
OCPBUGS-49675, OCPBUGS-55039: In OCL. Usbguard service fails when we install the usbguard extension: IPsec tmpfile.d directives missing when enabling IPsec in OCL #4986


Merged
merged 1 commit into from
Apr 23, 2025

Conversation

dkhater-redhat
Contributor

@dkhater-redhat dkhater-redhat commented Apr 15, 2025

- What I did
Added the missing tmpfiles.d configuration for ipsec and modified permissions for the usbguard configuration. This is a patch and will be modified once USBGuard/usbguard#652 is backported into rhel.

- How to verify it

  1. Opt into OCL
  2. Apply a machine config to enable usbguard and ipsec
  3. Ensure that the extensions are properly installed

- Description for the changelog

@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 15, 2025
@openshift-ci-robot
Contributor

@dkhater-redhat: This pull request references Jira Issue OCPBUGS-49675, which is invalid:

  • expected the bug to target the "4.19.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

- What I did

- How to verify it

- Description for the changelog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 15, 2025
@dkhater-redhat dkhater-redhat changed the title OCPBUGS-49675: In OCL. Usbguard service fails when we install the usbguard extension OCPBUGS-49675, OCPBUGS-55039: In OCL. Usbguard service fails when we install the usbguard extension: IPsec tmpfile.d directives missing when enabling IPsec in OCL Apr 15, 2025
@openshift-ci-robot
Contributor

@dkhater-redhat: This pull request references Jira Issue OCPBUGS-49675, which is invalid:

  • expected the bug to target the "4.19.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-55039, which is invalid:

  • expected the bug to target the "4.19.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


@dkhater-redhat
Contributor Author

/jira refresh

@openshift-ci-robot
Contributor

@dkhater-redhat: This pull request references Jira Issue OCPBUGS-49675, which is invalid:

  • expected the bug to target the "4.19.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-55039, which is invalid:

  • expected the bug to target the "4.19.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh


@dkhater-redhat
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 15, 2025
@openshift-ci-robot
Contributor

@dkhater-redhat: This pull request references Jira Issue OCPBUGS-49675, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr

This pull request references Jira Issue OCPBUGS-55039, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr

In response to this:

/jira refresh


@openshift-ci openshift-ci bot requested a review from sergiordlr April 15, 2025 17:01
@umohnani8
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 15, 2025
@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD d5e8466 and 2 for PR HEAD d5ce541 in total


@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 16, 2025
@umohnani8
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 17, 2025
Contributor

openshift-ci bot commented Apr 17, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dkhater-redhat, umohnani8

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [dkhater-redhat,umohnani8]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ptalgulk01

Pre-merge verification
Verified using an AWS IPI-based TechPreview 4.19 cluster

  • Applied the MOSC below
MOSC Template
oc create -f - << EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineOSConfig
metadata:
  name: worker-4
spec:
  machineConfigPool:
    name: worker
  imageBuilder:
    imageBuilderType: Job
  baseImagePullSecret:
    name: $(oc get secret -n openshift-config pull-secret -o json | jq "del(.metadata.namespace, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid, .metadata.name)" | jq '.metadata.name="pull-copy"' | oc -n openshift-machine-config-operator create -f - &> /dev/null; echo -n "pull-copy")
  renderedImagePushSecret:
    name: $(oc get -n openshift-machine-config-operator sa builder -ojsonpath='{.secrets[0].name}')
  renderedImagePushSpec: "image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/ocb-image:latest"

EOF
machineosconfig.machineconfiguration.openshift.io/worker-4 created

  • After the MCP update was successful, applied the extension MC below
oc get machineosbuilds
NAME                                        PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
worker-4-013e7244d67ba32faadf129abd020797   False      False      True        False         False    4m33s
Extension Template
oc create -f - << EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: tc-56131-all-extensions
spec:
  config:
    ignition:
      version: 3.1.0
  extensions:
  - usbguard
  - kerberos
  - kernel-devel
  - sandboxed-containers
  - ipsec
  - wasm
  - sysstat
EOF
machineconfig.machineconfiguration.openshift.io/tc-56131-all-extensions created
  • Check the extension installation
sh-5.1# rpm -qa |grep usbguard
usbguard-selinux-1.0.0-16.el9.noarch
usbguard-1.0.0-16.el9.x86_64
sh-5.1#  systemctl enable --now usbguard
Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /usr/lib/systemd/system/usbguard.service.
sh-5.1# journalctl -xeu usbguard.service
Apr 17 09:16:37 ip-10-0-38-113 systemd[1]: Starting USBGuard daemon...
░░ Subject: A start job for unit usbguard.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit usbguard.service has begun execution.
░░ 
░░ The job identifier is 2204.
Apr 17 09:16:37 ip-10-0-38-113 systemd[1]: Started USBGuard daemon.
░░ Subject: A start job for unit usbguard.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit usbguard.service has finished successfully.
░░ 
░░ The job identifier is 2204.
sh-5.1# systemctl status usbguard       
● usbguard.service - USBGuard daemon
     Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; preset: disabled)
     Active: active (running) since Thu 2025-04-17 09:16:37 UTC; 50s ago
       Docs: man:usbguard-daemon(8)
    Process: 12338 ExecStart=/usr/sbin/usbguard-daemon -f -s -K -c /etc/usbguard/usbguard-daemon.conf (code=exited, status=0/SUCCESS)
   Main PID: 12340 (usbguard-daemon)
      Tasks: 3 (limit: 99972)
     Memory: 4.4M
        CPU: 149ms
     CGroup: /system.slice/usbguard.service
             └─12340 /usr/sbin/usbguard-daemon -f -s -K -c /etc/usbguard/usbguard-daemon.conf
Apr 17 09:16:37 ip-10-0-38-113 systemd[1]: Starting USBGuard daemon...
Apr 17 09:16:37 ip-10-0-38-113 systemd[1]: Started USBGuard daemon.
sh-5.1# rpm -V --nomtime crun-wasm kata-containers kernel-devel kernel-headers krb5-workstation libkadm5 libreswan NetworkManager-libreswan sysstat usbguard
missing     /usr/lib/tmpfiles.d/usbguard.conf
sh-5.1# rpm -qf /usr/lib/tmpfiles.d/usbguard.conf
usbguard-1.0.0-16.el9.x86_64
sh-5.1# rpm -qa | grep libreswan
libreswan-5.2-1.el9fdp.x86_64
NetworkManager-libreswan-1.2.24-1.el9.x86_64
sh-5.1# systemctl status libreswan
Unit libreswan.service could not be found.
sh-5.1# systemctl status ipsec
○ ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
     Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; preset: disabled)
    Drop-In: /etc/systemd/system/ipsec.service.d
             └─01-after-configure-ovs.conf
     Active: inactive (dead)
       Docs: man:ipsec(8)
             man:pluto(8)
             man:ipsec.conf(5)
sh-5.1# systemctl start ipsec
sh-5.1# systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
     Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; preset: disabled)
    Drop-In: /etc/systemd/system/ipsec.service.d
             └─01-after-configure-ovs.conf
     Active: active (running) since Thu 2025-04-17 15:50:00 UTC; 3s ago
       Docs: man:ipsec(8)
             man:pluto(8)
             man:ipsec.conf(5)
    Process: 182322 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
    Process: 182323 ExecStartPre=/usr/sbin/ipsec checknss (code=exited, status=0/SUCCESS)
    Process: 182327 ExecStartPre=/usr/sbin/ipsec checknflog (code=exited, status=0/SUCCESS)
   Main PID: 182342 (pluto)
     Status: "Startup completed."
      Tasks: 4 (limit: 99972)
     Memory: 6.8M
        CPU: 82ms
     CGroup: /system.slice/ipsec.service
             └─182342 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

/label qe-approved
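The `rpm -V` step in the verification above is read by eye; the following is an added example (not code from the PR or from the verification comment) that turns that listing into a pass/fail check, reporting missing files and files whose content digest changed. The sample `rpm -V` output is constructed, and the ipsec tmpfiles.d file name in it is a placeholder, not the file the PR adds.

```shell
#!/bin/sh
# Added example: classify `rpm -V --nomtime <pkgs>` output so a node verification
# fails when a packaged file (such as a tmpfiles.d drop-in) is absent from the
# layered image, instead of relying on someone spotting "missing" in the listing.

# Constructed sample output, modelled on the listing in the verification comment.
# "ipsec-placeholder.conf" is a placeholder name, not the file shipped by the PR.
SAMPLE_RPM_V='missing     /usr/lib/tmpfiles.d/usbguard.conf
S.5......  c /etc/usbguard/usbguard-daemon.conf
missing     /usr/lib/tmpfiles.d/ipsec-placeholder.conf
..5......    /usr/lib/systemd/system/ipsec.service'

# rpm_verify_report <rpm -V output>
# Prints "MISSING <path>" for every file rpm could not find and "MODIFIED <path>"
# for non-config files whose digest (column 3, flag '5') no longer matches the RPM.
# Config files (attribute 'c') with changed digests are expected on a configured
# node and are skipped. Returns 1 if anything is missing, 0 otherwise.
rpm_verify_report() {
    printf '%s\n' "$1" | awk '
        $1 == "missing"         { print "MISSING " $NF; missing = 1; next }
        NF == 3 && $2 == "c"    { next }
        substr($1, 3, 1) == "5" { print "MODIFIED " $NF }
        END { exit missing ? 1 : 0 }'
}

# Typical use on a node (needs root); packages as in the verification comment:
#   rpm_verify_report "$(rpm -V --nomtime usbguard libreswan)" \
#       || echo "packaged files missing from the layered image"
```

On the constructed sample the function prints two MISSING lines and one MODIFIED line and returns 1; a listing with only changed config files returns 0.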

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Apr 17, 2025
@openshift-ci-robot
Contributor

@dkhater-redhat: This pull request references Jira Issue OCPBUGS-49675, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr

This pull request references Jira Issue OCPBUGS-55039, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr


@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 198d792 and 2 for PR HEAD fc5f032 in total

@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD b55822c and 1 for PR HEAD fc5f032 in total

@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD b55822c and 2 for PR HEAD fc5f032 in total

@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 320f3d4 and 1 for PR HEAD fc5f032 in total

@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 320f3d4 and 2 for PR HEAD fc5f032 in total

@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 82ece18 and 1 for PR HEAD fc5f032 in total

@dkhater-redhat
Contributor Author

/retest-required

@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 01141a2 and 0 for PR HEAD fc5f032 in total

@openshift-ci-robot
Contributor

/hold

Revision fc5f032 was retested 3 times: holding

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 22, 2025
@dkhater-redhat
Contributor Author

/retest-required

@dkhater-redhat
Contributor Author

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 22, 2025
@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 574295e and 2 for PR HEAD fc5f032 in total

Contributor

openshift-ci bot commented Apr 23, 2025

@dkhater-redhat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/bootstrap-unit fc5f032 link false /test bootstrap-unit

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@dkhater-redhat
Contributor Author

/test e2e-hypershift

@openshift-merge-bot openshift-merge-bot bot merged commit fd75b3e into openshift:main Apr 23, 2025
9 of 17 checks passed
@openshift-ci-robot
Contributor

@dkhater-redhat: Jira Issue OCPBUGS-49675: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-49675 has been moved to the MODIFIED state.

Jira Issue OCPBUGS-55039: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-55039 has been moved to the MODIFIED state.


@openshift-bot
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-machine-config-operator
This PR has been included in build ose-machine-config-operator-container-v4.19.0-202504231110.p0.gfd75b3e.assembly.stream.el9.
All builds following this will include this PR.

cheesesashimi pushed a commit to cheesesashimi/machine-config-operator that referenced this pull request May 1, 2025
OCPBUGS-49675, OCPBUGS-55039: In OCL. Usbguard service fails when we install the usbguard extension: IPsec tmpfile.d directives missing when enabling IPsec in OCL
cheesesashimi pushed a commit to cheesesashimi/machine-config-operator that referenced this pull request May 2, 2025
OCPBUGS-49675, OCPBUGS-55039: In OCL. Usbguard service fails when we install the usbguard extension: IPsec tmpfile.d directives missing when enabling IPsec in OCL