
OHSS-55168: Fix Dockerfile USER to numeric UID, update boilerplate#286

Open
nephomaniac wants to merge 2 commits into
openshift:mainfrom
nephomaniac:fix-dockerfile-nonroot-user

Conversation

@nephomaniac

@nephomaniac nephomaniac commented Jun 18, 2026


Summary

  • Replace USER nonroot:nonroot with USER 65534:65534 in build/Dockerfile (OHSS-55168)
  • Remove stale distroless comments (base image is UBI minimal, not distroless)

Problem

The Dockerfile uses USER nonroot:nonroot (a string username from Google's distroless convention), but the base image is UBI minimal which does not have a nonroot user. When the deployment sets runAsNonRoot: true, Kubernetes cannot verify the non-numeric user is non-root, resulting in CreateContainerConfigError. Currently affecting ~63 clusters (50 ROSA, 13 OSD) per OHSS-55168.

Fix

Use numeric UID 65534 (nobody, which exists on UBI minimal) instead of the string nonroot.

References

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated build infrastructure container image versions.
    • Adjusted team ownership configurations.
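To make the failure mode in the Problem section concrete, here is an added example in Go that is not code from this PR or from the operator: it models the decision the kubelet makes before starting a container when runAsNonRoot is set. The names ParseDockerfileUser, ImageUser, SecurityContext and VerifyRunAsNonRoot are hypothetical; the branch structure follows the kubelet's verifyRunAsNonRoot check, while the CRI-side handling of the image USER field is simplified (only the part before ":" is considered, and the group is ignored).

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ImageUser is what the container runtime reports to the kubelet for an
// image's USER: either a numeric UID or an unresolved username, never both.
type ImageUser struct {
	UID      *int64
	Username string
}

// ParseDockerfileUser reduces a Dockerfile USER value ("65534", "65534:65534",
// "nonroot", "nonroot:nonroot") to the uid/username pair a CRI runtime would
// report. Only the user part before ":" matters for the runAsNonRoot check.
// (Simplified model, not the real CRI code.)
func ParseDockerfileUser(user string) ImageUser {
	user = strings.TrimSpace(user)
	if user == "" {
		// Dockerfile default when no USER is set: root.
		zero := int64(0)
		return ImageUser{UID: &zero}
	}
	if i := strings.IndexByte(user, ':'); i >= 0 {
		user = user[:i]
	}
	if uid, err := strconv.ParseInt(user, 10, 64); err == nil {
		return ImageUser{UID: &uid}
	}
	// A name cannot be resolved without the image's /etc/passwd, so it is
	// passed through as an opaque username.
	return ImageUser{Username: user}
}

// SecurityContext holds the two effective pod/container fields that matter
// for this check.
type SecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

// VerifyRunAsNonRoot reproduces the kubelet's pre-start decision. A non-nil
// error is what surfaces on the pod as CreateContainerConfigError.
func VerifyRunAsNonRoot(sc SecurityContext, img ImageUser) error {
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		return nil
	}
	if sc.RunAsUser != nil {
		if *sc.RunAsUser == 0 {
			return errors.New("container's runAsUser breaks non-root policy")
		}
		return nil // an explicit non-zero runAsUser overrides the image USER
	}
	switch {
	case img.UID != nil && *img.UID == 0:
		return errors.New("container has runAsNonRoot and image will run as root")
	case img.UID == nil && img.Username != "":
		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", img.Username)
	default:
		return nil
	}
}

func main() {
	yes := true
	nonRoot := SecurityContext{RunAsNonRoot: &yes}
	// Constructed inputs: the USER line before and after this PR, plus the
	// two other cases the kubelet distinguishes.
	for _, u := range []string{"nonroot:nonroot", "65534:65534", "", "0"} {
		fmt.Printf("USER %-18q -> %v\n", u, VerifyRunAsNonRoot(nonRoot, ParseDockerfileUser(u)))
	}
}
```

The model shows why the string username fails regardless of whether the base image has a matching /etc/passwd entry: the kubelet never resolves names, it only trusts a numeric UID. It also shows the other way out that the PR does not take: an explicit non-zero runAsUser in the pod securityContext satisfies the check without rebuilding the image.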

@coderabbitai

coderabbitai Bot commented Jun 18, 2026


Walkthrough

Three maintenance changes: the CI operator build root image tag is bumped from image-v8.3.6 to image-v8.4.0, the e2e Dockerfile Go builder is bumped from rhel_9_1.25 to rhel_9_1.26, and two alias entries (devppratik, iamkirkbater) are removed from OWNERS_ALIASES.

Changes

Maintenance Updates

Layer: CI and e2e builder image version bumps
File(s): .ci-operator.yaml, test/e2e/Dockerfile
Summary: CI operator build_root_image tag bumped from image-v8.3.6 to image-v8.4.0; e2e Dockerfile builder stage Go image bumped from rhel_9_1.25 to rhel_9_1.26.

Layer: OWNERS_ALIASES member removals
File(s): OWNERS_ALIASES
Summary: devppratik removed from srep-functional-team-hulk and iamkirkbater removed from srep-team-leads.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Title check (warning): The title references updating boilerplate and fixing Dockerfile USER configuration, but the actual changes include unrelated modifications to CI operator image tag and OWNERS_ALIASES removals not mentioned in the title. Resolution: Revise the title to accurately reflect all main changes: Dockerfile USER fix, boilerplate updates, CI operator image tag update, and OWNERS_ALIASES modifications, or adjust the PR scope to match the title.
Description check (warning): The description focuses on the Dockerfile USER fix but omits explanation of the CI operator image tag change, OWNERS_ALIASES removals, and other boilerplate updates that comprise the actual changeset. Resolution: Expand the description to document all changes in the PR: explain the image tag updates and OWNERS_ALIASES modifications, and provide testing steps that validate the entire changeset.
✅ Passed checks (13 passed)
Docstring Coverage (passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check (passed): Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check (passed): Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names (passed): The PR does not modify any Ginkgo test files or test names. Changes are limited to configuration files (.ci-operator.yaml, OWNERS_ALIASES), a Dockerfile (test/e2e/Dockerfile), and build/Dockerfile...
Test Structure And Quality (passed): The custom check for Ginkgo test code quality is not applicable to this PR as no test files are being modified. The PR only changes configuration files (.ci-operator.yaml, OWNERS_ALIASES), Dockerfi...
Microshift Test Compatibility (passed): This PR does not add any new Ginkgo e2e tests. It only modifies configuration files (.ci-operator.yaml, OWNERS_ALIASES) and Dockerfiles (test/e2e/Dockerfile, build/Dockerfile), so the MicroShift co...
Single Node Openshift (Sno) Test Compatibility (passed): No new Ginkgo e2e tests are added in this PR. Changes are limited to configuration files (.ci-operator.yaml, OWNERS_ALIASES), a Dockerfile update (test/e2e/Dockerfile), and a Dockerfile USER direct...
Topology-Aware Scheduling Compatibility (passed): PR makes only CI/build infrastructure updates and a Dockerfile USER directive change from nonroot:nonroot to 65534:65534; no deployment manifests, scheduling constraints, replica logic, or topology...
Ote Binary Stdout Contract (passed): PR modifies only configuration files (YAML, Dockerfiles, OWNERS_ALIASES) and adds boilerplate templates; no Go source code changes that could violate OTE binary stdout contract.
Ipv6 And Disconnected Network Test Compatibility (passed): No new Ginkgo e2e tests are added in this PR. Changes are infrastructure/config only: .ci-operator.yaml tag update, OWNERS_ALIASES cleanup, Dockerfile base image updates. Check not applicable.
No-Weak-Crypto (passed): PR contains no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons. Changes are configuration, Dockerfile, and documentati...
Container-Privileges (passed): No container privilege escalation risks found. PR properly configures containers to run as non-root (UID 65534) with Kubernetes enforcing runAsNonRoot: true. No privileged modes, hostPID/Network/IP...
No-Sensitive-Data-In-Logs (passed): No logging statements that expose sensitive data (passwords, tokens, API keys, PII, session IDs, internal hostnames, or customer data) were found in the modified files.


@openshift-ci

openshift-ci Bot commented Jun 18, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: nephomaniac
Once this PR has been reviewed and has the lgtm label, please assign bergmannf for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@nephomaniac

Author

/label tide/merge-method-squash

@openshift-ci openshift-ci Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jun 18, 2026
@nephomaniac nephomaniac changed the title from "Fix CreateContainerConfigError by using numeric UID in Dockerfile (OHSS-55168)" to "OHSS-55168: Fix Dockerfile USER to numeric UID, update boilerplate" Jun 18, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 18, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 18, 2026


@nephomaniac: This pull request references OHSS-55168 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the incident to target the "5.0.0" version, but no target version was set.

Details

In response to this: (the PR description, quoted above)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/Dockerfile`:
- Line 2: In the Dockerfile at the FROM instruction, replace the fixed Red Hat
builder tag from `rhel_9_1.26` to `rhel_9_1`. This changes the image reference
from `brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.26` to
`brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1`, which
allows Red Hat's automated security patch updates to be applied automatically
rather than being pinned to a specific patch version.

📥 Commits

Reviewing files that changed from the base of the PR and between c9b7e7a and 4b82570.

⛔ Files ignored due to path filters (10)
  • boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
  • boilerplate/_lib/container-make is excluded by !boilerplate/**
  • boilerplate/_lib/subscriber-propose-update is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-e2e/update is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/dependabot.yml is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/docs/pre-commit.md is excluded by !boilerplate/**
  • build/Dockerfile is excluded by !build/**
  • build/Dockerfile.olm-registry is excluded by !build/**
📒 Files selected for processing (3)
  • .ci-operator.yaml
  • OWNERS_ALIASES
  • test/e2e/Dockerfile
💤 Files with no reviewable changes (1)
  • OWNERS_ALIASES

Comment thread test/e2e/Dockerfile
@@ -1,5 +1,5 @@
# THIS FILE IS GENERATED BY BOILERPLATE. DO NOT EDIT.
FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.25 as builder
FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.26 as builder
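Review bot: line 1 of this hunk marks test/e2e/Dockerfile as generated by boilerplate and not to be edited, so the builder tag bump on line 2 (and any follow-up such as the floating rhel_9_1 tag suggested in the inline review) has to land in the boilerplate source as well, or the next boilerplate update will silently revert it; the boilerplate/** files in this PR were excluded from automated review by path filter, so please confirm the same FROM change is present there. The same filter (!build/**) excluded build/Dockerfile, which carries the USER 65534:65534 change that is the point of this PR, so that line still needs a human reviewer. On the tag choice itself: a floating rhel_9_1 tag picks up Red Hat's patch releases automatically, while a fixed tag such as rhel_9_1.26 gives a reproducible build; if reproducibility is what you want, pinning by digest and letting the boilerplate update bump it is the usual middle ground.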


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify current Dockerfile base-image tag patterns for RH builder images
# and check whether floating tags are used elsewhere in the repo.
rg -n --iglob '*Dockerfile*' 'brew\.registry\.redhat\.io/.+openshift-golang-builder:.+'

Repository: openshift/managed-node-metadata-operator

Length of output: 191


🏁 Script executed:

#!/bin/bash
# Find all Dockerfile* files in the repository
fd -t f 'Dockerfile' --type f
# Then show their content to check base image tag patterns
for file in $(fd -t f 'Dockerfile' --type f); do
  echo "=== $file ==="
  head -20 "$file" | grep -E '^FROM|^ARG'
done

Repository: openshift/managed-node-metadata-operator

Length of output: 1270


Use a floating Red Hat builder tag instead of a fixed patch tag.

Change rhel_9_1.26 to rhel_9_1 to allow Red Hat's automated patch updates. Per the Dockerfile security guidelines, Red Hat images must use floating tags.


Source: Coding guidelines

@openshift-ci

openshift-ci Bot commented Jun 18, 2026

Contributor

@nephomaniac: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/lint 4b82570 link true /test lint


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@codecov-commenter


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.60%. Comparing base (4394d69) to head (4b82570).
⚠️ Report is 3 commits behind head on main.


@@           Coverage Diff           @@
##             main     #286   +/-   ##
=======================================
  Coverage   58.60%   58.60%           
=======================================
  Files           5        5           
  Lines         244      244           
=======================================
  Hits          143      143           
  Misses         87       87           
  Partials       14       14           

@nephomaniac

Author

/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 19, 2026

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.


3 participants