Bug 1905430 - usbguard extension fails to install because of missing correct protobuf dependency version
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.7.0
Assignee: Micah Abbott
QA Contact: Michael Nguyen
URL:
Whiteboard:
Depends On:
Blocks: 1905619
Reported: 2020-12-08 10:50 UTC by Sinny Kumari
Modified: 2021-02-24 15:41 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1905619
Environment:
Last Closed: 2021-02-24 15:41:14 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata; ID: RHSA-2020:5633; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2021-02-24 15:41:37 UTC

Description Sinny Kumari 2020-12-08 10:50:38 UTC
Description of problem:
Noticed that the MCO 4.6 e2e-gcp-op CI is failing because of an extensions test failure.
After analyzing the logs and running it locally, it seems usbguard doesn't have the required dependency available.

```
# rpm-ostree install usbguard
Checking out tree d9bad68... done
Enabled rpm-md repositories: coreos-extensions
rpm-md repo 'coreos-extensions' (cached); generated: 2020-12-02T02:33:44Z
Importing rpm-md... done
Resolving dependencies... done
error: Could not depsolve transaction; 1 problem detected:
 Problem: conflicting requests
  - nothing provides libprotobuf.so.15()(64bit) needed by usbguard-0.7.4-4.el8.x86_64
```


Although, I have noticed that the dependencies shipped in the m-o-c extensions/dependencies/ dir include protobuf-3.6.1-4.el8ost.x86_64.rpm, but this package provides the incompatible lib libprotobuf.so.17.

We would need to tag in the correct deps or update the usbguard package.


Version-Release number of selected component (if applicable): OCP 4.6


How reproducible:

Always in recent 4.6 MCO gcp-op tests. Recent job - https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_machine-config-operator/2289/pull-ci-openshift-machine-config-operator-release-4.6-e2e-gcp-op/1335894493852864512

Comment 1 Sinny Kumari 2020-12-08 10:51:28 UTC
Setting priority to high as it impacts MCO ci test and will block any PR merge in 4.6

Comment 2 Micah Abbott 2020-12-08 14:50:39 UTC
The RHAOS 4.6 repo has a newer version of `protobuf` tagged into it, which is being selected when we download the extensions and dependencies.  We recently split the download of extension and dependencies, so we are getting different behavior.

If I do `dnf install usbguard` on a RHEL8 system with the same repos enabled that we used to build RHCOS, I get the correct version of `protobuf`:

```
$ sudo dnf install usbguard
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

Repository 'art-rhaos-4.6' is missing name in configuration, using id.
Repository 'rhel-8-baseos' is missing name in configuration, using id.
Repository 'rhel-8-appstream' is missing name in configuration, using id.
Repository 'rhel-8-nfv' is missing name in configuration, using id.
art-rhaos-4.6                                                                                                                                                                                                                                                                                 4.6 MB/s | 2.7 MB     00:00    
Last metadata expiration check: 0:00:01 ago on Tue 08 Dec 2020 09:44:23 AM EST.
Dependencies resolved.
==============================================================================================================================================================================================================================================================================================================================
 Package                                                                    Architecture                                                             Version                                                                         Repository                                                                          Size
==============================================================================================================================================================================================================================================================================================================================
Installing:
 usbguard                                                                   x86_64                                                                   0.7.4-4.el8                                                                     rhel-8-appstream                                                                   477 k
Installing dependencies:
 libqb                                                                      x86_64                                                                   1.0.3-10.el8                                                                    rhel-8-baseos                                                                      113 k
 protobuf                                                                   x86_64                                                                   3.5.0-7.el8                                                                     rhel-8-appstream                                                                   895 k

Transaction Summary
==============================================================================================================================================================================================================================================================================================================================
Install  3 Packages
```

If I just do `dnf install protobuf`, I get the newer version that is incompatible.

```
$ sudo dnf install protobuf
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

Repository 'art-rhaos-4.6' is missing name in configuration, using id.
Repository 'rhel-8-baseos' is missing name in configuration, using id.
Repository 'rhel-8-appstream' is missing name in configuration, using id.
Repository 'rhel-8-nfv' is missing name in configuration, using id.
Last metadata expiration check: 0:00:23 ago on Tue 08 Dec 2020 09:44:23 AM EST.
Dependencies resolved.
==============================================================================================================================================================================================================================================================================================================================
 Package                                                                          Architecture                                                           Version                                                                          Repository                                                                     Size
==============================================================================================================================================================================================================================================================================================================================
Installing:
 protobuf                                                                         x86_64                                                                 3.6.1-4.el8ost                                                                   art-rhaos-4.6                                                                 915 k
Installing dependencies:
 emacs-filesystem                                                                 noarch                                                                 1:26.1-5.el8                                                                     rhel-8-baseos                                                                  69 k

Transaction Summary
==============================================================================================================================================================================================================================================================================================================================
Install  2 Packages
```

We should be able to exclude `protobuf` from the RHAOS 4.6 repo definition, which should address this.
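
The selection behaviour described in Comment 2, as an added example that is not part of the original bug thread or of Red Hat's tooling: a simplified Python model of the two repos showing why fetching `protobuf` by name picks the `.so.17` build and how a per-repo exclude restores a consistent set. The version tuples, helper names and exclude map are assumptions; package versions and sonames come from the report.

```python
# Constructed model of the repos in this bug. This is not the dnf/rpm-ostree
# depsolver: versions are plain tuples, not full RPM EVR comparison.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkg:
    name: str
    evr: tuple
    repo: str
    provides: frozenset
    requires: frozenset = frozenset()

REPOS = [
    Pkg("usbguard", (0, 7, 4), "rhel-8-appstream", frozenset({"usbguard"}),
        frozenset({"libprotobuf.so.15()(64bit)"})),
    Pkg("protobuf", (3, 5, 0), "rhel-8-appstream",
        frozenset({"protobuf", "libprotobuf.so.15()(64bit)"})),
    Pkg("protobuf", (3, 6, 1), "art-rhaos-4.6",
        frozenset({"protobuf", "libprotobuf.so.17()(64bit)"})),
]

def visible(pkgs, excludes):
    """Apply per-repo excludes, given as {repo_id: {package names}}."""
    return [p for p in pkgs if p.name not in excludes.get(p.repo, set())]

def newest_by_name(pkgs, name):
    """What a plain by-name download picks: the highest version of that name."""
    return max((p for p in pkgs if p.name == name), key=lambda p: p.evr)

def unmet(pkg_set):
    """Capabilities required inside the set that nothing in the set provides."""
    provided = set().union(*(p.provides for p in pkg_set))
    return sorted(r for p in pkg_set for r in p.requires if r not in provided)

def fetch_split(pkgs, extension, dep_names, excludes=None):
    """Fetch the extension and each dependency as separate by-name requests."""
    pool = visible(pkgs, excludes or {})
    return [newest_by_name(pool, n) for n in [extension, *dep_names]]

if __name__ == "__main__":
    broken = fetch_split(REPOS, "usbguard", ["protobuf"])
    print("no exclude:", [(p.name, p.evr, p.repo) for p in broken], unmet(broken))
    fixed = fetch_split(REPOS, "usbguard", ["protobuf"],
                        {"art-rhaos-4.6": {"protobuf"}})
    print("with exclude:", [(p.name, p.evr, p.repo) for p in fixed], unmet(fixed))
```

Running `unmet()` over a downloaded extensions set before publishing it catches this class of mismatch before it reaches `rpm-ostree install` on a node.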

Comment 3 Micah Abbott 2020-12-08 17:24:10 UTC
4.7 is already excluding `protobuf` from our RHAOS repos, so this is effectively fixed already.

https://gitlab.cee.redhat.com/coreos/redhat-coreos/-/commit/db88a46ae0871c75cdb1d7599a6432950bc3605c

Comment 4 Michael Nguyen 2020-12-14 14:31:15 UTC
```
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2020-12-14-080124   True        False         8m23s   Cluster version is 4.7.0-0.nightly-2020-12-14-080124
$ cp ../extensions-usbguard.yaml .

$ cat extensions-usbguard.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: worker-extensions-usbguard
spec:
  config:
    ignition:
      version: 3.1.0
  extensions:
    - usbguard

$ oc create -f extensions-usbguard.yaml
machineconfig.machineconfiguration.openshift.io/worker-extensions-usbguard created

$ oc get mc
NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                          d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             31m
00-worker                                          d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             31m
01-master-container-runtime                        d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             31m
01-master-kubelet                                  d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             31m
01-worker-container-runtime                        d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             31m
01-worker-kubelet                                  d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             31m
99-master-generated-registries                     d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             31m
99-master-ssh                                                                                 3.1.0             41m
99-worker-generated-registries                     d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             31m
99-worker-ssh                                                                                 3.1.0             41m
rendered-master-40c3f64d02694a591bec76a6d2564a2f   d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             31m
rendered-worker-35512ce18ffc35f865d698d47b22829a   d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             0s
rendered-worker-e50a1398ede9fc8469950f35026e78f0   d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             31m
worker-extensions-usbguard                                                                    3.1.0             5s
$ oc get mcp/worker
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
worker   rendered-worker-e50a1398ede9fc8469950f35026e78f0   False     True       False      3              0                   0                     0                      33m

$ oc get nodes
NAME                                         STATUS                     ROLES    AGE   VERSION
ip-10-0-128-4.us-west-2.compute.internal     Ready                      master   34m   v1.19.2+e386040
ip-10-0-150-246.us-west-2.compute.internal   Ready,SchedulingDisabled   worker   28m   v1.19.2+e386040
ip-10-0-191-11.us-west-2.compute.internal    Ready                      master   34m   v1.19.2+e386040
ip-10-0-191-160.us-west-2.compute.internal   Ready                      worker   24m   v1.19.2+e386040
ip-10-0-209-240.us-west-2.compute.internal   Ready                      master   34m   v1.19.2+e386040
ip-10-0-217-215.us-west-2.compute.internal   Ready                      worker   24m   v1.19.2+e386040

$ oc debug node/ip-10-0-191-160.us-west-2.compute.internal -- chroot /host rpm -q usbguard
Starting pod/ip-10-0-191-160us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
package usbguard is not installed

Removing debug pod ...

$ watch oc get mcp/worker

$ oc get mcp/worker
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
worker   rendered-worker-35512ce18ffc35f865d698d47b22829a   True      False      False      3              3                   3                     0                      46m

$ oc debug node/ip-10-0-191-160.us-west-2.compute.internal -- chroot /host rpm -q usbguard
Starting pod/ip-10-0-191-160us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
usbguard-0.7.8-7.el8.x86_64

Removing debug pod ...
```

Comment 7 errata-xmlrpc 2021-02-24 15:41:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633
