Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2072620

Summary: Create a MCO drop-in to explicitly set seccomp_use_default_when_empty = false in 4.10.z
Product: OpenShift Container Platform Reporter: Neelesh Agrawal <nagrawal>
Component: NodeAssignee: Qi Wang <qiwan>
Node sub component: Kubelet QA Contact: Sunil Choudhary <schoudha>
Status: CLOSED CURRENTRELEASE Docs Contact:
Severity: high    
Priority: unspecified CC: aos-bugs
Version: 4.10   
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2072621 (view as bug list) Environment:
Last Closed: 2022-04-06 16:13:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2072621    

Description Neelesh Agrawal 2022-04-06 16:04:21 UTC 
Create a MCO drop-in to explicitly set seccomp_use_default_when_empty = false in 4.10.z

crio will change the default value of seccomp_use_default_when_empty from false to true in 4.11(crio1.24) and later versions. In order to not break current clusters, in 4.10.z we create a machine-config to have drop-in crio.conf file with seccomp_use_default_when_empty = false and make it a mandatory upgrade edge(OTA team). So seccomp_use_default_when_empty = true change be an opt-in for upgraded users, users will have the option to delete the MC associated with this file when they are ready to
consume this change for their workload

- How to verify it

Fresh cluster installation, machine configs exit on the cluster:
99-worker-generated-crio-seccomp-use-default
99-master-generated-crio-seccomp-use-default
Upgrade to version with this patch
with ctrcfg CR on one pool
with ctrcfg CR on all the pools
with no ctrcfg CR
After upgrade tried the following
if no ctrcfg CR was created prior to upgrade, create one
if ctrcfg CR was created prior to upgrade, delete it
delete one or both of the capabilities MCs
restart the MCC
restart the MCO
reboot nodes (make sure that the delete capabilities MCs are not created again)
check that the configmap crio-seccomp-use-default-when-empty exists in the openshift-machine-config-operator namespace
Upgrade to next version 4.11.0-0.ci-2022-04-01-023231
upgrade with generated-crio-seccomp-use-default MC existing
upgrade with no generated-crio-seccomp-use-default MC