Bug 2009467

Summary: [4.9] container-selinux should come from rhel8-appstream
Product: OpenShift Container Platform
Reporter: Micah Abbott <miabbott>
Component: RHCOS
Assignee: Micah Abbott <miabbott>
Status: CLOSED ERRATA
QA Contact: Michael Nguyen <mnguyen>
Severity: low
Priority: low
Version: 4.9
CC: dornelas, hhei, jligon, miabbott, mnguyen, mrussell, nstielau
Target Milestone: ---   
Target Release: 4.9.0   
Hardware: Unspecified   
OS: Unspecified   
Clone Of: 2009465
Last Closed: 2021-10-18 17:51:57 UTC
Bug Depends On: 2009465    

Description Micah Abbott 2021-09-30 17:37:05 UTC
+++ This bug was initially created as a clone of Bug #2009465 +++

In order to land the fix for BZ#1969998 (and the follow-ons) as part of OCP 4.9, we needed to tag a build of `container-selinux` so that it would show up in the RHAOS plashets and be consumed by RHCOS.  

Since then, the `container-selinux` build shipped as part of https://access.redhat.com/errata/RHBA-2021:3661 and no longer needs to come from the RHAOS plashets.

This bug is merely paperwork to allow a backport of the change to the `master` branch of `openshift/os` into the `release-4.9` branch.

--- Additional comment from Micah Abbott on 2021-09-30 17:35:24 UTC ---

To verify this BZ, inspect the build logs for RHCOS and ensure the following:

- container-selinux-2.167.0-1 or newer is included
- container-selinux comes from rhel8-appstream repo
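
Once the package NEVRA and its source repo have been read out of the build log, the two criteria above can be checked mechanically. This is an added example, not part of the bug report or of the RHCOS tooling: the function names are hypothetical, the version comparison is a simplified form of RPM's segment comparison (no `~` or `^` handling), and the epoch is ignored because the bug states its minimum without one.

```python
import re

MIN_VERSION, MIN_RELEASE = "2.167.0", "1"  # minimum stated in the bug
EXPECTED_REPOS = {"rhel8-appstream", "rhel-8-appstream"}  # both spellings appear in the bug

def _segments(s):
    # RPM compares maximal runs of digits or letters; other characters only delimit.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # the side with segments left over is newer

def parse_nevra(nevra):
    """Split name-[epoch:]version-release.arch into its fields."""
    nvr, arch = nevra.rsplit(".", 1)
    name, ev, release = nvr.rsplit("-", 2)
    epoch, _, version = ev.rpartition(":")
    return name, epoch or "0", version, release, arch

def check(nevra, repo):
    """Return the list of failed criteria; an empty list means the build passes."""
    name, _epoch, version, release, _arch = parse_nevra(nevra)
    failures = []
    if name != "container-selinux":
        failures.append("wrong package")
    # Epoch is deliberately not compared (assumption, see lead-in).
    if (vercmp(version, MIN_VERSION) or vercmp(release, MIN_RELEASE)) < 0:
        failures.append("older than 2.167.0-1")
    if repo not in EXPECTED_REPOS:
        failures.append("unexpected repo " + repo)
    return failures

# First entry is the package reported in this bug; the second is constructed for illustration.
SAMPLES = [
    ("container-selinux-2:2.167.0-1.module+el8.4.0+12646+b6fd1bdf.noarch", "rhel-8-appstream"),
    ("container-selinux-2:2.162.0-1.module+el8.4.0+11111+aaaaaaaa.noarch", "example-plashet-repo"),
]

if __name__ == "__main__":
    for nevra, repo in SAMPLES:
        print(nevra, repo, check(nevra, repo) or "OK")
```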

Comment 3 HuijingHei 2021-10-13 06:20:24 UTC
Verification passed with 4.9.0-rc.7 and container-selinux-2:2.167.0-1.module+el8.4.0+12646+b6fd1bdf.noarch (from rhel-8-appstream)

$ oc get clusterversion
NAME      VERSION      AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-rc.7   True        False         137m    Cluster version is 4.9.0-rc.7
$ oc get nodes
NAME                                                STATUS   ROLES    AGE    VERSION
ci-ln-qzfnnct-002ac-bb2g7-master-0                  Ready    master   154m   v1.22.0-rc.0+894a78b
ci-ln-qzfnnct-002ac-bb2g7-master-1                  Ready    master   154m   v1.22.0-rc.0+894a78b
ci-ln-qzfnnct-002ac-bb2g7-master-2                  Ready    master   154m   v1.22.0-rc.0+894a78b
ci-ln-qzfnnct-002ac-bb2g7-worker-centralus1-vtc28   Ready    worker   145m   v1.22.0-rc.0+894a78b
ci-ln-qzfnnct-002ac-bb2g7-worker-centralus2-4mwkt   Ready    worker   144m   v1.22.0-rc.0+894a78b
ci-ln-qzfnnct-002ac-bb2g7-worker-centralus3-m45sr   Ready    worker   147m   v1.22.0-rc.0+894a78b

$ oc debug node/ci-ln-qzfnnct-002ac-bb2g7-worker-centralus1-vtc28
sh-4.4# chroot /host
sh-4.4# rpm -q container-selinux
container-selinux-2.167.0-1.module+el8.4.0+12646+b6fd1bdf.noarch

sh-4.4# echo TEST=foobar > /etc/kubernetes/test
sh-4.4# cat /etc/systemd/system/echo.service
[Unit]
Description=An echo unit
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/etc/kubernetes/test
ExecStart=/usr/bin/echo ${PAUSE}
[Install]
WantedBy=multi-user.target

sh-4.4# systemctl daemon-reload && systemctl start echo.service
sh-4.4# systemctl status echo.service
● echo.service - An echo unit
   Loaded: loaded (/etc/systemd/system/echo.service; disabled; vendor preset: disabled)
   Active: active (exited) since Wed 2021-10-13 06:04:25 UTC; 5s ago
  Process: 143541 ExecStart=/usr/bin/echo ${PAUSE} (code=exited, status=0/SUCCESS)
 Main PID: 143541 (code=exited, status=0/SUCCESS)
      CPU: 1ms

Oct 13 06:04:25 ci-ln-qzfnnct-002ac-bb2g7-worker-centralus1-vtc28 systemd[1]: Starting An echo unit...
Oct 13 06:04:25 ci-ln-qzfnnct-002ac-bb2g7-worker-centralus1-vtc28 systemd[1]: Started An echo unit.

sh-4.4# cat /etc/os-release
NAME="Red Hat Enterprise Linux CoreOS"
VERSION="49.84.202110081407-0"
ID="rhcos"
ID_LIKE="rhel fedora"
VERSION_ID="4.9"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux CoreOS 49.84.202110081407-0 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::coreos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://docs.openshift.com/container-platform/4.9/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
REDHAT_BUGZILLA_PRODUCT_VERSION="4.9"
REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
REDHAT_SUPPORT_PRODUCT_VERSION="4.9"
OPENSHIFT_VERSION="4.9"
RHEL_VERSION="8.4"
OSTREE_VERSION='49.84.202110081407-0'

Comment 4 HuijingHei 2021-10-13 06:33:17 UTC
Confirmed with OCP QE that this fix was merged in the 4.9 rc build, so changed the title and executed verification.

Comment 6 errata-xmlrpc 2021-10-18 17:51:57 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759