Bug 1940488 - After fix for CVE-2021-3344, Builds do not mount node entitlement keys
Summary: After fix for CVE-2021-3344, Builds do not mount node entitlement keys
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Gabe Montero
QA Contact: wewang
Rolfe Dlugy-Hegwer
Depends On:
Blocks: 1945692
Reported: 2021-03-18 14:31 UTC by Adam Kaplan
Modified: 2021-07-27 22:54 UTC (History)
7 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1945692
Last Closed: 2021-07-27 22:54:17 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github openshift builder pull 228 0 None open Bug 1940488: add etc-pki-entitlements from pod secrets if available to build container 2021-03-18 19:58:15 UTC
Github openshift builder pull 238 0 None open WIP: Bug 1940488: move entitlement related secrets back to mounts.conf 2021-03-31 04:16:51 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:54:48 UTC

Description Adam Kaplan 2021-03-18 14:31:24 UTC
Description of problem:

After fixing CVE-2021-3344, builds do not automatically mount entitlement keys that may be present on the node.

Version-Release number of selected component (if applicable): 4.5.33, 4.6.16, 4.7.0

How reproducible: Always

Steps to Reproduce:
1. Install OpenShift with a MachineConfig that adds entitlement keys to worker nodes
2. Create a Docker strategy BuildConfig that executes a yum install of subscription content.
3. Run a build from this BuildConfig

Actual results:

yum install of subscription content fails

Expected results:

yum install succeeds because entitlement keys are present

Additional info:

Reported in GitHub: https://github.com/openshift/builder/issues/227

Comment 49 Rolfe Dlugy-Hegwer 2021-04-09 12:53:10 UTC
Supporting information for release notes:

Cause: In minimizing the amount of data from the Pod's /run/secrets copied into the build container, Bug 1916897 failed to include /run/secrets/etc-pki-entitlements if that was available.

Consequence: The CVE fix then prevents entitled builds from working seamlessly if the entitlement certificates are stored on the OCP host/node.

Fix: The OpenShift Build Image and associated Pod will now mount all available entitlement-related files in /run/secrets into the build container.

Result: Entitled builds will not be able to pick up the certificates stored on the OCP host/node. Note: A warning message like 'level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping' when running OCP Builds on RHCOS nodes can be ignored.
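A build-log triage check, added here as an illustration and not part of the bug report or the openshift/builder project: it separates the mounts.conf warning that comment 49 says is benign on RHCOS nodes from the real symptom in the description (the yum install of subscription content failing because the entitlement certificates never reached the build container). The sample log lines are constructed; the `ls /etc/pki/entitlement` step and the yum failure wording are assumptions modelled on a typical entitled Dockerfile, not quoted from the bug.

```python
import re

# Buildah/cri-o log line quoted in comment 49; benign on RHCOS nodes.
MOUNTS_CONF_SKIP = re.compile(
    r'''msg="Path \\"(?P<path>[^"\\]+)\\" from \\"/etc/containers/mounts\.conf\\" doesn't exist, skipping"'''
)
# Indicators that the certificates are absent inside the build container.
# Assumed patterns based on typical yum/ls output, not taken from the bug.
SUBSCRIPTION_FAILURE = re.compile(
    r"not registered with an entitlement server|Unable to find a match|No match for argument"
)
ENTITLEMENT_DIR_MISSING = re.compile(r"cannot access '/etc/pki/entitlement'")
ENTITLEMENT_SECRET = "/run/secrets/etc-pki-entitlement"


def triage_build_log(log: str, node_is_rhcos: bool) -> dict:
    """Classify an OpenShift build log for the entitlement-mount regression.

    Returns the mounts.conf paths that were skipped, which failure indicators
    were seen, and a verdict string a build admin can act on."""
    skipped = [m.group("path") for m in MOUNTS_CONF_SKIP.finditer(log)]
    sub_fail = bool(SUBSCRIPTION_FAILURE.search(log))
    dir_missing = bool(ENTITLEMENT_DIR_MISSING.search(log))
    if sub_fail or dir_missing:
        verdict = "entitlements-not-mounted"   # the regression this bug tracks
    elif ENTITLEMENT_SECRET in skipped:
        # Per comment 49 the warning alone is expected on RHCOS; elsewhere check the host dir.
        verdict = "ok-benign-warning" if node_is_rhcos else "check-host-entitlement-dir"
    else:
        verdict = "ok"
    return {"skipped_mounts": skipped, "subscription_failure": sub_fail,
            "entitlement_dir_missing": dir_missing, "verdict": verdict}


# Constructed sample logs (not captured from a real cluster).
FAILING_LOG = "\n".join([
    'level=warning msg="Path \\"/run/secrets/etc-pki-entitlement\\" from \\"/etc/containers/mounts.conf\\" doesn\'t exist, skipping"',
    "STEP 2: RUN ls /etc/pki/entitlement",
    "ls: cannot access '/etc/pki/entitlement': No such file or directory",
    "STEP 3: RUN yum -y install some-subscription-package",
    "This system is not registered with an entitlement server. You can use subscription-manager to register.",
    "Error: Unable to find a match: some-subscription-package",
])
BENIGN_LOG = "\n".join([
    'level=warning msg="Path \\"/run/secrets/etc-pki-entitlement\\" from \\"/etc/containers/mounts.conf\\" doesn\'t exist, skipping"',
    "STEP 2: RUN ls /etc/pki/entitlement",
    "entitlement.pem  entitlement-key.pem",
    "STEP 3: RUN yum -y install some-subscription-package",
    "Complete!",
])

if __name__ == "__main__":
    print(triage_build_log(FAILING_LOG, node_is_rhcos=True)["verdict"])  # entitlements-not-mounted
    print(triage_build_log(BENIGN_LOG, node_is_rhcos=True)["verdict"])   # ok-benign-warning
```

Feed it the output of `oc logs build/<name>` together with whether the worker runs RHCOS; a verdict of entitlements-not-mounted on a 4.5.33, 4.6.16 or 4.7.0 cluster is the signature of this bug.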

Comment 54 errata-xmlrpc 2021-07-27 22:54:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
