Bug 2095528

Summary: Update to latest ostree container stack, also support entitled builds
Product: Red Hat Enterprise Linux 8
Component: rpm-ostree
Version: 8.6
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Colin Walters <walters>
Assignee: Colin Walters <walters>
QA Contact: HuijingHei <hhei>
CC: hhei, miabbott, qzhang
Keywords: Triaged
Target Milestone: rc
Target Release: 8.7
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rpm-ostree-2022.2.8.gd50a74bd-2.el8
Doc Type: If docs needed, set a value
Last Closed: 2022-11-08 09:49:38 UTC
Type: Bug
Bug Blocks: 2105414

Description Colin Walters 2022-06-09 20:57:08 UTC
We're seeing issues with the older rpm-ostree v2022.2 when trying to consume new base images.

Plus, we know we want at least https://github.com/coreos/rpm-ostree/pull/3679 to support entitled builds.

And it'd be *really* useful to support split layers.

Update to the latest ostree-rs-ext code plus the entitlement bits.

Comment 1 Colin Walters 2022-06-15 21:39:47 UTC
OK so in this update we want to test the merged PRs to the rhel8 branch: https://github.com/coreos/rpm-ostree/pulls?q=is%3Apr+label%3Arhel8+is%3Aclosed

Which is basically

- https://github.com/coreos/rpm-ostree/pull/3749
- https://github.com/coreos/rpm-ostree/pull/3751

Comment 2 Colin Walters 2022-07-05 21:19:44 UTC
OK I tested this; it also needs https://github.com/openshift/os/pull/876

But basically, if you add this build in cosa, or craft a Dockerfile that installs it (and librhsm), then along with the above fix (which you can also do manually in a container), running the built rhcos container on a subscribed rhel8 host made `rpm-ostree install usbguard` work.

Comment 3 Colin Walters 2022-07-06 15:25:24 UTC
OK, we found out that the librhsm feature enablement was missing; this should be fixed by https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=46408122

Comment 8 Colin Walters 2022-07-07 15:57:22 UTC
> libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/targeted/active to /etc/selinux/targeted/previous. (Invalid cross-device link).

This was fixed by https://github.com/SELinuxProject/selinux/commit/c7a3b93e31df312ed5b71436ec874054a95d4209
(See https://github.com/SELinuxProject/selinux/pull/342 )

It's not a change in rpm-ostree, but in libselinux I think.

So it's a great thing that the fix made it into current RHCOS!

Comment 9 HuijingHei 2022-07-08 00:45:56 UTC
(In reply to Colin Walters from comment #8)
> > libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/targeted/active to /etc/selinux/targeted/previous. (Invalid cross-device link).
> 
> This was fixed by https://github.com/SELinuxProject/selinux/commit/c7a3b93e31df312ed5b71436ec874054a95d4209
> (See https://github.com/SELinuxProject/selinux/pull/342 )
> 
> It's not a change in rpm-ostree, but in libselinux I think.
> 
> So it's a great thing that the fix made it into current RHCOS!

Sorry, I meant it is not related to the bug, as I cannot reproduce it in the latest RHCOS.

Thanks for your confirmation!

Comment 10 HuijingHei 2022-07-12 03:44:15 UTC
Verification passed with rpm-ostree-2022.2.8.gd50a74bd-2.el8.x86_64: built the rhcos container (including the fixed rpm-ostree) with a Dockerfile on a subscribed rhel8 host, ran the container, and executed `rpm-ostree install usbguard` successfully.

[test@hhei-rhel8 ~]$ podman build -t rhcos .

[test@hhei-rhel8 ~]$ podman run --rm --name rhcos -it localhost/rhcos:latest /bin/bash
bash-4.4# rpm -q librhsm rpm-ostree
librhsm-0.0.3-4.el8.x86_64
rpm-ostree-2022.2.8.gd50a74bd-2.el8.x86_64
bash-4.4# ls /etc/pki/entitlement-host
1020239473089209096-key.pem  1020239473089209096.pem
bash-4.4# ls /etc/rhsm-host
ca  logging.conf  rhsm.conf  syspurpose

bash-4.4# rpm-ostree install usbguard
Enabled rpm-md repositories: rhel-8-for-x86_64-baseos-rpms rhel-8-for-x86_64-appstream-rpms
Updating metadata for 'rhel-8-for-x86_64-baseos-rpms'... done
Updating metadata for 'rhel-8-for-x86_64-appstream-rpms'... done
Importing rpm-md... done
rpm-md repo 'rhel-8-for-x86_64-baseos-rpms'; generated: 2022-06-30T20:05:32Z solvables: 12609
rpm-md repo 'rhel-8-for-x86_64-appstream-rpms'; generated: 2022-07-06T14:05:13Z solvables: 27858
Resolving dependencies... done
Will download: 4 packages (1.6 MB)
Downloading from 'rhel-8-for-x86_64-appstream-rpms'... done
Downloading from 'rhel-8-for-x86_64-baseos-rpms'... done
Installing: usbguard-selinux-1.0.0-8.el8.noarch (rhel-8-for-x86_64-appstream-rpms)
libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/targeted/active to /etc/selinux/targeted/previous. (Invalid cross-device link).
/usr/sbin/semodule:  Failed!
Installing: protobuf-3.5.0-13.el8.x86_64 (rhel-8-for-x86_64-appstream-rpms)
Installing: libqb-1.0.3-12.el8.x86_64 (rhel-8-for-x86_64-baseos-rpms)
Installing: usbguard-1.0.0-8.el8.x86_64 (rhel-8-for-x86_64-appstream-rpms)
bash-4.4# rpm -q usbguard
usbguard-1.0.0-8.el8.x86_64

Comment 12 errata-xmlrpc 2022-11-08 09:49:38 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (rpm-ostree bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7612