Pinning coreos-assembler in FCOS releases #1068
Comments
|
Yeah, I think matching the cosa image makes sense. Hmm, I think we could have this work transparently by just using the image digest. E.g. when building Though this is dependent on the GC policy of Quay.io. If we build cosa in OpenShift, I think we might have more control. |
I think we'd just need to add a tag in quay.io whenever we do a testing build |
|
There was an ad-hoc discussion yesterday where this topic came up; it was suggested we could experiment for a couple of releases with doing a |
|
Another thing we could do is make the cosa tag to use live in https://github.com/coreos/fedora-coreos-config and have Some advantages of this is that (1) cosa is "locked" by default which improves reproducibility, and (2) we transparently get cosa tag propagation as part of the regular promotion process. A disadvantage is that it introduces more delay between cosa changes and it affecting FCOS builds (though for hotfixes, we always have the override approach at job run time). |
|
Adding context from coreos/coreos-assembler#2644: There's a second problem with the current situation: some cosa changes interlock with fedora-coreos-config changes, and sometimes the cosa side is accidentally merged before the f-c-c side reaches FCOS Another fix approach is to use separate cosa branches for each FCOS stream, similar to how RHCOS branches cosa for each release. Since the FCOS uses rolling branches, the cosa branches would also need to roll, using promotions similar to those in fedora-coreos-config. In the shorter term, or if we don't want to address this in other ways, it would still be useful to catch FCOS branch breakage in cosa CI. It'd probably be sufficient to run an additional CI job that performs a complete build and test cycle against the fedora-coreos-config |
I kind of like it.. though I think that means we'd need to create a tag (git tag) pretty much for every commit against the COSA repo and then do builds against that. Do I understand correctly?
|
|
I agree we've hit problems but so far they haven't been too hard to work around. My instinct here is to keep this very simple to start. A very simple thing would be (pretty sure I proposed this elsewhere):
Then, in a case like coreos/coreos-assembler#2643 we can just temporarily override the stable branch to use that cosa. |
|
I agree the workarounds haven't been difficult so far. The problem is that we discover the issues while performing an out-of-cycle release, which is already a time-sensitive and chaotic process. And there's still the possibility of changes that don't cause build or CI breakage, but ship unbaked functionality directly to stable. So, I don't have opinions about the technical means used to accomplish it, but I do think we should find a systematic solution here. |
|
Note: Most likely a solution to this will require us to have our multi-arch COSA build/pushing (#1027) fleshed out and working. |
Yeah, I think so. We'll have to investigate the Quay.io auto-GC options. Or maybe as you say if we do our own building and pushing, it wouldn't be hard to have that process manage the tags for us. |
|
I just did What I'm thinking actually is that we should have a controller which queries for which coreos-assembler was used to build the FCOS stable job, and updates that tag or so. |
|
Picking this up again since it's been unblocked now. @cgwalters' strawman seems like it would be simple enough to start. Translating it into more concrete terms:
The advantage of this over the cosa branches approach is that we're re-using the exact same image, whereas rebuilding a cosa git branch currently can yield different package sets each time. (Really tempting to start locking cosa...) The disadvantage is that if we really need to backport a patch, it wouldn't be as streamlined an operation. But I think we've very rarely had to do that; the primary issues have just been from using |
|
We briefly discussed this in the community meeting today. No one is opposed but can be tricky to do right. We're going to try to get together to work out some details and report a detailed proposal here. |
|
Part of the problem is that the cosa tag in quay could get updated in the middle of a run, so pushing a quay.io tag in the How about we create a new toplevel job that then triggers
This kind of requires that We could also verify that the prod streams use the right COSA image by codifying it in the There are still some details to be worked out here, but I think there is a working solution in here somwehere. |
|
I'm not thrilled by the ordering dependency in that proposal, and we'd also have to handle out-of-cycle releases, which shouldn't update the cosa pins. Semantically, we're trying to augment the fedora-coreos-config promotion process to pin cosa containers, right? Could we just do this directly in the f-c-c promotion job for |
My proposal on how to handle that is to update the build job to default to For out-of-cycle releases you just run the build job directly with the stream selected and all other defaults (basically what you do today). No shuffling of tags happens for the out-of-cycle releases. This assumes a fix in COSA wasn't needed for the out-of-cycle release, which is a safe assumption 99% of the time I think.
The reason I think doing it in a pipeline job is best is just because we already have the credentials there and the tools there to do everything. Rather than wiring that up in a GH action. |
Hmm, I'm not sure I understand that. I think it's worth a moderate amount of code complexity in exchange for the operational flexibility of running builds in any order. And the build job proposal sounds like a larger change in any event. I think my proposal basically reduces to: if [[ $src_branch =~ ^testing-devel|next-devel$ ]]; then
repo="quay.io/coreos-assembler/coreos-assembler"
manifest=$(skopeo inspect "docker://${repo}:latest" | jq -r .Digest)
tag=fcos-$(echo "${manifest}" | cut -f2 -d: | cut -c-10)
skopeo copy -a "docker://${repo}@${manifest}" "docker://${repo}:${tag}"
echo "${repo}:${tag}" > .cosa-ref
git add .cosa-ref
fiplus credential handling similar to this. |
Right now we have a testing stream and we have a stable stream. We let things bake in testing a few weeks before promoting to stable, except for all of the changes that have gone into COSA, which could be significant. Maybe we should add a tag to cosa on the day a testing release is run and use that same cosa image that was used for testing when we do the stable pipeline run.
The text was updated successfully, but these errors were encountered: