OCPBUGS-83863: Remove rhel8 CNI binary logic, fall back to default paths

[sdodson]

Summary

• Replace hardcoded rhel8/rhel9 case statements in both cnibincopy scripts with dynamic OS version detection
• Consolidate RHEL8_SOURCE_DIRECTORY, RHEL9_SOURCE_DIRECTORY, and DEFAULT_SOURCE_DIRECTORY env vars into a single SOURCE_DIRECTORY
• Update Fedora CoreOS hardcoded rhelmajor from 8 to 9

multus.yaml

The script detects the RHEL major version at runtime and probes for a version-specific directory in two layouts:

1. Standard: rhel<N> inserted before the last path component (e.g., /usr/src/multus-cni/rhel9/bin/)
2. Flat: rhel<N> as a subdirectory (e.g., /bondcni/rhel9/)

Falls back to SOURCE_DIRECTORY with a warning when neither exists.

008-script-lib.yaml (OVN)

Tries /usr/libexec/cni/rhel${rhelmajor} first, falls back to /usr/libexec/cni/ with a warning.

This unblocks removing rhel8 build stages from upstream images (openshift/ovn-kubernetes#3149, openshift/multus-cni#285) and is forwards-compatible with future RHEL versions without any CNO changes.

Test plan

• Verify OVN CNI shim binary is correctly copied on RHEL 9 CoreOS nodes
• Verify multus and ancillary CNI plugin binaries are correctly copied on RHEL 9 nodes
• Verify graceful fallback to default directory when version-specific directory is absent
• Verify no regression on clusters with current images (rhel9 directories still present)

Summary by CodeRabbit

• Chores

  • Simplified how CNI binaries are selected and copied by containers; source location is now set explicitly per component.
  • Removed host OS detection from initialization, reducing variance across platforms.
  • Consolidated and clarified logging around CNI copy operations for easier troubleshooting.

• Bug Fixes

  • Ensured bond-related networking uses a consistent source path to avoid missing plugin issues.

[openshift-ci-robot]

@sdodson: This pull request references Jira Issue OCPBUGS-83863, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

• Replace hardcoded rhel8/rhel9 case statements in both cnibincopy scripts with dynamic OS version detection that tries the version-specific directory first and falls back to the default path when it doesn't exist
• Remove all RHEL8_SOURCE_DIRECTORY env vars from multus init containers
• Update Fedora CoreOS hardcoded rhelmajor from 8 to 9

This unblocks removing rhel8 build stages from upstream images (openshift/ovn-kubernetes#3149, openshift/multus-cni#285) and is forwards-compatible with future RHEL versions — adding RHEL 10 support only requires adding RHEL10_SOURCE_DIRECTORY env vars to the init containers.

Files changed

• bindata/network/ovn-kubernetes/common/008-script-lib.yaml — cni-bin-copy() now tries /usr/libexec/cni/rhel${rhelmajor}, falls back to /usr/libexec/cni/
• bindata/network/multus/multus.yaml — cnibincopy.sh dynamically looks up RHEL${rhelmajor}_SOURCE_DIRECTORY via bash indirect reference, falls back to DEFAULT_SOURCE_DIRECTORY

Test plan

• Verify OVN CNI shim binary is correctly copied on RHEL 9 CoreOS nodes
• Verify multus and ancillary CNI plugin binaries are correctly copied on RHEL 9 nodes
• Verify graceful fallback to default directory when version-specific directory is absent
• Verify no regression on clusters with current images (rhel9 directories still present)

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Removed OS/version-based CNI source selection and replaced it with a single required SOURCE_DIRECTORY environment variable; scripts now read SOURCE_DIRECTORY, log the chosen source, and copy directly from it. Corresponding DaemonSet/ConfigMap YAML removed os-release mounts and RHEL8/RHEL9/DEFAULT env vars and set SOURCE_DIRECTORY per container/initContainer.

