2109153 – pods for daemonset failed to create after file integrity operator upgrade from v0.1.24 to v0.1.29

Bug 2109153 - pods for daemonset failed to create after file integrity operator upgrade from v0.1.24 to v0.1.29

Summary: pods for daemonset failed to create after file integrity operator upgrade fro...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	File Integrity Operator
Sub Component:
Version:	4.11
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.12.0
Assignee:	Matt Rogers
QA Contact:	xiyuan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-07-20 14:27 UTC by xiyuan
Modified:	2023-01-10 00:58 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	* Previously, service account ownership for the File Integrity Operator regressed due to underlying OLM updates, and updates from 0.1.24 to 0.1.29 were broken. With this update, the Operator should default to upgrading to 0.1.30. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2109153[BZ#2109153]
Clone Of:
Environment:
Last Closed:	2022-08-02 08:17:03 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift file-integrity-operator pull 272	0	None	open	Bug 2109153: Restore CSV ownership of ServiceAccounts	2022-07-21 17:16:30 UTC
Red Hat Product Errata	RHBA-2022:5538	0	None	None	None	2022-08-02 08:17:09 UTC

Description xiyuan 2022-07-20 14:27:04 UTC

Version-Release number of selected component (if applicable):
File integrity operator + file-integrity-operator.v0.1.29
High

How reproducible:
Always

Description of problem:
pods "aide-example-fileintegrity-" failed to create after file integrity operator upgrade from v0.1.24 to v0.1.29
$ oc get fileintegrity example-fileintegrity -o=jsonpath={.status}
{"phase":"Initializing"}
$ oc describe daemonset aide-example-fileintegrity | tail
  Type     Reason            Age                     From                  Message
  ----     ------            ----                    ----                  -------
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-8rrdw
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-2k9sr
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-hzbpz
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-zcg6b
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-lxh9q
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-szssh
  Normal   SuccessfulDelete  8m39s                   daemonset-controller  Deleted pod: aide-example-fileintegrity-2k9sr
  Warning  FailedCreate      4m39s (x23 over 8m19s)  daemonset-controller  Error creating: pods "aide-example-fileintegrity-" is forbidden: error looking up service account openshift-file-integrity/file-integrity-daemon: serviceaccount "file-integrity-daemon" not found

