MCO-396: daemon: FCOS workaround, plus SELinux workaround by cgwalters · Pull Request #3358 · openshift/machine-config-operator

cgwalters · 2022-10-01T11:58:34Z

daemon: Temporarily copy auth file with more open perms on FCOS

This works around an rpm-ostree regression
https://issues.redhat.com/browse/OKD-63

daemon: Temporarily setenforce 0 for inplace update from container

In practice, we should ship a SELinux policy tweak that allows a transition
from spc_t -> install_t but for now I want to see if this works.

This works around an rpm-ostree regression https://issues.redhat.com/browse/OKD-63

vrutkovs · 2022-10-01T12:47:19Z

/test okd-e2e-aws

vrutkovs · 2022-10-01T17:01:20Z

OKD install now passes in okd-e2e-aws, thanks!

yuqi-zhang

/lgtm

openshift-ci-robot · 2022-10-03T15:27:12Z

/retest-required

Remaining retests: 0 against base HEAD 71469ce and 2 for PR HEAD 6ccdd57 in total

openshift-ci-robot · 2022-10-03T18:06:18Z

/retest-required

Remaining retests: 0 against base HEAD 87bde27 and 1 for PR HEAD 6ccdd57 in total

yuqi-zhang · 2022-10-03T20:36:04Z

CI is currently blocked on https://issues.redhat.com/browse/TRT-589

vrutkovs · 2022-10-04T11:03:14Z

/retest

cgwalters · 2022-10-04T20:20:51Z

OK from the controlplane journal on OKD:

Oct 04 11:53:29 ip-10-0-159-199 audit[3599]: AVC avc:  denied  { mac_admin } for  pid=3599 comm="pool-rpm-ostree" capability=33  scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=capability2 permissive=0

Argh. This is likely to bite us in RHEL too. We're going to need to override the container security context. This issue is one of the reasons why running ostree in a container is a bit tricky.

cgwalters · 2022-10-04T20:36:07Z

https://issues.redhat.com/browse/MCO-396

openshift-ci-robot · 2022-10-04T20:39:05Z

/retest-required

Remaining retests: 0 against base HEAD 4c66f8f and 0 for PR HEAD 6ccdd57 in total

cgwalters · 2022-10-04T20:52:38Z

OK I rolled a workaround for https://issues.redhat.com/browse/MCO-396 into this, because the OKD path is hitting this today.

cgwalters · 2022-10-04T21:48:08Z

/test ci/prow/okd-e2e-aws

openshift-ci · 2022-10-04T21:48:22Z

@cgwalters: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test 4.12-upgrade-from-stable-4.11-images
/test cluster-bootimages
/test e2e-agnostic-upgrade
/test e2e-aws
/test e2e-gcp-op
/test images
/test unit
/test verify

The following commands are available to trigger optional jobs:

/test 4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade
/test bootstrap-unit
/test e2e-aws-disruptive
/test e2e-aws-ovn-workers-rhel8
/test e2e-aws-proxy
/test e2e-aws-serial
/test e2e-aws-single-node
/test e2e-aws-upgrade
/test e2e-aws-upgrade-single-node
/test e2e-aws-workers-rhel8
/test e2e-azure
/test e2e-azure-ovn-upgrade
/test e2e-azure-upgrade
/test e2e-gcp-op-single-node
/test e2e-gcp-single-node
/test e2e-gcp-upgrade
/test e2e-metal-assisted
/test e2e-metal-ipi
/test e2e-metal-ipi-ovn-dualstack
/test e2e-metal-ipi-ovn-ipv6
/test e2e-openstack
/test e2e-openstack-parallel
/test e2e-ovirt
/test e2e-ovirt-upgrade
/test e2e-ovn-step-registry
/test e2e-vsphere
/test e2e-vsphere-upgrade
/test e2e-vsphere-upi
/test okd-e2e-aws
/test okd-e2e-gcp-op
/test okd-e2e-upgrade
/test okd-e2e-vsphere
/test okd-images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-machine-config-operator-master-e2e-agnostic-upgrade
pull-ci-openshift-machine-config-operator-master-e2e-aws
pull-ci-openshift-machine-config-operator-master-e2e-gcp-op
pull-ci-openshift-machine-config-operator-master-images
pull-ci-openshift-machine-config-operator-master-okd-images
pull-ci-openshift-machine-config-operator-master-unit
pull-ci-openshift-machine-config-operator-master-verify

Details

In response to this:

/test ci/prow/okd-e2e-aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

cgwalters · 2022-10-04T22:26:20Z

/test okd-e2e-aws

In practice, we should ship a SELinux policy tweak that allows a transition from `spc_t` -> `install_t` but for now I want to see if this works.

cgwalters · 2022-10-05T10:56:02Z

/test okd-e2e-aws

cgwalters · 2022-10-05T16:37:38Z

ci/prow/okd-e2e-aws — Job succeeded.

🎉

cgwalters · 2022-10-05T16:43:30Z

/jira refresh

sinnykumari · 2022-10-06T14:54:31Z

/lgtm

cgwalters · 2022-10-06T14:55:37Z

This undermines my confidence in the old-bootimage path, we'll want to verify that better after this lands.

openshift-ci · 2022-10-06T15:02:47Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, sinnykumari, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [cgwalters,sinnykumari,yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot · 2022-10-06T16:03:48Z

/retest-required

Remaining retests: 0 against base HEAD 3589316 and 2 for PR HEAD 0451275 in total

vrutkovs · 2022-10-06T16:54:44Z

/test okd-scos-images

vrutkovs · 2022-10-07T05:35:22Z

/retest

vrutkovs · 2022-10-07T09:38:58Z

/skip

SKipping optional tests as it unblocks OKD nightlies

vrutkovs · 2022-10-07T09:44:26Z

/retest

vrutkovs · 2022-10-07T13:23:12Z

/retest

openshift-ci-robot · 2022-10-07T16:47:18Z

/retest-required

Remaining retests: 0 against base HEAD 2cd6ace and 1 for PR HEAD 0451275 in total

openshift-ci-robot · 2022-10-07T21:46:02Z

/retest-required

Remaining retests: 0 against base HEAD 48e94f5 and 0 for PR HEAD 0451275 in total

openshift-ci-robot · 2022-10-07T22:46:01Z

/hold

Revision 0451275 was retested 3 times: holding

vrutkovs · 2022-10-08T06:30:08Z

/test e2e-agnostic-upgrade

vrutkovs · 2022-10-08T09:17:47Z

/hold cancel

openshift-ci-robot · 2022-10-08T10:45:59Z

/retest-required

Remaining retests: 0 against base HEAD 48e94f5 and 2 for PR HEAD 0451275 in total

vrutkovs · 2022-10-08T16:46:01Z

/retest

openshift-ci · 2022-10-08T19:20:00Z

@cgwalters: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-hypershift	`0451275`	link	false	`/test e2e-hypershift`
ci/prow/okd-scos-e2e-vsphere	`0451275`	link	false	`/test okd-scos-e2e-vsphere`
ci/prow/okd-scos-e2e-upgrade	`0451275`	link	false	`/test okd-scos-e2e-upgrade`
ci/prow/okd-scos-e2e-gcp-op	`0451275`	link	false	`/test okd-scos-e2e-gcp-op`
ci/prow/okd-scos-e2e-aws	`0451275`	link	false	`/test okd-scos-e2e-aws`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

vrutkovs · 2022-10-09T05:36:49Z

/retest

daemon: Temporarily copy auth file with more open perms on FCOS

6ccdd57

This works around an rpm-ostree regression https://issues.redhat.com/browse/OKD-63

cgwalters mentioned this pull request Oct 1, 2022

MCO-289: OCPBUGS-1324: Teach the MCO to use new format image #3317

Merged

openshift-ci Bot requested review from cheesesashimi and jkyros October 1, 2022 11:58

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 1, 2022

yuqi-zhang approved these changes Oct 3, 2022

View reviewed changes

openshift-ci Bot assigned yuqi-zhang Oct 3, 2022

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Oct 3, 2022

openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 4, 2022

cgwalters changed the title ~~daemon: Temporarily copy auth file with more open perms on FCOS~~ daemon: FCOS workaround, plus SELinux workaround Oct 4, 2022

daemon: Temporarily setenforce 0 for inplace update from container

0451275

In practice, we should ship a SELinux policy tweak that allows a transition from `spc_t` -> `install_t` but for now I want to see if this works.

cgwalters force-pushed the chmod-auth-for-fcos branch from 36d9ff0 to 0451275 Compare October 5, 2022 10:48

cgwalters changed the title ~~daemon: FCOS workaround, plus SELinux workaround~~ MCO-396: daemon: FCOS workaround, plus SELinux workaround Oct 5, 2022

openshift-ci Bot assigned sinnykumari Oct 6, 2022

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Oct 6, 2022

openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 7, 2022

openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 8, 2022

openshift-merge-robot merged commit 10c8a66 into openshift:master Oct 9, 2022

This was referenced Mar 7, 2023

OCPBUGS-8523: Revert "daemon: Temporarily copy auth file with more open perms on FCOS" #3591

Merged

[release-4.12] OCPBUGS-9993: Revert "daemon: Temporarily copy auth file with more open perms on FCOS" #3608

Merged

Conversation

cgwalters commented Oct 1, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

vrutkovs commented Oct 1, 2022

Uh oh!

vrutkovs commented Oct 1, 2022

Uh oh!

yuqi-zhang left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci-robot commented Oct 3, 2022

Uh oh!

openshift-ci-robot commented Oct 3, 2022

Uh oh!

yuqi-zhang commented Oct 3, 2022

Uh oh!

vrutkovs commented Oct 4, 2022

Uh oh!

cgwalters commented Oct 4, 2022

Uh oh!

cgwalters commented Oct 4, 2022

Uh oh!

openshift-ci-robot commented Oct 4, 2022

Uh oh!

cgwalters commented Oct 4, 2022

Uh oh!

cgwalters commented Oct 4, 2022

Uh oh!

openshift-ci Bot commented Oct 4, 2022

Uh oh!

cgwalters commented Oct 4, 2022

Uh oh!

cgwalters commented Oct 5, 2022

Uh oh!

cgwalters commented Oct 5, 2022

Uh oh!

cgwalters commented Oct 5, 2022

Uh oh!

sinnykumari commented Oct 6, 2022

Uh oh!

cgwalters commented Oct 6, 2022

Uh oh!

openshift-ci Bot commented Oct 6, 2022

Uh oh!

openshift-ci-robot commented Oct 6, 2022

Uh oh!

vrutkovs commented Oct 6, 2022

Uh oh!

vrutkovs commented Oct 7, 2022

Uh oh!

vrutkovs commented Oct 7, 2022

Uh oh!

vrutkovs commented Oct 7, 2022

Uh oh!

vrutkovs commented Oct 7, 2022

Uh oh!

openshift-ci-robot commented Oct 7, 2022

Uh oh!

openshift-ci-robot commented Oct 7, 2022

Uh oh!

openshift-ci-robot commented Oct 7, 2022

Uh oh!

vrutkovs commented Oct 8, 2022

Uh oh!

vrutkovs commented Oct 8, 2022

Uh oh!

openshift-ci-robot commented Oct 8, 2022

Uh oh!

vrutkovs commented Oct 8, 2022

Uh oh!

openshift-ci Bot commented Oct 8, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

vrutkovs commented Oct 9, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

cgwalters commented Oct 1, 2022 •

edited

Loading

openshift-ci Bot commented Oct 8, 2022 •

edited

Loading