Bug 1951084 - avoid benign "Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping" messages
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.8.0
Assignee: Gabe Montero
QA Contact: wewang
Docs Contact: Srivaralakshmi Ramani
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-19 15:16 UTC by Gabe Montero
Modified: 2021-07-27 23:02 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, after CVE-2021-3344 was fixed, builds did not automatically mount entitlement keys on the node. As a result, when the entitlement certificates were stored on the OpenShift host or node, the fix prevented entitled builds from working seamlessly. The failure to bring in entitlement certificates stored in the OpenShift host or node was fixed with link:https://bugzilla.redhat.com/show_bug.cgi?id=1945692[BZ#1945692] in 4.7.z and link:https://bugzilla.redhat.com/show_bug.cgi?id=1946363[BZ#1946363] in 4.6.z; however, those fixes introduced a benign warning message for OpenShift builds running on Red Hat Enterprise Linux CoreOS (RHCOS) worker nodes. The current release fixes this issue by allowing builds to automatically mount entitlements only on RHEL worker nodes, and avoiding mount attempts on RHCOS worker nodes. Now, there will not be any benign warnings around entitlement mounts when running OpenShift builds on RHCOS nodes.
Clone Of:
Environment:
Last Closed: 2021-07-27 23:01:52 UTC
Target Upstream Version:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift builder pull 239 | 0 | None | open | Bug 1951084: remove mounts.conf again, but patch buildah change needed to make transient mounts work for us | 2021-04-19 15:19:12 UTC
Red Hat Product Errata | RHSA-2021:2438 | 0 | None | None | None | 2021-07-27 23:02:07 UTC

Description Gabe Montero 2021-04-19 15:16:06 UTC
Description of problem:

For https://bugzilla.redhat.com/show_bug.cgi?id=1940488 we had to move the mounts of entitlements from transient mounts to mounts.conf to work around a buildah bug where they would overwrite entitlement mounts with a fips mount.

And while things work perfectly on the RHEL worker nodes that have entitlements, on RHCOS worker nodes those entitlement files will never exist, and we get warning messages like:

time="2021-03-31T17:16:09Z" level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
time="2021-03-31T17:16:09Z" level=warning msg="Path \"/run/secrets/redhat.repo\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"

While those messages are benign warnings, such messages of course can distract / mislead users when they see them.

In 4.8 we will vendor in the buildah change which addresses the original bug there, and switch back from mounts.conf to transient mounts.

With this, we can avoid the attempt to mount entitlement files on RHCOS worker nodes.
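
The warnings quoted in the description appear when a source path listed in mounts.conf does not exist on the node. As an added example (not code from this bug report, the builder, or buildah), the shell function below lists such entries before a build runs; it assumes one `SOURCE[:DESTINATION]` entry per line, considers only lines starting with `/`, and uses a sample file constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: pre-flight check for a mounts.conf-style file.
# Assumption: one entry per line, SOURCE[:DESTINATION]; only lines that
# start with "/" are treated as entries, everything else is ignored.

# missing_mount_sources FILE
# Prints the source path of every entry whose source does not exist,
# i.e. the entries that would be skipped with a "doesn't exist" warning.
# Returns 2 if FILE cannot be read.
missing_mount_sources() {
    conf=$1
    [ -r "$conf" ] || return 2
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            /*) ;;              # looks like an entry, check it
            *)  continue ;;     # blank line, comment, or unrecognized text
        esac
        src=${line%%:*}         # text before the first ":" is the source
        [ -e "$src" ] || printf '%s\n' "$src"
    done < "$conf"
}

# demo_mounts_conf
# Builds a constructed node layout in a temp dir that mimics an RHCOS
# worker: the rhsm directory exists, the entitlement files do not.
# Prints the missing sources with the temp-dir prefix stripped.
demo_mounts_conf() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/run/secrets/rhsm"
    {
        printf '# constructed sample, not a real node configuration\n'
        printf '%s\n' "$dir/run/secrets/rhsm:/run/secrets/rhsm"
        printf '%s\n' "$dir/run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement"
        printf '%s\n' "$dir/run/secrets/redhat.repo:/run/secrets/redhat.repo"
    } > "$dir/mounts.conf"
    missing_mount_sources "$dir/mounts.conf" | sed "s|^$dir||"
    rm -rf "$dir"
}

demo_mounts_conf
```

On a real node, call `missing_mount_sources /etc/containers/mounts.conf` directly; an empty result means no entry would be skipped.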

Comment 1 wewang 2021-04-20 08:42:30 UTC
Launched a cluster and tested entitlement build, no warning anymore.

Version:
4.8.0-0.ci.test-2021-04-20-063706-ci-ln-1xhd8gk

Comment 3 wewang 2021-04-23 02:00:28 UTC
Verified it manually; it seems this cannot be verified automatically.

Comment 4 Srivaralakshmi Ramani 2021-06-03 12:34:00 UTC
Updated the Doc Text field.

Comment 5 Gabe Montero 2021-06-03 14:48:14 UTC
Per our discussion in Slack, I now realized that we should cite the 4.7.z / 4.7.z bz's instead of the 4.8 bz.

Then convey that if you are upgrading from systems at those levels, moving from those to 4.8 removes this warning message via this change.

The 4.7.z bz is https://bugzilla.redhat.com/show_bug.cgi?id=1945692

The 4.6.z bz is https://bugzilla.redhat.com/show_bug.cgi?id=1946363

Does that make sense, Srivaralakshmi?

Comment 13 errata-xmlrpc 2021-07-27 23:01:52 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

