Description of problem:
After fixing CVE-2021-3344, builds do not automatically mount entitlement keys that may be present on the node.

Version-Release number of selected component (if applicable):
4.5.33, 4.6.16, 4.7.0

How reproducible:
Always

Steps to Reproduce:
1. Install OpenShift with a MachineConfig that adds entitlement keys to worker nodes
2. Create a Docker strategy BuildConfig that executes a yum install of subscription content.
3. Run a build from this BuildConfig

Actual results:
yum install of subscription content fails

Expected results:
yum install succeeds because entitlement keys are present

Additional info:
Reported in GitHub: https://github.com/openshift/builder/issues/227
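The BuildConfig from steps 2 and 3 above, as an added example that is not part of the bug report: a Docker strategy build whose inline Dockerfile first checks that the entitlement directory was mounted into the build container (the path is the one named in the warning message quoted in this bug) and only then runs the yum install. The base image, the placeholder package name and the object names are assumptions; on a release without the fix the check fails with a clear message instead of an opaque yum error.

```yaml
# Added example (not from the bug report or the openshift/builder project).
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: entitled-build-check   # assumed name
spec:
  source:
    type: Dockerfile
    dockerfile: |
      # assumed base image; any RHEL-based image with yum works
      FROM registry.access.redhat.com/ubi8/ubi
      # Fail fast if the builder did not mount the node's entitlement certs.
      # Path taken from the warning quoted in this bug; without the fix it is empty.
      RUN test -n "$(ls -A /run/secrets/etc-pki-entitlement 2>/dev/null)" \
          || { echo "no entitlement certs mounted at /run/secrets/etc-pki-entitlement"; exit 1; }
      # Placeholder package from an entitled repo; replace with a real one.
      RUN yum -y install SUBSCRIPTION_ONLY_PACKAGE_PLACEHOLDER && yum clean all
  strategy:
    type: Docker
    dockerStrategy: {}
  output:
    to:
      kind: ImageStreamTag
      name: entitled-build-check:latest   # assumed target
```

Start it with `oc start-build entitled-build-check --follow`; on a fixed release the `ls -A` check passes and the install proceeds, on an affected release the build stops at the check.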
Supporting information for release notes:

Cause: in minimizing the amount of data from the Pod's /run/secrets copied into the build container, the fix for Bug 1916897 failed to include /run/secrets/etc-pki-entitlements if that was available.

Consequence: the CVE fix then prevents entitled builds from working seamlessly if the entitlement certificates are stored on the OCP host/node.

Fix: The OpenShift Build Image and associated Pod will now mount all available entitlement related files in /run/secrets into the build container.

Result: entitled builds will now be able to pick up the certificates stored on the OCP host/node.

Note: a warning message like 'level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping' when running OCP Builds on RHCOS nodes can be ignored.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438