-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
More openvswitch woes #1274
Comments
This was addressed by: #1275. It only prevents us from shipping with broken groups for openvswitch |
We have a new problem now which is is rhel9 (?) builds picked up https://src.fedoraproject.org/rpms/openvswitch/c/a17c9d439da4f7e3bfec0ce4c3b178232d28d3fb?branch=rawhide it sounds like, and I believe today the problem is that use of sysusers.d just clashes with our previously hardcoded bits here https://github.com/openshift/os/blob/master/passwd#L27 and most importantly here: (note openvswitch has no groups).Basically we can do one of two things:
But it doesn't make sense to do both. At this point, we could try dropping the hardcoded user/group files from this repo and rely on sysusers (i.e. per machine state). Or we could hardcode the hugetlbfs group. Now honestly, I think the real fix here is to move openvswithch to use |
@cgwalters note that openvswitch being in hugetlbfs only happens on x86-64 and ARM where we support DPDK. Not on POWER or s390. |
@cgwalters I'm curious what's actually clashing here though. sysusers.d(5) says it'll do the things it's asked if the group/user doesn't exist yet:
But we don't get any error logs out of systemd-sysusers about why it's not doing what it's asked... If openvswitch already exists, shouldn't it just ignore /usr/lib/sysusers.d/openvswitch.conf but since hugetlbfs doesn't exist and OVS isn't in it, it should still do all of that? |
I did a little investigation on this today. I tried dropping the hardcoded bits: diff --git a/group b/group
index e86d91b..1fb1db8 100644
--- a/group
+++ b/group
@@ -42,5 +42,3 @@ nfsnobody:x:65534:
kube:x:994:
sshd:x:74:
chrony:x:992:
-openvswitch:x:800:
-hugetlbfs:x:801:
diff --git a/passwd b/passwd
index 673a3d5..893fd8a 100644
--- a/passwd
+++ b/passwd
@@ -24,4 +24,3 @@ nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
kube:x:996:994:Kubernetes user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:994:992::/var/lib/chrony:/sbin/nologin
-openvswitch:x:800:800::/:/sbin/nologin but that didn't work either (the I think after we remove the hardcoded bits now what's kicking in is this:
where
and are defined as:
So that looks normal.. but what is I will note that if on a running instance I remove |
The RPM is now using systemd-sysusers fragments [1] so we can drop the hardcoded definitions. One problem here, though, is that the hugetlbfs group never gets added to the openswitch user [2] so let's add a workaround for that for now. One side effect of this is that it does change the previously defined UID/GIDs from 800/801 do different values. I assume this is OK because of some of the discussion in [1]. [1] openshift#1274 (comment) [2] openshift#1274 (comment)
The RPM is now using systemd-sysusers fragments [1] so we can drop the hardcoded definitions. One problem here, though, is that the hugetlbfs group never gets added to the openswitch user [2] so let's add a workaround for that for now. One side effect of this is that it does change the previously defined UID/GIDs from 800/801 to different values (dynamically generated at build time). I assume this is OK because of some of the discussion in [1]. [1] openshift#1274 (comment) [2] openshift#1274 (comment)
WDYT of #1317 at least to get us unblocked for now? |
The RPM is now using systemd-sysusers fragments [1] and the RPM scriptlets no longer successfully add the `hugetlbfs` group to the `openvswitch` user [2]. Let's add a workaround for now while we investigate. [1] openshift#1274 (comment) [2] openshift#1274 (comment)
The RPM is now using systemd-sysusers fragments [1] and the RPM scriptlets no longer successfully add the `hugetlbfs` group to the `openvswitch` user [2]. Let's add a workaround for now while we investigate. [1] openshift#1274 (comment) [2] openshift#1274 (comment)
The RPM is now using systemd-sysusers fragments [1] so we can drop the hardcoded definitions. One problem here, though, is that the hugetlbfs group never gets added to the openswitch user [2] so let's add a workaround for that for now. One side effect of this is that it does change the previously defined UID/GIDs from 800/801 to different values (dynamically generated at build time). I assume this is OK because of some of the discussion in [1]. [1] openshift#1274 (comment) [2] openshift#1274 (comment)
At this point we can either merge #1317, which drops the hardcoded bits user/group assignments, or #1318, which just works around the RPM scriptlet not working. IIUC merging #1317 will cause systems that upgrade to have a different (new) UID/GID for the |
It looks like https://src.fedoraproject.org/rpms/systemd/blob/rawhide/f/sysusers.generate-pre.sh and https://pkgs.devel.redhat.com/cgit/rpms/systemd/tree/sysusers.generate-pre.sh?h=rhel-9.2.0 have diverged, and the latter is missing multiple updates to the script. Specifically, this change that is missing in RHEL looks like the culprit to me: https://src.fedoraproject.org/rpms/systemd/c/f27d461663bec17ad64422682f260f0020ccc7f7?branch=rawhide |
The RPM is now using systemd-sysusers fragments [1] and the RPM scriptlets no longer successfully add the `hugetlbfs` group to the `openvswitch` user [2]. Let's add a workaround for now while we investigate. [1] openshift#1274 (comment) [2] openshift#1274 (comment)
