Bug 1951084

Summary: avoid benign "Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping" messages
Product: OpenShift Container Platform
Reporter: Gabe Montero <gmontero>
Component: Build
Assignee: Gabe Montero <gmontero>
Status: CLOSED ERRATA
QA Contact: wewang <wewang>
Severity: medium
Docs Contact: Srivaralakshmi Ramani <srr>
Priority: unspecified
Version: 4.8
CC: aos-bugs
Target Milestone: ---
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, after CVE-2021-3344 was fixed, builds did not automatically mount entitlement keys on the node. As a result, when the entitlement certificates were stored on the OpenShift host or node, the fix prevented entitled builds from working seamlessly. The failure to bring in entitlement certificates stored in the OpenShift host or node was fixed with link:https://bugzilla.redhat.com/show_bug.cgi?id=1945692[BZ#1945692] in 4.7.z and link:https://bugzilla.redhat.com/show_bug.cgi?id=1946363[BZ#1946363] in 4.6.z; however, those fixes introduced a benign warning message for OpenShift builds running on Red Hat Enterprise Linux CoreOS (RHCOS) worker nodes. The current release fixes this issue by allowing builds to automatically mount entitlements only on RHEL worker nodes, and avoiding mount attempts on RHCOS worker nodes. Now, there will not be any benign warnings around entitlement mounts when running OpenShift builds on RHCOS nodes.
Last Closed: 2021-07-27 23:01:52 UTC
Type: Bug

Description Gabe Montero 2021-04-19 15:16:06 UTC
Description of problem:

For https://bugzilla.redhat.com/show_bug.cgi?id=1940488 we had to move the mounts of entitlements from transient mounts to mounts.conf to work around a buildah bug where they would overwrite entitlement mounts with a fips mount.

And while things work perfectly on the RHEL worker nodes that have entitlements, on RHCOS worker nodes those entitlement files will never exist, and we get warning messages like

time="2021-03-31T17:16:09Z" level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
time="2021-03-31T17:16:09Z" level=warning msg="Path \"/run/secrets/redhat.repo\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"

While those messages are benign warnings, such messages of course can distract / mislead users when they see them.

In 4.8 we will vendor in the buildah change which addresses the original bug there, and switch back from mounts.conf to transient mounts.

With this, we can avoid the attempt to mount entitlement files on RHCOS worker nodes.
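
Added example, not part of the original report or of the OpenShift/buildah code: a small Python triage helper for build logs from the affected 4.6.z/4.7.z levels. It suppresses only the two known-benign entitlement warnings quoted above so that any other missing-mount warning still surfaces. It assumes the key=value log format shown in the quoted lines; the last two sample lines are constructed.

```python
import re

# Values copied from the two warning lines quoted in this bug report.
BENIGN_PATHS = {"/run/secrets/etc-pki-entitlement", "/run/secrets/redhat.repo"}
MOUNTS_CONF = "/etc/containers/mounts.conf"

# key=value pairs; a value is either a double-quoted string with backslash
# escapes or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SKIP_RE = re.compile(
    r'^Path "(?P<path>[^"]+)" from "(?P<conf>[^"]+)" doesn\'t exist, skipping$')

def parse_fields(line):
    """Split one log line into a dict, unescaping quoted values."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        fields[key] = raw
    return fields

def classify(line):
    """Return 'benign-entitlement', 'other-warning' or 'ignore'."""
    fields = parse_fields(line)
    if fields.get("level") != "warning":
        return "ignore"
    m = SKIP_RE.match(fields.get("msg", ""))
    # Benign only if BOTH the source file and the path match the report.
    if m and m["conf"] == MOUNTS_CONF and m["path"] in BENIGN_PATHS:
        return "benign-entitlement"
    return "other-warning"

def triage(log_text):
    """Return the warning lines that still need a human look."""
    return [l for l in log_text.splitlines() if classify(l) == "other-warning"]

# First two lines are from the report; the last two are constructed samples.
SAMPLE = r'''time="2021-03-31T17:16:09Z" level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
time="2021-03-31T17:16:09Z" level=warning msg="Path \"/run/secrets/redhat.repo\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
time="2021-03-31T17:16:10Z" level=warning msg="Path \"/run/secrets/example-ca\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
time="2021-03-31T17:16:11Z" level=info msg="constructed informational line"
'''

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```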

Comment 1 wewang 2021-04-20 08:42:30 UTC
Launched a cluster and tested entitlement build, no warning anymore.

Version:
4.8.0-0.ci.test-2021-04-20-063706-ci-ln-1xhd8gk

Comment 3 wewang 2021-04-23 02:00:28 UTC
Verified it manually; it seems it cannot be verified automatically.

Comment 4 Srivaralakshmi Ramani 2021-06-03 12:34:00 UTC
Updated the Doc Text field.

Comment 5 Gabe Montero 2021-06-03 14:48:14 UTC
Per our discussion in slack, I now realized that we should cite the 4.7.z / 4.7.z bz's instead of the 4.8 bz.

Then convey that if you are upgrading from systems at those levels, moving from those to 4.8 removes this warning message via this change.

The 4.7.z bz is https://bugzilla.redhat.com/show_bug.cgi?id=1945692

The 4.6.z bz is https://bugzilla.redhat.com/show_bug.cgi?id=1946363

Does that make sense, Srivaralakshmi?

Comment 13 errata-xmlrpc 2021-07-27 23:01:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438