Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.20.z
Component/s: Bare Metal Hardware Provisioning / cluster-baremetal-operator
Labels:
- triaged

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
2
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:

4.20.z
Release Blocker:
None
Sprint:
Metal Platform 283, Metal Platform 284
sprint_count:
2

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Proposed
Release Note Type:
Bug Fix
Release Note Text:

Hide
Issue : Due to SCC selection, a OCPv 4.20.11 cluster added several extra SCC which althoug match all explicit requirements of the metal3-image-customization pods, but additionally enforce ReadOnlyRootFilesystem: true, which the Deployment just leaves as unspecified in 4.20. This causes machine-os-images init container to fail with error : "/bin/copy-metal: line 43: /coreos/coreos-aarch64.iso.sha256: Read-only file system"

Fix: Explicitly set ReadOnlyRootFilesystem to false, so that the SCC does not cause it to be set to true due to being unspecified.

Show
Issue : Due to SCC selection, a OCPv 4.20.11 cluster added several extra SCC which althoug match all explicit requirements of the metal3-image-customization pods, but additionally enforce ReadOnlyRootFilesystem: true, which the Deployment just leaves as unspecified in 4.20. This causes machine-os-images init container to fail with error : "/bin/copy-metal: line 43: /coreos/coreos-aarch64.iso.sha256: Read-only file system" Fix: Explicitly set ReadOnlyRootFilesystem to false, so that the SCC does not cause it to be set to true due to being unspecified.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

Security context constrains ( SCC ) part of OCP 4.20.11 enforces readOnlyRootFilesystem: true, which is only supported in OCP 4.21 and later. This causes Read-only file system errors. Refer the discussion in  https://issues.redhat.com/browse/OCPBUGS-65971 for more details.

Version-Release number of selected component (if applicable): 4.20.11

How reproducible:
If there is a SCC that enforces the above mentioned behavior, then we will always hit this issue.

Steps to Reproduce:
1. Deploy a cluster with above mentioned SCC present

Actual results:
Deployment fails as the machine-os-images init container part of metal3-image-customization fails with below error :
/bin/copy-metal: line 43: /coreos/coreos-aarch64.iso.sha256: Read-only file system

Expected results:
Deployment should succeed

depends on

OCPBUGS-65971 The machine-os-images container writes to /coreos during runtime which will fail for readOnlyRootFS

Closed

is related to

OCPBUGS-65971 The machine-os-images container writes to /coreos during runtime which will fail for readOnlyRootFS

Closed

links to

openshift/cluster-baremetal-operator#552: OCPBUGS-75933: Explicitly set ReadOnlyRootFilesystem to false for machine-os-images so that SCC don't end up enforcing it to true

Assignee:: Himanshu Roy

Reporter:: Himanshu Roy

Need Info From:: None

Contributors:: None

QA Contact:: Jad Haj Yahya

Doc Contact:: None

Votes:: 2 Vote for this issue

Watchers:: 12 Start watching this issue

Created:: 2026/02/05 5:29 AM

Updated:: 2026/02/10 4:11 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates