Description of problem:
Product Security need a way determining which rpms are in an RHCOS release. We need it so that we can inform customers when a CVE fix is being released of OCP4.
We think that Errata Tool is the best place to inform customers about CVE fixes which are included in a product update. However at the moment Errata Tool doesn't have a tool which can read the rpm data published in brew, . We think that adding the commitmeta.json to the container payload will make it easier for Errata Tool, and other tools such as OpenSCAP to determine the content in the machine-os-content container image, without having to unpack the OSTree content, or inspect brew directly.
Since we are recording this information in brew, it seems like it would be easy to also add it to the actual container being shipped. We could add it directly to the image as a file, or add it to the container metadata.
Version-Release number of selected component (if applicable):
Get the machine-os-content image and inspect the contents for commitmeta.json
Steps to Reproduce:
1. Query the release image for the OCP version:
$ ./oc adm release info --image-for="" quay.io/openshift-release-dev/ocp-release:4.1.3 | grep machine-os-content
2. Inspect the container metadata for the machine-os-content image
$ ./oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:70dfb630dadbc16f15507c01b6d7783c8cb5140ac280ff518296c5ec00484afc | grep version
3. Pull the machine-os-content image
$ sudo podman pull --authfile=pull-secret.txt quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:70dfb630dadbc16f15507c01b6d7783c8cb5140ac280ff518296c5ec00484afc
4. Create a container from the image:
$ sudo podman create --net=none --name machine-os-content quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:70dfb630dadbc16f15507c01b6d7783c8cb5140ac280ff518296c5ec00484afc
5. Mount the filesystem for the image:
$ sudo podman mount machine-os-content
6. Look for the commitmeta.json
$ sudo find /var/lib/containers/storage/overlay/13d586883a9e663128dff327eec36069ec5c05eb2f868c606cede95f295e3927/merged -name commitmeta.json
No commitmeta.json exists
commitmeta exists in the image, or in the container metadata.
This rpm content from commitmeta.json is indexed on the release pages for OCP4, ie:
Not completely against including the commitmeta.json, but I think having it easily linked and exported from the release browser (and now possibly relied upon by more external services) means that we've essentially made public an interface we never really planned to (and I'm partly to blame for this -- https://github.com/coreos/coreos-assembler/pull/226). Although the rpmostree.rpmdb.pkglist key is unlikely to change, other keys have in the past (esp. in the "layered" version of the commit metadata).
It would be pretty easy for cosa to export a package list in a stable format for external consumers (could just match the rpmostree.rpmdb.pkglist format as it is today). For the purposes here, a stable way to retrieve the RPM list is `rpm-ostree db list --repo $mount/srv/repo $commit`, which doesn't require you to extract the rpmdb at all. (This approach also means we don't have two sources of truth in the container, and leaves the door open for having multiple commits in the same container).
I think including this information is fine, especially if it will make errata tool use easier for folks. Following on to Jonathan's idea, would you be fine with us exporting a package list in the container or is `commitmeta.json` literally needed?
Exporting a package list in the container is fine. We still need to come up with a way to use the information in Errata Tool, or LightBlue, so not fixed on the commitmeta.json format yet.
PR merged. Backport to 4.2: https://github.com/coreos/coreos-assembler/pull/665
Tried to verify this with the latest 4.2 builds coming out of ART, but looks like the coreos-assembler image being used to build RHCOS didn't have the necessary commit.
I've kicked off a new build of coreos-assembler and will check again after an RHCOS build has completed using the new coreos-assembler.
Verified with 4.2.0-0.nightly-2019-07-30-073644
$ oc image info -a ~/openshift-cluster-installs/all-the-pull-secrets.json $(oc adm release info -a ~/openshift-cluster-installs/all-the-pull-secrets.json --image-for=machine-os-content registry.svc.ci.openshift.org/ocp/release:4.2.0-0.nightly-2019-07-30-073644)
Media Type: application/vnd.docker.distribution.manifest.v2+json
Created: 10h ago
Image Size: 616.9MB in 1 layers
Layers: 616.9MB sha256:281c3d60f8a892dfde706ede8a96e2030af90d3294723a9a27202e7bc7c080d6
$ sudo podman pull --authfile /home/miabbott/openshift-cluster-installs/all-the-pull-secrets.json quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7f0c22748a2b3c75c4e42feab15bfec2e585caa9c99192a5d4a6fc1909f6d812
Trying to pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7f0c22748a2b3c75c4e42feab15bfec2e585caa9c99192a5d4a6fc1909f6d812...Getting image source signatures
Copying blob 281c3d60f8a8 done
Copying config 760529ea88 done
Writing manifest to image destination
$ sudo podman create --net=none --name machine-os-content 760529ea88e54db8facfbb5f4e43a5a953088d270eb1870d571e77c09e4e56a4
$ sudo podman mount b178a980c34535e8346dd4daa191627e9f29d5c28dc9775e45ce52b838e58f84
$ sudo find /var/lib/containers/storage/overlay/4fd41da6c27b7c36c81fc9961e897606fb74085a94e7f8c3c1e6bcfa1469cfb0/merged -name pkglist.txt
$ sudo head /var/lib/containers/storage/overlay/4fd41da6c27b7c36c81fc9961e897606fb74085a94e7f8c3c1e6bcfa1469cfb0/merged/pkglist.txt
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.