Drop support for RHEL 8

[proietfb]

- What I did

Dropped support for RHEL8

- How to verify it

All CI tests should pass even without RHEL8 custom paths

- Description for the changelog

• Removed RHEL8 paths from the codebase
• Adapted e2e tests by dropping RHEL8 checks

Summary by CodeRabbit

• Chores
  • Streamlined Docker image build process by consolidating multiple builder stages into unified configuration
  • Unified SSH authorized key storage to use a single standardized path across all system types
  • Removed legacy operating system version detection methods and related conditional logic throughout codebase
  • Simplified overall system configuration with corresponding updates to validation tests

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Walkthrough

This PR removes RHEL 8 support from machine-config-daemon by eliminating the RHEL 8 builder stage, consolidating SSH key paths to a single constant, removing OS version checks, simplifying SSH key handling logic, and updating daemon behaviors and tests to standardize on RHEL 9+ systems.

Changes

Drop RHEL 8 Support

Layer / File(s)	Summary
Docker build system simplification Dockerfile, Dockerfile.rhel7	RHEL 8 builder stage is removed from both Dockerfiles; all binaries are now copied directly from the RHEL 9 builder output into the final image.
OS version API cleanup pkg/daemon/osrelease/osrelease.go	The IsEL8() method is removed and version backfill logic that mapped RHEL 4.x to 8.x is eliminated, simplifying OS version detection to start at RHEL 9.
SSH path constants consolidation pkg/daemon/constants/constants.go	Unified RHCOSDefaultSSHKeyPath constant replaces separate RHCOS8SSHKeyPath and RHCOS9SSHKeyPath, pointing to authorized_keys.d/ignition for all supported systems.
SSH key handling logic simplification pkg/daemon/update.go	createSSHKeyDir and updateSSHKeys functions are simplified to use only the default SSH key path; legacy path selection helpers (useNewSSHKeyPath, cleanSSHKeyPaths, removeNonIgnitionKeyPathFragments) are removed.
Daemon OS compatibility adjustments pkg/daemon/daemon.go	PersistNetworkInterfaces now enables NIC persistence only for RHEL 9 (not RHEL 8); ReexecuteForTargetRoot simplifies binary selection; SSH key location migration call is removed from checkStateOnFirstRun.
Daemon formatting and refactoring pkg/daemon/daemon.go	Systemd unit construction and rate limiter queue configurations are reformatted into multi-line literals; surrounding formatting adjustments in createBootstrapMachineConfigDiffFile.
End-to-end test updates test/e2e-1of2/mcd_test.go	Tests (TestNoReboot, TestIgn3Cfg, TestFirstBootHasSSHKeys) now assert SSH keys using unified RHCOSDefaultSSHKeyPath instead of OS-derived sshPaths logic; dual-path detection removed.
Single-node test updates test/e2e-single-node/sno_mcd_test.go	TestNoReboot updated to delete, verify, and validate SSH keys using unified RHCOSDefaultSSHKeyPath instead of per-OS path selection.
Test utilities cleanup test/helpers/utils.go	SSHPaths struct and GetSSHPaths function are removed; CollectDebugInfoFromNode now collects only the unified RHCOSDefaultSSHKeyPath.
Template and minor updates templates/common/on-prem/files/NetworkManager-resolv-prepender.yaml, test/e2e-1of2/mcd_test.go, test/e2e-single-node/sno_mcd_test.go	NetworkManager dispatcher comment narrowed to RHEL 9; test formatting adjustments and variable declaration simplification in several test functions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

lgtm, approved, verified

Suggested reviewers

• dkhater-redhat
• isabella-janssen

🚥 Pre-merge checks | ✅ 4 | ❌ 11

❌ Failed checks (1 warning, 10 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Stable And Deterministic Test Names	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test Structure And Quality	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Microshift Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Single Node Openshift (Sno) Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Topology-Aware Scheduling Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ote Binary Stdout Contract	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ipv6 And Disconnected Network Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Weak-Crypto	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Container-Privileges	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Sensitive-Data-In-Logs	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'Drop support for RHEL 8' directly and clearly summarizes the main objective of the changeset, which is to remove all RHEL 8-specific code paths, constants, builder stages, and test logic across multiple files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Tools execution failed with the following error:

Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: proietfb
Once this PR has been reviewed and has the lgtm label, please assign dkhater-redhat for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

pkg/daemon/update.go (1)

2482-2492: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Re-create /home/core/.ssh explicitly before the subdir.

mkdir -p -m 0700 /home/core/.ssh/authorized_keys.d only guarantees 0700 on the final authorized_keys.d component. If /home/core/.ssh is missing, it gets recreated with the runuser umask, so this helper no longer guarantees the parent-directory permissions its comment promises and the tests assert.

