+++ This bug was initially created as a clone of Bug #2072620 +++
Create a MCO drop-in to explicitly set seccomp_use_default_when_empty = false in 4.10.z
crio will change the default value of seccomp_use_default_when_empty from false to true in 4.11(crio1.24) and later versions. In order to not break current clusters, in 4.10.z we create a machine-config to have drop-in crio.conf file with seccomp_use_default_when_empty = false and make it a mandatory upgrade edge(OTA team). So seccomp_use_default_when_empty = true change be an opt-in for upgraded users, users will have the option to delete the MC associated with this file when they are ready to
consume this change for their workload
- How to verify it
Fresh cluster installation, machine configs exit on the cluster:
Upgrade to version with this patch
with ctrcfg CR on one pool
with ctrcfg CR on all the pools
with no ctrcfg CR
After upgrade tried the following
if no ctrcfg CR was created prior to upgrade, create one
if ctrcfg CR was created prior to upgrade, delete it
delete one or both of the capabilities MCs
restart the MCC
restart the MCO
reboot nodes (make sure that the delete capabilities MCs are not created again)
check that the configmap crio-seccomp-use-default-when-empty exists in the openshift-machine-config-operator namespace
Upgrade to next version 4.11.0-0.ci-2022-04-01-023231
upgrade with generated-crio-seccomp-use-default MC existing
upgrade with no generated-crio-seccomp-use-default MC
This is not a blocker, we only use blocker+ for z-streams when it's a regression introduced during the process of producing the next z-stream. This is just a bug which should be fixed as soon as possible but doesn't block the release of z-streams.
Changed to POST state since followup PR: https://github.com/openshift/machine-config-operator/pull/3109
Verified on quay.io/openshift-release-dev/ocp-release:4.10.13-x86_64
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (OpenShift Container Platform 4.10.13 bug fix update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.