+++ This bug was initially created as a clone of Bug #2009465 +++

In order to land the fix for BZ#1969998 (and the follow-ons) as part of OCP 4.9, we needed to tag a build of `container-selinux` so that it would show up in the RHAOS plashets and be consumed by RHCOS.

Since then, the `container-selinux` build shipped as part of https://access.redhat.com/errata/RHBA-2021:3661 and no longer needs to come from the RHAOS plashets.

This bug is merely paperwork to allow a backport of the change to the `master` branch of `openshift/os` into the `release-4.9` branch.

--- Additional comment from Micah Abbott on 2021-09-30 17:35:24 UTC ---

To verify this BZ, inspect the build logs for RHCOS and ensure the following:

- container-selinux-2.167.0-1 or newer is included
- container-selinux comes from rhel8-appstream repo
Verify passed with 4.9.0-rc.7 and container-selinux-2:2.167.0-1.module+el8.4.0+12646+b6fd1bdf.noarch (from rhel-8-appstream)

$ oc get clusterversion
NAME      VERSION      AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-rc.7   True        False         137m    Cluster version is 4.9.0-rc.7

$ oc get nodes
NAME                                                STATUS   ROLES    AGE    VERSION
ci-ln-qzfnnct-002ac-bb2g7-master-0                  Ready    master   154m   v1.22.0-rc.0+894a78b
ci-ln-qzfnnct-002ac-bb2g7-master-1                  Ready    master   154m   v1.22.0-rc.0+894a78b
ci-ln-qzfnnct-002ac-bb2g7-master-2                  Ready    master   154m   v1.22.0-rc.0+894a78b
ci-ln-qzfnnct-002ac-bb2g7-worker-centralus1-vtc28   Ready    worker   145m   v1.22.0-rc.0+894a78b
ci-ln-qzfnnct-002ac-bb2g7-worker-centralus2-4mwkt   Ready    worker   144m   v1.22.0-rc.0+894a78b
ci-ln-qzfnnct-002ac-bb2g7-worker-centralus3-m45sr   Ready    worker   147m   v1.22.0-rc.0+894a78b

$ oc debug node/ci-ln-qzfnnct-002ac-bb2g7-worker-centralus1-vtc28
sh-4.4# chroot /host
sh-4.4# rpm -q container-selinux
container-selinux-2.167.0-1.module+el8.4.0+12646+b6fd1bdf.noarch
sh-4.4# echo TEST=foobar > /etc/kubernetes/test
sh-4.4# cat /etc/systemd/system/echo.service
[Unit]
Description=An echo unit

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/etc/kubernetes/test
ExecStart=/usr/bin/echo ${PAUSE}

[Install]
WantedBy=multi-user.target
sh-4.4# systemctl daemon-reload && systemctl start echo.service
sh-4.4# systemctl status echo.service
● echo.service - An echo unit
   Loaded: loaded (/etc/systemd/system/echo.service; disabled; vendor preset: disabled)
   Active: active (exited) since Wed 2021-10-13 06:04:25 UTC; 5s ago
  Process: 143541 ExecStart=/usr/bin/echo ${PAUSE} (code=exited, status=0/SUCCESS)
 Main PID: 143541 (code=exited, status=0/SUCCESS)
      CPU: 1ms

Oct 13 06:04:25 ci-ln-qzfnnct-002ac-bb2g7-worker-centralus1-vtc28 systemd[1]: Starting An echo unit...
Oct 13 06:04:25 ci-ln-qzfnnct-002ac-bb2g7-worker-centralus1-vtc28 systemd[1]: Started An echo unit.

sh-4.4# cat /etc/os-release
NAME="Red Hat Enterprise Linux CoreOS"
VERSION="49.84.202110081407-0"
ID="rhcos"
ID_LIKE="rhel fedora"
VERSION_ID="4.9"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux CoreOS 49.84.202110081407-0 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::coreos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://docs.openshift.com/container-platform/4.9/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
REDHAT_BUGZILLA_PRODUCT_VERSION="4.9"
REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
REDHAT_SUPPORT_PRODUCT_VERSION="4.9"
OPENSHIFT_VERSION="4.9"
RHEL_VERSION="8.4"
OSTREE_VERSION='49.84.202110081407-0'

Confirm with OCP QE, this fix was merged in the 4.9 rc build, so change the title and execute verification.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759