Bug 1945692 - After fix for CVE-2021-3344, Builds do not mount node entitlement keys
Summary: After fix for CVE-2021-3344, Builds do not mount node entitlement keys
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.7.z
Assignee: Gabe Montero
QA Contact: wewang
Rolfe Dlugy-Hegwer
Depends On: 1940488
Blocks: 1946363
TreeView+ depends on / blocked
Reported: 2021-04-01 16:20 UTC by Gabe Montero
Modified: 2021-07-08 06:55 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, after CVE-2021-3344 was fixed, builds did not automatically mount entitlement keys on the node. The fix minimized the amount of data copied from a pod’s `/run/secrets` directory to the build container, causing the `/run/secrets/etc-pki-entitlements` file to be omitted. As a result, the fix prevented entitled builds from working seamlessly when the entitlement certificates were stored on the OpenShift host or node. Now, the OpenShift build image and associated pod mount all entitlement-related files from /run/secrets into the build container. Entitled builds cannot pick up the certificates stored on the OpenShift host/node. Note that you can ignore warning messages like `level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn’t exist, skipping` when running OpenShift Container Platform builds on Red Hat Enterprise Linux CoreOS (RHCOS) nodes
Clone Of: 1940488
: 1946363 (view as bug list)
Last Closed: 2021-04-20 18:52:39 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift builder pull 240 0 None open Bug 1945692: move entitlement related secrets back to mounts.conf 2021-04-01 16:24:09 UTC
Red Hat Product Errata RHBA-2021:1149 0 None None None 2021-04-20 18:52:59 UTC

Comment 6 errata-xmlrpc 2021-04-20 18:52:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.7 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.