Bug 2101863

Summary: [sig-auth][Feature:SecurityContextConstraints] TestPodDefaultCapabilities [Skipped:Disconnected] [Suite:openshift/conformance/parallel]
Product: OpenShift Container Platform Reporter: Micah Abbott <miabbott>
Component: NodeAssignee: Peter Hunt <pehunt>
Node sub component: CRI-O QA Contact: Sunil Choudhary <schoudha>
Status: CLOSED DUPLICATE Docs Contact:
Severity: unspecified    
Priority: unspecified CC: sippy
Version: 4.9   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-06-28 15:55:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Micah Abbott 2022-06-28 14:50:03 UTC
[sig-auth][Feature:SecurityContextConstraints]  TestPodDefaultCapabilities [Skipped:Disconnected] [Suite:openshift/conformance/parallel]

is failing frequently in CI, see:
https://sippy.ci.openshift.org/sippy-ng/tests/4.9/analysis?test=%5Bsig-auth%5D%5BFeature%3ASecurityContextConstraints%5D%20%20TestPodDefaultCapabilities%20%5BSkipped%3ADisconnected%5D%20%5BSuite%3Aopenshift%2Fconformance%2Fparallel%5D


See example failure:

https://storage.googleapis.com/origin-ci-test/logs/promote-release-openshift-machine-os-content-e2e-aws-4.9/1541758382023643136/build-log.txt

```
[BeforeEach] [Top Level]
  github.com/openshift/origin/test/extended/util/framework.go:1453
[BeforeEach] [Top Level]
  github.com/openshift/origin/test/extended/util/framework.go:1453
[BeforeEach] [Top Level]
  github.com/openshift/origin/test/extended/util/test.go:61
[BeforeEach] [sig-auth][Feature:SecurityContextConstraints] 
  github.com/openshift/origin/test/extended/util/client.go:142
STEP: Creating a kubernetes client
[BeforeEach] [sig-auth][Feature:SecurityContextConstraints] 
  github.com/openshift/origin/test/extended/util/client.go:116
Jun 28 13:20:08.718: INFO: configPath is now "/tmp/configfile649196342"
Jun 28 13:20:08.718: INFO: The user is now "e2e-test-ssc-52hbk-user"
Jun 28 13:20:08.718: INFO: Creating project "e2e-test-ssc-52hbk"
Jun 28 13:20:09.299: INFO: Waiting on permissions in project "e2e-test-ssc-52hbk" ...
Jun 28 13:20:09.386: INFO: Waiting for ServiceAccount "default" to be provisioned...
Jun 28 13:20:09.575: INFO: Waiting for service account "default" secrets (default-dockercfg-tgbsc,default-dockercfg-tgbsc) to include dockercfg/token ...
Jun 28 13:20:09.695: INFO: Waiting for service account "default" secrets (default-dockercfg-tgbsc,default-dockercfg-tgbsc) to include dockercfg/token ...
Jun 28 13:20:09.872: INFO: Waiting for service account "default" secrets (default-dockercfg-tgbsc,default-dockercfg-tgbsc) to include dockercfg/token ...
Jun 28 13:20:09.972: INFO: Waiting for ServiceAccount "deployer" to be provisioned...
Jun 28 13:20:10.180: INFO: Waiting for ServiceAccount "builder" to be provisioned...
Jun 28 13:20:10.390: INFO: Waiting for RoleBinding "system:image-pullers" to be provisioned...
Jun 28 13:20:10.558: INFO: Waiting for RoleBinding "system:image-builders" to be provisioned...
Jun 28 13:20:10.788: INFO: Waiting for RoleBinding "system:deployers" to be provisioned...
Jun 28 13:20:11.610: INFO: Project "e2e-test-ssc-52hbk" has been fully provisioned.
[It] TestPodDefaultCapabilities [Skipped:Disconnected] [Suite:openshift/conformance/parallel]
  github.com/openshift/origin/test/extended/security/scc.go:268
STEP: Running a restricted pod and getting it's inherited capabilities
Jun 28 13:20:11.610: INFO: Running 'oc --namespace=e2e-test-ssc-52hbk --kubeconfig=/tmp/configfile649196342 run restrictedcapsh --labels name=restrictedcapsh --image image-registry.openshift-image-registry.svc:5000/openshift/tools:latest --restart Never --command -- /bin/bash -c sleep infinity'
Jun 28 13:20:16.245: INFO: Running 'oc --namespace=e2e-test-ssc-52hbk --kubeconfig=/tmp/configfile649196342 exec restrictedcapsh -- /bin/bash -c cat /proc/1/status | grep CapInh | cut -f 2'
