Setup RHEL container testing for OpenSSL backend

[ronaldtse]

We need to test against RHEL containers, using the vanilla OpenSSL backend that comes with it.

[ni4]

Note sure whether this applies to the issue, but may be useful: https://redhat-scholars.github.io/openshift-starter-guides/rhs-openshift-starter-guides/4.7/nationalparks-java-codechanges-github-actions.html

[andrey-utkin]

Thanks for the link @ni4 ! I see two options for us.

1. No-cost RHEL for Development Use, but it's a traditional installable machine, so good for manual iteration but no CI integration. https://developers.redhat.com/promotions/download-rhel
2. Set up RH OpenShift subscription (perhaps cloud, but self-hosted way also requires paid sub) and run GH Actions runners using it. There's 30 (dev sandbox) / 60 (marketplace) days trial, but also RH Marketplace says there is 60 days trial and that it costs $0.2/hr or ~$2000/yr. https://marketplace.redhat.com/en-us/products/red-hat-openshift-dedicated/pricing https://www.redhat.com/en/technologies/cloud-computing/openshift/dedicated .

I'd start with the first one to test and make it work, then use it periodically to see how often it breaks without us noticing it otherwise. If it breaks easily, it would be a serious consideration for employing OpenShift CI. I mean, if it turns out that RH compatibility is (eventually) solid and strongly correlated with Fedora and CentOS, then it might be not worth it.

[ronaldtse]

@andrey-utkin the easiest way is to use the RHEL UBI base images and use them in GitHub Actions:

• RHEL UBI 8 https://catalog.redhat.com/software/containers/ubi8/ubi/5c359854d70cc534b3a3784e
• RHEL UBI 9 https://catalog.redhat.com/software/containers/ubi9/618326f8c0d15aff4912fe0b

During yum install you will see some warnings but it still works:

$ docker run -it registry.access.redhat.com/ubi8/ubi:latest bash
[root@3369cc80ab59 /]# yum update
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Red Hat Universal Base Image 8 (RPMs) - BaseOS                                       248 kB/s | 578 kB     00:02    
Red Hat Universal Base Image 8 (RPMs) - AppStream                                    1.2 MB/s | 2.6 MB     00:02    
Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder                            9.0 kB/s |  14 kB     00:01    
Dependencies resolved.
Nothing to do.
Complete!
[root@3369cc80ab59 /]# yum install -y vim
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:00:07 ago on Tue Aug 23 04:01:08 2022.
Dependencies resolved.
=====================================================================================================================
 Package                    Architecture        Version                            Repository                   Size
=====================================================================================================================
Installing:
 vim-enhanced               aarch64             2:8.0.1763-19.el8_6.4              ubi-8-appstream             1.3 M
Installing dependencies:
 gpm-libs                   aarch64             1.20.7-17.el8                      ubi-8-appstream              39 k
 vim-common                 aarch64             2:8.0.1763-19.el8_6.4              ubi-8-appstream             6.3 M
 vim-filesystem             noarch              2:8.0.1763-19.el8_6.4              ubi-8-appstream              50 k

Here's an example of pylibssh's workflows that directly use the UBI images:

• https://github.com/ansible/pylibssh/blob/f2089ba4c5186ad03884d2513444f6d1a3562a58/.github/workflows/build-test-n-publish.yml#L614-L630