Updating openshift-enterprise-base-rhel9-container image to be consistent with ART for 5.0

[openshift-bot]

Updating openshift-enterprise-base-rhel9-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-base-rhel9.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

[openshift-bot]

Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/163

[coderabbitai]

Walkthrough

Added a warning comment to base/Dockerfile.rhel9 alerting that ART metadata configuration has a different number of FROM statements than this Dockerfile, stating builds and reconciliation will fail until the mismatch is resolved.

Changes

Configuration Warning

Layer / File(s)	Summary
ART metadata mismatch warning comment base/Dockerfile.rhel9	Added an "URGENT!" comment at the top of the file warning that ART metadata has a mismatched count of FROM statements, which will cause builds and reconciliation to fail.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• openshift/images#229: Both PRs address ART consistency issues in base/Dockerfile.rhel9; this PR adds a mismatch warning comment, while that PR updates the FROM image tag alignment.

Suggested reviewers

• jupierce
• sdodson

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title mentions updating the image to be consistent with ART for 5.0, which aligns with the PR's objective of aligning CI configuration with ART's product build configuration. However, the actual change is just adding a warning comment about a FROM statement mismatch, which is a minor addition rather than a substantive update to the image configuration itself.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo tests; the check for Ginkgo test name stability is not applicable. Test files use Go's standard testing package.
Test Structure And Quality	✅ Passed	The PR adds Go tests using standard testing package, not Ginkgo. The custom check targets Ginkgo test code, making it inapplicable here.
Microshift Test Compatibility	✅ Passed	This PR only modifies a Dockerfile with comment additions; it does not add any Ginkgo e2e tests, so the MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only modifies base/Dockerfile.rhel9 with 3 comment lines; it adds no new Ginkgo e2e tests. The SNO compatibility check applies only to new e2e tests and is not applicable here.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR adds container Dockerfiles and CI configuration files, not deployment manifests, operators, or controllers. The custom check requirement does not apply.
Ote Binary Stdout Contract	✅ Passed	Check not applicable: repository contains container definitions and shell scripts, not OTE binaries. No stdout contract violations in Go code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The PR adds standard Go unit tests (using testing.T), not Ginkgo e2e tests. The check targets Ginkgo patterns (It(), Describe(), Context(), When()) which are not present in these files.
No-Weak-Crypto	✅ Passed	No weak cryptography detected. File contains no MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, custom implementations, or unsafe comparisons. Promotes post-quantum cryptography.
Container-Privileges	✅ Passed	No privileged configurations found: no 'privileged: true', hostPID/Network/IPC, SYS_ADMIN capabilities, or 'allowPrivilegeEscalation: true' in Kubernetes manifests or Dockerfiles.
No-Sensitive-Data-In-Logs	✅ Passed	The 3 added lines are informational comments about an ART metadata configuration mismatch, containing no passwords, tokens, API keys, PII, session IDs, internal hostnames, or customer data.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-bot
Once this PR has been reviewed and has the lgtm label, please assign sdodson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• base/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@base/Dockerfile.rhel9`:
- Around line 1-3: The Dockerfile currently leaves the container running as root
and lacks a HEALTHCHECK; modify the Dockerfile to create a non-root user/group
(e.g., add a dedicated user and chown any runtime dirs), switch to that account
with a USER non-root instruction before the final image is produced, and add a
HEALTHCHECK instruction (using a small, appropriate command or script that
verifies the app is running and exits with correct codes) so the container meets
hardening/compliance requirements; ensure any files or ports the non-root user
needs are given proper ownership/permissions prior to USER switching and that
the HEALTHCHECK command is reliable for your service.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 826180a6-0021-4403-a206-7ad480cf4b79

📥 Commits

Reviewing files that changed from the base of the PR and between ace822e and 5684c0e.

📒 Files selected for processing (1)

• base/Dockerfile.rhel9

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Warning-only change leaves required container hardening unmet.

This adds visibility, but the Dockerfile still runs as root and has no HEALTHCHECK, so the security/compliance gap remains unresolved in this PR.

As per coding guidelines, USER non-root; never run as root and HEALTHCHECK defined.

🧰 Tools

🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@base/Dockerfile.rhel9` around lines 1 - 3, The Dockerfile currently leaves
the container running as root and lacks a HEALTHCHECK; modify the Dockerfile to
create a non-root user/group (e.g., add a dedicated user and chown any runtime
dirs), switch to that account with a USER non-root instruction before the final
image is produced, and add a HEALTHCHECK instruction (using a small, appropriate
command or script that verifies the app is running and exits with correct codes)
so the container meets hardening/compliance requirements; ensure any files or
ports the non-root user needs are given proper ownership/permissions prior to
USER switching and that the HEALTHCHECK command is reliable for your service.

[openshift-ci]

@openshift-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal-ipi-ovn-ipv6	5684c0e	link	true	/test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-aws	5684c0e	link	true	/test e2e-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.