Description
The `/hardening/container/*` tests use `src_image = f'images.paas.redhat.com/testingfarm/rhel-bootc:{major}.{minor}'` as the RHEL image source.
However, those images are not "vanilla RHEL": they carry (sometimes intrusive) OS customizations suited to a "traditional" Beakerlib-based testing environment, such as gpgcheck=0 on repositories, additional packages installed from non-standard repositories, etc.
Try to revert these changes using logic stolen from https://github.com/RHSecurityCompliance/atex-reserve/blob/main/reserve/test.sh with a few simplifications:
```bash
# remove non-standard repos and downgrade (if unable to remove)
# or remove the extra non-standard packages from them
rm -v -f /etc/yum.repos.d/{beaker-harness,rcm-tools}.repo
function list_foreign_rpms {
    dnf list --installed \
    | grep -e @epel -e @beaker-harness -e rcm-tools \
    | sed 's/ .*//'
}
rpms=$(list_foreign_rpms)
[[ $rpms ]] && dnf downgrade -y --skip-broken $rpms || true
rpms=$(list_foreign_rpms)
[[ $rpms ]] && dnf remove -y --noautoremove $rpms
dnf clean all

# set all RHEL repos to gpgcheck=1 and provide a gpgkey= for each of them,
# as RHSM-created repos would have
# - since we can't be sure what GPG key is used for what repo, we simply add
#   all GPG keys to all repos, which works (see dnf documentation)
gpgkeys=()
for key in /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat*; do
    gpgkeys+=("file://$key")
done
sed 's/^gpgcheck=0$/gpgcheck=1/' -i /etc/yum.repos.d/rhel.repo
if ! grep -q '^gpgkey=' /etc/yum.repos.d/rhel.repo; then
    sed '/^gpgcheck=1$/a'" gpgkey=${gpgkeys[*]}" -i /etc/yum.repos.d/rhel.repo
fi
```

This should be somehow executed before oscap-im when building the hardened image.
Alternatively, we can build a "cleaned up RHEL" image before re-building it again via oscap-im, as this hack is only needed for testingfarm RHEL, not for CentOS Stream from quay.io.
The script above could be COPY-ed into the image and executed via RUN, or (ideally, if possible) executed directly via RUN if RUN supports multi-line strings.
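One way to run it directly from a RUN step, as an added example (not code from this issue or from the atex-reserve repository): a Containerfile that uses heredoc syntax for RUN, which BuildKit and recent Buildah/Podman support, so the script does not need to be COPY-ed in as a separate file. The `9.6` tag, the `#!/bin/bash` shebang being honoured by the builder, and the oscap-im profile/datastream placeholders are assumptions; the cleanup body is the script above, followed by a sanity check that fails the build if any repo still carries gpgcheck=0 or rhel.repo still lacks a gpgkey.

```dockerfile
# Containerfile (added example): clean up the testingfarm RHEL bootc image
# before the oscap-im hardening step. Assumes a builder with heredoc RUN
# support (BuildKit, or a recent Buildah/Podman). The 9.6 tag is an example
# value; PROFILE_ID and DATASTREAM.xml are placeholders for the real arguments.
FROM images.paas.redhat.com/testingfarm/rhel-bootc:9.6

# The whole cleanup runs as one bash heredoc; the quoted delimiter keeps the
# builder from expanding $variables, so bash sees them unchanged.
RUN <<'EOF'
#!/bin/bash
set -eux

# remove non-standard repos and downgrade (if unable to remove)
# or remove the extra non-standard packages from them
rm -v -f /etc/yum.repos.d/{beaker-harness,rcm-tools}.repo
list_foreign_rpms() {
    dnf list --installed \
    | grep -e @epel -e @beaker-harness -e rcm-tools \
    | sed 's/ .*//'
}
rpms=$(list_foreign_rpms)
[[ $rpms ]] && dnf downgrade -y --skip-broken $rpms || true
rpms=$(list_foreign_rpms)
[[ $rpms ]] && dnf remove -y --noautoremove $rpms
dnf clean all

# set all RHEL repos to gpgcheck=1 and provide a gpgkey= for each of them;
# all Red Hat keys are listed for every repo, which dnf accepts
gpgkeys=()
for key in /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat*; do
    gpgkeys+=("file://$key")
done
sed 's/^gpgcheck=0$/gpgcheck=1/' -i /etc/yum.repos.d/rhel.repo
if ! grep -q '^gpgkey=' /etc/yum.repos.d/rhel.repo; then
    sed '/^gpgcheck=1$/a'" gpgkey=${gpgkeys[*]}" -i /etc/yum.repos.d/rhel.repo
fi

# sanity check (added): abort the build if the cleanup did not take effect,
# so an unsigned-package repo can never reach the oscap-im step unnoticed
for repo in /etc/yum.repos.d/*.repo; do
    if grep -q '^gpgcheck=0$' "$repo"; then
        echo "gpgcheck=0 still present in $repo" >&2
        exit 1
    fi
done
grep -q '^gpgkey=' /etc/yum.repos.d/rhel.repo || {
    echo "rhel.repo has no gpgkey= line" >&2
    exit 1
}
EOF

# The existing hardening step follows; arguments are placeholders.
RUN oscap-im --profile PROFILE_ID /usr/share/xml/scap/ssg/content/DATASTREAM.xml
```

Splitting this file at the second RUN gives the two-build variant from the issue: the first Containerfile produces the "cleaned up RHEL" image, and the oscap-im Containerfile then uses that image (or the quay.io CentOS Stream image, which needs no cleanup) in its FROM line.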