Comments

To test this build on a Fedora IoT system, run:

ARCH=$(uname -m)
rpm-ostree override replace https://kojipkgs.fedoraproject.org//packages/greenboot/0.15.5/2.fc40/${ARCH}/greenboot-0.15.5-2.fc40.${ARCH}.rpm https://kojipkgs.fedoraproject.org//packages/greenboot/0.15.5/2.fc40/${ARCH}/greenboot-default-health-checks-0.15.5-2.fc40.${ARCH}.rpm
systemctl reboot

Fixed my container build failure

Did an rpm-ostree override replace with this build in an FCOS VM and performed some sanity testing.

Verified that the /var/lib/containers fix was present, too.

BZ#1671667 refresh f29 fedora-toolbox container (still pre-release image)

Still looks like https://github.com/containers/libpod/issues/1752 isn't fixed in this build:

# rpm -q podman
podman-0.10.1.3-4.gitdb08685.fc29.x86_64

# podman run --rm -it docker.io/alpine ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=47 time=11.410 ms
64 bytes from 1.1.1.1: seq=1 ttl=47 time=11.281 ms
64 bytes from 1.1.1.1: seq=2 ttl=47 time=11.331 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 11.281/11.340/11.410 ms
# systemctl reboot
...
# rpm -q podman 
podman-0.11.1-1.gita4adfe5.fc29.x86_64
# podman run --rm -it docker.io/alpine ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Fixes containers/libpod#1575 which was biting me with 0.9.3.1

This appears to break rpm-ostree install functionality on F29 Atomic Host. Specifically, the writing out of the bootloader as the final piece of the install operation.

# rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora-atomic:fedora/29/x86_64/testing/atomic-host
                   Version: 29.20181003.0 (2018-10-03 14:59:08)
                    Commit: 5dbe63cb0db058eedba63e645df08ff4c0b0b4a8bf20e1862e4921b5232cd5d1
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4

# rpm-ostree install wget
Checking out tree 5dbe63c... done
Enabled rpm-md repositories: updates-testing updates fedora
rpm-md repo 'updates-testing' (cached); generated: 2018-10-01 21:51:38
rpm-md repo 'updates' (cached); generated: 2018-02-20 19:18:14
rpm-md repo 'fedora' (cached); generated: 2018-10-02 09:59:20
Importing metadata [=============] 100%
Resolving dependencies... done
Checking out packages (1/1) [=============] 100%
Running pre scripts... 0 done
Running post scripts... 7 done
Writing rpmdb... done
Writing OSTree commit... done
Freed: 16.5 MB (pkgcache branches: 0)
Added:
  wget-1.19.5-5.fc29.x86_64
Run "systemctl reboot" to start a reboot

# ostree admin finalize-staged
error: Bootloader write config: grub2-mkconfig: Child process exited with code 1

See https://github.com/projectatomic/rpm-ostree/issues/1598 for more info

BZ#1593419 no network access in containers when doing 'podman run' on F28AH
BZ#1622640 rpm -qi podman shows a wrong url

Doh...BZ#1595316 was for F28 and was already closed as NOTABUG. But BZ#1595300 is against F27 for the same error...that's the BZ that should be attached to the update.

I had to generate a custom F27 Atomic Host compose to include this update in order to verify it works, but it does fix BZ#1595316 for me. Thanks!

I'm unable to run any containers using docker run. See https://bugzilla.redhat.com/show_bug.cgi?id=1595300

# docker run --rm -it registry.fedoraproject.org/fedora:28 echo 'hello'
standard_init_linux.go:178: exec user process caused "permission denied"

# journalctl -b | grep 'avc:  denied'
Jun 26 14:32:40 micah-f27ah-vm0626ba.localdomain audit[1253]: AVC avc:  denied  { entrypoint } for  pid=1253 comm="runc:[2:INIT]" path="/usr/bin/echo" dev="dm-0" ino=16780467 scontext=system_u:system_r:container_t:s0:c491,c888 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

# ls -lZ /var/lib/docker
total 0
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:32 containers
drwx------. 3 root root system_u:object_r:unlabeled_t:s0  22 Jun 26 14:08 image
drwxr-x---. 3 root root system_u:object_r:unlabeled_t:s0  19 Jun 26 14:08 network
drwx------. 4 root root system_u:object_r:unlabeled_t:s0 112 Jun 26 14:32 overlay2
drwx------. 4 root root system_u:object_r:unlabeled_t:s0  32 Jun 26 14:08 plugins
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:08 swarm
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:17 tmp
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:08 trust
drwx------. 2 root root system_u:object_r:unlabeled_t:s0  25 Jun 26 14:08 volumes

Successfully ran the sanity atomic-host-tests against a custom tree with this build included.

Fixes the linked BZ for me, too.