MULTIARCH-6023: PowerVS IPI install signal handling to prevent deprovision failures

[Neha-dot-Yadav]

Problem

When PowerVS IPI installations timeout, the deprovision step fails with:

Skipping: /tmp/secret/metadata.json not found.

This prevents cleanup of cloud resources (VMs, networks, DNS records), leading to stale resource and subsequent job failures.

Root Cause

The script has two issues with signal handling:

1. Trap overwriting: Two traps are set for SIGTERM, where the second overwrites the first:

   trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM
   trap 'prepare_next_steps' EXIT TERM  # ← Overwrites line above
   

2. Pipeline blocking: Bash cannot execute trap handlers while blocked on pipeline execution:
   openshift-install ... | grep ... # Bash is blocked here

When SIGTERM arrives, it's queued but cannot be processed until the pipeline completes. If the pipeline never completes (stuck installation), SIGKILL arrives after the grace period and terminates everything without running cleanup.

Solution

1. Combine traps: Merge both handlers into a single trap for EXIT/TERM signals
2. Use background processes: Run openshift-install in background with process substitution instead of pipelines
3. Use interruptible wait: The wait command can be interrupted by signals (unlike pipeline execution)

Summary by CodeRabbit

This PR improves the reliability of PowerVS IPI installation cleanup in OpenShift CI by fixing signal-handling behavior during install timeouts, preventing deprovision failures that previously left stale cloud resources behind (e.g., VMs, networks, and DNS records) and could cause later job failures.

What changed (practical impact)

In ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-commands.sh, the script’s termination/cleanup logic was reworked so that when the install step is interrupted (such as by timeout), the script can still execute its “next steps”/cleanup path instead of failing early with errors like Skipping: /tmp/secret/metadata.json not found.

How it fixes timeout/deprovision failures

• Trap handling is consolidated and corrected: The SIGTERM behavior is handled by a dedicated TERM trap (rather than having handlers that could be overwritten), ensuring termination signals trigger the intended cleanup behavior.
• Background execution avoids blocked pipeline behavior: openshift-install ... | grep ... (a blocking pipeline) was replaced with running openshift-install in the background while filtering output via process substitution, so the script remains responsive to signals.
• Uses wait to preserve interruptibility: The script captures the installer PID, waits on it, and propagates the status so the process can be cleanly interrupted while still running termination cleanup logic.

These adjustments apply to both:

• openshift-install --dir=... create cluster
• openshift-install wait-for install-complete

Temporary CI timing tweak to validate TERM handling

In ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-ref.yaml, the step timeout was set to 30 minutes and the grace_period reduced to 15 minutes (temporarily) to exercise/test the TERM-triggered cleanup behavior during timeouts.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1c395b82-2b36-44a1-a9bd-2acaf812f456

📥 Commits

Reviewing files that changed from the base of the PR and between ae07ba4 and 2bb8be2.

📒 Files selected for processing (2)

• ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-commands.sh
• ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-ref.yaml

✅ Files skipped from review due to trivial changes (1)

• ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-ref.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-commands.sh

---

Walkthrough

The script now uses separate TERM and EXIT traps, with TERM terminating child jobs and exiting 143. Both installer phases run in the background with PID-based waiting, and the step config updates timeout and grace period values.

Changes

Powervs install TERM handling

Layer / File(s)	Summary
Trap handling split ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-commands.sh	The combined EXIT/TERM trap is replaced with a dedicated TERM trap that kills background child jobs, waits for them, disables the EXIT trap, runs prepare_next_steps, and exits with status 143; EXIT still runs prepare_next_steps on normal termination.
Installer commands wait on PID ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-commands.sh	openshift-install create cluster and openshift-install wait-for install-complete now run in the background with output filtered through process substitution, capture the installer PID, and derive the exit code from wait.
Step timing values ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-ref.yaml	The step registry config sets a 30-minute timeout and changes grace_period to 15 minutes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• openshift/release#80803: Both PRs change how the IPI install script waits on openshift-install during install-complete, including background execution and exit handling.
• openshift/release#80923: Both PRs adjust Bash TERM/EXIT trap behavior so termination and normal cleanup follow separate paths.

