update CI images to include pasta

[Luap99]

Ref: containers/automation_images#246

Does this PR introduce a user-facing change?

None

[cevich]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cevich, Luap99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Luap99]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Luap99]

@giuseppe @cdoern PTAL I see cgroup and pause/unpause issues with the new image:
https://api.cirrus-ci.com/v1/artifact/task/6308142752464896/html/bud-remote-fedora-37-root-host.log.html
https://api.cirrus-ci.com/v1/artifact/task/5163041256374272/html/int-podman-fedora-37-root-container.log.html

[Luap99]

FYI these are the installed versions:

Fedora release 37 (Thirty Seven)
Kernel:  6.0.8-300.fc37.x86_64
Cgroups:  cgroup2fs
aardvark-dns-1.2.0-6.fc37-x86_64
conmon-2.1.4-3.fc37-x86_64
containernetworking-plugins-1.1.1-8.fc37-x86_64
containers-common-1-73.fc37-noarch
container-selinux-2.191.0-1.fc37-noarch
criu-3.17.1-3.fc37-x86_64
crun-1.7-1.fc37-x86_64
golang-1.19.2-1.fc37-x86_64
libseccomp-2.5.3-3.fc37-x86_64
netavark-1.2.0-5.fc37-x86_64
passt-0^20221110.g4129764-1.fc37-x86_64
podman-4.3.1-1.fc37-x86_64
runc-1.1.4-1.fc37-x86_64
skopeo-1.10.0-3.fc37-x86_64
slirp4netns-1.2.0-8.fc37-x86_64

[Luap99]

@giuseppe reping, could please take a look at the e2e failures, they look all cgroup related.

[giuseppe]

it looks like a regression in crun 1.7. Taking a look...

[giuseppe]

fix here: containers/crun#1084

I'll release 1.7.2 ASAP

[Luap99]

fix here: containers/crun#1084

I'll release 1.7.2 ASAP

Thank you.

[giuseppe]

rpms here:

• https://bodhi.fedoraproject.org/updates/FEDORA-2022-7e7bce3425
• https://bodhi.fedoraproject.org/updates/FEDORA-2022-87411cbdd0

[Luap99]

@giuseppe @adrianreber It looks like checkpoint/restore is broken on fedora 36

Error is

could not load `libcriu.so.2`

These are the version installed:

Kernel:  6.0.12-200.fc36.x86_64
criu-3.17.1-2.fc36-x86_64
crun-1.7.2-1.fc36-x86_64

How to fix this?

[adrianreber]

@giuseppe @adrianreber It looks like checkpoint/restore is broken on fedora 36

Error is

could not load `libcriu.so.2`

These are the version installed:

Kernel:  6.0.12-200.fc36.x86_64
criu-3.17.1-2.fc36-x86_64
crun-1.7.2-1.fc36-x86_64

How to fix this?

dnf -y install criu-libs

The crun fix is on its way: https://bodhi.fedoraproject.org/updates/FEDORA-2022-68051670ee

[cevich]

I have an older image-update PR I've been kicking around for a while now. Since this one is better, and there's no sense in two separate image-update PRs, I'll close mine in favor of this one. I'll keep subscribed here though in case my eyeballs are needed.

[Luap99]

For reference, test failures are caused by a bind() kernel bug: https://bugzilla.redhat.com/show_bug.cgi?id=2159066

[cevich]

We also need to make sure no new release-branches are created

Ugh...this may actually be the case. Well 💩

@Luap99 let me guess, your preference is to get this PR merged before any new releases, ya?

To be clear, what I'm worried about is:

    # FIXME FIXME FIXME: hard coding the windows ID to use an older image
    # something is wrong with WSL with the new images, see https://github.com/containers/podman/pull/16525#issuecomment-1379890071
    WINDOWS_AMI: "win-server-wsl-c5069932136759296"
    # WINDOWS_AMI: "win-server-wsl-${IMAGE_SUFFIX}"

That's going to end up in a release-branch. That makes me nervous. Our image timestamping automation can handle it just fine, it's the human-maintainers I'm worried about 😖

Context: It's both bad, and wrong (and often technically difficult) to update a CI VM-image set in release branches. If we merge this, it means everyone agrees to live with the de-sync, basically forever.

Am I being paranoid, or is this a real problem we should consider?

[Luap99]

Am I being paranoid, or is this a real problem we should consider?

No this is a problem. I don't like it either, I don't think we have to merge it right now. The blocked PR already skipped the test anyway and was merged earlier so it should not block somebodies work, at least I am not aware of anything.

My only point is that it makes sense to test on more recent images. At this point I really do not believe the current images reflect the software on actual users systems any more and therefore we might miss critical bugs because of it. I know we have gating tests in fedora but they only cover a subset compared to upstream CI.

[cevich]

No this is a problem.

Okay, thanks for the sanity-check. Let's wait for @n1hility to help fix Windows (what would we do without him!) and/or merge this PR after the release is branched. Maybe the kernel bug will be resolved by then (one can wish).

At this point I really do not believe the current images reflect the software on actual users systems any more

I 100% agree, the current images are based on a beta-build of F37 😕 The good thing is, I think in a few weeks you've blown through image-update problems I was failing to fix for more than a month 😁

[n1hility]

@cevich It's a hairy problem, although I have a solution almost ready to go, just needs polishing. It will require PRs to images and podman to address.

[cevich]

@n1hility okay, thanks for the update and guesstimate. Last I looked, you're in-the-clear for an automation_images PR, there's nothing else happening over there ATM.

This PR is the main one trying to update images for Podman CI, so we can update the ID here when it's ready. Thanks again.

[Luap99]

Rebased to include the windows fix, this should turn green now unless I am the most unluckiest person ever.
@cevich @edsantiago PTAL again

[cevich]

/lgtm

[Luap99]

Not a single flake as far as I can tell, guess I am not so unlucky after all.

[cevich]

Nope, sometimes all it takes is persistence, and teamwork 👍