHCOS10 nodes before merging this. 
+ +## Test Checklist + +- [ ] `e2e-ansible` +- [ ] `e2e-ansible-fips` +- [ ] `e2e-ansible-rhcos10` +- [ ] `e2e-ansible-rhcos10-fips` + +## CI Image References + +```text +registry.access.redhat.com/ubi9/ubi-minimal:9.7 +→ +registry.redhat.io/ubi10/ubi-minimal:10.1 + +registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 +→ +registry.redhat.io/ubi10/go-toolset:10.1 + +registry.ci.openshift.org/ocp/4.22:base-rhel9 +→ +registry.redhat.io/ubi10/ubi:10.1 +``` From 26fabfc2a95ed2d44f40091e1fefc8a72c2a7fc4 Mon Sep 17 00:00:00 2001 From: PillaiManish Date: Fri, 10 Apr 2026 15:29:42 +0530 Subject: [PATCH 2/6] UPSTREAM: : Migrate base images from UBI9 to UBI10 for RHCOS10 Update all container base images from UBI9/RHEL9 to UBI10/RHEL10 to align with the RHCOS10 host OS. Moves registry from registry.access.redhat.com to registry.redhat.io. Changes: - ubi9/ubi-minimal:9.7 -> ubi10/ubi-minimal:10.1 (ansible-operator images) - openshift/Dockerfile: replace OCP CI RHEL9 golang builder with registry.redhat.io/ubi10/go-toolset:10.1 (builder stage) - openshift/Dockerfile: replace base-rhel9 runtime with registry.redhat.io/ubi10/ubi:10.1 - openshift/Dockerfile.requirements: base-rhel9 -> ubi10/ubi:10.1 - openshift/release/ansible/Dockerfile.collections: base-rhel9 -> ubi10/ubi:10.1 Made-with: Cursor --- images/ansible-operator/Dockerfile | 4 ++-- images/ansible-operator/pipfile.Dockerfile | 2 +- openshift/Dockerfile | 4 ++-- openshift/Dockerfile.requirements | 2 +- openshift/release/ansible/Dockerfile.collections | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/images/ansible-operator/Dockerfile b/images/ansible-operator/Dockerfile index 741dcced..145af88b 100644 --- a/images/ansible-operator/Dockerfile +++ b/images/ansible-operator/Dockerfile 
@@ -2,7 +2,7 @@ # It is built with dependencies that take a while to download, thus speeding # up ansible deploy jobs. -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7 AS basebuilder +FROM registry.redhat.io/ubi10/ubi-minimal:10.1 AS basebuilder # Install Rust so that we can ensure backwards compatibility with installing/building the cryptography wheel across all platforms RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y @@ -35,7 +35,7 @@ RUN set -e && microdnf clean all && rm -rf /var/cache/dnf/* \ && microdnf clean all \ && rm -rf /var/cache/dnf -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7 AS base +FROM registry.redhat.io/ubi10/ubi-minimal:10.1 AS base ARG TARGETARCH # Label this image with the repo and commit that built it, for freshmaking purposes. diff --git a/images/ansible-operator/pipfile.Dockerfile b/images/ansible-operator/pipfile.Dockerfile index b559e9b3..092c4418 100644 --- a/images/ansible-operator/pipfile.Dockerfile +++ b/images/ansible-operator/pipfile.Dockerfile @@ -1,4 +1,4 @@ -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7 AS basebuilder +FROM registry.redhat.io/ubi10/ubi-minimal:10.1 AS basebuilder # Install Rust so that we can ensure backwards compatibility with installing/building the cryptography wheel across all platforms RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y diff --git a/openshift/Dockerfile b/openshift/Dockerfile index ae33ffe7..d6c8708a 100644 --- a/openshift/Dockerfile +++ b/openshift/Dockerfile @@ -1,4 +1,4 @@ -FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder +FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder ENV GO111MODULE=on \ GOFLAGS=-mod=vendor 
@@ -9,7 +9,7 @@ RUN cd /go/src/github.com/openshift/ansible-operator-plugins \ && export GIT_VERSION="$(make -pRrq --no-print-directory | grep '^IMAGE_VERSION' | awk -F'= ' '{print $2}')-ocp" \ && make -e build -FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 +FROM registry.redhat.io/ubi10/ubi:10.1 RUN mkdir -p /etc/ansible \ && echo "localhost ansible_connection=local" > /etc/ansible/hosts \ diff --git a/openshift/Dockerfile.requirements b/openshift/Dockerfile.requirements index 612d20ad..c25ed19c 100644 --- a/openshift/Dockerfile.requirements +++ b/openshift/Dockerfile.requirements @@ -1,4 +1,4 @@ -FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 +FROM registry.redhat.io/ubi10/ubi:10.1 RUN set -e && dnf clean all && rm -rf /var/cache/dnf/* \ && dnf update -y \ diff --git a/openshift/release/ansible/Dockerfile.collections b/openshift/release/ansible/Dockerfile.collections index 90932551..fa0425f4 100644 --- a/openshift/release/ansible/Dockerfile.collections +++ b/openshift/release/ansible/Dockerfile.collections @@ -1,4 +1,4 @@ -FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 +FROM registry.redhat.io/ubi10/ubi:10.1 RUN set -e && dnf clean all && rm -rf /var/cache/dnf/* \ && dnf update -y \ From 7ccafc7115dec852284b68d8c7534f0a109c7b7d Mon Sep 17 00:00:00 2001 From: PillaiManish Date: Fri, 10 Apr 2026 15:52:03 +0530 Subject: [PATCH 3/6] UPSTREAM: : Add USER root in go-toolset builder stage to fix git safe.directory go-toolset:10.1 runs as non-root by default, causing git to reject the source directory as 'dubious ownership' when files are copied as root. Adding USER root before the build step matches the fix applied in ocp-release-operator-sdk PR#453 and allows VCS stamping to succeed. Made-with: Cursor --- openshift/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openshift/Dockerfile b/openshift/Dockerfile index d6c8708a..056d4d9d 100644 --- a/openshift/Dockerfile +++ b/openshift/Dockerfile 
@@ -1,5 +1,7 @@ FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder +USER root + ENV GO111MODULE=on \ GOFLAGS=-mod=vendor From 2bffb28ff71dde388fade88ebe82d4321060185e Mon Sep 17 00:00:00 2001 From: PillaiManish Date: Fri, 10 Apr 2026 16:47:55 +0530 Subject: [PATCH 4/6] UPSTREAM: : Remove RPM-managed urllib3 before pip installs in ubi10 runtime ubi10/ubi:10.1 ships python3-urllib3 as an RPM-managed package with no RECORD file, causing pip to fail when requirements.txt pins a newer version. Remove it with rpm --nodeps so pip can install the required urllib3==2.6.3. Made-with: Cursor --- openshift/Dockerfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/openshift/Dockerfile b/openshift/Dockerfile index 056d4d9d..a4850385 100644 --- a/openshift/Dockerfile +++ b/openshift/Dockerfile @@ -38,7 +38,11 @@ COPY ${REMOTE_SOURCES} ${REMOTE_SOURCES_DIR} # Copy our local ansible-runner-http replacement module COPY images/ansible-operator/ansible_runner_http /ansible_runner_http COPY openshift/install-ansible.sh . -RUN chmod +x /install-ansible.sh \ +# ubi10/ubi:10.1 ships python3-urllib3 as an RPM-managed package; pip cannot +# upgrade it because there is no RECORD file. Remove it first so pip can install +# the version pinned in requirements.txt. +RUN rpm -e --nodeps python3-urllib3 \ + && chmod +x /install-ansible.sh \ && ./install-ansible.sh # Remove packages which are only needed for cachito From 26a787df16cb9293c9fbb2933484fec0d1138c1b Mon Sep 17 00:00:00 2001 
From: PillaiManish Date: Fri, 10 Apr 2026 17:16:20 +0530 Subject: [PATCH 5/6] UPSTREAM: : Remove all conflicting RPM Python packages before pip installs ubi10/ubi:10.1 pre-installs many Python packages as RPMs (urllib3, six, requests, idna, resolvelib, pyyaml, etc.) with no pip RECORD file, causing pip to fail when requirements.txt pins different versions. Remove all potentially conflicting packages upfront in a loop (|| true per package so missing ones are safely skipped) before running install-ansible.sh. Made-with: Cursor --- openshift/Dockerfile | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/openshift/Dockerfile b/openshift/Dockerfile index a4850385..fd9b1a13 100644 --- a/openshift/Dockerfile +++ b/openshift/Dockerfile 
@@ -38,10 +38,35 @@ COPY ${REMOTE_SOURCES} ${REMOTE_SOURCES_DIR} # Copy our local ansible-runner-http replacement module COPY images/ansible-operator/ansible_runner_http /ansible_runner_http COPY openshift/install-ansible.sh . -# ubi10/ubi:10.1 ships python3-urllib3 as an RPM-managed package; pip cannot -# upgrade it because there is no RECORD file. Remove it first so pip can install -# the version pinned in requirements.txt. -RUN rpm -e --nodeps python3-urllib3 \ +# ubi10/ubi:10.1 ships many Python packages as RPM-managed installs that have +# no pip RECORD file, causing pip to fail when requirements.txt pins different +# versions. Remove all potentially conflicting RPM Python packages upfront so +# pip can install the pinned versions cleanly. Uses || true per package so the +# step succeeds even if a package is not present in the base image. +RUN for pkg in \ + python3-urllib3 \ + python3-six \ + python3-requests \ + python3-idna \ + python3-certifi \ + python3-charset-normalizer \ + python3-chardet \ + python3-resolvelib \ + python3-pyyaml \ + python3-pyasn1 \ + python3-pyasn1-modules \ + python3-oauthlib \ + python3-markupsafe \ + python3-jinja2 \ + python3-packaging \ + python3-dateutil \ + python3-pexpect \ + python3-ptyprocess \ + python3-lockfile \ + python3-rsa \ + python3-websocket-client; do \ + rpm -e --nodeps "$pkg" 2>/dev/null || true; \ + done \ && chmod +x /install-ansible.sh \ && ./install-ansible.sh From 59de6c0db5f705a887674e53d465c783118d51f9 Mon Sep 17 00:00:00 2001 
From: PillaiManish Date: Fri, 10 Apr 2026 17:32:55 +0530 Subject: [PATCH 6/6] UPSTREAM: : Update requirements-build.txt for ubi10 dependency resolution Switching Dockerfile.requirements base from base-rhel9 to ubi10/ubi:10.1 causes pip-compile to resolve newer transitive dependency versions. Update the committed file to match what verify-requirements now generates: - poetry-core: 2.3.1 -> 2.3.2 - setuptools-scm: 9.2.2 -> 10.0.5 - vcs-versioning: new transitive dep of setuptools-scm 10.0.5 Made-with: Cursor --- openshift/requirements-build.txt | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/openshift/requirements-build.txt b/openshift/requirements-build.txt index 2d18f556..a0751038 100644 --- a/openshift/requirements-build.txt +++ b/openshift/requirements-build.txt @@ -27,6 +27,7 @@ packaging==26.0 # -r requirements-build.in # hatchling # setuptools-scm + # vcs-versioning # wheel pathspec==1.0.4 # via @@ -38,18 +39,22 @@ pluggy==1.6.0 # via # -r requirements-build.in # hatchling -poetry-core==2.3.1 +poetry-core==2.3.2 # via -r requirements-build.in semver==3.0.4 # via # -r requirements-build.in # changelog-chug -setuptools-scm==9.2.2 +setuptools-scm==10.0.5 # via hatch-vcs trove-classifiers==2026.1.14.14 # via # -r requirements-build.in # hatchling +vcs-versioning==1.1.1 + # via + # -r requirements-build.in + # setuptools-scm wheel==0.46.3 # via -r requirements-build.in
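Review bot: in PATCH 1/6, the new `.work/compliance/rhcos10/PR2-ubi10-migration.md` records only the FROM-line replacements and omits the follow-up changes made later in this series: `USER root` in the builder stage (3/6), the `rpm -e --nodeps` removal of RPM-managed Python packages (4/6 and 5/6), and the regenerated `openshift/requirements-build.txt` (6/6). Those are the changes that alter build privilege and the package state of the shipped image, so a compliance record for the migration should list them, for example in a "Follow-up changes" section next to "Exclusions". The "Image Changes" row for the builder also shows `rhel-9-golang-*` while the "CI Image References" block gives the full `rhel-9-golang-1.25-openshift-4.22` tag; use the full tag in both places.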
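Review bot: in PATCH 2/6, the hunks for `images/ansible-operator/Dockerfile` and `images/ansible-operator/pipfile.Dockerfile` reference the new base by tag only (`FROM registry.redhat.io/ubi10/ubi-minimal:10.1 AS basebuilder`), and a tag can be repointed after review. Since every base is being re-chosen in this patch anyway, pin each one by digest (`...ubi-minimal:10.1@sha256:<digest>`) so that rebuilds resolve to the image that was actually tested; the same applies to the `ubi10/ubi:10.1` lines in the `openshift/` Dockerfiles. Also note in the commit message that `registry.redhat.io` requires authenticated pulls, which `registry.access.redhat.com` did not, so every build environment for these files needs a pull secret.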
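Review bot: in PATCH 2/6, the first hunk of `openshift/Dockerfile` drops the explicit Go version from the builder reference: the old tag named `golang-1.25`, while `registry.redhat.io/ubi10/go-toolset:10.1` names only the image release. Please state in the commit message or in a comment above the FROM line which Go version this image provides, and consider a build-time check (for example a `go version` step) so that a toolchain change in the base image fails the build instead of passing silently. The runtime stage in the second hunk also moves from an OCP release base (`ocp/4.22:base-rhel9`) to plain `ubi10/ubi:10.1`; the patch does not say whether anything the OCP base provided is still needed.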
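Review bot: in PATCH 3/6, `USER root` is added directly after the builder FROM line with no comment, and it makes every later step of that stage run as root to work around one git ownership check. A narrower fix keeps the image's non-root default: either copy the sources with the builder's own UID (`COPY --chown=...`) or mark only the source tree as safe, e.g. `git config --global --add safe.directory /go/src/github.com/openshift/ansible-operator-plugins` before `make -e build`. If `USER root` stays, add a Dockerfile comment giving the reason from the commit message, since the reason is not visible in the file itself.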
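Review bot: in PATCH 4/6, `RUN rpm -e --nodeps python3-urllib3` removes the package while skipping dependency checks, so any RPM in the runtime image that requires it stays installed with a missing dependency and the RPM database no longer describes what is on disk. Before forcing the removal, check what depends on it (`rpm -q --whatrequires python3-urllib3`) and record the result in the comment. An alternative that leaves the RPM set intact is to have `install-ansible.sh` install into a virtualenv, or to pass `--ignore-installed` to pip so that it does not try to uninstall the RPM-owned copy. This hunk is rewritten entirely by 5/6, so the two patches can be squashed.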
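Review bot: in PATCH 5/6, the loop body `rpm -e --nodeps "$pkg" 2>/dev/null || true` hides every failure, not only "package is not installed", so a removal that fails for another reason is ignored and the later pip error (or a silently retained RPM version) is harder to trace. Test for presence explicitly and let real errors fail the build, e.g. `if rpm -q "$pkg" >/dev/null; then rpm -e --nodeps "$pkg"; fi`. The hard-coded list of 21 packages is also broader than the conflicts the commit message names and will drift as the base image changes; it includes modules such as `python3-certifi`, `python3-requests` and `python3-rsa` that other RPM-installed tools may import, so please confirm that the later package-manager step ("Remove packages which are only needed for cachito") still works after this step, and consider deriving the list from `requirements.txt` instead of maintaining it by hand.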
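Review bot: in PATCH 6/6, the added `vcs-versioning==1.1.1` entry is annotated `# via -r requirements-build.in`, but the diffstat shows only `openshift/requirements-build.txt` changing and the commit message calls it a new transitive dependency. If it is listed in `requirements-build.in`, that file belongs in this patch; if it is not, the annotation suggests the file was not produced from the committed `.in`. The change also pulls in a major-version bump (`setuptools-scm` 9.2.2 to 10.0.5) and a brand-new package purely as a side effect of changing the base image, and the pins shown carry no hashes. Consider regenerating with `pip-compile --generate-hashes` and installing with `--require-hashes` so that newly introduced build dependencies are integrity-checked.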