How reproducible:
Always

Steps to Reproduce:
installed released version v0.1.24
upgrade to latest version v0.1.29
Actual results:
File integrity upgrade succeeded, but pods for daemonset failed to create
$ oc get ip
NAME            CSV                               APPROVAL    APPROVED
install-cttq5   file-integrity-operator.v0.1.29   Automatic   true
install-qdcq5   file-integrity-operator.v0.1.24   Automatic   true
$ oc get csv -w
NAME                              DISPLAY                            VERSION   REPLACES                          PHASE
elasticsearch-operator.v5.5.0     OpenShift Elasticsearch Operator   5.5.0                                       Succeeded
file-integrity-operator.v0.1.24   File Integrity Operator            0.1.24                                      Replacing
file-integrity-operator.v0.1.29   File Integrity Operator            0.1.29    file-integrity-operator.v0.1.24   Installing
file-integrity-operator.v0.1.29   File Integrity Operator            0.1.29    file-integrity-operator.v0.1.24   Succeeded
file-integrity-operator.v0.1.24   File Integrity Operator            0.1.24                                      Deleting
file-integrity-operator.v0.1.24   File Integrity Operator            0.1.24                                      Deleting
^C$ oc get pod -w
NAME                                       READY   STATUS        RESTARTS        AGE
aide-example-fileintegrity-2k9sr           1/1     Terminating   0               2m44s
aide-example-fileintegrity-8rrdw           1/1     Terminating   0               2m44s
aide-example-fileintegrity-hzbpz           1/1     Terminating   0               2m44s
aide-example-fileintegrity-lxh9q           1/1     Terminating   0               2m44s
aide-example-fileintegrity-szssh           1/1     Terminating   0               2m44s
aide-example-fileintegrity-zcg6b           1/1     Terminating   0               2m44s
file-integrity-operator-5ddddddf69-lmn6q   1/1     Terminating   1 (4m54s ago)   5m11s
file-integrity-operator-6cfdc94d56-w8r5p   1/1     Running       0               18s
^C$ oc get fileintegrity
NAME                    AGE
example-fileintegrity   2m56s
$ oc get pod -w
NAME                                       READY   STATUS        RESTARTS        AGE
file-integrity-operator-5ddddddf69-lmn6q   1/1     Terminating   1 (5m14s ago)   5m31s
file-integrity-operator-6cfdc94d56-w8r5p   1/1     Running       0               38s
file-integrity-operator-5ddddddf69-lmn6q   0/1     Terminating   1 (5m16s ago)   5m33s
file-integrity-operator-5ddddddf69-lmn6q   0/1     Terminating   1 (5m16s ago)   5m33s
file-integrity-operator-5ddddddf69-lmn6q   0/1     Terminating   1 (5m16s ago)   5m33s
^$ oc get fileintegrity example-fileintegrity -o=jsonpath={.status}                                   e'
{"phase":"Initializing"}
$ oc get pod
NAME                                       READY   STATUS    RESTARTS   AGE
file-integrity-operator-6cfdc94d56-w8r5p   1/1     Running   0          78s
$ oc describe daemonset aide-example-fileintegrity | tail
  Type     Reason            Age                     From                  Message
  ----     ------            ----                    ----                  -------
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-8rrdw
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-2k9sr
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-hzbpz
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-zcg6b
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-lxh9q
  Normal   SuccessfulCreate  11m                     daemonset-controller  Created pod: aide-example-fileintegrity-szssh
  Normal   SuccessfulDelete  8m39s                   daemonset-controller  Deleted pod: aide-example-fileintegrity-2k9sr
  Warning  FailedCreate      4m39s (x23 over 8m19s)  daemonset-controller  Error creating: pods "aide-example-fileintegrity-" is forbidden: error looking up service account openshift-file-integrity/file-integrity-daemon: serviceaccount "file-integrity-daemon" not found

Expected Result:
File integrity operator upgrade succeeded. Pod for daemonset created successfully.

Comment 1 Varad Ahirwadkar 2022-07-21 14:16:47 UTC

I have seen the same issue after repeating the above steps.

# oc get csv -w
NAME                              DISPLAY                   VERSION   REPLACES                          PHASE
file-integrity-operator.v0.1.24   File Integrity Operator   0.1.24                                      Replacing
file-integrity-operator.v0.1.29   File Integrity Operator   0.1.29    file-integrity-operator.v0.1.24   Pending
file-integrity-operator.v0.1.29   File Integrity Operator   0.1.29    file-integrity-operator.v0.1.24   InstallReady
file-integrity-operator.v0.1.29   File Integrity Operator   0.1.29    file-integrity-operator.v0.1.24   Installing
file-integrity-operator.v0.1.29   File Integrity Operator   0.1.29    file-integrity-operator.v0.1.24   Installing
file-integrity-operator.v0.1.29   File Integrity Operator   0.1.29    file-integrity-operator.v0.1.24   Succeeded
file-integrity-operator.v0.1.24   File Integrity Operator   0.1.24                                      Deleting
file-integrity-operator.v0.1.24   File Integrity Operator   0.1.24                                      Deleting

# oc get pods
NAME                                       READY   STATUS    RESTARTS   AGE
file-integrity-operator-64d7d684b5-xmp9h   1/1     Running   0          8m47s

