OCPEDGE-2396: Add containerized resource-agents build tooling

[vimauro]

• Add helpers/resource-agents-build/ directory with Dockerfiles (Stream 9 and 10) and scripts for building custom resource-agents RPMs
• local-build-test.sh validates that resource-agents compiles on CentOS Stream 9 and 10 locally via podman, with configurable repo/branch

Note: I've moved and edited those scripts from openshift/release#75815 since I thought it could be more useful in this repo instead of Release

[openshift-ci-robot]

@vimauro: This pull request references OCPEDGE-2396 which is a valid jira issue.

Details

In response to this:

• Add helpers/resource-agents-build/ directory with Dockerfiles (Stream 9 and 10) and scripts for building custom resource-agents RPMs
• local-build-test.sh validates that resource-agents compiles on CentOS Stream 9 and 10 locally via podman, with configurable repo/branch

Note: I've moved and edited those scripts from openshift/release#75815 since I thought it could be more useful in this repo instead of Release

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vimauro
Once this PR has been reviewed and has the lgtm label, please assign jerpeter1 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Added containerized build validation tooling and documentation for resource-agents RPMs targeting CentOS Stream 9 and 10. Includes two Dockerfiles with build pipelines, a local Podman build orchestration script, and README documentation describing usage and build behavior.

Changes

Cohort / File(s)	Summary
Documentation helpers/README.md	Added "Containerized Build Validation" section documenting usage of Dockerfiles and local-build-test.sh script, including command examples, script flags (--repo, --ref, -h/--help), and Stream 10 build limitations regarding missing libqb-devel.
Build Images helpers/resource-agents-build/Dockerfile.stream9, helpers/resource-agents-build/Dockerfile.stream10	Two new Dockerfiles for building resource-agents RPMs. Stream 9 performs full make rpm packaging from source. Stream 10 attempts libqb-devel installation and falls back to building libqb from source; make rpm is skipped due to unsatisfied build requirements, with placeholder RPM creation.
Build Orchestration helpers/resource-agents-build/local-build-test.sh	New Bash script that orchestrates container builds via Podman for both Stream 9 and 10, accepting optional --repo and --ref arguments, with built-in help output and image tagging to local registry.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (4)

helpers/resource-agents-build/Dockerfile.stream10 (2)

17-19: Optional: Add dnf clean all for consistency with best practices.

Same consideration as Dockerfile.stream9 - adding dnf clean all would reduce image size, though it's optional for a local build/test image.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@helpers/resource-agents-build/Dockerfile.stream10` around lines 17 - 19, Add
a cleanup step after the package installation RUN commands to reduce image size:
locate the RUN lines that call "dnf install -y epel-release ..." and the long
"dnf install -y git autoconf ..." and append a "dnf clean all" (or add a
separate RUN dnf clean all) after those installs so cached metadata and package
files are removed; ensure the cleanup is placed in the same layer or immediately
following the install to maintain consistency with the Dockerfile.stream10
install steps.

---

22-25: Error suppression may hide legitimate failures.

Redirecting stderr with 2>/dev/null hides all errors, not just "package not found." Network issues or repo misconfigurations would silently fall through to the source build. Consider checking for the specific exit code or package availability first.

Proposed improvement

 # TODO: remove libqb source build once libqb-devel is available in EPEL/CRB for Stream 10
 # Check: podman run --rm quay.io/centos/centos:stream10 dnf repoquery libqb-devel --available
-RUN (dnf install -y libqb-devel 2>/dev/null) || ( \
+RUN dnf install -y libqb-devel || ( \
+  echo "libqb-devel not available, building from source..." && \
   git clone --depth 1 https://github.com/ClusterLabs/libqb /tmp/libqb-build \
   && cd /tmp/libqb-build && autoreconf -fi && ./configure --prefix=/usr && make -j$(nproc) && make install \
   && cd / && rm -rf /tmp/libqb-build )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@helpers/resource-agents-build/Dockerfile.stream10` around lines 22 - 25, The
RUN line currently swallows all dnf errors by redirecting stderr to /dev/null,
which can hide real failures; change the logic so you first check package
availability (e.g., run a query like dnf list available libqb-devel or similar
check) and only fall back to the git clone/build when the package is truly
unavailable, and when falling back propagate or log the original dnf error
output instead of discarding it; update the RUN block that references
libqb-devel and the git clone /tmp/libqb-build fallback to perform the
availability check, branch on that result, and ensure any non-package-not-found
errors are surfaced (logged or cause failure) rather than being ignored.

helpers/resource-agents-build/Dockerfile.stream9 (2)

12-14: Optional: Add dnf clean all to reduce image size.

Static analysis flags that dnf clean all is missing after installs. While this is a local build/test container where size is less critical, adding cleanup could be beneficial if images are retained.

