[BUG] patching ubi9 based images failing (microdnf)

[anthony-zawacki]

Version of copa

0.7.0

Expected Behavior

Patching to be successful.

Actual Behavior

Patching fails with a timeout because microdnf is being called without the -y options, which leads to copa being prompted "Is this ok [y/N]".

Logs:

#12 sh -c /usr/bin/microdnf update java-21-openjdk-devel java-21-openjdk-headless python-unversioned-command python3 python3-libs cups-libs java-21-openjdk && /usr/bin/microdnf clean all
#12 20.89 
#12 20.89 (microdnf:11532): librhsm-WARNING **: 13:56:01.609: Found 0 entitlement certificates
#12 20.89 
#12 20.89 (microdnf:11532): librhsm-WARNING **: 13:56:01.612: Found 0 entitlement certificates
#12 21.05 Downloading metadata...
#12 21.59 Downloading metadata...
#12 22.74 Downloading metadata...
#12 23.31 Package                                                        Repository               Size
#12 23.31 Upgrading:                                                                                  
#12 23.31  cups-libs-1:2.3.3op2-27.el9_4.x86_64                          ubi-9-baseos-rpms    270.2 kB
#12 23.31   replacing cups-libs-1:2.3.3op2-24.el9.x86_64                                              
#12 23.31  python-unversioned-command-3.9.18-3.el9_4.3.noarch            ubi-9-appstream-rpms  10.2 kB
#12 23.31   replacing python-unversioned-command-3.9.18-3.el9_4.1.noarch                              
#12 23.31  python3-3.9.18-3.el9_4.3.x86_64                               ubi-9-baseos-rpms     30.2 kB
#12 23.31   replacing python3-3.9.18-3.el9_4.1.x86_64                                                 
#12 23.31  python3-libs-3.9.18-3.el9_4.3.x86_64                          ubi-9-baseos-rpms      8.2 MB
#12 23.31    replacing python3-libs-3.9.18-3.el9_4.1.x86_64                                           
#12 23.31 Transaction Summary:
#12 23.31  Installing:        0 packages
#12 23.31  Reinstalling:      0 packages
#12 23.31  Upgrading:         4 packages
#12 23.31  Obsoleting:        0 packages
#12 23.31  Removing:          0 packages
#12 23.31  Downgrading:       0 packages
#12 23.31 Is this ok [y/N]: time="2024-07-25T14:01:17Z" level=debug msg="stopping session"
time="2024-07-25T14:01:18Z" level=error msg="patch exceeded timeout 10m0s"
Error: patch exceeded timeout 10m0s

Steps To Reproduce

The output above comes from attempting to patch the keycloak:25.0.1 image in ironbank. However, any ubi9 (and probably ubi8?) image should replicate the problem.

Try to patch any UBI9 based image with security vulnerabilities such as: registry.access.redhat.com/ubi9/ubi-minimal:9.4-949

Logs from ubi-minimal:9.4-949:

copa patch --debug --timeout 10m -i registry.access.redhat.com/ubi9/ubi-minimal:9.4-949 -a tcp://buildkitd:1234
...
time="2024-07-25T19:35:01Z" level=debug msg="RPM DB Type in image is: RPMDBSqlLite"
time="2024-07-25T19:35:01Z" level=info msg="Checking for available RPM tools in non-distroless image ..."

