Pin perl-interpreter and xorg-x11-fonts NVRs for openvpn hermetic builds #10021
fbladilo wants to merge 5 commits into
ea0875f to 5e4ff20
openshift-migration-openvpn and openshift-migration-operator hermetic builds started failing on Apr 13 with no changes to source Dockerfiles or ocp-build-data config. The root cause is art-tools PR openshift-eng#2686 (merged Apr 8), which filtered installed_rpms in the SBOM to only actually-installed packages, reducing rpms_from_build and exposing latent issues.

1. Module metadata (modules.yaml) in the lockfile causes DNF modular filtering in hermetic builds. The rebaser skips module enablement for EL8 (el_ver < 9 guard), so modular packages are filtered out. Module enable workarounds fail because lockfile RPMs are out of sync with module metadata versions, and the full module dependency graph (e.g. freeradius requiring perl:5.26) creates unresolvable conflicts.
   Fix: set modules to empty list to prevent module metadata inclusion in the lockfile. Without modules.yaml, DNF treats all packages as regular RPMs with no modular filtering.
2. xorg-x11-fonts-ISO8859-1-100dpi (openvpn only): doozer's _detect_nvr_vs_name() misparses this as an NVR, silently dropping it from the lockfile. Pin to full NVR 7.5-19.el8 to bypass the parser.

Both issues were masked by rpms_from_build providing correct versions from the old over-broad SBOM data. No source Dockerfile changes needed.

Ref: openshift-eng/art-tools#2686
5e4ff20 to 9595025
Previous attempt disabled module metadata entirely (modules: []) but builds still failed because Doozer's lockfile resolver picks modular perl 5.32 RPMs as highest EVR regardless of module config.

Re-enable modules and inject 'dnf module enable perl:5.32' via modifications to align DNF's modular filtering with the RPMs in the lockfile. Rebaser skips module enablement for EL8 (el_ver < 9 guard in rebaser.py), so modifications are needed to inject it manually.

Affects: openshift-migration-openvpn, openshift-migration-operator
See: art-tools#2686

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
…-perl

Without explicit stream versions, these modules default to streams built against perl 5.26. Use perl-IO-Socket-SSL:2.066 and perl-libwww-perl:6.34 which are the multi-perl-compatible streams introduced in RHEL 8.3 (RHEA-2020:4724) that work with perl:5.32.

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
The lockfile resolver picks the highest EVR for perl-Net-SSLeay across all module contexts. The perl:5.24 context build (suffix 30f09725) has a higher EVR than the perl:5.32 context (suffix 6b8485cb) because RPM compares the hash segment numerically (30 > 6). This causes the lockfile to contain perl-Net-SSLeay built against perl 5.24, which requires libperl.so.5.24 - incompatible with perl:5.32.

Verified correct NVR via:
  podman run ubi8 dnf module enable perl:5.32 perl-IO-Socket-SSL:2.066 && dnf repoquery perl-Net-SSLeay

See: art-tools#2746

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
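
The ordering effect described in the commit message above, as an added example that is not code from this PR, doozer or rpm: a simplified re-implementation of RPM's segment comparison (no `~`/`^` handling, release field only) run over two constructed candidates. Only the two hash suffixes come from the commit message; the rest of the release strings and the `stream` field are assumptions made for the illustration.

```python
import re
from functools import cmp_to_key

_SEG = re.compile(r"\d+|[A-Za-z]+")  # RPM ignores every other character

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare digit/letter runs pairwise (no ~ or ^)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn != yn:
            return 1 if xn else -1          # a numeric run beats an alpha run
        if xn:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):            # more digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

# Constructed candidates: same package, releases differ only in the context hash.
CANDIDATES = [
    {"name": "perl-Net-SSLeay", "release": "1.module+el8+30f09725", "stream": "perl:5.24"},
    {"name": "perl-Net-SSLeay", "release": "1.module+el8+6b8485cb", "stream": "perl:5.32"},
]

_by_release = cmp_to_key(lambda p, q: rpmvercmp(p["release"], q["release"]))

def pick_highest(cands):
    """Highest release across all module contexts (the failure mode)."""
    return max(cands, key=_by_release, default=None)

def pick_for_stream(cands, enabled_stream):
    """Restrict to the enabled stream first, then take the highest release."""
    return max((c for c in cands if c["stream"] == enabled_stream),
               key=_by_release, default=None)

if __name__ == "__main__":
    print("across contexts:", pick_highest(CANDIDATES)["stream"])
    print("perl:5.32 only: ", pick_for_stream(CANDIDATES, "perl:5.32")["release"])
```
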
The full RHEL 8 EUS appstream modules.yaml includes freeradius:3.0 which declares requires: module(perl:5.26). This conflicts with perl:5.32 and prevents DNF from resolving perl dependencies (cascading into perl(DynaLoader) not found). UBI8 repos don't include freeradius, so it only fails in hermetic builds using the EUS content sets.

Disable freeradius before enabling perl:5.32 to avoid the conflict.

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
openshift-migration-openvpn hermetic builds started failing on Apr 13 with no changes to the source Dockerfile or ocp-build-data config.
perl-interpreter: The bare name resolves to the modular 5.32.x from appstream (searched before baseos alphabetically). In hermetic builds, DNF filters this out by modular filtering because module enablement is skipped for EL8 (rebaser.py el_ver < 9 guard). Pin to the non-modular 5.26.3-423.el8_10 from baseos-eus.
xorg-x11-fonts-ISO8859-1-100dpi: doozer's _detect_nvr_vs_name() misparses this package name as an NVR (name=xorg-x11-fonts-ISO8859, version=1, release=100dpi), causing it to be silently dropped from the lockfile. Pin to the full NVR 7.5-19.el8 to bypass the parser.
Both packages were previously supplied by rpms_from_build (from the old over-broad SBOM data), masking these bugs. The upstream Dockerfile (migtools/openvpn release-1.8) has not changed since before the last successful build on Apr 12.
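
The name-versus-NVR ambiguity and the silent drop described above, as an added example that is not doozer's `_detect_nvr_vs_name()` or any code from this PR: a hypothetical split heuristic, a classifier that consults known package names first, and an audit that reports requested packages missing from a lockfile. All function names and the sample sets are constructed for the illustration.

```python
def naive_split_nvr(spec):
    """Hypothetical heuristic: read 'a-b-c' as name-version-release whenever
    the would-be version field starts with a digit."""
    parts = spec.rsplit("-", 2)
    if len(parts) == 3 and parts[1][:1].isdigit():
        return tuple(parts)
    return None

def classify(spec, known_names):
    """Resolve the ambiguity with repo metadata: an exact package name wins,
    and an NVR parse is accepted only if its name part is a known package."""
    if spec in known_names:
        return ("name", spec)
    nvr = naive_split_nvr(spec)
    if nvr and nvr[0] in known_names:
        return ("nvr", nvr[0])
    return ("unknown", spec)

def dropped_from_lockfile(requested, locked_names, known_names):
    """Return every requested spec whose package is absent from the lockfile,
    so a parser miss fails the build instead of passing silently."""
    missing = []
    for spec in requested:
        _, name = classify(spec, known_names)
        if name not in locked_names:
            missing.append(spec)
    return missing

# Constructed sample data: package names taken from the PR description.
KNOWN = {"perl-interpreter", "xorg-x11-fonts-ISO8859-1-100dpi"}
REQUESTED = ["perl-interpreter", "xorg-x11-fonts-ISO8859-1-100dpi"]
LOCKED = {"perl-interpreter"}  # the font package was dropped

if __name__ == "__main__":
    print(naive_split_nvr("xorg-x11-fonts-ISO8859-1-100dpi"))
    print(classify("xorg-x11-fonts-ISO8859-1-100dpi-7.5-19.el8", KNOWN))
    print(dropped_from_lockfile(REQUESTED, LOCKED, KNOWN))
```
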