Proposed change

 RUN dnf config-manager --set-enabled crb || true
-RUN dnf install -y epel-release || dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
-RUN dnf install -y git autoconf automake docbook-style-xsl glib2-devel libqb-devel make rpm-build perl python3-devel libnet-devel python3-pyroute2 libxslt systemd which
+RUN dnf install -y epel-release || dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
+    && dnf install -y git autoconf automake docbook-style-xsl glib2-devel libqb-devel make rpm-build perl python3-devel libnet-devel python3-pyroute2 libxslt systemd which \
+    && dnf clean all

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@helpers/resource-agents-build/Dockerfile.stream9` around lines 12 - 14, Add a
cleanup step to the package-install RUN commands in Dockerfile.stream9 to reduce
image size: after the dnf install lines (the RUN commands that call "dnf install
-y epel-release ..." and "dnf install -y git autoconf ..."), append a cleanup
command such as "dnf clean all && rm -rf /var/cache/dnf /var/cache/yum" (or
combine into a single RUN so cache isn't persisted across layers) to remove
metadata and caches.

---

25-26: Consider adding explicit error handling if no RPM is found.

If find returns no matches, xargs -I{} executes nothing and the subsequent test -f fails with an opaque error. Adding an explicit check would improve debuggability.

Proposed improvement

-RUN find . -name 'resource-agents-*.rpm' ! -name '*debug*' ! -name '*.src.rpm' | head -1 | xargs -I{} cp {} /tmp/resource-agents.rpm
-RUN test -f /tmp/resource-agents.rpm && rpm -qip /tmp/resource-agents.rpm
+RUN RPM_PATH=$(find . -name 'resource-agents-*.rpm' ! -name '*debug*' ! -name '*.src.rpm' | head -n 1) \
+    && if [ -z "$RPM_PATH" ]; then echo "ERROR: No RPM artifact found after build"; exit 1; fi \
+    && cp "$RPM_PATH" /tmp/resource-agents.rpm \
+    && rpm -qip /tmp/resource-agents.rpm

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@helpers/resource-agents-build/Dockerfile.stream9` around lines 25 - 26, The
Dockerfile's two RUN steps should explicitly fail with a clear error if no RPM
is found: replace the pipeline that runs find | xargs -I{} cp {}
/tmp/resource-agents.rpm with logic that captures the first match into a shell
variable (e.g., FILE or RA_RPM), test if that variable is empty, and if so echo
a descriptive error to stderr and exit 1; otherwise cp "$FILE"
/tmp/resource-agents.rpm and then run rpm -qip /tmp/resource-agents.rpm. Ensure
you reference the same target path /tmp/resource-agents.rpm so the subsequent
rpm inspection only runs when the file exists.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@helpers/resource-agents-build/Dockerfile.stream10`:
- Around line 28-30: The shallow clone uses "--depth 1" in the RUN command
cloning "${RESOURCE_AGENTS_REPO}" to /tmp/resource-agents-build which can fail
when checking out non-default refs; update the RUN line that contains git clone
--depth 1 "${RESOURCE_AGENTS_REPO}" /tmp/resource-agents-build so it does a full
clone (remove the "--depth 1" flag) or replace with an init/remote-add/fetch
sequence that fetches the specific "${RESOURCE_AGENTS_REF}" into
/tmp/resource-agents-build before running git -C /tmp/resource-agents-build
checkout FETCH_HEAD, ensuring RESOURCE_AGENTS_REPO and RESOURCE_AGENTS_REF are
used as in the existing commands.

In `@helpers/resource-agents-build/Dockerfile.stream9`:
- Around line 17-19: The shallow git clone using --depth 1 can prevent fetching
non-default branches/tags/SHAs; update the RUN git clone/fetch sequence so the
clone supports arbitrary refs referenced by RESOURCE_AGENTS_REF (e.g., remove
--depth 1 or add --no-single-branch to the git clone, or after cloning run git
fetch --unshallow || git fetch --depth=1 origin "${RESOURCE_AGENTS_REF}" before
git checkout FETCH_HEAD) so that the subsequent git -C
/tmp/resource-agents-build fetch origin "${RESOURCE_AGENTS_REF}" and git -C
/tmp/resource-agents-build checkout FETCH_HEAD succeed reliably for tags, SHAs,
and non-default branches.

In `@helpers/resource-agents-build/local-build-test.sh`:
- Around line 29-36: The argument parsing in the while/case block doesn't
validate that an option value exists for --repo and --ref and calls usage with a
zero exit on unknown options; update the case arms for --repo and --ref in the
while loop to first check that a next argument exists and is not another option
(i.e., test that "$2" is set and not starting with '-') and if missing print a
clear error referencing RESOURCE_AGENTS_REPO or RESOURCE_AGENTS_REF and exit
non‑zero; also change the default unknown option path (and any usage invocation
for invalid input) to print the error and call usage with a non‑zero exit code
so failures are signalled (reference the while loop, case pattern,
RESOURCE_AGENTS_REPO, RESOURCE_AGENTS_REF and usage).

