Bug 1945238

Summary: [Edge] RHEL-Edge container image failed running on OpenShift 4
Product: Red Hat Enterprise Linux 8
Reporter: Xiaofeng Wang <xiaofwan>
Component: osbuild-composer
Assignee: Achilleas Koutsou <akoutsou>
Status: CLOSED ERRATA
QA Contact: Xiaofeng Wang <xiaofwan>
Severity: unspecified
Docs Contact: Eliane Ramos Pereira <elpereir>
Priority: unspecified
Version: 8.4
CC: akoutsou, atodorov, elpereir, leiwang, obudai, tgunders, yih
Target Milestone: beta
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: osbuild-composer-32-1.el8
Doc Type: Bug Fix
Doc Text:
.RHEL-Edge container image now uses `nginx` and serves on port 8080

Previously, the `edge-container` image type was unable to run in non-root mode. As a result, Red Hat OpenShift 4 was unable to use the `edge-container` image type. With this enhancement, the container now uses `nginx` HTTP server to serve the commit and a configuration file that allows the server to run as a non-root user inside the container, enabling its use on Red Hat OpenShift 4. The internal web server now uses the port `8080` instead of `80`.
Last Closed: 2021-11-09 18:46:58 UTC
Type: Bug
Attachments: edge image ocp4 template (flags: none)

Description Xiaofeng Wang 2021-03-31 13:54:57 UTC
Created attachment 1768092: edge image ocp4 template

Description of problem:
When I run the edge container image on OpenShift 4, I get the following error:

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.20.7.62. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00058: Error retrieving pid file run/httpd.pid
AH00059: Remove it before continuing if it is corrupted.

Error "(13)Permission denied: AH00058: Error retrieving pid file run/httpd.pid" should be related to the OCP arbitrary UID issue.

Version-Release number of selected component (if applicable):
I have to use scratch ostree build due to bz#1944473
python3-osbuild-27-1.20210330gitf119243.20210330gitf119243.el8.noarch
osbuild-composer-core-28.3-1.el8.x86_64
osbuild-selinux-27-1.20210330gitf119243.20210330gitf119243.el8.noarch
osbuild-ostree-27-1.20210330gitf119243.20210330gitf119243.el8.noarch
osbuild-composer-28.3-1.el8.x86_64
osbuild-27-1.20210330gitf119243.20210330gitf119243.el8.noarch
osbuild-composer-worker-28.3-1.el8.x86_64

How reproducible:

Steps to Reproduce:
1. Install osbuild*
2. Configure blueprint in container.toml
$ cat container.toml
name = "container"
description = "A base rhel-edge container image"
version = "0.0.1"
modules = []
groups = []
[[packages]]
name = "python36"
version = "*"
[customizations.kernel]
name = "kernel-rt"
[[customizations.user]]
name = "admin"
description = "Administrator account"
password = "$6$GRmb7S0p8vsYmXzH$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC61wMCjOSHwbVb4VfVyl5sn497qW4PsdQ7Ty7aD6wDNZ/QjjULkDV/yW5WjDlDQ7UqFH0Sr7vywjqDizUAqK7zM5FsUKsUXWHWwg/ehKg8j9xKcMv11AkFoUoujtfAujnKODkk58XSA9whPr7qcw3vPrmog680pnMSzf9LC7J6kXfs6lkoKfBh9VnlxusCrw2yg0qI1fHAZBLPx7mW6+me71QZsS6sVz8v8KXyrXsKTdnF50FjzHcK9HXDBtSJS5wA3fkcRYymJe0o6WMWNdgSRVpoSiWaHHmFgdMUJaYoCfhXzyl7LtNb3Q+Sveg+tJK7JaRXBLMUllOlJ6ll5Hod root@localhost"
home = "/home/admin/"
groups = ["wheel"]

3. Push container.toml
$ sudo composer-cli blueprints push container.toml
4. Check package dependencies
$ sudo composer-cli blueprints depsolve container
5. Build image
$ sudo composer-cli compose start-ostree --ref rhel/8/x86_64/edge container rhel-edge-container
6. Wait until it's FINISHED
$ sudo composer-cli compose status
7. Download image
$ sudo composer-cli compose image e4fa3a99-11f4-4035-971c-fbc58c49725c
8. Upload image to docker.io
$ skopeo copy --dest-creds username:password oci-archive:e4fa3a99-11f4-4035-971c-fbc58c49725c-rhel84-container.tar docker://docker.io/username/rhel-edge:latest
9. Download the attached template and run it (the image repository in the template might need to be changed according to where the image is saved)
$ oc login --server=<ocp4 api server>
$ oc process -f edge-stage-server-template.yaml | oc4 apply -f -

Actual results:
Can't run container and have error message "(13)Permission denied: AH00058: Error retrieving pid file run/httpd.pid"

Expected results:
Run edge container image on ocp4 successfully.

Additional info:

Comment 1 Achilleas Koutsou 2021-04-21 12:40:17 UTC
The plan for this is to change the web service in the container from httpd (apache) to nginx.  On top of that, we need to configure the service to run without root privileges, which requires a more flexible OCI container creation stage and maybe a service config stage of some kind.
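
Why an arbitrary UID trips over the httpd pid file and port 80, as an added example (not osbuild-composer's code and not part of the original comment): it models POSIX permission-class selection for a process started with a random UID and GID 0, which is how OpenShift's default policy runs containers. The paths, owners, modes and UID below are constructed assumptions, not values read from the edge-container image.

```python
# Added example: preflight check for running a web server under an
# OpenShift-style arbitrary UID. All filesystem data here is constructed.
from dataclasses import dataclass

@dataclass
class Node:
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o710

def allowed(node, uid, gids, want):
    """POSIX class selection: owner, else group, else other (no fallthrough)."""
    if uid == 0:
        return True
    if node.uid == uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want

def preflight(fs, writable_dirs, port, uid, gids=(0,)):
    """Return the reasons a server would fail to start as uid/gids."""
    problems = []
    for d in writable_dirs:
        parts = d.strip("/").split("/")
        for i in range(1, len(parts) + 1):
            path = "/" + "/".join(parts[:i])
            # ancestors need search (x=1); the target directory needs w+x (3)
            want = 3 if i == len(parts) else 1
            if not allowed(fs[path], uid, gids, want):
                problems.append(f"EACCES {path}")
                break
    if port < 1024 and uid != 0:
        problems.append(f"port {port} needs CAP_NET_BIND_SERVICE")
    return problems

FS = {  # constructed sample layout
    "/run": Node(0, 0, 0o755),
    "/run/httpd": Node(0, 48, 0o710),  # root:apache, no access for "other"
    "/tmp": Node(0, 0, 0o1777),        # world-writable, sticky
}
ARBITRARY_UID = 1000650000  # constructed; assigned from a per-project range

HTTPD = preflight(FS, ["/run/httpd"], 80, ARBITRARY_UID)   # pid dir + port 80
NGINX = preflight(FS, ["/tmp"], 8080, ARBITRARY_UID)       # pid in /tmp, 8080
```

A directory owned by group 0 with group bits equal to the owner bits (for example `0o775`) also passes the check, which is the usual way to prepare image paths for arbitrary UIDs.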

Comment 2 Xiaofeng Wang 2021-08-04 08:26:38 UTC
Pre-verified on the following build:
python3-osbuild-30-1.20210722git35de309.20210722git35de309.el8.noarch
osbuild-composer-30-1.20210728git6ecb00a.el8.x86_64
osbuild-30-1.20210722git35de309.20210722git35de309.el8.noarch
osbuild-ostree-30-1.20210722git35de309.20210722git35de309.el8.noarch
osbuild-composer-worker-30-1.20210728git6ecb00a.el8.x86_64
osbuild-composer-core-30-1.20210728git6ecb00a.el8.x86_64
osbuild-selinux-30-1.20210722git35de309.20210722git35de309.el8.noarch

Comment 5 Alexander Todorov 2021-08-24 07:42:02 UTC
(In reply to Xiaofeng Wang from comment #2)
> Pre-verified on the following build:
> python3-osbuild-30-1.20210722git35de309.20210722git35de309.el8.noarch
> osbuild-composer-30-1.20210728git6ecb00a.el8.x86_64
> osbuild-30-1.20210722git35de309.20210722git35de309.el8.noarch
> osbuild-ostree-30-1.20210722git35de309.20210722git35de309.el8.noarch
> osbuild-composer-worker-30-1.20210728git6ecb00a.el8.x86_64
> osbuild-composer-core-30-1.20210728git6ecb00a.el8.x86_64
> osbuild-selinux-30-1.20210722git35de309.20210722git35de309.el8.noarch


@Xiaofeng, @Yi,
can you verify with the latest official builds in a nightly/devel tree?

Comment 6 Xiaofeng Wang 2021-08-24 11:08:21 UTC
@atodorov, the fix PR (https://github.com/osbuild/osbuild-composer/pull/1595) has still not been merged, so we have to wait for the PR to be merged and for the new RHEL 8.5 release.

Comment 7 Alexander Todorov 2021-08-24 12:32:17 UTC
(In reply to Xiaofeng Wang from comment #6)
> @atodorov, the fix PR (https://github.com/osbuild/osbuild-composer/pull/1595)
> has still not been merged, so we have to wait for the PR to be merged and for the new RHEL 8.5 release.

In 8.5 we've got osbuild-composer-31-1.el8 and in Comment #2 you indicated that you have tested with v30-1. How is it possible that you were able to pre-verify with an older build but not with the latest one?

Comment 8 Alexander Todorov 2021-08-24 12:33:34 UTC
(In reply to Xiaofeng Wang from comment #6)
> @atodorov, the fix PR (https://github.com/osbuild/osbuild-composer/pull/1595)
> has still not been merged, so we have to wait for the PR to be merged and for the new RHEL 8.5 release.

@Achilleas,
what's the hold-up for this PR being merged and how does that relate to this particular BZ? Please see my reminder about the schedule on the internal ML.

Comment 9 Achilleas Koutsou 2021-08-26 10:31:08 UTC
No hold-up or blockage.  Just needs to be reviewed again and merged.

Comment 10 Alexander Todorov 2021-08-31 08:45:54 UTC
(In reply to Achilleas Koutsou from comment #9)
> No hold-up or blockage.  Just needs to be reviewed again and merged.

I see the PR has already been merged. Can you update the Fixed In Version field? Will this be in 33-1?

Comment 11 Ondřej Budai 2021-08-31 08:59:05 UTC
This was fixed in osbuild-composer-32-1.el8, see https://github.com/osbuild/osbuild-composer/commit/17a1d3818917488985793a84e316e9e5f34b4fca

Comment 12 Xiaofeng Wang 2021-08-31 12:43:55 UTC
Verified. Build info:
osbuild-composer-worker-33-1.el8.x86_64
osbuild-35-1.el8.noarch
osbuild-composer-core-33-1.el8.x86_64
osbuild-selinux-35-1.el8.noarch
osbuild-composer-33-1.el8.x86_64
osbuild-ostree-35-1.el8.noarch
python3-osbuild-35-1.el8.noarch

Comment 14 errata-xmlrpc 2021-11-09 18:46:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (osbuild bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4273