Bug 1889694 - usbguard fails to install as RHCOS extension due to missing libprotobuf.so.15
Summary: usbguard fails to install as RHCOS extension due to missing libprotobuf.so.15
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.7.0
Assignee: Jonathan Lebon
QA Contact: Michael Nguyen
Depends On:
TreeView+ depends on / blocked
Reported: 2020-10-20 11:46 UTC by Sinny Kumari
Modified: 2021-02-24 15:27 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2021-02-24 15:26:59 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:27:26 UTC

Description Sinny Kumari 2020-10-20 11:46:45 UTC
Description of problem:

usbguard fails to install due to missing libprotobuf.so on RHCOS system. This could be related to package dependency changed in base RHCOS packages or usbguard started depending on this new lib.

This issue was cought my MCO e2e-gcp-op ci run

Example e2e-gcp-op job - https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_machine-config-operator/2025/pull-ci-openshift-machine-config-operator-master-e2e-gcp-op/1318182107079512064

MCD Log: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_machine-config-operator/2025/pull-ci-openshift-machine-config-operator-master-e2e-gcp-op/1318182107079512064/artifacts/e2e-gcp-op/pods/openshift-machine-config-operator_machine-config-daemon-llwtn_machine-config-daemon.log
E1019 14:47:38.790081    2229 writer.go:135] Marking Degraded due to: error running rpm-ostree update --install usbguard: Checking out tree a527c24...done
Enabled rpm-md repositories: coreos-extensions
Resolving dependencies...done
error: Could not depsolve transaction; 1 problem detected:
 Problem: conflicting requests
  - nothing provides libprotobuf.so.15()(64bit) needed by usbguard-0.7.4-4.el8.x86_64
: exit status 1

Expected results: usbguard should successfully install as RHCOS extensions

Comment 1 Sinny Kumari 2020-10-20 11:47:53 UTC
Setting priority to high since this blocks MCO PR getting merged

Comment 2 Jonathan Lebon 2020-10-20 14:54:38 UTC
The proper fix for this is https://github.com/coreos/rpm-ostree/issues/2055. For now, I'll just add the missing RPMs to https://github.com/openshift/os/blob/master/scripts/download-extensions. Though we really should also have a basic test to confirm that extensions overlay cleanly.

Comment 3 Steve Milner 2020-10-20 15:14:22 UTC
Targeting 4.7 since this was found in the 4.7 images.

Sinny: Are you seeing this in previous builds as well?

Comment 5 Sinny Kumari 2020-10-20 15:41:54 UTC
Not sure, there is no e2e-gcp-op test run in ci since 17 October for 4.6 branch. I will check this on a local cluster and update here.

Comment 6 Sinny Kumari 2020-10-20 18:20:43 UTC
don't see this issue in 4.6, tested with latest nightly 4.6.0-0.nightly-2020-10-20-101225

Comment 8 Micah Abbott 2020-10-21 13:21:29 UTC
The proper version of protobuf landed in 47.82.202010201950-0 and that version of RHCOS was promoted into a nightly 4.7 payload.

Comment 10 Michael Nguyen 2020-10-27 01:45:08 UTC
Verified on 4.7.0-0.nightly-2020-10-26-124513.  usbguard installs successfully.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2020-10-26-124513   True        False         5h23m   Cluster version is 4.7.0-0.nightly-2020-10-26-124513
$ oc get nodes
NAME                                         STATUS   ROLES    AGE     VERSION
ip-10-0-136-111.us-west-2.compute.internal   Ready    worker   5h37m   v1.19.0+e67f5dc
ip-10-0-138-139.us-west-2.compute.internal   Ready    master   5h43m   v1.19.0+e67f5dc
ip-10-0-166-15.us-west-2.compute.internal    Ready    worker   5h37m   v1.19.0+e67f5dc
ip-10-0-187-209.us-west-2.compute.internal   Ready    master   5h43m   v1.19.0+e67f5dc
ip-10-0-218-114.us-west-2.compute.internal   Ready    worker   5h32m   v1.19.0+e67f5dc
ip-10-0-219-131.us-west-2.compute.internal   Ready    master   5h44m   v1.19.0+e67f5dc
$ oc debug node/ip-10-0-218-114.us-west-2.compute.internal -- chroot /host rpm-ostree status
Starting pod/ip-10-0-218-114us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3dc9cdce1901a5f5ca6cbab5e435c48d924eb813a01f5c48e49dd91c1d2e340c
              CustomOrigin: Managed by machine-config-operator
                   Version: 47.82.202010241242-0 (2020-10-24T12:46:24Z)

                   Version: 47.82.202010211043-0 (2020-10-21T10:47:13Z)

Removing debug pod ...
$ oc debug node/ip-10-0-218-114.us-west-2.compute.internal -- chroot /host rpm -q protobuf
Starting pod/ip-10-0-218-114us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
package protobuf is not installed

Removing debug pod ...
$ cat << EOF > 80-extensions.yaml
> apiVersion: machineconfiguration.openshift.io/v1
> kind: MachineConfig
> metadata:
>   labels:
>     machineconfiguration.openshift.io/role: worker
>   name: 80-worker-extensions
> spec:
>   config:
>     ignition:
>       version: 3.1.0
>   extensions:
>     - usbguard
$ oc create -f 80-extensions.yaml 
machineconfig.machineconfiguration.openshift.io/80-worker-extensions created
$ oc get machineconfig 80-worker-extensions
80-worker-extensions                           3.1.0             15s
$ oc get mcp
master   rendered-master-107f3aa4ffa04a053e0b320fe1d89688   True      False      False      3              3                   3                     0                      5h49m
worker   rendered-worker-c4d33fa1d6014ab23f18932769e390c2   False     True       False      3              0                   0                     0                      5h49m
$ watch oc get mcp
$ oc debug node/ip-10-0-218-114.us-west-2.compute.internal -- chroot /host rpm -q usbguard
Starting pod/ip-10-0-218-114us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...

Comment 12 Jonathan Lebon 2021-01-07 18:47:37 UTC
(Marking as No Doc Update because this was a transient thing that happened during 4.7 development which never leaked out IIRC.)

Comment 14 errata-xmlrpc 2021-02-24 15:26:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.