CMP-4050: read json-enricher volume config dynamically #158

Merged
yuumasato merged 6 commits into openshift:release-0.10 from Vincent056:fix-json-enricher-volume-mount
Jan 20, 2026

Conversation

@Vincent056

Read json-enricher volume config dynamically during reconciliation

The json-enricher crashes with 'read-only file system' when custom auditLogPath is configured because the volume mount from ConfigMap was only read at operator startup, not during reconciliation.

This fix reads the ConfigMap volume configuration during each reconciliation, ensuring volume mounts are applied correctly.

What type of PR is this?

/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:

CMP-4050

Does this PR have test?

N/A.

Special notes for your reviewer:

Does this PR introduce a user-facing change?

None

…liation

The json-enricher crashes with 'read-only file system' when custom
auditLogPath is configured because the volume mount from ConfigMap
was only read at operator startup, not during reconciliation.

This fix reads the ConfigMap volume configuration during each
reconciliation, ensuring volume mounts are applied correctly.
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 12, 2026
@openshift-ci-robot

openshift-ci-robot commented Jan 12, 2026

@Vincent056: This pull request references CMP-4050 which is a valid jira issue.

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Jan 12, 2026
@openshift-ci openshift-ci bot requested review from xiaojiey and yuumasato January 12, 2026 23:12
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 12, 2026
@yuumasato yuumasato left a comment

/lgtm

Pending QE verification

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 13, 2026
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 14, 2026
…ock.yaml for package updates

- Added `libbpf-devel` to the INSTALL_PKGS in Dockerfile.openshift to enable BPF support.
@Vincent056 Vincent056 force-pushed the fix-json-enricher-volume-mount branch from 8ef0bcb to 996284f Compare January 16, 2026 16:08
FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.24 as builder

RUN yum -y install git libseccomp-devel && yum clean all && \
RUN yum -y install git libseccomp-devel libbpf-devel && yum clean all && \
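Review bot: the `libbpf-devel` added on the second `RUN yum -y install` line pulls in `pkgconfig(libelf)`, i.e. `elfutils-libelf-devel`, which the hermetic build step (`RUN . /cachi2/cachi2.env && ...`) can only satisfy from the prefetched RPM set; the build error below shows the prefetched `elfutils-libelf-devel-0.193-1.el9` requiring `elfutils-libelf(x86-64) = 0.193-1.el9` while the base image already ships `elfutils-libelf-0.190-2.el9` and `elfutils-debuginfod-client-0.190-2.el9`, so the matching `elfutils-libelf`, `elfutils-libs` and `elfutils-debuginfod-client` versions need to be pinned in the RPM lock file alongside `libbpf-devel` rather than worked around with `--allowerasing` or `--nobest` in the Dockerfile.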

Need to fix this error in the operator image build step:

Error: 
 Problem: package elfutils-libelf-devel-0.193-1.el9.x86_64 from rhel-9-for-x86_64-appstream-rpms requires elfutils-libelf(x86-64) = 0.193-1.el9, but none of the providers can be installed
  - cannot install both elfutils-libelf-0.193-1.el9.x86_64 from rhel-9-for-x86_64-baseos-rpms and elfutils-libelf-0.190-2.el9.x86_64 from @System
  - package libbpf-devel-2:1.5.0-2.el9.x86_64 from codeready-builder-for-rhel-9-x86_64-rpms requires pkgconfig(libelf), but none of the providers can be installed
  - package elfutils-debuginfod-client-0.190-2.el9.x86_64 from @System requires elfutils-libelf(x86-64) = 0.190-2.el9, but none of the providers can be installed
  - conflicting requests
  - problem with installed package elfutils-debuginfod-client-0.190-2.el9.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
subprocess exited with status 1
subprocess exited with status 1
Error: building at STEP "RUN . /cachi2/cachi2.env &&     yum -y install git libseccomp-devel libbpf-devel && yum clean all &&     yum -y clean all && rm -rf /var/cache/yum": exit status 1
step-prepare-sboms :-
2026/01/16 16:19:09 Skipping step because a previous step failed
step-push :-
2026/01/16 16:19:08 Skipping step because a previous step failed
step-sbom-syft-generate :-
2026/01/16 16:19:09 Skipping step because a previous step failed
step-upload-sbom :-
2026/01/16 16:19:09 Skipping step because a previous step failed

…ebuginfod-client to the package installation for improved debugging support.
…k.yaml

- Included acl, dbus, dbus-broker, dbus-common, elfutils-debuginfod-client, elfutils-default-yama-scope, elfutils-libs, json-c, kmod-libs, and systemd packages for both architectures.
@xiaojiey

Pre-merge verification passed. Now, with the same procedure as in https://issues.redhat.com/browse/CMP-4050, the spod pods are running:

$ oc get configmap security-profiles-operator-profile -n security-profiles-operator -o=jsonpath={.data} | jq -r | grep logs
  "json-enricher-log-volume-mount-path": "/tmp/logs",
  "json-enricher-log-volume-source.json": "{\"hostPath\": {\"path\": \"/tmp/logs\",\"type\": \"DirectoryOrCreate\"}}",
$ oc get pod
NAME                                                  READY   STATUS    RESTARTS   AGE
security-profiles-operator-7466f45f5b-x74n7           1/1     Running   0          3m55s
security-profiles-operator-webhook-866fd755d4-fjtps   1/1     Running   0          9m40s
security-profiles-operator-webhook-866fd755d4-vk6gb   1/1     Running   0          9m40s
security-profiles-operator-webhook-866fd755d4-xcj88   1/1     Running   0          9m40s
spod-986zm                                            2/2     Running   0          3m35s
spod-k7ppz                                            2/2     Running   0          3m35s
spod-s9g4b                                            2/2     Running   0          3m35s
spod-trjk2                                            2/2     Running   0          3m35s
spod-vh6cg                                            2/2     Running   0          3m35s
$ oc logs pod/spod-986zm -c json-enricher
...
I0119 10:41:22.346896   90774 main.go:761] "JSON Enricher Configuration" logger="setup" AuditFreq="30s" AuditLogPath="" AuditLogMaxSize=100 AuditLogMaxBackup=0 AuditLogMaxAge=0 EnricherFiltersJson=""
I0119 10:41:22.346925   90774 jsonenricher.go:134] "Enricher Filters" logger="json-enricher" filters=[]
I0119 10:41:22.346990   90774 jsonenricher.go:199] "Starting audit JSON logging on node ip-10-0-34-82.us-east-2.compute.internal" logger="json-enricher"
I0119 10:41:22.347004   90774 jsonenricher.go:210] "Setting up caches with expiry of 1h0m0s" logger="json-enricher"
I0119 10:41:22.347432   90774 jsonenricher.go:252] "Reading from file /var/log/audit/audit.log" logger="json-enricher"
I0119 10:41:22.347456   90774 bpfprocesscache.go:83] "Loading bpf module..." logger="json-enricher"
libbpf: loading object 'recorder.bpf.o' from buffer
libbpf: elf: section(2) .text, size 936, link 0, flags 6, type=1
libbpf: sec '.text': found program 'cwd_read_v61' at insn offset 0 (0 bytes), code size 117 insns (936 bytes)
libbpf: elf: section(3) lsm/file_open, size 1912, link 0, flags 6, type=1
libbpf: sec 'lsm/file_open': found program 'file_open' at insn offset 0 (0 bytes), code size 239 insns (1912 bytes)
...
I0119 10:41:22.420919   90774 bpfrecorder.go:604] "attached bpf program" logger="json-enricher" name="sys_enter_execve"
I0119 10:41:22.421058   90774 bpfrecorder.go:604] "attached bpf program" logger="json-enricher" name="sys_enter_getgid"
I0119 10:41:22.421972   90774 bpfprocesscache.go:144] "BPF module successfully loaded." logger="json-enricher"
I0119 10:41:22.421984   90774 bpfrecorder.go:614] "Start BPF recording..." logger="json-enricher"
I0119 10:41:22.421997   90774 bpfrecorder.go:643] "Recording started." logger="json-enricher"
I0119 10:41:22.422001   90774 bpfprocesscache.go:150] "Started Recorder" logger="json-enricher"
I0119 10:41:22.422073   90774 bpfprocesscache.go:176] "Processing bpf events" logger="json-enricher"
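
As an added example (not code from the operator or from this PR), the reconcile-time derivation of the json-enricher log volume that the PR description and the verification output above describe: the two ConfigMap keys shown in the `oc get configmap` output are parsed on every reconcile into a volume and a mount, and the configured audit log path is checked against the mount so that a path outside every writable mount is rejected before the DaemonSet is updated, instead of failing at runtime with 'read-only file system'. The type definitions are minimal stand-ins for the k8s.io/api/core/v1 types, the volume name `json-enricher-log-volume` and the function names are assumptions, and the sample ConfigMap data is constructed from the values in the verification output.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Minimal stand-ins for the Kubernetes core/v1 types (k8s.io/api/core/v1).
// Only the fields needed to decode the ConfigMap value seen in the
// verification output are modelled; the JSON tags match the real API.
type HostPathVolumeSource struct {
	Path string `json:"path"`
	Type string `json:"type,omitempty"`
}

type EmptyDirVolumeSource struct{}

type VolumeSource struct {
	HostPath *HostPathVolumeSource `json:"hostPath,omitempty"`
	EmptyDir *EmptyDirVolumeSource `json:"emptyDir,omitempty"`
}

type Volume struct {
	Name         string
	VolumeSource VolumeSource
}

type VolumeMount struct {
	Name      string
	MountPath string
}

// ConfigMap keys as they appear in security-profiles-operator-profile.
// The volume name is an assumption for this example.
const (
	keyMountPath    = "json-enricher-log-volume-mount-path"
	keyVolumeSource = "json-enricher-log-volume-source.json"
	logVolumeName   = "json-enricher-log-volume"
)

// EnricherLogVolume derives the volume and mount for the json-enricher
// container from the ConfigMap data. It is meant to be called on every
// reconcile pass, so that edits to the ConfigMap made after operator
// start-up take effect. An absent configuration is not an error: nothing
// extra is mounted and the enricher keeps writing to its default path.
func EnricherLogVolume(data map[string]string) (*Volume, *VolumeMount, error) {
	mountPath := strings.TrimSpace(data[keyMountPath])
	srcJSON := strings.TrimSpace(data[keyVolumeSource])
	if mountPath == "" && srcJSON == "" {
		return nil, nil, nil
	}
	if mountPath == "" || srcJSON == "" {
		return nil, nil, errors.New("mount path and volume source must be set together")
	}
	if !filepath.IsAbs(mountPath) {
		return nil, nil, fmt.Errorf("mount path %q is not absolute", mountPath)
	}
	var src VolumeSource
	dec := json.NewDecoder(strings.NewReader(srcJSON))
	dec.DisallowUnknownFields() // a typo in the ConfigMap must not silently yield an empty source
	if err := dec.Decode(&src); err != nil {
		return nil, nil, fmt.Errorf("decoding %s: %w", keyVolumeSource, err)
	}
	if src.HostPath == nil && src.EmptyDir == nil {
		return nil, nil, errors.New("volume source must specify hostPath or emptyDir")
	}
	vol := &Volume{Name: logVolumeName, VolumeSource: src}
	mnt := &VolumeMount{Name: logVolumeName, MountPath: filepath.Clean(mountPath)}
	return vol, mnt, nil
}

// MountCoversLogPath reports whether auditLogPath lies inside mountPath.
// With a read-only root filesystem, a log path outside every writable mount
// is exactly the 'read-only file system' failure the bug describes, so this
// check belongs in the reconcile loop before the DaemonSet is updated.
func MountCoversLogPath(auditLogPath, mountPath string) bool {
	rel, err := filepath.Rel(filepath.Clean(mountPath), filepath.Clean(auditLogPath))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, "../")
}

func main() {
	// Constructed sample: the ConfigMap values shown in the verification output.
	data := map[string]string{
		keyMountPath:    "/tmp/logs",
		keyVolumeSource: `{"hostPath": {"path": "/tmp/logs","type": "DirectoryOrCreate"}}`,
	}
	vol, mnt, err := EnricherLogVolume(data)
	if err != nil {
		fmt.Println("invalid volume config:", err)
		return
	}
	fmt.Printf("volume %s -> hostPath %s, mounted at %s\n", vol.Name, vol.VolumeSource.HostPath.Path, mnt.MountPath)
	for _, p := range []string{"/tmp/logs/audit.json", "/var/log/enricher/audit.json"} {
		fmt.Printf("%s writable via mount: %v\n", p, MountCoversLogPath(p, mnt.MountPath))
	}
}
```

The rejection of a half-set configuration (mount path without a source, or the reverse) is deliberate: applying only one half would either mount nothing or mount a volume nowhere, and the enricher would again hit the read-only root filesystem.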

@xiaojiey

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Jan 19, 2026
@openshift-ci-robot

openshift-ci-robot commented Jan 19, 2026

@Vincent056: This pull request references CMP-4050 which is a valid jira issue.

Details

In response to this:

Read json-enricher volume config dynamically during reconciliation

The json-enricher crashes with 'read-only file system' when custom auditLogPath is configured because the volume mount from ConfigMap was only read at operator startup, not during reconciliation.

This fix reads the ConfigMap volume configuration during each reconciliation, ensuring volume mounts are applied correctly.

What type of PR is this?

/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:

CMP-4050
-->

Does this PR have test?

N/A.

Special notes for your reviewer:

Does this PR introduce a user-facing change?

None

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@@ -4,76 +4,97 @@ lockfileVendor: redhat
arches:
- arch: ppc64le
packages:
- url: https://cdn.redhat.com/content/dist/rhel9/9/ppc64le/appstream/os/Packages/e/emacs-filesystem-27.2-13.el9_6.noarch.rpm
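Review bot: the `@@ -4,76 +4,97 @@` hunk grows a hand-edited rpms.lock.yaml, and the one visible entry (`emacs-filesystem-27.2-13.el9_6.noarch.rpm` for ppc64le) is not among the packages the commit message names, so the lock evidently carries transitive dependencies resolved by hand; record the requested package set in an rpms.in.yaml next to this file and let the Konflux prefetch regenerate the lock, so the pinned URLs and versions cannot drift from the Dockerfile's `yum install` list the way the earlier elfutils version mismatch did.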

One question about the rpms.lock.yaml file, should we add rpms.in.yaml to get this file automatically updated by Konflux? Thanks.

This can also be done in a separate PR.

@yuumasato yuumasato left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 20, 2026
@openshift-ci

openshift-ci bot commented Jan 20, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Vincent056, yuumasato

Needs approval from an approver in each of these files:
  • OWNERS [Vincent056,yuumasato]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@yuumasato yuumasato merged commit a71e186 into openshift:release-0.10 Jan 20, 2026
1 of 2 checks passed
@saschagrunert
Member

Should we forward port this to the main repo?

@xiaojiey

xiaojiey commented Feb 4, 2026

Should we forward port this to the main repo?
Yes. We need to cherry-pick it to the main repo. However, the bug still exists with the Konflux build. More fix needed.

Labels

approved  Indicates a PR has been approved by an approver from all required OWNERS files.
jira/valid-reference  Indicates that this PR references a valid Jira ticket of any type.
kind/bug  Categorizes issue or PR as related to a bug.
lgtm  Indicates that a PR is ready to be merged.
need-cherrypick
qe-approved  Signifies that QE has signed off on this PR

5 participants