Bug 1946363

Summary: After fix for CVE-2021-3344, Builds do not mount node entitlement keys
Product: OpenShift Container Platform Reporter: Gabe Montero <gmontero>
Component: BuildAssignee: Gabe Montero <gmontero>
Status: CLOSED ERRATA QA Contact: wewang <wewang>
Severity: high Docs Contact:
Priority: high    
Version: 4.6CC: ableisch, adam.kaplan, alchan, aos-bugs, gmontero, nalin, npaez, wewang, xiuwang
Target Milestone: ---Keywords: Regression
Target Release: 4.6.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: in minimizing the amount of data from the Pod's /run/secrets copied into the build container, Bug 1916897 failed to include /run/secrets/etc-pki-entitlements if that was available. Consequence: the cve fix then prevents entitled builds from working seamlessly if the entitlement certificates are stored on the OCP host/node Fix: The OpenShift Build Image and associated Pod will now mount all available entitlement related files in /run/secrets into the build container Result: entitled builds will not be able to pick up the certificates stored on the OCP host/node. Note: warning message like 'level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping' when running OCP Builds on RHCOS nodes can be ignored.
Story Points: ---
Clone Of: 1945692 Environment:
Last Closed: 2021-04-27 14:20:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1945692    
Bug Blocks:    

Comment 5 errata-xmlrpc 2021-04-27 14:20:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.26 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1232