+++ This bug was initially created as a clone of Bug #1974453 +++

From https://rpmdiff.engineering.redhat.com/run/496970/7/:

```
/usr/lib/dracut/modules.d/50rdcore/rdcore may have lost -DFORTIFY_SOURCE on ppc64le
The new binary lost all fortified symbols (__snprintf_chk) but gained no fortifiable ones.
However: fortifiable symbols getcwd,memcpy,memmove,memset,read,readlink,realpath,recv are present (unfortified) in both the old and new packages.
```

```
Detecting usr/lib/dracut/modules.d/50rdcore/rdcore with not-hardened warnings '
Hardened: rdcore: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: rdcore: FAIL: property-note test because no .note.gnu.property section found
Hardened: Rerun annocheck with --verbose to see more information on the tests.
' on x86_64
```

```
Detecting usr/bin/coreos-installer with not-hardened warnings '
Hardened: coreos-installer: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: coreos-installer: FAIL: property-note test because no .note.gnu.property section found
Hardened: Rerun annocheck with --verbose to see more information on the tests.
' on x86_64
```

```
/usr/lib/dracut/modules.d/50rdcore/rdcore lost -DFORTIFY_SOURCE on aarch64 x86_64 s390x
The new binary lost all fortified symbols (__snprintf_chk) but includes the following unfortified symbol: readlink
```

```
/usr/bin/coreos-installer may have lost -DFORTIFY_SOURCE on aarch64 x86_64 ppc64le s390x
The new binary lost all fortified symbols (__snprintf_chk) but gained no fortifiable ones.
However: fortifiable symbols getcwd,memcpy,memmove,memset,pread64,read,readlink,realpath,recv are present (unfortified) in both the old and new packages.
```

--- Additional comment from Jonathan Lebon on 2021-06-21 21:02:16 UTC ---

I had a hunch we were somehow compiling C code in the background. Digging deeper revealed: https://src.osci.redhat.com/rpms/coreos-installer/pull-request/27.

Fixed in coreos-installer-0.9.0-6.rhaos4.8.el8

Included in RHCOS 48.84.202106222143-0

It should land as part of a boot image bump, but I don't think it is necessary to hold up the release for this.

Targeting for 4.8.z

Verified on 4.8.0-0.nightly-2021-06-29-033219 - lzma no longer bundled

```
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-29-033219   True        False         4m42s   Cluster version is 4.8.0-0.nightly-2021-06-29-033219

[mnguyen@pet32 4.8]$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-138-233.us-west-2.compute.internal   Ready    worker   23m   v1.21.0-rc.0+766a5fe
ip-10-0-144-166.us-west-2.compute.internal   Ready    master   31m   v1.21.0-rc.0+766a5fe
ip-10-0-168-94.us-west-2.compute.internal    Ready    master   31m   v1.21.0-rc.0+766a5fe
ip-10-0-175-88.us-west-2.compute.internal    Ready    worker   24m   v1.21.0-rc.0+766a5fe
ip-10-0-203-100.us-west-2.compute.internal   Ready    worker   24m   v1.21.0-rc.0+766a5fe
ip-10-0-221-14.us-west-2.compute.internal    Ready    master   31m   v1.21.0-rc.0+766a5fe

$ oc debug node/ip-10-0-138-233.us-west-2.compute.internal
Starting pod/ip-10-0-138-233us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9a23adde268dc8937ae293594f58fc4039b574210f320ebdac85a50ef40220dd
              CustomOrigin: Managed by machine-config-operator
                   Version: 48.84.202106231817-0 (2021-06-23T18:21:06Z)

  ostree://457db8ff03dda5b3ce1a8e242fd91ddbe6a82f838d1b0047c3d4aeaf6c53f572
                   Version: 48.84.202106091622-0 (2021-06-09T16:25:42Z)
sh-4.4# rpm -q --requires coreos-installer | grep lzma
liblzma.so.5()(64bit)
liblzma.so.5(XZ_5.0)(64bit)
sh-4.4# rpm -qa coreos-installer
coreos-installer-0.9.0-6.rhaos4.8.el8.x86_64
sh-4.4# rpm -qf /usr/lib64/liblzma.so.5
xz-libs-5.2.4-3.el8.x86_64
sh-4.4#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days