From e63d18954bfd73697165b2a08efe5f2c491647e1 Mon Sep 17 00:00:00 2001
From: Zack Zlotnik <zzlotnik@redhat.com>
Date: Wed, 12 Nov 2025 14:09:11 -0500
Subject: [PATCH 1/3] adds testing images for dual-stream image-mode

These images will be built by the CI system and injected into the e2e
tests so that we can test image-mode on dual-stream.
---
 Containerfile.helpers-ci                      |  4 +--
 Dockerfile.rhel7                              |  3 +-
 Makefile                                      | 29 ++++++++++++++++++-
 .../Containerfile.rhel-coreos-10              | 15 ++++++++++
 .../Containerfile.rhel-coreos-9               | 13 +++++++++
 test/custom-os-images/README.md               | 11 +++++++
 6 files changed, 71 insertions(+), 4 deletions(-)
 create mode 100644 test/custom-os-images/Containerfile.rhel-coreos-10
 create mode 100644 test/custom-os-images/Containerfile.rhel-coreos-9
 create mode 100644 test/custom-os-images/README.md

diff --git a/Containerfile.helpers-ci b/Containerfile.helpers-ci
index 4a244dca96..294e40486d 100644
--- a/Containerfile.helpers-ci
+++ b/Containerfile.helpers-ci
@@ -1,4 +1,4 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.22-builder-multi-openshift-4.18 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS builder
 ENV GOCACHE="/go/.cache" \
     GOMODCACHE="/go/pkg/mod"
 WORKDIR /go/src/github.com/openshift/machine-config-operator
@@ -7,5 +7,5 @@ RUN --mount=type=cache,target=/go/.cache,z \
     --mount=type=cache,target=/go/pkg/mod,z \
     make install-helpers DESTDIR=/helpers
 
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-enterprise-base-multi-openshift-4.18 AS final
+FROM registry.ci.openshift.org/ocp/4.21:base-rhel9 AS final
 COPY --from=builder /helpers/usr/bin /usr/bin
diff --git a/Dockerfile.rhel7 b/Dockerfile.rhel7
index 94829e7295..8d30e0b1f8 100644
--- a/Dockerfile.rhel7
+++ b/Dockerfile.rhel7
@@ -45,7 +45,8 @@ RUN --mount=type=cache,target=/var/cache/dnf,z \
     # Create the build user which will be used for doing OS image builds. We
     # use the username "build" and the uid 1000 since this matches what is in
     # the official Buildah image.
-    useradd --uid 1000 build
+    # Conditional checks if "build" user does not exist before adding user.
+    if ! id -u "build" >/dev/null 2>&1; then useradd --uid 1000 build; fi
 # Copy the binaries *after* we install nmstate so we don't invalidate our cache for local builds.
 COPY --from=rhel9-builder /go/src/github.com/openshift/machine-config-operator/instroot-rhel9.tar /tmp/instroot-rhel9.tar
 RUN cd / && tar xf /tmp/instroot-rhel9.tar && rm -f /tmp/instroot-rhel9.tar
diff --git a/Makefile b/Makefile
index ff2328ac57..052faa4b7a 100644
--- a/Makefile
+++ b/Makefile
@@ -10,6 +10,11 @@ PREFIX ?= /usr
 GO111MODULE?=on
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 
+# Find all of the test OS image Containerfiles so they can be built.
+CUSTOM_OS_TEST_IMAGE_DIR := $(E2E_ROOT_DIR)/custom-os-images
+CUSTOM_OS_TEST_CONTAINERFILES := $(wildcard $(CUSTOM_OS_TEST_IMAGE_DIR)/Containerfile.*)
+CUSTOM_OS_TEST_IMAGE_NAMES := $(patsubst $(CUSTOM_OS_TEST_IMAGE_DIR)/Containerfile.%,%,$(CUSTOM_OS_TEST_CONTAINERFILES))
+
 # Copied from coreos-assembler
 GOARCH := $(shell uname -m)
 ifeq ($(GOARCH),x86_64)
@@ -30,7 +35,7 @@ GOTAGS = "containers_image_openpgp exclude_graphdriver_devicemapper exclude_grap
 
 all: binaries
 
-.PHONY: clean test test-unit test-e2e verify update update-amis install-tools
+.PHONY: clean test test-unit test-e2e verify update update-amis install-tools custom-os-images
 
