Bug 1736480 - Backport: Add coreos-update-ca-trust.service
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.1.z
Hardware: All
OS: Unspecified
Target Milestone: ---
: 4.1.z
Assignee: Colin Walters
QA Contact: Micah Abbott
Depends On:
Blocks: 1186913
Reported: 2019-08-01 17:57 UTC by Stephen Cuppett
Modified: 2019-08-15 14:24 UTC (History)

Fixed In Version:
Doc Text:
Clone Of:
Last Closed: 2019-08-15 14:24:02 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2417 None None None 2019-08-15 14:24:25 UTC

Comment 3 Steve Milner 2019-08-02 14:54:04 UTC

Comment 5 Micah Abbott 2019-08-05 13:20:48 UTC
This change did not make it into the 4.1.9 release payload.  It first landed in 410.8.20190802.0, but the 4.1.9 payload uses 410.8.20190801.0.

Comment 6 Micah Abbott 2019-08-05 13:41:11 UTC
Marking as FailedQA since the fix is not in the release-payload.

Comment 10 Micah Abbott 2019-08-07 15:06:13 UTC
Verified with latest green 4.1 nightly - 4.1.0-0.nightly-2019-08-06-201533

$  oc image info -a ~/openshift-cluster-installs/all-the-pull-secrets.json $(oc adm release info -a ~/openshift-cluster-installs/all-the-pull-secrets.json --image-for=machine-os-content registr
Name:       quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ddbecdb0ea9fda3d6cea2b9d967ff1648857d67b90acf082ce4b93772bfb6fc9
Media Type: application/vnd.docker.distribution.manifest.v2+json
Created:    4d ago
Image Size: 589.6MB in 1 layers
Layers:     589.6MB sha256:c9a98447dd105fb9ab5eebbe159c2992b4ab4bf4007fed73328cf8ccd23e10cd
OS:         linux
Arch:       amd64
Entrypoint: /noentry
Labels:     com.coreos.ostree-commit=65bea761fa27fcd1c500f58987db717d1528e407838ceca039e765409269fc2e

$ curl -Ls https://releases-rhcos-art.cloud.privileged.psi.redhat.com/storage/releases/rhcos-4.1/410.8.20190802.0/meta.json | jq '.amis[] | select(.name == "us-west-2")'
  "name": "us-west-2",
  "hvm": "ami-0442f7287e63fee27"

$ bin/kola spawn --debug -b rhcos -p aws --aws-ami ami-0442f7287e63fee27 --aws-region us-west-2 --aws-type t2.small --aws-profile openshift-dev --ignition-version v2
2019-08-07T15:02:12Z cli: Started logging at level DEBUG
2019-08-07T15:02:18Z platform/api/aws: created security group sg-0739297d1971ffd3a
Red Hat Enterprise Linux CoreOS 410.8.20190802.0
WARNING: Direct SSH access to machines is not recommended.

[bound] -bash-4.4$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
● pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ddbecdb0ea9fda3d6cea2b9d967ff1648857d67b90acf082ce4b93772bfb6fc9
              CustomOrigin: Provisioned from oscontainer
                   Version: 410.8.20190802.0 (2019-08-02T15:02:56Z)
[bound] -bash-4.4$ systemctl status coreos-update-ca-trust.service 
● coreos-update-ca-trust.service - Run update-ca-trust
   Loaded: loaded (/usr/lib/systemd/system/coreos-update-ca-trust.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
Condition: start condition failed at Wed 2019-08-07 15:03:26 UTC; 1min 0s ago
           └─ ConditionDirectoryNotEmpty=/etc/pki/ca-trust/source/anchors was not met
[bound] -bash-4.4$ systemctl cat coreos-update-ca-trust.service 
# /usr/lib/systemd/system/coreos-update-ca-trust.service
# This service is currently specific to Fedora CoreOS,
# but we may want to add it to the base OS in the future.
# The idea here is to allow users to just drop in CA roots
# via Ignition without having to know to run the special
# update command.
Description=Run update-ca-trust
# We want to run quite early, in particular before anything
# that may speak TLS to external services.  In the future,
# it may make sense to do this in the initramfs too.
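
A node-side check related to the condition shown in Comment 10, added here as an example; it is not part of the bug report or of RHCOS. It evaluates the same directory test as ConditionDirectoryNotEmpty= and then reports PEM anchors whose certificate body is absent from the extracted bundle, which is the state a node is in when a CA was dropped in but update-ca-trust never ran. The function names are hypothetical, the bundle path /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem is the usual RHEL location and does not appear on this page, and only PEM-encoded anchors are compared.

```bash
#!/bin/bash
# Added example, not from the bug report.
# Usage: check_anchors [ROOT]   (ROOT empty = live system, or a mounted root tree)

# Print the base64 body of the first certificate in a PEM file as one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {on=1; next}
         /-----END CERTIFICATE-----/   {exit}
         on {gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1"
}

check_anchors() {
    ca_root="${1:-}"
    ca_anchors="$ca_root/etc/pki/ca-trust/source/anchors"
    # Assumed bundle location (standard on RHEL, not shown on this page).
    ca_bundle="$ca_root/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

    # Same test as ConditionDirectoryNotEmpty=: directory exists and has an entry.
    if [ ! -d "$ca_anchors" ] || [ -z "$(ls -A "$ca_anchors" 2>/dev/null)" ]; then
        echo "condition-not-met"
        return 0
    fi

    # Flatten the bundle so line wrapping cannot hide a match.
    ca_flat=$(tr -d ' \t\r\n' 2>/dev/null < "$ca_bundle" || true)
    ca_rc=0
    for ca_file in "$ca_anchors"/*; do
        [ -f "$ca_file" ] || continue
        ca_body=$(pem_body "$ca_file")
        if [ -z "$ca_body" ]; then
            echo "skipped (no PEM certificate): $ca_file"
            continue
        fi
        case "$ca_flat" in
            *"$ca_body"*) echo "trusted: $ca_file" ;;
            *)            echo "MISSING from bundle: $ca_file"; ca_rc=1 ;;
        esac
    done
    return "$ca_rc"
}
```

A return status of 1 means at least one anchor is on disk but not in the bundle; "condition-not-met" matches the inactive (dead) state shown in the systemctl status output above.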

Comment 12 errata-xmlrpc 2019-08-15 14:24:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

