
Updating ironic-container image to be consistent with ART for 4.22 #813

Closed
openshift-bot wants to merge 1 commit into openshift:main from openshift-bot:art-consistency-openshift-4.22-ironic

Conversation


@openshift-bot openshift-bot commented Mar 15, 2026

Updating ironic-container image to be consistent with ART for 4.22
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ironic.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurately reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team: @release-artists
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out to @release-artists in the #forum-ocp-art coreos slack channel.


@openshift-bot openshift-bot force-pushed the art-consistency-openshift-4.22-ironic branch from e5db8c4 to bc67e93 on March 15, 2026 20:25
@openshift-bot openshift-bot added the labels jira/valid-bug (Indicates that a referenced Jira bug is valid for the branch this PR is targeting) and verified (Signifies that the PR passed pre-merge verification criteria) on Mar 15, 2026

coderabbitai bot commented Mar 15, 2026

Walkthrough

Added three header comment lines to Dockerfile.ocp documenting a warning about ART metadata configuration differences and the need for synchronization with Dockerfile.scos. No functional changes introduced.

Changes

Cohort / File(s): Documentation Comments (Dockerfile.ocp)
Summary: Added three comment lines warning about ART metadata configuration differences in the number of FROMs and the requirement to keep the file synchronized with Dockerfile.scos.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes


@openshift-ci openshift-ci bot requested review from iurygregory and zaneb March 15, 2026 20:26

openshift-ci bot commented Mar 15, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-bot
Once this PR has been reviewed and has the lgtm label, please assign dtantsur for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile.ocp (1)

92-96: ⚠️ Potential issue | 🟠 Major

Set an explicit non-root runtime user in the final image.

configure-nonroot.sh prepares permissions, but without a USER instruction the container still defaults to root at runtime. Add USER after the non-root setup (Line 92-96 block).

Suggested fix
 RUN <<EORUN
 set -euxo pipefail
 configure-nonroot.sh
 rm -f /bin/configure-nonroot.sh
 EORUN
+
+# Run as non-root user configured by configure-nonroot.sh
+USER 1001
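Review bot: the suggested `+USER 1001` hardcodes a UID that this comment itself does not pin down (the prompt text says "nonroot" or "1001"), so before applying it the value should be checked against the account and ownership that configure-nonroot.sh actually sets up, and written as a numeric UID so the runtime identity is unambiguous. Note also that lines 92-96 sit outside this PR's diff, which only adds three header comment lines to Dockerfile.ocp, so the USER change belongs in a separate follow-up PR rather than in this ART alignment PR.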

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.ocp` around lines 92 - 96, After running configure-nonroot.sh in
the RUN <<EORUN block, add an explicit USER instruction to switch the final
image to the non-root runtime account created/configured by configure-nonroot.sh
(e.g., the configured non-root username or UID such as "nonroot" or "1001");
update the Dockerfile so that after the RUN <<EORUN ... EORUN section you set
USER to that non-root identity to ensure the container does not run as root at
runtime.


📥 Commits

Reviewing files that changed from the base of the PR and between b18db38 and bc67e93.

📒 Files selected for processing (1)
  • Dockerfile.ocp
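The finding above is the kind of thing worth catching before review rather than in it. As an added example, not code from this PR, from CodeRabbit, or from the ironic-image project, here is a small static check that parses a Dockerfile into its FROM stages (joining backslash continuations and skipping BuildKit heredoc bodies such as the `RUN <<EORUN ... EORUN` block quoted in the review) and reports whether the final stage ends without a USER or with a root alias. It goes beyond the single flagged case: it also catches a USER set only in a builder stage and a USER reset to root later on. The sample Dockerfiles, registry names, paths and the `1001` UID are constructed for the example.

```python
"""Static check: which USER is in force at the end of a Dockerfile's final stage.

Added example (not part of this PR or the ironic-image project): image names,
paths and UIDs in the sample Dockerfiles below are constructed.
"""
import re

# Values that still mean "root" for this check.
ROOT_ALIASES = {"root", "0", "0:0", "root:root"}

# Matches a BuildKit heredoc marker such as <<EORUN, <<-EOF or <<"EOF".
HEREDOC_RE = re.compile(r'<<-?["\']?(\w+)["\']?')


def logical_lines(text):
    """Yield one string per Dockerfile instruction: blank and comment lines are
    dropped, backslash continuations are joined, and heredoc bodies
    (RUN <<EORUN ... EORUN) are swallowed so their shell lines are not mistaken
    for instructions."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        current = lines[i].strip()
        i += 1
        if not current or current.startswith("#"):
            continue
        while current.endswith("\\") and i < len(lines):
            current = current[:-1] + " " + lines[i].strip()
            i += 1
        for terminator in HEREDOC_RE.findall(current):
            while i < len(lines) and lines[i].strip() != terminator:
                i += 1
            i += 1  # consume the terminator line itself
        yield current


def parse_stages(text):
    """Return [(stage_name, [(KEYWORD, arguments), ...]), ...], one entry per
    FROM. Unnamed stages get a synthetic name (stage0, stage1, ...)."""
    stages = []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "FROM":
            named = re.search(r"\bAS\s+(\S+)", rest, re.IGNORECASE)
            stages.append((named.group(1) if named else f"stage{len(stages)}", []))
        elif stages:
            stages[-1][1].append((keyword, rest))
    return stages


def effective_user(instructions):
    """The USER in force at the end of a stage: the last USER instruction, or
    None when the stage never sets one. None means the image inherits the base
    image's user, which is root unless the base image set USER itself; a static
    check of this one file cannot see that."""
    user = None
    for keyword, rest in instructions:
        if keyword == "USER" and rest:
            user = rest.split()[0]
    return user


def final_stage_runs_as_root(text):
    """True when the last stage ends without a USER or with a root alias."""
    stages = parse_stages(text)
    if not stages:
        raise ValueError("no FROM instruction found")
    user = effective_user(stages[-1][1])
    return user is None or user.lower() in ROOT_ALIASES


# Constructed sample mirroring the pattern the review flagged: the non-root
# setup script runs in the final stage, but no USER instruction follows it.
DOCKERFILE_NO_USER = """\
FROM registry.example/builder:latest AS builder
RUN make build

FROM registry.example/base:latest
COPY --from=builder /out/ironic /usr/bin/ironic
RUN <<EORUN
set -euxo pipefail
configure-nonroot.sh
rm -f /bin/configure-nonroot.sh
EORUN
"""

# Same file with the suggested fix applied (UID is a constructed value).
DOCKERFILE_FIXED = DOCKERFILE_NO_USER + "\nUSER 1001\n"

# Common mistake: USER set in the builder stage only; the final stage is still root.
DOCKERFILE_BUILDER_ONLY = DOCKERFILE_NO_USER.replace("AS builder\n", "AS builder\nUSER 1001\n")

# USER set, then reset to root by a later instruction.
DOCKERFILE_RESET = DOCKERFILE_FIXED + "USER root\n"

if __name__ == "__main__":
    for name, text in [("no-user", DOCKERFILE_NO_USER), ("fixed", DOCKERFILE_FIXED),
                       ("builder-only", DOCKERFILE_BUILDER_ONLY), ("reset", DOCKERFILE_RESET)]:
        print(f"{name}: runs as root = {final_stage_runs_as_root(text)}")
```

The check is deliberately conservative: a `None` result is reported as root because that is Docker's default, but it also means "verify the base image", since a USER set by the base image is invisible to a check of this one file. Run it over Dockerfile.ocp and Dockerfile.scos together in CI so the two files the PR's new header comments say must stay in sync are both covered.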

@elfosardo

we're waiting for openshift-eng/ocp-build-data#8913 to merge

openshift-merge-bot bot pushed a commit that referenced this pull request Mar 25, 2026
✨ add image SBOM attestation to image builds