The subcommand network-test was not working due to /sbin/init command

[rjhowe]

• systemd container was only needed for nginx server which can be replaced with python http server
• For network tests changing all pods created by script to run python server by default
• Remove nginx package from Dockerfile and Dockerfile.fedora as its not needed for testing network
• Made changes to Dockerfile.fedora updating to 4.22 build and changing yum to dnf

Summary by CodeRabbit

• New Features

  • Enhanced debugging tools available in the network-tools image, including additional utilities for network analysis and performance troubleshooting.

• Bug Fixes

  • Removed nginx from container images and debug pod initialization to streamline network debugging workflows.

• Documentation

  • Updated documentation to reflect the available debugging utilities in the network-tools image.

• Chores

  • Updated base image versions to latest available releases.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rjhowe
Once this PR has been reviewed and has the lgtm label, please assign tssurya for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

The PR replaces nginx with a lightweight Python HTTP server across the network-tools image and test infrastructure. It removes nginx from container image package lists, updates test pods to run python3 -m http.server 80, bumps Fedora base images from 4.12 to 4.22, switches from yum to dnf, and updates documentation to reflect the new debugging toolset.

Changes

Network Tools Image and Test Script Updates

Layer / File(s)	Summary
Remove nginx from container images Dockerfile, Dockerfile.fedora	nginx package removed from the builder/runtime installation lists in both standard and Fedora build configurations.
Replace nginx with Python HTTP server in test pod debug-scripts/test-networking/common	Test pod startup command changes from /sbin/init to python3 -m http.server 80, and the nginx systemctl start step is removed.
Update Fedora base image and package manager Dockerfile.fedora	Build stage base images bumped from ocp/4.12 to ocp/4.22 and package installation switched from yum to dnf with --setopt=tsflags=nodocs.
Update documentation for available debugging tools docs/user.md	Tools list updated to remove nginx and add numactl, traceroute, wireshark-cli, conntrack-tools, perf, iproute, and ovnkube-trace.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the primary change—replacing the /sbin/init command with a Python HTTP server—which is the core motivation for the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Repository contains no Ginkgo tests. PR modifies Dockerfiles, a bash script, and documentation—none contain Ginkgo test titles or unstable test names.
Test Structure And Quality	✅ Passed	Custom check for Ginkgo test quality is not applicable; repository contains no Ginkgo test files. PR changes are to Dockerfiles, shell scripts, and documentation only.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests added in this PR. Changes are to Dockerfiles, bash scripts, and documentation only. Check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR; changes are limited to Dockerfiles, shell scripts, and documentation. The SNO test compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies Dockerfiles, debug scripts, and documentation only—no deployment manifests, operators, or controllers are added or modified. Topology-aware scheduling check is not applicable.
Ote Binary Stdout Contract	✅ Passed	The custom check for OTE Binary Stdout Contract is not applicable—this PR modifies a network-tools repository (shell scripts and Dockerfiles) with no OTE test binaries or Go test code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It modifies Docker images, debug scripts, and docs only. The check is not applicable here.
No-Weak-Crypto	✅ Passed	No weak crypto (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB), custom implementations, or non-constant-time comparisons found. PR replaces nginx with Python http.server.
Container-Privileges	✅ Passed	No privileged container settings found. The PR only removes nginx and replaces with Python HTTP server. No privileged: true, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation are introduced.
No-Sensitive-Data-In-Logs	✅ Passed	PR changes involve removing nginx package and replacing /sbin/init with Python HTTP server; no logging of passwords, tokens, API keys, PII, session IDs, or other sensitive credentials.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

debug-scripts/test-networking/common (1)

19-39: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use an unprivileged HTTP port to avoid pod startup failures

python3 -m http.server 80 (Line 19) can fail when the container runs as non-root, which breaks readiness and leaves the service without endpoints. Use an unprivileged port (for example 8080) and expose the same port.