# oc get fileintegrity
NAME                    AGE
example-fileintegrity   12m

# oc get fileintegrity example-fileintegrity -o=jsonpath={.status}
{"phase":"Initializing"}

# oc describe daemonset aide-example-fileintegrity | tailple-fileintegrity | tail
Events:
  Type     Reason            Age                  From                  Message
  ----     ------            ----                 ----                  -------
  Normal   SuccessfulCreate  4m20s                daemonset-controller  Created pod: aide-example-fileintegrity-8pcdp
  Normal   SuccessfulCreate  4m20s                daemonset-controller  Created pod: aide-example-fileintegrity-lz9v5
  Normal   SuccessfulCreate  4m20s                daemonset-controller  Created pod: aide-example-fileintegrity-4vflg
  Normal   SuccessfulCreate  4m20s                daemonset-controller  Created pod: aide-example-fileintegrity-qgxvx
  Normal   SuccessfulCreate  4m20s                daemonset-controller  Created pod: aide-example-fileintegrity-r9w72
  Normal   SuccessfulCreate  4m20s                daemonset-controller  Created pod: aide-example-fileintegrity-bxf7b
  Warning  FailedCreate      92s (x19 over 119s)  daemonset-controller  Error creating: pods "aide-example-fileintegrity-" is forbidden: error looking up service account openshift-file-integrity/file-integrity-daemon: serviceaccount "file-integrity-daemon" not found

Must gather logs: https://drive.google.com/file/d/1bD9wlP7uKEMbdJt4Rg-_trJb5b-WFyPW/view?usp=sharing

Comment 2 Varad Ahirwadkar 2022-07-21 14:19:05 UTC

(In reply to Varad Ahirwadkar from comment #1)
> I have seen the same issue after repeating the above steps.
 this is on OCP 4.11-rc.2 release on Power architecture

Comment 3 Matt Rogers 2022-07-21 17:24:09 UTC

Prior to the operator-sdk update (in 0.1.24) we included the daemon SA along with the CSV. https://github.com/openshift/file-integrity-operator/blob/330c718c6fe1c891f9a7c6ca3f4c67ed743258cc/deploy/olm-catalog/file-integrity-operator/manifests/file-integrity-operator.clusterserviceversion.yaml#L250
After the operator-sdk update, the daemon rolebinding was moved out of the CSV directly and included in the bundle's manifests, which changed the ownership status of the SA. Since the SA was only owned by the old CSV, it was deleted after 0.1.29 rolls out. Note, this also included the 'file-integrity-operator-metrics' SA.

https://github.com/openshift/file-integrity-operator/pull/272 adds a fix to move the SAs back into the CSV so they can retain ownership. I tested a catalog upgrade from 0.1.24 with it, and it worked for me.