Suggested fix

 func createSSHKeyDir(authKeyDir string) error {
 	klog.Infof("Creating missing SSH key dir at %q", authKeyDir)

 	mkdir := func(dir string) error {
 		return exec.Command("runuser", "-u", constants.CoreUserName, "--", "mkdir", "-m", "0700", "-p", dir).Run()
 	}

-	// Create the SSH key directory (/home/core/.ssh/authorized_keys.d).
-	return mkdir(filepath.Dir(constants.RHCOSDefaultSSHKeyPath))
+	if err := mkdir(constants.CoreUserSSHPath); err != nil {
+		return err
+	}
+	return mkdir(authKeyDir)
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/daemon/update.go` around lines 2482 - 2492, The createSSHKeyDir function
currently only runs mkdir on the leaf directory (using
filepath.Dir(constants.RHCOSDefaultSSHKeyPath)), which can leave the parent
(/home/core/.ssh) with incorrect permissions; update createSSHKeyDir to
explicitly create the parent directory first and then the target subdirectory
using the same runuser mkdir wrapper (the inner mkdir closure) so both the
parent (/home/core/.ssh) and the subdir (authorized_keys.d) are created with
mode 0700; reference the createSSHKeyDir function, the mkdir closure, and
constants.RHCOSDefaultSSHKeyPath when making the change.

test/helpers/utils.go (1)

1672-1679: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the fallback os-release path in the debug bundle.

This list still uses /usr/lib/osrelease, so failed-node artifacts miss the standard fallback OS release file. Since this hunk is already updating the collected paths, switch it to /usr/lib/os-release.

Suggested fix

 	nodeFilesToWrite := []string{
 		"/etc/machine-config-daemon/currentconfig",
 		"/etc/os-release",
-		"/usr/lib/osrelease",
+		"/usr/lib/os-release",
 		constants.RHCOSDefaultSSHKeyPath,
 		"/etc/machine-config-daemon/node-annotation.json.bak",
 		"/etc/ignition-machine-config-encapsulated.json.bak",
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/helpers/utils.go` around lines 1672 - 1679, The nodeFilesToWrite slice
in test/helpers/utils.go contains an incorrect fallback path
"/usr/lib/osrelease"; update that entry to the standard "/usr/lib/os-release" so
the debug bundle includes the proper fallback os-release file. Locate the
nodeFilesToWrite variable and replace the "/usr/lib/osrelease" string with
"/usr/lib/os-release" (the rest of the slice entries remain unchanged).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e-1of2/mcd_test.go`:
- Around line 317-320: The call to helpers.WaitForRenderedConfig ignores its
error return causing oldInfraRenderedConfig to be empty on failure; change the
call to capture the error (e.g., oldInfraRenderedConfig, err :=
helpers.WaitForRenderedConfig(...)) and fail fast (use
require.NoError/require.Nil or t.Fatalf) immediately after to stop the test when
the baseline render does not complete; update references to
oldInfraRenderedConfig accordingly so subsequent rollback logic uses a valid
rendered config.

---

Outside diff comments:
In `@pkg/daemon/update.go`:
- Around line 2482-2492: The createSSHKeyDir function currently only runs mkdir
on the leaf directory (using filepath.Dir(constants.RHCOSDefaultSSHKeyPath)),
which can leave the parent (/home/core/.ssh) with incorrect permissions; update
createSSHKeyDir to explicitly create the parent directory first and then the
target subdirectory using the same runuser mkdir wrapper (the inner mkdir
closure) so both the parent (/home/core/.ssh) and the subdir (authorized_keys.d)
are created with mode 0700; reference the createSSHKeyDir function, the mkdir
closure, and constants.RHCOSDefaultSSHKeyPath when making the change.

In `@test/helpers/utils.go`:
- Around line 1672-1679: The nodeFilesToWrite slice in test/helpers/utils.go
contains an incorrect fallback path "/usr/lib/osrelease"; update that entry to
the standard "/usr/lib/os-release" so the debug bundle includes the proper
fallback os-release file. Locate the nodeFilesToWrite variable and replace the
"/usr/lib/osrelease" string with "/usr/lib/os-release" (the rest of the slice
entries remain unchanged).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5a33d8eb-2950-426d-9716-1b1a923fdb0c

📥 Commits

Reviewing files that changed from the base of the PR and between 1d96927 and 3b092a7.

📒 Files selected for processing (10)

• Dockerfile
• Dockerfile.rhel7
• pkg/daemon/constants/constants.go
• pkg/daemon/daemon.go
• pkg/daemon/osrelease/osrelease.go
• pkg/daemon/update.go
• templates/common/on-prem/files/NetworkManager-resolv-prepender.yaml
• test/e2e-1of2/mcd_test.go
• test/e2e-single-node/sno_mcd_test.go
• test/helpers/utils.go

💤 Files with no reviewable changes (3)

• pkg/daemon/osrelease/osrelease.go
• Dockerfile.rhel7
• Dockerfile

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fail fast if the baseline render never completes.