#11 sh -c /usr/bin/microdnf install dnf -y; dnf check-update -y; if [ $? -ne 0 ]; then echo >> /updates.txt; fi;
#11 2.977 
#11 2.977 (microdnf:2382132): librhsm-WARNING **: 19:35:04.262: Found 0 entitlement certificates
#11 2.981 
#11 2.981 (microdnf:2382132): librhsm-WARNING **: 19:35:04.267: Found 0 entitlement certificates
#11 3.691 Downloading metadata...
#11 6.372 Downloading metadata...
#11 12.18 Downloading metadata...
#11 14.87 Package                                             Repository               Size
#11 14.87 Installing:                                                                      
#11 14.87  dnf-4.14.0-9.el9.noarch                            ubi-9-baseos-rpms    497.5 kB
#11 14.87  elfutils-default-yama-scope-0.190-2.el9.noarch     ubi-9-baseos-rpms     12.5 kB
#11 14.87  elfutils-libelf-0.190-2.el9.x86_64                 ubi-9-baseos-rpms    200.2 kB
#11 14.87  elfutils-libs-0.190-2.el9.x86_64                   ubi-9-baseos-rpms    264.2 kB
#11 14.87  expat-2.5.0-2.el9_4.x86_64                         ubi-9-baseos-rpms    122.2 kB
#11 14.87  ima-evm-utils-1.4-4.el9.x86_64                     ubi-9-baseos-rpms     68.9 kB
#11 14.87  libcomps-0.1.18-1.el9.x86_64                       ubi-9-baseos-rpms     81.9 kB
#11 14.87  libgomp-11.4.1-3.el9.x86_64                        ubi-9-baseos-rpms    277.0 kB
#11 14.87  libxcrypt-compat-4.4.18-3.el9.x86_64               ubi-9-appstream-rpms  93.2 kB
#11 14.87  python-unversioned-command-3.9.18-3.el9_4.3.noarch ubi-9-appstream-rpms  10.2 kB
#11 14.87  python3-3.9.18-3.el9_4.3.x86_64                    ubi-9-baseos-rpms     30.2 kB
#11 14.87  python3-dnf-4.14.0-9.el9.noarch                    ubi-9-baseos-rpms    477.7 kB
#11 14.87  python3-gpg-1.15.1-6.el9.x86_64                    ubi-9-baseos-rpms    291.6 kB
#11 14.87  python3-hawkey-0.69.0-8.el9.x86_64                 ubi-9-baseos-rpms    109.3 kB
#11 14.87  python3-libcomps-0.1.18-1.el9.x86_64               ubi-9-baseos-rpms     53.3 kB
#11 14.87  python3-libdnf-0.69.0-8.el9.x86_64                 ubi-9-baseos-rpms    803.1 kB
#11 14.87  python3-libs-3.9.18-3.el9_4.3.x86_64               ubi-9-baseos-rpms      8.2 MB
#11 14.87  python3-pip-wheel-21.2.3-8.el9.noarch              ubi-9-baseos-rpms      1.2 MB
#11 14.87  python3-rpm-4.16.1.3-29.el9.x86_64                 ubi-9-baseos-rpms     70.2 kB
#11 14.87  python3-setuptools-wheel-53.0.0-12.el9.noarch      ubi-9-baseos-rpms    481.8 kB
#11 14.87  rpm-build-libs-4.16.1.3-29.el9.x86_64              ubi-9-baseos-rpms     92.5 kB
#11 14.87  rpm-sign-libs-4.16.1.3-29.el9.x86_64               ubi-9-baseos-rpms     22.6 kB
#11 14.87  tpm2-tss-3.2.2-2.el9.x86_64                        ubi-9-baseos-rpms    618.9 kB
#11 14.87 Transaction Summary:
#11 14.87  Installing:       23 packages
#11 14.87  Reinstalling:      0 packages
#11 14.87  Upgrading:         0 packages
#11 14.87  Obsoleting:        0 packages
#11 14.87  Removing:          0 packages
#11 14.87  Downgrading:       0 packages
#11 14.87 Downloading packages...
#11 18.19 Running transaction test...
#11 19.58 Installing: expat;2.5.0-2.el9_4;x86_64;ubi-9-baseos-rpms
#11 19.60 Installing: elfutils-libelf;0.190-2.el9;x86_64;ubi-9-baseos-rpms
#11 19.68 Installing: libcomps;0.1.18-1.el9;x86_64;ubi-9-baseos-rpms
#11 19.69 Installing: libxcrypt-compat;4.4.18-3.el9;x86_64;ubi-9-appstream-rpms
#11 19.77 Installing: python3-pip-wheel;21.2.3-8.el9;noarch;ubi-9-baseos-rpms
#11 20.29 Installing: tpm2-tss;3.2.2-2.el9;x86_64;ubi-9-baseos-rpms
#11 20.48 Installing: ima-evm-utils;1.4-4.el9;x86_64;ubi-9-baseos-rpms
#11 20.49 Installing: rpm-sign-libs;4.16.1.3-29.el9;x86_64;ubi-9-baseos-rpms
#11 20.57 Installing: python3-setuptools-wheel;53.0.0-12.el9;noarch;ubi-9-baseos-rpms
#11 20.58 Installing: python-unversioned-command;3.9.18-3.el9_4.3;noarch;ubi-9-appstream-rpms
#11 20.59 Installing: python3;3.9.18-3.el9_4.3;x86_64;ubi-9-baseos-rpms
#11 20.68 Installing: python3-libs;3.9.18-3.el9_4.3;x86_64;ubi-9-baseos-rpms
#11 23.57 Installing: python3-libdnf;0.69.0-8.el9;x86_64;ubi-9-baseos-rpms
#11 23.69 Installing: python3-hawkey;0.69.0-8.el9;x86_64;ubi-9-baseos-rpms
#11 23.78 Installing: python3-libcomps;0.1.18-1.el9;x86_64;ubi-9-baseos-rpms
#11 23.87 Installing: python3-gpg;1.15.1-6.el9;x86_64;ubi-9-baseos-rpms
#11 24.00 Installing: libgomp;11.4.1-3.el9;x86_64;ubi-9-baseos-rpms
#11 24.08 Installing: elfutils-default-yama-scope;0.190-2.el9;noarch;ubi-9-baseos-rpms
#11 24.17 Installing: elfutils-libs;0.190-2.el9;x86_64;ubi-9-baseos-rpms
#11 24.19 Installing: rpm-build-libs;4.16.1.3-29.el9;x86_64;ubi-9-baseos-rpms
#11 24.27 Installing: python3-rpm;4.16.1.3-29.el9;x86_64;ubi-9-baseos-rpms
#11 24.29 Installing: python3-dnf;4.14.0-9.el9;noarch;ubi-9-baseos-rpms
#11 24.59 Installing: dnf;4.14.0-9.el9;noarch;ubi-9-baseos-rpms
#11 27.59 Complete.
#11 30.57 Red Hat Universal Base Image 9 (RPMs) - BaseOS  420 kB/s | 516 kB     00:01    
#11 32.97 Red Hat Universal Base Image 9 (RPMs) - AppStre 1.6 MB/s | 2.1 MB     00:01    
#11 38.38 Red Hat Universal Base Image 9 (RPMs) - CodeRea 196 kB/s | 275 kB     00:01    
#11 39.18 Last metadata expiration check: 0:00:01 ago on Thu Jul 25 19:35:39 2024.
#11 39.97 
#11 39.97 glibc.x86_64                          2.34-100.el9_4.2         ubi-9-baseos-rpms
#11 39.97 glibc-common.x86_64                   2.34-100.el9_4.2         ubi-9-baseos-rpms
#11 39.97 glibc-minimal-langpack.x86_64         2.34-100.el9_4.2         ubi-9-baseos-rpms
#11 39.97 libnghttp2.x86_64                     1.43.0-5.el9_4.3         ubi-9-baseos-rpms
#11 39.97 libxml2.x86_64                        2.9.13-6.el9_4           ubi-9-baseos-rpms
#11 39.97 systemd-libs.x86_64                   252-32.el9_4.6           ubi-9-baseos-rpms
#11 DONE 40.3s

