Bug 2074052 - Internal registries with a big number of images delay pod creation due to recursive SELinux file context relabeling [NEEDINFO]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.9.z
Assignee: Ricardo Maraschini
QA Contact: Yaxin You
URL:
Whiteboard:
Depends On: 2074050
Blocks: 2074053
Reported: 2022-04-11 12:51 UTC by OpenShift BugZilla Robot
Modified: 2022-05-18 13:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-18 13:20:29 UTC
Target Upstream Version:
rmarasch: needinfo? (yyou)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-image-registry-operator pull 766 0 None open [release-4.9] Bug 2074052: Deployment annotations, runtimeClassName override and fs policy change 2022-04-14 01:01:07 UTC
Red Hat Product Errata RHBA-2022:2206 0 None None None 2022-05-18 13:20:57 UTC

Comment 9 XiuJuan Wang 2022-05-10 03:49:21 UTC
In comment #4, Yaxin You used a bare-metal cluster on vSphere; we ensured we had set the annotation and runtimeclass on the image-registry pod. Yes, the registry pod could come up finally.
And I checked on a common vSphere cluster today; the registry pod could be running fast after setting the annotation and runtimeclass, with 13 million files.

oc get pods -l docker-registry=default  -w
NAME                              READY   STATUS        RESTARTS   AGE
image-registry-69f7bc8d99-nfb6v   1/1     Terminating   0          4m3s
image-registry-69f7bc8d99-nfb6v   0/1     Terminating   0          4m21s
image-registry-69f7bc8d99-nfb6v   0/1     Terminating   0          4m21s
image-registry-69f7bc8d99-nfb6v   0/1     Terminating   0          4m21s
image-registry-fcc77b458-bx2xf    0/1     Pending       0          0s
image-registry-fcc77b458-bx2xf    0/1     Pending       0          0s
image-registry-fcc77b458-bx2xf    0/1     ContainerCreating   0          0s
image-registry-fcc77b458-bx2xf    0/1     ContainerCreating   0          11s
image-registry-fcc77b458-bx2xf    0/1     Running             0          12s
image-registry-fcc77b458-bx2xf    1/1     Running             0          13s

oc get pods image-registry-fcc77b458-bx2xf -o yaml | grep -i selinux  -A 1 -B 1
    imageregistry.operator.openshift.io/dependencies-checksum: sha256:134bfb909a388b54f8dc8ba191dcbcb3572f968c84d65499ef7cb3e091e21f51
    io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: "true"
    k8s.v1.cni.cncf.io/network-status: |-
--
--
  restartPolicy: Always
  runtimeClassName: selinux
  schedulerName: default-scheduler
--
--
    fsGroupChangePolicy: OnRootMismatch
    seLinuxOptions:
      level: s0:c18,c17

Per comment #8, will approve the fix PR.
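
An added example, not part of the bug comments or of the operator's code: a check that a registry pod carries the three settings visible in the grep output of comment 9 (the CRI-O skip-relabel annotation, `runtimeClassName: selinux`, and `fsGroupChangePolicy: OnRootMismatch`). The function names, script name and sample pods are constructed for illustration; the field names and values are the ones quoted in the comment.

```python
import json
import sys

# Names and values as they appear in the pod YAML quoted in comment 9.
SKIP_ANNOTATION = "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"
RUNTIME_CLASS = "selinux"
FSGROUP_POLICY = "OnRootMismatch"


def check_pod(pod):
    """Return findings for one Pod object; an empty list means all three are set."""
    meta = pod.get("metadata") or {}
    spec = pod.get("spec") or {}
    annotations = meta.get("annotations") or {}
    sec_ctx = spec.get("securityContext") or {}
    findings = []
    # Annotation values are strings, so only the literal "true" counts.
    if annotations.get(SKIP_ANNOTATION) != "true":
        findings.append(f"annotation {SKIP_ANNOTATION} is not \"true\"")
    if spec.get("runtimeClassName") != RUNTIME_CLASS:
        findings.append(f"runtimeClassName is {spec.get('runtimeClassName')!r}")
    if sec_ctx.get("fsGroupChangePolicy") != FSGROUP_POLICY:
        findings.append(f"fsGroupChangePolicy is {sec_ctx.get('fsGroupChangePolicy')!r}")
    return findings


def check_document(doc):
    """Accept a single Pod or the List that `oc get pods -o json` returns."""
    pods = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return {p.get("metadata", {}).get("name", "<unnamed>"): check_pod(p) for p in pods}


# Constructed sample: one pod carrying the settings from comment 9, one without.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Pod",
     "metadata": {"name": "registry-with-settings",
                  "annotations": {SKIP_ANNOTATION: "true"}},
     "spec": {"runtimeClassName": "selinux",
              "securityContext": {"fsGroupChangePolicy": "OnRootMismatch"}}},
    {"kind": "Pod", "metadata": {"name": "registry-without-settings"},
     "spec": {"securityContext": {}}},
]}

if __name__ == "__main__":
    # Usage: oc get pods -l docker-registry=default -o json | python3 check_pod.py
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    results = check_document(doc)
    for name, findings in results.items():
        print(name, "OK" if not findings else "; ".join(findings))
    sys.exit(1 if any(results.values()) else 0)
```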

Comment 14 errata-xmlrpc 2022-05-18 13:20:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.9.33 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2206