OCPBUGS-90502: Run nmstatectl format in nmstate-configuration

[cybertron]

Previously it was very difficult to adopt a day 1 config using nmpolicy constructs into the day 2 operator to allow changes after deployment. This is because nmpolicies rely on having a specific start state for the system, and once the config has been applied that state no longer exists. The operator handles this by saving the start state internally, but since the operator isn't present on day one we need a different approach there.

Running the nmstatectl format command allows us to save off a fully formatted version of the nmpolicy config that can be applied on day 2 with no more changes than any other day 1 NMState config. This makes modifications on day 2 substantially easier.

- What I did

- How to verify it

- Description for the changelog

Summary by CodeRabbit

• Chores
  • Network configuration files are now automatically formatted after initial setup for improved consistency and easier post-installation operations.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@cybertron: This pull request references Jira Issue OCPBUGS-90502, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Previously it was very difficult to adopt a day 1 config using nmpolicy constructs into the day 2 operator to allow changes after deployment. This is because nmpolicies rely on having a specific start state for the system, and once the config has been applied that state no longer exists. The operator handles this by saving the start state internally, but since the operator isn't present on day one we need a different approach there.

Running the nmstatectl format command allows us to save off a fully formatted version of the nmpolicy config that can be applied on day 2 with no more changes than any other day 1 NMState config. This makes modifications on day 2 substantially easier.

- What I did

- How to verify it

- Description for the changelog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

The nmstate-configuration.sh bootstrap script (embedded in nmstate-configuration.yaml) gains three new lines that run nmstatectl format on the just-applied source configuration and write the formatted output to $src_path/formatted, after the copy and applied marker steps already in place.

Changes

nmstate bootstrap formatted config output

Layer / File(s)	Summary
Write formatted nmstate config after apply templates/common/_base/files/nmstate-configuration.yaml	After copying the config and updating the applied marker, the script now runs nmstatectl format on $src_path and writes the result to $src_path/formatted.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: implementing nmstatectl format execution in the nmstate-configuration bootstrap script to support day 2 adoption of network configurations.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The custom check for "Stable and Deterministic Test Names" targets Ginkgo test definitions. This PR only modifies YAML configuration files (nmstate-configuration.yaml and nmstate-configuration.serv...
Test Structure And Quality	✅ Passed	This PR modifies only infrastructure configuration (nmstate-configuration.yaml), not Ginkgo test code. The custom check for Ginkgo test quality is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	This PR modifies a shell script embedded in a MachineConfig YAML file (nmstate-configuration.yaml), not Ginkgo e2e tests. No test code is present.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It only modifies a YAML manifest containing a shell script for nmstate configuration. The custom check for SNO test compatibility is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR modifies only a bootstrap shell script template for nmstate network configuration. It does not add or modify any deployment manifests, operator code, controllers, or any Kubernetes resources...
Ote Binary Stdout Contract	✅ Passed	PR modifies nmstate-configuration.sh bootstrap script only, not OTE binary or test code. OTE Stdout Contract check applies only to OTE test binaries, not node bootstrap scripts.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The changes are limited to a bash bootstrap script in nmstate-configuration.yaml that runs nmstatectl format. The custom check is not applicable.
No-Weak-Crypto	✅ Passed	No weak cryptography patterns (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) or custom crypto implementations detected. Code uses SHA256 (secure) and nmstatectl format (network utility, non-cryptograph...
Container-Privileges	✅ Passed	The PR modifies a shell script configuration file (nmstate-configuration.yaml) that is embedded in a systemd service unit. This is not a Kubernetes or container manifest and contains no privilege...
No-Sensitive-Data-In-Logs	✅ Passed	The new command line is echoed due to set -x in the script, but only shows file paths and command names. Sensitive nmstate configuration contents are redirected to a file, not logged to stdout/st...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cybertron
Once this PR has been reviewed and has the lgtm label, please assign harshwardhanpatil07 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@cybertron: This pull request references Jira Issue OCPBUGS-90502, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Previously it was very difficult to adopt a day 1 config using nmpolicy constructs into the day 2 operator to allow changes after deployment. This is because nmpolicies rely on having a specific start state for the system, and once the config has been applied that state no longer exists. The operator handles this by saving the start state internally, but since the operator isn't present on day one we need a different approach there.

Running the nmstatectl format command allows us to save off a fully formatted version of the nmpolicy config that can be applied on day 2 with no more changes than any other day 1 NMState config. This makes modifications on day 2 substantially easier.

- What I did

- How to verify it

- Description for the changelog

Summary by CodeRabbit

• Chores
• Network configuration files are now automatically formatted after initial setup for improved consistency and easier post-installation operations.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@templates/common/_base/files/nmstate-configuration.yaml`:
- Line 48: The nmstatectl format command is directly redirecting output which
can fail and leave a truncated file, and any failure will stop the entire
bootstrap due to set -e. Refactor the nmstatectl format line to first write the
output to a temporary file (using mktemp), then on successful completion
atomically move that temp file to the final location at "$src_path/formatted"
using mv. Wrap this in a conditional or error handling that logs a message if
the formatting fails but allows the script to continue, since this is just a
day-2 convenience feature and should not block the bootstrap process.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 091b10dd-5e7a-4b1c-8ea3-1786cc8a8dd8

📥 Commits

Reviewing files that changed from the base of the PR and between c1c3fbf and 3b6f88f.

📒 Files selected for processing (1)

• templates/common/_base/files/nmstate-configuration.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make formatted-output generation best-effort and atomic.

This command can fail the whole bootstrap due to set -e, and direct > can leave a truncated/empty "$src_path/formatted" on failure. Since this is a day-2 convenience artifact, write to a temp file and atomically move only on success; otherwise log and continue.

Suggested patch

-    nmstatectl format "$src_path/$config_file" > "$src_path/formatted"
+    tmp_formatted="$(mktemp "$src_path/formatted.XXXXXX")"
+    if nmstatectl format "$src_path/$config_file" > "$tmp_formatted"; then
+      mv -f "$tmp_formatted" "$src_path/formatted"
+    else
+      rm -f "$tmp_formatted"
+      echo "Warning: failed to generate formatted nmstate config; continuing"
+    fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	nmstatectl format "$src_path/$config_file" > "$src_path/formatted"
	tmp_formatted="$(mktemp "$src_path/formatted.XXXXXX")"
	if nmstatectl format "$src_path/$config_file" > "$tmp_formatted"; then
	mv -f "$tmp_formatted" "$src_path/formatted"
	else
	rm -f "$tmp_formatted"
	echo "Warning: failed to generate formatted nmstate config; continuing"
	fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@templates/common/_base/files/nmstate-configuration.yaml` at line 48, The
nmstatectl format command is directly redirecting output which can fail and
leave a truncated file, and any failure will stop the entire bootstrap due to
set -e. Refactor the nmstatectl format line to first write the output to a
temporary file (using mktemp), then on successful completion atomically move
that temp file to the final location at "$src_path/formatted" using mv. Wrap
this in a conditional or error handling that logs a message if the formatting
fails but allows the script to continue, since this is just a day-2 convenience
feature and should not block the bootstrap process.

[openshift-ci]

@cybertron: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.