Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2013822

Summary: ensure that the `container-tools` content comes from the RHAOS plashets
Product: OpenShift Container Platform Reporter: Micah Abbott <miabbott>
Component: RHCOS Assignee: Michael Nguyen <mnguyen>
Status: CLOSED ERRATA QA Contact: Michael Nguyen <mnguyen>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.9 CC: dornelas, jligon, miabbott, mnguyen, mrussell, nstielau, smilner, travier
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2013849 (view as bug list) Environment:
Last Closed: 2022-08-10 10:38:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2013849, 2036202    

Description Micah Abbott 2021-10-13 20:44:20 UTC
It was noticed that the `runc` package is getting pulled from the `rhel-8-appstream` location for RHCOS 4.9 and it is older than expected.

We want to ensure that `runc` (and all of the `container-tools` content) is retrieved from the RHAOS plashets.

This BZ tracks that fix.

Comment 3 Micah Abbott 2022-01-27 15:11:25 UTC
From https://github.com/openshift/os/pull/681#issuecomment-1022443830


```
TL;DR - OCP/RHCOS 4.10 will continue to get most of the `container-tools` content from the RHEL 8.4.Z EUS `container-tools:rhel8` module stream. (See caveats at the bottom of this comment)

---

We've recognized that users/customers want to have most of the OS remain stable, but would like to be able to use newer pieces of the container stack, i.e. `podman`, `crun`, etc.

Towards that goal, some folks from CoreOS have had multiple discussions with the Container team on how best to achieve it.

At first, we thought it would be as simple as "build the newest `container-tools` content in the OCP 4.10 tag and make it available via the RHOSE repo". We tried to include the latest version of `container-tools:rhel8` that was targeting RHEL 8.6.

This ran into a number of snags that included:

  - conflicting dependencies on `protobuf-c` in the OCP 4.10 build root when building `criu`
  - install dependencies on unreleased RHEL 8.6 content for things like `podman`

We didn't want to be in the position of having to ask permission to ship unreleased RHEL 8.6 content as part of OCP/RHCOS 4.10, so we punted on this original plan.

We regrouped and decided to try just making the latest version of `container-tools:rhel8` that is available to RHEL 8.5 customers. This would still get us newer versions of RPMs, but shouldn't require us to ship unreleased content.

Unfortunately, that decision was made a bit too late towards code freeze and we ran into additional issues trying to make that work:

  - `container-selinux` isn't building due to a `selinux-policy` dependency problem
  - `criu` is still not building due to conflicting `protobuf-c` dependencies in the buildroot

So for OCP/RHCOS 4.10 GA, we've abandoned the plan to get newer `container-tools` content into RHCOS. We do plan to revisit this idea as part of 4.11 (and hopefully 4.10.z).

For now the versions of RPMs from the `container-tools` stack that will be available in RHCOS 4.10 will look like this:

  - conmon-2.0.29-1.module+el8.4.0+11822+6cc1e7d7.x86_64
  - container-selinux-2.173.1-0.rhaos4.10.el8.6.noarch *
  - containernetworking-plugins-0.9.1-1.module+el8.4.0+11822+6cc1e7d7.x86_64
  - containers-common-1.3.1-5.module+el8.4.0+11990+22932769.x86_64
  - criu-3.15-1.module+el8.4.0+11822+6cc1e7d7.x86_64
  - crun-1.2-3.rhaos4.10.el8.x86_64 **
  - fuse-overlayfs-1.6-1.module+el8.4.0+11822+6cc1e7d7.x86_64
  - libslirp-4.3.1-1.module+el8.4.0+11822+6cc1e7d7.x86_64
  - podman-3.2.3-0.11.module+el8.4.0+12050+ef972f71.x86_64
  - runc-1.0.1-3.rhaos4.10.el8.x86_64 ***
  - skopeo-1.3.1-5.module+el8.4.0+11990+22932769.x86_64
  - slirp4netns-1.1.8-1.module+el8.4.0+11822+6cc1e7d7.x86_64

* container-selinux is newer than what is included in RHEL 8.4.Z EUS, but addresses some BZs that customers were encountering
** crun is newer than what is included in RHEL 8.4.Z EUS, because the k8s folks wanted to start testing with 1.x versions of crun
*** runc is slightly newer than what is included in RHEL 8.4.Z EUS, because we had previously shipped a newer version in OCP/RHCOS 4.9 and had to preserve the upgrade path
```

Ultimately, this means that this BZ will not get addressed until 4.11.
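
Added example (not part of the bug report and not Red Hat tooling): a small audit over the RHCOS 4.10 package list quoted above that reports which `container-tools` RPMs were not built for the expected RHAOS release. It assumes the dist tag in the RPM release field (`rhaos4.10` versus `module+el8.4.0+...`) reflects the build target; that tag shows which build a package is, not which repository delivered it, and the function names are hypothetical.

```python
import re

# NVRA strings copied from the RHCOS 4.10 list in the comment above.
RHCOS_410_CONTAINER_TOOLS = """
conmon-2.0.29-1.module+el8.4.0+11822+6cc1e7d7.x86_64
container-selinux-2.173.1-0.rhaos4.10.el8.6.noarch
containernetworking-plugins-0.9.1-1.module+el8.4.0+11822+6cc1e7d7.x86_64
containers-common-1.3.1-5.module+el8.4.0+11990+22932769.x86_64
criu-3.15-1.module+el8.4.0+11822+6cc1e7d7.x86_64
crun-1.2-3.rhaos4.10.el8.x86_64
fuse-overlayfs-1.6-1.module+el8.4.0+11822+6cc1e7d7.x86_64
libslirp-4.3.1-1.module+el8.4.0+11822+6cc1e7d7.x86_64
podman-3.2.3-0.11.module+el8.4.0+12050+ef972f71.x86_64
runc-1.0.1-3.rhaos4.10.el8.x86_64
skopeo-1.3.1-5.module+el8.4.0+11990+22932769.x86_64
slirp4netns-1.1.8-1.module+el8.4.0+11822+6cc1e7d7.x86_64
""".split()

# Assumption: the dist tag in the release field identifies the build target.
RHAOS_RE = re.compile(r"(?:^|\.)rhaos(\d+\.\d+)(?:\.|$)")
MODULE_RE = re.compile(r"(?:^|\.)module\+(el\d+\.\d+\.\d+)\+")


def parse_nvra(nvra):
    """Split name-version-release.arch from the right; names may contain hyphens."""
    nvr, _, arch = nvra.rpartition(".")
    name, version, release = nvr.rsplit("-", 2)  # ValueError if malformed
    return name, version, release, arch


def classify(nvra):
    """Return (name, origin, tag), origin being rhaos, rhel-module or unknown."""
    name, _version, release, _arch = parse_nvra(nvra)
    for origin, pattern in (("rhaos", RHAOS_RE), ("rhel-module", MODULE_RE)):
        match = pattern.search(release)
        if match:
            return name, origin, match.group(1)
    return name, "unknown", None


def audit(nvras, expected_ocp):
    """Map package name -> (origin, tag) for every package that is NOT an
    RHAOS build for the expected OCP release (e.g. "4.10")."""
    findings = {}
    for nvra in nvras:
        name, origin, tag = classify(nvra)
        if origin != "rhaos" or tag != expected_ocp:
            findings[name] = (origin, tag)
    return findings
```

On a running node the same functions can be fed the output of `rpm -qa` instead of the embedded list.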

Comment 5 Micah Abbott 2022-07-07 13:42:04 UTC
We started using a subset of `container-tools` that was built specifically for RHCOS/OCP 4.11; this will be the pattern in future releases.

The subset is defined here: https://github.com/openshift/os/blob/release-4.11/manifest.yaml#L359-L374

Comment 9 Michael Nguyen 2022-07-18 19:02:52 UTC
Verified on registry.ci.openshift.org/ocp/release:4.11.0-0.nightly-2022-07-18-110647 which is running RHCOS 411.86.202207150124-0. The packages listed in https://github.com/openshift/os/blob/release-4.11/manifest.yaml#L359-L374 are coming from the RHAOS plashets in the build logs.

Comment 10 errata-xmlrpc 2022-08-10 10:38:04 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069