Bug 1940488

Summary: After fix for CVE-2021-3344, Builds do not mount node entitlement keys
Product: OpenShift Container Platform
Reporter: Adam Kaplan <adam.kaplan>
Component: Build
Assignee: Gabe Montero <gmontero>
Status: CLOSED ERRATA
QA Contact: wewang <wewang>
Severity: high
Docs Contact: Rolfe Dlugy-Hegwer <rdlugyhe>
Priority: high
Version: 4.6
CC: ableisch, alchan, aos-bugs, gmontero, nalin, npaez, wewang
Target Milestone: ---
Keywords: Regression
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Story Points: ---
Clones: 1945692
Last Closed: 2021-07-27 22:54:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1945692

Description Adam Kaplan 2021-03-18 14:31:24 UTC
Description of problem:

After fixing CVE-2021-3344, builds do not automatically mount entitlement keys that may be present on the node.


Version-Release number of selected component (if applicable): 4.5.33, 4.6.16, 4.7.0


How reproducible: Always


Steps to Reproduce:
1. Install OpenShift with a MachineConfig that adds entitlement keys to worker nodes
2. Create a Docker strategy BuildConfig that executes a yum install of subscription content.
3. Run a build from this BuildConfig

Actual results:

yum install of subscription content fails


Expected results:

yum install succeeds because entitlement keys are present


Additional info:

Reported in GitHub: https://github.com/openshift/builder/issues/227

Comment 49 Rolfe Dlugy-Hegwer 2021-04-09 12:53:10 UTC
Supporting information for release notes:

Cause: in minimizing the amount of data from the Pod's /run/secrets copied into the build container, Bug 1916897 failed to include /run/secrets/etc-pki-entitlements if that was available.

Consequence: the CVE fix then prevents entitled builds from working seamlessly if the entitlement certificates are stored on the OCP host/node.

Fix: The OpenShift Build Image and associated Pod will now mount all available entitlement related files in /run/secrets into the build container.

Result: entitled builds will not be able to pick up the certificates stored on the OCP host/node. Note: a warning message like 'level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping' when running OCP Builds on RHCOS nodes can be ignored.
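As an added example (not part of the bug report or of the openshift/builder project), the following POSIX shell check parses a mounts.conf-style file the way the warning quoted above describes (one `host_path` or `host_path:container_path` per line, `#` comments) and reports which host paths are absent, so a build can tell before its yum install whether the entitlement mounts from the reproduction steps actually arrived in the container. The optional ROOT prefix and the constructed sample tree in `demo_check` are assumptions added so it runs offline.

```shell
# Added example; not from the bug report or the openshift/builder project.
# check_mounts_conf FILE [ROOT]: parse a mounts.conf-style file, report
# each entry whose host path is missing (the condition behind the
# 'doesn't exist, skipping' warning) and return 1 if any entry is missing.
# ROOT (default "") is prefixed to host paths so the check can run against
# a constructed tree; inside a real build container omit it. ROOT is an
# assumption of this example, not a mounts.conf feature.
check_mounts_conf() {
    file=$1
    root=${2:-}
    missing=0
    total=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments and surrounding whitespace, skip empty lines
        line=${line%%#*}
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        total=$((total+1))
        case "$line" in
            *:*:*) printf 'unparseable entry: %s\n' "$line" >&2; missing=$((missing+1)); continue ;;
            *:*)   host=${line%%:*}; ctr=${line#*:} ;;
            *)     host=$line; ctr=$line ;;
        esac
        if [ -e "$root$host" ]; then
            printf 'ok      %s -> %s\n' "$host" "$ctr"
        else
            printf 'MISSING %s -> %s (would be skipped)\n' "$host" "$ctr"
            missing=$((missing+1))
        fi
    done < "$file"
    printf '%d of %d entries present\n' "$((total-missing))" "$total"
    [ "$missing" -eq 0 ]
}

# Stand-alone demo on a constructed tree: only the rhsm directory exists,
# so the entitlement entry is reported missing, as in this bug.
demo_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/run/secrets/rhsm"
    cat > "$tmp/mounts.conf" <<'EOF'
# constructed sample mounts.conf
/run/secrets/etc-pki-entitlement
/run/secrets/rhsm:/run/secrets/rhsm
EOF
    check_mounts_conf "$tmp/mounts.conf" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `demo_check` to see the missing-entry report; in a build, call `check_mounts_conf /etc/containers/mounts.conf` without a ROOT argument.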

Comment 54 errata-xmlrpc 2021-07-27 22:54:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438