fix(e2e): replace Docker Hub images with quay.io mirrors and remove curl dependency #2073
Conversation
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
…iners Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
WalkthroughMultiple test manifests updated container images (alpine, mongo, nginx, curl-tool → UBI), several curl-based initContainers removed, and HTTP probe paths changed from "/" to "/healthz" in multiple deployments. Several Go tests had ginkgo.Entry calls switched to ginkgo.PEntry. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Comment |
openshift-ci
bot
added
the
approved
|
todo: rebase when #2069 |
There was a problem hiding this comment.
Pull request overview
This PR aims to improve the consistency and security of container images used in test applications by migrating from various sources (docker.io, unqualified images) to more trusted registries (quay.io/migtools, registry.access.redhat.com), and replacing curl-based connection checks with netcat (nc) in init containers.
Changes:
- Replaced
docker.io/curlimages/curl:8.5.0withregistry.access.redhat.com/ubi8/ubi:latestfor utility containers and init containers - Updated MongoDB images from
docker.io/library/mongo:7.0toquay.io/migtools/mongo:7.0.28 - Replaced nginx image from
bitnamisecure/nginxtoquay.io/migtools/nginx:latest - Updated alpine images from unqualified
alpinetoquay.io/migtools/alpine:latest - Changed init container connection checks from curl to nc (netcat) commands
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 14 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/e2e/sample-applications/virtual-machines/fedora-todolist/fedora-todolist.yaml | Replaced curl image with UBI8 for utility container and init container with nc-based MySQL connectivity check |
| tests/e2e/sample-applications/parks-app/manifest.yaml | Updated MongoDB images to quay.io/migtools/mongo:7.0.28 |
| tests/e2e/sample-applications/nginx/nginx-deployment.yaml | Updated nginx image to quay.io/migtools/nginx:latest |
| tests/e2e/sample-applications/mysql-persistent/mysql-persistent.yaml | Replaced curl images with UBI8 and changed init container to use nc for MySQL connectivity check |
| tests/e2e/sample-applications/mysql-persistent/mysql-persistent-twovol-csi.yaml | Replaced curl images with UBI8 and changed init container to use nc for MySQL connectivity check |
| tests/e2e/sample-applications/mysql-persistent/mysql-persistent-csi.yaml | Replaced curl images with UBI8 and changed init container to use nc for MySQL connectivity check |
| tests/e2e/sample-applications/mongo-persistent/mongo-persistent.yaml | Updated MongoDB image to quay.io/migtools/mongo:7.0.28, replaced curl images with UBI8, and changed init container to use nc for MongoDB connectivity check |
| tests/e2e/sample-applications/mongo-persistent/mongo-persistent-csi.yaml | Updated MongoDB image to quay.io/migtools/mongo:7.0.28, replaced curl images with UBI8, and changed init container to use nc for MongoDB connectivity check |
| tests/e2e/sample-applications/mongo-persistent/mongo-persistent-block.yaml | Updated MongoDB image to quay.io/migtools/mongo:7.0.28, replaced curl images with UBI8, and changed init container to use nc for MongoDB connectivity check |
| tests/e2e/sample-applications/minimal-8csivol/minimal-8csivol.yaml | Updated alpine image to quay.io/migtools/alpine:latest |
| tests/e2e/sample-applications/minimal-8csivol/minimal-3csivol.yaml | Updated alpine image to quay.io/migtools/alpine:latest |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| image: docker.io/curlimages/curl:8.5.0 | ||
| command: ['sh', '-c', 'sleep 30; max_attempts=180; attempt=0; until curl -s --connect-timeout 2 mongo:27017 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mongo DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mongo after $max_attempts attempts"; exit 1; fi; echo "mongo DB port reachable"'] | ||
| image: registry.access.redhat.com/ubi8/ubi:latest | ||
| command: ['sh', '-c', 'sleep 30; max_attempts=180; attempt=0; until /usr/bin/nc -z -w 1 mongo 27017 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mongo DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mongo after $max_attempts attempts"; exit 1; fi; echo "mongo DB port reachable"'] |
There was a problem hiding this comment.
The UBI8 base image does not include nc (netcat) by default. The command references /usr/bin/nc which will not exist in registry.access.redhat.com/ubi8/ubi:latest, causing the init container to fail. Consider either:
- Using a UBI8 image with nmap-ncat installed (which provides /usr/bin/ncat), or
- Using registry.access.redhat.com/ubi8/ubi-minimal with nc installed, or
- Installing nc in the init container before use with: microdnf install -y nmap-ncat && /usr/bin/nc ...
| command: ['sh', '-c', 'sleep 30; max_attempts=180; attempt=0; until /usr/bin/nc -z -w 1 mongo 27017 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mongo DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mongo after $max_attempts attempts"; exit 1; fi; echo "mongo DB port reachable"'] | |
| command: ['sh', '-c', 'sleep 30; microdnf install -y nmap-ncat && max_attempts=180; attempt=0; until /usr/bin/ncat -z -w 1 mongo 27017 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mongo DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mongo after $max_attempts attempts"; exit 1; fi; echo "mongo DB port reachable"'] |
There was a problem hiding this comment.
@kaovilai ok.. this looks like it's going to fail on microdnf install, I just pulled the ubi9 image and we should use dnf
| failureThreshold: 12 # 12x10sec = 2min before restart pod | ||
| - image: docker.io/curlimages/curl:8.5.0 | ||
| - image: registry.access.redhat.com/ubi8/ubi:latest | ||
| name: curl-tool |
There was a problem hiding this comment.
The container name is 'curl-tool' but it no longer uses the curl image and doesn't provide curl functionality. Consider renaming this container to something more generic like 'debug-tool' or 'utility-tool' to better reflect its purpose as a debugging sidecar.
| name: curl-tool | |
| name: debug-tool |
| failureThreshold: 12 # 12x10sec = 2min before restart pod | ||
| - image: docker.io/curlimages/curl:8.5.0 | ||
| - image: registry.access.redhat.com/ubi8/ubi:latest | ||
| name: curl-tool |
There was a problem hiding this comment.
The container name is 'curl-tool' but it no longer uses the curl image and doesn't provide curl functionality. Consider renaming this container to something more generic like 'debug-tool' or 'utility-tool' to better reflect its purpose as a debugging sidecar.
| name: curl-tool | |
| name: debug-tool |
| - image: registry.access.redhat.com/ubi8/ubi:latest | ||
| name: curl-tool |
There was a problem hiding this comment.
The container name is 'curl-tool' but it no longer uses the curl image and doesn't provide curl functionality. Consider renaming this container to something more generic like 'debug-tool' or 'utility-tool' to better reflect its purpose as a debugging sidecar.
| - name: init-myservice | ||
| image: docker.io/curlimages/curl:8.5.0 | ||
| image: registry.access.redhat.com/ubi8/ubi:latest | ||
| command: ['sh', '-c', 'sleep 30; max_attempts=180; attempt=0; until /usr/bin/nc -z -w 1 mysql 3306 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mysql DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mysql after $max_attempts attempts"; exit 1; fi; echo "mysql DB port reachable"'] |
There was a problem hiding this comment.
The UBI8 base image does not include nc (netcat) by default. The command references /usr/bin/nc which will not exist in registry.access.redhat.com/ubi8/ubi:latest, causing the init container to fail. Consider either:
- Using a UBI8 image with nmap-ncat installed (which provides /usr/bin/ncat), or
- Using registry.access.redhat.com/ubi8/ubi-minimal with nc installed, or
- Installing nc in the init container before use with: microdnf install -y nmap-ncat && /usr/bin/nc ...
| command: ['sh', '-c', 'sleep 30; max_attempts=180; attempt=0; until /usr/bin/nc -z -w 1 mysql 3306 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mysql DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mysql after $max_attempts attempts"; exit 1; fi; echo "mysql DB port reachable"'] | |
| command: ['sh', '-c', 'microdnf install -y nmap-ncat && sleep 30; max_attempts=180; attempt=0; until /usr/bin/ncat -z -w 1 mysql 3306 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mysql DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mysql after $max_attempts attempts"; exit 1; fi; echo "mysql DB port reachable"'] |
| - name: init-myservice | ||
| image: docker.io/curlimages/curl:8.5.0 | ||
| image: registry.access.redhat.com/ubi8/ubi:latest | ||
| command: ['sh', '-c', 'sleep 30; max_attempts=180; attempt=0; until /usr/bin/nc -z -w 1 mysql 3306 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mysql DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mysql after $max_attempts attempts"; exit 1; fi; echo "mysql DB port reachable"'] |
There was a problem hiding this comment.