Jun 28 13:20:18.682: INFO: Running 'oc --namespace=e2e-test-ssc-52hbk --kubeconfig=/tmp/configfile649196342 exec restrictedcapsh -- /bin/bash -c capsh --decode=0000000000000000'
Jun 28 13:20:20.045: INFO: Running 'oc --namespace=e2e-test-ssc-52hbk --kubeconfig=/tmp/configfile649196342 exec restrictedcapsh -- /bin/bash -c capsh --decode=000000000000051b'
Jun 28 13:20:21.102: INFO: comparing capabilities: 0000000000000000 with desired: 000000000000051b
Jun 28 13:20:21.102: INFO: which translates to: 0x0000000000000000= compared with desired: 0x000000000000051b=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_setpcap,cap_net_bind_service
[AfterEach] [sig-auth][Feature:SecurityContextConstraints] 
  github.com/openshift/origin/test/extended/util/client.go:140
STEP: Collecting events from namespace "e2e-test-ssc-52hbk".
STEP: Found 6 events.
Jun 28 13:20:21.194: INFO: At 0001-01-01 00:00:00 +0000 UTC - event for restrictedcapsh: { } Scheduled: Successfully assigned e2e-test-ssc-52hbk/restrictedcapsh to ip-10-0-157-132.us-west-2.compute.internal
Jun 28 13:20:21.194: INFO: At 2022-06-28 13:20:14 +0000 UTC - event for restrictedcapsh: {multus } AddedInterface: Add eth0 [10.131.0.140/23] from openshift-sdn
Jun 28 13:20:21.194: INFO: At 2022-06-28 13:20:14 +0000 UTC - event for restrictedcapsh: {kubelet ip-10-0-157-132.us-west-2.compute.internal} Pulling: Pulling image "image-registry.openshift-image-registry.svc:5000/openshift/tools:latest"
Jun 28 13:20:21.194: INFO: At 2022-06-28 13:20:14 +0000 UTC - event for restrictedcapsh: {kubelet ip-10-0-157-132.us-west-2.compute.internal} Pulled: Successfully pulled image "image-registry.openshift-image-registry.svc:5000/openshift/tools:latest" in 158.779207ms
Jun 28 13:20:21.194: INFO: At 2022-06-28 13:20:15 +0000 UTC - event for restrictedcapsh: {kubelet ip-10-0-157-132.us-west-2.compute.internal} Created: Created container restrictedcapsh
Jun 28 13:20:21.194: INFO: At 2022-06-28 13:20:15 +0000 UTC - event for restrictedcapsh: {kubelet ip-10-0-157-132.us-west-2.compute.internal} Started: Started container restrictedcapsh
Jun 28 13:20:21.290: INFO: POD              NODE                                        PHASE    GRACE  CONDITIONS
Jun 28 13:20:21.290: INFO: restrictedcapsh  ip-10-0-157-132.us-west-2.compute.internal  Running         [{Initialized True 0001-01-01 00:00:00 +0000 UTC 2022-06-28 13:20:12 +0000 UTC  } {Ready True 0001-01-01 00:00:00 +0000 UTC 2022-06-28 13:20:15 +0000 UTC  } {ContainersReady True 0001-01-01 00:00:00 +0000 UTC 2022-06-28 13:20:15 +0000 UTC  } {PodScheduled True 0001-01-01 00:00:00 +0000 UTC 2022-06-28 13:20:12 +0000 UTC  }]
Jun 28 13:20:21.290: INFO: 
Jun 28 13:20:21.564: INFO: skipping dumping cluster info - cluster too large
Jun 28 13:20:21.680: INFO: Deleted {user.openshift.io/v1, Resource=users  e2e-test-ssc-52hbk-user}, err: <nil>
Jun 28 13:20:21.779: INFO: Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-ssc-52hbk}, err: <nil>
Jun 28 13:20:21.880: INFO: Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~4pL71Xc016AYEiMVZSI0bOvU5pxrxKtxKBeQkF4Zh8I}, err: <nil>
[AfterEach] [sig-auth][Feature:SecurityContextConstraints] 
  github.com/openshift/origin/test/extended/util/client.go:141
STEP: Destroying namespace "e2e-test-ssc-52hbk" for this suite.
fail [github.com/openshift/origin/test/extended/security/scc.go:286]: Expected
    <string>: 0000000000000000
to equal
    <string>: 000000000000051b
```

This promote job started failing on June 27; the new version of RHCOS that is trying to be promoted is 49.84.202206271140-0

Looking at the RHCOS build, the only package that changed was `cri-o`:

`cri-o 1.22.5-6.rhaos4.9.gitc972b0a.el8 → 1.22.5-7.rhaos4.9.git3dbcd3c.el8`

https://url.corp.redhat.com/bd01d81

Comment 1 Peter Hunt 2022-06-28 15:55:26 UTC
I will dup this to 2101429, as it is attached to the PR that will fix it

*** This bug has been marked as a duplicate of bug 2101429 ***