Bug 2011087

Summary: Backport audit log silence change
Product: OpenShift Container Platform Reporter: Kirsten Garrison <kgarriso>
Component: Machine Config OperatorAssignee: Kirsten Garrison <kgarriso>
Machine Config Operator sub component: Machine Config Operator QA Contact: Manoj Hans <mhans>
Status: CLOSED ERRATA Docs Contact:
Severity: urgent    
Priority: high CC: aos-bugs, jiazha, kgarriso, mkrejci, mrobson, steven.barre, wking
Version: 4.7   
Target Milestone: ---   
Target Release: 4.9.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2011083 Environment:
Last Closed: 2021-10-18 17:52:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2011083, 2011375    

Description Kirsten Garrison 2021-10-05 23:09:20 UTC 
+++ This bug was initially created as a clone of Bug #2011083 +++

Description of problem:

Backport https://github.com/openshift/machine-config-operator/pull/2633 for 4.8 and 4.7

Version-Release number of MCO (Machine Config Operator) (if applicable):
4.7/4.8

Platform (AWS, VSphere, Metal, etc.):
All

Actual results:

Large OCP 4.7.32 cluster seeing 10 million logs per hour during their upgrade from 4.6.25. Overwhelming cluster logging and local SSDs.

--- Additional comment from Eric Paris on 2021-10-05 23:01:48 UTC ---

This bug sets Target Release equal to a z-stream but has no bug in the 'Depends On' field. As such this is not a valid bug state and the target release is being unset.

Any bug targeting 4.1.z must have a bug targeting 4.2 in 'Depends On.'
Similarly, any bug targeting 4.2.z must have a bug with Target Release of 4.3 in 'Depends On.'
Comment 1 Kirsten Garrison 2021-10-05 23:15:17 UTC 
This was already fixed directly in 4.9 via https://github.com/openshift/machine-config-operator/pull/2633

We request QE to review and close this BZ as `CURRENTRELEASE` so we can get the 4.8 fix in.
Comment 2 Kirsten Garrison 2021-10-05 23:33:33 UTC 
To save some bandwidth, this can be verified by comparing audit logs in recent runs in 4.9 vs 4.8:

4.8 has 2900+ NETFILTER_CFG msg=audit messages in the audit logs. for example see:
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.8-e2e-aws/1445457563997966336/artifacts/e2e-aws/gather-extra/artifacts/nodes/ip-10-0-146-190.us-east-2.compute.internal/

4.9 has 0 for example see:
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.9-e2e-aws/1445422682387517440/artifacts/e2e-aws/gather-extra/artifacts/nodes/ip-10-0-134-176.ec2.internal/
Comment 6 errata-xmlrpc 2021-10-18 17:52:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759