Bug 1827576
| Summary: | Changing aide config from non-empty to empty, will not trigger a re-initialization of the aide database | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | xiyuan |
| Component: | File Integrity Operator | Assignee: | Matt Rogers <mrogers> |
| Status: | CLOSED ERRATA | QA Contact: | xiyuan |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.5 | CC: | jhrozek, josorior, mrogers, nkinder |
| Target Milestone: | --- | Flags: | mrogers: needinfo- |
| Target Release: | 4.6.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Last Closed: | 2020-10-27 15:58:27 UTC | Type: | Bug |
Hi Matt,
Changing aide config from non-empty to empty, NO re-initialization was triggered. Could you help to check? Thanks.

Using bundle image https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1306329

$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.6.0-0.nightly-2020-09-02-210353 True False 47m Cluster version is 4.6.0-0.nightly-2020-09-02-210353
$ oc create configmap myconf --from-file=aide-conf=file-integrity-operator/aide.conf.rhel8
configmap/myconf created
$ oc apply -f - <<EOF
> apiVersion: fileintegrity.openshift.io/v1alpha1
> kind: FileIntegrity
> metadata:
>   name: example-fileintegrity
>   namespace: test1
> spec:
>   config:
>     name: myconf
>     namespace: openshift-file-integrity
>     key: aide-conf
> EOF
fileintegrity.fileintegrity.openshift.io/example-fileintegrity created
$ oc get pod
NAME READY STATUS RESTARTS AGE
pod/aide-ds-example-fileintegrity-6nqdv 1/1 Running 0 7s
pod/aide-ds-example-fileintegrity-c7p56 1/1 Running 0 7s
pod/aide-ds-example-fileintegrity-fvzdt 1/1 Running 0 7s
pod/aide-ds-example-fileintegrity-t6gqg 1/1 Running 0 7s
pod/aide-ds-example-fileintegrity-vl8tw 1/1 Running 0 7s
pod/aide-ds-example-fileintegrity-wbj29 1/1 Running 0 7s
pod/file-integrity-operator-779f66dcbf-bx4fm 1/1 Running 0 16m
pod/ip-10-0-133-139.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 15m
pod/ip-10-0-147-193.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 15m
pod/ip-10-0-176-135.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 15m
pod/ip-10-0-190-118.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 15m
pod/ip-10-0-195-137.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 15m
pod/ip-10-0-214-208.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 15m
$ oc apply -f - <<EOF
> apiVersion: fileintegrity.openshift.io/v1alpha1
> kind: FileIntegrity
> metadata:
>   name: example-fileintegrity
>   namespace: test1
> spec:
>   config: {}
> EOF
fileintegrity.fileintegrity.openshift.io/example-fileintegrity configured
$ oc describe fileintegrity/example-fileintegrity
Name: example-fileintegrity
Namespace: test1
Labels: <none>
Annotations:
API Version: fileintegrity.openshift.io/v1alpha1
Kind: FileIntegrity
Metadata:
  Creation Timestamp: 2020-09-03T02:52:51Z
  Generation: 2
  Managed Fields:
    API Version: fileintegrity.openshift.io/v1alpha1
    Fields Type: FieldsV1
    fieldsV1:
      f:status:
        .:
        f:phase:
    Manager: file-integrity-operator
    Operation: Update
    Time: 2020-09-03T02:53:21Z
    API Version: fileintegrity.openshift.io/v1alpha1
    Fields Type: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:config:
        f:tolerations:
    Manager: oc
    Operation: Update
    Time: 2020-09-03T02:56:25Z
  Resource Version: 80818
  Self Link: /apis/fileintegrity.openshift.io/v1alpha1/namespaces/test1/fileintegrities/example-fileintegrity
  UID: d904ad01-cb81-4a3e-9bb2-20900b51c8c6
Spec:
  Config:
  Tolerations:
    Effect: NoSchedule
    Key: node-role.kubernetes.io/master
    Operator: Exists
Status:
  Phase: Active
Events: <none>
$ oc get pod
NAME READY STATUS RESTARTS AGE
pod/aide-ds-example-fileintegrity-6nqdv 1/1 Running 0 4m55s
pod/aide-ds-example-fileintegrity-c7p56 1/1 Running 0 4m55s
pod/aide-ds-example-fileintegrity-fvzdt 1/1 Running 0 4m55s
pod/aide-ds-example-fileintegrity-t6gqg 1/1 Running 0 4m55s
pod/aide-ds-example-fileintegrity-vl8tw 1/1 Running 0 4m55s
pod/aide-ds-example-fileintegrity-wbj29 1/1 Running 0 4m55s
pod/file-integrity-operator-779f66dcbf-bx4fm 1/1 Running 0 20m
pod/ip-10-0-133-139.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 20m
pod/ip-10-0-147-193.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 20m
pod/ip-10-0-176-135.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 20m
pod/ip-10-0-190-118.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 20m
pod/ip-10-0-195-137.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 20m
pod/ip-10-0-214-208.us-east-2.compute.internal-rmholdoff 0/1 Completed 0 20m
$ oc debug no/ip-10-0-133-139.us-east-2.compute.internal
Starting pod/ip-10-0-133-139us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.133.139
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# cd /etc/kubernetes/
sh-4.4# ls -ltr
total 1824
-rw-r--r--. 1 root root 7787 Sep 3 01:54 kubeconfig
drwxr-xr-x. 3 root root 19 Sep 3 01:56 cni
drwxr-xr-x. 3 root root 20 Sep 3 01:56 kubelet-plugins
drwxr-xr-x. 3 root root 24 Sep 3 01:56 static-pod-resources
drwxr-xr-x. 2 root root 6 Sep 3 01:56 manifests
-rw-r--r--. 1 root root 5875 Sep 3 02:19 kubelet-ca.crt
-rw-r--r--. 1 root root 6998 Sep 3 02:19 ca.crt
-rw-r--r--. 1 root root 0 Sep 3 02:19 cloud.conf
-rw-r--r--. 1 root root 778 Sep 3 02:19 kubelet.conf
-rw-------. 1 root root 1838633 Sep 3 02:53 aide.db.gz
-rw-------. 1 root root 0 Sep 3 03:06 aide.log
sh-4.4# date
Thu Sep 3 03:06:37 UTC 2020
sh-4.4# exit
exit
sh-4.2# exit
exit
Removing debug pod ...
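
The comment above compares the mtime of /etc/kubernetes/aide.db.gz on one node with the time the spec was changed. The same check across several nodes, as an added example that is not part of the original report: the node names and epoch values in SAMPLE are constructed, and collect_mtimes assumes a logged-in `oc` that is allowed to run `oc debug node/...`.

```shell
#!/bin/sh
# Added example (not from the bug report): list nodes whose AIDE database was
# NOT re-initialized after a FileIntegrity config change.

# rfc3339_to_epoch 2020-09-03T02:56:25Z -> epoch seconds (UTC "Z" stamps only)
rfc3339_to_epoch() {
    date -u -d "$(printf '%s' "$1" | sed -e 's/T/ /' -e 's/Z$//')" +%s
}

# stale_nodes CHANGE_TIME
# stdin:  one "<node> <aide.db.gz mtime in epoch seconds>" pair per line.
# stdout: nodes whose database predates CHANGE_TIME, or "<node> unknown" when
#         the mtime is missing or not numeric.
# Returns 0 if no node is stale, 1 if any is, 2 if CHANGE_TIME is unparsable.
stale_nodes() {
    change=$(rfc3339_to_epoch "$1") || return 2
    rc=0
    while read -r node mtime; do
        [ -n "$node" ] || continue
        case $mtime in
            ''|*[!0-9]*) echo "$node unknown"; rc=1 ;;
            *) if [ "$mtime" -lt "$change" ]; then echo "$node"; rc=1; fi ;;
        esac
    done
    return "$rc"
}

# collect_mtimes NODE...  (live cluster only; emits the pairs stale_nodes reads)
collect_mtimes() {
    for n in "$@"; do
        m=$(oc debug "node/$n" -- chroot /host \
              stat -c %Y /etc/kubernetes/aide.db.gz 2>/dev/null </dev/null)
        echo "$n $m"
    done
}

# Constructed sample. node-a: database written 2020-09-03 02:53:00 UTC
# (1599101580), before the 02:56:25 spec change; node-b: rewritten at 02:57:00
# (1599101820); node-c: mtime could not be read.
SAMPLE='node-a 1599101580
node-b 1599101820
node-c '
```

On a cluster, record the change time just before `oc apply` and run `collect_mtimes <node>... | stale_nodes "$change_time"` once the aide pods have restarted.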
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.6.0-0.nightly-2020-09-08-123737 True False 5h21m Cluster version is 4.6.0-0.nightly-2020-09-08-123737
$ oc logs pod/aide-ds-example-fileintegrity-6fq7r
Starting the AIDE runner daemon
running aide check
aide check returned status 6
[xiyuan@MiWiFi-R3G-srv securitycompliance]$ oc apply -f - <<EOF
apiVersion: fileintegrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  name: example-fileintegrity
  namespace: openshift-file-integrity
spec:
  config:
    name: myconf
    namespace: openshift-file-integrity
    key: aide-conf
    gracePeriod: 11
  debug: true
EOF
fileintegrity.fileintegrity.openshift.io/example-fileintegrity configured
$ oc get pod
NAME READY STATUS RESTARTS AGE
aide-ds-example-fileintegrity-2q6pv 1/1 Running 0 7m37s
aide-ds-example-fileintegrity-8jgd2 1/1 Running 0 7m37s
aide-ds-example-fileintegrity-8nrrt 1/1 Running 0 7m36s
aide-ds-example-fileintegrity-hwtjm 1/1 Running 0 7m39s
aide-ds-example-fileintegrity-nzm2m 1/1 Running 0 7m40s
aide-ds-example-fileintegrity-t9kld 1/1 Running 0 7m37s
aide-ds-example-fileintegrity-wh7wz 1/1 Running 0 7m40s
aide-ds-example-fileintegrity-zbk7w 1/1 Running 0 7m29s
file-integrity-operator-65db875847-fj7cv 1/1 Running 0 69m
xiyuan09095-09090321-master-0-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-master-1-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-master-2-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-rhel-0-debug 1/1 Running 0 54m
xiyuan09095-09090321-rhel-0-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-rhel-1-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-worker-northcentralus-1-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-worker-northcentralus-2-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-worker-northcentralus-3-rmholdoff 0/1 Completed 0 68m
$ oc apply -f - <<EOF
apiVersion: fileintegrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  name: example-fileintegrity
  namespace: openshift-file-integrity
spec:
  # Change to debug: true to enable more verbose logging from the logcollector
  # container in the aide pods
  debug: false
  config: {}
EOF
fileintegrity.fileintegrity.openshift.io/example-fileintegrity configured
$ oc get pod
NAME READY STATUS RESTARTS AGE
aide-ds-example-fileintegrity-2q6pv 1/1 Terminating 0 7m59s
aide-ds-example-fileintegrity-6mg7m 0/1 ContainerCreating 0 0s
aide-ds-example-fileintegrity-8jgd2 0/1 Terminating 0 7m59s
aide-ds-example-fileintegrity-8nrrt 0/1 Terminating 0 7m58s
aide-ds-example-fileintegrity-hwtjm 0/1 Terminating 0 8m1s
aide-ds-example-fileintegrity-kvm85 1/1 Running 0 6s
aide-ds-example-fileintegrity-mlx22 0/1 ContainerCreating 0 1s
aide-ds-example-fileintegrity-t9kld 0/1 Terminating 0 7m59s
file-integrity-operator-65db875847-fj7cv 1/1 Running 0 69m
xiyuan09095-09090321-master-0-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-master-1-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-master-2-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-rhel-0-debug 1/1 Running 0 55m
xiyuan09095-09090321-rhel-0-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-rhel-1-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-worker-northcentralus-1-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-worker-northcentralus-2-rmholdoff 0/1 Completed 0 68m
xiyuan09095-09090321-worker-northcentralus-3-rmholdoff 0/1 Completed 0 68m
$ oc get pod
NAME READY STATUS RESTARTS AGE
aide-ds-example-fileintegrity-2j6mr 1/1 Running 0 2m25s
aide-ds-example-fileintegrity-6mg7m 1/1 Running 0 2m27s
aide-ds-example-fileintegrity-kvm85 1/1 Running 0 2m33s
aide-ds-example-fileintegrity-mjsss 1/1 Running 0 2m26s
aide-ds-example-fileintegrity-mlx22 1/1 Running 0 2m28s
aide-ds-example-fileintegrity-n7t7s 1/1 Running 0 2m25s
aide-ds-example-fileintegrity-xfwh5 1/1 Running 0 2m26s
aide-ds-example-fileintegrity-z4xxh 1/1 Running 0 116s
file-integrity-operator-65db875847-fj7cv 1/1 Running 0 71m
xiyuan09095-09090321-master-0-rmholdoff 0/1 Completed 0 71m
xiyuan09095-09090321-master-1-rmholdoff 0/1 Completed 0 71m
xiyuan09095-09090321-master-2-rmholdoff 0/1 Completed 0 71m
xiyuan09095-09090321-rhel-0-debug 1/1 Running 0 57m
xiyuan09095-09090321-rhel-0-rmholdoff 0/1 Completed 0 71m
xiyuan09095-09090321-rhel-1-rmholdoff 0/1 Completed 0 71m
xiyuan09095-09090321-worker-northcentralus-1-rmholdoff 0/1 Completed 0 71m
xiyuan09095-09090321-worker-northcentralus-2-rmholdoff 0/1 Completed 0 71m
xiyuan09095-09090321-worker-northcentralus-3-rmholdoff 0/1 Completed 0 71m
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
Changing aide config from non-empty to empty, will not trigger a re-initialization of the aide database

Version-Release number of selected component (if applicable):
4.5.0-0.nightly-2020-04-21-103613

How reproducible:
always

Steps to reproduce:
1. install operator
2. apply an aide config:
$ oc create configmap myconf --from-file=aide-conf=file-integrity-operator/aide.conf.rhel8
$ oc apply -f - <<EOF
apiVersion: file-integrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  name: example-fileintegrity
  namespace: openshift-file-integrity
spec:
  config:
    name: myconf
    namespace: openshift-file-integrity
    key: aide-conf
EOF
3. Change the config from non-empty to empty:
$ oc apply -f - <<EOF
apiVersion: file-integrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  name: example-fileintegrity
  namespace: openshift-file-integrity
spec:
  config: {}
EOF

Actual results:
Changing aide config from non-empty to empty, will not trigger a re-initialization of the aide database

Expected results:
Changing aide config from non-empty to empty should trigger a re-initialization of the aide database and all aide-check pods should be restarted to confirm scan with default configuration.

Additional info: