Bug 1904683: add build s2i as root uid image for associated tests #25745
@gabemontero: This pull request references Bugzilla bug 1904683, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@gabemontero: This pull request references Bugzilla bug 1904683, which is valid. 3 validation(s) were run on this bug
ok with an assist from @yselkowitz we found the build repo for the test image: https://github.com/openshift/build-test-images I'll start looking into seeding openshift/release with a job for building that and pushing an image to quay.io
/retest
@gabemontero should we hold/close this PR in favor of moving the image to quay.io? Note that we could use the simple s2i image for our git clone tests, or other test suites which need a no-op s2i build.
My guess is that long term @smarterclayton would want us to adhere to the process at https://github.com/openshift/origin/blob/master/test/extended/util/image/README.md#to-add-a-new-image since that would cover disconnected install testing. But short term, yes, to alleviate docker.io throttling, as we discussed in scrum, since I got I'm still looking this afternoon into the CI piece noted in https://github.com/openshift/origin/blob/master/test/extended/util/image/README.md#to-add-a-new-image ... perhaps if I do not make enough headway by tomorrow, we employ the combo of both short and long term approaches (i.e. don't gate addressing the throttling bz with this PR, but still pursue this PR longer term). Thoughts?
Also, on using the simple s2i image from our git clone tests, unless they don't already set the user, then I think we are blocked on this specific test that runs as uid 0 ... i.e. https://github.com/openshift/build-test-images/blob/master/roots2i/Dockerfile#L6 But if you think I am missing some nuance in what you are getting at, please elaborate.
I assumed that the simples2i image in the Per your update in slack, I think my original point is moot. For the git tests we want to restore, my hunch is that the core logic and images used should be OK, and the main work will be around setup and updating our test suite definitions in openshift/release.
/retest
bc92066 to 8efdb9d
/retest
ok per slack discussion thread with @smarterclayton and @bparees I've pushed d6ba86e which does the When it correctly fails in e2e-gcp-builds I'll ping @smarterclayton and he will do the mirroring piece as part of the process he is iterating on with #25769
test/extended/util/image/image.go
Outdated
@@ -20,6 +20,10 @@ func init() { | |||
// used by oc mirror test, should be moved to publish to quay | |||
"docker.io/library/registry:2.7.1": -1, | |||
|
|||
// used by build s2i e2e's to verify that builder with USER root are not allowed, should be moved to quay |
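Review bot: the comment added on the last line of this hunk ends with "should be moved to quay" but names no bug or issue, so nothing ties that TODO to follow-up work; link the tracker, or drop the phrase if the image's current registry is acceptable. The same comment should read "builders with USER root are not allowed" rather than "builder with USER root are not allowed".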
why should it be moved to quay? it's not on docker.io so i would think that's good enough.
forgot to clean up that comment as part of our ongoing education here
just pushed an update that removed that quay related phrase
d6ba86e to ad92926
it lgtm. we'll see what the keeper of the process says
OK we have the right failure in https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/25745/pull-ci-openshift-origin-master-e2e-gcp-builds/1338883704528834560 @smarterclayton
from
/retest Mirrored
all green tests @smarterclayton @bparees shall we tag for merge ?
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gabemontero, smarterclayton The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
install gcp iam errors on last e2e-gcp-builds:
/test e2e-gcp-builds
sig-node sig-network failures /test e2e-gcp
/retest Please review the full test history for this PR and help us cut down flakes.
@gabemontero: All pull requests linked via external trackers have merged: Bugzilla bug 1904683 has been moved to the MODIFIED state. In response to this:
/assign @smarterclayton
hey - one of the docker.io refs used in build e2e's was not handled with your change from last week
please see https://github.com/openshift/origin/blob/master/test/extended/builds/s2i_root.go#L114
as a rule, official s2i builders do not run with root uid, so we don't have any official s2i builder images to use instead in order to validate that such builders are not allowed
Also, in talking to @bparees this guy is so old, we are not sure which repo/Dockerfile manages this one ... it might have been manually created and pushed to docker.io ... so perhaps we need to do work along those lines to recreate all that ... either that, or pull docker.io/... and push to quay.io/....
Lastly, and related, I had trouble finding an example in openshift/release in order to
Define a standard CI build and publish the image to quay.io in the openshift namespace, and
Have the automation promote the image to the quay mirror location.
per https://github.com/openshift/origin/blob/master/test/extended/util/image/README.md#to-add-a-new-image
Any guidance would be appreciated