Description of problem:
This operator builds and installs an unsigned RPM as part of the image build. This causes erratatool to block the errata if it is attached. Since this is part of the payload, we can't simply drop it from the release (... unless there is no functional reference to it in core OCP).

Version-Release number of selected component (if applicable):
cluster-node-tuning-operator-container-v4.6.0-202010030042.p0
(https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1339925)

How reproducible:
Build in OSBS. Attach build to advisory, or just look at logs:
http://download.eng.bos.redhat.com/brewroot/packages/cluster-node-tuning-operator-container/v4.6.0/202010030042.p0/data/logs/x86_64-build.log

Actual results:
rpmbuild [...] -tb tuned-2.14.0.tar.gz
====================================================================================================
 Package                            Arch      Version         Repository       Size
====================================================================================================
Installing:
 tuned                              noarch    2.14.0-1.el8    @commandline    295 k
 tuned-profiles-atomic              noarch    2.14.0-1.el8    @commandline     33 k
 tuned-profiles-cpu-partitioning    noarch    2.14.0-1.el8    @commandline     36 k
 tuned-profiles-mssql               noarch    2.14.0-1.el8    @commandline     32 k
 tuned-profiles-nfv                 noarch    2.14.0-1.el8    @commandline     31 k
 tuned-profiles-nfv-guest           noarch    2.14.0-1.el8    @commandline     33 k
 tuned-profiles-nfv-host            noarch    2.14.0-1.el8    @commandline     34 k
 tuned-profiles-oracle              noarch    2.14.0-1.el8    @commandline     32 k
 tuned-profiles-realtime            noarch    2.14.0-1.el8    @commandline     34 k
 tuned-profiles-sap                 noarch    2.14.0-1.el8    @commandline     32 k
 tuned-profiles-sap-hana            noarch    2.14.0-1.el8    @commandline     32 k
 tuned-profiles-spectrumscale       noarch    2.14.0-1.el8    @commandline     32 k

Expected results:
All RPMs installed are built in brew and signed with RH signing key.

Additional info:
Can I suggest just... installing the content without building an RPM? In an ideal world, the RPM would be built in brew.
There's also nothing wrong with building from source in a container, it's just the presence of an unsigned RPM sets off all sorts of alarms when it's time to ship. For the minimal change, I suppose something like this might be an acceptable way to mask this:

$ rpm -e --justdb tuned tuned-profiles-{atomic, mysql,...}
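
The kind of check that flags this condition can be reproduced against an image's rpm database. The script below is an added example, not part of the bug report or of erratatool; the helper names, the sample package lines other than the tuned NEVRAs shown above, and the key ID `0123456789abcdef` are constructed placeholders.

```shell
#!/bin/sh
# One line per installed package: NEVRA, header signature, legacy signature (tab-separated).
RPM_QF='%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{RSAHEADER:pgpsig}\t%{SIGPGP:pgpsig}\n'

# find_untrusted_rpms KEYID...   (hypothetical helper)
# Reads query output on stdin; prints "unsigned <nevra>" or
# "untrusted-key <nevra> <keyid>" and returns non-zero if anything was flagged.
find_untrusted_rpms() {
    awk -F '\t' -v keys="$*" '
    BEGIN {
        n = split(tolower(keys), k, " ")
        for (i = 1; i <= n; i++) trusted[k[i]] = 1
    }
    # Imported public keys show up as gpg-pubkey pseudo-packages; they carry no signature.
    $1 ~ /^gpg-pubkey-/ { next }
    {
        sig = ($2 != "" && $2 != "(none)") ? $2 : $3
        if (sig == "" || sig == "(none)") { print "unsigned", $1; bad++; next }
        # pgpsig renders as "RSA/SHA256, <date>, Key ID <hex>"
        keyid = tolower(sig)
        sub(/^.*key id /, "", keyid)
        if (!(keyid in trusted)) { print "untrusted-key", $1, keyid; bad++ }
    }
    END { exit (bad > 0) }'
}

# Constructed stand-in for `rpm -qa --qf "$RPM_QF"` so the script runs offline.
sample_rpm_query() {
    sig='RSA/SHA256, Mon 05 Oct 2020 10:00:00 AM UTC, Key ID'
    printf '%s\t%s\t%s\n' \
        'examplepkg-1.0-1.el8.x86_64' "$sig 0123456789abcdef" '(none)' \
        'tuned-2.14.0-1.el8.noarch' '(none)' '(none)' \
        'tuned-profiles-atomic-2.14.0-1.el8.noarch' '(none)' '(none)' \
        'thirdparty-3.2-1.el8.x86_64' '(none)' "$sig feedfacefeedface" \
        'gpg-pubkey-89abcdef-5f000000.(none)' '(none)' '(none)'
}

TRUSTED_KEYS='0123456789abcdef'   # constructed placeholder, not a real signing key ID
# Against a real image: rpm -qa --qf "$RPM_QF" | find_untrusted_rpms $TRUSTED_KEYS
sample_rpm_query | find_untrusted_rpms $TRUSTED_KEYS \
    || echo "image contains unsigned or untrusted RPMs"
```

Because the check reads only the rpm database, packages removed with `rpm -e --justdb` no longer appear in its output even though their files remain in the image.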

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-10-07-022140   True        False         36m     Cluster version is 4.6.0-0.nightly-2020-10-07-022140

$ oc project openshift-cluster-node-tuning-operator
Now using project "openshift-cluster-node-tuning-operator" on server "https://api.jm20201007.psap.aws.rhperfscale.org:6443".

$ oc get po
NAME                                         READY   STATUS    RESTARTS   AGE
cluster-node-tuning-operator-b8bdf58-v4fz4   1/1     Running   0          61m
tuned-2dpj8                                  1/1     Running   0          55m
tuned-578fv                                  1/1     Running   0          55m
tuned-bhhr5                                  1/1     Running   0          55m
tuned-j946q                                  1/1     Running   0          47m
tuned-jzgdc                                  1/1     Running   0          47m

$ oc rsh tuned-2dpj8
sh-4.4# rpm -qa|grep tuned
sh-4.4#

Verification positive. Cluster version: 4.6.0-0.nightly-2020-10-09-033719
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196