If WaitForRenderedConfig fails here, oldInfraRenderedConfig becomes empty and the rollback path later waits for the wrong target, which obscures the original setup failure.

Suggested fix

 	_, err := cs.MachineConfigs().Create(context.TODO(), oldInfraConfig, metav1.CreateOptions{})
 	require.Nil(t, err)
-	oldInfraRenderedConfig, _ := helpers.WaitForRenderedConfig(t, cs, "infra", oldInfraConfig.Name)
+	oldInfraRenderedConfig, err := helpers.WaitForRenderedConfig(t, cs, "infra", oldInfraConfig.Name)
+	require.NoError(t, err)
 	infraNode := helpers.GetSingleNodeByRole(t, cs, "infra")

As per coding guidelines, **/*.go: Never ignore error returns.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	_, err := cs.MachineConfigs().Create(context.TODO(), oldInfraConfig, metav1.CreateOptions{})
	require.Nil(t, err)
	oldInfraRenderedConfig, err := helpers.WaitForRenderedConfig(t, cs, "infra", oldInfraConfig.Name)
	oldInfraRenderedConfig, _ := helpers.WaitForRenderedConfig(t, cs, "infra", oldInfraConfig.Name)
	infraNode := helpers.GetSingleNodeByRole(t, cs, "infra")
	_, err := cs.MachineConfigs().Create(context.TODO(), oldInfraConfig, metav1.CreateOptions{})
	require.Nil(t, err)
	oldInfraRenderedConfig, err := helpers.WaitForRenderedConfig(t, cs, "infra", oldInfraConfig.Name)
	require.NoError(t, err)
	infraNode := helpers.GetSingleNodeByRole(t, cs, "infra")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-1of2/mcd_test.go` around lines 317 - 320, The call to
helpers.WaitForRenderedConfig ignores its error return causing
oldInfraRenderedConfig to be empty on failure; change the call to capture the
error (e.g., oldInfraRenderedConfig, err := helpers.WaitForRenderedConfig(...))
and fail fast (use require.NoError/require.Nil or t.Fatalf) immediately after to
stop the test when the baseline render does not complete; update references to
oldInfraRenderedConfig accordingly so subsequent rollback logic uses a valid
rendered config.

[proietfb]

/payload-jobs periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-azure-mco-disruptive-techpreview-3of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-azure-mco-disruptive
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-vsphere-mco-disruptive
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-gcp-mco-disruptive-techpreview-2of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-dualstack-mco-disruptive-2of2
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-azure-mco-disruptive-techpreview-1of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-ipv4-mco-disruptive-techpreview-3of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-dualstack-mco-disruptive-techpreview-1of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-dualstack-mco-disruptive-techpreview-2of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-ipv6-mco-disruptive-techpreview-1of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-ipv4-mco-disruptive-techpreview-2of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-dualstack-mco-disruptive-techpreview-3of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-ipv4-mco-disruptive-techpreview-1of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-ipv6-mco-disruptive-techpreview-2of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-aws-mco-single-node-disruptive
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-aws-ovn-upgrade-ocl
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-dualstack-mco-disruptive-1of2
periodic-ci-openshift-machine-config-operator-release-5.0-arm64-periodics-e2e-aws-mco-disruptive-2of2
periodic-ci-openshift-machine-config-operator-release-5.0-arm64-periodics-e2e-aws-mco-disruptive-techpreview-1of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-aws-mco-single-node-disruptive-techpreview
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-ipv4-mco-disruptive-2of2
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-ipv4-mco-disruptive-1of2
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-ipv6-mco-disruptive-techpreview-3of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-azure-mco-disruptive-techpreview-2of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-aws-mco-disruptive-techpreview-2of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-ipv6-mco-disruptive-2of2
periodic-ci-openshift-machine-config-operator-release-5.0-arm64-periodics-e2e-aws-mco-disruptive-1of2
periodic-ci-openshift-machine-config-operator-release-5.0-arm64-periodics-e2e-aws-mco-disruptive-techpreview-2of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-aws-ovn-ocl
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-gcp-mco-disruptive
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-vsphere-mco-disruptive-techpreview
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-aws-mco-disruptive-techpreview-1of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-gcp-mco-disruptive-techpreview-3of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-aws-ovn-day1-ocl
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-aws-mco-disruptive
periodic-ci-openshift-machine-config-operator-release-5.0-arm64-periodics-e2e-aws-mco-disruptive-techpreview-3of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-gcp-mco-disruptive-techpreview-1of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-aws-mco-disruptive-techpreview-3of3
periodic-ci-openshift-machine-config-operator-release-5.0-periodics-e2e-metal-ipi-ovn-ipv6-mco-disruptive-1of2

[openshift-ci]

@proietfb: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

[proietfb]

/test e2e-openstack

[openshift-ci]

@proietfb: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-openstack	3b092a7	link	false	/test e2e-openstack

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.