1559935 – /var/lib/atomic/install.json gets overwritten when multiple containers are deployed based on a single image

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1559935 - /var/lib/atomic/install.json gets overwritten when multiple containers are deployed based on a single image

Summary: /var/lib/atomic/install.json gets overwritten when multiple containers are d...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	atomic
Sub Component:
Version:	7.5
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Giuseppe Scrivano
QA Contact:	atomic-bugs@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-03-23 14:59 UTC by Niranjan Mallapadi Raghavender
Modified:	2018-06-04 19:28 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-06-04 19:28:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Niranjan Mallapadi Raghavender 2018-03-23 14:59:20 UTC

Description of problem:

I am trying to create multiple containers from rhel7/sssd image idm2 and idm3

So first i create the first application container called idm2 and it updates /var/lib/atomic/install.json  as below:

{"registry.access.redhat.com/rhel7/sssd:latest": {"install_date": "2018-03-23 14:20:04", "id":
"d4759b2e17a34649877d3f1acfe0b69365e84ecf27939a75a749ed070791952c", "container_name": "idm2"}}

When i start another container idm3 based on rhel7/sssd the above entry is overwritten

{"registry.access.redhat.com/rhel7/sssd:latest": {"install_date": "2018-03-23 14:22:55", "id":
"d4759b2e17a34649877d3f1acfe0b69365e84ecf27939a75a749ed070791952c", "container_name": "idm3"}}

[root@client2 sssd]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
8463b275766b        rhel7/sssd          "/bin/run.sh"       4 seconds ago       Up 3 seconds                            idm3
d9e4c7331904        rhel7/sssd          "/bin/run.sh"       33 seconds ago      Up 32 seconds                           idm2

if i try to uninstall idm3 container, i get below error


[root@client2 sssd]# atomic uninstall -n idm3 rhel7/sssd
Containers `idm2` are using this image, delete them first or use --force


So if i uninstall idm2 container it gets deleted
[root@client2 sssd]# atomic uninstall -n idm2 rhel7/sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=idm2 -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh


But now when i try to delete idm3 now, i get this error:

[root@client2 sssd]# atomic uninstall -n idm3 rhel7/sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=idm3 -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh
Unable to find d4759b2e17a34649877d3f1acfe0b69365e84ecf27939a75a749ed070791952c in installed image data (/var/lib/atomic/install.json). Re-run command
with -i to ignore

cat /var/lib/atomic/install.json
{}

Version-Release number of selected component (if applicable):


● ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.5.0 (2018-02-22 15:51:49)
                    Commit: 474534b1a1a2945c8ff2ad72cb646aaa25ec7b2d9fa9413a99a8cd2ef885dfdc

atomic-1.21.1-1.git1170769.el7.x86_64
sssd-docker-7.5-3


How reproducible:


Steps to Reproduce:
1. Get a rhel7/sssd image 
2. Create an unprivileged container based on rhel7/sssd image and these container join to Windows AD 
 A. In /etc/sssd/ create 2 directories idm2, idm3
  <snip>
[root@client2 sssd]# ls -l /etc/sssd
total 40
drwx--x--x. 2 sssd sssd     6 Feb 22 18:05 conf.d
drwxr-xr-x. 2 root root    33 Mar 23 09:57 idm2
drwxr-xr-x. 2 root root    33 Mar 23 09:57 idm3
-rw-r--r--. 1 root root 25429 Feb 23 11:35 keyring.json
-rw-r--r--. 1 root root    10 Mar  1 13:58 realm-join-password
-rw-------. 1 root root    63 Mar  1 12:41 sssd.conf
-rw-------. 1 root root   411 Mar  1 12:40 sssd.conf.backup
drwxr-xr-x. 2 root root    29 Mar  1 12:41 systemctl-lite-enabled
  <snip>

B. Create a file called "realm-join-password" containing Active Directory Administrator password. 

<snip>
[root@client2 idm2]# cat /etc/sssd/idm2/realm-join-password 
Secret123
[root@client2 idm2]# cat /etc/sssd/idm3/realm-join-password 
Secret123
<snip>

C. Now create 2 application containers idm2 and idm3 using below commands:

atomic install --opt1='--dns=192.168.122.187 --dns-search=centaur.test --hostname=idm2.centaur.test -e SSSD_CONTAINER_TYPE=application --net=default' --name=idm2 rhel7/sssd realm join -v  CENTAUR.TEST

Below entries are seen in /var/lib/atomic/install.json

{"registry.access.redhat.com/rhel7/sssd:latest": {"install_date": "2018-03-23 14:20:04", "id":
"d4759b2e17a34649877d3f1acfe0b69365e84ecf27939a75a749ed070791952c", "container_name": "idm2"}}


atomic install --opt1='--dns=192.168.122.187 --dns-search=centaur.test --hostname=idm3.centaur.test -e SSSD_CONTAINER_TYPE=application --net=default' --name=idm3 rhel7/sssd realm join -v  CENTAUR.TEST


