Bug 1946363 - After fix for CVE-2021-3344, Builds do not mount node entitlement keys
Summary: After fix for CVE-2021-3344, Builds do not mount node entitlement keys
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.6.z
Assignee: Gabe Montero
QA Contact: wewang
Depends On: 1945692
Reported: 2021-04-05 21:12 UTC by Gabe Montero
Modified: 2021-07-08 07:01 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: In minimizing the amount of data from the Pod's /run/secrets copied into the build container, Bug 1916897 failed to include /run/secrets/etc-pki-entitlements if that was available.
Consequence: The CVE fix then prevents entitled builds from working seamlessly if the entitlement certificates are stored on the OCP host/node.
Fix: The OpenShift Build Image and associated Pod will now mount all available entitlement-related files in /run/secrets into the build container.
Result: Entitled builds will not be able to pick up the certificates stored on the OCP host/node.
Note: A warning message like 'level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping' when running OCP Builds on RHCOS nodes can be ignored.
Clone Of: 1945692
Last Closed: 2021-04-27 14:20:49 UTC
Target Upstream Version:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift builder pull 242 | 0 | None | open | Bug 1946363: move entitlement related secrets back to mounts.conf | 2021-04-05 21:18:52 UTC
Red Hat Product Errata | RHBA-2021:1232 | 0 | None | None | None | 2021-04-27 14:21:10 UTC

Comment 5 errata-xmlrpc 2021-04-27 14:20:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.26 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