---

Nitpick comments:
In `@helpers/resource-agents-build/Dockerfile.stream10`:
- Around line 17-19: Add a cleanup step after the package installation RUN
commands to reduce image size: locate the RUN lines that call "dnf install -y
epel-release ..." and the long "dnf install -y git autoconf ..." and append a
"dnf clean all" (or add a separate RUN dnf clean all) after those installs so
cached metadata and package files are removed; ensure the cleanup is placed in
the same layer or immediately following the install to maintain consistency with
the Dockerfile.stream10 install steps.
- Around line 22-25: The RUN line currently swallows all dnf errors by
redirecting stderr to /dev/null, which can hide real failures; change the logic
so you first check package availability (e.g., run a query like dnf list
available libqb-devel or similar check) and only fall back to the git
clone/build when the package is truly unavailable, and when falling back
propagate or log the original dnf error output instead of discarding it; update
the RUN block that references libqb-devel and the git clone /tmp/libqb-build
fallback to perform the availability check, branch on that result, and ensure
any non-package-not-found errors are surfaced (logged or cause failure) rather
than being ignored.

In `@helpers/resource-agents-build/Dockerfile.stream9`:
- Around line 12-14: Add a cleanup step to the package-install RUN commands in
Dockerfile.stream9 to reduce image size: after the dnf install lines (the RUN
commands that call "dnf install -y epel-release ..." and "dnf install -y git
autoconf ..."), append a cleanup command such as "dnf clean all && rm -rf
/var/cache/dnf /var/cache/yum" (or combine into a single RUN so cache isn't
persisted across layers) to remove metadata and caches.
- Around line 25-26: The Dockerfile's two RUN steps should explicitly fail with
a clear error if no RPM is found: replace the pipeline that runs find | xargs
-I{} cp {} /tmp/resource-agents.rpm with logic that captures the first match
into a shell variable (e.g., FILE or RA_RPM), test if that variable is empty,
and if so echo a descriptive error to stderr and exit 1; otherwise cp "$FILE"
/tmp/resource-agents.rpm and then run rpm -qip /tmp/resource-agents.rpm. Ensure
you reference the same target path /tmp/resource-agents.rpm so the subsequent
rpm inspection only runs when the file exists.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 78ba7ecf-e4ec-498e-977b-3b774d0ef45b

📥 Commits

Reviewing files that changed from the base of the PR and between c2c0209 and 3657f98.

📒 Files selected for processing (4)

• helpers/README.md
• helpers/resource-agents-build/Dockerfile.stream10
• helpers/resource-agents-build/Dockerfile.stream9
• helpers/resource-agents-build/local-build-test.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Same shallow clone concern as Stream 9.

This has the same issue as Dockerfile.stream9 - the shallow clone with --depth 1 may fail when fetching non-default refs. Consider applying the same fix here for consistency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@helpers/resource-agents-build/Dockerfile.stream10` around lines 28 - 30, The
shallow clone uses "--depth 1" in the RUN command cloning
"${RESOURCE_AGENTS_REPO}" to /tmp/resource-agents-build which can fail when
checking out non-default refs; update the RUN line that contains git clone
--depth 1 "${RESOURCE_AGENTS_REPO}" /tmp/resource-agents-build so it does a full
clone (remove the "--depth 1" flag) or replace with an init/remote-add/fetch
sequence that fetches the specific "${RESOURCE_AGENTS_REF}" into
/tmp/resource-agents-build before running git -C /tmp/resource-agents-build
checkout FETCH_HEAD, ensuring RESOURCE_AGENTS_REPO and RESOURCE_AGENTS_REF are
used as in the existing commands.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Shallow clone may fail for non-default branches or tags.

Using --depth 1 creates a shallow clone of only the default branch. The subsequent fetch origin "${RESOURCE_AGENTS_REF}" may fail if the ref is a tag, commit SHA, or branch that doesn't exist in the shallow history. Consider using --no-single-branch or removing --depth 1 for full ref flexibility.

