Bug 2049591
| Summary: | [RFE] Toolbox - make sure we are running on the latest image? | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Michal Dekan <mdekan> |
| Component: | RHCOS | Assignee: | Sohan Kunkerkar <skunkerk> |
| Status: | CLOSED ERRATA | QA Contact: | Michael Nguyen <mnguyen> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 4.8 | CC: | dornelas, jdohmann, jligon, miabbott, mrussell, nstielau, pmoravec, skunkerk, travier |
| Target Milestone: | --- | | |
| Target Release: | 4.12.0 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | With this update, running the `toolbox` command now checks for updates to the default image before launching the container. This improves security and provides users with the latest bug fixes. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2049591[*BZ#2049591*]) | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-01-17 19:47:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2104116 | | |
| Bug Blocks: | | | |
Proposed patch at https://github.com/coreos/toolbox/pull/74

This landed in toolbox 0.0.9 but is blocked by #2104116

Verified on 4.12.0-0.nightly-2022-08-30-142847

```
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-08-30-142847   True        False         84m     Cluster version is 4.12.0-0.nightly-2022-08-30-142847
$ oc get nodes
NAME                                       STATUS   ROLES                  AGE    VERSION
ci-ln-c88lfib-72292-l7x8z-master-0         Ready    control-plane,master   104m   v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-master-1         Ready    control-plane,master   105m   v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-master-2         Ready    control-plane,master   105m   v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22   Ready    worker                 95m    v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-worker-b-v2nvn   Ready    worker                 95m    v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-worker-c-btfkz   Ready    worker                 95m    v1.24.0+a097e26
$ oc debug node/ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.2
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9536e08c1a7d517b24a30f7b08d4a0c84ab3a0bde8f083f09225b59ef4b5eaa0
              CustomOrigin: Managed by machine-config-operator
                   Version: 412.86.202208292256-0 (2022-08-29T22:59:17Z)
sh-4.4# toolbox
Trying to pull registry.redhat.io/rhel8/support-tools:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob db0f4cd41250 done
Copying blob 1f10f4923dcd done
Copying blob 7e3624512448 done
Copying config 5ef18a77eb done
Writing manifest to image destination
Storing signatures
5ef18a77eb271a205c3c4604a67209126dd4d0831f63891ba1e33808c1fd36d7
Spawning a container 'toolbox-root' with image 'registry.redhat.io/rhel8/support-tools'
Detected RUN label in the container image. Using that as the default...
567389b337fdff9845525fbf6b04f4a7fb096b0a2a386c343d650246bbf5f97e
toolbox-root
Container started successfully. To exit, type 'exit'.
[root@ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22 /]# exit
exit
sh-4.4# toolbox
Checking if there is a newer version of registry.redhat.io/rhel8/support-tools available...
Container 'toolbox-root' already exists. Trying to start...
(To remove the container and start with a fresh toolbox, run: sudo podman rm 'toolbox-root')
toolbox-root
Container started successfully. To exit, type 'exit'.
[root@ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22 /]# exit
exit
sh-4.4#
sh-4.4# rpm -q toolbox
toolbox-0.1.0-1.rhaos4.12.el8.noarch
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399
At the moment toolbox doesn't inform the user about keeping the pulled image once and for all. We say only "To remove the container and start fresh, do sudo podman rm ${TOOLBOX_NAME}." https://github.com/coreos/toolbox/blob/main/rhcos-toolbox#L146

Which can be confusing at times:

1) You deployed an OCP cluster a year ago.
2) Shortly after the deployment you ran 'toolbox', which pulled whatever version of registry.redhat.io/rhel8/support-tools:latest was latest at that time.
3) Now you want to run support-tools:latest again, this time again with the latest version; however, using `podman rm toolbox-root` will only stop the running container and will keep using the image pulled a year ago when `toolbox` is called.

This is a problem because we keep using old versions of sos and redhat-support-tool on such a node. Using an older version of redhat-support-tool can lead to a scenario where one will not be able to upload a bigger attachment to the case, because dropbox (deprecated and will be decommissioned) [1] is now being used instead of the new sftp.access.redhat.com. Potentially some sos bug can be hit.

For these reasons I think it would make sense to add some check inside the toolbox script to make sure we are running the latest image version on the node.

[1] https://access.redhat.com/solutions/2112
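One way to implement the check the reporter asks for, as an added example that is neither the toolbox project's own code nor the patch from PR #74: pull the tag before starting (podman only downloads when the registry's manifest differs from the local copy), then compare the image ID the existing `toolbox-root` container was created from with the image ID the pull reports, and remove the container when they differ so it is recreated from the current image. The image and container names are the ones quoted in this bug; the `podman` subcommands and flags are standard ones, and the `--run` argument and the `image_is_stale`/`refresh_toolbox` function names are this example's own. A pull failure (a disconnected node) is treated as "keep what we have" rather than as an error, which is the caveat a practitioner would want here:

```shell
# Added example, not code from the toolbox project or from PR #74: refresh the
# support-tools image before starting the container and recreate the container
# when it was built from an older image. Image and container names are the
# ones quoted in this bug; the podman flags used are standard podman options.

set -eu

# Pure comparison kept separate for testability: succeeds (exit 0) when the
# image ID the existing container was created from differs from the image ID
# that `podman pull` just returned, i.e. the container is stale.
image_is_stale() {
    container_image_id="$1"
    pulled_image_id="$2"
    if [ -n "$container_image_id" ] && [ "$container_image_id" != "$pulled_image_id" ]; then
        return 0
    fi
    return 1
}

# Pull the tag (a no-op when the local copy already matches the registry),
# then compare it with the image behind the existing container. Prints one of
# "offline", "create", "fresh" or "recreate" so the caller can see what happened.
refresh_toolbox() {
    image="$1"
    name="$2"

    echo "Checking if there is a newer version of ${image} available..." >&2
    # `podman pull -q` prints only the ID of the image now behind the tag.
    # On a disconnected node the pull fails; keep the existing image then.
    if ! pulled_id="$(podman pull -q "$image" 2>/dev/null)"; then
        echo "Could not reach the registry; keeping the locally stored image" >&2
        echo "offline"
        return 0
    fi

    if ! podman container exists "$name"; then
        echo "create"
        return 0
    fi

    # Image ID the container was created from; both commands report the plain
    # image ID, so the two values compare directly.
    container_id="$(podman container inspect --format '{{.Image}}' "$name")"
    if image_is_stale "$container_id" "$pulled_id"; then
        echo "Container '${name}' was created from an older image; removing it so it is recreated from ${pulled_id}" >&2
        podman rm -f "$name" >/dev/null
        echo "recreate"
    else
        echo "fresh"
    fi
}

# Stand-alone use: sh refresh-toolbox.sh --run [IMAGE] [CONTAINER]
if [ "${1:-}" = "--run" ]; then
    refresh_toolbox "${2:-registry.redhat.io/rhel8/support-tools:latest}" "${3:-toolbox-root}"
fi
```

In the script, this would run just before the existing "already exists, trying to start" branch: a `recreate` result falls through to the same `podman run` path as a first launch, while `fresh` and `offline` proceed to `podman start`. Note that `podman rm` of a stale container also discards anything a user left inside it, so the removal message is printed to stderr rather than silently done.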