Suggested patch

-    oc run "$POD_NAME" --image=quay.io/openshift/origin-network-tools:latest \
-        --overrides='{ "spec": { "nodeSelector": {"'"$POD_NAME"'": "network-tools-debug-role"}, "tolerations": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule", "operator": "Exists"}] }}' \
-        -- python3 -m http.server 80
+    oc run "$POD_NAME" --image=quay.io/openshift/origin-network-tools:latest \
+        --overrides='{ "spec": { "nodeSelector": {"'"$POD_NAME"'": "network-tools-debug-role"}, "tolerations": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule", "operator": "Exists"}] }}' \
+        -- python3 -m http.server 8080
@@
-    oc expose pod/"$SVC_NAME" --port=80
+    oc expose pod/"$SVC_NAME" --port=8080

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@debug-scripts/test-networking/common` around lines 19 - 39, The pod startup
uses a privileged port (80) which fails for non-root containers; update
create_pod_on_node (the command that starts the server) to run the HTTP server
on an unprivileged port (e.g. 8080) and make create_svc expose that same port
(change the oc expose invocation and any port references from 80 to 8080) so
readiness succeeds and endpoints are created; ensure any wait logic (oc get ep)
still references the service name only and no port-specific jsonpath changes are
required.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.fedora`:
- Around line 8-12: The Dockerfile uses an unpinned non-RH runtime base ("FROM
fedora:latest") which violates the base image policy; update the final runtime
stage to either use a UBI minimal or distroless image from catalog.redhat.com
(preferred) or, if using a non-Red Hat image, pin it by digest instead of
:latest—modify the final FROM line accordingly and ensure the change applies to
the runtime stage that follows the ovnkube-trace and tools stages so provenance
and reproducibility are preserved.

---

Outside diff comments:
In `@debug-scripts/test-networking/common`:
- Around line 19-39: The pod startup uses a privileged port (80) which fails for
non-root containers; update create_pod_on_node (the command that starts the
server) to run the HTTP server on an unprivileged port (e.g. 8080) and make
create_svc expose that same port (change the oc expose invocation and any port
references from 80 to 8080) so readiness succeeds and endpoints are created;
ensure any wait logic (oc get ep) still references the service name only and no
port-specific jsonpath changes are required.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c554a272-4ea1-4b30-9fcb-c4bc15d56af1

📥 Commits

Reviewing files that changed from the base of the PR and between 507d4f5 and adb9c22.

📒 Files selected for processing (4)

• Dockerfile
• Dockerfile.fedora
• debug-scripts/test-networking/common
• docs/user.md

💤 Files with no reviewable changes (2)

• Dockerfile
• docs/user.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Runtime base image violates container hardening policy

The runtime stage still uses fedora:latest (Line 12), which is neither a UBI minimal/distroless base nor pinned by digest for a non-Red Hat image. This weakens provenance and reproducibility guarantees.

As per coding guidelines, "Base image: UBI minimal or distroless from catalog.redhat.com" and "non-RH images: pin by digest".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.fedora` around lines 8 - 12, The Dockerfile uses an unpinned
non-RH runtime base ("FROM fedora:latest") which violates the base image policy;
update the final runtime stage to either use a UBI minimal or distroless image
from catalog.redhat.com (preferred) or, if using a non-Red Hat image, pin it by
digest instead of :latest—modify the final FROM line accordingly and ensure the
change applies to the runtime stage that follows the ovnkube-trace and tools
stages so provenance and reproducibility are preserved.

[rjhowe]

Only used for local testing this fedora image is not shipped or pushed to RH repos.

[coderabbitai]

@rjhowe, understood — the Dockerfile.fedora is explicitly a development-only image (noted in its header comment as well) and is never shipped to any registry. The hardening policy applies to production/shipped images. I'll dismiss this concern.

---

✏️ Learnings added

Learnt from: rjhowe
Repo: openshift/network-tools PR: 180
File: Dockerfile.fedora:8-12
Timestamp: 2026-06-03T20:41:39.450Z
Learning: In the `openshift/network-tools` repository, `Dockerfile.fedora` is a **development-only** image used exclusively for local testing. It is never pushed to Red Hat or any other production registry. Container hardening policy requirements (UBI base image, digest pinning, etc.) do not apply to this file.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[rjhowe]

/retest

[openshift-ci]

@rjhowe: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	adb9c22	link	true	/test e2e-aws-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.