1 change: 0 additions & 1 deletion Dockerfile
@@ -18,7 +18,6 @@ RUN rm -rf /opt/bin/local-scripts && ln -s /opt/bin/network-tools /usr/bin/netwo
RUN INSTALL_PKGS="\
conntrack-tools \
iproute \
nginx \
numactl \
traceroute \
wireshark-cli \
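Review bot: dropping nginx from INSTALL_PKGS here only holds together with the change in debug-scripts/test-networking/common, which replaces the nginx start with `python3 -m http.server 80`, so the image must still carry a python3 interpreter once nginx and whatever it pulled in are gone; docs/user.md lists python3-bcc, which implies one is present, but it is worth confirming that no other script under debug-scripts/ still calls nginx or systemctl before this lands.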
9 changes: 4 additions & 5 deletions Dockerfile.fedora
@@ -5,9 +5,9 @@
# This image is only for development environment, so please DO NOT DEPLOY
# this image in any production environment.
#
FROM registry.ci.openshift.org/ocp/4.12:ovn-kubernetes AS ovnkube-trace
FROM registry.ci.openshift.org/ocp/4.22:ovn-kubernetes AS ovnkube-trace

FROM registry.ci.openshift.org/ocp/4.12:tools AS tools
FROM registry.ci.openshift.org/ocp/4.22:tools AS tools

FROM fedora:latest
Comment on lines +8 to 12

@coderabbitai coderabbitai Bot Jun 3, 2026


⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Runtime base image violates container hardening policy

The runtime stage still uses fedora:latest (Line 12), which is neither a UBI minimal/distroless base nor pinned by digest for a non-Red Hat image. This weakens provenance and reproducibility guarantees.

As per coding guidelines, "Base image: UBI minimal or distroless from catalog.redhat.com" and "non-RH images: pin by digest".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.fedora` around lines 8 - 12, The Dockerfile uses an unpinned
non-RH runtime base ("FROM fedora:latest") which violates the base image policy;
update the final runtime stage to either use a UBI minimal or distroless image
from catalog.redhat.com (preferred) or, if using a non-Red Hat image, pin it by
digest instead of :latest—modify the final FROM line accordingly and ensure the
change applies to the runtime stage that follows the ovnkube-trace and tools
stages so provenance and reproducibility are preserved.

Author

Only used for local testing; this fedora image is not shipped or pushed to RH repos.


@rjhowe, understood — the Dockerfile.fedora is explicitly a development-only image (noted in its header comment as well) and is never shipped to any registry. The hardening policy applies to production/shipped images. I'll dismiss this concern.


✏️ Learnings added
Learnt from: rjhowe
Repo: openshift/network-tools PR: 180
File: Dockerfile.fedora:8-12
Timestamp: 2026-06-03T20:41:39.450Z
Learning: In the `openshift/network-tools` repository, `Dockerfile.fedora` is a **development-only** image used exclusively for local testing. It is never pushed to Red Hat or any other production registry. Container hardening policy requirements (UBI base image, digest pinning, etc.) do not apply to this file.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

COPY --from=ovnkube-trace /usr/bin/ovnkube-trace /usr/bin/
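Review bot: the 4.12 to 4.22 bump is applied to both the ovnkube-trace and tools stages, which keeps them consistent, but nothing in the hunk says why 4.22 was chosen or whether these two FROM lines are meant to track the release used by the main Dockerfile; a one-line comment beside them (for example `# keep in sync with Dockerfile`) would help the next person bumping them. The fedora:latest runtime base is covered by the thread above and accepted there as development-only.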
@@ -41,7 +41,6 @@ RUN INSTALL_PKGS="\
ltrace \
mailx \
net-tools \
nginx \
nmap-ncat \
numactl \
parted \
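Review bot: removing nginx from the Fedora package list matches the same removal in Dockerfile and docs/user.md, so the three lists stay in sync; since the test-networking scripts now start `python3 -m http.server`, it is worth checking that python3 is named explicitly in this list rather than arriving only as a transitive dependency of another package, otherwise a later package change could silently drop the interpreter the scripts rely on.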
@@ -62,8 +61,8 @@ RUN INSTALL_PKGS="\
wireshark-cli \
xfsprogs \
" && \
yum -y install --setopt=tsflags=nodocs --setopt=skip_missing_names_on_install=False $INSTALL_PKGS && \
yum clean all && rm -rf /var/cache/*
dnf -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
dnf clean all && rm -rf /var/cache/*

COPY debug-scripts/ /opt/bin/
# remove internal scripts from the image and create a symlink for network-tools and gather entrypoint for must-gather
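Review bot: the switch from `yum` to `dnf` also drops `--setopt=skip_missing_names_on_install=False`, which is what made the build fail on a misspelled or unavailable package name; dnf's `strict` option defaults to True and gives the same fail-fast behaviour, but that equivalence is stated nowhere in the hunk, so either spell it out as `--setopt=strict=True` on the `dnf -y install` line or mention it in the commit message so the intent survives the next edit.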
5 changes: 2 additions & 3 deletions debug-scripts/test-networking/common
@@ -16,7 +16,7 @@ create_pod_on_node () {

oc run "$POD_NAME" --image=quay.io/openshift/origin-network-tools:latest \
--overrides='{ "spec": { "nodeSelector": {"'"$POD_NAME"'": "network-tools-debug-role"}, "tolerations": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule", "operator": "Exists"}] }}' \
-- /sbin/init
-- python3 -m http.server 80

# wait till pod is running
oc wait --for=condition=Ready pod/"$POD_NAME" --timeout=3m
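Review bot: `python3 -m http.server 80` serves the container's current working directory with directory listings enabled, so whatever the image's WORKDIR holds becomes reachable through the test service; since this script only needs a listener on port 80, create an empty directory first and pass `--directory` (available since Python 3.7) pointing at it, so the test pod exposes nothing but an empty index. Binding port 80 also requires the container to run as root or hold CAP_NET_BIND_SERVICE, which is worth a comment here if the origin-network-tools image guarantees it.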
@@ -31,8 +31,7 @@ create_svc () {
# create the backing pod
create_pod_on_node "$SVC_NAME" "$NODE_NAME"
echo "INFO: Creating a ClusterIP service: "$SVC_NAME""
# start webserver and expose the port
oc rsh "$SVC_NAME" systemctl start nginx

# TODO: Allow users to specify which svc type they want to test
oc expose pod/"$SVC_NAME" --port=80
# wait till svc endpoint is created
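Review bot: with `oc rsh "$SVC_NAME" systemctl start nginx` gone, the removal leaves a bare blank line between the echo and the TODO comment, and nothing in create_svc now says that the backing pod already listens on port 80 from its own command; tidy the blank line and add a one-line comment before `oc expose pod/"$SVC_NAME" --port=80` noting that the pod's entrypoint (`python3 -m http.server 80` in create_pod_on_node) provides the listener, so a reader does not go looking for a missing server start.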
1 change: 0 additions & 1 deletion docs/user.md
@@ -60,7 +60,6 @@ To run script that are not included in the `network-tools -h` call them directly
* bcc
* bcc-tools
* python3-bcc
* nginx
* numactl
* traceroute
* wireshark-cli
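Review bot: the tool list is updated consistently with the removal of nginx from the Dockerfiles, but the page does not mention that the test-networking scripts now bring up their own listener with `python3 -m http.server`; users who relied on nginx being in the image for ad hoc `oc rsh` debugging would benefit from a short note on this page, or in a changelog entry, saying it was removed and what replaced it.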