Comment 4 xiyuan 2022-07-25 15:07:02 UTC

Verification pass with bug pre-merge process.
With https://github.com/openshift/file-integrity-operator/pull/272, follow steps in https://github.com/openshift/file-integrity-operator#building-and-deploying-from-source, make catalog quay.io/xiyuan/file-integrity-operator-catalog:0722.
#########Scenario 1: upgrade from v0.1.24 to v0.1.29:
1. install file-integrity-operator.v0.1.24 and create fileintegrity:
 oc get ip
NAME            CSV                               APPROVAL    APPROVED
install-766v8   file-integrity-operator.v0.1.24   Automatic   true
$ oc get csv
NAME                              DISPLAY                            VERSION   REPLACES   PHASE
elasticsearch-operator.v5.5.0     OpenShift Elasticsearch Operator   5.5.0                Succeeded
file-integrity-operator.v0.1.24   File Integrity Operator            0.1.24               Succeeded
$ oc apply -f -<<EOF
apiVersion: fileintegrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  name: example-fileintegrity
spec:
  config:
    gracePeriod: 20
    maxBackups: 5
  debug: true
EOF
fileintegrity.fileintegrity.openshift.io/example-fileintegrity created
$ oc get daemonset -w
NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
aide-example-fileintegrity   6         6         6       6            6           <none>          30s
^C$ oc get pod
NAME                                       READY   STATUS    RESTARTS      AGE
aide-example-fileintegrity-28vrx           1/1     Running   0             35s
aide-example-fileintegrity-2rftr           1/1     Running   0             35s
aide-example-fileintegrity-h7nd8           1/1     Running   0             35s
aide-example-fileintegrity-hn2w7           1/1     Running   0             35s
aide-example-fileintegrity-hn465           1/1     Running   0             35s
aide-example-fileintegrity-nz6pn           1/1     Running   0             35s
file-integrity-operator-5ddddddf69-qmvzb   1/1     Running   1 (66s ago)   89s
$ oc get fileintegrity example-fileintegrity  -o=jsonpath={.status}
{"phase":"Active"}$ oc get fileintegritynodestatus
NAME                                                             NODE                                       STATUS
example-fileintegrity-xiyuan25-3-6rdl2-master-0                  xiyuan25-3-6rdl2-master-0                  Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-master-1                  xiyuan25-3-6rdl2-master-1                  Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-master-2                  xiyuan25-3-6rdl2-master-2                  Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2   xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2   Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh   xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh   Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd   xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd   Succeeded
2. upgrade:
$ oc describe packagemanifest file-integrity-operator
Name:         file-integrity-operator
...
      Maturity:  alpha
      Provider:
        Name:  Red Hat
        URL:   https://github.com/openshift/file-integrity-operator
      Related Images:
        quay.io/xiyuan/file-integrity-operator:0722
        quay.io/file-integrity-operator/file-integrity-operator:latest
      Version:      0.1.29
    Name:           alpha
  Default Channel:  alpha
  Package Name:     file-integrity-operator
  Provider:
    Name:  Red Hat
    URL:   https://github.com/openshift/file-integrity-operator
Events:    <none>
$ oc patch sub file-integrity-operator -p '{"spec":{"source":"file-integrity-operator","channel":"alpha"}}' --type='merge'
subscription.operators.coreos.com/file-integrity-operator patched
$ oc get ip
NAME            CSV                               APPROVAL    APPROVED
install-766v8   file-integrity-operator.v0.1.24   Automatic   true
install-n4z7m   file-integrity-operator.v0.1.29   Automatic   true
$ oc get csv -w
NAME                              DISPLAY                            VERSION   REPLACES                          PHASE
elasticsearch-operator.v5.5.0     OpenShift Elasticsearch Operator   5.5.0                                       Succeeded
file-integrity-operator.v0.1.24   File Integrity Operator            0.1.24                                      Replacing
file-integrity-operator.v0.1.29   File Integrity Operator            0.1.29    file-integrity-operator.v0.1.24   Installing
file-integrity-operator.v0.1.29   File Integrity Operator            0.1.29    file-integrity-operator.v0.1.24   Succeeded
file-integrity-operator.v0.1.24   File Integrity Operator            0.1.24                                      Deleting
file-integrity-operator.v0.1.24   File Integrity Operator            0.1.24                                      Deleting
^C$ oc get daemonset -w
NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
aide-example-fileintegrity   6         6         6       1            6           <none>          5m13s
aide-example-fileintegrity   6         6         5       1            5           <none>          5m14s
aide-example-fileintegrity   6         6         5       2            5           <none>          5m14s
aide-example-fileintegrity   6         6         6       2            6           <none>          5m17s
aide-example-fileintegrity   6         6         5       2            5           <none>          5m22s
aide-example-fileintegrity   6         6         5       3            5           <none>          5m22s
aide-example-fileintegrity   6         6         4       3            4           <none>          5m22s
aide-example-fileintegrity   6         6         4       4            4           <none>          5m22s
aide-example-fileintegrity   6         6         3       4            3           <none>          5m23s
aide-example-fileintegrity   6         6         3       5            3           <none>          5m23s
aide-example-fileintegrity   6         6         2       5            2           <none>          5m23s
aide-example-fileintegrity   6         6         2       6            2           <none>          5m23s
aide-example-fileintegrity   6         6         3       6            3           <none>          5m24s
aide-example-fileintegrity   6         6         4       6            4           <none>          5m25s
aide-example-fileintegrity   6         6         5       6            5           <none>          5m25s
aide-example-fileintegrity   6         6         6       6            6           <none>          5m26s
^C$ oc get pod
NAME                                       READY   STATUS    RESTARTS   AGE
aide-example-fileintegrity-4r2tp           1/1     Running   0          32s
aide-example-fileintegrity-7f5sn           1/1     Running   0          12s
aide-example-fileintegrity-ncdbq           1/1     Running   0          13s
aide-example-fileintegrity-nr72p           1/1     Running   0          13s
aide-example-fileintegrity-w4fcf           1/1     Running   0          21s
aide-example-fileintegrity-x9bmt           1/1     Running   0          12s
file-integrity-operator-7f7b97b9db-vj4np   1/1     Running   0          43s
$ oc get fileintegrity example-fileintegrity  -o=jsonpath={.status}
{"phase":"Active"}
$ oc get fileintegritynodestatus
NAME                                                             NODE                                       STATUS
example-fileintegrity-xiyuan25-3-6rdl2-master-0                  xiyuan25-3-6rdl2-master-0                  Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-master-1                  xiyuan25-3-6rdl2-master-1                  Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-master-2                  xiyuan25-3-6rdl2-master-2                  Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2   xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2   Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh   xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh   Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd   xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd   Succeeded

