During the installation of rng-tools, the command "udevadm trigger --sysname-match=hw_random --settle" is triggered via the "%post" section in the spec file. Image Builder, and more specifically the low-level tool, osbuild, is installing the rpm packages in a contained, isolated environment with different network, mount, et al. namespaces (via bubblewrap). In part this is done to abstract from the build host hardware, since the resulting image might run on completely different hardware than it is built on (e.g. cloud images). Specifically, in such a container, no uevents might be delivered and thus `udevadm --settle` might block. See upstream bug: https://github.com/osbuild/image-builder/issues/206
Verified with latest main branch, fixed. Image-builder service can build installer ISO image successfully.

Env:
[root@rhel84iso2 keyring]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.4 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.4"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.4:GA"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.4
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.4"
[root@rhel84iso2 keyring]# rpm -qa|grep osbuild
python3-osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-ostree-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-selinux-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-composer-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-core-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-worker-30-1.20210629gitcca5c9f.el8.x86_64
hello, Christian, thank you for reporting this. indeed, the udevadm call lacks the container virtualization guard. i'm posting a fix and i need to wait for Mon to approve this bz from the qe side.

hello, Yi, i have changed nothing yet. so i believe something else has changed, os-builder, i presume. nevertheless, i'm rolling out the fix anyway.
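The container guard discussed above, as an added example that is not part of the thread and is not the actual rng-tools spec change: a scriptlet helper that skips the udevadm call inside a container and bounds the wait elsewhere. The `DETECT_VIRT`, `UDEVADM` and `SETTLE_TIMEOUT` variables and both function names are hypothetical, introduced so the logic can be exercised without systemd.

```shell
#!/bin/sh
# Added example: container-aware wrapper around the %post call
#   udevadm trigger --sysname-match=hw_random --settle
# Hypothetical override variables; they default to the real tools.
: "${DETECT_VIRT:=systemd-detect-virt}"
: "${UDEVADM:=udevadm}"
: "${SETTLE_TIMEOUT:=10}"   # seconds; an assumed bound, not from the thread

# Succeeds only when a container environment is detected.
# If the detection tool is missing this fails, and the caller falls
# through to the time-bounded trigger below.
in_container() {
    "$DETECT_VIRT" --container --quiet 2>/dev/null
}

# Prints what happened: skipped, triggered, timeout or failed.
# Always returns 0 so the package transaction is never aborted
# or blocked by a missing uevent.
trigger_hw_random() {
    if in_container; then
        # No uevents may be delivered here, so --settle could block.
        echo skipped
        return 0
    fi
    if timeout "$SETTLE_TIMEOUT" "$UDEVADM" trigger \
            --sysname-match=hw_random --settle >/dev/null 2>&1; then
        echo triggered
    else
        rc=$?
        # timeout(1) exits with 124 when it had to kill the command.
        if [ "$rc" -eq 124 ]; then
            echo timeout
        else
            echo failed
        fi
    fi
    return 0
}
```

In a spec file the `%post` section would call `trigger_hw_random` in place of the bare udevadm command.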
Hi Vladis Dronov, thanks for fixing this bug on the rng-tools side. I will keep an eye on this bug in later testing.
Update on this bug: This bug is fixed by Christian in osbuild in this commit https://github.com/osbuild/osbuild/commit/704d5d305a4168e9720cfae510114d44aa52318b. I have verified on the main branch after this commit was merged; the bug is fixed and cannot be reproduced. The following are the verification steps:

Env:
[root@rhel84iso2 keyring]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.4 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.4"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.4:GA"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.4
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.4"
[root@rhel84iso2 keyring]# rpm -qa|grep osbuild
python3-osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-ostree-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-selinux-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-composer-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-core-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-worker-30-1.20210629gitcca5c9f.el8.x86_64

Steps:
1. Send a request to build Edge commit image and upload to s3.
2. Download and extract commit tar and serve over httpd.
3. Install Edge vm with the commit repo.
4. Can install Edge vm successfully, can login/ssh to it, run some sanity test, everything is fine.
5. Send a request to build Edge iso image and upload to s3.
6. Image-builder can build ISO image and upload to s3 successfully.
And Vladis Dronov also fixed it on the rng-tools side and provided a scratch build of rng-tools, but I cannot test it at that time because I have to wait for an osbuild official build that picks up the latest rng-tools package. In the meantime, I talked with Christian and Peter about this bug, as we already fixed it in osbuild, and we will remove rng-tools from osbuild forever, there is no urgent need for composer QE to test the rng-tools package. Better to ask rng-tools QE to verify this issue.
hello, Vilem,

i'm sorry for the mess in this bz, i've got lost in multiple bzs for rng-tools. the test plan is the same as in the bz1975588 (RHEL9 bz), since this is the same issue, just for RHEL8.

1) grab the packages from brew, task url: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38803046
wget http://download.eng.bos.redhat.com/brewroot/work/tasks/3171/38803171/rng-tools-6.13-1.git.d207e0b6.el8.x86_64.rpm

2) install:
# dnf -y install jitterentropy*rpm rng-tools*rpm

3) verify that both service files contain "ConditionVirtualization=!container" line:
# grep Condition /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
/usr/lib/systemd/system/rngd.service:ConditionVirtualization=!container
/usr/lib/systemd/system/rngd-wake-threshold.service:ConditionVirtualization=!container

6) clean up
# dnf -y erase jitterentropy rng-tools
# rm -f jitterentropy*rpm rng-tools*rpm
Looks good, thanks for detailed instructions. Setting verified.

----
# wget http://download.eng.bos.redhat.com/brewroot/work/tasks/3171/38803171/rng-tools-6.13-1.git.d207e0b6.el8.x86_64.rpm
(...)
2021-08-09 18:23:25 (1.05 MB/s) - ‘rng-tools-6.13-1.git.d207e0b6.el8.x86_64.rpm’ saved [71408/71408]

# dnf -y install jitterentropy*rpm rng-tools*rpm
(...)
Installed:
  rng-tools-6.13-1.git.d207e0b6.el8.x86_64
Complete!

# grep Condition /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
/usr/lib/systemd/system/rngd.service:ConditionVirtualization=!container
/usr/lib/systemd/system/rngd-wake-threshold.service:ConditionVirtualization=!container

# dnf -y erase jitterentropy rng-tools
(...)
Removed:
  rng-tools-6.13-1.git.d207e0b6.el8.x86_64
Complete!

# rm -f jitterentropy*rpm rng-tools*rpm
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4427