2011087 – Backport audit log silence change

Bug 2011087 - Backport audit log silence change

Summary: Backport audit log silence change

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Machine Config Operator
Sub Component:
Version:	4.7
Hardware:	All
OS:	All
Priority:	high
Severity:	urgent
Target Milestone:	---
Target Release:	4.9.0
Assignee:	Kirsten Garrison
QA Contact:	Manoj Hans
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2011083 2011375
TreeView+	depends on / blocked

Reported:	2021-10-05 23:09 UTC by Kirsten Garrison
Modified:	2021-10-18 17:52 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	2011083
Environment:
Last Closed:	2021-10-18 17:52:30 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift machine-config-operator pull 2633	0	None	Merged	templates: Silence audit events from container infra by default	2021-10-06 14:08:28 UTC
Red Hat Product Errata	RHSA-2021:3759	0	None	None	None	2021-10-18 17:52:50 UTC

Description Kirsten Garrison 2021-10-05 23:09:20 UTC

+++ This bug was initially created as a clone of Bug #2011083 +++

Description of problem:

Backport https://github.com/openshift/machine-config-operator/pull/2633 for 4.8 and 4.7

Version-Release number of MCO (Machine Config Operator) (if applicable):
4.7/4.8

Platform (AWS, VSphere, Metal, etc.):
All

Actual results:

Large OCP 4.7.32 cluster seeing 10 million logs per hour during their upgrade from 4.6.25. Overwhelming cluster logging and local SSDs.

--- Additional comment from Eric Paris on 2021-10-05 23:01:48 UTC ---

This bug sets Target Release equal to a z-stream but has no bug in the 'Depends On' field. As such this is not a valid bug state and the target release is being unset.

Any bug targeting 4.1.z must have a bug targeting 4.2 in 'Depends On.'
Similarly, any bug targeting 4.2.z must have a bug with Target Release of 4.3 in 'Depends On.'

Comment 1 Kirsten Garrison 2021-10-05 23:15:17 UTC

This was already fixed directly in 4.9 via https://github.com/openshift/machine-config-operator/pull/2633

We request QE to review and close this BZ as `CURRENTRELEASE` so we can get the 4.8 fix in.

Comment 2 Kirsten Garrison 2021-10-05 23:33:33 UTC

To save some bandwidth, this can be verified by comparing audit logs in recent runs in 4.9 vs 4.8:

4.8 has 2900+ NETFILTER_CFG msg=audit messages in the audit logs. for example see:
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.8-e2e-aws/1445457563997966336/artifacts/e2e-aws/gather-extra/artifacts/nodes/ip-10-0-146-190.us-east-2.compute.internal/

4.9 has 0 for example see:
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.9-e2e-aws/1445422682387517440/artifacts/e2e-aws/gather-extra/artifacts/nodes/ip-10-0-134-176.ec2.internal/

Comment 6 errata-xmlrpc 2021-10-18 17:52:30 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

Note You need to log in before you can comment on or make changes to this bug.