+++ This bug was initially created as a clone of Bug #2072620 +++ Create a MCO drop-in to explicitly set seccomp_use_default_when_empty = false in 4.10.z crio will change the default value of seccomp_use_default_when_empty from false to true in 4.11(crio1.24) and later versions. In order to not break current clusters, in 4.10.z we create a machine-config to have drop-in crio.conf file with seccomp_use_default_when_empty = false and make it a mandatory upgrade edge(OTA team). So seccomp_use_default_when_empty = true change be an opt-in for upgraded users, users will have the option to delete the MC associated with this file when they are ready to consume this change for their workload - How to verify it Fresh cluster installation, machine configs exit on the cluster: 99-worker-generated-crio-seccomp-use-default 99-master-generated-crio-seccomp-use-default Upgrade to version with this patch with ctrcfg CR on one pool with ctrcfg CR on all the pools with no ctrcfg CR After upgrade tried the following if no ctrcfg CR was created prior to upgrade, create one if ctrcfg CR was created prior to upgrade, delete it delete one or both of the capabilities MCs restart the MCC restart the MCO reboot nodes (make sure that the delete capabilities MCs are not created again) check that the configmap crio-seccomp-use-default-when-empty exists in the openshift-machine-config-operator namespace Upgrade to next version 4.11.0-0.ci-2022-04-01-023231 upgrade with generated-crio-seccomp-use-default MC existing upgrade with no generated-crio-seccomp-use-default MC
This is not a blocker, we only use blocker+ for z-streams when it's a regression introduced during the process of producing the next z-stream. This is just a bug which should be fixed as soon as possible but doesn't block the release of z-streams.
Changed to POST state since followup PR: https://github.com/openshift/machine-config-operator/pull/3109
Verified on quay.io/openshift-release-dev/ocp-release:4.10.13-x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.10.13 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1690