Bug 1885419

Summary: node tuning operator builds and installs an unsigned RPM
Product: OpenShift Container Platform
Reporter: Luke Meyer <lmeyer>
Component: Node Tuning Operator
Assignee: Jiří Mencák <jmencak>
Status: CLOSED ERRATA
QA Contact: Simon <skordas>
Severity: urgent
Priority: unspecified
Version: 4.6
CC: jdelft, sejug, vlaad, wking, zkosic
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Clone Of:
: 1885543
Last Closed: 2020-10-27 16:47:41 UTC
Type: Bug
Bug Depends On: 1885543

Description Luke Meyer 2020-10-05 21:18:38 UTC
Description of problem:
This operator builds and installs an unsigned RPM as part of the image build. This causes erratatool to block the errata if it is attached. Since this is part of the payload, we can't simply drop it from the release (... unless there is no functional reference to it in core OCP).

Version-Release number of selected component (if applicable):
cluster-node-tuning-operator-container-v4.6.0-202010030042.p0
(https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1339925)

How reproducible:
Build in OSBS. Attach build to advisory, or just look at logs:
http://download.eng.bos.redhat.com/brewroot/packages/cluster-node-tuning-operator-container/v4.6.0/202010030042.p0/data/logs/x86_64-build.log

Actual results:
rpmbuild [...] -tb tuned-2.14.0.tar.gz
====================================================================================================
 Package                           Arch    Version               Repository                     Size
====================================================================================================
Installing:
 tuned                             noarch  2.14.0-1.el8          @commandline                  295 k
 tuned-profiles-atomic             noarch  2.14.0-1.el8          @commandline                   33 k
 tuned-profiles-cpu-partitioning   noarch  2.14.0-1.el8          @commandline                   36 k
 tuned-profiles-mssql              noarch  2.14.0-1.el8          @commandline                   32 k
 tuned-profiles-nfv                noarch  2.14.0-1.el8          @commandline                   31 k
 tuned-profiles-nfv-guest          noarch  2.14.0-1.el8          @commandline                   33 k
 tuned-profiles-nfv-host           noarch  2.14.0-1.el8          @commandline                   34 k
 tuned-profiles-oracle             noarch  2.14.0-1.el8          @commandline                   32 k
 tuned-profiles-realtime           noarch  2.14.0-1.el8          @commandline                   34 k
 tuned-profiles-sap                noarch  2.14.0-1.el8          @commandline                   32 k
 tuned-profiles-sap-hana           noarch  2.14.0-1.el8          @commandline                   32 k
 tuned-profiles-spectrumscale      noarch  2.14.0-1.el8          @commandline                   32 k

Expected results:
All RPMs installed are built in brew and signed with RH signing key.

Additional info:
Can I suggest just... installing the content without building an RPM? In an ideal world, the RPM would be built in brew. There's also nothing wrong with building from source in a container, it's just that the presence of an unsigned RPM sets off all sorts of alarms when it's time to ship.

For the minimal change, I suppose something like this might be an acceptable way to mask this:

$ rpm -e --justdb tuned tuned-profiles-{atomic, mysql,...}
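
A check for the "Expected results" condition in the description, added here as an example and not part of the bug report or the operator's build: it reads an `rpm -qa` listing and reports packages that carry no signature or are signed by a key other than the expected one. The key IDs, the `bash` and `extra-tool` entries and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: report installed RPMs that are
# unsigned or signed by a key other than the expected one.
#
# Input: one tab-separated line per package, produced on a real image by
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{RSAHEADER:pgpsig}\t%{SIGPGP:pgpsig}\n'
# rpm prints "(none)" for a signature tag the package does not carry.

# audit_rpm_sigs KEYID: reads the listing on stdin, prints one finding per
# line, and returns 1 if any package fails the check.
audit_rpm_sigs() {
    awk -F '\t' -v want="$1" '
        BEGIN { want = tolower(want) }
        $1 ~ /^gpg-pubkey-/ { next }          # imported keys are never signed
        {
            sig = ($2 != "(none)") ? $2 : $3  # header signature first, then legacy
            if (sig == "(none)" || sig == "") { print "UNSIGNED\t" $1; bad = 1; next }
            n = split(sig, part, "Key ID ")   # key ID is the last field of pgpsig
            id = tolower(part[n])
            if (id != want) { print "WRONGKEY\t" $1 "\t" id; bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed sample listing: the tuned entries mirror the build log above,
# the key IDs and the other packages are placeholders.
sample_listing() {
    printf '%s\t%s\t%s\n' \
        'bash-4.4.19-12.el8.x86_64' 'RSA/SHA256, Tue 01 Sep 2020 10:00:00 AM UTC, Key ID 0123456789abcdef' '(none)' \
        'tuned-2.14.0-1.el8.noarch' '(none)' '(none)' \
        'tuned-profiles-atomic-2.14.0-1.el8.noarch' '(none)' '(none)' \
        'gpg-pubkey-00000000-00000000' '(none)' '(none)' \
        'extra-tool-1.0-1.el8.x86_64' '(none)' 'RSA/SHA256, Tue 01 Sep 2020 10:00:00 AM UTC, Key ID FEDCBA9876543210'
}

# Demo run on the constructed listing: two UNSIGNED findings, one WRONGKEY.
sample_listing | audit_rpm_sigs 0123456789abcdef || true
```

A database query only sees what the rpm database records, so content installed without an RPM, or packages erased with `--justdb`, will not appear in this listing.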

Comment 5 Jiří Mencák 2020-10-07 05:51:11 UTC
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-10-07-022140   True        False         36m     Cluster version is 4.6.0-0.nightly-2020-10-07-022140

$ oc project openshift-cluster-node-tuning-operator
Now using project "openshift-cluster-node-tuning-operator" on server "https://api.jm20201007.psap.aws.rhperfscale.org:6443".

$ oc get po
NAME                                         READY   STATUS    RESTARTS   AGE
cluster-node-tuning-operator-b8bdf58-v4fz4   1/1     Running   0          61m
tuned-2dpj8                                  1/1     Running   0          55m
tuned-578fv                                  1/1     Running   0          55m
tuned-bhhr5                                  1/1     Running   0          55m
tuned-j946q                                  1/1     Running   0          47m
tuned-jzgdc                                  1/1     Running   0          47m

$ oc rsh tuned-2dpj8 
sh-4.4# rpm -qa|grep tuned
sh-4.4#

Comment 6 Simon 2020-10-09 19:10:35 UTC
Verification positive.
Cluster version: 4.6.0-0.nightly-2020-10-09-033719

Comment 8 errata-xmlrpc 2020-10-27 16:47:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196