Bug 1885419 - node tuning operator builds and installs an unsigned RPM
Summary: node tuning operator builds and installs an unsigned RPM
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node Tuning Operator
Version: 4.6
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 4.6.0
Assignee: Jiří Mencák
QA Contact: Simon
URL:
Whiteboard:
Depends On: 1885543
Blocks:
Reported: 2020-10-05 21:18 UTC by Luke Meyer
Modified: 2020-10-27 16:48 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1885543 (view as bug list)
Environment:
Last Closed: 2020-10-27 16:47:41 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-node-tuning-operator pull 161 0 None closed bug 1885419: [release-4.6] Remove traces of unsigned RPMs from the image. 2020-10-24 01:06:38 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:48:11 UTC

Description Luke Meyer 2020-10-05 21:18:38 UTC
Description of problem:
This operator builds and installs an unsigned RPM as part of the image build. This causes erratatool to block the errata if it is attached. Since this is part of the payload, we can't simply drop it from the release (... unless there is no functional reference to it in core OCP).

Version-Release number of selected component (if applicable):
cluster-node-tuning-operator-container-v4.6.0-202010030042.p0
(https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1339925)

How reproducible:
Build in OSBS. Attach build to advisory, or just look at logs:
http://download.eng.bos.redhat.com/brewroot/packages/cluster-node-tuning-operator-container/v4.6.0/202010030042.p0/data/logs/x86_64-build.log

Actual results:
rpmbuild [...] -tb tuned-2.14.0.tar.gz
====================================================================================================
 Package                           Arch    Version               Repository                     Size
====================================================================================================
Installing:
 tuned                             noarch  2.14.0-1.el8          @commandline                  295 k
 tuned-profiles-atomic             noarch  2.14.0-1.el8          @commandline                   33 k
 tuned-profiles-cpu-partitioning   noarch  2.14.0-1.el8          @commandline                   36 k
 tuned-profiles-mssql              noarch  2.14.0-1.el8          @commandline                   32 k
 tuned-profiles-nfv                noarch  2.14.0-1.el8          @commandline                   31 k
 tuned-profiles-nfv-guest          noarch  2.14.0-1.el8          @commandline                   33 k
 tuned-profiles-nfv-host           noarch  2.14.0-1.el8          @commandline                   34 k
 tuned-profiles-oracle             noarch  2.14.0-1.el8          @commandline                   32 k
 tuned-profiles-realtime           noarch  2.14.0-1.el8          @commandline                   34 k
 tuned-profiles-sap                noarch  2.14.0-1.el8          @commandline                   32 k
 tuned-profiles-sap-hana           noarch  2.14.0-1.el8          @commandline                   32 k
 tuned-profiles-spectrumscale      noarch  2.14.0-1.el8          @commandline                   32 k


Expected results:
All RPMs installed are built in brew and signed with RH signing key.

Additional info:
Can I suggest just... installing the content without building an RPM? In an ideal world, the RPM would be built in brew. There's also nothing wrong with building from source in a container, it's just that the presence of an unsigned RPM sets off all sorts of alarms when it's time to ship.

For the minimal change, I suppose something like this might be an acceptable way to mask this:

$ rpm -e --justdb tuned tuned-profiles-{atomic,mssql,...}
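
An added example, not part of the original report or the operator's code: a pre-ship check that lists packages in an image's RPM database that carry no signature, which is the condition described above. It assumes el8-era packages whose signature shows up in the SIGPGP or SIGGPG tag; the function names, the bash entry and the key ID in the sample are constructed.

```shell
#!/bin/sh
# Query format: one line per package, "NEVRA|SIGPGP|SIGGPG".
# rpm prints "(none)" for a signature tag the package does not carry.
QF='%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}\n'

# Read "NEVRA|SIGPGP|SIGGPG" lines on stdin and print the NEVRA of every
# package with neither signature. gpg-pubkey-* entries are imported keys,
# not packages, and never carry a signature, so they are skipped.
unsigned_rpms() {
    awk -F'|' '
        $1 ~ /^gpg-pubkey-/ { next }
        $2 == "(none)" && $3 == "(none)" { print $1 }
    '
}

# Constructed sample of query output (tuned versions taken from the build log).
sample_db() {
    cat <<'EOF'
bash-4.4.19-12.el8.x86_64|RSA/SHA256, Tue 07 Apr 2020 10:00:00 AM UTC, Key ID 0000000000000000|(none)
tuned-2.14.0-1.el8.noarch|(none)|(none)
tuned-profiles-mssql-2.14.0-1.el8.noarch|(none)|(none)
gpg-pubkey-00000000-00000000|(none)|(none)
EOF
}

# Live check for use inside the image: non-zero exit if anything is unsigned.
check_rpmdb() {
    found=$(rpm -qa --qf "$QF" | unsigned_rpms)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/unsigned: /' >&2
    return 1
}

# Demonstration on the constructed sample.
sample_db | unsigned_rpms
```

A package removed from the database with `rpm -e --justdb` no longer appears in this query even though its files remain in the image, so the check only covers what the RPM database records.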

Comment 5 Jiří Mencák 2020-10-07 05:51:11 UTC
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-10-07-022140   True        False         36m     Cluster version is 4.6.0-0.nightly-2020-10-07-022140

$ oc project openshift-cluster-node-tuning-operator
Now using project "openshift-cluster-node-tuning-operator" on server "https://api.jm20201007.psap.aws.rhperfscale.org:6443".

$ oc get po
NAME                                         READY   STATUS    RESTARTS   AGE
cluster-node-tuning-operator-b8bdf58-v4fz4   1/1     Running   0          61m
tuned-2dpj8                                  1/1     Running   0          55m
tuned-578fv                                  1/1     Running   0          55m
tuned-bhhr5                                  1/1     Running   0          55m
tuned-j946q                                  1/1     Running   0          47m
tuned-jzgdc                                  1/1     Running   0          47m

$ oc rsh tuned-2dpj8 
sh-4.4# rpm -qa|grep tuned
sh-4.4#

Comment 6 Simon 2020-10-09 19:10:35 UTC
Verification positive.
Cluster version: 4.6.0-0.nightly-2020-10-09-033719

Comment 8 errata-xmlrpc 2020-10-27 16:47:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

