Bug 1886134
| Summary: | Need to set GODEBUG=x509ignoreCN=0 in initrd | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Scott Dodson <sdodson> | |
| Component: | RHCOS | Assignee: | Nikita Dubrovskii (IBM) <ndubrovs> | |
| Status: | CLOSED ERRATA | QA Contact: | Michael Nguyen <mnguyen> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | high | |||
| Version: | 4.6 | CC: | bbreard, bgilbert, danili, hhei, imcleod, jligon, jnordell, miabbott, nstielau, slowrie, smilner, sreber, tmicheli, walters, wvoesch | |
| Target Milestone: | --- | |||
| Target Release: | 4.7.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | non-multi-arch, bootimage | |||
| Fixed In Version: | Doc Type: | No Doc Update | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1899289 (view as bug list) | Environment: | ||
| Last Closed: | 2021-02-24 15:23:52 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1899289 | |||
Description
Scott Dodson
2020-10-07 17:39:25 UTC
Sorry, I forgot to copy/paste what "this change" is. I'm referring to https://golang.google.cn/doc/go1.15#commonname

https://github.com/openshift/machine-config-operator/pull/2141#issuecomment-704989651 is where the discussion as to this need arose

@Benjamin do you think it is reasonable to set the GODEBUG variable for just Ignition in the initrd?

Setting UpcomingSprint keyword as there are other higher priority tasks and issues being worked on.

Yes, I do.

xref https://github.com/openshift/oc/pull/628#issuecomment-725698791

Note this requires a bootimage update; we already have a request for one to pull in the fix for https://github.com/coreos/fedora-coreos-config/pull/733 too.

I do not have access to z system. I verified that OCP 4.7.0-0.nightly-2020-11-24-113830 has the dracut module and RHCOS 47.83.202011240323-0 has the environment variable set in the initramfs.

```
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2020-11-24-113830   True        False         51m     Cluster version is 4.7.0-0.nightly-2020-11-24-113830

$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-134-48.us-west-2.compute.internal    Ready    worker   67m   v1.19.2+13d6aa9
ip-10-0-146-93.us-west-2.compute.internal    Ready    master   76m   v1.19.2+13d6aa9
ip-10-0-169-22.us-west-2.compute.internal    Ready    worker   67m   v1.19.2+13d6aa9
ip-10-0-177-164.us-west-2.compute.internal   Ready    master   75m   v1.19.2+13d6aa9
ip-10-0-214-17.us-west-2.compute.internal    Ready    worker   68m   v1.19.2+13d6aa9
ip-10-0-221-212.us-west-2.compute.internal   Ready    master   76m   v1.19.2+13d6aa9

$ oc debug node/ip-10-0-134-48.us-west-2.compute.internal
Starting pod/ip-10-0-134-48us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# ls
bin  dev  home  lib64  mnt  ostree  root  sbin  sys  tmp  var
boot  etc  lib  media  opt  proc  run  srv  sysroot  usr
sh-4.4# cat /usr/lib/dracut/modules.d/10
10coreos-sysctl/  10i18n/  10ignition-godebug/
sh-4.4# cat /usr/lib/dracut/modules.d/10ignition-godebug/*
# https://bugzilla.redhat.com/show_bug.cgi?id=1886134
# Because Ignition which runs in the initrd may interface with external endpoints,
# we should set the environment variable in the initrd
[Manager]
DefaultEnvironment=GODEBUG=x509ignoreCN=0
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

depends() {
    echo systemd
}

install() {
    inst_simple "$moddir/10-default-env-godebug.conf" \
        "/etc/systemd/system.conf.d/10-default-env-godebug.conf"
}
sh-4.4# exit
exit
sh-4.2# exit
exit

Removing debug pod ...

$ oc debug node/ip-10-0-146-93.us-west-2.compute.internal
Starting pod/ip-10-0-146-93us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# cat /usr/lib/dracut/modules.d/10ignition-godebug/*
# https://bugzilla.redhat.com/show_bug.cgi?id=1886134
# Because Ignition which runs in the initrd may interface with external endpoints,
# we should set the environment variable in the initrd
[Manager]
DefaultEnvironment=GODEBUG=x509ignoreCN=0
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

depends() {
    echo systemd
}

install() {
    inst_simple "$moddir/10-default-env-godebug.conf" \
        "/etc/systemd/system.conf.d/10-default-env-godebug.conf"
}
sh-4.4# exit
exit
sh-4.2# exit
exit

Removing debug pod ...
```

```
Entering emergency mode. Exit the shell to continue.
Type "journalctl" to view system logs.
You might want to save "/run/initramfs/rdsosreport.txt" to a USB stick or /boot
after mounting them and attach it to a bug report.

:/#
:/#
:/# env
DRACUT_SYSTEMD=1
rflags=
INVOCATION_ID=1ab6d4613bad44678bcc88fba29c164f
hook=emergency
PWD=/
root=
fstype=auto
HOME=/
JOURNAL_STREAM=9:13127
UDEVVERSION=239
hookdir=/lib/dracut/hooks
NEWROOT=/sysroot
DEBUG_MEM_LEVEL=0
action=Boot
TERM=vt220
GODEBUG=x509ignoreCN=0
SHLVL=1
RD_DEBUG=no
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PS1=:${PWD}#
_rdshell_name=dracut
_=/usr/bin/env
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633