1975554 – Installing rng-tools via Image Builder might hang the installation

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1975554 - Installing rng-tools via Image Builder might hang the installation

Summary: Installing rng-tools via Image Builder might hang the installation

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	rng-tools
Sub Component:
Version:	8.4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	beta
Target Release:	8.5
Assignee:	Vladis Dronov
QA Contact:	Vilém Maršík
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2057030
TreeView+	depends on / blocked

Reported:	2021-06-23 22:07 UTC by Christian Kellner
Modified:	2023-08-08 02:59 UTC (History)
CC List:	10 users (show)
Fixed In Version:	rng-tools-6.13-1.git.d207e0b6.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2057030 (view as bug list)
Environment:
Last Closed:	2021-11-09 19:44:50 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	osbuild image-builder issues 206	0	None	open	build edge image hang due to udevadm	2021-06-23 22:07:29 UTC
Red Hat Product Errata	RHBA-2021:4427	0	None	None	None	2021-11-09 19:44:55 UTC

Description Christian Kellner 2021-06-23 22:07:30 UTC

During the installation of rng-tools, the command "udevadm trigger --sysname-match=hw_random --settle" is triggered, via the "%post" section in the spec file.
Image Builder, and more specifically the low-level tool, osbuild is installing the rpm packages in a contained, isolated environment with a different network, mount et al. namespaces (via bubblewrap). In part this is done to abstract from the build host hardware, since the resulting image might run on completely different hardware than it is built on (e.g. cloud images). Specifically, in such a container, no uevents might be delivered and thus `udevadm --settle` might block. See upstream bug: https://github.com/osbuild/image-builder/issues/206

Comment 1 Yi He 2021-07-02 01:26:25 UTC

Verified with latest main branch, fixed. Image-builder service can build installer ISO image successfully.

Env:
[root@rhel84iso2 keyring]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.4 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.4"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.4:GA"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.4
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.4"


[root@rhel84iso2 keyring]# rpm -qa|grep osbuild
python3-osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-ostree-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-selinux-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-composer-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-core-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-worker-30-1.20210629gitcca5c9f.el8.x86_64

Comment 2 Vladis Dronov 2021-07-03 19:47:11 UTC

hello, Christian,

thank you for reporting this. indeed, udevadm call lacks the container virtualization
guard. i'm posting a fix and i need to wait for Mon to approve this bz from qe side.

hello, Yi,
i have changed nothing yet. so i believe, smth else have changed, os-builder, i presume.
nevertheless, i'm rolling out the fix anyway.

Comment 4 Yi He 2021-07-07 08:56:25 UTC

Hi Vladis Dronov,

Thanks for fixing this bug in rng-tools side, I will keep an eye on this bug in later testing.

Comment 5 Yi He 2021-07-19 08:48:32 UTC

Update on this bug:

This bug is fixed by Christian in osbuild in this commit https://github.com/osbuild/osbuild/commit/704d5d305a4168e9720cfae510114d44aa52318b, I have verified on the main branch after this commit merged, the bug is fixed and can not be reproduced.

Following is the verification steps:

Env:
[root@rhel84iso2 keyring]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.4 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.4"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.4:GA"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.4
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.4"

[root@rhel84iso2 keyring]# rpm -qa|grep osbuild
python3-osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-ostree-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-selinux-29-1.20210630git226a707.20210630git226a707.el8.noarch
osbuild-composer-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-core-30-1.20210629gitcca5c9f.el8.x86_64
osbuild-composer-worker-30-1.20210629gitcca5c9f.el8.x86_64

Steps:
1. Send a request to build Edge commit image and upload to s3.
2. Download and extract commit tar and serve over httpd.
3. Install Edge vm with the commit repo.
4. Can install Edge vm successfully, can login/ssh to it, run some sanity test, everything is fine.
5. Send a request to build Edge iso image and upload to s3.
6. Image-builder can build ISO image and upload to s3 successfully.

And Vladis Dronov also fixed it in rng-tools side and provided a scratch build of rng-tools, but I cannot test it at that time because I have to wait for an osbuild official build that picks up the latest rng-tools package. In the meantime, I talked with Christian and Peter about this bug, as we already fixed it in osbuild, and we will remove rng-tools from osbuild forever, there is no urgent need for composer QE to test the rng-tools package. Better to ask rng-tools QE to verify this issue.

Comment 10 Vladis Dronov 2021-08-09 16:03:49 UTC

hello, Vilem,

i'm sorry for the mess in this bz, i've got lost in multiple bzs for rng-rools.

the test plan is the same as in the bz1975588 (RHEL9 bz), since this is the same issue, just for RHEL8.

1) grab the packages from brew, task url: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38803046

wget http://download.eng.bos.redhat.com/brewroot/work/tasks/3171/38803171/rng-tools-6.13-1.git.d207e0b6.el8.x86_64.rpm

2) install:

# dnf -y install jitterentropy*rpm rng-tools*rpm

3) verify that both service files contain "ConditionVirtualization=!container" line:

# grep Condition /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service 
/usr/lib/systemd/system/rngd.service:ConditionVirtualization=!container
/usr/lib/systemd/system/rngd-wake-threshold.service:ConditionVirtualization=!container

6) clean up

# dnf -y erase jitterentropy rng-tools
# rm -f jitterentropy*rpm rng-tools*rpm

Comment 11 Vilém Maršík 2021-08-09 22:30:13 UTC

Looks good, thanks for detailed instructions. Setting verified.

----

# wget http://download.eng.bos.redhat.com/brewroot/work/tasks/3171/38803171/rng-tools-6.13-1.git.d207e0b6.el8.x86_64.rpm
(...)
2021-08-09 18:23:25 (1.05 MB/s) - ‘rng-tools-6.13-1.git.d207e0b6.el8.x86_64.rpm’ saved [71408/71408]
# dnf -y install jitterentropy*rpm rng-tools*rpm
(...)
Installed:
  rng-tools-6.13-1.git.d207e0b6.el8.x86_64
Complete!
# grep Condition /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
/usr/lib/systemd/system/rngd.service:ConditionVirtualization=!container
/usr/lib/systemd/system/rngd-wake-threshold.service:ConditionVirtualization=!container
# dnf -y erase jitterentropy rng-tools
(...)
Removed:
  rng-tools-6.13-1.git.d207e0b6.el8.x86_64
Complete!
# rm -f jitterentropy*rpm rng-tools*rpm

Comment 15 errata-xmlrpc 2021-11-09 19:44:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4427

Note You need to log in before you can comment on or make changes to this bug.