The UBI8 base image does not include nc (netcat) by default. The command references /usr/bin/nc which will not exist in registry.access.redhat.com/ubi8/ubi:latest, causing the init container to fail. Consider either:
- Using a UBI8 image with nmap-ncat installed (which provides /usr/bin/ncat), or
- Using registry.access.redhat.com/ubi8/ubi-minimal with nc installed, or
- Installing nc in the init container before use with: microdnf install -y nmap-ncat && /usr/bin/nc ...
| command: ['sh', '-c', 'sleep 30; max_attempts=180; attempt=0; until /usr/bin/nc -z -w 1 mysql 3306 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mysql DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mysql after $max_attempts attempts"; exit 1; fi; echo "mysql DB port reachable"'] | |
| command: ['sh', '-c', 'sleep 30; microdnf install -y nmap-ncat; max_attempts=180; attempt=0; until /usr/bin/ncat -z -w 1 mysql 3306 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mysql DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mysql after $max_attempts attempts"; exit 1; fi; echo "mysql DB port reachable"'] |
| - name: init-myservice | ||
| image: docker.io/curlimages/curl:8.5.0 | ||
| image: registry.access.redhat.com/ubi8/ubi:latest | ||
| command: ['sh', '-c', 'sleep 30; max_attempts=180; attempt=0; until /usr/bin/nc -z -w 1 mysql 3306 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mysql DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mysql after $max_attempts attempts"; exit 1; fi; echo "mysql DB port reachable"'] |
There was a problem hiding this comment.
The UBI8 base image does not include nc (netcat) by default. The command references /usr/bin/nc which will not exist in registry.access.redhat.com/ubi8/ubi:latest, causing the init container to fail. Consider either:
- Using a UBI8 image with nmap-ncat installed (which provides /usr/bin/ncat), or
- Using registry.access.redhat.com/ubi8/ubi-minimal with nc installed, or
- Installing nc in the init container before use with: microdnf install -y nmap-ncat && /usr/bin/nc ...
| command: ['sh', '-c', 'sleep 30; max_attempts=180; attempt=0; until /usr/bin/nc -z -w 1 mysql 3306 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mysql DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mysql after $max_attempts attempts"; exit 1; fi; echo "mysql DB port reachable"'] | |
| command: ['sh', '-c', 'microdnf install -y nmap-ncat && sleep 30; max_attempts=180; attempt=0; until /usr/bin/ncat -z -w 1 mysql 3306 || [ $attempt -ge $max_attempts ]; do attempt=$((attempt+1)); echo "Attempt $attempt/$max_attempts: Trying to connect to mysql DB port"; sleep 5; done; if [ $attempt -ge $max_attempts ]; then echo "ERROR: Failed to connect to mysql after $max_attempts attempts"; exit 1; fi; echo "mysql DB port reachable"'] |
| failureThreshold: 40 # 40x30sec before restart pod | ||
| - image: docker.io/curlimages/curl:8.5.0 | ||
| - image: registry.access.redhat.com/ubi8/ubi:latest | ||
| name: curl-tool |
There was a problem hiding this comment.
The container name is 'curl-tool' but it no longer uses the curl image and doesn't provide curl functionality. Consider renaming this container to something more generic like 'debug-tool' or 'utility-tool' to better reflect its purpose as a debugging sidecar.
| name: curl-tool | |
| name: debug-tool |
| failureThreshold: 40 # 40x30sec before restart pod | ||
| - image: docker.io/curlimages/curl:8.5.0 | ||
| - image: registry.access.redhat.com/ubi8/ubi:latest | ||
| name: curl-tool |
There was a problem hiding this comment.
The container name is 'curl-tool' but it no longer uses the curl image and doesn't provide curl functionality. Consider renaming this container to something more generic like 'debug-tool' or 'utility-tool' to better reflect its purpose as a debugging sidecar.
| name: curl-tool | |
| name: debug-tool |
| failureThreshold: 40 # 40x30sec before restart pod | ||
| - image: docker.io/curlimages/curl:8.5.0 | ||
| - image: registry.access.redhat.com/ubi8/ubi:latest | ||
| name: curl-tool |
There was a problem hiding this comment.
The container name is 'curl-tool' but it no longer uses the curl image and doesn't provide curl functionality. Consider renaming this container to something more generic like 'debug-tool' or 'utility-tool' to better reflect its purpose as a debugging sidecar.
| name: curl-tool | |
| name: debug-tool |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Fix all issues with AI agents
In `@tests/e2e/sample-applications/mysql-persistent/mysql-persistent-csi.yaml`:
- Around line 229-230: The container command uses nc which is not present in the
registry.access.redhat.com/ubi8/ubi:latest image; update the command field to
avoid nc (or switch to an image that includes it). For example, replace the nc
check in the command with a bash TCP probe using /dev/tcp (e.g., attempt
connecting via >/dev/tcp/mysql/3306 in the same command string) or change the
image to one that provides nc; modify the command value shown in the diff
accordingly so the readiness loop works without relying on nc.
