NO-JIRA: okd-scos: pin clevis to 20-200.el9 #1631
Conversation
|
/lgtm |
|
/retest |
|
/assign mike-nguyen |
|
/retitle NO-JIRA: okd-scos: pin clevis to 20-200.el9 |
openshift-ci
bot
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@Prashanth684: This pull request explicitly references no jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/test scos-9-build-test-qemu |
|
|
||
| #packages: | ||
| packages: |
There was a problem hiding this comment.
Can you add a comment referencing https://issues.redhat.com/browse/RHEL-61612 for the pinned packages?
|
CI picked up the pinned packages |
Prashanth684
force-pushed
the
clevis-okd
branch
from
43893b2 to
ca06e32
Compare
|
/test scos-9-build-test-qemu |
|
/lgtm |
openshift-ci
bot
added
lgtm
2 similar comments
|
/usr/libexec/clevis-luks-udisks2 has setuid bit set which either doesn't exist in the newer version or is set properly in the newer version. Either this test should be updated to allow the binary or you can add the test to the kola-denylist to skip it from running. |
|
The failing test is https://github.com/coreos/fedora-coreos-config/blob/testing-devel/tests/kola/files/setuid which is not happy about Edit : I was not fast enough 🥈 |
`clevis-luks-udisks2` shipped as a subpackage of clevis have the setuid bit set [1]. I am not sure why this is failing only now since it's been enabled for a long time. [1]: https://gitlab.com/redhat/centos-stream/rpms/clevis/-/commit/ca4761025e6332e6d0e148f59833506b1f6b7470#4b7d5bd4b543f32d3da8004f4e1de346e6a2c2c9_0_184 Also see openshift/os#1631 (comment)
Well i was confused by that and it appears it has had the setuid bit since the package was introduced in c9s : https://gitlab.com/redhat/centos-stream/rpms/clevis/-/blob/c10s/clevis.spec?ref_type=heads#L203 Edit : it's been setuid since the package exist in fedora : see line 94 of the initial commit |
|
This binary comes as a subpackage of |
overrides-c9s.yaml
Outdated
| - clevis-dracut-20-200.el9 | ||
| - clevis-luks-20-200.el9 | ||
| - clevis-systemd-20-200.el9 | ||
| - clevis-udisks2-20-200.el9 |
There was a problem hiding this comment.
clevis-udisks2 is not included in the image. Any reason to add it ?
There was a problem hiding this comment.
so is it not being pulled by any other packages? if so, I can remove it - but I'm not sure how we determine that.
There was a problem hiding this comment.
I checked on a local build and it's not pulled :)
You can also look at the contents of a recent openshift RHCOS build : https://releases-rhcos-art.apps.ocp-virt.prod.psi.redhat.com/contents.html?stream=prod/streams/4.18-9.4&release=418.94.202410090804-0&arch=x86_64
Also see my comment above : we don't pull subpackages by default in ostree builds, unless they are marked as required, which isn't the case here
There was a problem hiding this comment.
removed the package.
1 similar comment
Prashanth684
force-pushed
the
clevis-okd
branch
from
ca06e32 to
08f7a12
Compare
Latest clevis pulls in opensc and pcsc-lite which gives this error on booting: ``` [ 1.931395] dracut-initqueue[621]: pcscd: unrecognized option '--disable-polkit' [ 1.742582] dracut-initqueue[621]: pcscd: unrecognized option '--disable-polkit' [ 1.933525] dracut-initqueue[621]: Usage: pcscd options [ 1.933837] dracut-initqueue[621]: Options: [[0;32m OK [[ 1.934124] dracut-initqueue[621]: -a, --apdu log APDU commands and results 0m] Found device [0;1;39mAmazon Elastic Block Store root[0m.[ 1.934449] dracut-initqueue[621]: -c, --config path to reader.conf [ 1.934737] dracut-initqueue[621]: -f, --foreground run in foreground (no daemon), [ 1.935028] dracut-initqueue[621]: send logs to stdout instead of syslog [ 1.935341] dracut-initqueue[621]: -T, --color force use of colored logs [ 1.935628] dracut-initqueue[621]: -h, --help display usage information [ 1.935912] dracut-initqueue[621]: -H, --hotplug ask the daemon to rescan the available readers [[0;32m OK [0m] Reached target [0;1;39mInit[ 1.936468] dracut-initqueue[621]: -v, --version display the program version number rd Root Device[[ 1.936748] dracut-initqueue[621]: -d, --debug display lower level debug messages 0m. [ 1.937028] dracut-initqueue[621]: -i, --info display info level debug messages [ 1.937316] dracut-initqueue[621]: -e --error display error level debug messages (default level) [ 1.937834] dracut-initqueue[621]: -C --critical display critical only level debug messages [ 1.938109] dracut-initqueue[621]: --force-reader-polling ignore the IFD_GENERATE_HOTPLUG reader capability [ 1.938665] dracut-initqueue[621]: -t, --max-thread maximum number of threads (default 200) [ 1.938948] dracut-initqueue[621]: -s, --max-card-handle-per-thread maximum number of card handle per thread (default: 200) [ 1.939509] dracut-initqueue[621]: -r, --max-card-handle-per-reader maximum number of card handle per reader (default: 200) [ 1.940064] dracut-initqueue[621]: -x, --auto-exit pcscd will quit after 60 seconds of inactivity [ 1.940632] dracut-initqueue[621]: -S, --reader-name-no-serial do not include the USB serial number in the name ``` This addresses openshift#1630 until https://issues.redhat.com/browse/RHEL-61612 has been fixed.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ausil, jbtrystram, mike-nguyen, Prashanth684 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@Prashanth684: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Latest clevis pulls in opensc and pcsc-lite which gives this error on booting:
This addresses #1630 until https://issues.redhat.com/browse/RHEL-61612 has been fixed.