Fix tests-private-base/baseui DockerBuildFailed on release-4.18 and r…

[pruan-rht]

…elease-4.20

release-4.18: Add ENV ART_DNF_WRAPPER_POLICY=append to tests-private-base and tests-private-baseui dockerfile_literal blocks so the ART yum/dnf wrapper also searches /etc/yum.repos.d/, enabling local RPM installs (google-chrome) and external repo access (azure-cli, google-cloud-cli, nodesource).

release-4.20: Replace yum config-manager --disable with inline --disablerepo= flags on yum update/install commands, matching the pattern used by 4.21 and 4.22. The yum config-manager subcommand requires dnf-plugins-core which is no longer pre-installed in the 4.20 tools base image.

Summary by CodeRabbit

This PR addresses Docker build failures in the openshift-tests-private CI configuration across two release branches by fixing package repository access issues.

Release 4.18 Changes:

• Adds ENV ART_DNF_WRAPPER_POLICY=append to the Dockerfile definitions for both the tests-private-base and tests-private-baseui builder images
• This environment variable enables the ART yum/dnf wrapper to also search the /etc/yum.repos.d/ directory, which allows:
  • Local RPM installations (e.g., google-chrome)
  • Access to external package repositories (azure-cli, google-cloud-cli, nodesource)

Release 4.20 Changes:

• Replaces yum config-manager --disable calls with inline --disablerepo= flags on both yum update and yum install commands
• Specifically disables the UBI repository mirrors (ubi-9-appstream, ubi-9-baseos, ubi-9-codeready-builder)
• This change is necessary because the yum config-manager subcommand requires the dnf-plugins-core package, which is no longer pre-installed in the 4.20 tools base image
• Aligns the 4.20 configuration with the approach already used in 4.21 and 4.22

Both changes fix Docker build failures (DockerBuildFailed) by resolving repository and package installation issues in the test infrastructure images.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 625396cf-9a21-4984-a4e0-37eea022db1c

📥 Commits

Reviewing files that changed from the base of the PR and between e1f542b and e79b9b4.

📒 Files selected for processing (2)

• ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18.yaml
• ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.20__images.yaml

---

Walkthrough

This PR updates CI operator configurations for two OpenShift release versions: adding a DNF wrapper policy environment variable to test builder stages in release 4.18, and refactoring how repository disabling works in the tools image build for release 4.20 by applying flags directly to yum commands instead of using a configuration manager.

Changes

CI Operator Configuration Updates

Layer / File(s)	Summary
Release 4.18 DNF Wrapper Policy Configuration ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18.yaml	The tests-private-base and tests-private-baseui builder stages each receive ENV ART_DNF_WRAPPER_POLICY=append in their embedded Dockerfile snippets.
Release 4.20 Repository Disabling Refactor ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.20__images.yaml	The tools image build replaces yum config-manager --disable with --disablerepo flags applied directly to yum update and yum install commands.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

lgtm, approved, ok-to-test, rehearsals-ack

Suggested reviewers

• asood-rh
• jechen0648
• oliver-smakal

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title identifies the core issues being fixed (DockerBuildFailed) and mentions both release versions involved, clearly conveying the main changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only CI/CD configuration YAML files (openshift-openshift-tests-private release configs), not Ginkgo test code. No test definitions with dynamic names are present in modified files.
Test Structure And Quality	✅ Passed	This PR modifies only YAML build configuration files, not Ginkgo test code. The custom check is not applicable as the PR contains no test code to review.
Microshift Test Compatibility	✅ Passed	PR does not add any Ginkgo e2e tests; it only modifies YAML CI/CD pipeline configuration files with Docker build step changes. The MicroShift test compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. PR modifies only CI build config YAML files, not test code. SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	Changes are CI configuration files with only Dockerfile build instructions. No Kubernetes deployment manifests, operator code, or scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR contains only YAML CI/CD configuration changes for Docker builds; no Go source code, stdout writes, or test extension binary code modifications present.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only CI operator YAML configuration files with embedded Dockerfile content, not Ginkgo e2e test code. No new tests are being added.
No-Weak-Crypto	✅ Passed	PR contains only infrastructure/config changes (ENV variable and yum flags) with no weak crypto, custom crypto, or insecure secret comparisons added or modified.
Container-Privileges	✅ Passed	The PR modifies CI/CD configuration files with Dockerfile build instructions only. No Kubernetes manifests or container privilege settings are present in the changes.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data found in the PR. Changes add ENV and --disablerepo flags to existing Dockerfile configs. All URLs and GPG keys are PUBLIC, not authentication credentials.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pruan-rht

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/openshift-tests-private/OWNERS [pruan-rht]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@pruan-rht: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-openshift-tests-private-release-4.20-images-images	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-bindata-check	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-code-check	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-debug-disasterrecovery-aws-ipi	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-debug-disasterrecovery-metal-upi	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-debug-winc-aws-ipi	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-debug-winc-aws-upi	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-debug-winc-azure-ipi	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-debug-winc-gcp-ipi	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-debug-winc-vsphere-ipi-disconnected	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-e2e-aws	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-e2e-console	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-images	openshift/openshift-tests-private	presubmit	Ci-operator config changed
pull-ci-openshift-openshift-tests-private-release-4.18-title-check	openshift/openshift-tests-private	presubmit	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-4.18-upgrade-from-stable-4.18-metal-ipi-ovn-ipv4-basecap-none-arm-f60	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-4.18-upgrade-from-stable-4.18-gcp-ipi-xpn-mini-perm-arm-f60	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-4.18-upgrade-from-stable-4.18-aws-ipi-shared-vpc-phz-sts-fips-openldap-mini-perm-f60	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-gcp-ipi-proxy-oidc-mini-perm-arm-f28	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-ipi-basecap-vset-additionalcap-arm-f14	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-aws-ipi-ovn-hypershift-arm-nodepool-guest-efs-f14	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-gcp-ipi-confidential-secureboot-mini-perm-f14	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-4.18-upgrade-from-stable-4.17-gcp-ipi-proxy-private-mini-perm-arm-f28	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-vsphere-upi-disconnecting-network-f28-destructive	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-vsphere-ipi-multi-nic-f28-destructive	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-4.18-upgrade-from-stable-4.18-aws-ipi-wavelength-sts-fips-mini-perm-f60	N/A	periodic	Ci-operator config changed

A total of 937 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here
Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@pruan-rht: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.