Adding support for payload multiple-stream.

[ybettan]

The multiple-stream effort will contain multiple images considered as machine-os in the payload as well as multiple driver-toolkit images.

This commit is adding some labels to the container such as the rhel-stream and kernel-version.

In addition it adds a reference to the rhel-coreos-10 image in order to specify to the payload that DTK depends on the rhel-coreos-10 image.

---

/assign @jlebon
/cc @dustymabe @sdodson @travier @joepvd

Summary by CodeRabbit

• New Features

  • Added RHEL 10–based driver-toolkit images with kernel dev/tools, modules, and real-time kernel support for x86_64 and aarch64.

• Infrastructure

  • Image metadata now exposes kernel version, real-time kernel version, and RHEL release information in build/runtime metadata.
  • Manifest references refined into explicit image entries for clearer image management.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ybettan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ybettan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ybettan]

/hold
Let's wait with the merge util ART, oc and rhcos sides are ready.

[ybettan]

CI is failing with

error: failed to push image registry.build09.ci.openshift.org/ci-op-s32ks3md/release:latest: unable to upload new layer (0): Patch "https://registry.build09.ci.openshift.org/v2/ci-op-s32ks3md/release/blobs/uploads/28f7b512-00ca-497d-90d5-af8add973312?_state=jrqAoJunzNy78omjdQYHrhN7hEN1H5TseZNpvtDe2257Ik5hbWUiOiJjaS1vcC1zMzJrczNtZC9yZWxlYXNlIiwiVVVJRCI6IjI4ZjdiNTEyLTAwY2EtNDk3ZC05MGQ1LWFmOGFkZDk3MzMxMiIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAyNi0wMi0wNVQwOTo1NjowOC44NTg5NTQyNjdaIn0%3D": operator "driver-toolkit" contained an invalid image-references file: no input image tag named "stream-coreos-10"

@sdodson What version of OKD introduce the rhel-coreos-10 image to the payload?

[ybettan]

/retest

[joepvd]

Did you test how this works in a PR to release repo? The images jon only produces one image.

Also, OKD needs to work.

[ybettan]

@joepvd
There is no registry.ci.openshift.org/ocp/4.22:base-rhel10 in the release repo.
Should I use registry.ci.openshift.org/ocp/4.22:rhel-coreos-10 or should we add a new registry.ci.openshift.org/ocp/4.22:base-rhel10 image in the CI registry?

[ybettan]

TODO: Replace the base image.
The base-rhel10 should be available in the next few days:
https://redhat-internal.slack.com/archives/CBN38N3MW/p1772993158695559?thread_ts=1772982114.642989&cid=CBN38N3MW

[ybettan]

Did you test how this works in a PR to release repo? The images jon only produces one image.

Also, OKD needs to work.

I have now because I split the Dockerfile. This is the chicken and egg problem though. CI fill fail here because the is no Dockerfile anymore to use in the images job and the release job will fail because it looks for Dockerfile.rhelx files which doesn't exist in the main branch yet.

openshift/release#75027

[coderabbitai]

Walkthrough

Adds RHEL 10 support and expands runtime/kernel metadata: introduces Dockerfile.rhel10, updates Dockerfile to copy manifests explicitly and add kernel-related labels, and adds an OpenShift ImageStream manifest for RHEL 10; final image metadata now includes KERNEL_VERSION, RT_KERNEL_VERSION, and RHEL_VERSION.

