Bug 2105456 - broken toolbox in OCP 4.10 with non-default image [4.11.z]
Summary: broken toolbox in OCP 4.10 with non-default image [4.11.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.11.0
Assignee: Timothée Ravier
QA Contact: Michael Nguyen
URL:
Whiteboard:
Depends On: 2048789 2093040 2104116
Blocks:
Reported: 2022-07-08 20:21 UTC by Micah Abbott
Modified: 2022-09-28 05:10 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2048789
Environment:
Last Closed: 2022-09-28 05:09:53 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:6658 0 None None None 2022-09-28 05:10:03 UTC

Comment 1 Micah Abbott 2022-07-08 20:23:38 UTC
This was fixed as part of `toolbox-0.0.9` which is included in 4.11, but is blocked from working correctly due to BZ#2093040.

Once the dependent BZ is fixed in 4.12 + 4.11.z, this should be able to be marked MODIFIED.

Comment 4 Timothée Ravier 2022-09-05 14:24:30 UTC
Whoops, my bad, this is still in POST.

Comment 6 HuijingHei 2022-09-21 00:39:35 UTC
Started rhcos-411.86.202209202019-0-qemu.x86_64.qcow2 with cosa and tested with scratch build https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=47840764; toolbox works well.

$ cosa run
[core@cosa-devsh ~]$ rpm -q toolbox
toolbox-0.1.0-1.rhaos4.11.el8.noarch
[core@cosa-devsh ~]$ vi ~/.toolboxrc
REGISTRY=quay.io                
IMAGE=fedora/fedora:36-x86_64   
TOOLBOX_NAME=toolbox-fedora-36

[core@cosa-devsh ~]$ toolbox 
.toolboxrc file detected, overriding defaults...
Trying to pull quay.io/fedora/fedora:36-x86_64...
Getting image source signatures
Copying blob 62946078034b done  
Copying config 2ecb6df959 done  
Writing manifest to image destination
Storing signatures
2ecb6df959942dd2fdeb65606ca2e42a54f8c06af10eeb594fdfc3e2656c53d1
Spawning a container 'toolbox-fedora-36' with image 'quay.io/fedora/fedora:36-x86_64'
499f2b7744ddfc05ca1d61fc765f1b4e1ed0f8e84bbf5fee440a28ab93e27adb
toolbox-fedora-36
Container started successfully. To exit, type 'exit'.

Comment 8 Timothée Ravier 2022-09-21 11:27:03 UTC
Let's move this one back to MODIFIED as it has not been picked up by a build yet.

Comment 10 Timothée Ravier 2022-09-22 09:37:32 UTC
Moving back to MODIFIED as it's now in a 4.11 build.

Comment 13 Michael Nguyen 2022-09-22 15:23:37 UTC
Verified on 4.11.0-0.nightly-2022-09-22-034852 which is running RHCOS 411.86.202209211811-0 with toolbox toolbox-0.1.0-1.rhaos4.11.el8.noarch


$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-09-22-034852   True        False         3m10s   Cluster version is 4.11.0-0.nightly-2022-09-22-034852
$ oc get no
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-129-129.us-east-2.compute.internal   Ready    worker   13m   v1.24.0+3882f8f
ip-10-0-139-157.us-east-2.compute.internal   Ready    worker   11m   v1.24.0+3882f8f
ip-10-0-145-187.us-east-2.compute.internal   Ready    master   18m   v1.24.0+3882f8f
ip-10-0-160-68.us-east-2.compute.internal    Ready    master   18m   v1.24.0+3882f8f
ip-10-0-221-10.us-east-2.compute.internal    Ready    master   18m   v1.24.0+3882f8f
ip-10-0-234-2.us-east-2.compute.internal     Ready    worker   12m   v1.24.0+3882f8f
$ oc debug node/ip-10-0-129-129.us-east-2.compute.internal
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/ip-10-0-129-129us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.129.129
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# vi ~/.toolboxrc
sh-4.4# cat ~/.toolboxrc 
REGISTRY=quay.io                
IMAGE=fedora/fedora:36-x86_64   
TOOLBOX_NAME=toolbox-fedora-36
sh-4.4# toolbox
.toolboxrc file detected, overriding defaults...
Trying to pull quay.io/fedora/fedora:36-x86_64...
Getting image source signatures
Copying blob 62946078034b done  
Copying config 2ecb6df959 done  
Writing manifest to image destination
Storing signatures
2ecb6df959942dd2fdeb65606ca2e42a54f8c06af10eeb594fdfc3e2656c53d1
Spawning a container 'toolbox-fedora-36' with image 'quay.io/fedora/fedora:36-x86_64'
66c8f46338f1151df10c41cb6815c3331223013794eb084195c06eecf56b3fc7
toolbox-fedora-36
Container started successfully. To exit, type 'exit'.
[root@toolbox /]# exit
exit

sh-4.4# toolbox
.toolboxrc file detected, overriding defaults...
Checking if there is a newer version of quay.io/fedora/fedora:36-x86_64 available...
Container 'toolbox-fedora-36' already exists. Trying to start...
(To remove the container and start with a fresh toolbox, run: sudo podman rm 'toolbox-fedora-36')
toolbox-fedora-36
Container started successfully. To exit, type 'exit'.
[root@toolbox /]# exit
exit

sh-4.4# toolbox
.toolboxrc file detected, overriding defaults...
Checking if there is a newer version of quay.io/fedora/fedora:36-x86_64 available...
Container 'toolbox-fedora-36' already exists. Trying to start...
(To remove the container and start with a fresh toolbox, run: sudo podman rm 'toolbox-fedora-36')
toolbox-fedora-36
Container started successfully. To exit, type 'exit'.
[root@toolbox /]# cat /etc/os-release 
NAME="Fedora Linux"
VERSION="36 (Container Image)"
ID=fedora
VERSION_ID=36
VERSION_CODENAME=""
PLATFORM_ID="platform:f36"
PRETTY_NAME="Fedora Linux 36 (Container Image)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:36"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f36/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=36
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=36
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Container Image"
VARIANT_ID=container
[root@toolbox /]# exit
exit

sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:42049fccd994c2bd4be11005a788c6e3e9590e32b2c95bd8174984da45585804
              CustomOrigin: Managed by machine-config-operator
                   Version: 411.86.202209211811-0 (2022-09-21T18:13:54Z)
sh-4.4# 
sh-4.4# rpm -q toolbox
toolbox-0.1.0-1.rhaos4.11.el8.noarch

Comment 15 errata-xmlrpc 2022-09-28 05:09:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.11.6 packages update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6658

