OCPBUGS-76394: Ignore group ownership on rpm -V

[sdodson]

What's happening is since we're removing subscription-manager from the base image and a subsequent step write /etc/yum.repos.d/redhat.repo with group ownership that differs from what's defined in subscription-manager rpm it fails verification. The intent of this command seems to be to ensure that all requested rpms are installed so group ownership doesn't seem critical to verify here.

Note: subscription-manager doesn't actually deliver /etc/yum.repos.d/redhat.repo but it does lay claim to it via its rpm file list.

Summary by CodeRabbit

• Chores
  • Updated Docker build configuration for package verification.

[openshift-ci-robot]

@sdodson: This pull request references Jira Issue OCPBUGS-76394, which is invalid:

• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Verified instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What's happening is since we're removing subscription-manager from the base image and a subsequent step writes the file with group ownership that differs from what's defined in subscription-manager rpm it fails verification. The intent of this command seems to be to ensure that all requested rpms are installed so group ownership doesn't seem critical to verify here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

The Dockerfile for the tools image has been updated to add the --nogroup flag to an existing rpm -V verification command alongside other verification flags. This modifies the package verification step without altering the installation process or control flow.

Changes

Cohort / File(s)	Summary
Dockerfile Configuration images/tools/Dockerfile	Added --nogroup flag to rpm -V verification command for $INSTALL_PKGS.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding the --nogroup flag to rpm -V verification. It directly relates to the only file modified and the primary objective of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	This PR only modifies a Dockerfile and contains no test files or test naming changes.
Test Structure And Quality	✅ Passed	PR modifies only Dockerfile infrastructure code, not test code, so test quality requirements do not apply.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sdodson]

/jira refresh

FWIW, I intend to merge this once it passes CI.

[openshift-ci-robot]

@sdodson: This pull request references Jira Issue OCPBUGS-76394, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @rbbratta

Details

In response to this:

/jira refresh

FWIW, I intend to merge this once it passes CI.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sdodson]

/verified by CI

[openshift-ci-robot]

@sdodson: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sdodson]

/override ci/prow/e2e-aws-ovn-serial-1of2 ci/prow/e2e-aws-ovn-serial-1of2 ci/prow/e2e-aws-ovn-upgrade

[ardaguclu]

/lgtm

[openshift-ci-robot]

@sdodson: This pull request references Jira Issue OCPBUGS-76394, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @rbbratta

Details

In response to this:

What's happening is since we're removing subscription-manager from the base image and a subsequent step write /etc/yum.repos.d/redhat.repo with group ownership that differs from what's defined in subscription-manager rpm it fails verification. The intent of this command seems to be to ensure that all requested rpms are installed so group ownership doesn't seem critical to verify here.

Note: subscription-manager doesn't actually deliver /etc/yum.repos.d/redhat.repo but it does lay claim to it via its rpm file list.

Summary by CodeRabbit

• Chores
• Updated Docker build configuration for package verification.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ardaguclu]

There is another indirectly related PR, just for awareness #2205

[openshift-ci]

@sdodson: Overrode contexts on behalf of sdodson: ci/prow/e2e-aws-ovn-serial-1of2, ci/prow/e2e-aws-ovn-upgrade

Details

In response to this:

/override ci/prow/e2e-aws-ovn-serial-1of2 ci/prow/e2e-aws-ovn-serial-1of2 ci/prow/e2e-aws-ovn-upgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, sdodson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ardaguclu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sdodson]

There is another indirectly related PR, just for awareness #2205

Thanks for the pointer and also for quick review on these, I think these two can go forward without conflict.

[sdodson]

/override ci/prow/e2e-agnostic-ovn-cmd ci/prow/e2e-aws-ovn ci/prow/e2e-aws-serial-2of2

[openshift-ci]

@sdodson: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• ci/prow/e2e-aws-serial-2of2

Only the following failed contexts/checkruns were expected:

• CodeRabbit
• ci/prow/build-rpms-from-tar
• ci/prow/e2e-agnostic-ovn-cmd
• ci/prow/e2e-aws-oc-ote
• ci/prow/e2e-aws-oc-ote-serial
• ci/prow/e2e-aws-ovn
• ci/prow/e2e-aws-ovn-serial-1of2
• ci/prow/e2e-aws-ovn-serial-2of2
• ci/prow/e2e-aws-ovn-upgrade
• ci/prow/images
• ci/prow/okd-scos-images
• ci/prow/rpm-build
• ci/prow/security
• ci/prow/unit
• ci/prow/verify
• ci/prow/verify-deps
• pull-ci-openshift-oc-main-build-rpms-from-tar
• pull-ci-openshift-oc-main-e2e-agnostic-ovn-cmd
• pull-ci-openshift-oc-main-e2e-aws-oc-ote
• pull-ci-openshift-oc-main-e2e-aws-oc-ote-serial
• pull-ci-openshift-oc-main-e2e-aws-ovn
• pull-ci-openshift-oc-main-e2e-aws-ovn-serial-1of2
• pull-ci-openshift-oc-main-e2e-aws-ovn-serial-2of2
• pull-ci-openshift-oc-main-e2e-aws-ovn-upgrade
• pull-ci-openshift-oc-main-images
• pull-ci-openshift-oc-main-okd-scos-images
• pull-ci-openshift-oc-main-rpm-build
• pull-ci-openshift-oc-main-security
• pull-ci-openshift-oc-main-unit
• pull-ci-openshift-oc-main-verify
• pull-ci-openshift-oc-main-verify-deps
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override ci/prow/e2e-agnostic-ovn-cmd ci/prow/e2e-aws-ovn ci/prow/e2e-aws-serial-2of2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sdodson]

/override ci/prow/e2e-agnostic-ovn-cmd ci/prow/e2e-aws-ovn ci/prow/e2e-aws-ovn-serial-2of2

[openshift-ci]

@sdodson: Overrode contexts on behalf of sdodson: ci/prow/e2e-agnostic-ovn-cmd, ci/prow/e2e-aws-ovn, ci/prow/e2e-aws-ovn-serial-2of2

Details

In response to this:

/override ci/prow/e2e-agnostic-ovn-cmd ci/prow/e2e-aws-ovn ci/prow/e2e-aws-ovn-serial-2of2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@sdodson: Jira Issue Verification Checks: Jira Issue OCPBUGS-76394
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-76394 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

What's happening is since we're removing subscription-manager from the base image and a subsequent step write /etc/yum.repos.d/redhat.repo with group ownership that differs from what's defined in subscription-manager rpm it fails verification. The intent of this command seems to be to ensure that all requested rpms are installed so group ownership doesn't seem critical to verify here.

Note: subscription-manager doesn't actually deliver /etc/yum.repos.d/redhat.repo but it does lay claim to it via its rpm file list.

Summary by CodeRabbit

• Chores
• Updated Docker build configuration for package verification.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in accepted release 4.22.0-0.nightly-2026-02-21-040517

[sdodson]

/cherry-pick release-4.21 release-4.20

[openshift-cherrypick-robot]

@sdodson: new pull request created: #2208

Details

In response to this:

/cherry-pick release-4.21 release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.