Use a new base image for the git-init image.
#4758
Conversation
tekton-robot
added
do-not-merge/hold
tekton-robot
added
the
size/S
|
I threw the hold on mostly to ensure this doesn't merge too quickly and I get some explicit 👀 on the Also let me know if there are any additional things worth calling out in the release notes for this. |
|
I'll have to find some time this afternoon to debug a bit what's going on here 🤔 |
|
I spent most of my coding time today trying to get Trivy scans set up for the images, so we can make sure we are tracking those for these images, so I didn't have time yet to dig into why this is failing. The next two days are relatively meeting free, so I am holding out hope I will get to this tomorrow 🤞 |
mattmoor
force-pushed
the
use-apko-distroless
branch
from
a75e4a5 to
399d3f9
Compare
|
Rebasing to pull in the git 2.35.2 fixes to be sure it's not a bad interaction there, and then I'll start to poke through this locally. 🤞 |
config/controller.yaml
Outdated
| @@ -75,10 +75,10 @@ spec: | |||
|
|
|||
| # This is gcr.io/google.com/cloudsdktool/cloud-sdk:302.0.0-slim | |||
| "-gsutil-image", "gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f", | |||
| # The shell image must be root in order to create directories and copy files to PVCs. | |||
| # gcr.io/distroless/base:debug as of February 17, 2022 | |||
| # The shell image must allow root in order to create directories and copy files to PVCs. | |||
There was a problem hiding this comment.
Just double-checking this comment: ghcr.io/distroless/busybox is not root by default, but allows root if we run it as such with runAsUser, correct? Do we add runAsUser for shell-image steps (e.g., anything that uses script:? 🤔
There was a problem hiding this comment.
I'm splitting the shell stuff off because clearly the root requirements haven't been plumbed through for shell-image as Scott did for git-init, and will chase that separately.
I'm not sure why our KinD-based tests didn't show the PVC test problems using this, which makes me wonder if the e2e test suite is being clever with t.Skip() or something (or I'm missing a feature flag).
tekton/publish.yaml
Outdated
| @@ -95,7 +95,7 @@ spec: | |||
|
|
|||
| # Combine Distroless with a Windows base image, used for the entrypoint image. | |||
| COMBINED_BASE_IMAGE=$(go run ./vendor/github.com/tektoncd/plumbing/cmd/combine/main.go \ | |||
| gcr.io/distroless/base:debug-nonroot \ | |||
| ghcr.io/distroless/busybox \ | |||
There was a problem hiding this comment.
(not blocking this PR)
I'm not sure why the entrypoint image has to have a shell at all. I looked up the history and it looks like some dummy named @imjasonh added this in 95b8c71 -- prior to that (and in non-release workflows before and after that change), entrypoint is based on gcr.io/distroless/static:nonroot, which contains no shell.
If nobody remembers why I made that change, I think I'd like to change it back, and make this line ghcr.io/distroless/static.
I don't think it should block this PR, but just in case anybody remembers. @vdemeester
There was a problem hiding this comment.
nit: Let's stick with gcr.io/distroless/static until we decide to switch to the apko static image elsewhere?
There was a problem hiding this comment.
Also, I think the same sentiment applies to ALL of these, since they are all tested with static:nonroot in CI, not just entrypoint (which you specifically called out).
There was a problem hiding this comment.
Ok, so thinking through this has made me realize this use of busybox is wholly distinct from the shell-images cases, so I am going to forget about these, and you should go nuts switching things to OG static:nonroot, and then we can revisit this for NG static as part of a later convo.
|
Ok, digging thru the logs, it looks like we need to do some work to run |
This swaps our `Dockerfile` based `git-init` base image in favor of `ghcr.io/distroless/git` since it is now possible to produce a `distroless` Git image without losing one's sanity. This does NOT remove the `Dockerfile` or any logic to build it just yet, in case we want to roll this back, but that should follow in a subsequent change (tracked by the issue below). Related: tektoncd#4752
mattmoor
force-pushed
the
use-apko-distroless
branch
from
399d3f9 to
52b8f68
Compare
tekton-robot
added
size/XS
mattmoor
changed the title
git-init image.
|
Poking through the failures now, I see at least one place where we don't appear to be running I also see this in the |
|
Yeah, ok these clearly need changes too: - name: clone
image: ko://github.com/tektoncd/pipeline/cmd/git-init
script: |
CHECKOUT_DIR="$(workspaces.output.path)/$(params.subdirectory)"I don't think we're running the yaml/example tests downstream, but we should probably start to. |
|
Ok, the second commit should address the explicit use of All of the remaining failures have to do with |
|
Alright, so I put together chainguard-dev/apko#182 to create |
|
/test pull-tekton-pipeline-go-coverage |
mattmoor
changed the title
git-init image.git-init image.
tekton-robot
removed
the
do-not-merge/work-in-progress
This is very similar to tektoncd#4758 and tektoncd#4717 but for `shell-image`. This switches the default user of the `shell-image` to `nonroot`, which forces Tekton to be explicit about all of the places it needs a shell as `root` using `runAsUser: 0`. This also switches things over to a much leaner `busybox` image (no `glibc`), which is the main thing we use `base:debug` for with the OG distroless images. Fixes: tektoncd#4761 Related: tektoncd#4752
This is very similar to tektoncd#4758 and tektoncd#4717 but for `shell-image`. This switches the default user of the `shell-image` to `nonroot`, which forces Tekton to be explicit about all of the places it needs a shell as `root` using `runAsUser: 0`. This also switches things over to a much leaner `busybox` image (no `glibc`), which is the main thing we use `base:debug` for with the OG distroless images. Fixes: tektoncd#4761 Related: tektoncd#4752
This came up in tektoncd#4758, but when stitching together a linux + windows image as a base for utility images Jason had inadvertently(?) used `base:debug-nonroot` instead of `static:nonroot` for the linux side. Given that ~all testing is done with `static:nonroot` for these images, this is probably SAFER than what we're currently doing releasing based on an untested (albeit superset) configuration. However, the additional things this pulls in are `glibc` and `busybox`, which are unfortunate because `glibc` often has vulnerabilities that these images aren't susceptible to, and `busybox` is a contentious dependency in many settings (to minimizing its use it generally better). AFAIK this is untested presubmit, and I have no idea how to test this properly, so please review thoroughly! /kind cleanup
|
/lgtm Thanks! |
|
/test pull-tekton-pipeline-alpha-integration-tests tests timed out 🤔 |
This came up in #4758, but when stitching together a linux + windows image as a base for utility images Jason had inadvertently(?) used `base:debug-nonroot` instead of `static:nonroot` for the linux side. Given that ~all testing is done with `static:nonroot` for these images, this is probably SAFER than what we're currently doing releasing based on an untested (albeit superset) configuration. However, the additional things this pulls in are `glibc` and `busybox`, which are unfortunate because `glibc` often has vulnerabilities that these images aren't susceptible to, and `busybox` is a contentious dependency in many settings (to minimizing its use it generally better). AFAIK this is untested presubmit, and I have no idea how to test this properly, so please review thoroughly! /kind cleanup
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
|
/test pull-tekton-pipeline-integration-tests Going to run e2e once more with the nightly images |
|
Let's get it baking /hold cancel |
tekton-robot
removed
the
do-not-merge/hold
This is very similar to #4758 and #4717 but for `shell-image`. This switches the default user of the `shell-image` to `nonroot`, which forces Tekton to be explicit about all of the places it needs a shell as `root` using `runAsUser: 0`. This also switches things over to a much leaner `busybox` image (no `glibc`), which is the main thing we use `base:debug` for with the OG distroless images. Fixes: #4761 Related: #4752
Similar to tektoncd@ba2e7f3 - with tektoncd#4758, `git-init` now uses `ghcr.io/distroless/git` as its base image, and that image needs to run as root. `git-init` by default does _not_ run as root. So the two examples using copy-pasted old versions of the `git-clone` catalog task need to be changed to run as root, or the example tests will keep failing forever. An equivalent change will be needed in the `git-clone` catalog task once it's bumped to using `git-init:v0.35.0` or later - currently, it's using `v0.29.0`. Signed-off-by: Andrew Bayer <[email protected]>
Similar to ba2e7f3 - with #4758, `git-init` now uses `ghcr.io/distroless/git` as its base image, and that image needs to run as root. `git-init` by default does _not_ run as root. So the two examples using copy-pasted old versions of the `git-clone` catalog task need to be changed to run as root, or the example tests will keep failing forever. An equivalent change will be needed in the `git-clone` catalog task once it's bumped to using `git-init:v0.35.0` or later - currently, it's using `v0.29.0`. Signed-off-by: Andrew Bayer <[email protected]>
# This is the 1st commit message: change emitting results # This is the commit message #2: fix code # This is the commit message #3: A few minor cleanups in pkg/reconciler/pipelinerun/pipelinerun_test.go These just mildly annoyed me, so I thought I'd clean them up. Signed-off-by: Andrew Bayer <[email protected]> # This is the commit message #4: Instrument e2e pipelinerun_test.go files for logstream These two (`test/pipelinerun_test.go` and `test/v1alpha1/pipelinerun_test.go`) weren't done in the last PR, because they were messy and I wanted to get that PR in. But I had some time this morning, so here they are, which should be the last things in the e2e tests (other than examples/yamls testing, which are their own bucket of worms) to be instrumented with `helpers.ObjectNameForTest(t)`. Signed-off-by: Andrew Bayer <[email protected]> # This is the commit message #5: Update tutorial links We recently updated the introductory tutorial on the documnentation website. That tutorial covers the same content as the one here. To avoid duplicated efforts and content drift, I'm linkin that doc here and replacing the existing content. Additionally, this removes references to `PipelineResources`. # This is the commit message #6: Set git-clone tasks in examples to run as root Similar to tektoncd@ba2e7f3 - with tektoncd#4758, `git-init` now uses `ghcr.io/distroless/git` as its base image, and that image needs to run as root. `git-init` by default does _not_ run as root. So the two examples using copy-pasted old versions of the `git-clone` catalog task need to be changed to run as root, or the example tests will keep failing forever. An equivalent change will be needed in the `git-clone` catalog task once it's bumped to using `git-init:v0.35.0` or later - currently, it's using `v0.29.0`. Signed-off-by: Andrew Bayer <[email protected]> # This is the commit message #7: adding latest release - 0.35 Updating the table to include the latest release links. # This is the commit message #8: Added a unit test for pod status. Add unit test with large result for setTaskRunStatusBasedOnStepStatus.
This came up in tektoncd#4758, but when stitching together a linux + windows image as a base for utility images Jason had inadvertently(?) used `base:debug-nonroot` instead of `static:nonroot` for the linux side. Given that ~all testing is done with `static:nonroot` for these images, this is probably SAFER than what we're currently doing releasing based on an untested (albeit superset) configuration. However, the additional things this pulls in are `glibc` and `busybox`, which are unfortunate because `glibc` often has vulnerabilities that these images aren't susceptible to, and `busybox` is a contentious dependency in many settings (to minimizing its use it generally better). AFAIK this is untested presubmit, and I have no idea how to test this properly, so please review thoroughly! /kind cleanup
This is very similar to tektoncd#4758 and tektoncd#4717 but for `shell-image`. This switches the default user of the `shell-image` to `nonroot`, which forces Tekton to be explicit about all of the places it needs a shell as `root` using `runAsUser: 0`. This also switches things over to a much leaner `busybox` image (no `glibc`), which is the main thing we use `base:debug` for with the OG distroless images. Fixes: tektoncd#4761 Related: tektoncd#4752
Similar to tektoncd@ba2e7f3 - with tektoncd#4758, `git-init` now uses `ghcr.io/distroless/git` as its base image, and that image needs to run as root. `git-init` by default does _not_ run as root. So the two examples using copy-pasted old versions of the `git-clone` catalog task need to be changed to run as root, or the example tests will keep failing forever. An equivalent change will be needed in the `git-clone` catalog task once it's bumped to using `git-init:v0.35.0` or later - currently, it's using `v0.29.0`. Signed-off-by: Andrew Bayer <[email protected]>
Similar to tektoncd@ba2e7f3 - with tektoncd#4758, `git-init` now uses `ghcr.io/distroless/git` as its base image, and that image needs to run as root. `git-init` by default does _not_ run as root. So the two examples using copy-pasted old versions of the `git-clone` catalog task need to be changed to run as root, or the example tests will keep failing forever. An equivalent change will be needed in the `git-clone` catalog task once it's bumped to using `git-init:v0.35.0` or later - currently, it's using `v0.29.0`. Signed-off-by: Andrew Bayer <[email protected]>
Similar to ba2e7f3 - with #4758, `git-init` now uses `ghcr.io/distroless/git` as its base image, and that image needs to run as root. `git-init` by default does _not_ run as root. So the two examples using copy-pasted old versions of the `git-clone` catalog task need to be changed to run as root, or the example tests will keep failing forever. An equivalent change will be needed in the `git-clone` catalog task once it's bumped to using `git-init:v0.35.0` or later - currently, it's using `v0.29.0`. Signed-off-by: Andrew Bayer <[email protected]>
This swaps out the
Dockerfilebasedgit-initbase image in favor ofghcr.io/distroless/gitsince it is now possible to produce adistrolessGit image without losing one's sanity.This does NOT remove the
Dockerfileor any logic to build it just yet, in case we want to roll this back, but that should follow in a subsequent change (tracked by the issue below).Related: #4752
/kind cleanup
/hold
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
(if there are no user facing changes, use release note "NONE")
Release Notes