 # Remove build artifaces
 # Example:
@@ -57,6 +62,28 @@ _verify-e2e-%:
 image:
 	hack/build-image
 
+# Define a template rule to build a specific test image.
+# Accepts the image name suffix (e.g., "rhel-coreos-9") as the
+# sole argument.
+#
+# The images will be produced with the names like localhost/custom-os-image:rhel-coreos-9.
+define custom_os_image_build_template =
+.PHONY: custom-os-image-$(1)
+custom-os-image-$(1):
+	podman build \
+		-f $(CUSTOM_OS_TEST_IMAGE_DIR)/Containerfile.$(1) \
+		-t localhost/custom-os-image:$(1) \
+		$(CUSTOM_OS_TEST_IMAGE_DIR)
+endef
+
+# Create a target for each detected test image (e.g., rhel-coreos-9).
+$(foreach C, $(CUSTOM_OS_TEST_IMAGE_NAMES), $(eval $(call custom_os_image_build_template,$(C))))
+
+# Target to build all detected custom OS test images. This is mostly for use by
+# developers on their workstations since they must be explicitly declared in
+# OpenShift CI.
+custom-os-images: $(patsubst %,custom-os-image-%,$(CUSTOM_OS_TEST_IMAGE_NAMES))
+
 # Run tests
 test: test-unit test-e2e
 
diff --git a/test/custom-os-images/Containerfile.rhel-coreos-10 b/test/custom-os-images/Containerfile.rhel-coreos-10
new file mode 100644
index 0000000000..f55cc25360
--- /dev/null
+++ b/test/custom-os-images/Containerfile.rhel-coreos-10
@@ -0,0 +1,15 @@
+FROM registry.ci.openshift.org/ocp/4.21:rhel-coreos-10 AS base
+
+FROM quay.io/centos/centos:stream10 AS epel
+WORKDIR /etc/yum.repos.d
+RUN dnf install -y --setopt=keepcache=True epel-release && \
+    curl -LO https://pkgs.tailscale.com/stable/rhel/10/tailscale.repo && \
+    sed -i 's/\$stream/10-stream/g' /etc/yum.repos.d/centos*.repo && \
+    sed -i 's/EPEL\-\$releasever_major/EPEL-10/g' /etc/yum.repos.d/epel*.repo && \
+    sed -i -E 's/\$\{releasever_minor\:\+\-z\}//g' /etc/yum.repos.d/epel*.repo
+
+FROM base AS final
+COPY --from=epel /etc/yum.repos.d /etc/yum.repos.d
+COPY --from=epel /etc/pki/rpm-gpg/RPM-GPG-KEY-* /etc/pki/rpm-gpg/
+RUN rpm-ostree install ripgrep yq tailscale && \
+    ostree container commit
diff --git a/test/custom-os-images/Containerfile.rhel-coreos-9 b/test/custom-os-images/Containerfile.rhel-coreos-9
new file mode 100644
index 0000000000..ee77e2b06d
--- /dev/null
+++ b/test/custom-os-images/Containerfile.rhel-coreos-9
@@ -0,0 +1,13 @@
+FROM registry.ci.openshift.org/ocp/4.21:rhel-coreos AS base
+
+FROM quay.io/centos/centos:stream9 AS epel
+WORKDIR /etc/yum.repos.d
+RUN dnf install -y epel-release && \
+    curl -LO https://pkgs.tailscale.com/stable/rhel/9/tailscale.repo && \
+    sed -i 's/\$stream/9-stream/g' /etc/yum.repos.d/centos*.repo
+
+FROM base AS final
+COPY --from=epel /etc/yum.repos.d /etc/yum.repos.d
+COPY --from=epel /etc/pki/rpm-gpg/RPM-GPG-KEY-* /etc/pki/rpm-gpg/
+RUN rpm-ostree install ripgrep yq tailscale && \
+    ostree container commit
diff --git a/test/custom-os-images/README.md b/test/custom-os-images/README.md
new file mode 100644
index 0000000000..da7fe13fc7
--- /dev/null
+++ b/test/custom-os-images/README.md
@@ -0,0 +1,11 @@
+# custom-os-images
+
+This directory contains two Containerfiles, `Containerfile.rhel-coreos-9` and
+`Containerfile.rhel-coreos-10`, respectively. These images are intended for
+testing Image Mode OpenShift and are intended to be built by the CI system and
+injected into the e2e test suites. They're ephemeral since they'll be discarded
+when the CI run is finished.
+
+To make maintaining and debugging these images easier, there is a Makefile
+target that can be used locally by developers to validate that the images build
+without issue. Just run `make custom-os-images`.

