Bug 1736480 - Backport: Add coreos-update-ca-trust.service
Summary: Backport: Add coreos-update-ca-trust.service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.1.z
Hardware: All
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ---
Target Release: 4.1.z
Assignee: Colin Walters
QA Contact: Micah Abbott
URL:
Whiteboard:
Depends On:
Blocks: 1186913
Reported: 2019-08-01 17:57 UTC by Stephen Cuppett
Modified: 2019-08-15 14:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-15 14:24:02 UTC
Target Upstream Version:


Links

| System | ID | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|
| Red Hat Product Errata | RHBA-2019:2417 | None | None | None | 2019-08-15 14:24:25 UTC |

Comment 3 Steve Milner 2019-08-02 14:54:04 UTC
Merged

Comment 5 Micah Abbott 2019-08-05 13:20:48 UTC
This change did not make it into the 4.1.9 release payload.  It first landed in 410.8.20190802.0, but the 4.1.9 payload uses 410.8.20190801.0.

Comment 6 Micah Abbott 2019-08-05 13:41:11 UTC
Marking as FailedQA since the fix is not in the release-payload.

Comment 10 Micah Abbott 2019-08-07 15:06:13 UTC
Verified with latest green 4.1 nightly - 4.1.0-0.nightly-2019-08-06-201533

```
$ oc image info -a ~/openshift-cluster-installs/all-the-pull-secrets.json $(oc adm release info -a ~/openshift-cluster-installs/all-the-pull-secrets.json --image-for=machine-os-content registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-08-06-201533)
Name:       quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ddbecdb0ea9fda3d6cea2b9d967ff1648857d67b90acf082ce4b93772bfb6fc9
Media Type: application/vnd.docker.distribution.manifest.v2+json
Created:    4d ago
Image Size: 589.6MB in 1 layers
Layers:     589.6MB sha256:c9a98447dd105fb9ab5eebbe159c2992b4ab4bf4007fed73328cf8ccd23e10cd
OS:         linux
Arch:       amd64
Entrypoint: /noentry
Labels:     com.coreos.ostree-commit=65bea761fa27fcd1c500f58987db717d1528e407838ceca039e765409269fc2e
            version=410.8.20190802.0

$ curl -Ls https://releases-rhcos-art.cloud.privileged.psi.redhat.com/storage/releases/rhcos-4.1/410.8.20190802.0/meta.json | jq '.amis[] | select(.name == "us-west-2")'
{
  "name": "us-west-2",
  "hvm": "ami-0442f7287e63fee27"
}

$ bin/kola spawn --debug -b rhcos -p aws --aws-ami ami-0442f7287e63fee27 --aws-region us-west-2 --aws-type t2.small --aws-profile openshift-dev --ignition-version v2
2019-08-07T15:02:12Z cli: Started logging at level DEBUG
2019-08-07T15:02:18Z platform/api/aws: created security group sg-0739297d1971ffd3a
Red Hat Enterprise Linux CoreOS 410.8.20190802.0
WARNING: Direct SSH access to machines is not recommended.

---
[bound] -bash-4.4$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ddbecdb0ea9fda3d6cea2b9d967ff1648857d67b90acf082ce4b93772bfb6fc9
              CustomOrigin: Provisioned from oscontainer
                   Version: 410.8.20190802.0 (2019-08-02T15:02:56Z)
[bound] -bash-4.4$ systemctl status coreos-update-ca-trust.service 
● coreos-update-ca-trust.service - Run update-ca-trust
   Loaded: loaded (/usr/lib/systemd/system/coreos-update-ca-trust.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
Condition: start condition failed at Wed 2019-08-07 15:03:26 UTC; 1min 0s ago
           └─ ConditionDirectoryNotEmpty=/etc/pki/ca-trust/source/anchors was not met
[bound] -bash-4.4$ systemctl cat coreos-update-ca-trust.service 
# /usr/lib/systemd/system/coreos-update-ca-trust.service
# This service is currently specific to Fedora CoreOS,
# but we may want to add it to the base OS in the future.
# The idea here is to allow users to just drop in CA roots
# via Ignition without having to know to run the special
# update command.
[Unit]
Description=Run update-ca-trust
ConditionDirectoryNotEmpty=/etc/pki/ca-trust/source/anchors/
# We want to run quite early, in particular before anything
# that may speak TLS to external services.  In the future,
# it may make sense to do this in the initramfs too.
DefaultDependencies=no
[Service]
ExecStart=/usr/bin/update-ca-trust
Type=oneshot
RemainAfterExit=yes
[Install]
WantedBy=basic.target
```
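
The unit shown above exists so that CA roots dropped into `/etc/pki/ca-trust/source/anchors` are picked up without anyone running `update-ca-trust` by hand. The following check is an added example, not part of the bug report or of RHCOS: it lists anchor files whose certificates are missing from the extracted bundle. It assumes PEM-encoded anchors and the usual `update-ca-trust` output path `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`; the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import os
import re
import tempfile

ANCHORS = "/etc/pki/ca-trust/source/anchors"                  # path from the unit file
BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # assumed update-ca-trust output
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_digests(text):
    """SHA-256 of the decoded bytes of every PEM certificate block in text."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(text)}

def read(path):
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read()

def stale_anchors(anchors_dir=ANCHORS, bundle_path=BUNDLE):
    """Return anchor files holding a certificate that is not in the bundle.
    An empty or missing directory returns [], mirroring the unit's
    ConditionDirectoryNotEmpty= check (the service is skipped)."""
    if not os.path.isdir(anchors_dir) or not os.listdir(anchors_dir):
        return []
    trusted = cert_digests(read(bundle_path)) if os.path.exists(bundle_path) else set()
    stale = []
    for name in sorted(os.listdir(anchors_dir)):
        path = os.path.join(anchors_dir, name)
        if os.path.isfile(path) and cert_digests(read(path)) - trusted:
            stale.append(name)
    return stale

def pem(der):
    """Wrap constructed bytes in PEM armor (sample data, not real X.509)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

def demo():
    """Constructed layout: old-ca.pem was extracted, new-ca.pem was added later."""
    root = tempfile.mkdtemp()
    anchors = os.path.join(root, "anchors")
    os.mkdir(anchors)
    bundle = os.path.join(root, "tls-ca-bundle.pem")
    for path, der in ((os.path.join(anchors, "old-ca.pem"), b"constructed-ca-1"),
                      (os.path.join(anchors, "new-ca.pem"), b"constructed-ca-2"),
                      (bundle, b"constructed-ca-1")):
        with open(path, "w") as fh:
            fh.write(pem(der))
    return stale_anchors(anchors, bundle)

if __name__ == "__main__":
    print(demo())
```

On a host, calling `stale_anchors()` with its defaults after boot should return an empty list when the service has done its job.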

Comment 12 errata-xmlrpc 2019-08-15 14:24:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2417

