Bug 1678901

Summary: Only Last Input Used if Build Inputs Use Same Destination Dir
Product: OpenShift Container Platform
Component: Build
Version: 3.11.0
Status: CLOSED ERRATA
Severity: low
Priority: unspecified
Reporter: Adam Kaplan <adam.kaplan>
Assignee: Adam Kaplan <adam.kaplan>
QA Contact: wewang <wewang>
CC: aos-bugs, wzheng
Target Milestone: ---
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: source strategy builds used directory mounts to inject secret and configMap content
Consequence: if two source secrets shared the same destinationDir, only one would be present in the s2i build
Fix: source and docker strategy builds in 4.0 copy injected secrets and configMaps to a shared working directory
Result: source secrets and configMaps can use the same destinationDir for docker and source build strategies
Last Closed: 2019-06-04 10:44:14 UTC
Type: Bug

Description Adam Kaplan 2019-02-19 20:30:24 UTC
Description of problem:
When using multiple secrets that have 'destinationDir' in a BuildConfig, only the file corresponding to the very last secret gets created. The other secrets get ignored.

Version-Release number of selected component (if applicable):
3.11 (I've also tested in version 3.10 and the issue persists)


How reproducible: Always


Steps to Reproduce:
1. Create a new app and save the YAML in a temp file:

```
$ oc new-app --name='myapp' -l 'micro-service=myapp' \
    -e DEV_MODE='true' \
    nodejs:8~git:mygroup/myapp.git \
    --context-dir=src --source-secret='bitbucket-sshauth' \
    -o yaml > /tmp/myapp.yaml
```

2. Create the secrets that will be needed as well:

```
$ oc secrets new bitbucket-shared-sshkey id_rsa=~/.ssh/bitbucket-sshauth
$ oc create secret generic bitbucket-shared-sshkey --from-file=id_rsa=bitbucket-shared-sshkey --type=Opaque
$ ssh-keyscan -H bitbucket.org >> bitbucket-shared-knownhosts
$ oc create secret generic bitbucket-shared-knownhosts --from-file=known_hosts=bitbucket-shared-knownhosts --type=Opaque
```

3. Go in /tmp/myapp.yaml and add the 2 secrets:

```
...
source:
  git:
    ref: master
    uri: 'git:mygroup/myapp'
  secrets:
  - destinationDir: /opt/app-root/src/.ssh
    secret:
      name: bitbucket-shared-sshkey
  - destinationDir: /opt/app-root/src/.ssh
    secret:
      name: bitbucket-shared-knownhosts
```

4. Build:

```
$ oc create -f /tmp/dpc.yaml
$ oc start-build bc/myapp
```

Actual results:
Only the 'known_hosts' file gets created and is available in /opt/app-root/.ssh.
If I swap the order, then only the 'id_rsa' file gets created.

Expected results:
Both files should get created and available in /opt/app-root/.ssh folder


Additional info:
Originally filed on GitHub - https://github.com/openshift/origin/issues/22032

Comment 1 Adam Kaplan 2019-02-20 18:12:58 UTC
This has been fixed in OpenShift 4.0 as a result of using buildah to drive OpenShift builds. Note that any secret content is deleted in the final image (configMap content is retained).

For OpenShift 3.x, customers can work around this issue by creating secrets and/or ConfigMaps which reference multiple files:

```
$ oc create secret generic mysecret --from-file=new-filename.txt=/path/to/file.txt --from-file=/path/to/another-file.txt ...
```
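
An added example (not part of the original report and not OpenShift's own code): a Python check that reads BuildConfig JSON, in the shape `oc get bc -o json` returns, and lists build inputs that share a `destinationDir`, which is the configuration that loses files on 3.x according to this bug. The sample BuildConfig is constructed from the report; the `app-settings` configMap and the trailing slash on one path are assumptions added to exercise path normalization.

```python
import json
import posixpath
from collections import defaultdict

# Constructed sample modelled on the BuildConfig in this report.
# "app-settings" and the trailing slash are hypothetical additions.
SAMPLE_BC = json.loads("""
{"kind": "BuildConfig", "metadata": {"name": "myapp"},
 "spec": {"source": {
   "secrets": [
     {"destinationDir": "/opt/app-root/src/.ssh",
      "secret": {"name": "bitbucket-shared-sshkey"}},
     {"destinationDir": "/opt/app-root/src/.ssh/",
      "secret": {"name": "bitbucket-shared-knownhosts"}}],
   "configMaps": [
     {"destinationDir": "config", "configMap": {"name": "app-settings"}}]}}}
""")

def build_inputs(bc):
    """Yield (kind, name, normalized destinationDir) for each injected input."""
    source = bc.get("spec", {}).get("source", {})
    for list_key, ref_key in (("secrets", "secret"), ("configMaps", "configMap")):
        for item in source.get(list_key) or []:
            # An unset destinationDir means the build's working directory.
            dest = posixpath.normpath(item.get("destinationDir") or ".")
            yield ref_key, item[ref_key]["name"], dest

def shared_destinations(bc):
    """Map each destinationDir used by more than one input to those inputs."""
    by_dir = defaultdict(list)
    for kind, name, dest in build_inputs(bc):
        by_dir[dest].append(f"{kind}/{name}")
    return {d: names for d, names in by_dir.items() if len(names) > 1}

def iter_buildconfigs(doc):
    """Accept a single BuildConfig or a List from `oc get bc -o json`."""
    return doc.get("items", [doc]) if doc.get("kind") == "List" else [doc]

def report(doc):
    """Return one line per shared destinationDir across all BuildConfigs."""
    lines = []
    for bc in iter_buildconfigs(doc):
        for dest, names in sorted(shared_destinations(bc).items()):
            lines.append(f"{bc['metadata']['name']}: {dest} <- {', '.join(names)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_BC)) or "no shared destinationDir")
```

Inputs flagged by this check are candidates for the workaround above: merge their files into one secret or ConfigMap per destination directory.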

Comment 2 wewang 2019-02-27 10:06:55 UTC
Yes, in 4.0 any secret content is deleted in the final image 
payload: registry.svc.ci.openshift.org/ocp/release@sha256:515085c8949e60364372f208b11f80993d4a786f603ca6f39d903bd4a7065e5c
version: 4.0.0-0.nightly-2019-02-27-054627


Check the build log:

```
STEP 4: USER root
STEP 5: COPY upload/scripts /tmp/scripts
STEP 6: COPY upload/src /tmp/src
STEP 7: COPY upload/injections/var/run/secrets/openshift.io/build/testsecret1 /tmp
STEP 8: COPY upload/injections/var/run/secrets/openshift.io/build/testsecret2 /opt/app-root/src
STEP 9: RUN chown -R 1001:0 /tmp/scripts /tmp/src /tmp /opt/app-root/src
time="2019-02-27T10:03:47Z" level=warning msg="pkg/chroot: error unmounting \"/tmp/buildah853922143/mnt/rootfs\": error checking if \"/tmp/buildah853922143/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
time="2019-02-27T10:03:47Z" level=warning msg="pkg/bind: error unmounting \"/tmp/buildah853922143/mnt/rootfs\": error checking if \"/tmp/buildah853922143/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
STEP 10: USER 1001
STEP 11: RUN /tmp/scripts/assemble
relative-secret1=secret1
relative-secret2=secret2
secret1=secret1
secret2=secret2
time="2019-02-27T10:03:49Z" level=warning msg="pkg/chroot: error unmounting \"/tmp/buildah881963239/mnt/rootfs\": error checking if \"/tmp/buildah881963239/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
time="2019-02-27T10:03:49Z" level=warning msg="pkg/bind: error unmounting \"/tmp/buildah881963239/mnt/rootfs\": error checking if \"/tmp/buildah881963239/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
STEP 12: RUN rm /tmp/..2019_02_27_10_02_30.749623174/secret1 &&     rm /tmp/..2019_02_27_10_02_30.749623174/secret2 &&     rm /tmp/..2019_02_27_10_02_30.749623174/secret3 &&     rm /tmp/secret1 &&     rm /tmp/secret2 &&     rm /tmp/secret3 &&     rm /opt/app-root/src/..2019_02_27_10_02_31.296559079/secret1 &&     rm /opt/app-root/src/..2019_02_27_10_02_31.296559079/secret2 &&     rm /opt/app-root/src/..2019_02_27_10_02_31.296559079/secret3 &&     rm /opt/app-root/src/secret1 &&     rm /opt/app-root/src/secret2 &&     rm /opt/app-root/src/secret3                  ###in STEP 11, deleted all secrets files
time="2019-02-27T10:03:50Z" level=warning msg="pkg/chroot: error unmounting \"/tmp/buildah087308143/mnt/rootfs\": error checking if \"/tmp/buildah087308143/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
time="2019-02-27T10:03:50Z" level=warning msg="pkg/bind: error unmounting \"/tmp/buildah087308143/mnt/rootfs\": error checking if \"/tmp/buildah087308143/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
STEP 13: CMD /usr/libexec/s2i/run
STEP 14: COMMIT containers-storage:[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.skip_mount_home=false]temp.builder.openshift.io/wewang5/build-secret-1:7ffd0cfb
Getting image source signatures
```

Comment 5 errata-xmlrpc 2019-06-04 10:44:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758