Bug 1905430
| Summary: | usbguard extension fails to install because of missing correct protobuf dependency version | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Sinny Kumari <skumari> | |
| Component: | RHCOS | Assignee: | Micah Abbott <miabbott> | |
| Status: | CLOSED ERRATA | QA Contact: | Michael Nguyen <mnguyen> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 4.6 | CC: | bbreard, imcleod, jligon, miabbott, nstielau, sdodson | |
| Target Milestone: | --- | |||
| Target Release: | 4.7.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | No Doc Update | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1905619 (view as bug list) | Environment: | ||
| Last Closed: | 2021-02-24 15:41:14 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1905619 | |||
|
Description
Sinny Kumari
2020-12-08 10:50:38 UTC
Setting priority to high as it impacts MCO ci test and will block any PR merge in 4.6 The RHAOS 4.6 repo has a newer version of `protobuf` tagged into it, which is being selected when we download the extensions and dependencies. We recently split the download of extension and dependencies, so we are getting different behavior. If I do `dnf install usbguard` on a RHEL8 system with the same repos enabled that we used to build RHCOS, I get the correct version of `protobuf` ``` $ sudo dnf install usbguard Updating Subscription Management repositories. Unable to read consumer identity This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. Repository 'art-rhaos-4.6' is missing name in configuration, using id. Repository 'rhel-8-baseos' is missing name in configuration, using id. Repository 'rhel-8-appstream' is missing name in configuration, using id. Repository 'rhel-8-nfv' is missing name in configuration, using id. art-rhaos-4.6 4.6 MB/s | 2.7 MB 00:00 Last metadata expiration check: 0:00:01 ago on Tue 08 Dec 2020 09:44:23 AM EST. Dependencies resolved. ============================================================================================================================================================================================================================================================================================================================== Package Architecture Version Repository Size ============================================================================================================================================================================================================================================================================================================================== Installing: usbguard x86_64 0.7.4-4.el8 rhel-8-appstream 477 k Installing dependencies: libqb x86_64 1.0.3-10.el8 rhel-8-baseos 113 k protobuf x86_64 3.5.0-7.el8 rhel-8-appstream 895 k Transaction Summary ============================================================================================================================================================================================================================================================================================================================== Install 3 Packages ``` If I just do `dnf install protobuf`, I get the newer version that is incompatible. ``` $ sudo dnf install protobuf Updating Subscription Management repositories. Unable to read consumer identity This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. Repository 'art-rhaos-4.6' is missing name in configuration, using id. Repository 'rhel-8-baseos' is missing name in configuration, using id. Repository 'rhel-8-appstream' is missing name in configuration, using id. Repository 'rhel-8-nfv' is missing name in configuration, using id. Last metadata expiration check: 0:00:23 ago on Tue 08 Dec 2020 09:44:23 AM EST. Dependencies resolved. ============================================================================================================================================================================================================================================================================================================================== Package Architecture Version Repository Size ============================================================================================================================================================================================================================================================================================================================== Installing: protobuf x86_64 3.6.1-4.el8ost art-rhaos-4.6 915 k Installing dependencies: emacs-filesystem noarch 1:26.1-5.el8 rhel-8-baseos 69 k Transaction Summary ============================================================================================================================================================================================================================================================================================================================== Install 2 Packages ``` We should be able to exclude `protobuf` from the RHAOS 4.6 repo definition, which should address this. 4.7 is already excluding `protobuf` from our RHAOS repos, so this is effectively fixed already. https://gitlab.cee.redhat.com/coreos/redhat-coreos/-/commit/db88a46ae0871c75cdb1d7599a6432950bc3605c $ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.7.0-0.nightly-2020-12-14-080124 True False 8m23s Cluster version is 4.7.0-0.nightly-2020-12-14-080124
$ cp ../extensions-usbguard.yaml .
$ cat extensions-usbguard.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: worker
name: worker-extensions-usbguard
spec:
config:
ignition:
version: 3.1.0
extensions:
- usbguard
$ oc create -f extensions-usbguard.yaml
machineconfig.machineconfiguration.openshift.io/worker-extensions-usbguard created
$ oc get mc
NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE
00-master d6b5d1922d848885cf5d2737306ab14323b7783a 3.2.0 31m
00-worker d6b5d1922d848885cf5d2737306ab14323b7783a 3.2.0 31m
01-master-container-runtime d6b5d1922d848885cf5d2737306ab14323b7783a 3.2.0 31m
01-master-kubelet d6b5d1922d848885cf5d2737306ab14323b7783a 3.2.0 31m
01-worker-container-runtime d6b5d1922d848885cf5d2737306ab14323b7783a 3.2.0 31m
01-worker-kubelet d6b5d1922d848885cf5d2737306ab14323b7783a 3.2.0 31m
99-master-generated-registries d6b5d1922d848885cf5d2737306ab14323b7783a 3.2.0 31m
99-master-ssh 3.1.0 41m
99-worker-generated-registries d6b5d1922d848885cf5d2737306ab14323b7783a 3.2.0 31m
99-worker-ssh 3.1.0 41m
rendered-master-40c3f64d02694a591bec76a6d2564a2f d6b5d1922d848885cf5d2737306ab14323b7783a 3.2.0 31m
rendered-worker-35512ce18ffc35f865d698d47b22829a d6b5d1922d848885cf5d2737306ab14323b7783a 3.2.0 0s
rendered-worker-e50a1398ede9fc8469950f35026e78f0 d6b5d1922d848885cf5d2737306ab14323b7783a 3.2.0 31m
worker-extensions-usbguard
3.1.0 5s
$ oc get mcp/worker
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
worker rendered-worker-e50a1398ede9fc8469950f35026e78f0 False True False 3 0 0 0 33m
$ oc get nodes
NAME STATUS ROLES AGE VERSION
ip-10-0-128-4.us-west-2.compute.internal Ready master 34m v1.19.2+e386040
ip-10-0-150-246.us-west-2.compute.internal Ready,SchedulingDisabled worker 28m v1.19.2+e386040
ip-10-0-191-11.us-west-2.compute.internal Ready master 34m v1.19.2+e386040
ip-10-0-191-160.us-west-2.compute.internal Ready worker 24m v1.19.2+e386040
ip-10-0-209-240.us-west-2.compute.internal Ready master 34m v1.19.2+e386040
ip-10-0-217-215.us-west-2.compute.internal Ready worker 24m v1.19.2+e386040
$ oc debug node/ip-10-0-191-160.us-west-2.compute.internal -- chroot /host rpm -q usbguard
Starting pod/ip-10-0-191-160us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
package usbguard is not installed
Removing debug pod ...
$ watch oc get mcp/worker
$ oc get mcp/worker
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
worker rendered-worker-35512ce18ffc35f865d698d47b22829a True False False 3 3 3 0 46m
$ oc debug node/ip-10-0-191-160.us-west-2.compute.internal -- chroot /host rpm -q usbguard
Starting pod/ip-10-0-191-160us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
usbguard-0.7.8-7.el8.x86_64
Removing debug pod ...
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633 |