Bug 1974850

Summary: [4.8] coreos-installer failing Execshield
Product: OpenShift Container Platform
Component: RHCOS
Version: 4.8
Status: CLOSED ERRATA
Severity: low
Priority: high
Target Release: 4.8.z
Hardware: Unspecified
OS: Unspecified
Reporter: Micah Abbott <miabbott>
Assignee: Jonathan Lebon <jlebon>
QA Contact: Michael Nguyen <mnguyen>
CC: bgilbert, dornelas, jlebon, jligon, miabbott, mnguyen, mrussell, nstielau, xiuwang
Doc Type: No Doc Update
Clone Of: 1974453
Bug Depends On: 1969651, 1974453
Last Closed: 2021-07-27 23:13:39 UTC

Description Micah Abbott 2021-06-22 16:16:42 UTC
+++ This bug was initially created as a clone of Bug #1974453 +++

From https://rpmdiff.engineering.redhat.com/run/496970/7/:

```
/usr/lib/dracut/modules.d/50rdcore/rdcore may have lost -DFORTIFY_SOURCE on ppc64le
  The new binary lost all fortified symbols (__snprintf_chk) but gained no fortifiable ones.
  However: fortifiable symbols getcwd,memcpy,memmove,memset,read,readlink,realpath,recv are present (unfortified) in both the old and new packages.
```

```
Detecting usr/lib/dracut/modules.d/50rdcore/rdcore with not-hardened warnings '
Hardened: rdcore: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
Hardened: rdcore: FAIL: property-note test because no .note.gnu.property section found 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
' on x86_64
```

```
Detecting usr/bin/coreos-installer with not-hardened warnings '
Hardened: coreos-installer: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
Hardened: coreos-installer: FAIL: property-note test because no .note.gnu.property section found 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
' on x86_64
```

```
/usr/lib/dracut/modules.d/50rdcore/rdcore lost -DFORTIFY_SOURCE on aarch64 x86_64 s390x
  The new binary lost all fortified symbols (__snprintf_chk) but includes the following unfortified symbol: readlink
```

```
/usr/bin/coreos-installer may have lost -DFORTIFY_SOURCE on aarch64 x86_64 ppc64le s390x
  The new binary lost all fortified symbols (__snprintf_chk) but gained no fortifiable ones.
  However: fortifiable symbols getcwd,memcpy,memmove,memset,pread64,read,readlink,realpath,recv are present (unfortified) in both the old and new packages.
```

--- Additional comment from Jonathan Lebon on 2021-06-21 21:02:16 UTC ---

I had a hunch we were somehow compiling C code in the background. Digging deeper revealed: https://src.osci.redhat.com/rpms/coreos-installer/pull-request/27.
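
The old-versus-new symbol comparison behind the rpmdiff FORTIFY_SOURCE messages above, as an added example (not part of the original bug report and not rpmdiff's own code). The decision rule is an assumption inferred from the message wording, and the `nm -D --undefined-only` listings are constructed.

```python
# Added example: models the verdict wording in the rpmdiff output above.
# It is not rpmdiff's implementation; the decision rule is an assumption.

# Fortifiable libc functions named in the report (a subset of what glibc fortifies).
FORTIFIABLE = {"getcwd", "memcpy", "memmove", "memset", "pread64",
               "read", "readlink", "realpath", "recv", "snprintf"}

def parse_undefined(nm_text):
    """Imported symbol names from `nm -D --undefined-only <binary>` output."""
    syms = set()
    for line in nm_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-2] in ("U", "w"):
            syms.add(parts[-1].split("@")[0])  # drop @GLIBC_x.y version suffix
    return syms

def fortified(syms):
    """Fortified variants look like __snprintf_chk, __memcpy_chk, ..."""
    return {s for s in syms if s.startswith("__") and s.endswith("_chk")}

def fortify_verdict(old, new):
    """Compare imported symbols of the old and new build of one binary."""
    old_f, new_f = fortified(old), fortified(new)
    if not old_f:
        return ("no-baseline", [])           # old build had nothing fortified
    if new_f:
        return ("still-fortified", sorted(new_f))
    unfortified = new & FORTIFIABLE
    gained = unfortified - old
    if gained:                               # new plain call sites appeared
        return ("lost", sorted(gained))
    return ("may-have-lost", sorted(unfortified & old))

# Constructed nm output, shaped after the rdcore findings in the report.
OLD = """\
                 U __snprintf_chk@GLIBC_2.3.4
                 U memcpy@GLIBC_2.14
                 U read@GLIBC_2.2.5
                 w __gmon_start__
"""
NEW_SAME_IMPORTS = "".join(OLD.splitlines(keepends=True)[1:])  # only the _chk import gone
NEW_GAINED = NEW_SAME_IMPORTS + "                 U readlink@GLIBC_2.2.5\n"

if __name__ == "__main__":
    old = parse_undefined(OLD)
    for name, text in (("same imports", NEW_SAME_IMPORTS), ("gained", NEW_GAINED)):
        print(name, fortify_verdict(old, parse_undefined(text)))
```

A "may-have-lost" result means the only fortified import disappeared while the plain imports are unchanged, which is also what happens when the code that called the fortified function is no longer compiled into the binary.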

Comment 1 Micah Abbott 2021-06-28 15:52:18 UTC
Fixed in coreos-installer-0.9.0-6.rhaos4.8.el8

Included in RHCOS 48.84.202106222143-0

It should land as part of a boot image bump, but I don't think it is necessary to hold up the release for this.  Targeting for 4.8.z

Comment 4 Michael Nguyen 2021-06-30 17:53:40 UTC
Verified on 4.8.0-0.nightly-2021-06-29-033219 - lzma no longer bundled

```
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-29-033219   True        False         4m42s   Cluster version is 4.8.0-0.nightly-2021-06-29-033219
[mnguyen@pet32 4.8]$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-138-233.us-west-2.compute.internal   Ready    worker   23m   v1.21.0-rc.0+766a5fe
ip-10-0-144-166.us-west-2.compute.internal   Ready    master   31m   v1.21.0-rc.0+766a5fe
ip-10-0-168-94.us-west-2.compute.internal    Ready    master   31m   v1.21.0-rc.0+766a5fe
ip-10-0-175-88.us-west-2.compute.internal    Ready    worker   24m   v1.21.0-rc.0+766a5fe
ip-10-0-203-100.us-west-2.compute.internal   Ready    worker   24m   v1.21.0-rc.0+766a5fe
ip-10-0-221-14.us-west-2.compute.internal    Ready    master   31m   v1.21.0-rc.0+766a5fe

$ oc debug node/ip-10-0-138-233.us-west-2.compute.internal
Starting pod/ip-10-0-138-233us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9a23adde268dc8937ae293594f58fc4039b574210f320ebdac85a50ef40220dd
              CustomOrigin: Managed by machine-config-operator
                   Version: 48.84.202106231817-0 (2021-06-23T18:21:06Z)

  ostree://457db8ff03dda5b3ce1a8e242fd91ddbe6a82f838d1b0047c3d4aeaf6c53f572
                   Version: 48.84.202106091622-0 (2021-06-09T16:25:42Z)
sh-4.4# rpm -q --requires coreos-installer | grep lzma
liblzma.so.5()(64bit)
liblzma.so.5(XZ_5.0)(64bit)
sh-4.4# rpm -qa coreos-installer
coreos-installer-0.9.0-6.rhaos4.8.el8.x86_64
sh-4.4# rpm -qf /usr/lib64/liblzma.so.5
xz-libs-5.2.4-3.el8.x86_64
sh-4.4#
```

Comment 8 errata-xmlrpc 2021-07-27 23:13:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Comment 9 Red Hat Bugzilla 2023-09-15 01:10:23 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days