[4.16] Move ironic user and group

[snehring]

It looks like the ironic uid / perm manipulation got included in the cachito specific section by mistake.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: snehring
Once this PR has been reviewed and has the lgtm label, please assign iurygregory for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @snehring. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[snehring]

Was able to test this on one of the clusters I'd noticed the problem on and it seems to fix the issue.

[elfosardo]

/hold
what's the reason behind this change?

[snehring]

/hold what's the reason behind this change?

okd-project/okd#2030 on baremetal okd 4.16 clusters the metal3 pod never comes up fully because the ironic-inspector container crashes due to the fact that the uid and gid of ironic in the container differs from the uid and gid in the container spec. This is because the customization of the uid and gid is currently only happening in ocp builds.

[snehring]

This is only relevant for 4.16, ironic uid customizations were removed entirely in openshift/cluster-baremetal-operator#430

[elfosardo]

@snehring the assignment of UID and GID for OKD is done by the RPMs, OKD builds do not use cachito logic
I think you'll have to check the RPMs specs and see what's happening there

[snehring]

@elfosardo yes that is the behavior without this. Unfortunately they differ from the uids specified by the ironic-inspector container spec leading to a permissions issue in the container. Either the uids need to be changed here in the image or the uids need to change in the container spec in the baremetal operator.

[elfosardo]

@snehring if OKD requires a specific configuration, I suggest to apply it just for that, for example look at what I've done for OCP using the main-packages list file
even if the issue is present only in 4.16, the change will have to start from master and backported, and all tracked in a bug in the internal RED HAT Jira

[snehring]

@elfosardo I believe this is an extension of https://issues.redhat.com/browse/OCPBUGS-32304 introduced in #500. So it's not just relevant to OKD, it was just only fixed in OCP as a consequence of the fix only being placed in an OCP specific section.

[elfosardo]

@snehring again that's because only OCP builds use source code and not RPMs for the ironic projects
I think you have two choices, either you backport the BMO change to remove the specific IDs to 4.16, and let the RPM set that, or you add an OKD specific section to prepare-image, or even better a separate mechanism in the OKD dockerfile

[snehring]

@elfosardo I agree backporting the BMO change would be the best fix, this just seemed more accessible. I suppose I'll look into that.