USHIFT-7245: Revert crio SELinux workaround #6969

Open
ggiguash wants to merge 2 commits into openshift:main from ggiguash:revert-crio-workaround

@ggiguash ggiguash commented Jul 1, 2026

Contributor

Summary by CodeRabbit

  • Bug Fixes

    • Updated SELinux policy requirements to better align with the current system, helping avoid policy-related issues during operation.
  • Chores

    • Switched one container image reference from a staging registry to the production Red Hat registry for more reliable builds.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 1, 2026

openshift-ci-robot commented Jul 1, 2026


@ggiguash: This pull request references USHIFT-7245 which is a valid jira issue.



ggiguash commented Jul 1, 2026

Contributor Author

/test ?

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 1, 2026

openshift-ci Bot commented Jul 1, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


ggiguash commented Jul 1, 2026

Contributor Author

/test e2e-aws-tests-bootc-periodic-el10
/test e2e-aws-tests-bootc-periodic-arm-el10


coderabbitai Bot commented Jul 1, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d30cb9d3-12e0-45fd-98a0-4742c0c6f555

📥 Commits

Reviewing files that changed from the base of the PR and between f62e887 and bbb8995.

📒 Files selected for processing (2)
  • packaging/selinux/microshift.te
  • test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile

Walkthrough

This PR makes two unrelated, small changes: it removes the kernel_t type requirement from the SELinux policy's gen_require block in microshift.te, and updates the base image reference in a RHEL10 test agent containerfile from the staging registry to the production registry.

Changes

SELinux Policy Cleanup

| Layer / File(s) | Summary |
|---|---|
| Remove unused kernel_t requirement (packaging/selinux/microshift.te) | The gen_require stanza no longer requires kernel_t, leaving only kubelet_t, var_lib_t, and container_var_lib_t; other rules including allow kernel_t self:process execmem; remain unchanged. |

Test Agent Base Image Update

| Layer / File(s) | Summary |
|---|---|
| Switch to production registry (test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile) | The FROM base image reference changed from registry.stage.redhat.io/rhel10/rhel-bootc:10.2 to registry.redhat.io/rhel10/rhel-bootc:10.2. |

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title is specific and matches the SELinux workaround revert that is part of the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The PR only touches a SELinux policy file and a containerfile; no Ginkgo test files or titles were added/changed. |
| Test Structure And Quality | ✅ Passed | PR only changes SELinux policy and a containerfile; no Ginkgo test code was modified, so this check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | PASS: The PR only changes SELinux policy and a bootc containerfile; it adds no Ginkgo e2e tests or MicroShift-unsupported OpenShift API usage. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR only changes SELinux policy and a containerfile; no new Ginkgo e2e tests or SNO-sensitive test logic were added. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Only SELinux policy and a bootc containerfile changed; no manifests, operator code, or scheduling constraints were added. |
| Ote Binary Stdout Contract | ✅ Passed | PR only changes SELinux policy and a containerfile; no main/init/TestMain/RunSpecs code or stdout writes were touched. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; the changed files are SELinux policy and a containerfile, so this compatibility check is not applicable. |
| No-Weak-Crypto | ✅ Passed | The changed SELinux policy and containerfile contain no weak ciphers, custom crypto, or secret/token comparisons. |
| Container-Privileges | ✅ Passed | The only touched containerfile just changes the base image; no privileged, hostPID/Network/IPC, SYS_ADMIN, root, or allowPrivilegeEscalation settings were added. |
| No-Sensitive-Data-In-Logs | ✅ Passed | Touched files only change SELinux policy and a container base image; scans found no log statements or sensitive strings. |


openshift-ci Bot commented Jul 1, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ggiguash

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2026
@ggiguash ggiguash marked this pull request as ready for review July 1, 2026 17:36
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 1, 2026
@openshift-ci openshift-ci Bot requested review from eslutsky and kasturinarra July 1, 2026 17:38

openshift-ci Bot commented Jul 1, 2026

Contributor

@ggiguash: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-tests-bootc-periodic-el10 | bbb8995 | link | true | /test e2e-aws-tests-bootc-periodic-el10 |
| ci/prow/e2e-aws-tests-bootc-el10 | bbb8995 | link | true | /test e2e-aws-tests-bootc-el10 |

