
Bug 1904683: add build s2i as root uid image for associated tests #25745

Merged


@gabemontero gabemontero commented Dec 7, 2020

/assign @smarterclayton

hey - one of the docker.io refs used in build e2e's was not handled with your change from last week

please see https://github.com/openshift/origin/blob/master/test/extended/builds/s2i_root.go#L114

as a rule, official s2i builders do not run with root uid, so we don't have any official s2i builder images to use instead in order to validate that such builders are not allowed

Also, in talking to @bparees this guy is so old, we are not sure which repo/Dockerfile manages this one ... it might have been manually created and pushed to docker.io ... so perhaps we need to do work along those lines to recreate all that ... either that, or pull docker.io/... and push to quay.io/....

Lastly, and related, I had trouble finding an example in openshift/release in order to "Define a standard CI build and publish the image to quay.io in the openshift namespace" and "Have the automation promote the image to the quay mirror location", per https://github.com/openshift/origin/blob/master/test/extended/util/image/README.md#to-add-a-new-image

Any guidance would be appreciated

@openshift-ci-robot openshift-ci-robot added the bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. label Dec 7, 2020
@openshift-ci-robot

@gabemontero: This pull request references Bugzilla bug 1904683, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1904683: add build s2i as root uid image for assoicated tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Dec 7, 2020
@openshift-ci-robot

@gabemontero: This pull request references Bugzilla bug 1904683, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1904683: add build s2i as root uid image for assoicated tests


@gabemontero
Contributor Author

ok with an assist from @yselkowitz we found the build repo for the test image: https://github.com/openshift/build-test-images

I'll start looking into seeding openshift/release with a job for building that and pushing an image to quay.io

@gabemontero
Contributor Author

/retest

@adambkaplan
Contributor

@gabemontero should we hold/close this PR in favor of moving the image to quay.io?

Note that we could use the simple s2i image for our git clone tests, or other test suites which need a no-op s2i build.

@gabemontero
Contributor Author

> @gabemontero should we hold/close this PR in favor of moving the image to quay.io?

My guess is that long term @smarterclayton would want us to adhere to the process at https://github.com/openshift/origin/blob/master/test/extended/util/image/README.md#to-add-a-new-image since that would cover disconnected install testing.

But short term, yes, to alleviate docker.io throttling, as we discussed in scrum, since I got quay.io/redhat-developer/test-build-roots2i:latest now up, we could switch to that short term, and perhaps hold this in the interim.

I'm still looking this afternoon into the CI piece noted in https://github.com/openshift/origin/blob/master/test/extended/util/image/README.md#to-add-a-new-image ... perhaps if I do not make enough headway by tomorrow, we employ the combo of both short and long term approaches (i.e. don't gate addressing the throttling bz with this PR, but still pursue this PR longer term).

Thoughts?

> Note that we could use the simple s2i image for our git clone tests, or other test suites which need a no-op s2i build.

@gabemontero
Contributor Author

> @gabemontero should we hold/close this PR in favor of moving the image to quay.io?
>
> Note that we could use the simple s2i image for our git clone tests, or other test suites which need a no-op s2i build.

Also, on using the simple s2i image from our git clone tests, unless they don't already set the user, then I think we are blocked on this specific test that runs as uid 0 ... i.e. https://github.com/openshift/build-test-images/blob/master/roots2i/Dockerfile#L6

But if you think I am missing some nuance in what you are getting at, please elaborate.

@adambkaplan
Contributor

I assumed that the simples2i image in the build-test-images repo doesn't run as root, but since that is a simple FROM busybox image I'm not as certain.

Per your update in slack, I think my original point is moot. For the git tests we want to restore, my hunch is that the core logic and images used should be OK, and the main work will be around setup and updating our test suite definitions in openshift/release.

@gabemontero
Contributor Author

/retest

@gabemontero
Contributor Author

/retest

@gabemontero
Contributor Author

ok per slack discussion thread with @smarterclayton and @bparees I've pushed d6ba86e which does the image.LocationFor on the new CI test image we want to mirror.

When it correctly fails in e2e-gcp-builds I'll ping @smarterclayton and he will do the mirroring piece as part of the process he is iterating on with #25769

@@ -20,6 +20,10 @@ func init() {
// used by oc mirror test, should be moved to publish to quay
"docker.io/library/registry:2.7.1": -1,

// used by build s2i e2e's to verify that builder with USER root are not allowed, should be moved to quay
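
Review bot: the new comment on the last line of this hunk says the image is "used by build s2i e2e's" without naming the consumer; naming the test file (test/extended/builds/s2i_root.go, linked in the PR description) would let a later reader find what depends on this entry before changing it. The phrase "builder with USER root are not allowed" should read "builders with USER root are not allowed". The trailing "should be moved to quay" reads as an open TODO copied from the registry entry above; since the map entry it annotates is not visible in this excerpt, either confirm it still applies to the registry the entry points at or drop it.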
Contributor

why should it be moved to quay? it's not on docker.io so i would think that's good enough.

Contributor Author

forgot to clean up that comment as part of our ongoing education here

just pushed an update that removed that quay related phrase

@bparees bparees changed the title Bug 1904683: add build s2i as root uid image for assoicated tests Bug 1904683: add build s2i as root uid image for associated tests Dec 15, 2020
@bparees
Contributor

bparees commented Dec 15, 2020

it lgtm. we'll see what the keeper of the process says

@gabemontero
Contributor Author

OK we have the right failure in https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/25745/pull-ci-openshift-origin-master-e2e-gcp-builds/1338883704528834560 @smarterclayton

Dec 15 17:51:12.565: INFO: Error running /usr/bin/oc --namespace=e2e-test-s2i-build-root-fbzf6 --kubeconfig=/tmp/configfile210304501 new-build quay.io/openshift/community-e2e-images:e2e-registry-svc-ci-openshift-org-ocp-4-7-test-build-roots2i-ZzDWhWn0wPB9cLFM~https://github.com/sclorg/nodejs-ex --name nodejspass:
StdOut>
error: unable to locate any images in image streams, local docker images with name "quay.io/openshift/community-e2e-images:e2e-registry-svc-ci-openshift-org-ocp-4-7-test-build-roots2i-ZzDWhWn0wPB9cLFM"

from [sig-builds][Feature:Builds] s2i build with a root user image should create a root build and pass with a privileged SCC [Suite:openshift/conformance/parallel]

@smarterclayton
Contributor

/retest

Mirrored

@gabemontero
Contributor Author

all green tests @smarterclayton @bparees

shall we tag for merge ?

@smarterclayton
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 16, 2020
@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gabemontero, smarterclayton


@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 16, 2020
@gabemontero
Contributor Author

install gcp iam errors on last e2e-gcp-builds:

level=error
level=error msg=Error: Request "Create IAM Members roles/storage.admin serviceAccount:ci-op-n1cbnhfs-4e3c6-75lhv-m@openshift-gce-devel-ci.iam.gserviceaccount.com for \"project \\\"openshift-gce-devel-ci\\\"\"" returned error: Error applying IAM policy for project "openshift-gce-devel-ci": Error setting IAM policy for project "openshift-gce-devel-ci": googleapi: Error 400: Service account ci-op-6g9062nn-74927-ds9nj-m@openshift-gce-devel-ci.iam.gserviceaccount.com does not exist., badRequest
level=error
level=error msg=  on ../tmp/openshift-install-459853876/master/main.tf line 21, in resource "google_project_iam_member" "master-storage-admin":
level=error msg=  21: resource "google_project_iam_member" "master-storage-admin" {
level=error
level=error
level=fatal msg=failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply Terraform: failed to complete the change
2020/12/16 15:24:18 Failed to upload $KUBECONFIG: timed out waiting for the condition: stat /tmp/secret/kubeconfig: no such file or directory 

/test e2e-gcp-builds

@gabemontero
Contributor Author

sig-node sig-network failures

/test e2e-gcp

@openshift-bot
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit 28c27ba into openshift:master Dec 16, 2020
@openshift-ci-robot

@gabemontero: All pull requests linked via external trackers have merged:

Bugzilla bug 1904683 has been moved to the MODIFIED state.

In response to this:

Bug 1904683: add build s2i as root uid image for associated tests