Changes

Multus manifests

Layer / File(s)	Summary
DaemonSet env and mounts bindata/network/multus/multus.yaml	Removed RHEL8_SOURCE_DIRECTORY, RHEL9_SOURCE_DIRECTORY, and DEFAULT_SOURCE_DIRECTORY env vars; added SOURCE_DIRECTORY env var for kube-multus container and all CNI/binary copy initContainers.
Remove os-release mounts/volumes bindata/network/multus/multus.yaml	Removed /host/etc/os-release volumeMounts from containers and deleted the os-release volume entries used for host OS detection.
Per-plugin SOURCE_DIRECTORY values bindata/network/multus/multus.yaml	Set explicit SOURCE_DIRECTORY values for each copy initContainer (e.g., multus CNI path, /bondcni/ for bond plugin, plugin-specific /usr/src/.../bin/).

OVN Kubernetes script lib & cni copy

Layer / File(s)	Summary
cni-bin-copy implementation change bindata/network/ovn-kubernetes/common/008-script-lib.yaml	Simplified cni-bin-copy() to use a fixed source path for the overlay (/usr/libexec/cni/ovn-k8s-cni-overlay), log the source directory, and perform a direct cp into /cni-bin-dir/. Removed host OS detection and rhel-major branching.
Script contract: SOURCE_DIRECTORY usage bindata/network/ovn-kubernetes/common/008-script-lib.yaml, bindata/network/multus/multus.yaml	Script now expects SOURCE_DIRECTORY (set in YAML) instead of per-version env vars; callers updated in manifests to provide the concrete source paths.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: removing RHEL8 CNI binary logic and falling back to default paths, which aligns with the commit's removal of version-specific directory probing and OS detection.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies YAML configuration files only. Repository does not use Ginkgo testing framework. No test files were modified. Check not applicable.
Test Structure And Quality	✅ Passed	The custom check for Ginkgo test code is not applicable. This PR modifies only YAML configuration files, not Go/Ginkgo tests.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added. PR modifies YAML configuration files with embedded shell scripts for CNI binary copying, not test code. The custom check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes are limited to YAML ConfigMaps with embedded shell scripts for CNI binary operations. The SNO test compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	No topology-breaking constraints. Script-only changes within pods. Universal tolerations and OS nodeSelector work on all supported OpenShift topologies including SNO, Two-Node, and HyperShift.
Ote Binary Stdout Contract	✅ Passed	PR modifies only YAML ConfigMap files with embedded shell scripts, not Go test binaries. OTE Stdout Contract check only applies to Go binaries, making it inapplicable here.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It only modifies YAML ConfigMaps with embedded shell scripts for CNI binary copying. The custom check is not applicable to this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sdodson
Once this PR has been reviewed and has the lgtm label, please assign abhat for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (2)

bindata/network/multus/multus.yaml (1)

24-26: Also validate that DEFAULT_SOURCE_DIRECTORY is an existing directory.

Right now only variable presence is validated. Add a -d check so failures are explicit and happen before copy-time exits.

Suggested patch

 if [ -z "$DEFAULT_SOURCE_DIRECTORY" ]; then
   log "FATAL ERROR: You must set the DEFAULT_SOURCE_DIRECTORY env variable"
   exit 1
 fi
+if [ ! -d "$DEFAULT_SOURCE_DIRECTORY" ]; then
+  log "FATAL ERROR: DEFAULT_SOURCE_DIRECTORY ($DEFAULT_SOURCE_DIRECTORY) does not exist"
+  exit 1
+fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bindata/network/multus/multus.yaml` around lines 24 - 26, The script
currently checks only for presence of DEFAULT_SOURCE_DIRECTORY; modify the
validation around that variable (the if block referencing
DEFAULT_SOURCE_DIRECTORY and the log function) to also verify it is an existing
directory (use a -d style check), and if the check fails call log with a clear
fatal message including the variable name and then exit 1 so failures occur
immediately before any copy operations.

bindata/network/ovn-kubernetes/common/008-script-lib.yaml (1)

500-503: Prefer deriving FCOS major dynamically instead of hardcoding 9.

