https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/478
https://gitlab.cee.redhat.com/openshift-art/rhcos-upshift/merge_requests/58
Merged
This change did not make it into the 4.1.9 release payload. It first landed in 410.8.20190802.0, but the 4.1.9 payload uses 410.8.20190801.0.
Marking as FailedQA since the fix is not in the release-payload.
Verified with latest green 4.1 nightly - 4.1.0-0.nightly-2019-08-06-201533

```
$ oc image info -a ~/openshift-cluster-installs/all-the-pull-secrets.json $(oc adm release info -a ~/openshift-cluster-installs/all-the-pull-secrets.json --image-for=machine-os-content registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-08-06-201533)
Name:        quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ddbecdb0ea9fda3d6cea2b9d967ff1648857d67b90acf082ce4b93772bfb6fc9
Media Type:  application/vnd.docker.distribution.manifest.v2+json
Created:     4d ago
Image Size:  589.6MB in 1 layers
Layers:      589.6MB sha256:c9a98447dd105fb9ab5eebbe159c2992b4ab4bf4007fed73328cf8ccd23e10cd
OS:          linux
Arch:        amd64
Entrypoint:  /noentry
Labels:      com.coreos.ostree-commit=65bea761fa27fcd1c500f58987db717d1528e407838ceca039e765409269fc2e
             version=410.8.20190802.0

$ curl -Ls https://releases-rhcos-art.cloud.privileged.psi.redhat.com/storage/releases/rhcos-4.1/410.8.20190802.0/meta.json | jq '.amis[] | select(.name == "us-west-2")'
{
  "name": "us-west-2",
  "hvm": "ami-0442f7287e63fee27"
}

$ bin/kola spawn --debug -b rhcos -p aws --aws-ami ami-0442f7287e63fee27 --aws-region us-west-2 --aws-type t2.small --aws-profile openshift-dev --ignition-version v2
2019-08-07T15:02:12Z cli: Started logging at level DEBUG
2019-08-07T15:02:18Z platform/api/aws: created security group sg-0739297d1971ffd3a
Red Hat Enterprise Linux CoreOS 410.8.20190802.0
WARNING: Direct SSH access to machines is not recommended.

---
[bound] -bash-4.4$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ddbecdb0ea9fda3d6cea2b9d967ff1648857d67b90acf082ce4b93772bfb6fc9
              CustomOrigin: Provisioned from oscontainer
                   Version: 410.8.20190802.0 (2019-08-02T15:02:56Z)

[bound] -bash-4.4$ systemctl status coreos-update-ca-trust.service
● coreos-update-ca-trust.service - Run update-ca-trust
   Loaded: loaded (/usr/lib/systemd/system/coreos-update-ca-trust.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
Condition: start condition failed at Wed 2019-08-07 15:03:26 UTC; 1min 0s ago
           └─ ConditionDirectoryNotEmpty=/etc/pki/ca-trust/source/anchors was not met

[bound] -bash-4.4$ systemctl cat coreos-update-ca-trust.service
# /usr/lib/systemd/system/coreos-update-ca-trust.service
# This service is currently specific to Fedora CoreOS,
# but we may want to add it to the base OS in the future.
# The idea here is to allow users to just drop in CA roots
# via Ignition without having to know to run the special
# update command.

[Unit]
Description=Run update-ca-trust
ConditionDirectoryNotEmpty=/etc/pki/ca-trust/source/anchors/
# We want to run quite early, in particular before anything
# that may speak TLS to external services. In the future,
# it may make sense to do this in the initramfs too.
DefaultDependencies=no

[Service]
ExecStart=/usr/bin/update-ca-trust
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=basic.target
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2417