Bug 2049591

| Summary: | [RFE] Toolbox - make sure we are running on the latest image? | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Michal Dekan <mdekan> |
| Component: | RHCOS | Assignee: | Sohan Kunkerkar <skunkerk> |
| Status: | CLOSED ERRATA | QA Contact: | Michael Nguyen <mnguyen> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 4.8 | CC: | dornelas, jdohmann, jligon, miabbott, mrussell, nstielau, pmoravec, skunkerk, travier |
| Target Milestone: | --- | | |
| Target Release: | 4.12.0 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | * With this update, running the `toolbox` command now checks for updates to the default image before launching the container. This improves security and provides users with the latest bug fixes. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2049591[*BZ#2049591*]) | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-01-17 19:47:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2104116 | | |
| Bug Blocks: | | | |

Description
Michal Dekan
2022-02-02 12:14:09 UTC
Proposed patch at https://github.com/coreos/toolbox/pull/74

This landed in toolbox 0.0.9 but is blocked by #2104116

Verified on 4.12.0-0.nightly-2022-08-30-142847

```
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-08-30-142847   True        False         84m     Cluster version is 4.12.0-0.nightly-2022-08-30-142847
$ oc get nodes
NAME                                       STATUS   ROLES                  AGE    VERSION
ci-ln-c88lfib-72292-l7x8z-master-0         Ready    control-plane,master   104m   v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-master-1         Ready    control-plane,master   105m   v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-master-2         Ready    control-plane,master   105m   v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22   Ready    worker                 95m    v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-worker-b-v2nvn   Ready    worker                 95m    v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-worker-c-btfkz   Ready    worker                 95m    v1.24.0+a097e26
$ oc debug node/ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.2
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9536e08c1a7d517b24a30f7b08d4a0c84ab3a0bde8f083f09225b59ef4b5eaa0
              CustomOrigin: Managed by machine-config-operator
                   Version: 412.86.202208292256-0 (2022-08-29T22:59:17Z)
sh-4.4# toolbox
Trying to pull registry.redhat.io/rhel8/support-tools:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob db0f4cd41250 done
Copying blob 1f10f4923dcd done
Copying blob 7e3624512448 done
Copying config 5ef18a77eb done
Writing manifest to image destination
Storing signatures
5ef18a77eb271a205c3c4604a67209126dd4d0831f63891ba1e33808c1fd36d7
Spawning a container 'toolbox-root' with image 'registry.redhat.io/rhel8/support-tools'
Detected RUN label in the container image. Using that as the default...
567389b337fdff9845525fbf6b04f4a7fb096b0a2a386c343d650246bbf5f97e
toolbox-root
Container started successfully. To exit, type 'exit'.
[root@ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22 /]# exit
exit
sh-4.4# toolbox
Checking if there is a newer version of registry.redhat.io/rhel8/support-tools available...
Container 'toolbox-root' already exists. Trying to start...
(To remove the container and start with a fresh toolbox, run: sudo podman rm 'toolbox-root')
toolbox-root
Container started successfully. To exit, type 'exit'.
[root@ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22 /]# exit
exit
sh-4.4#
sh-4.4# rpm -q toolbox
toolbox-0.1.0-1.rhaos4.12.el8.noarch
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399
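
The second `toolbox` run in the verification log checks for a newer image and then restarts the existing 'toolbox-root' container. As an added example (not part of the bug report or of the toolbox project's code), the following shows one way to check whether an existing container was created from the image its tag currently resolves to in local storage; the `PODMAN` override and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare the image an existing toolbox container was created
# from with the image its reference currently points at in local storage.
# It does not contact the registry.
# PODMAN is an assumed override so the check can be exercised without podman.
PODMAN="${PODMAN:-podman}"

# Print the ID of the image the named container was created from.
container_image_id() {
    "$PODMAN" container inspect --format '{{.Image}}' "$1"
}

# Print the ID of the image a reference currently resolves to locally.
local_image_id() {
    "$PODMAN" image inspect --format '{{.Id}}' "$1"
}

# Print "current" and return 0 if the container matches the image,
# print "stale" and return 1 if it does not,
# print "unknown" and return 2 if either lookup fails.
# Usage: toolbox_freshness toolbox-root registry.redhat.io/rhel8/support-tools
toolbox_freshness() {
    container="$1"
    image="$2"
    cid=$(container_image_id "$container" 2>/dev/null) || { echo unknown; return 2; }
    iid=$(local_image_id "$image" 2>/dev/null) || { echo unknown; return 2; }
    # Normalise an optional "sha256:" prefix so both forms compare equal.
    cid=${cid#sha256:}
    iid=${iid#sha256:}
    if [ -n "$cid" ] && [ "$cid" = "$iid" ]; then
        echo current
        return 0
    fi
    echo stale
    return 1
}
```

A "stale" result means the container predates the image now stored under that reference; the log's own hint (`sudo podman rm 'toolbox-root'`) is how to start again from a fresh toolbox.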