Bug 2060147

Summary: RHEL8 Workers Need to Ensure libseccomp is up to date at install time
Product: OpenShift Container Platform Reporter: Scott Dodson <sdodson>
Component: InstallerAssignee: Nobody <nobody>
Installer sub component: openshift-ansible QA Contact: Gaoyun Pei <gpei>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: padillon
Version: 4.9   
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: runc has an unversioned dependency on libseccomp 2.5 or later Consequence: This creates problems whenever the OS was installed using 8.3 or earlier and not fully updated to 8.4 or later. Fix: include dependency on latest version of libseccomp in ansible playbooks Result: rhel hosts can install successfully by avoiding any issues that would come with early versions of the package
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-10 10:51:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2061523    

Description Scott Dodson 2022-03-02 20:04:28 UTC 
runc has an unversioned dependency on libseccomp 2.5 or later, see https://bugzilla.redhat.com/show_bug.cgi?id=2053990

This creates problems whenever the OS was installed using 8.3 or earlier and not fully updated to 8.4 or later. If we were to ensure that libseccomp is the latest version we can avoid this problem in openshift-ansible.

While there's other work ongoing to cause openshift-ansible to complaine whenever the OS is less than 8.4 that depends on the ansible fact which can be tricked by upgrading only the `redhat-release` package to 8.4 so it's better to ensure any specific packages we are about are updated as well.
Comment 1 Scott Dodson 2022-03-02 20:06:43 UTC 
An example of libseccomp < 2.5

https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.10-e2e-aws-workers-rhel8/1497764935583666176

 <ip-10-0-167-102.ec2.internal> Failed to connect to the host via ssh: 
fatal: [ip-10-0-167-102.ec2.internal]: FAILED! => {
    "changed": true, 
    "cmd": [
        "podman", 
        "run", 
        "--rm", 
        "registry.build04.ci.openshift.org/ci-op-l6lsng5p/release@sha256:75ab5dcba3187cfcc9525c3c9b2873bcaba3f8bf7d1026a534cd0e178ec38f2a", 
        "image", 
        "machine-config-operator"
    ], 
    "delta": "0:00:02.736082", 
    "end": "2022-02-27 03:34:54.323513", 
    "invocation": {
        "module_args": {
            "_raw_params": "podman run --rm registry.build04.ci.openshift.org/ci-op-l6lsng5p/release@sha256:75ab5dcba3187cfcc9525c3c9b2873bcaba3f8bf7d1026a534cd0e178ec38f2a image machine-config-operator", 
            "_uses_shell": false, 
            "argv": null, 
            "chdir": null, 
            "creates": null, 
            "executable": null, 
            "removes": null, 
            "stdin": null, 
            "stdin_add_newline": true, 
            "strip_empty_ends": true, 
            "warn": true
        }
    }, 
    "msg": "non-zero return code", 
    "rc": 126, 
    "start": "2022-02-27 03:34:51.587431", 
    "stderr": "/usr/bin/runc: symbol lookup error: /usr/bin/runc: undefined symbol: seccomp_notify_respond\ntime=\"2022-02-27T03:34:51Z\" level=error msg=\"Error removing container ef7c5eb4b9a9cb9794f739605d88eb7abf6fd2881d41ad8aeb32fe6b9fe77ca4 from runtime after creation failed\"\nError: OCI runtime error: /usr/bin/runc: symbol lookup error: /usr/bin/runc: undefined symbol: seccomp_notify_respond", 
    "stderr_lines": [
        "/usr/bin/runc: symbol lookup error: /usr/bin/runc: undefined symbol: seccomp_notify_respond", 
        "time=\"2022-02-27T03:34:51Z\" level=error msg=\"Error removing container ef7c5eb4b9a9cb9794f739605d88eb7abf6fd2881d41ad8aeb32fe6b9fe77ca4 from runtime after creation failed\"", 
        "Error: OCI runtime error: /usr/bin/runc: symbol lookup error: /usr/bin/runc: undefined symbol: seccomp_notify_respond"
    ], 
    "stdout": "", 
    "stdout_lines": []
}
Comment 4 Gaoyun Pei 2022-03-09 02:26:45 UTC 
Considering the libseccomp shipped with RHEL-8.4 is already libseccomp-2.5.1-1.el8, so using a RHEL-8.3 image and update the redhat-release to latest(8.5) to workaround the playbook checking. 

[ec2-user@ip-10-0-52-112 ~]$ rpm -q libseccomp
libseccomp-2.4.3-1.el8.x86_64
[ec2-user@ip-10-0-52-112 ~]$ cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.5 (Ootpa)

Run the scaleup playbook, we can see libseccomp was updated to the latest one.

TASK [openshift_node : Install openshift packages] *****************************
...
"Installed: libseccomp-2.5.1-1.el8.x86_64",
...
"Removed: libseccomp-2.4.3-1.el8.x86_64"
Comment 7 errata-xmlrpc 2022-08-10 10:51:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069