Bug 1974453

Summary: coreos-installer failing Execshield
Product: OpenShift Container Platform
Component: RHCOS
Version: 4.8
Status: CLOSED ERRATA
Severity: low
Priority: high
Reporter: Jonathan Lebon <jlebon>
Assignee: Jonathan Lebon <jlebon>
QA Contact: Michael Nguyen <mnguyen>
CC: dornelas, jligon, miabbott, mrussell, nstielau
Target Release: 4.9.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug
Last Closed: 2021-10-18 17:35:54 UTC
Bug Blocks: 1974850

Description Jonathan Lebon 2021-06-21 18:00:57 UTC
From https://rpmdiff.engineering.redhat.com/run/496970/7/:

```
/usr/lib/dracut/modules.d/50rdcore/rdcore may have lost -DFORTIFY_SOURCE on ppc64le
  The new binary lost all fortified symbols (__snprintf_chk) but gained no fortifiable ones.
  However: fortifiable symbols getcwd,memcpy,memmove,memset,read,readlink,realpath,recv are present (unfortified) in both the old and new packages.
```

```
Detecting usr/lib/dracut/modules.d/50rdcore/rdcore with not-hardened warnings '
Hardened: rdcore: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
Hardened: rdcore: FAIL: property-note test because no .note.gnu.property section found 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
' on x86_64
```

```
Detecting usr/bin/coreos-installer with not-hardened warnings '
Hardened: coreos-installer: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
Hardened: coreos-installer: FAIL: property-note test because no .note.gnu.property section found 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
' on x86_64
```

```
/usr/lib/dracut/modules.d/50rdcore/rdcore lost -DFORTIFY_SOURCE on aarch64 x86_64 s390x
  The new binary lost all fortified symbols (__snprintf_chk) but includes the following unfortified symbol: readlink
```

```
/usr/bin/coreos-installer may have lost -DFORTIFY_SOURCE on aarch64 x86_64 ppc64le s390x
  The new binary lost all fortified symbols (__snprintf_chk) but gained no fortifiable ones.
  However: fortifiable symbols getcwd,memcpy,memmove,memset,pread64,read,readlink,realpath,recv are present (unfortified) in both the old and new packages.
```

Comment 1 Jonathan Lebon 2021-06-21 21:02:16 UTC
I had a hunch we were somehow compiling C code in the background. Digging deeper revealed: https://src.osci.redhat.com/rpms/coreos-installer/pull-request/27.

Comment 2 Jonathan Lebon 2021-06-22 20:00:59 UTC
In the end we still needed a waiver, but we can use this RHBZ to at least track the lzma debundling.
PR above for that was merged and the package was rebuilt.

Comment 3 Micah Abbott 2021-08-25 12:33:31 UTC
Latest builds of RHCOS 4.9 include coreos-installer-0.9.1-4.rhaos4.9.el8, which includes the dependency on `xz-devel`.

Moving to MODIFIED

Comment 6 Michael Nguyen 2021-08-30 18:18:44 UTC
Verified on 4.9.0-0.nightly-2021-08-30-070917

lzma no longer bundled with coreos-installer

```
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-08-30-070917   True        False         123m    Cluster version is 4.9.0-0.nightly-2021-08-30-070917
$ oc get nodes
NAME                                         STATUS   ROLES    AGE    VERSION
ip-10-0-142-160.us-west-2.compute.internal   Ready    master   147m   v1.22.0-rc.0+b708912
ip-10-0-154-16.us-west-2.compute.internal    Ready    worker   136m   v1.22.0-rc.0+b708912
ip-10-0-161-64.us-west-2.compute.internal    Ready    master   147m   v1.22.0-rc.0+b708912
ip-10-0-181-110.us-west-2.compute.internal   Ready    worker   140m   v1.22.0-rc.0+b708912
ip-10-0-196-10.us-west-2.compute.internal    Ready    worker   141m   v1.22.0-rc.0+b708912
ip-10-0-199-150.us-west-2.compute.internal   Ready    master   147m   v1.22.0-rc.0+b708912
$ oc debug node/ip-10-0-154-16.us-west-2.compute.internal
Starting pod/ip-10-0-154-16us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# rpm -q --requires coreos-installer
gnupg
kpartx
ld-linux-x86-64.so.2()(64bit)
ld-linux-x86-64.so.2(GLIBC_2.3)(64bit)
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.15)(64bit)
libc.so.6(GLIBC_2.17)(64bit)
libc.so.6(GLIBC_2.18)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3)(64bit)
libc.so.6(GLIBC_2.3.2)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.7)(64bit)
libc.so.6(GLIBC_2.9)(64bit)
libcrypto.so.1.1()(64bit)
libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
libdl.so.2()(64bit)
libdl.so.2(GLIBC_2.2.5)(64bit)
libgcc_s.so.1()(64bit)
libgcc_s.so.1(GCC_3.0)(64bit)
libgcc_s.so.1(GCC_3.3)(64bit)
libgcc_s.so.1(GCC_4.2.0)(64bit)
liblzma.so.5()(64bit)
liblzma.so.5(XZ_5.0)(64bit)
libpthread.so.0()(64bit)
libpthread.so.0(GLIBC_2.2.5)(64bit)
libpthread.so.0(GLIBC_2.3.2)(64bit)
libpthread.so.0(GLIBC_2.3.3)(64bit)
librt.so.1()(64bit)
libssl.so.1.1()(64bit)
libssl.so.1.1(OPENSSL_1_1_0)(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
rtld(GNU_HASH)
systemd-udev
util-linux
sh-4.4# rpm -qf /usr/lib64/liblz
liblz4.so.1       liblzma.so.5      liblzo2.so.2      
liblz4.so.1.8.3   liblzma.so.5.2.4  liblzo2.so.2.0.0  
sh-4.4# rpm -qf /usr/lib64/liblzma.so.5
xz-libs-5.2.4-3.el8.x86_64
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c32cf7cd356c9b12cce1cf022acb1f053d5ccaf5bea22e1757cf466d360ae22f
              CustomOrigin: Managed by machine-config-operator
                   Version: 49.84.202108272238-0 (2021-08-27T22:41:52Z)

  ostree://95aec436ee83751dea39060f5234a45c8eb389e19f4b535eb34f33c9d42208fb
                   Version: 49.84.202108221651-0 (2021-08-22T16:55:03Z)
sh-4.4#
```

Comment 9 errata-xmlrpc 2021-10-18 17:35:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759