Merged
2 changes: 1 addition & 1 deletion Dockerfile.e2e
Expand Up @@ -30,5 +30,5 @@ COPY --from=builder /hypershift/hack/run-reqserving-e2e.sh /hypershift/hack/run-
RUN rpm --import https://packages.microsoft.com/keys/microsoft.asc && \
dnf install -y https://packages.microsoft.com/config/rhel/9/packages-microsoft-prod.rpm && \
mv /etc/yum.repos.d/microsoft-prod.repo /etc/yum.repos.art/ci/ && \
dnf install -y azure-cli-2.72.0 && \
dnf install -y azure-cli && \
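Review bot: the new line `dnf install -y azure-cli && \` drops the explicit version, so the e2e image will pull whichever azure-cli release the Microsoft repository serves at build time; that makes the image non-reproducible and means a repository-side change (the analysis below reports that releases from 2.73.0 onward need python3.12) can break the build or alter tool behaviour without any change in this repo. Suggest keeping a pinned version that is bumped deliberately, e.g. `dnf install -y azure-cli-<verified version> && \`, or, if tracking the latest release is intended, recording the resolved version during the build (`az version`) so a failure can be traced to a specific release.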
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check available azure-cli versions in the Microsoft repository
dnf list --showduplicates azure-cli 2>/dev/null | grep azure-cli | tail -10

Repository: openshift/hypershift

Length of output: 46


🏁 Script executed:

#!/bin/bash
# Search for context about why 2.72.0 was originally pinned
gh pr view 8638 --json title,body,comments

Repository: openshift/hypershift

Length of output: 43580


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Show Dockerfile.e2e around the cited line 33
if [ -f Dockerfile.e2e ]; then
  nl -ba Dockerfile.e2e | sed -n '20,50p'
else
  echo "Missing Dockerfile.e2e at repo root"
fi

# Also capture any azure-cli dnf install lines in the Dockerfile.e2e
if [ -f Dockerfile.e2e ]; then
  rg -n "dnf .*install .*azure-cli" Dockerfile.e2e || true
  rg -n "azure-cli" Dockerfile.e2e || true
fi

Repository: openshift/hypershift

Length of output: 107


🏁 Script executed:

#!/bin/bash
set -euo pipefail

ls -la

# Locate and display Dockerfile.e2e (with line numbers) around line 33
if [ -f Dockerfile.e2e ]; then
  echo "== Dockerfile.e2e exists at ./Dockerfile.e2e =="
  awk 'NR>=20 && NR<=50 {printf "%d:%s\n", NR, $0}' Dockerfile.e2e
else
  echo "== Dockerfile.e2e not found at repo root; searching by name =="
  fd -t f -i "Dockerfile.e2e" .
  exit 0
fi

echo "== azure-cli install lines =="
rg -n "dnf .*install .*azure-cli|azure-cli-[0-9]|azure-cli" Dockerfile.e2e || true

Repository: openshift/hypershift

Length of output: 6394


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== dockerfile.e2e azure-cli installs and i686 excludes =="
rg -n "dnf .*install .*azure-cli|azure-cli-|azure-cli|--exclude='\\*\\.i686'|i686" Dockerfile.e2e || true

Repository: openshift/hypershift

Length of output: 159


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Top of Dockerfile.e2e =="
awk 'NR>=1 && NR<=80 {printf "%d:%s\n", NR, $0}' Dockerfile.e2e

echo
echo "== USER / HEALTHCHECK =="
rg -n "^(USER|HEALTHCHECK)\b" Dockerfile.e2e || true

echo
echo "== COPY patterns (quick scan) =="
rg -n "\bCOPY\b" Dockerfile.e2e || true

echo
echo "== dnf/yum install usage =="
rg -n "\b(dnf|yum)\s+(install|update)" Dockerfile.e2e || true

Repository: openshift/hypershift

Length of output: 3246


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== azure-cli dnf exclude i686 =="
rg -n "exclude=.*i686|i686" Dockerfile.e2e || true

echo
echo "== USER / HEALTHCHECK directives =="
rg -n "^(USER|HEALTHCHECK)\b" Dockerfile.e2e || true

Repository: openshift/hypershift

Length of output: 134


Pin azure-cli (and restore the i686 exclusion) in Dockerfile.e2e to avoid reintroducing known e2e image build failures.

Removing the pin at dnf install -y azure-cli reintroduces the same class of issue fixed by PR #8638:

  • E4S/EUS incompatibility: PR #8638 pinned azure-cli-2.72.0 because azure-cli >= 2.73.0 requires python3.12, which isn’t available in the E4S/EUS repos; unpinned installs can select a newer (uninstallable) version.
  • dnf resolution failures from i686 metadata: PR #8638 added --exclude='*.i686' to avoid unsatisfied i686 dependencies; this Dockerfile.e2e no longer excludes i686.

Additionally, this Dockerfile.e2e currently violates the provided container hardening guidelines: no USER, no HEALTHCHECK, and builder uses COPY . . (and the final stage reuses the builder image).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.e2e` at line 33, the Dockerfile.e2e currently installs azure-cli
without pinning and removed the i686 exclusion, and also lacks container
hardening (no USER, no HEALTHCHECK) and uses COPY . . in the builder and reuses
the builder as the final image; update the dnf install line to pin azure-cli to
the known-good version (azure-cli-2.72.0) and restore the exclusion flag
(--exclude='*.i686') to avoid E4S/EUS python3.12 and i686 resolution failures,
add a non-root USER declaration and a HEALTHCHECK per our guidelines, and change
the builder stage to use explicit COPY of only needed artifacts (avoid COPY . .)
and ensure the final stage does not reuse the builder image but instead copies
artifacts from the builder stage into a minimal runtime image.

dnf clean all
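The checks the review comment above runs by hand (version pins, the i686 exclusion, USER, HEALTHCHECK, COPY . ., a final stage built FROM builder) as one added lint script; this is example code, not hypershift project code. The two sample Dockerfiles inside it are constructed, and the registry names, stage layout and HEALTHCHECK command are assumptions.

```shell
#!/bin/sh
# Added example, not hypershift project code: lint a Dockerfile for the issues the
# review raises (unpinned dnf packages, azure-cli without --exclude='*.i686', no
# non-root USER, no HEALTHCHECK, COPY . ., final stage FROM builder). Assumes a POSIX
# sh with awk, grep and mktemp; both sample Dockerfiles below are constructed.
lint_dockerfile() {   # FILE -> one finding per line on stdout
  f="$1"
  # Join backslash-continued lines and split on && so each command is inspected alone
  awk '{ if (sub(/\\$/, "")) { buf = buf $0; next } print buf $0; buf = "" }' "$f" \
    | tr '&' '\n' | grep -E '(dnf|yum) +install' | while IFS= read -r seg; do
    set -f; set -- ${seg#*install }; set +f      # word-split the package list, no globbing
    for t in "$@"; do
      case "$t" in
        -*|http://*|https://*|*.rpm) ;;          # flags and direct rpm URLs
        *-[0-9]*) ;;                            # name-1.2.3 style version pin
        *) echo "unpinned package: $t" ;;
      esac
    done
    case "$seg" in *i686*) ;; *azure-cli*) echo "azure-cli install lacks --exclude='*.i686'" ;; esac
  done
  grep -qE '^USER +' "$f" && ! grep -qE '^USER +root' "$f" || echo "no non-root USER"
  grep -qE '^HEALTHCHECK ' "$f" || echo "no HEALTHCHECK"
  grep -qE '^COPY +\. +\.' "$f" && echo "builder uses COPY . ."
  grep -qE '^FROM +builder *$' "$f" && echo "final stage reuses the builder image"
  return 0
}
lint_count() { lint_dockerfile "$1" | wc -l | tr -d ' '; }   # FILE -> number of findings
weak=$(mktemp); hardened=$(mktemp); trap 'rm -f "$weak" "$hardened"' EXIT
cat > "$weak" <<'EOF'
FROM registry.example.invalid/go-toolset:1.22 AS builder
COPY . .
FROM builder
RUN rpm --import https://packages.microsoft.com/keys/microsoft.asc && \
    dnf install -y https://packages.microsoft.com/config/rhel/9/packages-microsoft-prod.rpm && \
    dnf install -y azure-cli && \
    dnf clean all
EOF
cat > "$hardened" <<'EOF'
FROM registry.example.invalid/go-toolset:1.22 AS builder
COPY go.mod go.sum cmd/ ./
FROM registry.example.invalid/ubi9-minimal:9.4
COPY --from=builder /hypershift/hack/run-reqserving-e2e.sh /hypershift/hack/run-reqserving-e2e.sh
RUN rpm --import https://packages.microsoft.com/keys/microsoft.asc && \
    dnf install -y --exclude='*.i686' azure-cli-2.72.0 && dnf clean all
USER 1001
HEALTHCHECK CMD az version >/dev/null || exit 1
EOF
echo "== weak: $(lint_count "$weak") finding(s) =="; lint_dockerfile "$weak"
echo "== hardened: $(lint_count "$hardened") finding(s) =="; lint_dockerfile "$hardened"
```

The weak sample reproduces the shape of the diff under review and yields six findings; the hardened sample yields none.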