From https://rpmdiff.engineering.redhat.com/run/496970/7/:

```
/usr/lib/dracut/modules.d/50rdcore/rdcore may have lost -DFORTIFY_SOURCE on ppc64le
The new binary lost all fortified symbols (__snprintf_chk) but gained no fortifiable ones.
However: fortifiable symbols getcwd,memcpy,memmove,memset,read,readlink,realpath,recv are present (unfortified) in both the old and new packages.
```

```
Detecting usr/lib/dracut/modules.d/50rdcore/rdcore with not-hardened warnings '
Hardened: rdcore: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: rdcore: FAIL: property-note test because no .note.gnu.property section found
Hardened: Rerun annocheck with --verbose to see more information on the tests.
' on x86_64
```

```
Detecting usr/bin/coreos-installer with not-hardened warnings '
Hardened: coreos-installer: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: coreos-installer: FAIL: property-note test because no .note.gnu.property section found
Hardened: Rerun annocheck with --verbose to see more information on the tests.
' on x86_64
```

```
/usr/lib/dracut/modules.d/50rdcore/rdcore lost -DFORTIFY_SOURCE on aarch64 x86_64 s390x
The new binary lost all fortified symbols (__snprintf_chk) but includes the following unfortified symbol: readlink
```

```
/usr/bin/coreos-installer may have lost -DFORTIFY_SOURCE on aarch64 x86_64 ppc64le s390x
The new binary lost all fortified symbols (__snprintf_chk) but gained no fortifiable ones.
However: fortifiable symbols getcwd,memcpy,memmove,memset,pread64,read,readlink,realpath,recv are present (unfortified) in both the old and new packages.
```
I had a hunch we were somehow compiling C code in the background. Digging deeper revealed: https://src.osci.redhat.com/rpms/coreos-installer/pull-request/27.
In the end we still needed a waiver, but we can use this RHBZ to at least track the lzma debundling. PR above for that was merged and the package was rebuilt.
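The two FORTIFY_SOURCE verdicts in the rpmdiff output quoted at the top of this report ("lost" and "may have lost") can be reproduced from a binary's imported symbols. This is an added example, not part of the bug report and not rpmdiff's own code; the rule in `compare` is an assumed reading of the message wording, and the `nm` listings are constructed.

```python
import re

# Libc calls that glibc swaps for a checked __<name>_chk variant under
# -D_FORTIFY_SOURCE. Subset only: the names the rpmdiff messages mention.
FORTIFIABLE = {"getcwd", "memcpy", "memmove", "memset", "pread64", "read",
               "readlink", "realpath", "recv", "snprintf"}
_CHK = re.compile(r"^__\w+?_chk$")

# Constructed sample input in `nm -D --undefined-only` format.
OLD_NM = """\
                 U __snprintf_chk@GLIBC_2.3.4
                 U memcpy@GLIBC_2.14
                 w __gmon_start__
"""
NEW_NM = """\
                 U memcpy@GLIBC_2.14
                 U readlink@GLIBC_2.2.5
                 w __gmon_start__
"""

def parse_nm(output):
    """Return imported symbol names with any @VERSION suffix stripped."""
    syms = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-2] in ("U", "w"):
            syms.add(parts[-1].split("@")[0])
    return syms

def classify(symbols):
    """Split imports into fortified (__*_chk) and unfortified fortifiable."""
    fortified = {s for s in symbols if _CHK.match(s)}
    return fortified, symbols & FORTIFIABLE

def compare(old, new):
    """Assumed reading of the two rpmdiff verdicts quoted in this report."""
    old_f, old_u = classify(old)
    new_f, new_u = classify(new)
    if not old_f or new_f:
        return "ok", set()            # nothing fortified before, or still some now
    gained = new_u - old_u
    if gained:
        return "lost", gained         # a new unchecked call appeared
    return "may have lost", new_u & old_u

if __name__ == "__main__":
    verdict, names = compare(parse_nm(OLD_NM), parse_nm(NEW_NM))
    print(verdict, sorted(names))
```

On real packages, feed `parse_nm` the output of `nm -D --undefined-only` for the old and new copies of the binary.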
Latest builds of RHCOS 4.9 include coreos-installer-0.9.1-4.rhaos4.9.el8, which includes the dependency on `xz-devel`.

Moving to MODIFIED.
Verified on 4.9.0-0.nightly-2021-08-30-070917

lzma no longer bundled with coreos-installer

```
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-08-30-070917   True        False         123m    Cluster version is 4.9.0-0.nightly-2021-08-30-070917

$ oc get nodes
NAME                                         STATUS   ROLES    AGE    VERSION
ip-10-0-142-160.us-west-2.compute.internal   Ready    master   147m   v1.22.0-rc.0+b708912
ip-10-0-154-16.us-west-2.compute.internal    Ready    worker   136m   v1.22.0-rc.0+b708912
ip-10-0-161-64.us-west-2.compute.internal    Ready    master   147m   v1.22.0-rc.0+b708912
ip-10-0-181-110.us-west-2.compute.internal   Ready    worker   140m   v1.22.0-rc.0+b708912
ip-10-0-196-10.us-west-2.compute.internal    Ready    worker   141m   v1.22.0-rc.0+b708912
ip-10-0-199-150.us-west-2.compute.internal   Ready    master   147m   v1.22.0-rc.0+b708912

$ oc debug node/ip-10-0-154-16.us-west-2.compute.internal
Starting pod/ip-10-0-154-16us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# rpm -q --requires coreos-installer
gnupg
kpartx
ld-linux-x86-64.so.2()(64bit)
ld-linux-x86-64.so.2(GLIBC_2.3)(64bit)
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.15)(64bit)
libc.so.6(GLIBC_2.17)(64bit)
libc.so.6(GLIBC_2.18)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3)(64bit)
libc.so.6(GLIBC_2.3.2)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.7)(64bit)
libc.so.6(GLIBC_2.9)(64bit)
libcrypto.so.1.1()(64bit)
libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
libdl.so.2()(64bit)
libdl.so.2(GLIBC_2.2.5)(64bit)
libgcc_s.so.1()(64bit)
libgcc_s.so.1(GCC_3.0)(64bit)
libgcc_s.so.1(GCC_3.3)(64bit)
libgcc_s.so.1(GCC_4.2.0)(64bit)
liblzma.so.5()(64bit)
liblzma.so.5(XZ_5.0)(64bit)
libpthread.so.0()(64bit)
libpthread.so.0(GLIBC_2.2.5)(64bit)
libpthread.so.0(GLIBC_2.3.2)(64bit)
libpthread.so.0(GLIBC_2.3.3)(64bit)
librt.so.1()(64bit)
libssl.so.1.1()(64bit)
libssl.so.1.1(OPENSSL_1_1_0)(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
rtld(GNU_HASH)
systemd-udev
util-linux
sh-4.4# rpm -qf /usr/lib64/liblz
liblz4.so.1        liblzma.so.5       liblzo2.so.2
liblz4.so.1.8.3    liblzma.so.5.2.4   liblzo2.so.2.0.0
sh-4.4# rpm -qf /usr/lib64/liblzma.so.5
xz-libs-5.2.4-3.el8.x86_64
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c32cf7cd356c9b12cce1cf022acb1f053d5ccaf5bea22e1757cf466d360ae22f
              CustomOrigin: Managed by machine-config-operator
                   Version: 49.84.202108272238-0 (2021-08-27T22:41:52Z)

  ostree://95aec436ee83751dea39060f5234a45c8eb389e19f4b535eb34f33c9d42208fb
                   Version: 49.84.202108221651-0 (2021-08-22T16:55:03Z)
sh-4.4#
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759