  1. Openshift sandboxed containers
  2. KATA-1824

OSC 1.3.1 channel-1.3 on OCP 4.10 won't start kataconfig

    • False
    • None
    • False
    • Previously, when installing OpenShift Sandboxed Containers on OpenShift 4.10, the controller manager pod failed to start with the following error:

      container has runAsNonRoot and image has non-numeric user (nonroot), cannot verify user is non-root

      This prevented the `KataConfig` CR from being created and, as a result, prevented sandboxed containers from running.

      With this release, the image of the manager container uses a numeric user ID (499).
    • Bug Fix
    • Proposed
    • Kata Sprint #227
    • 0
    • 0

      Description

      Installing OSC 1.3.1-10 on an OCP 4.10 cluster fails to start the controller manager pod

      Thanks to sserafin@redhat.com for finding this

      Steps to reproduce

      1. Install a 4.10 OCP cluster.
      2. Install a catsrc pointing to the 1.3.1-10 OSC.
      3. Subscribe to OSC with stable-1.3.
      4. Create kataconfig.

      Expected result

      To be able to install kataconfig

      Actual result

      The deployment of the controller-manager pod fails & prevents kataconfig from installing with the error:

      Error "failed calling webhook "vkataconfig.kb.io": failed to call webhook: Post "https://controller-manager-service.openshift-sandboxed-containers-operator.svc:443/validate-kataconfiguration-openshift-io-v1-kataconfig?timeout=10s": no endpoints available for service "controller-manager-service"" for field "undefined".

      Impact

      OSC 1.3 should be supported back to OCP 4.10

      Env

      Server Version: 4.10.0-0.nightly-2022-10-26-042816

      OSC 1.3.1-10 is in the catalog bundle

      registry-proxy.engineering.redhat.com/rh-osbs/iib:341874

      It was pulled into podman and pushed to 

      quay.io/tbuskey/operator-index:1.3.1-10

      catsrc.yaml and ImageContentSourcePolicy.yaml were used to get OSC 1.3.1-10 from quay/brew

      Additional helpful info

      channel stable-1.2 of OSC 1.3.1 works on OCP 4.10

      oc get csv sandboxed-containers-operator.v1.3.1 -o yaml > csv.yaml

      oc get pod controller-manager-755fd4c97f-7w4f4 -o yaml > controller-manager-pod.yaml

       message: 'container has runAsNonRoot and image has non-numeric user (nonroot),
                cannot verify user is non-root (pod: "controller-manager-755fd4c97f-7w4f4_openshift-sandboxed-containers-operator(af350798-c741-42b2-8527-9e31da8cf28c)",
                container: manager)'
              reason: CreateContainerConfigError

      oc get deployment controller-manager -o yaml > deployment.yaml
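
The decision behind the `CreateContainerConfigError` above, as an added example (a simplified model written for this page, not kubelet or operator code): with `runAsNonRoot` set and no `runAsUser`, an image `USER` given as a name cannot be checked, while a numeric one such as 499 can. The function names, the treatment of an empty `USER` as root, and every message other than the one quoted in the issue are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseImageUser splits an image USER value ("499", "nonroot", "499:0") into
// a numeric UID or a user name. Assumption: an empty USER means root (UID 0).
func parseImageUser(user string) (uid *int64, name string) {
	user = strings.SplitN(user, ":", 2)[0] // drop an optional ":group" suffix
	if user == "" {
		return new(int64), ""
	}
	if n, err := strconv.ParseInt(user, 10, 64); err == nil {
		return &n, ""
	}
	return nil, user
}

// checkRunAsNonRoot is a simplified model of the runAsNonRoot verification.
// runAsNonRoot and runAsUser are the effective securityContext values (nil = unset).
func checkRunAsNonRoot(runAsNonRoot *bool, runAsUser *int64, imageUser string) error {
	if runAsNonRoot == nil || !*runAsNonRoot {
		return nil // no non-root requirement to enforce
	}
	if runAsUser != nil { // an explicit UID in the pod spec takes precedence over the image
		if *runAsUser == 0 {
			return fmt.Errorf("runAsUser is 0 but runAsNonRoot is set")
		}
		return nil
	}
	uid, name := parseImageUser(imageUser)
	switch {
	case uid != nil && *uid == 0:
		return fmt.Errorf("container has runAsNonRoot and image will run as root")
	case uid == nil:
		// A name is resolved through the image's own /etc/passwd, so the UID is unknown here.
		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", name)
	}
	return nil
}

func main() {
	yes := true
	for _, u := range []string{"nonroot", "499", "0", ""} { // constructed sample USER values
		fmt.Printf("USER %-9q -> %v\n", u, checkRunAsNonRoot(&yes, nil, u))
	}
}
```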

        1. catsrc.yaml
          0.2 kB
          Tom Buskey
        2. controller-manager-pod.yaml
          9 kB
          Tom Buskey
        3. csv.yaml
          34 kB
          Tom Buskey
        4. deployment.yaml
          7 kB
          Tom Buskey
        5. ImageContentSourcePolicy.yaml
          0.4 kB
          Tom Buskey

              rhgkurz Greg Kurz
              tbuskey-rh Tom Buskey
              Silvia Serafini
              Tom Buskey Tom Buskey