Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: High
Fix Version/s: OSC 1.3.2
Affects Version/s: None
Component/s: Operator, sandboxed-containers
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
Release Note Text:

Hide
Previously, when installing Openshift Sandboxed Containers on Openshift 4.10, the controller manager POD failed to start with the following error :

container has runAsNonRoot and image has non-numeric user (nonroot),
cannot verify user is non-root

This was preventing the creation of the `KataConfig` CR to succeed and, thus, preventing to run sandboxed containers.

With this release, the image of the manager container now uses a numerical user id (499) .

Show
Previously, when installing Openshift Sandboxed Containers on Openshift 4.10, the controller manager POD failed to start with the following error : container has runAsNonRoot and image has non-numeric user (nonroot), cannot verify user is non-root This was preventing the creation of the `KataConfig` CR to succeed and, thus, preventing to run sandboxed containers. With this release, the image of the manager container now uses a numerical user id (499) .
Release Note Type:
Bug Fix
Release Note Status:
Proposed

Sprint:
Kata Sprint #227
Cost of Delay:
0
WSJF:
0

SFDC Cases Counter:
SFDC Cases Links:

Description

Install OSC 1.3.1-10 on a OCP 4.10 cluster fails to start the controller manager pod

Thanks to sserafin@redhat.com for finding this

Steps to reproduce

1. install a 4.10 OCP cluster.
2. Install a catsrc pointing to the 1.3.1-10 OSC
3. subscribe to OSC with stable-1.3

4. create kataconfig

Expected result

To be able to install kataconfig

Actual result

The deployment of the controller-manager pod fails & prevents kataconfig from installing with the error:

Error "failed calling webhook "vkataconfig.kb.io": failed to call webhook: Post "https://controller-manager-service.openshift-sandboxed-containers-operator.svc:443/validate-kataconfiguration-openshift-io-v1-kataconfig?timeout=10s": no endpoints available for service "controller-manager-service"" for field "undefined".

Impact

OSC 1.3 should be supported back to OCP 4.10

Env

Server Version: 4.10.0-0.nightly-2022-10-26-042816

OSC 1.3.1-10 is in the catalog bundle

registry-proxy.engineering.redhat.com/rh-osbs/iib:341874

It was pulled into podman and pushed to

quay.io/tbuskey/operator-index:1.3.1-10

catsrc.yamland ImageContentSourcePolicy.yaml were used to get OSC 1.3.1-10 from quay/brew

Additional helpful info

channel stable-1.2 of OSC 1.3.1 works on OCP 4.10

oc get csv sandboxed-containers-operator.v1.3.1 -o yaml csv.yaml

oc get pod controller-manager-755fd4c97f-7w4f4 -o yaml controller-manager-pod.yaml

 message: 'container has runAsNonRoot and image has non-numeric user (nonroot),
          cannot verify user is non-root (pod: "controller-manager-755fd4c97f-7w4f4_openshift-sandboxed-containers-operator(af350798-c741-42b2-8527-9e31da8cf28c)",
          container: manager)'
        reason: CreateContainerConfigError

oc get deployment controller-manager -o yaml deployment.yaml

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

catsrc.yaml
0.2 kB
2022/10/26 8:23 PM
controller-manager-pod.yaml
9 kB
2022/10/26 8:18 PM
csv.yaml
34 kB
2022/10/26 8:19 PM
deployment.yaml
7 kB
2022/10/26 8:12 PM
ImageContentSourcePolicy.yaml
0.4 kB
2022/10/26 8:23 PM

Issue Links

links to

openshift/sandboxed-containers-operator#225: Use numerical uid/gid in Dockerfile

Activity

People

Assignee:: Greg Kurz

Reporter:: Tom Buskey

Contributors:: Silvia Serafini

QA Contact:: Tom Buskey

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2022/10/26 8:11 PM

Updated:: 2024/03/19 3:20 PM

Resolved:: 2022/11/02 2:05 PM