RHEL: Do not pull rootless CNI infra image, and instead request that user build it. #8671
Conversation
The existing logic (Range > 0) always triggered, because range is guaranteed to be at least 1 (a single port has a range of 1, a two port range (e.g. 80-81) has a range of 2, and so on). As such this could cause ports that had a host port assigned to them by the user to randomly assign one instead. Fixes containers#8650 Fixes containers#8651 Signed-off-by: Matthew Heon <mheon@redhat.com>
openshift-ci-robot
added
the
approved
|
@mheon Looks like you have a PR in here that is not supposed to be here on Ports. |
|
@rhatdan Deliberate cherry-pick - that's a pretty significant bugfix we should get into RHEL. We're not frozen yet, so I grabbed it. |
|
LGTM |
libpod/rootless_cni_linux.go
Outdated
| if err != nil { | ||
| if errors.Cause(err) == define.ErrNoSuchImage { | ||
| return nil, errors.Errorf("rootless CNI infra image not present - please build image from https://github.com/containers/podman/blob/v2.2.1/contrib/rootless-cni-infra/Containerfile and tag as %q", imageName) |
There was a problem hiding this comment.
I know it's long already, but could we give them the command to use to build the image instead of just the Containerfile?
There was a problem hiding this comment.
I don't think so - the actual build process is getting very complicated because we can't just do a podman build $URL (you need to pull down not just the containerfile, but the directory containing it, and then do a podman build on that)
There was a problem hiding this comment.
We have a separate card to document this elsewhere, which is where I think that sort of documentation will need to land.
There was a problem hiding this comment.
What about letting Podman itself execute git clone ... && git checkout ... && podman build -t rootless-cni-infra .
There was a problem hiding this comment.
Problem is disconnected environments - we can't guarantee the system has a working connection to the internet.
mheon
force-pushed
the
rhel_no_pull_infra
branch
2 times, most recently
from
0a596dd
to
fefb663
Compare
|
@AkihiroSuda PTAL. At some point we'd love to ship multi-arch images but the local build seems like the best way forward for now. |
Ah, that's a RHEL-only branch |
test/e2e/network_create_test.go
Outdated
| @@ -74,6 +74,7 @@ var _ = Describe("Podman network create", func() { | |||
| ) | |||
|
|
|||
| BeforeEach(func() { | |||
| SkipIfRootless("rootless CNI is tech preview in 8.3.1") | |||
|
I don't have visibility in this URL, but I'm wondering Red Hat could build and upload the infra image by themselves if they have concern in the image built outside Red Hat. |
I think that's the long-term goal. Thanks for checking! |
mheon
force-pushed
the
rhel_no_pull_infra
branch
from
fefb663
to
c2ad5a8
Compare
|
Re-pushed. Added some extra docs to the README on Github about building, which should help people get started. |
Instead, we want to advise users to manually build the image. We cannot distribute the existing image for RHEL 8.3.1, and the feature will be tech preview, so this degraded user experience will have to be sufficient until we can get a better solution in place. Ref: https://issues.redhat.com/browse/RUN-1127 Please note that this is a RHEL only change and should not be included in non-RHEL branches. Signed-off-by: Matthew Heon <mheon@redhat.com>
mheon
force-pushed
the
rhel_no_pull_infra
branch
from
c2ad5a8
to
4007554
Compare
|
Good to merge |
|
@containers/podman-maintainers PTAL |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: AkihiroSuda, mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
Instead, we want to advise users to manually build the image. We cannot distribute the existing image for RHEL 8.4.0, and the feature will be tech preview, so this degraded user experience will have to be sufficient until we can get a better solution in place. Ref: https://issues.redhat.com/browse/RUN-1127 Please note that this is a RHEL only change and should not be included in non-RHEL branches. This is a forward-port of the original changes in containers#8671 to the new v3.0.1-rhel branch. Signed-off-by: Matthew Heon <mheon@redhat.com>
Instead, we want to advise users to manually build the image. We cannot distribute the existing image for RHEL 8.4.0, and the feature will be tech preview, so this degraded user experience will have to be sufficient until we can get a better solution in place. Ref: https://issues.redhat.com/browse/RUN-1127 Please note that this is a RHEL only change and should not be included in non-RHEL branches. This is a forward-port of the original changes in containers#8671 to the new v3.0.1-rhel branch. Signed-off-by: Matthew Heon <mheon@redhat.com>
github-actions
bot
added
the
locked - please file new issue/PR
Instead, we want to advise users to manually build the image. We cannot distribute the existing image for RHEL 8.3.1, and the feature will be tech preview, so this degraded user experience will have to be sufficient until we can get a better solution in place.
Ref: https://issues.redhat.com/browse/RUN-1127
Please note that this is a RHEL only change and should not be included in non-RHEL branches.
Also, cherry-pick #8652 into the RHEL tree.