#######Scenario 2: deploy FIO to a namespace without openshift prefix:
oc apply -f -<<EOF
> apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: file-integrity-operator
  namespace: openshift-marketplace
spec:
  displayName: openshift-file-integrity-operator
  publisher: Red Hat
  sourceType: grpc
  image: quay.io/xiyuan/file-integrity-operator-catalog:0722
---
apiVersion: v1
kind: Namespace
metadata:
  name: fio
  labels:
    openshift.io/cluster-monitoring: "true"
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
   name: openshift-file-integrity-qbcd
   namespace: fio
spec:
   targetNamespaces:
   - fio
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
   name: file-integrity-operator
   namespace: fio
spec:
   channel: alpha
   Approval: Automatic
   name: file-integrity-operator
   source: file-integrity-operator
   sourceNamespace: openshift-marketplace
EOF
catalogsource.operators.coreos.com/file-integrity-operator unchanged
namespace/fio created
operatorgroup.operators.coreos.com/openshift-file-integrity-qbcd created
subscription.operators.coreos.com/file-integrity-operator created
$ oc patch sub file-integrity-operator -p '{"spec":{"channel":"alpha"}}' --type='merge' -n fio
subscription.operators.coreos.com/file-integrity-operator patched
$ oc project fio
Now using project "fio" on server "https://api.xiyuan25-3.alicloud-qe.devcluster.openshift.com:6443".
$ oc get ip
NAME            CSV                               APPROVAL    APPROVED
install-rpv4f   file-integrity-operator.v0.1.29   Automatic   true
$ oc get csv -w
NAME                              DISPLAY                            VERSION   REPLACES   PHASE
elasticsearch-operator.v5.5.0     OpenShift Elasticsearch Operator   5.5.0                Succeeded
file-integrity-operator.v0.1.29   File Integrity Operator            0.1.29               Succeeded
^C$ oc get pod
NAME                                       READY   STATUS    RESTARTS      AGE
file-integrity-operator-5cf4ffcccb-zh686   1/1     Running   1 (11s ago)   17s
$ oc apply -f fileintegrity.yaml 
fileintegrity.fileintegrity.openshift.io/example-fileintegrity created
$ oc get daemonset -w
NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
aide-example-fileintegrity   6         6         6       6            6           <none>          8s
^C$ oc get pod
NAME                                       READY   STATUS    RESTARTS      AGE
aide-example-fileintegrity-684cj           1/1     Running   0             14s
aide-example-fileintegrity-j2kkv           1/1     Running   0             14s
aide-example-fileintegrity-ktgh7           1/1     Running   0             14s
aide-example-fileintegrity-mgxxh           1/1     Running   0             14s
aide-example-fileintegrity-s8rvn           1/1     Running   0             14s
aide-example-fileintegrity-zwbsc           1/1     Running   0             14s
file-integrity-operator-5cf4ffcccb-zh686   1/1     Running   1 (33s ago)   39s
$ oc get fileintegrity example-fileintegrity  -o=jsonpath={.status}
{"phase":"Active"}
$ oc get fileintegritynodestatus
NAME                                                             NODE                                       STATUS
example-fileintegrity-xiyuan25-3-6rdl2-master-0                  xiyuan25-3-6rdl2-master-0                  Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-master-1                  xiyuan25-3-6rdl2-master-1                  Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-master-2                  xiyuan25-3-6rdl2-master-2                  Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2   xiyuan25-3-6rdl2-worker-us-east-1a-q6nc2   Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh   xiyuan25-3-6rdl2-worker-us-east-1b-5n8sh   Succeeded
example-fileintegrity-xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd   xiyuan25-3-6rdl2-worker-us-east-1b-wkwxd   Succeeded

Comment 8 Varad Ahirwadkar 2022-07-27 13:38:34 UTC

Successfully Upgraded FIO from v0.1.24 to v0.1.30 on Power OCP 4.11.0-rc.2 release

#  oc get csv -n openshift-file-integrity
file-integrity-operator.v0.1.30   File Integrity Operator   0.1.30    file-integrity-operator.v0.1.24   Succeeded

# oc get fileintegrity example-fileintegrity  -o=jsonpath={.status}
{"phase":"Active"}

# oc get pods
NAME                                       READY   STATUS    RESTARTS   AGE
aide-example-fileintegrity-5gw7p           1/1     Running   0          34s
aide-example-fileintegrity-6z9ph           1/1     Running   0          35s
aide-example-fileintegrity-d46bc           1/1     Running   0          35s
aide-example-fileintegrity-dkdld           1/1     Running   0          35s
aide-example-fileintegrity-q44fh           1/1     Running   0          35s
aide-example-fileintegrity-xc996           1/1     Running   0          35s
file-integrity-operator-79bbc8dc86-nqzjz   1/1     Running   0          78s

# oc get fileintegritynodestatus
NAME                                                                     NODE                                               STATUS
example-fileintegrity-tor01-master-0.rdr-varad-ocp-411-rc2-upi.ibm.com   tor01-master-0.rdr-varad-ocp-411-rc2-upi.ibm.com   Succeeded
example-fileintegrity-tor01-master-1.rdr-varad-ocp-411-rc2-upi.ibm.com   tor01-master-1.rdr-varad-ocp-411-rc2-upi.ibm.com   Succeeded
example-fileintegrity-tor01-master-2.rdr-varad-ocp-411-rc2-upi.ibm.com   tor01-master-2.rdr-varad-ocp-411-rc2-upi.ibm.com   Succeeded
example-fileintegrity-tor01-worker-0.rdr-varad-ocp-411-rc2-upi.ibm.com   tor01-worker-0.rdr-varad-ocp-411-rc2-upi.ibm.com   Succeeded
example-fileintegrity-tor01-worker-1.rdr-varad-ocp-411-rc2-upi.ibm.com   tor01-worker-1.rdr-varad-ocp-411-rc2-upi.ibm.com   Succeeded
example-fileintegrity-tor01-worker-2.rdr-varad-ocp-411-rc2-upi.ibm.com   tor01-worker-2.rdr-varad-ocp-411-rc2-upi.ibm.com   Succeeded

# oc describe daemonset aide-example-fileintegrity | tail
  Normal  SuccessfulCreate  6m24s                  daemonset-controller  Created pod: aide-example-fileintegrity-x7jzx
  Normal  SuccessfulCreate  6m24s                  daemonset-controller  Created pod: aide-example-fileintegrity-hpb5k
  Normal  SuccessfulCreate  6m24s                  daemonset-controller  Created pod: aide-example-fileintegrity-t2wck
  Normal  SuccessfulCreate  6m24s                  daemonset-controller  Created pod: aide-example-fileintegrity-9jv2j
  Normal  SuccessfulCreate  6m24s                  daemonset-controller  Created pod: aide-example-fileintegrity-4btw4
  Normal  SuccessfulDelete  4m25s                  daemonset-controller  Deleted pod: aide-example-fileintegrity-t2wck
  Normal  SuccessfulCreate  3m54s                  daemonset-controller  Created pod: aide-example-fileintegrity-6z9ph
  Normal  SuccessfulCreate  3m54s                  daemonset-controller  Created pod: aide-example-fileintegrity-d46bc
  Normal  SuccessfulCreate  3m54s                  daemonset-controller  Created pod: aide-example-fileintegrity-dkdld
  Normal  SuccessfulCreate  3m53s (x3 over 3m54s)  daemonset-controller  (combined from similar events): Created pod: aide-example-fileintegrity-5gw7p