Line 502 hardcodes Fedora CoreOS to RHEL9, which means this path won’t pick rhel10+ directories without another code change. Consider deriving/probing dynamically to keep the new fallback logic future-proof.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bindata/network/ovn-kubernetes/common/008-script-lib.yaml` around lines 500 -
503, The fedora) branch currently hardcodes rhelmajor=9 for FCOS (VARIANT_ID ==
"coreos"); replace that hardcoded assignment with runtime detection: inside the
fedora) block (where VARIANT_ID and rhelmajor are used) probe the host image to
derive the RHEL major version (e.g., parse /etc/os-release fields like
VERSION_ID/ID_LIKE or run an rpm macro query such as rpm -E '%{rhel}' as a
fallback) and set rhelmajor to the detected major number, falling back to a
sensible default only if detection fails.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@bindata/network/multus/multus.yaml`:
- Around line 24-26: The script currently checks only for presence of
DEFAULT_SOURCE_DIRECTORY; modify the validation around that variable (the if
block referencing DEFAULT_SOURCE_DIRECTORY and the log function) to also verify
it is an existing directory (use a -d style check), and if the check fails call
log with a clear fatal message including the variable name and then exit 1 so
failures occur immediately before any copy operations.

In `@bindata/network/ovn-kubernetes/common/008-script-lib.yaml`:
- Around line 500-503: The fedora) branch currently hardcodes rhelmajor=9 for
FCOS (VARIANT_ID == "coreos"); replace that hardcoded assignment with runtime
detection: inside the fedora) block (where VARIANT_ID and rhelmajor are used)
probe the host image to derive the RHEL major version (e.g., parse
/etc/os-release fields like VERSION_ID/ID_LIKE or run an rpm macro query such as
rpm -E '%{rhel}' as a fallback) and set rhelmajor to the detected major number,
falling back to a sensible default only if detection fails.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 899d45c2-d48a-447b-a74a-f98028b409f0

📥 Commits

Reviewing files that changed from the base of the PR and between bdbba59 and 71efd9d.

📒 Files selected for processing (2)

• bindata/network/multus/multus.yaml
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindata/network/multus/multus.yaml`:
- Around line 415-416: The SOURCE_DIRECTORY environment for the bond-cni-plugin
is currently set to the EL9-specific path "/bondcni/rhel9/" which causes the
resolver to construct paths like "/bondcni/rhel${rhelmajor}/rhel9"; change
SOURCE_DIRECTORY to the unversioned base path "/bondcni/" (or alternatively keep
explicit per-RHEL wiring) so the resolver derives the correct per-release
subpaths instead of always falling back to rhel9; update the env var named
SOURCE_DIRECTORY in the bond-cni-plugin container spec accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 88d2ddfe-14cd-40c7-9bc4-3a3bd9a94435

📥 Commits

Reviewing files that changed from the base of the PR and between 71efd9d and a4f2c56.

📒 Files selected for processing (2)

• bindata/network/multus/multus.yaml
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml

[sdodson]

/hold
Need to test all of these together

[sdodson]

/testwith e2e-gcp-ovn openshift/ovn-kubernetes#3149 openshift/multus-cni#285

[openshift-ci]

@sdodson, testwith: Error processing request. ERROR:

could not determine job runs: requested job is invalid. needs to be formatted like: <org>/<repo>/<branch>/<variant?>/<job>. instead it was: e2e-gcp-ovn

[sdodson]

/testwith openshift/cluster-network-operator/master/e2e-gcp-ovn openshift/ovn-kubernetes#3149 openshift/multus-cni#285

[sdodson]

/testwith openshift/cluster-network-operator/master/e2e-gcp-ovn openshift/ovn-kubernetes#3149 openshift/multus-cni#285 openshift/route-override-cni#66 openshift/bond-cni#113 openshift/egress-router-cni#100 openshift/containernetworking-pluigins#228 openshift/whereabouts-cni#405

[openshift-ci]

@sdodson, testwith: Error processing request. ERROR:

could not determine job runs: couldn't get PR from GitHub: openshift/containernetworking-pluigins#228: status code 404 not one of [200], body: {"message":"Not Found","documentation_url":"https://docs.github.com/rest/pulls/pulls#get-a-pull-request","status":"404"}

[sdodson]

/testwith openshift/cluster-network-operator/master/e2e-gcp-ovn openshift/ovn-kubernetes#3149 openshift/multus-cni#285 openshift/route-override-cni#66 openshift/bond-cni#113 openshift/egress-router-cni#100 openshift/containernetworking-plugins#228 openshift/whereabouts-cni#405

[coderabbitai]

🧹 Nitpick comments (1)

bindata/network/multus/multus.yaml (1)

71-73: Normalize the fallback path before reusing it.

This branch keeps SOURCE_DIRECTORY verbatim, so a future caller that passes /usr/src/plugins/bin instead of /usr/src/plugins/bin/ will make Line 82 copy the bin directory itself rather than its contents. Using the already-trimmed value here avoids making the trailing slash part of the script’s API.

♻️ Proposed fix

     if [ -z "$sourcedir" ]; then
       log "WARNING: No version-specific directory found for rhel${rhelmajor}, using ${SOURCE_DIRECTORY}"
-      sourcedir="${SOURCE_DIRECTORY}"
+      sourcedir="${default_trimmed}/"
     fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bindata/network/multus/multus.yaml` around lines 71 - 73, When falling back
to SOURCE_DIRECTORY for sourcedir, normalize the path by removing any trailing
slash before assigning it so callers passing either "/usr/src/plugins/bin" or
"/usr/src/plugins/bin/" behave the same; update the assignment of sourcedir in
the branch that checks if [ -z "$sourcedir" ] to use the already-trimmed value
(or compute a trimmed version of SOURCE_DIRECTORY) so subsequent uses of
sourcedir (e.g., the copy logic later) operate on the directory contents rather
than the directory name.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@bindata/network/multus/multus.yaml`:
- Around line 71-73: When falling back to SOURCE_DIRECTORY for sourcedir,
normalize the path by removing any trailing slash before assigning it so callers
passing either "/usr/src/plugins/bin" or "/usr/src/plugins/bin/" behave the
same; update the assignment of sourcedir in the branch that checks if [ -z
"$sourcedir" ] to use the already-trimmed value (or compute a trimmed version of
SOURCE_DIRECTORY) so subsequent uses of sourcedir (e.g., the copy logic later)
operate on the directory contents rather than the directory name.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8d7eed9b-550f-42ae-a699-05e7a2f2429b

📥 Commits

Reviewing files that changed from the base of the PR and between a4f2c56 and f5f6667.

📒 Files selected for processing (2)

• bindata/network/multus/multus.yaml
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml

[coderabbitai]

🧹 Nitpick comments (2)

bindata/network/ovn-kubernetes/common/008-script-lib.yaml (1)

481-491: 💤 Low value

Outdated function docstring.

The docstring on lines 481-486 states the function "detects the host OS" and requires the /host volume mount, but the implementation now copies from a fixed path without any OS detection. Update the comment to reflect the simplified behavior.

📝 Suggested docstring update

-    # cni-bin-copy() detects the host OS and copies the correct shim binary to
-    # the CNI binary directory.
-    #
-    # Requires the following volume mounts:
-    #   /host
-    #   /cni-bin-dir
+    # cni-bin-copy() copies the CNI shim binary to the CNI binary directory.
+    #
+    # Requires the following volume mounts:
+    #   /cni-bin-dir
     cni-bin-copy()
     {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/network/ovn-kubernetes/common/008-script-lib.yaml` around lines 481 -
491, The comment above the cni-bin-copy() function is outdated: it claims the
function detects the host OS and requires a /host mount, but the implementation
simply copies a fixed shim from /usr/libexec/cni/ovn-k8s-cni-overlay to
/cni-bin-dir/. Update the docstring for cni-bin-copy() to remove any mention of
OS detection and the /host volume, and instead state that it copies the fixed
shim from /usr/libexec/cni/ovn-k8s-cni-overlay into /cni-bin-dir/ (and list only
the /cni-bin-dir/ mount as required).

bindata/network/multus/multus.yaml (1)

8-9: 💤 Low value

Outdated ConfigMap description.

