@miabbott
Member

The mitigation path for OCP customers is to reprovision nodes, so we
should bump the boot images on the installer as well.

@openshift-ci-robot added the bugzilla/severity-medium and bugzilla/valid-bug labels Jul 30, 2020
@openshift-ci-robot
Contributor

@miabbott: This pull request references Bugzilla bug 1862111, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.6.0) matches configured target release for branch (4.6.0)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1862111: bump RHCOS images for CVE-2020-10713

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@miabbott
Member Author

miabbott commented Jul 30, 2020

$ ./differ.py -fe api.ci -fr rhcos-4.6/46.82.202007212240-0 -se api.ci -sr rhcos-4.6/46.82.202007291847-0
{
    "sources": {
        "rhcos-4.6/46.82.202007212240-0": "https://releases-art-rhcos.svc.ci.openshift.org/art/storage/releases/rhcos-4.6/46.82.202007212240-0/x86_64/commitmeta.json",
        "rhcos-4.6/46.82.202007291847-0": "https://releases-art-rhcos.svc.ci.openshift.org/art/storage/releases/rhcos-4.6/46.82.202007291847-0/x86_64/commitmeta.json"
    },
    "diff": {
        "NetworkManager": {
            "rhcos-4.6/46.82.202007212240-0": "NetworkManager-1.22.8-5.el8_2.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "NetworkManager-1.22.8-6.el8_2.x86_64"
        },
        "NetworkManager-libnm": {
            "rhcos-4.6/46.82.202007212240-0": "NetworkManager-libnm-1.22.8-5.el8_2.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "NetworkManager-libnm-1.22.8-6.el8_2.x86_64"
        },
        "NetworkManager-ovs": {
            "rhcos-4.6/46.82.202007212240-0": "NetworkManager-ovs-1.22.8-5.el8_2.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "NetworkManager-ovs-1.22.8-6.el8_2.x86_64"
        },
        "NetworkManager-team": {
            "rhcos-4.6/46.82.202007212240-0": "NetworkManager-team-1.22.8-5.el8_2.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "NetworkManager-team-1.22.8-6.el8_2.x86_64"
        },
        "NetworkManager-tui": {
            "rhcos-4.6/46.82.202007212240-0": "NetworkManager-tui-1.22.8-5.el8_2.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "NetworkManager-tui-1.22.8-6.el8_2.x86_64"
        },
        "conmon": {
            "rhcos-4.6/46.82.202007212240-0": "conmon-2.0.17-1.rhaos4.5.el8.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "conmon-2.0.20-1.rhaos4.6.el8.x86_64"
        },
        "coreos-installer": {
            "rhcos-4.6/46.82.202007212240-0": "coreos-installer-0.2.0-4.rhaos4.6.el8.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "coreos-installer-0.4.0-1.rhaos4.6.el8.x86_64"
        },
        "coreos-installer-systemd": {
            "rhcos-4.6/46.82.202007212240-0": "coreos-installer-systemd-0.2.0-4.rhaos4.6.el8.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "Not present"
        },
        "cri-o": {
            "rhcos-4.6/46.82.202007212240-0": "cri-o-1.19.0-41.rhaos4.6.git988f60e.el8.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "cri-o-1.19.0-53.rhaos4.6.git1f9d304.el8.x86_64"
        },
        "grub2-common": {
            "rhcos-4.6/46.82.202007212240-0": "grub2-common-2.02-82.el8_2.1.noarch",
            "rhcos-4.6/46.82.202007291847-0": "grub2-common-2.02-87.el8_2.noarch"
        },
        "grub2-efi-x64": {
            "rhcos-4.6/46.82.202007212240-0": "grub2-efi-x64-2.02-82.el8_2.1.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "grub2-efi-x64-2.02-87.el8_2.x86_64"
        },
        "grub2-pc": {
            "rhcos-4.6/46.82.202007212240-0": "grub2-pc-2.02-82.el8_2.1.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "grub2-pc-2.02-87.el8_2.x86_64"
        },
        "grub2-pc-modules": {
            "rhcos-4.6/46.82.202007212240-0": "grub2-pc-modules-2.02-82.el8_2.1.noarch",
            "rhcos-4.6/46.82.202007291847-0": "grub2-pc-modules-2.02-87.el8_2.noarch"
        },
        "grub2-tools": {
            "rhcos-4.6/46.82.202007212240-0": "grub2-tools-2.02-82.el8_2.1.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "grub2-tools-2.02-87.el8_2.x86_64"
        },
        "grub2-tools-extra": {
            "rhcos-4.6/46.82.202007212240-0": "grub2-tools-extra-2.02-82.el8_2.1.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "grub2-tools-extra-2.02-87.el8_2.x86_64"
        },
        "grub2-tools-minimal": {
            "rhcos-4.6/46.82.202007212240-0": "grub2-tools-minimal-2.02-82.el8_2.1.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "grub2-tools-minimal-2.02-87.el8_2.x86_64"
        },
        "ignition": {
            "rhcos-4.6/46.82.202007212240-0": "ignition-2.3.0-1.rhaos4.6.gitee616d5.el8.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "ignition-2.5.0-1.rhaos4.6.git0d6f3e5.el8.x86_64"
        },
        "openshift-clients": {
            "rhcos-4.6/46.82.202007212240-0": "openshift-clients-4.6.0-202007212120.p0.git.3658.e2f0cb0.el8.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "openshift-clients-4.6.0-202007290214.p0.git.3679.02da520.el8.x86_64"
        },
        "openshift-hyperkube": {
            "rhcos-4.6/46.82.202007212240-0": "openshift-hyperkube-4.6.0-202007110420.p1.git.0.4de1d1d.el8.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "openshift-hyperkube-4.6.0-202007291437.p0.git.93394.55d8983.el8.x86_64"
        },
        "openvswitch2.13": {
            "rhcos-4.6/46.82.202007212240-0": "openvswitch2.13-2.13.0-39.el8fdp.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "openvswitch2.13-2.13.0-48.el8fdp.x86_64"
        },
        "shim-x64": {
            "rhcos-4.6/46.82.202007212240-0": "shim-x64-15-11.x86_64",
            "rhcos-4.6/46.82.202007291847-0": "shim-x64-15-14.el8_2.x86_64"
        },
        "coreos-installer-bootinfra": {
            "rhcos-4.6/46.82.202007212240-0": "Not present",
            "rhcos-4.6/46.82.202007291847-0": "coreos-installer-bootinfra-0.4.0-1.rhaos4.6.el8.x86_64"
        },
        "openssl-pkcs11": {
            "rhcos-4.6/46.82.202007212240-0": "Not present",
            "rhcos-4.6/46.82.202007291847-0": "openssl-pkcs11-0.4.10-2.el8.x86_64"
        }
    }
}
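
Added example, not part of the original thread and not code from differ.py: a check a reviewer could run over the JSON shape shown above to confirm that the Secure Boot chain packages (grub2, shim) changed between the two builds. The function names, the prefix list, the trimmed sample and the reading that the "diff" key lists only packages that differ are assumptions made for illustration.

```python
import json

# Constructed sample: a trimmed copy of the differ.py output shape shown above.
OLD, NEW = "rhcos-4.6/46.82.202007212240-0", "rhcos-4.6/46.82.202007291847-0"
SAMPLE = {
    "diff": {
        "cri-o": {OLD: "cri-o-1.19.0-41.rhaos4.6.git988f60e.el8.x86_64",
                  NEW: "cri-o-1.19.0-53.rhaos4.6.git1f9d304.el8.x86_64"},
        "grub2-efi-x64": {OLD: "grub2-efi-x64-2.02-82.el8_2.1.x86_64",
                          NEW: "grub2-efi-x64-2.02-87.el8_2.x86_64"},
        "grub2-pc": {OLD: "grub2-pc-2.02-82.el8_2.1.x86_64",
                     NEW: "grub2-pc-2.02-87.el8_2.x86_64"},
        "shim-x64": {OLD: "shim-x64-15-11.x86_64",
                     NEW: "shim-x64-15-14.el8_2.x86_64"},
    }
}

# Assumption: name prefixes treated as the Secure Boot chain for this check.
BOOT_CHAIN_PREFIXES = ("grub2-", "shim-")

def version_release(name, nvra):
    """Return 'version-release' from 'name-version-release.arch'."""
    if nvra == "Not present":          # marker used in the output for an absent package
        return None
    rest = nvra[len(name) + 1:]        # drop the 'name-' prefix
    return rest.rsplit(".", 1)[0]      # drop the trailing '.arch'

def boot_chain_changes(report, old, new):
    """Map each boot-chain package in the diff to (old_vr, new_vr)."""
    changes = {}
    for name, builds in sorted(report["diff"].items()):
        if name.startswith(BOOT_CHAIN_PREFIXES):
            changes[name] = (version_release(name, builds[old]),
                             version_release(name, builds[new]))
    return changes

def unchanged(report, old, new, expected):
    """Expected packages that are not in the diff (assumed identical in both
    builds) or that are absent from the new build."""
    changes = boot_chain_changes(report, old, new)
    return [p for p in expected if p not in changes or changes[p][1] is None]

if __name__ == "__main__":
    print(json.dumps(boot_chain_changes(SAMPLE, OLD, NEW), indent=2))
    print("not updated:", unchanged(SAMPLE, OLD, NEW, ["grub2-efi-x64", "shim-x64"]))
```
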

@miabbott
Member Author

/test verify-codegen

@cgwalters
Member

/approve
Changes look right to me.

@miabbott
Member Author

/hold

While we've tested that booting this RHCOS version via qemu using Secure Boot is successful, there are reports of problems booting with the grub2 mitigation in place - https://bugzilla.redhat.com/show_bug.cgi?id=1861977

I'm going to tentatively hold this until we have more confidence

@openshift-ci-robot added the do-not-merge/hold label Jul 30, 2020
@miabbott
Member Author

miabbott commented Aug 3, 2020

/unhold

The new RHCOS build includes the fix to shim that addresses BZ#1861977.

Additionally, it notably gained a new coreos-installer and toolbox.

$ ./differ.py -fe api.ci -fr rhcos-4.6/46.82.202007291847-0 -se api.ci -sr rhcos-4.6/46.82.202008030340-0
{
    "sources": {
        "rhcos-4.6/46.82.202007291847-0": "https://releases-art-rhcos.svc.ci.openshift.org/art/storage/releases/rhcos-4.6/46.82.202007291847-0/x86_64/commitmeta.json",
        "rhcos-4.6/46.82.202008030340-0": "https://releases-art-rhcos.svc.ci.openshift.org/art/storage/releases/rhcos-4.6/46.82.202008030340-0/x86_64/commitmeta.json"
    },
    "diff": {
        "containers-common": {
            "rhcos-4.6/46.82.202007291847-0": "containers-common-1.0.0-1.module+el8.2.1+6676+604e1b26.x86_64",
            "rhcos-4.6/46.82.202008030340-0": "containers-common-1.1.1-2.rhaos4.6.el8.x86_64"
        },
        "coreos-installer": {
            "rhcos-4.6/46.82.202007291847-0": "coreos-installer-0.4.0-1.rhaos4.6.el8.x86_64",
            "rhcos-4.6/46.82.202008030340-0": "coreos-installer-0.5.0-1.rhaos4.6.el8.x86_64"
        },
        "coreos-installer-bootinfra": {
            "rhcos-4.6/46.82.202007291847-0": "coreos-installer-bootinfra-0.4.0-1.rhaos4.6.el8.x86_64",
            "rhcos-4.6/46.82.202008030340-0": "coreos-installer-bootinfra-0.5.0-1.rhaos4.6.el8.x86_64"
        },
        "cri-o": {
            "rhcos-4.6/46.82.202007291847-0": "cri-o-1.19.0-53.rhaos4.6.git1f9d304.el8.x86_64",
            "rhcos-4.6/46.82.202008030340-0": "cri-o-1.19.0-61.rhaos4.6.git79c1228.el8.x86_64"
        },
        "openshift-clients": {
            "rhcos-4.6/46.82.202007291847-0": "openshift-clients-4.6.0-202007290214.p0.git.3679.02da520.el8.x86_64",
            "rhcos-4.6/46.82.202008030340-0": "openshift-clients-4.6.0-202008011451.p0.git.3685.3939f2f.el8.x86_64"
        },
        "openshift-hyperkube": {
            "rhcos-4.6/46.82.202007291847-0": "openshift-hyperkube-4.6.0-202007291437.p0.git.93394.55d8983.el8.x86_64",
            "rhcos-4.6/46.82.202008030340-0": "openshift-hyperkube-4.6.0-202008011154.p0.git.93402.577b186.el8.x86_64"
        },
        "openvswitch2.13": {
            "rhcos-4.6/46.82.202007291847-0": "openvswitch2.13-2.13.0-48.el8fdp.x86_64",
            "rhcos-4.6/46.82.202008030340-0": "openvswitch2.13-2.13.0-49.el8fdp.x86_64"
        },
        "shim-x64": {
            "rhcos-4.6/46.82.202007291847-0": "shim-x64-15-14.el8_2.x86_64",
            "rhcos-4.6/46.82.202008030340-0": "shim-x64-15-15.el8_2.x86_64"
        },
        "skopeo": {
            "rhcos-4.6/46.82.202007291847-0": "skopeo-1.0.0-1.module+el8.2.1+6676+604e1b26.x86_64",
            "rhcos-4.6/46.82.202008030340-0": "skopeo-1.1.1-2.rhaos4.6.el8.x86_64"
        },
        "toolbox": {
            "rhcos-4.6/46.82.202007291847-0": "toolbox-0.0.7-1.rhaos4.5.el8.noarch",
            "rhcos-4.6/46.82.202008030340-0": "toolbox-0.0.8-1.rhaos4.6.el8.noarch"
        }
    }
}

@openshift-ci-robot removed the do-not-merge/hold label Aug 3, 2020
@cgwalters
Member

/lgtm

@openshift-ci-robot added the lgtm label Aug 3, 2020
@miabbott
Member Author

miabbott commented Aug 4, 2020

e2e-openstack has been mostly red for the last 48h, so I don't believe this change is causing the failure there.

e2e-aws-fips has known problems, see openshift/release#10488 and openshift/origin#25362 and openshift/release#10653

e2e-libvirt appears to be pretty flaky; not convinced this change is causing the failure

e2e-metal-ipi has been mostly red in the last 48h; doesn't appear related to this change

e2e-ovirt has been completely red the last 48h; doesn't appear related to this change

e2e-crc has been completely red the last 48h; doesn't appear related to this change

@cgwalters
Member

Agree, let's ship this.

@miabbott
Member Author

miabbott commented Aug 5, 2020

@abhinavdahiya @sdodson Could one of you have a look here? We'd like to get this landed so we can land the other boot image bumps for 4.5.z, 4.4.z, and 4.3.z.

@sdodson
Member

sdodson commented Aug 5, 2020

/test e2e-ovirt
/test e2e-vsphere
/test e2e-gcp

@sdodson
Member

sdodson commented Aug 5, 2020

I agree ovirt and libvirt are not providing meaningful signal. Openstack however does seem to at least make it past installation a fair amount so giving it one more shot. GCP wasn't run so running that once.

@sdodson
Member

sdodson commented Aug 5, 2020

vSphere died on dns config before install happened, seems common infra problem amongst recent runs.
OpenStack folks are aware of other critical failures going on at this time so let's move forward.
/lgtm
/approve

@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, sdodson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot added the approved label Aug 5, 2020
@openshift-bot
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-ci-robot
Contributor

@miabbott: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/e2e-libvirt b3c2656 link /test e2e-libvirt
ci/prow/e2e-crc b3c2656 link /test e2e-crc
ci/prow/e2e-vsphere b3c2656 link /test e2e-vsphere
ci/prow/e2e-aws-fips b3c2656 link /test e2e-aws-fips
ci/prow/e2e-ovirt b3c2656 link /test e2e-ovirt
ci/prow/e2e-openstack b3c2656 link /test e2e-openstack
ci/prow/e2e-aws-workers-rhel7 b3c2656 link /test e2e-aws-workers-rhel7
ci/prow/e2e-metal-ipi b3c2656 link /test e2e-metal-ipi


@openshift-merge-robot openshift-merge-robot merged commit 17ef09d into openshift:master Aug 5, 2020
@openshift-ci-robot
Contributor

@miabbott: All pull requests linked via external trackers have merged: openshift/installer#3983. Bugzilla bug 1862111 has been moved to the MODIFIED state.