In
`@tests/e2e/sample-applications/mysql-persistent/mysql-persistent-twovol-csi.yaml`:
- Around line 227-228: The init container command uses /usr/bin/nc which is not
present in the registry.access.redhat.com/ubi8/ubi:latest image; update the init
container to either use an image that includes nc (e.g., busybox/netcat) or
replace the nc-dependent healthcheck with a portable alternative (e.g., a shell
TCP probe using /dev/tcp or curl) so the probe succeeds; specifically modify the
command entry that references /usr/bin/nc and/or swap the image field
(registry.access.redhat.com/ubi8/ubi:latest) to a minimal image that provides
netcat so the until /usr/bin/nc -z -w 1 mysql 3306 loop will work at runtime.
In `@tests/e2e/sample-applications/mysql-persistent/mysql-persistent.yaml`:
- Around line 242-243: The container command relies on /usr/bin/nc which is not
present in the specified image (image:
registry.access.redhat.com/ubi8/ubi:latest) — replace the nc invocation in the
command string with a portable shell TCP check using bash's /dev/tcp (e.g., test
connectivity via "echo > /dev/tcp/mysql/3306 >/dev/null 2>&1" and check its exit
status in the until loop) or alternatively switch the image to one that includes
nc; update the command string accordingly so the loop and max_attempts logic
remain the same but use the /dev/tcp check instead of /usr/bin/nc.
In
`@tests/e2e/sample-applications/virtual-machines/fedora-todolist/fedora-todolist.yaml`:
- Around line 202-203: The init container command relies on /usr/bin/nc which is
not present in the specified image (registry.access.redhat.com/ubi8/ubi:latest);
update the init container to either install nmap-ncat before using nc (e.g., run
a short yum install nmap-ncat step in the same command sequence) or replace the
nc-based check with a POSIX/bash fallback such as a /dev/tcp timeout loop.
Locate the init container block that sets image and command (the command
containing '/usr/bin/nc -z -w 1 mysql 3306') and modify that command to perform
installation of nmap-ncat or swap to the /dev/tcp connectivity check so the
readiness probe succeeds without failing at runtime.
♻️ Duplicate comments (1)
tests/e2e/sample-applications/mongo-persistent/mongo-persistent-block.yaml (1)
239-240: Samencavailability concern applies here.See the earlier comments regarding
/usr/bin/ncpotentially not being available in the UBI8 base image. The same bash/dev/tcpalternative would work here as well.
tests/e2e/sample-applications/mysql-persistent/mysql-persistent-csi.yaml
Outdated
Show resolved
Hide resolved
tests/e2e/sample-applications/mysql-persistent/mysql-persistent-twovol-csi.yaml
Outdated
Show resolved
Hide resolved
tests/e2e/sample-applications/mysql-persistent/mysql-persistent.yaml
Outdated
Show resolved
Hide resolved
tests/e2e/sample-applications/virtual-machines/fedora-todolist/fedora-todolist.yaml
Outdated
Show resolved
Hide resolved
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
…ngoDB and MySQL configurations Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
kaovilai
changed the title
weshayutin
left a comment
weshayutin
left a comment
There was a problem hiding this comment.
This is the one :)
/LGTM
|
@mpryc @Joeavaikath fyi, note the changes, Tiger and I test locally and these changes LGTM. The mongo app /healthz endpoint is not working correctly, due to ME. I'll update it in time for now we're going to keep mongo as a skip in oadp-dev. |
|
@mpryc please check in your morning sir, let's merge it up if possible |
|
/retest |
|
@kaovilai: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
mpryc
left a comment
mpryc
left a comment
There was a problem hiding this comment.
Checked existence of images as (example):
$ podman pull quay.io/migtools/alpine:latest
Trying to pull quay.io/migtools/alpine:latest...
Getting image source signatures
Copying blob 1074353eec0d done |
Copying config e7b39c54cd done |
Writing manifest to image destination
e7b39c54cdeca0d2aae83114bb605753a5f5bc511fe8be7590e38f6d9f915dadCheck arch:
$ podman manifest inspect quay.io/migtools/alpine:latest
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 427,
"digest": "sha256:6482ff2a2ac6504c202dc499915831ce159b68c27b057d437a8012c2b26056a5",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 427,
"digest": "sha256:fd889ee4eeaad47519e7b9fd3587ddeb69c9954b962fe10573285120207be759",
"platform": {
"architecture": "arm",
"os": "linux",
"variant": "v6"
}
},
[...]
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kaovilai, mpryc, weshayutin The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
4 participants
mirrors to avoid rate limits
docker.io/curlimages/curlsidecar withregistry.access.redhat.com/ubi9/ubi(lighter, no curl)(todolist app now relies on Kubernetes restart policy)
/healthzpathstabilization is in progress
Why the changes were made
How to test the changes made