From fd138cb2ed667018c62fafbbe2e1bc8fc802532b Mon Sep 17 00:00:00 2001
From: Zack Zlotnik <zzlotnik@redhat.com>
Date: Fri, 14 Nov 2025 12:06:34 -0500
Subject: [PATCH 2/3] update TestOSImageURLOverride to use the new env var

---
 test/e2e-2of2/osimageurl_override_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/e2e-2of2/osimageurl_override_test.go b/test/e2e-2of2/osimageurl_override_test.go
index fd12f8e6b9..0e28a8c534 100644
--- a/test/e2e-2of2/osimageurl_override_test.go
+++ b/test/e2e-2of2/osimageurl_override_test.go
@@ -22,7 +22,7 @@ import (
 // 6. Wait for the node to roll back.
 // 7. Assert that the binaries are no longer present.
 func TestOSImageURLOverride(t *testing.T) {
-	envVarName := "MCO_OS_IMAGE_URL"
+	envVarName := "MCO_OS_IMAGE_URL_RHEL_9"
 
 	osImageURL, ok := os.LookupEnv(envVarName)
 	if ok && osImageURL != "" {

From d4a5db5793f08a0b6893c89a848abc84344af2b8 Mon Sep 17 00:00:00 2001
From: Zack Zlotnik <zzlotnik@redhat.com>
Date: Tue, 18 Nov 2025 10:32:29 -0500
Subject: [PATCH 3/3] remove tailscale from custom-os-image

---
 test/custom-os-images/Containerfile.rhel-coreos-10 | 3 +--
 test/custom-os-images/Containerfile.rhel-coreos-9  | 3 +--
 test/e2e-2of2/osimageurl_override_test.go          | 1 -
 3 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/test/custom-os-images/Containerfile.rhel-coreos-10 b/test/custom-os-images/Containerfile.rhel-coreos-10
index f55cc25360..6affa00b86 100644
--- a/test/custom-os-images/Containerfile.rhel-coreos-10
+++ b/test/custom-os-images/Containerfile.rhel-coreos-10
@@ -3,7 +3,6 @@ FROM registry.ci.openshift.org/ocp/4.21:rhel-coreos-10 AS base
 FROM quay.io/centos/centos:stream10 AS epel
 WORKDIR /etc/yum.repos.d
 RUN dnf install -y --setopt=keepcache=True epel-release && \
-    curl -LO https://pkgs.tailscale.com/stable/rhel/10/tailscale.repo && \
     sed -i 's/\$stream/10-stream/g' /etc/yum.repos.d/centos*.repo && \
     sed -i 's/EPEL\-\$releasever_major/EPEL-10/g' /etc/yum.repos.d/epel*.repo && \
     sed -i -E 's/\$\{releasever_minor\:\+\-z\}//g' /etc/yum.repos.d/epel*.repo
@@ -11,5 +10,5 @@ RUN dnf install -y --setopt=keepcache=True epel-release && \
 FROM base AS final
 COPY --from=epel /etc/yum.repos.d /etc/yum.repos.d
 COPY --from=epel /etc/pki/rpm-gpg/RPM-GPG-KEY-* /etc/pki/rpm-gpg/
-RUN rpm-ostree install ripgrep yq tailscale && \
+RUN rpm-ostree install ripgrep yq && \
     ostree container commit
diff --git a/test/custom-os-images/Containerfile.rhel-coreos-9 b/test/custom-os-images/Containerfile.rhel-coreos-9
index ee77e2b06d..38f83af8d2 100644
--- a/test/custom-os-images/Containerfile.rhel-coreos-9
+++ b/test/custom-os-images/Containerfile.rhel-coreos-9
@@ -3,11 +3,10 @@ FROM registry.ci.openshift.org/ocp/4.21:rhel-coreos AS base
 FROM quay.io/centos/centos:stream9 AS epel
 WORKDIR /etc/yum.repos.d
 RUN dnf install -y epel-release && \
-    curl -LO https://pkgs.tailscale.com/stable/rhel/9/tailscale.repo && \
     sed -i 's/\$stream/9-stream/g' /etc/yum.repos.d/centos*.repo
 
 FROM base AS final
 COPY --from=epel /etc/yum.repos.d /etc/yum.repos.d
 COPY --from=epel /etc/pki/rpm-gpg/RPM-GPG-KEY-* /etc/pki/rpm-gpg/
-RUN rpm-ostree install ripgrep yq tailscale && \
+RUN rpm-ostree install ripgrep yq && \
     ostree container commit
diff --git a/test/e2e-2of2/osimageurl_override_test.go b/test/e2e-2of2/osimageurl_override_test.go
index 0e28a8c534..ec0013797b 100644
--- a/test/e2e-2of2/osimageurl_override_test.go
+++ b/test/e2e-2of2/osimageurl_override_test.go
@@ -37,7 +37,6 @@ func TestOSImageURLOverride(t *testing.T) {
 	node := helpers.GetRandomNode(t, cs, "worker")
 
 	binaries := []string{
-		"/usr/bin/tailscale",
 		"/usr/bin/rg",
 		"/usr/bin/yq",
 	}