crc start fails on linux with bundle 4.19.13: Temporary error: pull secret not updated to disk (x206) #4981
Description
General information
CRC cluster fails to start completely with the error "Failed to update pull secret on the disk: Temporary error: pull secret not updated to disk (x206)".
The probable cause appears to be an expired kube-scheduler client certificate.
This is only happening with bundle 4.19.13, 4.19.8 is not having this issue. It reproduces with both 2.55.0 and 2.55.1
Operating System
Linux
Hypervisor
KVM
Did you run crc setup before crc start?
yes
Running on
Baremetal-Server
Steps to reproduce
- Run crc start
- Wait for the cluster initialization process
- Observe the failure after ~10 minutes with the pull secret update error
CRC version
CRC version: 2.55.1+6252bc
OpenShift version: 4.19.13
MicroShift version: 4.19.7CRC status
ERRO crc does not seem to be setup correctly, have you run 'crc setup'?CRC config
- bundle : https://developers.redhat.com/content-gateway/file/pub/openshift-v4/clients/crc/bundles/openshift/4.19.13/crc_libvirt_4.19.13_arm64.crcbundle
- consent-telemetry : no
- cpus : 54
- disk-size : 51
- memory : 109254
- network-mode : system
- pull-secret-file : pull-secret.txt
- skip-check-daemon-systemd-sockets : true
- skip-check-daemon-systemd-unit : true
- skip-check-ram : true
- skip-check-systemd-networkd-running : true
- skip-check-systemd-resolved-running : true
- skip-check-virt-enabled : trueHost Operating System
PRETTY_NAME="Ubuntu 24.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.3 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logoExpected behavior
CRC cluster should start successfully and complete all initialization steps including updating the pull secret on disk.
Actual behavior
CRC VM starts successfully and the cluster begins initialization, but fails during the final stages with "Failed to update pull secret on the disk: Temporary error: pull secret not updated to disk (x206)" after waiting for cluster stabilization.
CRC Logs
+ crc start
INFO Using bundle path https://developers.redhat.com/content-gateway/file/pub/openshift-v4/clients/crc/bundles/openshift/4.19.13/crc_libvirt_4.19.13_arm64.crcbundle
INFO Checking if running as non-root
INFO Checking if running inside WSL2
INFO Checking if crc-admin-helper executable is cached
INFO Checking if running on a supported CPU architecture
WARN CRC is not officially supported on ARM64 CPUs for Linux.
INFO Checking if crc executable symlink exists
INFO Checking minimum RAM requirements
WARN Skipping above check...
INFO Check if Podman binary exists in: /home/runner/.crc/bin/oc
INFO Checking if Virtualization is enabled
WARN Skipping above check...
INFO Checking if KVM is enabled
INFO Checking if libvirt is installed
INFO Checking if user is part of libvirt group
INFO Checking if active user/process is currently part of the libvirt group
INFO Checking if libvirt daemon is running
INFO Checking if a supported libvirt version is installed
INFO Checking if crc-driver-libvirt is installed
INFO Checking crc daemon systemd socket units
WARN Skipping above check...
INFO Checking if AppArmor is configured
INFO Checking if systemd-networkd is running
WARN Skipping above check...
INFO Checking if NetworkManager is installed
INFO Checking if NetworkManager service is running
INFO Checking if dnsmasq configurations file exist for NetworkManager
INFO Checking if the systemd-resolved service is running
WARN Skipping above check...
INFO Checking if /etc/NetworkManager/dispatcher.d/99-crc.sh exists
INFO Checking if libvirt 'crc' network is available
INFO Checking if libvirt 'crc' network is active
INFO Loading bundle: crc_libvirt_4.19.13_arm64...
INFO Creating CRC VM for OpenShift 4.19.13...
INFO Generating new SSH key pair...
INFO Generating new password for the kubeadmin user
INFO Starting CRC VM for openshift 4.19.13...
INFO CRC instance is running with IP 192.168.130.11
INFO CRC VM is running
INFO Updating authorized keys...
INFO Resizing /dev/vda4 filesystem
INFO Configuring shared directories
INFO Check internal and public DNS query...
INFO Check DNS query from host...
WARN Wildcard DNS resolution for apps-crc.testing does not appear to be working
INFO Verifying validity of the kubelet certificates...
INFO Starting kubelet service
INFO Waiting for kube-apiserver availability... [takes around 2min]
INFO Adding user's pull secret to the cluster...
INFO Updating SSH key to machine config resource...
INFO Overriding password for developer user
INFO Changing the password for the users
INFO Updating cluster ID...
INFO Updating root CA cert to admin-kubeconfig-client-ca configmap...
INFO Starting openshift instance... [waiting for the cluster to stabilize]
WARN Cluster is not ready: cluster operators are still not stable after 10m0.101770067s
INFO Waiting until the user's pull secret is written to the instance disk...
ERROR Failed to update pull secret on the disk: Temporary error: pull secret not updated to disk (x206)Additional context
The probable cause appears to be an expired kube-scheduler client certificate. Certificate expiry check shows:
oc -n openshift-kube-scheduler get secret kube-scheduler-client-cert-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -enddate -subject -issuer
notAfter=Oct 24 08:31:41 2025 GMT
subject=CN = system:kube-scheduler
issuer=OU = openshift, CN = kube-control-plane-signer
The certificate expired on Oct 24, 2025, which may be preventing the cluster from stabilizing and completing the pull secret update process.
Workaround
Installed the version 4.19.8 instead, it worked fine (https://developers.redhat.com/content-gateway/rest/mirror/pub/openshift-v4/clients/crc/2.54.0).