Bug 2108320

Summary: rpm-ostreed: start limit hit easily
Product: OpenShift Container Platform Reporter: Colin Walters <walters>
Component: RHCOSAssignee: Colin Walters <walters>
Status: CLOSED ERRATA QA Contact: Michael Nguyen <mnguyen>
Severity: high Docs Contact:
Priority: high    
Version: 4.12CC: dornelas, jligon, mrussell, nstielau, sregidor
Target Milestone: ---   
Target Release: 4.12.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-17 19:53:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2108686    

Description Colin Walters 2022-07-18 20:38:22 UTC 
See https://github.com/openshift/os/pull/898

A recent PR in the MCO openshift/machine-config-operator#3243
tipped things over the edge and we now see failures a lot more often.

For example, in https://bugzilla.redhat.com/show_bug.cgi?id=2104978
Comment 1 Sinny Kumari 2022-07-19 13:14:55 UTC 
*** Bug 2108488 has been marked as a duplicate of this bug. ***
Comment 3 Michael Nguyen 2022-07-21 13:39:16 UTC 
[core@cosa-devsh ~]$ rpm-ostree status
State: idle
Deployments:
● b5f3cb5e22deb72c001194feee40a7c0607313da03c6322effc2a55c5e3bedf5
                   Version: 412.86.202207200219-0 (2022-07-20T02:22:48Z)

[core@cosa-devsh ~]$ systemctl cat rpm-ostreed
# /usr/lib/systemd/system/rpm-ostreed.service
[Unit]
Description=rpm-ostree System Management Daemon
Documentation=man:rpm-ostree(1)
ConditionPathExists=/ostree
RequiresMountsFor=/boot

[Service]
Type=dbus
BusName=org.projectatomic.rpmostree1
# To use the read-only sysroot bits
MountFlags=slave
# We have no business accessing /var/roothome or /var/home.  In general
# the ostree design clearly avoids touching those, but since systemd offers
# us easy tools to toggle on protection, let's use them.  In the future
# it'd be nice to do something like using DynamicUser=yes for the main service,
# and have a system rpm-ostreed-transaction.service that runs privileged
# but as a subprocess.
ProtectHome=true
# Explicitly list paths here which we should never access.  The initial
# entry here ensures that the skopeo process we fork won't interact with
# application containers.
InaccessiblePaths=/var/lib/containers
NotifyAccess=main
ExecStart=/usr/bin/rpm-ostree start-daemon
ExecReload=/usr/bin/rpm-ostree reload

# /usr/lib/systemd/system/rpm-ostreed.service.d/startlimit.conf
[Unit]
# Work around for lack of https://github.com/coreos/rpm-ostree/pull/3523/commit>
# on older RHEL
StartLimitBurst=1000
Comment 4 Michael Nguyen 2022-07-21 13:59:09 UTC 
OCP registry.ci.openshift.org/ocp/release:4.12.0-0.nightly-2022-07-21-044416 run RHCOS 412.86.202207200219-0 from comment 3
Comment 7 errata-xmlrpc 2023-01-17 19:53:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399