Description of problem:
After fixing CVE-2021-3344, builds do not automatically mount entitlement keys that may be present on the node.
Version-Release number of selected component (if applicable): 4.5.33, 4.6.16, 4.7.0
How reproducible: Always
Steps to Reproduce:
1. Install OpenShift with a MachineConfig that adds entitlement keys to worker nodes
2. Create a Docker strategy BuildConfig that executes a yum install of subscription content.
3. Run a build from this BuildConfig
Actual results: yum install of subscription content fails
Expected results: yum install succeeds because entitlement keys are present
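A pre-flight check for the reproducer above, added here as an example and not part of the bug report or the openshift/builder project: it confirms that the entitlement key/certificate pairs are actually mounted under /run/secrets before `yum install` runs, so a missing mount fails with a clear message instead of a cryptic yum error. The `ROOT` argument and the `rhsm`/`redhat.repo` companions are assumptions made for testing and diagnostics.

```shell
#!/bin/sh
# Pre-flight check for entitled OpenShift builds (added example, not from the
# bug report). Verifies that the entitlement material an entitled build needs
# is present under /run/secrets inside the build container.
# ROOT (default "/") is an assumption that lets the check run against a
# constructed directory tree for testing.

# Usage: check_entitlement_mounts [ROOT]
check_entitlement_mounts() {
    root="${1:-/}"
    root="${root%/}"
    secrets="$root/run/secrets"
    ent="$secrets/etc-pki-entitlement"
    status=0

    if [ ! -d "$ent" ]; then
        echo "missing: $ent (entitlement keys not mounted into the build)" >&2
        status=1
    else
        # Entitlement certificates come in pairs: <id>.pem and <id>-key.pem
        n_keys=$(ls "$ent"/*-key.pem 2>/dev/null | wc -l)
        if [ "$n_keys" -eq 0 ]; then
            echo "missing: no *-key.pem under $ent" >&2
            status=1
        fi
        for key in "$ent"/*-key.pem; do
            [ -e "$key" ] || continue
            cert="${key%-key.pem}.pem"
            if [ ! -f "$cert" ]; then
                echo "missing: certificate $cert for key $key" >&2
                status=1
            fi
        done
    fi

    # Assumed companions (listed alongside the entitlement dir in mounts.conf
    # on RHEL hosts); their absence is reported but does not fail the check.
    for extra in "$secrets/rhsm" "$secrets/redhat.repo"; do
        [ -e "$extra" ] || echo "note: $extra not present" >&2
    done
    return $status
}
```

Run it from a `RUN` step in the BuildConfig's Dockerfile ahead of `yum install` so a build on a node without the mount fails fast with the reason stated.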
Reported in GitHub: https://github.com/openshift/builder/issues/227
Supporting information for release notes:
Cause: in minimizing the amount of data from the Pod's /run/secrets copied into the build container, the fix for Red Hat Bug 1916897 failed to include /run/secrets/etc-pki-entitlements if that was available.
Consequence: the CVE fix prevents entitled builds from working seamlessly when the entitlement certificates are stored on the OCP host/node.
Fix: the OpenShift Build Image and associated Pod will now mount all available entitlement-related files in /run/secrets into the build container.
Result: entitled builds will now be able to pick up the certificates stored on the OCP host/node. Note: a warning message like 'level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping' when running OCP Builds on RHCOS nodes can be ignored.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.