runc has an unversioned dependency on libseccomp 2.5 or later, see https://bugzilla.redhat.com/show_bug.cgi?id=2053990

This creates problems whenever the OS was installed using 8.3 or earlier and not fully updated to 8.4 or later. If we were to ensure that libseccomp is the latest version, we can avoid this problem in openshift-ansible. While there's other work ongoing to cause openshift-ansible to complain whenever the OS is less than 8.4, that depends on the Ansible fact, which can be tricked by upgrading only the `redhat-release` package to 8.4, so it's better to ensure any specific packages we care about are updated as well.
An example of libseccomp < 2.5:
https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.10-e2e-aws-workers-rhel8/1497764935583666176

```
<ip-10-0-167-102.ec2.internal> Failed to connect to the host via ssh:
fatal: [ip-10-0-167-102.ec2.internal]: FAILED! => {
    "changed": true,
    "cmd": [
        "podman",
        "run",
        "--rm",
        "registry.build04.ci.openshift.org/ci-op-l6lsng5p/release@sha256:75ab5dcba3187cfcc9525c3c9b2873bcaba3f8bf7d1026a534cd0e178ec38f2a",
        "image",
        "machine-config-operator"
    ],
    "delta": "0:00:02.736082",
    "end": "2022-02-27 03:34:54.323513",
    "invocation": {
        "module_args": {
            "_raw_params": "podman run --rm registry.build04.ci.openshift.org/ci-op-l6lsng5p/release@sha256:75ab5dcba3187cfcc9525c3c9b2873bcaba3f8bf7d1026a534cd0e178ec38f2a image machine-config-operator",
            "_uses_shell": false,
            "argv": null,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "stdin_add_newline": true,
            "strip_empty_ends": true,
            "warn": true
        }
    },
    "msg": "non-zero return code",
    "rc": 126,
    "start": "2022-02-27 03:34:51.587431",
    "stderr": "/usr/bin/runc: symbol lookup error: /usr/bin/runc: undefined symbol: seccomp_notify_respond\ntime=\"2022-02-27T03:34:51Z\" level=error msg=\"Error removing container ef7c5eb4b9a9cb9794f739605d88eb7abf6fd2881d41ad8aeb32fe6b9fe77ca4 from runtime after creation failed\"\nError: OCI runtime error: /usr/bin/runc: symbol lookup error: /usr/bin/runc: undefined symbol: seccomp_notify_respond",
    "stderr_lines": [
        "/usr/bin/runc: symbol lookup error: /usr/bin/runc: undefined symbol: seccomp_notify_respond",
        "time=\"2022-02-27T03:34:51Z\" level=error msg=\"Error removing container ef7c5eb4b9a9cb9794f739605d88eb7abf6fd2881d41ad8aeb32fe6b9fe77ca4 from runtime after creation failed\"",
        "Error: OCI runtime error: /usr/bin/runc: symbol lookup error: /usr/bin/runc: undefined symbol: seccomp_notify_respond"
    ],
    "stdout": "",
    "stdout_lines": []
}
```
Since the libseccomp shipped with RHEL-8.4 is already libseccomp-2.5.1-1.el8, I used a RHEL-8.3 image and updated redhat-release to the latest (8.5) to work around the playbook check.

```
[ec2-user@ip-10-0-52-112 ~]$ rpm -q libseccomp
libseccomp-2.4.3-1.el8.x86_64
[ec2-user@ip-10-0-52-112 ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 (Ootpa)
```

After running the scaleup playbook, we can see libseccomp was updated to the latest one.

```
TASK [openshift_node : Install openshift packages] *****************************
...
"Installed: libseccomp-2.5.1-1.el8.x86_64",
...
"Removed: libseccomp-2.4.3-1.el8.x86_64"
```
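The mismatch shown in the verification above (release file says 8.5, libseccomp is still 2.4.3) is why a preflight check should look at the package itself. The following is an added example, not code from openshift-ansible or from this bug: the function names are hypothetical, and the 2.5 minimum is taken from the bug description.

```shell
#!/bin/sh
# Minimum libseccomp version runc needs, per the bug description.
MIN_LIBSECCOMP="2.5"

# Extract the upstream version from one line of `rpm -q libseccomp` output,
# e.g. "libseccomp-2.4.3-1.el8.x86_64" -> "2.4.3". Prints nothing on no match.
libseccomp_version() {
    printf '%s\n' "$1" | sed -n 's/^libseccomp-\([0-9][0-9.]*\)-.*$/\1/p'
}

# Return 0 if dotted version $1 >= $2, comparing numerically field by field
# (so 2.10 > 2.5, which a plain string comparison would get wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Classify a host from `rpm -q libseccomp` output ($1). The contents of
# /etc/redhat-release ($2) are reported but never used for the decision,
# because upgrading only redhat-release changes them.
# Exit status: 0 = new enough, 1 = too old, 2 = could not determine.
check_libseccomp() {
    ver=$(libseccomp_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: cannot parse '$1'"
        return 2
    fi
    if version_ge "$ver" "$MIN_LIBSECCOMP"; then
        echo "OK: libseccomp $ver"
        return 0
    fi
    echo "FAIL: libseccomp $ver < $MIN_LIBSECCOMP (release file: $2)"
    return 1
}

# Sample run using the two values shown in the verification comment.
# On a real host: check_libseccomp "$(rpm -q libseccomp)" "$(cat /etc/redhat-release)"
check_libseccomp "libseccomp-2.4.3-1.el8.x86_64" \
    "Red Hat Enterprise Linux release 8.5 (Ootpa)" || true
```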
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069