Suggested labels

rehearsals-ack

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: PowerVS IPI install signal handling to avoid deprovision failures.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Only a shell script and step YAML changed; no Ginkgo test declarations or test titles were added or modified in the touched path.
Test Structure And Quality	✅ Passed	PR only changes a shell script and YAML step config; no Ginkgo tests were added or modified, so this test-quality check is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the PR only changes an install-step shell script and YAML timeout settings.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the PR only changes a shell script and step YAML, with no It/Describe/Context/When blocks or SNO assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	Only an install shell script and step timeout metadata changed; no pod affinity, nodeSelector, replica, or topology-aware scheduling logic was added.
Ote Binary Stdout Contract	✅ Passed	The PR only changes a ci-operator shell script and YAML; no OTE binary process-level stdout writes were introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the diff only changes a shell script and CI ref YAML, so the IPv4/disconnected-network check is not applicable.
No-Weak-Crypto	✅ Passed	The PR only changes trap handling and install timing; scans of both touched files found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons.
Container-Privileges	✅ Passed	The changed files only adjust trap logic and timeout/grace settings; no privileged, hostPID/hostNetwork/hostIPC, SYS_ADMIN, or allowPrivilegeEscalation fields are added.
No-Sensitive-Data-In-Logs	✅ Passed	The patch only changes signal handling and keeps installer output filtered; no new logging of secrets, tokens, PII, or host data was introduced.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-commands.sh (1)

972-976: 🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

Same redirection-order bug as create cluster — stderr bypasses the filter here too.

🔒 Proposed fix

-  openshift-install wait-for install-complete --dir="${dir}" 2>&1 > >(grep --line-buffered -v 'password\|X-Auth-Token\|UserData:') &
+  openshift-install wait-for install-complete --dir="${dir}" > >(grep --line-buffered -v 'password\|X-Auth-Token\|UserData:') 2>&1 &
   INSTALL_PID=$!
   wait $INSTALL_PID
   ret=$?

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-commands.sh`
around lines 972 - 976, The redirection order in the openshift-install wait-for
install-complete command is incorrect, causing stderr to bypass the grep filter.
The current order `2>&1 > >(grep ...)` redirects stderr before stdout is piped
to grep, so stderr goes to the original stdout instead of through the filter.
Move the `2>&1` redirection to come after the process substitution `> >(grep
...)` so that both stdout and stderr are properly filtered through the grep
command that removes sensitive information like passwords and authentication
tokens.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-commands.sh`:
- Around line 940-944: The redirection order in the openshift-install command is
incorrect, causing stderr to bypass the secret-scrubbing grep filter. Currently,
stderr is redirected to stdout before stdout is redirected to the grep process
substitution, allowing sensitive information like passwords and tokens to leak
into CI logs unredacted. Fix this by swapping the redirection order in the
openshift-install invocation so that stdout is first redirected to the grep
process substitution using > >(...), and then stderr is merged into it using
2>&1, ensuring both output streams pass through the password, X-Auth-Token, and
UserData filtering.
- Around line 707-710: Split the combined trap statement handling both EXIT and
TERM into two separate trap handlers to prevent prepare_next_steps from
executing twice and to preserve the correct exit code. Create a TERM trap that
kills background children and exits the script immediately, and a separate EXIT
trap that captures the exit code before running prepare_next_steps, ensuring the
function reads the actual installation result rather than the status from the
wait command.

---

Duplicate comments:
In
`@ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-commands.sh`:
- Around line 972-976: The redirection order in the openshift-install wait-for
install-complete command is incorrect, causing stderr to bypass the grep filter.
The current order `2>&1 > >(grep ...)` redirects stderr before stdout is piped
to grep, so stderr goes to the original stdout instead of through the filter.
Move the `2>&1` redirection to come after the process substitution `> >(grep
...)` so that both stdout and stderr are properly filtered through the grep
command that removes sensitive information like passwords and authentication
tokens.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b04622d5-638c-4b9d-86ce-8f97b938dad7

📥 Commits

Reviewing files that changed from the base of the PR and between c75ad6f and ae07ba4.

📒 Files selected for processing (1)

• ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-commands.sh

[hamzy]

/pj-rehearse periodic-ci-openshift-multiarch-main-nightly-5.0-ocp-e2e-ovn-powervc-multi-p-p

[openshift-merge-bot]

@hamzy: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

@hamzy: job(s): periodic-ci-openshift-multiarch-main-nightly-5.0-ocp-e2e-ovn-powervc-multi-p-p either don't exist or were not found to be affected, and cannot be rehearsed

[hamzy]

/pj-rehearse periodic-ci-openshift-multiarch-main-nightly-4.22-ocp-e2e-ovn-powervs-capi-multi-p-p

[openshift-merge-bot]

@hamzy: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[prb112]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Neha-dot-Yadav, prb112

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/ipi/install/powervs/OWNERS [prb112]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[prb112]

/retitle MULTIARCH-6023: PowerVS IPI install signal handling to prevent deprovision failures

[openshift-ci-robot]

@Neha-dot-Yadav: This pull request references MULTIARCH-6023 which is a valid jira issue.

Details

In response to this:

Problem

When PowerVS IPI installations timeout, the deprovision step fails with:

Skipping: /tmp/secret/metadata.json not found.

This prevents cleanup of cloud resources (VMs, networks, DNS records), leading to stale resource and subsequent job failures.

Root Cause

The script has two issues with signal handling:

1. Trap overwriting: Two traps are set for SIGTERM, where the second overwrites the first:

trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM
trap 'prepare_next_steps' EXIT TERM  # ← Overwrites line above

2. Pipeline blocking: Bash cannot execute trap handlers while blocked on pipeline execution:
`openshift-install ... | grep ...  # Bash is blocked here`

When SIGTERM arrives, it's queued but cannot be processed until the pipeline completes. If the pipeline never completes (stuck installation), SIGKILL arrives after the grace period and terminates everything without running cleanup.

## Solution
1. Combine traps: Merge both handlers into a single trap for EXIT/TERM signals
2. Use background processes: Run openshift-install in background with process substitution instead of pipelines
3. Use interruptible wait: The wait command can be interrupted by signals (unlike pipeline execution)


<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

This PR improves the reliability of PowerVS IPI provisioning cleanup in OpenShift CI by fixing signal-handling behavior during install timeouts—preventing failures that previously left stale infrastructure behind (VMs, networks, and DNS records) and caused subsequent jobs to fail.

### What changed (practical impact)
In `ci-operator/step-registry/ipi/install/powervs/install/ipi-install-powervs-install-commands.sh`, the install flow was adjusted so that when an install is interrupted (e.g., due to timeout), the script can still run its cleanup/“next steps” logic instead of exiting prematurely with errors like `Skipping: /tmp/secret/metadata.json not found`.

### How it fixes the timeout/deprovision failure
- **Signal handling is consolidated:** The script’s trap setup was reworked so the intended handler is not overwritten (ensuring termination signals trigger the correct logic).
- **Installer execution no longer blocks signal processing:** Instead of running `openshift-install ... | grep ...` as a foreground pipeline (which can delay trap execution until the pipeline completes), `openshift-install` is now run in the background with output filtered via process substitution.
- **Uses `wait` for interruptible lifecycle control:** The script captures the installer PID, waits on it, and propagates the resulting status—so SIGTERM/SIGKILL timing doesn’t prevent the script from executing its termination path.

These adjustments apply to both phases:
- `openshift-install --dir=... create cluster`
- `openshift-install wait-for install-complete`

Overall, PowerVS IPI jobs are less likely to strand cloud resources when interrupted, reducing downstream retries and cascading failures.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[hamzy]

/pj-rehearse periodic-ci-openshift-multiarch-main-nightly-4.22-ocp-e2e-ovn-powervs-capi-multi-p-p

[openshift-merge-bot]

@hamzy: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@Neha-dot-Yadav: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-installer-main-e2e-powervs-capi-ovn	openshift/installer	presubmit	Registry content changed
pull-ci-openshift-installer-release-5.1-e2e-powervs-capi-ovn	openshift/installer	presubmit	Registry content changed
pull-ci-openshift-installer-release-5.0-e2e-powervs-capi-ovn	openshift/installer	presubmit	Registry content changed
pull-ci-openshift-installer-release-4.23-e2e-powervs-capi-ovn	openshift/installer	presubmit	Registry content changed
pull-ci-openshift-installer-release-4.22-e2e-powervs-capi-ovn	openshift/installer	presubmit	Registry content changed
pull-ci-openshift-installer-release-4.21-e2e-powervs-capi-ovn	openshift/installer	presubmit	Registry content changed
pull-ci-openshift-installer-release-4.20-e2e-powervs-capi-ovn	openshift/installer	presubmit	Registry content changed
pull-ci-openshift-installer-release-4.19-e2e-powervs-capi-ovn	openshift/installer	presubmit	Registry content changed
pull-ci-openshift-installer-release-4.18-e2e-powervs-capi-ovn	openshift/installer	presubmit	Registry content changed
pull-ci-openshift-installer-release-4.17-e2e-powervs-ovn	openshift/installer	presubmit	Registry content changed
pull-ci-openshift-installer-release-4.16-altinfra-e2e-powervs-capi-ovn	openshift/installer	presubmit	Registry content changed
periodic-ci-openshift-multiarch-main-nightly-4.18-ocp-e2e-ovn-powervs-capi-multi-p-p	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.21-ppc64le-nightly-powervs-ipi-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-multiarch-main-nightly-4.13-ocp-e2e-ovn-ppc64le-powervs	N/A	periodic	Registry content changed
periodic-ci-openshift-multiarch-main-nightly-4.17-ocp-e2e-ovn-powervs-capi-multi-p-p	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.16-ppc64le-nightly-powervs-ipi-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.20-ppc64le-nightly-powervs-ipi-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.18-ppc64le-nightly-powervs-ipi-f14-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-multiarch-main-nightly-4.14-ocp-e2e-serial-ovn-ppc64le-powervs	N/A	periodic	Registry content changed
periodic-ci-openshift-multiarch-main-nightly-4.22-ocp-e2e-ovn-powervs-capi-multi-p-p	N/A	periodic	Registry content changed
periodic-ci-openshift-multiarch-main-nightly-4.20-ocp-e2e-ovn-powervs-capi-multi-p-p	N/A	periodic	Registry content changed
periodic-ci-openshift-multiarch-main-nightly-4.23-ocp-e2e-ovn-powervs-capi-multi-p-p	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.22-ppc64le-nightly-powervs-ipi-f7	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.22-ppc64le-nightly-powervs-ipi-f7-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.21-ppc64le-nightly-powervs-ipi-f14-destructive	N/A	periodic	Registry content changed

A total of 43 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[Neha-dot-Yadav]

/pj-rehearse periodic-ci-openshift-multiarch-main-nightly-4.22-ocp-e2e-ovn-powervs-capi-multi-p-p

[openshift-merge-bot]

@Neha-dot-Yadav: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@Neha-dot-Yadav: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-multiarch-main-nightly-4.22-ocp-e2e-ovn-powervs-capi-multi-p-p	2bb8be2	link	unknown	/pj-rehearse periodic-ci-openshift-multiarch-main-nightly-4.22-ocp-e2e-ovn-powervs-capi-multi-p-p

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hamzy]

/hold

[hamzy]

Why did you do this?