Proposed fix

-RUN git clone --depth 1 "${RESOURCE_AGENTS_REPO}" /tmp/resource-agents-build \
+RUN git clone "${RESOURCE_AGENTS_REPO}" /tmp/resource-agents-build \
     && git -C /tmp/resource-agents-build fetch origin "${RESOURCE_AGENTS_REF}" \
     && git -C /tmp/resource-agents-build checkout FETCH_HEAD

Or alternatively, if you want to keep shallow clones for speed on the common case:

-RUN git clone --depth 1 "${RESOURCE_AGENTS_REPO}" /tmp/resource-agents-build \
-    && git -C /tmp/resource-agents-build fetch origin "${RESOURCE_AGENTS_REF}" \
-    && git -C /tmp/resource-agents-build checkout FETCH_HEAD
+RUN git clone --depth 1 --branch "${RESOURCE_AGENTS_REF}" "${RESOURCE_AGENTS_REPO}" /tmp/resource-agents-build \
+    || git clone "${RESOURCE_AGENTS_REPO}" /tmp/resource-agents-build && git -C /tmp/resource-agents-build checkout "${RESOURCE_AGENTS_REF}"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	RUN git clone --depth 1 "${RESOURCE_AGENTS_REPO}" /tmp/resource-agents-build \
	&& git -C /tmp/resource-agents-build fetch origin "${RESOURCE_AGENTS_REF}" \
	&& git -C /tmp/resource-agents-build checkout FETCH_HEAD
	RUN git clone "${RESOURCE_AGENTS_REPO}" /tmp/resource-agents-build \
	&& git -C /tmp/resource-agents-build fetch origin "${RESOURCE_AGENTS_REF}" \
	&& git -C /tmp/resource-agents-build checkout FETCH_HEAD

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@helpers/resource-agents-build/Dockerfile.stream9` around lines 17 - 19, The
shallow git clone using --depth 1 can prevent fetching non-default
branches/tags/SHAs; update the RUN git clone/fetch sequence so the clone
supports arbitrary refs referenced by RESOURCE_AGENTS_REF (e.g., remove --depth
1 or add --no-single-branch to the git clone, or after cloning run git fetch
--unshallow || git fetch --depth=1 origin "${RESOURCE_AGENTS_REF}" before git
checkout FETCH_HEAD) so that the subsequent git -C /tmp/resource-agents-build
fetch origin "${RESOURCE_AGENTS_REF}" and git -C /tmp/resource-agents-build
checkout FETCH_HEAD succeed reliably for tags, SHAs, and non-default branches.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Argument parsing lacks validation for missing option values.

If a user passes --repo without a following argument (e.g., ./local-build-test.sh --repo), shift 2 will fail or $2 will be unset, causing an error due to set -u. Additionally, calling usage on unknown options exits with code 0, which may be unexpected.

Proposed fix

 while [[ $# -gt 0 ]]; do
     case "$1" in
-        --repo) RESOURCE_AGENTS_REPO="$2"; shift 2 ;;
-        --ref)  RESOURCE_AGENTS_REF="$2"; shift 2 ;;
+        --repo)
+            [[ $# -ge 2 ]] || { echo "Error: --repo requires an argument"; exit 1; }
+            RESOURCE_AGENTS_REPO="$2"; shift 2 ;;
+        --ref)
+            [[ $# -ge 2 ]] || { echo "Error: --ref requires an argument"; exit 1; }
+            RESOURCE_AGENTS_REF="$2"; shift 2 ;;
         -h|--help) usage ;;
-        *) echo "Unknown option: $1"; usage ;;
+        *) echo "Unknown option: $1" >&2; exit 1 ;;
     esac
 done

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	while [[ $# -gt 0 ]]; do
	case "$1" in
	--repo) RESOURCE_AGENTS_REPO="$2"; shift 2 ;;
	--ref) RESOURCE_AGENTS_REF="$2"; shift 2 ;;
	-h|--help) usage ;;
	*) echo "Unknown option: $1"; usage ;;
	esac
	done
	while [[ $# -gt 0 ]]; do
	case "$1" in
	--repo)
	[[ $# -ge 2 ]] || { echo "Error: --repo requires an argument"; exit 1; }
	RESOURCE_AGENTS_REPO="$2"; shift 2 ;;
	--ref)
	[[ $# -ge 2 ]] || { echo "Error: --ref requires an argument"; exit 1; }
	RESOURCE_AGENTS_REF="$2"; shift 2 ;;
	-h|--help) usage ;;
	*) echo "Unknown option: $1" >&2; exit 1 ;;
	esac
	done

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@helpers/resource-agents-build/local-build-test.sh` around lines 29 - 36, The
argument parsing in the while/case block doesn't validate that an option value
exists for --repo and --ref and calls usage with a zero exit on unknown options;
update the case arms for --repo and --ref in the while loop to first check that
a next argument exists and is not another option (i.e., test that "$2" is set
and not starting with '-') and if missing print a clear error referencing
RESOURCE_AGENTS_REPO or RESOURCE_AGENTS_REF and exit non‑zero; also change the
default unknown option path (and any usage invocation for invalid input) to
print the error and call usage with a non‑zero exit code so failures are
signalled (reference the while loop, case pattern, RESOURCE_AGENTS_REPO,
RESOURCE_AGENTS_REF and usage).