Skip to content

ci: drop running COSA as UID 0 #1716

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dustymabe wants to merge 3 commits into
base: main
Choose a base branch
from
Open

ci: drop running COSA as UID 0 #1716

dustymabe wants to merge 3 commits into from
+12 −9

Conversation

@dustymabe
Copy link
Member

@dustymabe dustymabe commented Jan 7, 2026

No description provided.

@dustymabe
ci: drop buildroot param to cosaPod
d8dd3b7 
This becaome obsolete when buildPod was introduced in
coreos/coreos-ci-lib@f2a82bd
gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 7, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request aims to improve security by no longer running the COSA container as root. This is a great improvement. However, by removing the root privileges, the mechanism for using the newly built coreos-installer binary was removed but not replaced. My review includes a critical suggestion to fix this by updating the PATH environment variable, ensuring that the CI continues to test the correct binary.

dustymabe added a commit to dustymabe/coreos-assembler that referenced this pull request Jan 9, 2026
@dustymabe
build.sh: allow group write on /usr/bin
a76a5d1 
Allow group write permissions on /usr/bin because in upstream
project's CI we want to overwrite binaries for testing. The dir is
owned by root:root and CI runs in openshift as a user that is a
member of the `root` (GID: 0) group.

See coreos/coreos-installer#1716
@dustymabe dustymabe mentioned this pull request Jan 9, 2026
Open
@dustymabe
Copy link
Member Author

dustymabe commented Jan 9, 2026

Ok I think this should be ready to go.

requires https://github.com/coreos/coreos-assembler/pull/4410/changes (please review)

@dustymabe
ci: drop running COSA as UID 0
3907038 
We opened up the permissions when building the COSA container [1] so
this isn't necessary any longer with a few adjustments here.

[1] coreos/coreos-assembler#4410
@dustymabe
ci: stop denylisted ext.config.kdump.crash test
7994979 
This issue should have been fixed a long time ago. Let's drop this
old workaround.
@dustymabe dustymabe marked this pull request as ready for review January 9, 2026 20:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jlebon jlebon jlebon left review comments

@HuijingHei HuijingHei HuijingHei left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dustymabe @jlebon @HuijingHei