Bug 1975554

Summary: Installing rng-tools via Image Builder might hang the installation
Product: Red Hat Enterprise Linux 8 Reporter: Christian Kellner <ckellner>
Component: rng-toolsAssignee: Vladis Dronov <vdronov>
Status: CLOSED ERRATA QA Contact: Vilém Maršík <vmarsik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.4CC: akoutsou, core-kernel-mgr, dbohanno, dwojewod, perobins, rvr, skozina, vdronov, vmarsik, yih
Target Milestone: betaKeywords: Rebase, Reopened, Triaged, ZStream
Target Release: 8.5   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rng-tools-6.13-1.git.d207e0b6.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2057030 (view as bug list) Environment:
Last Closed: 2021-11-09 19:44:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2057030    

Description Christian Kellner 2021-06-23 22:07:30 UTC
During the installation of rng-tools, the command "udevadm trigger --sysname-match=hw_random --settle" is triggered, via the "%post" section in the spec file.
Image Builder, and more specifically the low-level tool, osbuild is installing the rpm packages in a contained, isolated environment with a different network, mount et al. namespaces (via bubblewrap). In part this is done to abstract from the build host hardware, since the resulting image might run on completely different hardware than it is built on (e.g. cloud images). Specifically, in such a container, no uevents might be delivered and thus `udevadm --settle` might block. See upstream bug: https://github.com/osbuild/image-builder/issues/206

Comment 1 Yi He 2021-07-02 01:26:25 UTC
Verified with latest main branch, fixed. Image-builder service can build installer ISO image successfully.

Env:
[root@rhel84iso2 keyring]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.4 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.4"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.4:GA"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.4
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.4"


[root@rhel84iso2 keyring]# rpm -qa|grep osbuild
python3-osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-ostree-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-selinux-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-composer-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-core-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-worker-30-1.20210629gitcca5c9f.el8.x86_64

Comment 2 Vladis Dronov 2021-07-03 19:47:11 UTC
hello, Christian,

thank you for reporting this. indeed, udevadm call lacks the container virtualization
guard. i'm posting a fix and i need to wait for Mon to approve this bz from qe side.

hello, Yi,
i have changed nothing yet. so i believe, smth else have changed, os-builder, i presume.
nevertheless, i'm rolling out the fix anyway.

Comment 4 Yi He 2021-07-07 08:56:25 UTC
Hi Vladis Dronov,

Thanks for fixing this bug in rng-tools side, I will keep an eye on this bug in later testing.

Comment 5 Yi He 2021-07-19 08:48:32 UTC
Update on this bug:

This bug is fixed by Christian in osbuild in this commit https://github.com/osbuild/osbuild/commit/704d5d305a4168e9720cfae510114d44aa52318b, I have verified on the main branch after this commit merged, the bug is fixed and can not be reproduced.

Following is the verification steps:

Env:
[root@rhel84iso2 keyring]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.4 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.4"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.4:GA"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.4
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.4"


[root@rhel84iso2 keyring]# rpm -qa|grep osbuild
python3-osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-ostree-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-selinux-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-composer-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-core-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-worker-30-1.20210629gitcca5c9f.el8.x86_64

Steps:
1. Send a request to build Edge commit image and upload to s3.
2. Download and extract commit tar and serve over httpd.
3. Install Edge vm with the commit repo.
4. Can install Edge vm successfully, can login/ssh to it, run some sanity test, everything is fine.
5. Send a request to build Edge iso image and upload to s3.
6. Image-builder can build ISO image and upload to s3 successfully.


And Vladis Dronov also fixed it in rng-tools side and provided a scratch build of rng-tools, but I cannot test it at that time because I have to wait for an osbuild official build that picks up the latest rng-tools package. In the meantime, I talked with Christian and Peter about this bug, as we already fixed it in osbuild, and we will remove rng-tools from osbuild forever, there is no urgent need for composer QE to test the rng-tools package. Better to ask rng-tools QE to verify this issue.

Comment 10 Vladis Dronov 2021-08-09 16:03:49 UTC
hello, Vilem,

i'm sorry for the mess in this bz, i've got lost in multiple bzs for rng-rools.

the test plan is the same as in the bz1975588 (RHEL9 bz), since this is the same issue, just for RHEL8.

1) grab the packages from brew, task url: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38803046

wget http://download.eng.bos.redhat.com/brewroot/work/tasks/3171/38803171/rng-tools-6.13-1.git.d207e0b6.el8.x86_64.rpm

2) install:

# dnf -y install jitterentropy*rpm rng-tools*rpm

3) verify that both service files contain "ConditionVirtualization=!container" line:

# grep Condition /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service 
/usr/lib/systemd/system/rngd.service:ConditionVirtualization=!container
/usr/lib/systemd/system/rngd-wake-threshold.service:ConditionVirtualization=!container

6) clean up

# dnf -y erase jitterentropy rng-tools
# rm -f jitterentropy*rpm rng-tools*rpm

Comment 11 Vilém Maršík 2021-08-09 22:30:13 UTC
Looks good, thanks for detailed instructions. Setting verified.

----

# wget http://download.eng.bos.redhat.com/brewroot/work/tasks/3171/38803171/rng-tools-6.13-1.git.d207e0b6.el8.x86_64.rpm
(...)
2021-08-09 18:23:25 (1.05 MB/s) - ‘rng-tools-6.13-1.git.d207e0b6.el8.x86_64.rpm’ saved [71408/71408]
# dnf -y install jitterentropy*rpm rng-tools*rpm
(...)
Installed:
  rng-tools-6.13-1.git.d207e0b6.el8.x86_64
Complete!
# grep Condition /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
/usr/lib/systemd/system/rngd.service:ConditionVirtualization=!container
/usr/lib/systemd/system/rngd-wake-threshold.service:ConditionVirtualization=!container
# dnf -y erase jitterentropy rng-tools
(...)
Removed:
  rng-tools-6.13-1.git.d207e0b6.el8.x86_64
Complete!
# rm -f jitterentropy*rpm rng-tools*rpm

Comment 15 errata-xmlrpc 2021-11-09 19:44:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4427