feat: update live patching scripts to support custom repo service#6139
Merged
feat: update live patching scripts to support custom repo service#6139
Conversation
YaoC
requested review from
AbelHu,
AlisonB319,
Devinwong,
UtheMan,
anujmaheshwari1,
bravebeaver,
cameronmeissner,
djsly,
ganeshkumarashok,
juan-lee,
junjiezhang1997,
lilypan26,
phealy,
r2k1,
smith1511,
timmy-wright and
zachary-bailey
as code owners
yewmsft
reviewed
Mar 31, 2025
yewmsft
reviewed
Mar 31, 2025
yagmurbaydogan
previously approved these changes
Mar 31, 2025
yewmsft
reviewed
Mar 31, 2025
| sed -i 's/https:\/\/snapshot.ubuntu.com\/ubuntu\/\([0-9]\{8\}T[0-9]\{6\}Z\)/https:\/\/snapshot.ubuntu.com\/ubuntu\/'"${golden_timestamp}"'/g' ${source_list_path} | ||
| # No live patching repo service annotation, so we need to change to use the ubuntu snapshot repo | ||
| # e.g. replace http://10.224.0.5/ubuntu/ with https://snapshot.ubuntu.com/ubuntu/20250318T000000Z | ||
| sed -i 's/http:\/\/[0-9]\+.[0-9]\+.[0-9]\+.[0-9]\+\/ubuntu\//https:\/\/snapshot.ubuntu.com\/ubuntu\/'"${golden_timestamp}"'/g' ${source_list_path} |
Member
There was a problem hiding this comment.
not related to this PR, but we need to make the same changes to the cshelper in RP
Contributor
Author
There was a problem hiding this comment.
Yes, that's what we need to update in captureVHD API if it's NI:
- Get service IP
- Update cse for copied VMSS
yewmsft
reviewed
Mar 31, 2025
| sed -i 's/https:\/\/snapshot.ubuntu.com\/ubuntu\/\([0-9]\{8\}T[0-9]\{6\}Z\)/http:\/\/'"${live_patching_repo_service}"'\/ubuntu\//g' ${source_list_path} | ||
| # upgrade the old live patching repo service to the new one | ||
| # e.g. replace http://10.224.0.5/ubuntu/ with http://10.224.0.6/ubuntu/ | ||
| sed -i 's/http:\/\/[0-9]\+.[0-9]\+.[0-9]\+.[0-9]\+\/ubuntu\//http:\/\/'"${live_patching_repo_service}"'\/ubuntu\//g' ${source_list_path} |
Member
There was a problem hiding this comment.
Is there a way to run existing e2es on this new Image version?
Contributor
Author
There was a problem hiding this comment.
Seem the e2e is on the new image version.
Contributor
There was a problem hiding this comment.
discussed with Ye offline regarding how we can get full RP E2E coverage before merge
yewmsft
approved these changes
Apr 1, 2025
YaoC
force-pushed
the
chyao/security-patch-repo-service-support
branch
from
4918e66 to
b0df435
Compare
YaoC
force-pushed
the
chyao/security-patch-repo-service-support
branch
from
b0df435 to
8bb0a4c
Compare
YaoC
force-pushed
the
chyao/security-patch-repo-service-support
branch
from
8bb0a4c to
4dc791b
Compare
yewmsft
approved these changes
Apr 10, 2025
parts/linux/cloud-init/artifacts/mariner/mariner-package-update.sh
Outdated
Show resolved
Hide resolved
| # Network isolated cluster can't access the internet, so we deploy a live patching repo service in the cluster | ||
| # The node will use the live patching repo service to download the repo metadata and packages | ||
| # If the annotation is not set, we will use the ubuntu snapshot repo | ||
| live_patching_repo_service=$($KUBECTL get node ${node_name} -o jsonpath="{.metadata.annotations['kubernetes\.azure\.com/live-patching-repo-service']}") |
Contributor
There was a problem hiding this comment.
should we log something out if kubectl fails? you can grab the exit code with $?
Contributor
Author
There was a problem hiding this comment.
Since we added set -e for this script, if kubectl fails, it will exit directly and also log the reason.
Contributor
|
No changes to cached containers or packages on Windows VHDs |
cameronmeissner
approved these changes
Apr 22, 2025
ganeshkumarashok
pushed a commit
that referenced
this pull request
May 14, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind feature
What this PR does / why we need it:
For network isolated clusters, when doing security patch, they can't access internet to download packages. We decided to provide an internal repo service for these clusters. This PR is to update live patching scripts to support custom repo service.
Which issue(s) this PR fixes:
Fixes #
Requirements:
Special notes for your reviewer:
Release note: