Cloud Infrastructure Security & Compliance / CMP-3658

FileIntegrityNodeStatus is marked Failed for all nodes after an MCO update because the linkout changed for /hostroot/etc/ipsec.d/openshift.conf and /hostroot/etc/mco/internal-registry-pull-secret.json


      Description of problem:

      FileIntegrityNodeStatus is marked Failed for all nodes after an MCO update because the linkout changed for /hostroot/etc/ipsec.d/openshift.conf and /hostroot/etc/mco/internal-registry-pull-secret.json

      Version-Release number of selected component (if applicable):

      4.17.0-0.nightly-2024-09-08-135628 + file-integrity-operator.v1.3.4

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install file-integrity-operator.v1.3.4
      2. Create a FileIntegrity object

      oc apply -f - <<EOF
      apiVersion: fileintegrity.openshift.io/v1alpha1
      kind: FileIntegrity
      metadata:
        name: example-fileintegrity
        namespace: openshift-file-integrity
      spec:
        config: {}
        debug: true
      EOF

      3. Create a MachineConfig (this triggers an MCO rollout of the affected MachineConfigPool)

      oc create -f - <<EOF
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        generation: 1
        labels:
          machineconfiguration.openshift.io/role: master
        name: 50-testfileintegrity1
      spec:
        config:
          ignition:
            config: {}
            security:
              tls: {}
            timeouts: {}
            version: 2.2.0
          networkd: {}
          passwd: {}
          storage:
            files:
            - contents:
                source: data:,file-integrity-operator-was-here
                verification: {}
              filesystem: root
              mode: 420
              path: /etc/fi-test-file
          systemd: {}
        fips: false
        kernelArguments: null
        kernelType: ""
        osImageURL: ""
      EOF

      4. After the MCP has finished rolling out and the nodes have rebooted, check that every fileintegritynodestatus reports Failed

      $ oc get fileintegritynodestatuses.fileintegrity.openshift.io 
      NAME                                                           NODE                                     STATUS
      example-fileintegrity-bgudi-manual-dcldr-master-0              bgudi-manual-dcldr-master-0              Failed
      example-fileintegrity-bgudi-manual-dcldr-master-1              bgudi-manual-dcldr-master-1              Failed
      example-fileintegrity-bgudi-manual-dcldr-master-2              bgudi-manual-dcldr-master-2              Failed
      example-fileintegrity-bgudi-manual-dcldr-worker-westus-jgmwl   bgudi-manual-dcldr-worker-westus-jgmwl   Failed
      example-fileintegrity-bgudi-manual-dcldr-worker-westus-shcnf   bgudi-manual-dcldr-worker-westus-shcnf   Failed
      example-fileintegrity-bgudi-manual-dcldr-worker-westus-tmrpv   bgudi-manual-dcldr-worker-westus-tmrpv   Failed

      Actual results:

      All fileintegritynodestatuses report Failed.

      Expected results:

      All fileintegritynodestatuses should report Succeeded, because the only changes are to files the MCO itself rewrote during the rollout.

      Additional info:


      $ oc extract cm/aide-example-fileintegrity-bgudi-manual-dcldr-master-2-failed --to=-
      # integritylog
      Start timestamp: 2024-09-10 13:59:39 +0000 (AIDE 0.16)
      AIDE found differences between database and filesystem!!
      Summary:
        Total number of entries:    36051
        Added entries:        0
        Removed entries:        0
        Changed entries:        2
      ---------------------------------------------------
      Changed entries:
      ---------------------------------------------------
      f   ...    .C... : /hostroot/etc/ipsec.d/openshift.conf
      f   ...    .C... : /hostroot/etc/mco/internal-registry-pull-secret.json
      ---------------------------------------------------
      Detailed information about changes:
      ---------------------------------------------------
      File: /hostroot/etc/ipsec.d/openshift.conf
        SHA512   : ZzXwXy1EOR/TmnMaSupn1HIz33zsMaT0 | fRpG2ovHjeQgl3lgUrS7xREeaP5BXu9a
                   PFjk5hBhWdn839gn1exWZFr7wRbwpfns | YVzFQvNYoeYyPEd6K2QiHBaISbuWkmC/
                   mS83yYNII5ywTOj49zFnqA==         | R0nELMsD+7szsQ1Z7o6ARg==
      File: /hostroot/etc/mco/internal-registry-pull-secret.json
        SHA512   : fIsFjcSRluVefQIFzNquV4euKgQI/iUp | XHQLgDGNhRJnH7QPnmTvRWdFWgrSXdzj
                   pZbKDrer6L32qS96GqYs20EoYcy+g6nR | A9vIsNWoN1+GQ7OnTRHZQEt+W/tF/Ok3
                   D8tsKz/dPTuVUXGaI2UqUQ==         | tTn0D8oJgUsB7VfCbel50g==
      
      ---------------------------------------------------
      The attributes of the (uncompressed) database(s):
      ---------------------------------------------------
      /hostroot/etc/kubernetes/aide.db.gz
        MD5      : PEYTt5OXOsY6Hz64SoP/hw==
        SHA1     : m4JrCvLHUopx0BTmSVC3MO7rwP4=
        RMD160   : 3q+D8MsmGkU9QRuyF3fdMITnwI0=
        TIGER    : R+8efePWrxAP6IXKRjpv32Ezhe9iejQn
        SHA256   : C4pP5RkwhYo1IFOHAYgpvVZnkaaXWKXQ
                   0IF6Iy3yl+k=
        SHA512   : 2y9404blGV+S9jWYYo8pnMIxnbP4RE3+
                   Syuc6BPR8khWyrEherstqwZYIsvUG5mr
                   hZBm9gJMjI8HPPAm6nYfug==
      
      End timestamp: 2024-09-10 14:00:24 +0000 (run time: 0m 45s)
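      To triage an integritylog like the one above (the output of `oc extract` on the failed ConfigMap), the following is an added example, not code from the report or from the file-integrity-operator: it parses the "Changed entries" block and separates the two MCO-managed files named in this bug from any other changed file, which would still need investigation. The sample log is a trimmed copy constructed from the report, and the MCO_MANAGED set is an assumption based on the two paths it names.

```python
import re

# Constructed sample: a trimmed copy of the AIDE integritylog quoted in the report.
SAMPLE_LOG = """\
# integritylog
AIDE found differences between database and filesystem!!
Summary:
  Changed entries:        2
---------------------------------------------------
Changed entries:
---------------------------------------------------
f   ...    .C... : /hostroot/etc/ipsec.d/openshift.conf
f   ...    .C... : /hostroot/etc/mco/internal-registry-pull-secret.json
---------------------------------------------------
Detailed information about changes:
"""

# Assumption: files the MCO rewrites on every node during a MachineConfig rollout (the two named in the report).
MCO_MANAGED = {
    "/hostroot/etc/ipsec.d/openshift.conf",
    "/hostroot/etc/mco/internal-registry-pull-secret.json",
}

# One line of the "Changed entries" block: file type, two attribute-flag groups, ':' and the path.
# In the flag groups 'C' means the checksum differs from the AIDE database; '.' means unchanged.
ENTRY_RE = re.compile(r"^(\S)\s+(\S+)\s+(\S+)\s+:\s+(\S+)$")


def parse_changed_entries(log: str) -> list[tuple[str, str, str]]:
    """Return (file type, attribute flags, path) for each entry under 'Changed entries:'."""
    entries, in_section = [], False
    for line in log.splitlines():
        if line.strip() == "Changed entries:":        # the indented Summary count line is skipped
            in_section = True
        elif in_section and line.startswith("Detailed information"):
            break
        elif in_section and (m := ENTRY_RE.match(line)):
            ftype, flags_a, flags_b, path = m.groups()
            entries.append((ftype, flags_a + flags_b, path))
    return entries


def triage(log: str) -> dict:
    """Separate MCO-managed files (expected to change after a rollout) from everything else."""
    entries = parse_changed_entries(log)
    expected = sorted(p for _, f, p in entries if p in MCO_MANAGED and set(f) <= {".", "C"})
    unexpected = sorted(p for _, _, p in entries if p not in expected)
    return {"total_changed": len(entries), "mco_managed": expected,
            "unexpected": unexpected, "needs_investigation": bool(unexpected)}
```

      Only a checksum-only change to an MCO-managed path is classified as expected; any other path, or any other attribute flag on those paths, is reported for investigation.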
      

              Vincent Shen (wenshen@redhat.com)
              Bhargavi Gudi (bgudi@redhat.com)
              Xiaojie Yuan
              Maria Simon Marcos