Bug 1974850 - [4.8] coreos-installer failing Execshield
Summary: [4.8] coreos-installer failing Execshield
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.8
Hardware: Unspecified
OS: Unspecified
high
low
Target Milestone: ---
: 4.8.z
Assignee: Jonathan Lebon
QA Contact: Michael Nguyen
URL:
Whiteboard:
Depends On: 1969651 1974453
Blocks:
Reported: 2021-06-22 16:16 UTC by Micah Abbott
Modified: 2023-09-15 01:10 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1974453
Environment:
Last Closed: 2021-07-27 23:13:39 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:13:53 UTC

Description Micah Abbott 2021-06-22 16:16:42 UTC
+++ This bug was initially created as a clone of Bug #1974453 +++

From https://rpmdiff.engineering.redhat.com/run/496970/7/:

```
/usr/lib/dracut/modules.d/50rdcore/rdcore may have lost -DFORTIFY_SOURCE on ppc64le
  The new binary lost all fortified symbols (__snprintf_chk) but gained no fortifiable ones.
  However: fortifiable symbols getcwd,memcpy,memmove,memset,read,readlink,realpath,recv are present (unfortified) in both the old and new packages.
```

```
Detecting usr/lib/dracut/modules.d/50rdcore/rdcore with not-hardened warnings '
Hardened: rdcore: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
Hardened: rdcore: FAIL: property-note test because no .note.gnu.property section found 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
' on x86_64
```

```
Detecting usr/bin/coreos-installer with not-hardened warnings '
Hardened: coreos-installer: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
Hardened: coreos-installer: FAIL: property-note test because no .note.gnu.property section found 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
' on x86_64
```

```
/usr/lib/dracut/modules.d/50rdcore/rdcore lost -DFORTIFY_SOURCE on aarch64 x86_64 s390x
  The new binary lost all fortified symbols (__snprintf_chk) but includes the following unfortified symbol: readlink
```

```
/usr/bin/coreos-installer may have lost -DFORTIFY_SOURCE on aarch64 x86_64 ppc64le s390x
  The new binary lost all fortified symbols (__snprintf_chk) but gained no fortifiable ones.
  However: fortifiable symbols getcwd,memcpy,memmove,memset,pread64,read,readlink,realpath,recv are present (unfortified) in both the old and new packages.
```

--- Additional comment from Jonathan Lebon on 2021-06-21 21:02:16 UTC ---

I had a hunch we were somehow compiling C code in the background. Digging deeper revealed: https://src.osci.redhat.com/rpms/coreos-installer/pull-request/27.
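
A simplified reconstruction of the comparison behind the rpmdiff FORTIFY_SOURCE messages in the description, added here as an example; it is not rpmdiff's code and not part of the bug report. It assumes `nm -D --undefined-only` text as input; the symbol listings are constructed, and reading "lost" as "a newly imported unfortified symbol" is an assumption.

```python
import re

# Fortifiable libc functions named in the rpmdiff output on this page, plus
# snprintf; glibc fortifies more than these (assumption: extend as needed).
FORTIFIABLE = {"getcwd", "memcpy", "memmove", "memset", "pread64", "read",
               "readlink", "realpath", "recv", "snprintf"}

def imports(nm_output):
    """Undefined dynamic symbols from `nm -D --undefined-only` text."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[-2] in ("U", "w"):
            names.add(fields[-1].split("@")[0])  # strip @GLIBC_x.y version
    return names

def classify(symbols):
    """Return (fortified __foo_chk imports, plain fortifiable imports)."""
    fortified = {s for s in symbols if re.fullmatch(r"__\w+_chk", s)}
    return fortified, symbols & FORTIFIABLE

def verdict(old_nm, new_nm):
    old_fort, old_plain = classify(imports(old_nm))
    new_fort, new_plain = classify(imports(new_nm))
    if new_fort or not old_fort:
        return "ok"  # still imports _chk variants, or never did
    gained = new_plain - old_plain
    if gained:  # assumed meaning of the "lost" message
        return "lost: new unfortified " + ",".join(sorted(gained))
    both = ",".join(sorted(new_plain & old_plain))
    return "may have lost: unfortified in both " + both

# Constructed symbol listings, not taken from the real packages.
OLD_NM = """\
                 U __snprintf_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
                 U memcpy@GLIBC_2.14
                 U readlink@GLIBC_2.2.5
"""
NEW_NM = """\
                 U __stack_chk_fail@GLIBC_2.4
                 U lzma_code@XZ_5.0
                 U memcpy@GLIBC_2.14
                 U readlink@GLIBC_2.2.5
"""

if __name__ == "__main__":
    print(verdict(OLD_NM, NEW_NM))
```

The "may have lost" result is the case to investigate rather than assume a flag regression: the only `_chk` import disappeared while the plain imports stayed the same, which is also what happens when the code that used the fortified call is no longer compiled into the binary.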

Comment 1 Micah Abbott 2021-06-28 15:52:18 UTC
Fixed in coreos-installer-0.9.0-6.rhaos4.8.el8

Included in RHCOS 48.84.202106222143-0

It should land as part of a boot image bump, but I don't think it is necessary to hold up the release for this.  Targeting for 4.8.z

Comment 4 Michael Nguyen 2021-06-30 17:53:40 UTC
Verified on 4.8.0-0.nightly-2021-06-29-033219 - lzma no longer bundled


```
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-29-033219   True        False         4m42s   Cluster version is 4.8.0-0.nightly-2021-06-29-033219
[mnguyen@pet32 4.8]$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-138-233.us-west-2.compute.internal   Ready    worker   23m   v1.21.0-rc.0+766a5fe
ip-10-0-144-166.us-west-2.compute.internal   Ready    master   31m   v1.21.0-rc.0+766a5fe
ip-10-0-168-94.us-west-2.compute.internal    Ready    master   31m   v1.21.0-rc.0+766a5fe
ip-10-0-175-88.us-west-2.compute.internal    Ready    worker   24m   v1.21.0-rc.0+766a5fe
ip-10-0-203-100.us-west-2.compute.internal   Ready    worker   24m   v1.21.0-rc.0+766a5fe
ip-10-0-221-14.us-west-2.compute.internal    Ready    master   31m   v1.21.0-rc.0+766a5fe

$ oc debug node/ip-10-0-138-233.us-west-2.compute.internal
Starting pod/ip-10-0-138-233us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9a23adde268dc8937ae293594f58fc4039b574210f320ebdac85a50ef40220dd
              CustomOrigin: Managed by machine-config-operator
                   Version: 48.84.202106231817-0 (2021-06-23T18:21:06Z)

  ostree://457db8ff03dda5b3ce1a8e242fd91ddbe6a82f838d1b0047c3d4aeaf6c53f572
                   Version: 48.84.202106091622-0 (2021-06-09T16:25:42Z)
sh-4.4# rpm -q --requires coreos-installer | grep lzma
liblzma.so.5()(64bit)
liblzma.so.5(XZ_5.0)(64bit)
sh-4.4# rpm -qa coreos-installer
coreos-installer-0.9.0-6.rhaos4.8.el8.x86_64
sh-4.4# rpm -qf /usr/lib64/liblzma.so.5
xz-libs-5.2.4-3.el8.x86_64
sh-4.4#
```

Comment 8 errata-xmlrpc 2021-07-27 23:13:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Comment 9 Red Hat Bugzilla 2023-09-15 01:10:23 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

