Bug 2115089 - Update container-tools:4.0/toolbox to 0.0.99.3
Summary: Update container-tools:4.0/toolbox to 0.0.99.3
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-11-14
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: toolbox
Version: 8.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Debarshi Ray
QA Contact: Petr Schindler
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-08-03 19:46 UTC by Juan Sebastian Castro
Modified: 2023-05-16 10:16 UTC

Fixed In Version: toolbox-0.0.99.3-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-16 08:30:25 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-130232 0 None None None 2022-08-03 19:50:04 UTC
Red Hat Product Errata RHSA-2023:2802 0 None None None 2023-05-16 08:44:51 UTC

Description Juan Sebastian Castro 2022-08-03 19:46:07 UTC
Description of problem: 
The latest toolbox version is only available on streams 3.0 and according to https://access.redhat.com/support/policy/updates/containertools the rolling stream should provide the 'latest' versions. Checking container-tools:rhel8 streams seems to have only 0.0.99.3-0.4 and 0.0.99.3-0.6 versions available.

Version-Release number of selected component (if applicable):
toolbox-0.0.99.3-1

How reproducible:
Always

Steps to Reproduce:

On a lab rhel 8.6 system

[root@rhel86 ~]# dnf module provides 'toolbox-0.0.99.3-[01]*module+el8.6.0*'
Last metadata expiration check: 0:35:12 ago on Wed 03 Aug 2022 06:11:26 PM UTC.
toolbox-0.0.99.3-0.4.module+el8.6.0+14672+b2f82327.x86_64
Module   : container-tools:4.0:8060020220401155902:2e213529:x86_64
Profiles : common
Repo     : rhel-8-for-x86_64-appstream-rpms
Summary  : Stable versions of podman 4.0, buildah 1.24, skopeo 1.6, runc, conmon, etc as well as dependencies such as container-selinux built and tested together, and supported as documented on the Application Stream lifecycle page.

toolbox-0.0.99.3-0.4.module+el8.6.0+14672+b2f82327.x86_64
Module   : container-tools:4.0:8060020220422125844:3b538bd8:x86_64
Profiles : common
Repo     : rhel-8-for-x86_64-appstream-rpms
Summary  : Stable versions of podman 4.0, buildah 1.24, skopeo 1.6, runc, conmon, etc as well as dependencies such as container-selinux built and tested together, and supported as documented on the Application Stream lifecycle page.

toolbox-0.0.99.3-0.4.module+el8.6.0+14673+621cb8be.x86_64
Module   : container-tools:rhel8:8060020220401155929:2e213529:x86_64
Profiles : common
Repo     : rhel-8-for-x86_64-appstream-rpms
Summary  : Most recent (rolling) versions of podman, buildah, skopeo, runc, conmon, runc, conmon, CRIU, Udica, etc as well as dependencies such as container-selinux built and tested together, and updated as frequently as every 12 weeks.

toolbox-0.0.99.3-0.4.module+el8.6.0+14877+f643d2d6.x86_64
Module   : container-tools:rhel8:8060020220426163604:3b538bd8:x86_64
Profiles : common
Repo     : rhel-8-for-x86_64-appstream-rpms
Summary  : Most recent (rolling) versions of podman, buildah, skopeo, runc, conmon, runc, conmon, CRIU, Udica, etc as well as dependencies such as container-selinux built and tested together, and updated as frequently as every 12 weeks.

toolbox-0.0.99.3-0.6.module+el8.6.0+15917+093ca6f8.x86_64
Module   : container-tools:rhel8:8060020220711143429:3b538bd8:x86_64
Profiles : common
Repo     : rhel-8-for-x86_64-appstream-rpms
Summary  : Most recent (rolling) versions of podman, buildah, skopeo, runc, conmon, runc, conmon, CRIU, Udica, etc as well as dependencies such as container-selinux built and tested together, and updated as frequently as every 12 weeks.

toolbox-0.0.99.3-1.module+el8.6.0+14694+4f5132e0.x86_64
Module   : container-tools:3.0:8060020220404111443:2e213529:x86_64
Profiles : common
Repo     : rhel-8-for-x86_64-appstream-rpms
Summary  : Stable versions of podman 3.0, buildah 1.19, skopeo 1.2, runc, conmon, etc as well as dependencies such as container-selinux built and tested together, and supported as documented on the Application Stream lifecycle page.

toolbox-0.0.99.3-1.module+el8.6.0+14874+64436299.x86_64
Module   : container-tools:3.0:8060020220419093427:3b538bd8:x86_64
Profiles : common
Repo     : rhel-8-for-x86_64-appstream-rpms
Summary  : Stable versions of podman 3.0, buildah 1.19, skopeo 1.2, runc, conmon, etc as well as dependencies such as container-selinux built and tested together, and supported as documented on the Application Stream lifecycle page.


Actual results:
Versions available in rhel8 stream:

toolbox-0.0.99.3-0.4
toolbox-0.0.99.3-0.6


Expected results:
Version should be toolbox-0.0.99.3-1 in rhel8 stream

Additional info:
Customer verified the RHEL advisory https://access.redhat.com/errata/RHSA-2022:2143

The server is fully updated.  We're wondering why "toolbox-0.0.99.3-1" isn't included in the "rolling" stream of container-tools?
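
One way to reduce the `dnf module provides` output above to the highest toolbox build offered by each container-tools stream. This is an added example, not part of the original report: the function names are hypothetical, the sample is a constructed, trimmed copy of the output quoted above, and GNU `sort -V` is used as an approximation of RPM's own version comparison.

```shell
#!/usr/bin/env bash
# Added example: summarise `dnf module provides` output per module stream.

# Constructed sample: trimmed copy of the output quoted in the report
# (Profiles, Repo and Summary lines dropped, one build per module context).
sample_output() {
cat <<'EOF'
toolbox-0.0.99.3-0.4.module+el8.6.0+14672+b2f82327.x86_64
Module   : container-tools:4.0:8060020220401155902:2e213529:x86_64
toolbox-0.0.99.3-0.4.module+el8.6.0+14877+f643d2d6.x86_64
Module   : container-tools:rhel8:8060020220426163604:3b538bd8:x86_64
toolbox-0.0.99.3-0.6.module+el8.6.0+15917+093ca6f8.x86_64
Module   : container-tools:rhel8:8060020220711143429:3b538bd8:x86_64
toolbox-0.0.99.3-1.module+el8.6.0+14874+64436299.x86_64
Module   : container-tools:3.0:8060020220419093427:3b538bd8:x86_64
EOF
}

# Read the dnf output on stdin and print "<stream> <version>-<release>"
# for every package line that is followed by a "Module :" line.
stream_pairs() {
  awk '
    /^toolbox-[0-9]/ {
      pkg = $0
      sub(/^toolbox-/, "", pkg)           # drop the package name
      sub(/[.]module[+].*$/, "", pkg)     # drop module build suffix and arch
      next
    }
    /^Module[ \t]*:/ && pkg != "" {
      split($3, m, ":")                   # name:stream:version:context:arch
      print m[2], pkg
      pkg = ""
    }'
}

# Keep only the highest version-release per stream.
# sort -V (GNU coreutils) approximates rpmvercmp; it is not RPM's comparator.
latest_per_stream() {
  stream_pairs | LC_ALL=C sort -u | LC_ALL=C sort -k1,1 -k2,2V |
    awk '{ best[$1] = $2 } END { for (s in best) print s, best[s] }' |
    LC_ALL=C sort
}

sample_output | latest_per_stream
```

The summary compares version-release strings only; it does not show which upstream sources a given build contains.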

Comment 1 Debarshi Ray 2022-08-09 11:43:31 UTC
We don't have the upstream toolbox-0.0.99.3 release built in RHEL 8.  That's why there's no toolbox-0.0.99.3-1 build.  See bug 2047290 for that.

(In reply to Juan Sebastian Castro from comment #0)
>
> [...]
>
> Actual results:
> Versions available in rhel8 stream:
> 
> toolbox-0.0.99.3-0.4
> toolbox-0.0.99.3-0.6

That said, the latest RHEL 8 build should be toolbox-0.0.99.3-0.8.

Comment 3 Debarshi Ray 2022-08-09 15:16:07 UTC
(In reply to Debarshi Ray from comment #1)
> (In reply to Juan Sebastian Castro from comment #0)
> >
> > [...]
> >
> > Actual results:
> > Versions available in rhel8 stream:
> > 
> > toolbox-0.0.99.3-0.4
> > toolbox-0.0.99.3-0.6
> 
> That said, the latest RHEL 8 build should be toolbox-0.0.99.3-0.8.

Could you please show me the contents of your /etc/containers/toolbox.conf ?

Comment 4 Juan Sebastian Castro 2022-08-17 14:11:00 UTC
Hello Debarshi, from test box r86 toolbox-0.0.99.3-0.4.module+el8.6.0+14877+f643d2d6.x86_64 was installed and content of /etc/containers/toolbox.conf is:

[root@rhel86 ~]# cat /etc/containers/toolbox.conf
[general]
# Create a toolbox container for a different operating system distro than the
# host. Cannot be used with 'image'.
## distro = "fedora"

# Create a toolbox container for a different operating system release than the
# host. Cannot be used with 'image'.
## release = "33"

# Change the name of the image used to create the toolbox container. This is
# useful for creating containers from custom-built images. Cannot be used with
# 'distro' or 'release'.
#
# If the name does not contain a registry, the local image storage will be
# consulted, and if it's not present there then it will be pulled from a
# suitable remote registry.
image = "registry.access.redhat.com/ubi8/toolbox:latest"
[root@rhel86 ~]# rpm -qa | grep toolbox
toolbox-0.0.99.3-0.4.module+el8.6.0+14877+f643d2d6.x86_64
 
--------------------------------------------------------------------------------------------------------------------------------

[root@rhel86 ~]# cat /etc/containers/toolbox.conf
[general]
# Create a toolbox container for a different operating system distro than the
# host. Cannot be used with 'image'.
## distro = "fedora"

# Create a toolbox container for a different operating system release than the
# host. Cannot be used with 'image'.
## release = "33"

# Change the name of the image used to create the toolbox container. This is
# useful for creating containers from custom-built images. Cannot be used with
# 'distro' or 'release'.
#
# If the name does not contain a registry, the local image storage will be
# consulted, and if it's not present there then it will be pulled from a
# suitable remote registry.
image = "registry.access.redhat.com/ubi8/toolbox:latest"
[root@rhel86 ~]# rpm -qa | grep toolbox
toolbox-0.0.99.3-0.6.module+el8.6.0+15917+093ca6f8.x86_64

Both versions are available from the rhel8 stream, that is, the most recent (rolling) version that provides the latest packages for podman, buildah, etc., as well as dependency packages for those components. But toolbox-0.0.99.3-1 is not coming on the rhel8 stream but on 3.0. The first question raised by the customer was why the latest version wasn't found in the rhel8 stream but in the 3.0 stream instead, since most security scanners will pop up a warning as the latest version is not being used.

Of course looking within https://access.redhat.com/security/cve/CVE-2022-1227 and https://bugzilla.redhat.com/show_bug.cgi?id=2070368 we can see that psgo: Privilege escalation in 'podman top' is fixed.  

Now there are only the versioning concerns about why 0.0.99.3-1 is not within the rhel8 stream.

Comment 5 Debarshi Ray 2022-08-18 14:19:25 UTC
Thanks for doing all that ground work, Juan!  It was really helpful.

(In reply to Juan Sebastian Castro from comment #4)
> Hello Debarshi, from test box r86
> toolbox-0.0.99.3-0.4.module+el8.6.0+14877+f643d2d6.x86_64 was installed and
> content of /etc/containers/toolbox.conf is:
> 
> [root@rhel86 ~]# cat /etc/containers/toolbox.conf
> [general]
>
> [...]
>
> # If the name does not contain a registry, the local image storage will be
> # consulted, and if it's not present there then it will be pulled from a
> # suitable remote registry.
> image = "registry.access.redhat.com/ubi8/toolbox:latest"

Ok.  This looks good.  I was worried about the value of the 'image' setting.

> [root@rhel86 ~]# rpm -qa | grep toolbox
> toolbox-0.0.99.3-0.4.module+el8.6.0+14877+f643d2d6.x86_64
>  
> -----------------------------------------------------------------------------
> 
> [root@rhel86 ~]# cat /etc/containers/toolbox.conf
> [general]
>
> [...]
>
> # If the name does not contain a registry, the local image storage will be
> # consulted, and if it's not present there then it will be pulled from a
> # suitable remote registry.
> image = "registry.access.redhat.com/ubi8/toolbox:latest"

Ok.  This also looks good.  I was again worried about the value of the 'image' setting.

> [root@rhel86 ~]# rpm -qa | grep toolbox
> toolbox-0.0.99.3-0.6.module+el8.6.0+15917+093ca6f8.x86_64

Comment 6 Debarshi Ray 2022-08-18 14:37:31 UTC
From a user's (or customer's) perspective, the main difference between toolbox-0.0.99.3-0.4 and toolbox-0.0.99.3-0.6 is a rebuild with a newer Go toolchain to fix bug 1975365.

This means that if FIPS-mode is important for someone, then they should use toolbox-0.0.99.3-0.6.

Comment 8 Debarshi Ray 2022-08-18 15:24:35 UTC
(In reply to Juan Sebastian Castro from comment #4)
> First question
> raised by customer was why the latest version wasn't found in rhel8 stream
> but 3.0 stream instead. Since most security scanners will pop up a warning
> as latest version is not being used. 
> 
> Of course looking within
> https://access.redhat.com/security/cve/CVE-2022-1227 and
> https://bugzilla.redhat.com/show_bug.cgi?id=2070368 we can see that psgo:
> Privilege escalation in 'podman top' is fixed.  

Are there specific CVEs that the customer is worried about?

I am not aware of any important unfixed CVEs, but I could be wrong.

Comment 14 Debarshi Ray 2022-08-29 14:45:17 UTC
I am re-labeling this bug for the 4.0 stream of the container-tools module in RHEL 8.

We can use bug 2047290 for the 'rolling' stream of the container-tools module in RHEL 8.

Comment 16 Debarshi Ray 2022-11-07 14:06:08 UTC
(In reply to Debarshi Ray from comment #1)
> We don't have the upstream toolbox-0.0.99.3 release built in RHEL 8.

It turns out that this is still true.

The fact that there's a toolbox-0.0.99.3-1 RPM in container-tools:3.0 doesn't mean that it actually has the upstream 0.0.99.3 sources.  It doesn't.  :(

I filed bug 2140643 to fix that.

Comment 17 Petr Schindler 2022-11-15 12:09:27 UTC
All tests pass. toolbox works as intended.

Comment 20 errata-xmlrpc 2023-05-16 08:30:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:4.0 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2802

Comment 21 errata-xmlrpc 2023-05-16 08:44:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:4.0 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2802

