Bug 2115089
Summary: | Update container-tools:4.0/toolbox to 0.0.99.3 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Juan Sebastian Castro <jucastro> |
Component: | toolbox | Assignee: | Debarshi Ray <debarshir> |
Status: | CLOSED ERRATA | QA Contact: | Petr Schindler <pschindl> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 8.6 | CC: | jcastran, jnovy, sbarcomb |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | toolbox-0.0.99.3-2.el8 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2023-05-16 08:30:25 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Deadline: | 2022-11-14 |
Description
Juan Sebastian Castro
2022-08-03 19:46:07 UTC
We don't have the upstream toolbox-0.0.99.3 release built in RHEL 8. That's why there's no toolbox-0.0.99.3-1 build. See bug 2047290 for that.

(In reply to Juan Sebastian Castro from comment #0)
>
> [...]
>
> Actual results:
> Versions available in rhel8 stream:
>
> toolbox-0.0.99.3-0.4
> toolbox-0.0.99.3-0.6

That said, the latest RHEL 8 build should be toolbox-0.0.99.3-0.8.

(In reply to Debarshi Ray from comment #1)
> (In reply to Juan Sebastian Castro from comment #0)
> >
> > [...]
> >
> > Actual results:
> > Versions available in rhel8 stream:
> >
> > toolbox-0.0.99.3-0.4
> > toolbox-0.0.99.3-0.6
>
> That said, the latest RHEL 8 build should be toolbox-0.0.99.3-0.8.

Could you please show me the contents of your /etc/containers/toolbox.conf?

Hello Debarshi, from test box r86 toolbox-0.0.99.3-0.4.module+el8.6.0+14877+f643d2d6.x86_64 was installed and content of /etc/containers/toolbox.conf is:

[root@rhel86 ~]# cat /etc/containers/toolbox.conf
[general]
# Create a toolbox container for a different operating system distro than the
# host. Cannot be used with 'image'.
## distro = "fedora"

# Create a toolbox container for a different operating system release than the
# host. Cannot be used with 'image'.
## release = "33"

# Change the name of the image used to create the toolbox container. This is
# useful for creating containers from custom-built images. Cannot be used with
# 'distro' or 'release'.
#
# If the name does not contain a registry, the local image storage will be
# consulted, and if it's not present there then it will be pulled from a
# suitable remote registry.
image = "registry.access.redhat.com/ubi8/toolbox:latest"

[root@rhel86 ~]# rpm -qa | grep toolbox
toolbox-0.0.99.3-0.4.module+el8.6.0+14877+f643d2d6.x86_64

--------------------------------------------------------------------------------------------------------------------------------

[root@rhel86 ~]# cat /etc/containers/toolbox.conf
[general]
# Create a toolbox container for a different operating system distro than the
# host. Cannot be used with 'image'.
## distro = "fedora"

# Create a toolbox container for a different operating system release than the
# host. Cannot be used with 'image'.
## release = "33"

# Change the name of the image used to create the toolbox container. This is
# useful for creating containers from custom-built images. Cannot be used with
# 'distro' or 'release'.
#
# If the name does not contain a registry, the local image storage will be
# consulted, and if it's not present there then it will be pulled from a
# suitable remote registry.
image = "registry.access.redhat.com/ubi8/toolbox:latest"

[root@rhel86 ~]# rpm -qa | grep toolbox
toolbox-0.0.99.3-0.6.module+el8.6.0+15917+093ca6f8.x86_64

Both versions are available from rhel8 stream, that is the most recent (rolling) version that provides latest packages for podman, buildah, etc. as well as dependencies packages for those components. But toolbox-0.0.99.3-1 is not coming on rhel8 stream but on 3.0.

First question raised by customer was why the latest version wasn't found in rhel8 stream but 3.0 stream instead. Since most security scanners will pop up a warning as latest version is not being used.

Of course looking within https://access.redhat.com/security/cve/CVE-2022-1227 and https://bugzilla.redhat.com/show_bug.cgi?id=2070368 we can see that psgo: Privilege escalation in 'podman top' is fixed.

Now there is only the versioning concerns about why 0.0.99.3-1 is not within rhel8 stream.

Thanks for doing all that ground work, Juan! It was really helpful.

(In reply to Juan Sebastian Castro from comment #4)
> Hello Debarshi, from test box r86
> toolbox-0.0.99.3-0.4.module+el8.6.0+14877+f643d2d6.x86_64 was installed and
> content of /etc/containers/toolbox.conf is:
>
> [root@rhel86 ~]# cat /etc/containers/toolbox.conf
> [general]
>
> [...]
>
> # If the name does not contain a registry, the local image storage will be
> # consulted, and if it's not present there then it will be pulled from a
> # suitable remote registry.
> image = "registry.access.redhat.com/ubi8/toolbox:latest"

Ok. This looks good. I was worried about the value of the 'image' setting.

> [root@rhel86 ~]# rpm -qa | grep toolbox
> toolbox-0.0.99.3-0.4.module+el8.6.0+14877+f643d2d6.x86_64
>
> -----------------------------------------------------------------------------
>
> [root@rhel86 ~]# cat /etc/containers/toolbox.conf
> [general]
>
> [...]
>
> # If the name does not contain a registry, the local image storage will be
> # consulted, and if it's not present there then it will be pulled from a
> # suitable remote registry.
> image = "registry.access.redhat.com/ubi8/toolbox:latest"

Ok. This also looks good. I was again worried about the value of the 'image' setting.

> [root@rhel86 ~]# rpm -qa | grep toolbox
> toolbox-0.0.99.3-0.6.module+el8.6.0+15917+093ca6f8.x86_64

From a user's (or customer's) perspective, the main difference between toolbox-0.0.99.3-0.4 and toolbox-0.0.99.3-0.6 is a rebuild with a newer Go toolchain to fix bug 1975365

This means that if FIPS-mode is important for someone, then they should use toolbox-0.0.99.3-0.6

(In reply to Juan Sebastian Castro from comment #4)
> First question
> raised by customer was why the latest version wasn't found in rhel8 stream
> but 3.0 stream instead. Since most security scanners will pop up a warning
> as latest version is not being used.
>
> Of course looking within
> https://access.redhat.com/security/cve/CVE-2022-1227 and
> https://bugzilla.redhat.com/show_bug.cgi?id=2070368 we can see that psgo:
> Privilege escalation in 'podman top' is fixed.

Are there specific CVEs that the customer is worried about? I am not aware of any important unfixed CVEs, but I could be wrong.

I am re-labeling this bug for the 4.0 stream of the container-tools module in RHEL 8. We can use bug 2047290 for the 'rolling' stream of the container-tools module in RHEL 8.

Built toolbox-0.0.99.3-2.el8 as part of container-tools:4.0:
https://mbs.engineering.redhat.com/module-build-service/2/module-builds/17177
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=48831787

(In reply to Debarshi Ray from comment #1)
> We don't have the upstream toolbox-0.0.99.3 release built in RHEL 8.

It turns out that this is still true. The fact that there's a toolbox-0.0.99.3-1 RPM in container-tools:3.0 doesn't mean that it actually has the upstream 0.0.99.3 sources. It doesn't. :(

I filed bug 2140643 to fix that.

All tests pass. toolbox works as intended.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: container-tools:4.0 security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2802
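
The thread turns on how a scanner orders builds such as 0.0.99.3-0.4, 0.0.99.3-0.6 and 0.0.99.3-2.el8. The following is an added example, not part of the bug report or of toolbox: a Python sketch of rpm-style version/release ordering applied to the `rpm -qa` results quoted above and to this bug's "Fixed In Version" value. The function names and the architecture list are assumptions made for the example; epochs and the `~`/`^` modifiers are not handled.

```python
import re

ARCHES = {"x86_64", "aarch64", "ppc64le", "s390x", "noarch", "src"}  # assumed list
FIXED_IN = "toolbox-0.0.99.3-2.el8"  # "Fixed In Version" field of this bug

def rpmvercmp(a, b):
    """Segment-wise comparison in the style of rpm; returns -1, 0 or 1.
    Assumption: '~' and '^' handling is left out (no build on this page uses them)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer than alphabetic
        if x.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def split_nvr(pkg):
    """Split 'name-version-release[.arch]' as printed by rpm -qa (no epoch)."""
    head, _, tail = pkg.rpartition(".")
    if tail in ARCHES:
        pkg = head
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def compare_builds(a, b):
    """Order two builds of the same package: version first, then release."""
    na, va, ra = split_nvr(a)
    nb, vb, rb = split_nvr(b)
    if na != nb:
        raise ValueError("different packages")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_at_least(installed, fixed=FIXED_IN):
    """True when the installed build sorts at or after the fixed build."""
    return compare_builds(installed, fixed) >= 0

INSTALLED = [  # the two rpm -qa results quoted in the thread
    "toolbox-0.0.99.3-0.4.module+el8.6.0+14877+f643d2d6.x86_64",
    "toolbox-0.0.99.3-0.6.module+el8.6.0+15917+093ca6f8.x86_64",
]

if __name__ == "__main__":
    for pkg in INSTALLED:
        print(pkg, "OK" if is_at_least(pkg) else "older than " + FIXED_IN)
```

The comparison sees only the name, version and release strings; as noted in the thread, a higher release number does not by itself show which upstream sources a build contains.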