Bug 1945692

Summary: After fix for CVE-2021-3344, Builds do not mount node entitlement keys
Product: OpenShift Container Platform
Reporter: Gabe Montero <gmontero>
Component: Build
Assignee: Gabe Montero <gmontero>
Status: CLOSED ERRATA
QA Contact: wewang <wewang>
Severity: high
Docs Contact: Rolfe Dlugy-Hegwer <rdlugyhe>
Priority: high
Version: 4.6
CC: ableisch, adam.kaplan, alchan, aos-bugs, ctauchen, gmontero, nalin, npaez, rdlugyhe, wewang, xiuwang
Target Milestone: ---
Keywords: Regression
Target Release: 4.7.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, after CVE-2021-3344 was fixed, builds did not automatically mount the entitlement keys present on the node. The fix minimized the amount of data copied from a pod's `/run/secrets` directory into the build container, which caused the `/run/secrets/etc-pki-entitlement` entry to be omitted. As a result, entitled builds no longer worked seamlessly when the entitlement certificates were stored on the OpenShift host or node. Now, the OpenShift build image and the associated pod mount all entitlement-related files from `/run/secrets` into the build container, so entitled builds can again pick up the certificates stored on the OpenShift host or node. Note that warning messages such as `level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"` can be ignored when running OpenShift Container Platform builds on Red Hat Enterprise Linux CoreOS (RHCOS) nodes.
Story Points: ---
Clone Of: 1940488
Clones: 1946363
Environment:
Last Closed: 2021-04-20 18:52:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1940488
Bug Blocks: 1946363

Comment 6 errata-xmlrpc 2021-04-20 18:52:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.7 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1149