#12 sh -c /usr/bin/microdnf update  && /usr/bin/microdnf clean all
#12 3.878 
#12 3.878 (microdnf:2386335): librhsm-WARNING **: 19:35:45.462: Found 0 entitlement certificates
#12 3.883 
#12 3.883 (microdnf:2386335): librhsm-WARNING **: 19:35:45.467: Found 0 entitlement certificates
#12 4.489 Downloading metadata...
#12 6.895 Downloading metadata...
#12 12.39 Downloading metadata...
#12 14.97 Package                                                Repository            Size
#12 14.97 Installing:                                                                      
#12 14.97  glibc-langpack-en-2.34-100.el9_4.2.x86_64             ubi-9-baseos-rpms 682.4 kB
#12 14.97 Upgrading:                                                                       
#12 14.97  glibc-2.34-100.el9_4.2.x86_64                         ubi-9-baseos-rpms   2.1 MB
#12 14.97   replacing glibc-2.34-100.el9.x86_64                                            
#12 14.97  glibc-common-2.34-100.el9_4.2.x86_64                  ubi-9-baseos-rpms 320.9 kB
#12 14.97   replacing glibc-common-2.34-100.el9.x86_64                                     
#12 14.97  glibc-minimal-langpack-2.34-100.el9_4.2.x86_64        ubi-9-baseos-rpms  28.2 kB
#12 14.97   replacing glibc-minimal-langpack-2.34-100.el9.x86_64                           
#12 14.97  libnghttp2-1.43.0-5.el9_4.3.x86_64                    ubi-9-baseos-rpms  76.8 kB
#12 14.97   replacing libnghttp2-1.43.0-5.el9_3.1.x86_64                                   
#12 14.97  libxml2-2.9.13-6.el9_4.x86_64                         ubi-9-baseos-rpms 769.9 kB
#12 14.97   replacing libxml2-2.9.13-5.el9_3.x86_64                                        
#12 14.97  systemd-libs-252-32.el9_4.6.x86_64                    ubi-9-baseos-rpms 694.8 kB
#12 14.97    replacing systemd-libs-252-32.el9_4.x86_64                                    
#12 14.97 Transaction Summary:
#12 14.97  Installing:        1 packages
#12 14.97  Reinstalling:      0 packages
#12 14.97  Upgrading:         6 packages
#12 14.97  Obsoleting:        0 packages
#12 14.97  Removing:          0 packages
#12 14.97  Downgrading:       0 packages
#12 14.97 Is this ok [y/N]: time="2024-07-25T19:44:33Z" level=debug msg="stopping session"
time="2024-07-25T19:44:34Z" level=error msg="patch exceeded timeout 10m0s"
Error: patch exceeded timeout 10m0s

Are you willing to submit PRs to contribute to this bug fix?

• Yes, I am willing to implement it.

[anthony-zawacki]

Is it really as simple as this line missing a -y in the string?

copacetic/pkg/pkgmgr/rpm.go

Line 425 in beb8c86

const microdnfInstallTemplate = `sh -c '%[1]s update %[2]s && %[1]s clean all'`

[MiahaCybersec]

Good catch! I've opened a PR to fix this issue.