At the moment toolbox doesn't inform the user about keeping the pulled image once and for all. We say only:

To remove the container and start fresh, do sudo podman rm ${TOOLBOX_NAME}.

https://github.com/coreos/toolbox/blob/main/rhcos-toolbox#L146

Which can be confusing at times:

1) You have deployed an OCP cluster a year ago
2) Shortly after the deployment you ran 'toolbox', which pulled whatever version of registry.redhat.io/rhel8/support-tools:latest was latest at that time
3) Now you want to run support-tools:latest again, but this time again with the latest version; however, using `podman rm toolbox-root` will only stop the running container and will keep using the image pulled a year ago when `toolbox` is called

This is a problem because we keep using an old version of sos and redhat-support-tool on such a node.

Using an older version of redhat-support-tool can lead to a scenario where one will not be able to upload a bigger attachment to the case, because dropbox (deprecated and will be decommissioned)[1] is being used instead of the new sftp.access.redhat.com. Potentially some sos bug can be hit.

For these reasons I think it would make sense to add some check inside the toolbox script to make sure we are running the latest image version on the node.

[1] https://access.redhat.com/solutions/2112
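A sketch of the kind of staleness check the report asks for, added here as an illustration; it is not part of the original report and is not the toolbox script's own code. The function names and exit codes are hypothetical, and it assumes `skopeo` is available on the node and that podman records the registry digest in the image's `RepoDigests`.

```shell
# Added example. Exit codes of image_freshness (chosen for this sketch):
#   0 = cached image matches the registry, 1 = cached image is stale,
#   2 = image not present locally,         3 = registry lookup failed
image_freshness() {
    fresh_image="$1"

    # Digests recorded for the cached copy, one "repo@sha256:..." per line.
    # The inspect fails when the image was never pulled on this node.
    local_digests=$(podman image inspect \
        --format '{{range .RepoDigests}}{{println .}}{{end}}' \
        "$fresh_image" 2>/dev/null) || return 2

    # Digest the registry serves for the tag right now; this reads the
    # manifest only and does not download any layers.
    remote_digest=$(skopeo inspect --format '{{.Digest}}' \
        "docker://$fresh_image" 2>/dev/null) || return 3
    case "$remote_digest" in
        sha256:*) ;;
        *) return 3 ;;          # unexpected answer: treat as lookup failure
    esac

    # The cached copy is current if one of its recorded digests is the
    # digest the registry serves today.
    if printf '%s\n' "$local_digests" | grep -qF -- "@$remote_digest"; then
        return 0
    fi
    return 1
}

# Pull only when needed. If the registry cannot be reached, keep the cached
# image but say so, so the operator knows the tools may be out of date.
refresh_if_stale() {
    refresh_image="$1"
    rc=0
    image_freshness "$refresh_image" || rc=$?
    case "$rc" in
        0) echo "up-to-date" ;;
        1|2) podman pull "$refresh_image" >/dev/null && echo "pulled" ;;
        *) echo "registry-unreachable: keeping cached image"; return 1 ;;
    esac
}
```

Removing the container with `podman rm` does not touch the cached image, which is why the comparison is made on image digests rather than on whether the container exists.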
Proposed patch at https://github.com/coreos/toolbox/pull/74
This landed in toolbox 0.0.9 but is blocked by #2104116
Verified on 4.12.0-0.nightly-2022-08-30-142847

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-08-30-142847   True        False         84m     Cluster version is 4.12.0-0.nightly-2022-08-30-142847

$ oc get nodes
NAME                                       STATUS   ROLES                  AGE    VERSION
ci-ln-c88lfib-72292-l7x8z-master-0         Ready    control-plane,master   104m   v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-master-1         Ready    control-plane,master   105m   v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-master-2         Ready    control-plane,master   105m   v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22   Ready    worker                 95m    v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-worker-b-v2nvn   Ready    worker                 95m    v1.24.0+a097e26
ci-ln-c88lfib-72292-l7x8z-worker-c-btfkz   Ready    worker                 95m    v1.24.0+a097e26

$ oc debug node/ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.2
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9536e08c1a7d517b24a30f7b08d4a0c84ab3a0bde8f083f09225b59ef4b5eaa0
    CustomOrigin: Managed by machine-config-operator
    Version: 412.86.202208292256-0 (2022-08-29T22:59:17Z)
sh-4.4# toolbox
Trying to pull registry.redhat.io/rhel8/support-tools:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob db0f4cd41250 done
Copying blob 1f10f4923dcd done
Copying blob 7e3624512448 done
Copying config 5ef18a77eb done
Writing manifest to image destination
Storing signatures
5ef18a77eb271a205c3c4604a67209126dd4d0831f63891ba1e33808c1fd36d7
Spawning a container 'toolbox-root' with image 'registry.redhat.io/rhel8/support-tools'
Detected RUN label in the container image. Using that as the default...
567389b337fdff9845525fbf6b04f4a7fb096b0a2a386c343d650246bbf5f97e
toolbox-root
Container started successfully. To exit, type 'exit'.
[root@ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22 /]# exit
exit
sh-4.4# toolbox
Checking if there is a newer version of registry.redhat.io/rhel8/support-tools available...
Container 'toolbox-root' already exists. Trying to start...
(To remove the container and start with a fresh toolbox, run: sudo podman rm 'toolbox-root')
toolbox-root
Container started successfully. To exit, type 'exit'.
[root@ci-ln-c88lfib-72292-l7x8z-worker-a-mbt22 /]# exit
exit
sh-4.4#
sh-4.4# rpm -q toolbox
toolbox-0.1.0-1.rhaos4.12.el8.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399