Bug 2072621 - Create a MCO drop-in to explicitly set seccomp_use_default_when_empty = false in 4.10.z
Summary: Create a MCO drop-in to explicitly set seccomp_use_default_when_empty = false...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.10.z
Assignee: Qi Wang
QA Contact: MinLi
Depends On: 2072620
Reported: 2022-04-06 16:11 UTC by Neelesh Agrawal
Modified: 2022-05-11 10:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2072620
Last Closed: 2022-05-11 10:31:46 UTC
Target Upstream Version:

System ID Private Priority Status Summary Last Updated
Github openshift machine-config-operator pull 3008 0 None Waiting on Red Hat Podman timezone not working under Java 2022-05-18 04:43:21 UTC
Github openshift machine-config-operator pull 3109 0 None open Bug 2072621: Add namespace arg to fixe2e test 2022-04-22 19:53:41 UTC
Red Hat Product Errata RHBA-2022:1690 0 None None None 2022-05-11 10:32:20 UTC

Description Neelesh Agrawal 2022-04-06 16:11:48 UTC
+++ This bug was initially created as a clone of Bug #2072620 +++

Create a MCO drop-in to explicitly set seccomp_use_default_when_empty = false in 4.10.z

crio will change the default value of seccomp_use_default_when_empty from false to true in 4.11 (CRI-O 1.24) and later versions. In order to not break current clusters, in 4.10.z we create a machine-config to have a drop-in crio.conf file with seccomp_use_default_when_empty = false and make it a mandatory upgrade edge (OTA team). So the seccomp_use_default_when_empty = true change becomes an opt-in for upgraded users: they will have the option to delete the MC associated with this file when they are ready to consume this change for their workload.

- How to verify it

Fresh cluster installation, machine configs exist on the cluster:
- Upgrade to version with this patch
  - with ctrcfg CR on one pool
  - with ctrcfg CR on all the pools
  - with no ctrcfg CR
- After upgrade, try the following:
  - if no ctrcfg CR was created prior to upgrade, create one
  - if ctrcfg CR was created prior to upgrade, delete it
  - delete one or both of the capabilities MCs
  - restart the MCC
  - restart the MCO
  - reboot nodes (make sure that the deleted capabilities MCs are not created again)
  - check that the configmap crio-seccomp-use-default-when-empty exists in the openshift-machine-config-operator namespace
- Upgrade to next version 4.11.0-0.ci-2022-04-01-023231
  - upgrade with generated-crio-seccomp-use-default MC existing
  - upgrade with no generated-crio-seccomp-use-default MC
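The MCO drop-in described in this bug, as an added example that is not from the bug report or from the machine-config-operator repository: a small POSIX shell script that renders a MachineConfig carrying a CRI-O drop-in which pins seccomp_use_default_when_empty = false, and decodes the rendered file back so the content can be checked. The pool name, MachineConfig name, drop-in path under /etc/crio/crio.conf.d/, Ignition version and file mode are assumptions chosen for illustration; the operator-generated MC referred to in the verification steps is named generated-crio-seccomp-use-default and its exact content may differ.

```shell
#!/bin/sh
# Added example, not the bug's or the MCO project's own code.
# Renders a MachineConfig that ships a CRI-O drop-in explicitly setting
# seccomp_use_default_when_empty = false (the 4.10 behaviour), so that the
# CRI-O 1.24 default flip to true does not silently change workload seccomp.

# The drop-in body. The option lives in the [crio.runtime] table of crio.conf.
DROPIN_CONTENT='[crio.runtime]
seccomp_use_default_when_empty = false
'

# Base64-encode a string without line wrapping (Ignition data URLs must be one line).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Render the MachineConfig YAML.
#   $1 = pool role label (e.g. worker or master)  -- assumed values
#   $2 = MachineConfig name                         -- assumed value
#   $3 = path of the drop-in on the node            -- assumed path
render_machineconfig() {
  pool="$1"
  name="$2"
  path="$3"
  encoded=$(b64 "$DROPIN_CONTENT")
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: ${name}
  labels:
    machineconfiguration.openshift.io/role: ${pool}
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: ${path}
          mode: 420
          overwrite: true
          contents:
            source: data:text/plain;charset=utf-8;base64,${encoded}
EOF
}

# Decode an Ignition data URL back to the plain drop-in text.
decode_source() {
  printf '%s' "$1" | sed 's/^.*base64,//' | base64 -d
}

# Return 0 when the given CRI-O config text explicitly pins the option to false,
# i.e. the cluster still opts out of the new default.
dropin_pins_false() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*seccomp_use_default_when_empty[[:space:]]*=[[:space:]]*false[[:space:]]*$'
}

# Usage (assumed names): render for the worker pool and apply with oc.
#   render_machineconfig worker 99-worker-crio-seccomp-use-default-when-empty \
#       /etc/crio/crio.conf.d/01-seccomp-use-default-when-empty.conf | oc apply -f -
```

After an upgrade, `oc get mc generated-crio-seccomp-use-default` and `oc get configmap crio-seccomp-use-default-when-empty -n openshift-machine-config-operator` are the two objects the verification steps above expect to exist; `dropin_pins_false` is the check to run against the drop-in text read from a node if the effective CRI-O setting is in doubt.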

Comment 1 Scott Dodson 2022-04-11 12:59:56 UTC
This is not a blocker, we only use blocker+ for z-streams when it's a regression introduced during the process of producing the next z-stream. This is just a bug which should be fixed as soon as possible but doesn't block the release of z-streams.

Comment 9 Qi Wang 2022-04-22 19:18:11 UTC
Changed to POST state since follow-up PR: https://github.com/openshift/machine-config-operator/pull/3109

Comment 14 Sunil Choudhary 2022-05-09 16:06:44 UTC
Verified on quay.io/openshift-release-dev/ocp-release:4.10.13-x86_64

Comment 16 errata-xmlrpc 2022-05-11 10:31:46 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.10.13 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