The annotation states "copy CNI binaries based on host OS" but the script no longer performs OS detection—it copies directly from SOURCE_DIRECTORY.

📝 Suggested description update

   annotations:
     kubernetes.io/description: |
-      This is a script used to copy CNI binaries based on host OS
+      This is a script used to copy CNI binaries from a specified source directory

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/network/multus/multus.yaml` around lines 8 - 9, Update the
kubernetes.io/description annotation in multus.yaml to reflect current behavior:
the script no longer detects host OS but copies CNI binaries directly from
SOURCE_DIRECTORY; edit the description text (kubernetes.io/description) to
remove references to "based on host OS" and instead state it copies CNI binaries
from SOURCE_DIRECTORY without OS detection.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@bindata/network/multus/multus.yaml`:
- Around line 8-9: Update the kubernetes.io/description annotation in
multus.yaml to reflect current behavior: the script no longer detects host OS
but copies CNI binaries directly from SOURCE_DIRECTORY; edit the description
text (kubernetes.io/description) to remove references to "based on host OS" and
instead state it copies CNI binaries from SOURCE_DIRECTORY without OS detection.

In `@bindata/network/ovn-kubernetes/common/008-script-lib.yaml`:
- Around line 481-491: The comment above the cni-bin-copy() function is
outdated: it claims the function detects the host OS and requires a /host mount,
but the implementation simply copies a fixed shim from
/usr/libexec/cni/ovn-k8s-cni-overlay to /cni-bin-dir/. Update the docstring for
cni-bin-copy() to remove any mention of OS detection and the /host volume, and
instead state that it copies the fixed shim from
/usr/libexec/cni/ovn-k8s-cni-overlay into /cni-bin-dir/ (and list only the
/cni-bin-dir/ mount as required).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ad37a26c-b2a6-418c-8c87-3fd0b41857ec

📥 Commits

Reviewing files that changed from the base of the PR and between f5f6667 and a5c883c.

📒 Files selected for processing (2)

• bindata/network/multus/multus.yaml
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml

[openshift-ci]

@sdodson: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-fdp-qe	a5c883c	link	true	/test e2e-aws-ovn-fdp-qe
ci/prow/e2e-ovn-ipsec-step-registry	a5c883c	link	true	/test e2e-ovn-ipsec-step-registry
ci/prow/4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-upgrade	a5c883c	link	false	/test 4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-upgrade
ci/prow/e2e-aws-ovn-serial-1of2	a5c883c	link	true	/test e2e-aws-ovn-serial-1of2
ci/prow/4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade	a5c883c	link	false	/test 4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade
ci/prow/e2e-aws-ovn-rhcos10-techpreview	a5c883c	link	false	/test e2e-aws-ovn-rhcos10-techpreview
ci/prow/e2e-aws-ovn-serial-2of2	a5c883c	link	true	/test e2e-aws-ovn-serial-2of2
ci/prow/4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade	a5c883c	link	false	/test 4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade
ci/prow/security	a5c883c	link	false	/test security
ci/prow/e2e-aws-ovn-upgrade	a5c883c	link	true	/test e2e-aws-ovn-upgrade
ci/prow/e2e-gcp-ovn	a5c883c	link	true	/test e2e-gcp-ovn
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec	a5c883c	link	true	/test e2e-metal-ipi-ovn-ipv6-ipsec
ci/prow/e2e-aws-ovn-windows	a5c883c	link	true	/test e2e-aws-ovn-windows

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.