{"registry.access.redhat.com/rhel7/sssd:latest": {"install_date": "2018-03-23 14:22:55", "id":
"d4759b2e17a34649877d3f1acfe0b69365e84ecf27939a75a749ed070791952c", "container_name": "idm3"}}



3. Uninstalling the container

   A. Stop the containers
   $ atomic stop idm3
   $ atomic stop idm2 



Actual results:

So if i uninstall idm2 container it gets deleted
[root@client2 sssd]# atomic uninstall -n idm2 rhel7/sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=idm2 -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh


But now when i try to delete idm3 now, i get this error:

[root@client2 sssd]# atomic uninstall -n idm3 rhel7/sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=idm3 -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh
Unable to find d4759b2e17a34649877d3f1acfe0b69365e84ecf27939a75a749ed070791952c in installed image data (/var/lib/atomic/install.json). Re-run command
with -i to ignore

cat /var/lib/atomic/install.json
{}





Additional info:

1. So the question i have is should /var/lib/atomic/install.json  have both the entries of idm2 and idm3 ,
2. when we are uninstalling containers, it totally empties /var/lib/atomic/install.json file

Comment 2 Giuseppe Scrivano 2018-03-23 21:46:39 UTC

proposed PR here:

https://github.com/projectatomic/atomic/pull/1214

Comment 3 Giuseppe Scrivano 2018-03-28 08:06:55 UTC

PR was merged

Comment 4 Micah Abbott 2018-05-10 14:46:46 UTC

Verified with atomic-1.22.1-3.git2fd0860.el7.x86_64

# atomic install --name cockpit1 registry.access.redhat.com/rhel7/cockpit-ws
/usr/bin/docker run --rm --privileged -v /:/host registry.access.redhat.com/rhel7/cockpit-ws /container/atomic-install
+ sed -e /pam_selinux/d -e /pam_sepermit/d /etc/pam.d/cockpit
+ mkdir -p /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ chmod 755 /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ chown root:root /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ mkdir -p /host/var/lib/cockpit
+ chmod 775 /host/var/lib/cockpit
+ chown root:wheel /host/var/lib/cockpit
+ mkdir -p /etc/ssh
+ /bin/mount --bind /host/etc/cockpit /etc/cockpit
+ /usr/sbin/remotectl certificate --ensure

# atomic install --name cockpit1 registry.access.redhat.com/rhel7/cockpit-ws
/usr/bin/docker run --rm --privileged -v /:/host registry.access.redhat.com/rhel7/cockpit-ws /container/atomic-install
+ sed -e /pam_selinux/d -e /pam_sepermit/d /etc/pam.d/cockpit
+ mkdir -p /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ chmod 755 /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ chown root:root /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ mkdir -p /host/var/lib/cockpit
+ chmod 775 /host/var/lib/cockpit
+ chown root:wheel /host/var/lib/cockpit
+ mkdir -p /etc/ssh
+ /bin/mount --bind /host/etc/cockpit /etc/cockpit
+ /usr/sbin/remotectl certificate --ensure

# cat /var/lib/atomic/install.json
{"registry.access.redhat.com/rhel7/cockpit-ws:latest": [{"install_date": "2018-05-10 14:42:06", "id": "ada3c4cdaa62fa3e0dfcd6578b211bbd8911a6fe4e7f178e50e6c64831e351af", "container_name": "cockpit1"}, {"install_
date": "2018-05-10 14:42:12", "id": "ada3c4cdaa62fa3e0dfcd6578b211bbd8911a6fe4e7f178e50e6c64831e351af", "container_name": "cockpit2"}]}

# atomic uninstall --name cockpit2 registry.access.redhat.com/rhel7/cockpit-ws                                                                                                       
/usr/bin/docker run --rm --privileged -v /:/host registry.access.redhat.com/rhel7/cockpit-ws /container/atomic-uninstall                                                                                          
+ rm -f /host/etc/pam.d/cockpit

# atomic uninstall --name cockpit1 registry.access.redhat.com/rhel7/cockpit-ws                                                                                                       
/usr/bin/docker run --rm --privileged -v /:/host registry.access.redhat.com/rhel7/cockpit-ws /container/atomic-uninstall                                                                                          
+ rm -f /host/etc/pam.d/cockpit

# cat /var/lib/atomic/install.json
{}

Comment 5 Lokesh Mandvekar 2018-06-04 19:28:22 UTC

atomic-1.22.1-3.git2fd0860.el7.x86_64 was shipped in 7.5.1 Extras

Note You need to log in before you can comment on or make changes to this bug.