Changes

Cohort / File(s)	Summary
Dockerfile updates Dockerfile	Replaces broad manifests copy with explicit copies of manifests/01-openshift-imagestream.yaml and manifests/image-references. Extends LABELs with io.openshift.os.streamclass, kernel-version, and kernel-rt-version. Final layer exports INSTALLED_RT_KERNEL and writes JSON containing KERNEL_VERSION, RT_KERNEL_VERSION, and RHEL_VERSION.
RHEL 10 driver-toolkit Dockerfile.rhel10	New Dockerfile targeting rhel-coreos-10 with ARGs for KERNEL_VERSION, RT_KERNEL_VERSION, RHEL_VERSION; conditional RHEL_VERSION inference from /etc/os-release; arch-specific package installation (x86_64, aarch64 including 64k pages); installs kernel and RT headers/modules, dev toolchain, signing/runtime deps, and DPDK-related packages; verifies kernel-core and kernel-rt Source RPMs match; cleans caches, copies manifests, sets labels, and writes /etc/driver-toolkit-release.json with KERNEL_VERSION, RT_KERNEL_VERSION, RHEL_VERSION.
RHEL 10 image manifest manifests/image-references-rhel10	Adds OpenShift ImageStream manifest defining tags for driver-toolkit and rhel-coreos-10 with placeholder DockerImage references.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Adding support for payload multiple-stream' is directly related to the main objective of the changeset, which is to add support for multiple-stream payloads containing multiple machine-os and driver-toolkit images.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	This pull request modifies Dockerfiles and manifest files for a container toolkit repository that does not contain Ginkgo tests or Go code.
Test Structure And Quality	✅ Passed	The custom check for Ginkgo test code quality is not applicable to this pull request. The PR exclusively modifies Docker-related files (Dockerfiles and manifest YAML files) and does not contain any Ginkgo test code, Go test files, or test modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

Dockerfile.rhel10 (3)

59-59: Minor inconsistency in cache cleanup.

The RHEL9 Dockerfile additionally runs rm -rf /var/cache/dnf/* after dnf clean all. Consider aligning for consistency, though dnf clean all alone is typically sufficient.

♻️ Proposed fix for consistency

-RUN dnf clean all
+RUN dnf clean all && rm -rf /var/cache/dnf/*

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.rhel10` at line 59, The Dockerfile.rhel10 currently runs "dnf
clean all" but omits the extra cache purge used in the RHEL9 Dockerfile; update
the RUN instruction that contains "dnf clean all" to also remove the dnf cache
(e.g., append an rm -rf /var/cache/dnf/* after dnf clean all) so the cache
cleanup is consistent with the RHEL9 Dockerfile.

---

72-75: Pre-existing concern: RT kernel metadata on non-x86_64 architectures.

On architectures other than x86_64, kernel-rt-core is not installed (see lines 19-25), so rpm -q kernel-rt-core will fail or return an error message. This could result in an incorrect RT_KERNEL_VERSION value in the JSON.

This is a pre-existing pattern from the RHEL9 Dockerfile, so no action is required in this PR, but worth noting for future improvement.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.rhel10` around lines 72 - 75, The RT kernel query can fail on
non-x86_64 arches because kernel-rt-core isn't installed; update the RUN step
that sets INSTALLED_RT_KERNEL (and the JSON write to
/etc/driver-toolkit-release.json) to handle missing packages gracefully by
detecting rpm -q kernel-rt-core failure and setting INSTALLED_RT_KERNEL to an
explicit empty/null value or "N/A" instead of propagating the error; ensure the
logic around INSTALLED_KERNEL and INSTALLED_RT_KERNEL uses conditional checks
(e.g., test rpm -q kernel-rt-core exit status) before composing the JSON so
RT_KERNEL_VERSION is accurate on architectures that lack kernel-rt-core.

---

6-7: Minor inconsistency with RHEL9 Dockerfile's dnf configuration approach.

The RHEL9 Dockerfile uses echo >> /etc/dnf/dnf.conf while this uses dnf config-manager. Both achieve the same result. The dnf config-manager approach here is arguably cleaner; consider aligning both files to use the same method for maintainability.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.rhel10` around lines 6 - 7, The dnf configuration step in
Dockerfile.rhel10 uses "dnf config-manager" while the RHEL9 Dockerfile appends
settings to /etc/dnf/dnf.conf; make them consistent by replacing the "dnf
config-manager --best --setopt=install_weak_deps=False --save" usage in the RUN
that sets RHEL_VERSION with an explicit append to /etc/dnf/dnf.conf (e.g., echo
"install_weak_deps=False" >> /etc/dnf/dnf.conf), keeping the existing
RHEL_VERSION detection logic (RHEL_VERSION, sourcing /etc/os-release) intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile.rhel10`:
- Around line 39-40: The RUN instruction installing mandatory driver-container
packages is missing autoconf, automake, and libtool; update the RUN dnf -y
install elfutils-libelf-devel kmod binutils kabi-dw glibc invocation in
Dockerfile.rhel10 to include autoconf, automake, and libtool so the RHEL10
package list matches the RHEL9 Dockerfile and driver container builds remain
consistent.

---

Nitpick comments:
In `@Dockerfile.rhel10`:
- Line 59: The Dockerfile.rhel10 currently runs "dnf clean all" but omits the
extra cache purge used in the RHEL9 Dockerfile; update the RUN instruction that
contains "dnf clean all" to also remove the dnf cache (e.g., append an rm -rf
/var/cache/dnf/* after dnf clean all) so the cache cleanup is consistent with
the RHEL9 Dockerfile.
- Around line 72-75: The RT kernel query can fail on non-x86_64 arches because
kernel-rt-core isn't installed; update the RUN step that sets
INSTALLED_RT_KERNEL (and the JSON write to /etc/driver-toolkit-release.json) to
handle missing packages gracefully by detecting rpm -q kernel-rt-core failure
and setting INSTALLED_RT_KERNEL to an explicit empty/null value or "N/A" instead
of propagating the error; ensure the logic around INSTALLED_KERNEL and
INSTALLED_RT_KERNEL uses conditional checks (e.g., test rpm -q kernel-rt-core
exit status) before composing the JSON so RT_KERNEL_VERSION is accurate on
architectures that lack kernel-rt-core.
- Around line 6-7: The dnf configuration step in Dockerfile.rhel10 uses "dnf
config-manager" while the RHEL9 Dockerfile appends settings to
/etc/dnf/dnf.conf; make them consistent by replacing the "dnf config-manager
--best --setopt=install_weak_deps=False --save" usage in the RUN that sets
RHEL_VERSION with an explicit append to /etc/dnf/dnf.conf (e.g., echo
"install_weak_deps=False" >> /etc/dnf/dnf.conf), keeping the existing
RHEL_VERSION detection logic (RHEL_VERSION, sourcing /etc/os-release) intact.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a7ce7e2b-de73-46ed-98df-cd2ac87f1d58

📥 Commits

Reviewing files that changed from the base of the PR and between 7aa4007 and fcad0e1.

📒 Files selected for processing (3)

• Dockerfile
• Dockerfile.rhel10
• manifests/image-references-rhel10

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile`:
- Around line 61-62: The current blanket replacement using
s/rhel-coreos/stream-coreos/g is too broad and rewrites tags like
rhel-coreos-10; update the replacement to target only the exact tag name (or the
tag suffix) so only SCOS manifests are changed: adjust the sed invocation (the
s/.../.../g command) to match whole-word or delimiter-aware occurrences (for
example use a word-boundary or capture the trailing colon/line-end such as
s/\brhel-coreos\b/stream-coreos/g or s/rhel-coreos(:|$)/stream-coreos\1/g) and
apply it only to the SCOS manifest(s) (e.g.,
manifests/01-openshift-imagestream.yaml or the SCOS-specific entries in
manifests/image-references) instead of globally replacing across all manifests.

In `@Dockerfile.rhel10`:
- Around line 73-75: The RUN layer unconditionally queries kernel-rt-core into
INSTALLED_RT_KERNEL causing empty/incorrect RT metadata on non-x86_64 builds;
modify the RUN block to detect architecture (e.g., via uname -m or
/etc/os-release arch) and only query rpm -q --qf
"%{VERSION}-%{RELEASE}.%{ARCH}+rt" kernel-rt-core when arch == "x86_64",
otherwise set INSTALLED_RT_KERNEL to an explicit empty/null value; ensure the
final echo writing /etc/driver-toolkit-release.json includes the conditional
value of INSTALLED_RT_KERNEL so the file accurately reflects whether RT kernel
metadata exists.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8099f538-68a8-407c-ba4b-dfbbf39ca586

📥 Commits

Reviewing files that changed from the base of the PR and between fcad0e1 and 12c0fd1.

📒 Files selected for processing (3)

• Dockerfile
• Dockerfile.rhel10
• manifests/image-references-rhel10

🚧 Files skipped from review as they are similar to previous changes (1)

• manifests/image-references-rhel10

[ybettan]

/retest

[openshift-ci]

@ybettan: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify-image-content-dtk-for-rhel-10	12c0fd1	link	true	/test verify-image-content-dtk-for-rhel-10

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.