Comment 9 xiyuan 2022-07-28 03:57:50 UTC

verification pass with 4.12.0-0.nightly-2022-07-27-133042 and file-integrity-operator.v0.1.30
1. installed released version v0.1.24
2. upgrade to latest version v0.1.30
$ oc get ip -w
NAME            CSV                               APPROVAL    APPROVED
install-7msxh   file-integrity-operator.v0.1.24   Automatic   true
install-hx49f   file-integrity-operator.v0.1.30   Automatic   true
install-hx49f   file-integrity-operator.v0.1.30   Automatic   true
^C$ oc get csv -w
NAME                              DISPLAY                            VERSION   REPLACES   PHASE
elasticsearch-operator.v5.5.0     OpenShift Elasticsearch Operator   5.5.0                Succeeded
file-integrity-operator.v0.1.24   File Integrity Operator            0.1.24               Succeeded
file-integrity-operator.v0.1.30   File Integrity Operator            0.1.30    file-integrity-operator.v0.1.24   
file-integrity-operator.v0.1.30   File Integrity Operator            0.1.30    file-integrity-operator.v0.1.24   
file-integrity-operator.v0.1.24   File Integrity Operator            0.1.24                                      Replacing
file-integrity-operator.v0.1.30   File Integrity Operator            0.1.30    file-integrity-operator.v0.1.24   Pending
file-integrity-operator.v0.1.30   File Integrity Operator            0.1.30    file-integrity-operator.v0.1.24   Pending
file-integrity-operator.v0.1.30   File Integrity Operator            0.1.30    file-integrity-operator.v0.1.24   InstallReady
file-integrity-operator.v0.1.30   File Integrity Operator            0.1.30    file-integrity-operator.v0.1.24   Installing
file-integrity-operator.v0.1.30   File Integrity Operator            0.1.30    file-integrity-operator.v0.1.24   Installing
file-integrity-operator.v0.1.30   File Integrity Operator            0.1.30    file-integrity-operator.v0.1.24   Installing
file-integrity-operator.v0.1.30   File Integrity Operator            0.1.30    file-integrity-operator.v0.1.24   Installing
file-integrity-operator.v0.1.30   File Integrity Operator            0.1.30    file-integrity-operator.v0.1.24   Succeeded
file-integrity-operator.v0.1.24   File Integrity Operator            0.1.24                                      Deleting
file-integrity-operator.v0.1.24   File Integrity Operator            0.1.24                                      Deleting
3. check upgrade result
$ oc get pod 
NAME                                       READY   STATUS              RESTARTS        AGE
aide-example-fileintegrity-7bt6q           0/1     ContainerCreating   0               4s
aide-example-fileintegrity-fdgrs           0/1     ContainerCreating   0               4s
aide-example-fileintegrity-fztrz           1/1     Running             0               4s
aide-example-fileintegrity-mvhfq           0/1     ContainerCreating   0               4s
aide-example-fileintegrity-rsg57           0/1     ContainerCreating   0               4s
aide-example-fileintegrity-vvrdj           0/1     ContainerCreating   0               4s
file-integrity-operator-5ddddddf69-cbzzk   1/1     Terminating         1 (7m16s ago)   7m37s
file-integrity-operator-79bbc8dc86-2dk42   1/1     Running             0               40s
$ oc get daemonset -w
NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
aide-example-fileintegrity   6         6         5       6            5           <none>          6m57s
aide-example-fileintegrity   6         6         6       6            6           <none>          6m57s
^C$ oc get pod
NAME                                       READY   STATUS    RESTARTS   AGE
aide-example-fileintegrity-7bt6q           1/1     Running   0          23s
aide-example-fileintegrity-fdgrs           1/1     Running   0          23s
aide-example-fileintegrity-fztrz           1/1     Running   0          23s
aide-example-fileintegrity-mvhfq           1/1     Running   0          23s
aide-example-fileintegrity-rsg57           1/1     Running   0          23s
aide-example-fileintegrity-vvrdj           1/1     Running   0          23s
file-integrity-operator-79bbc8dc86-2dk42   1/1     Running   0          59s
$ oc get fileintegrity  example-fileintegrity -o=jsonpath={.status}
{"phase":"Active"}

Comment 12 errata-xmlrpc 2022-08-02 08:17:03 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift File Integrity Operator bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5538

Note You need to log in before you can comment on or make changes to this bug.