Bug 2074050

Summary: Internal registries with a big number of images delay pod creation due to recursive SELinux file context relabeling
Product: OpenShift Container Platform Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: Image RegistryAssignee: Ricardo Maraschini <rmarasch>
Status: CLOSED ERRATA QA Contact: Keenon Lee <jitli>
Severity: high Docs Contact:
Priority: high    
Version: 4.8CC: aos-bugs, bdettelb, obulatov, pehunt, rmarasch, wking
Target Milestone: ---   
Target Release: 4.10.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-04-25 19:51:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2067995    
Bug Blocks: 2074052    

Comment 1 Keenon Lee 2022-04-13 08:20:03 UTC 
sh-4.4$ df -i 
Filesystem       Inodes    IUsed    IFree IUse% Mounted on
/dev/sdb       13107200 13107200        0  100% /registry

set io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: "true"

Before:
redhat@jitli:~/work/src/test/2074050$ oc get pods -w -n openshift-image-registry
NAME                                              READY   STATUS        RESTARTS   AGE
...
image-registry-5fb7d7fffd-cgd4k                   1/1     Running             0          106s


After:
redhat@jitli:~/work/src/test/2074050$ oc get pods -w -n openshift-image-registry
NAME                                              READY   STATUS        RESTARTS   AGE
...
image-registry-6bdf4f9d79-m9shm                   1/1     Running             0          8s


redhat@jitli:~/work/src/test/2074050$ oc get pod image-registry-6bdf4f9d79-m9shm
...
runtimeClassName: selinux
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 1000310000
    fsGroupChangePolicy: OnRootMismatch
    seLinuxOptions:
      level: s0:c18,c2
...

redhat@jitli:~/work/src/test/2074050$ oc rsh image-registry-6bdf4f9d79-m9shm
sh-4.4$ ls -lZ /registry/docker/registry/v2/repositories/test
total 4
drwxr-sr-x. 5 1000310000 1000310000 system_u:object_r:container_file_t:s0:c2,c18 4096 Apr 13 07:14 testbuild
Comment 6 errata-xmlrpc 2022-04-25 19:51:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.10.11 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1431