Bug 1928537
| Summary: | Cannot IPI with tang/tpm disk encryption | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Yuval Kashtan <ykashtan> | |
| Component: | Installer | Assignee: | Beth White <beth.white> | |
| Installer sub component: | OpenShift on Bare Metal IPI | QA Contact: | Ori Michaeli <omichael> | |
| Status: | CLOSED ERRATA | Docs Contact: | ||
| Severity: | high | |||
| Priority: | high | CC: | mstaeble, nstielau, rbartal, sdasu, tsedovic, wking | |
| Version: | 4.7 | Keywords: | Triaged | |
| Target Milestone: | --- | |||
| Target Release: | 4.8.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | No Doc Update | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1930106 (view as bug list) | Environment: | ||
| Last Closed: | 2021-07-27 22:44:28 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1930106 | |||
|
Description
Yuval Kashtan
2021-02-14 19:30:01 UTC
my naive fixing attempt: https://github.com/openshift/installer/pull/4653 We're asking the following questions to evaluate whether or not this bug warrants blocking an upgrade edge from either the previous X.Y or X.Y.Z. The ultimate goal is to avoid delivering an update which introduces new risk or reduces cluster functionality in any way. Sample answers are provided to give more context and the UpgradeBlocker keyword has been added to this bug. The expectation is that the assignee answers these questions. Who is impacted? If we have to block upgrade edges based on this issue, which edges would need blocking? * example: Customers upgrading from 4.y.Z to 4.y+1.z running on GCP with thousands of namespaces, approximately 5% of the subscribed fleet * example: All customers upgrading from 4.y.z to 4.y+1.z fail approximately 10% of the time What is the impact? Is it serious enough to warrant blocking edges? * example: Up to 2 minute disruption in edge routing * example: Up to 90 seconds of API downtime * example: etcd loses quorum and you have to restore from backup How involved is remediation (even moderately serious impacts might be acceptable if they are easy to mitigate)? * example: Issue resolves itself after five minutes * example: Admin uses oc to fix things * example: Admin must SSH to hosts, restore from backups, or other non standard admin activities Is this a regression (if all previous versions were also vulnerable, updating to the new, vulnerable version does not increase exposure)? * example: No, it’s always been like this we just never noticed * example: Yes, from 4.y.z to 4.y+1.z Or 4.y.z to 4.y.z+1 > Who is impacted? any customer utilizing disk encryption as well as any other ignition config shown here https://github.com/coreos/ignition/blob/master/docs/migrating-configs.md#from-version-310-to-320 I dont know if we have any data on how many such customers do we have > What is the impact? can't provision new nodes for existing (upgraded) clusters, that also means cannot replace nodes so this can actually cause downtime and data loss > How involved is remediation ? I cant think of any way to resolve this beside amending the installer > Is this a regression? Yes, from any 4.6 to 4.7.0 till 4.7.z where this will be fixed (probably 4.7.4) note: disk encryption resolution also needs https://bugzilla.redhat.com/show_bug.cgi?id=1934863 and https://bugzilla.redhat.com/show_bug.cgi?id=1934557 I've removed the UpgradeBlocker as I was confused with all the related NBDE bugs. and obviously mistaken, the installer bug cannot block upgrades. I'll add the keyword on the other, relevant bugs (Such as the growfs one) Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438 |