This still seems to be a problem on RHCOS 4.14-9.2. The systemd-sysusers logs
/var/lib/sysusers.d contents$ ll /usr/lib/sysusers.d/
total 108
-rw-r--r--. 2 root root 291 Jan 1 1970 00-coreos-nobody.conf
-rw-r--r--. 2 root root 1317 Jan 1 1970 00-coreos-static.conf
-rw-r--r--. 2 root root 984 Jan 1 1970 10-static-extra.conf
-rw-r--r--. 2 root root 240 Jan 1 1970 20-setup-groups.conf
-rw-r--r--. 2 root root 457 Jan 1 1970 20-setup-users.conf
-rw-r--r--. 2 root root 40 Jan 1 1970 30-rpmostree-pkg-group-hugetlbfs.conf
-rw-r--r--. 2 root root 42 Jan 1 1970 30-rpmostree-pkg-group-openvswitch.conf
-rw-r--r--. 2 root root 38 Jan 1 1970 30-rpmostree-pkg-group-unbound.conf
-rw-r--r--. 2 root root 81 Jan 1 1970 35-rpmostree-pkg-user-openvswitch.conf
-rw-r--r--. 2 root root 88 Jan 1 1970 35-rpmostree-pkg-user-unbound.conf
-rw-r--r--. 2 root root 50 Jan 1 1970 40-rpmostree-pkg-usermod-openvswitch-hugetlbfs.conf
-rw-r--r--. 2 root root 359 Jan 1 1970 README
-rw-r--r--. 2 root root 1299 Jan 1 1970 basic.conf
-rw-r--r--. 3 root root 132 Jan 1 1970 chrony.conf
-rw-r--r--. 2 root root 79 Jan 1 1970 clevis.conf
-rw-r--r--. 3 root root 118 Jan 1 1970 dbus.conf
-rw-r--r--. 3 root root 59 Jan 1 1970 dnsmasq.conf
-rw-r--r--. 2 root root 134 Jan 1 1970 openssh-server.conf
-rw-r--r--. 2 root root 189 Jan 1 1970 openvswitch.conf
-rw-r--r--. 3 root root 39 Jan 1 1970 samba.conf
-rw-r--r--. 3 root root 335 Jan 1 1970 systemd-coredump.conf
-rw-r--r--. 2 root root 316 Jan 1 1970 systemd-journal.conf
-rw-r--r--. 3 root root 339 Jan 1 1970 systemd-oom.conf
-rw-r--r--. 2 root root 333 Jan 1 1970 systemd-resolve.conf
-rw-r--r--. 2 root root 344 Jan 1 1970 systemd-timesync.conf
-rw-r--r--. 2 root root 128 Jan 1 1970 tpm2-tss.conf
-rw-r--r--. 2 root root 66 Jan 1 1970 unbound.sysusers This likely also causes openshift/installer#7265. |
It looks like https://gitlab.com/redhat/centos-stream/rpms/systemd/-/merge_requests/79 hasn't been backported to https://pkgs.devel.redhat.com/cgit/rpms/systemd/tree/sysusers.generate-pre.sh?h=rhel-9.2.0 yet. |
Messy. Yes, ultimately we need one "source of truth" for users - what these packages are doing in invoking both Backporting this logic to RHEL would help indeed. But, we probably also need to change rpm-ostree to detect this case. Looks like we already have coreos/rpm-ostree#2728 |
Ah that makes sense. As a lowly customer I don't have access to devel.redhat.com. I'll keep an eye on the Bugzilla bug, thanks!
Agreed, there doesn't seem to be a common pattern in dealing with these system-specific package configurations. I'm don't have the deepest insight into how rpmostree manages systemd configuration, I'm just confused as to why it layers identical configuration on top of what the packages already provide. |
Ahhhh OK something was really confusing me - we're not actually seeing this in OCP. It's because So a workaround today is for the OKD/SCOS build to basically remove the duplicate rpm-ostree sysusers.d entries as part of the container build. However, coreos/rpm-ostree#4505 would also address this and have other benefits. |
@cgwalters I was able to find some time again to look at this more closely: It turns out that in my case openshift/installer pulls the following RHCOS image on Initial bootstrap/master os-releaseNAME="Red Hat Enterprise Linux CoreOS"
ID="rhcos"
ID_LIKE="rhel fedora"
VERSION="414.92.202308032115-0"
VERSION_ID="4.14"
VARIANT="CoreOS"
VARIANT_ID=coreos
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux CoreOS 414.92.202308032115-0 (Plow)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::coreos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://docs.openshift.com/container-platform/4.14/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
REDHAT_BUGZILLA_PRODUCT_VERSION="4.14"
REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
REDHAT_SUPPORT_PRODUCT_VERSION="4.14"
OPENSHIFT_VERSION="4.14"
RHEL_VERSION="9.2"
OSTREE_VERSION="414.92.202308032115-0" On the master VM, rpm-ostree - as instructed by Pivoted master os-releaseNAME="Fedora Linux"
VERSION="38.20230907.20.0 (CoreOS)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora CoreOS 38.20230907.20.0"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
HOME_URL="https://getfedora.org/coreos/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-coreos/"
SUPPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
BUG_REPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=38
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=38
SUPPORT_END=2024-05-14
VARIANT="CoreOS"
VARIANT_ID=coreos
OSTREE_VERSION='38.20230907.20.0' So I'm actually trying to run OCP, but the installer/bootstrap has other things in mind and pivots to an OKD image. |
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
/remove-lifecycle rotten |
openvswitch %pre scriptlet adds the
openvswitch
user to thehugetblfs
group. Since %pre runs withoutset -e
by default the failures are ignored resulting in worker nodes that do not come online during a cluster install.These errors are showing up during the rpm-ostree compose:
The text was updated successfully, but these errors were encountered: