Bug 2039227

Summary: Improve image customization server parameter passing during installation
Product: OpenShift Container Platform Reporter: Andrea Fasano <afasano>
Component: Bare Metal Hardware ProvisioningAssignee: Andrea Fasano <afasano>
Bare Metal Hardware Provisioning sub component: OS Image Provider QA Contact: Jad Haj Yahya <jhajyahy>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: aos-bugs, jhajyahy, zbitter
Version: 4.10Keywords: Triaged
Target Milestone: ---Flags: afasano: needinfo-
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2039241 (view as bug list) Environment:
Last Closed: 2022-03-10 16:38:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2039241    

Description Andrea Fasano 2022-01-11 10:11:20 UTC 
During the installation process of a baremetal IPI platform an instance of the image-customization is launched in server mode to prepare the required images for the nodes to be installed. 
Use podman secrets instead of env vars as a more robust way to pass some of the required container parameters.
Comment 3 Jad Haj Yahya 2022-01-17 06:13:08 UTC 
Please provide steps to reproduce/verify
Comment 4 Andrea Fasano 2022-01-17 08:20:19 UTC 
This bug requires https://bugzilla.redhat.com/show_bug.cgi?id=2039241 for a complete end-to-end verification, since it uses the new injection
mechanism introduced in this bz from the installer.  Its related CI jobs could be checked to verify that it's properly working 
(otherwise the bootstrap would have been failed).
Comment 5 Jad Haj Yahya 2022-01-17 09:02:10 UTC 
CI job running 4.10.0-0.nightly-2022-01-13-061145 passed: https://auto-jenkins-csb-kniqe.apps.ocp-c1.prod.psi.redhat.com/job/ocp-baremetal-ipi-deployment/12396/ 

Also checked during installation on bottstrap VM:


sudo podman inspect image-customization |grep -i env -A3
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "TERM=xterm",
                "container=oci",
--
                "--env",
                "DEPLOY_ISO=/shared/html/images/ironic-python-agent.iso",
                "--env",
                "DEPLOY_INITRD=/shared/html/images/ironic-python-agent.initramfs",
                "--env",
                "IRONIC_BASE_URL=http://10.8.1.199",
                "--env",
                "IRONIC_RAMDISK_SSH_KEY=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcxB/Eo+1/8CcGpsArU1NkasG3dE1R+MfmtTKqvPY7I kni.eng.rdu2.redhat.com",
                "--env",
                "IRONIC_AGENT_IMAGE=quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d94ebd7162ddc034259b432ddcca2f2bf27a0672a3b82e13db6d03433449a5f2",
                "--env",
                "IP_OPTIONS=ip=dhcp",
                "--env",
                "REGISTRIES_CONF_PATH=/tmp/containers/registries.conf",
                "--entrypoint",
                "[\"/image-customization-server\", \"--nmstate-dir=/tmp/nmstate/\", \"--images-publish-addr=http://0.0.0.0:8084\"]",

and 
sudo podman exec -it image-customization env |grep -i secret
Comment 8 errata-xmlrpc 2022-03-10 16:38:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056