Move hardware signing out of experimental #21003
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Moving out of WIP, did manual testing with a
Two failures on Windows; flaky tests? https://jenkins.dockerproject.org/job/Docker-PRs-WoW-TP4/2314/console
@thaJeztah it seems that these are unrelated/flaky failures? I haven't had these issues with local testing and building. Should we maybe retry that build? Let me know if there's another way I can help
@riyazdf yeah, I already restarted them after that comment, but now it looks like it failed again due to an issue on that node. I'll trigger it again. Note that that build is running on a Windows Daemon on Windows TP4, so not you have that installed locally
@thaJeztah all green after a retry :)
LGTM
# if we are building experimental we recommend yubico-piv-tool | ||
echo 'yubico:Recommends=$(shell [ "$DOCKER_EXPERIMENTAL" ] && echo "yubico-piv-tool (>= 1.1.0~)")' >> debian/docker-engine.substvars | ||
# recommend yubico-piv-tool since we include pkcs11 by default | ||
echo 'yubico:Recommends=$(echo "yubico-piv-tool (>= 1.1.0~)")' >> debian/docker-engine.substvars |
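Review bot: the added `yubico:Recommends=` line wraps a constant string in `$(echo "...")`, which is unlikely to produce the intended value. The replaced line used `$(shell ...)`, which is make's function syntax. If this file is processed by make, `$(echo ...)` is not a command substitution, and inside the single quotes a shell will not expand it either. With the `DOCKER_EXPERIMENTAL` test gone there is nothing left to evaluate, so write the value literally, e.g. `echo 'yubico:Recommends=yubico-piv-tool (>= 1.1.0~)' >> debian/docker-engine.substvars`, and check the generated package's Recommends field after a build.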
I think we don't need the echo here anymore, do we @jfrazelle? Something like this should be enough:
echo 'yubico:Recommends="yubico-piv-tool (>= 1.1.0~)"' >> debian/docker-engine.substvars
Agreed
ping @jfrazelle could you have a look?
@@ -133,7 +133,7 @@ RUN useradd --create-home --gid docker unprivilegeduser | |||
|
|||
VOLUME /var/lib/docker | |||
WORKDIR /go/src/github.com/docker/docker | |||
ENV DOCKER_BUILDTAGS apparmor selinux | |||
ENV DOCKER_BUILDTAGS apparmor pkcs11 selinux |
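Review bot: the `ENV DOCKER_BUILDTAGS` line gains `pkcs11` with no comment saying why, and nothing in this hunk shows that the tag builds on this architecture. Add a one-line comment above it stating what the tag enables (hardware signing for notary) and confirm a build with the tag on this platform before merging, so a later reader of this Dockerfile knows whether the tag can be dropped safely.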
You should be sure this will work for things like Z before adding
Do we support the docker CLI on those systems? Bear in mind trust all happens on the CLI side.
Ya I just want to make sure ping @estesp
On Tuesday, March 15, 2016, David Lawrence notifications@github.com wrote:
In Dockerfile.s390x
#21003 (comment):@@ -133,7 +133,7 @@ RUN useradd --create-home --gid docker unprivilegeduser
VOLUME /var/lib/docker
WORKDIR /go/src/github.com/docker/docker
-ENV DOCKER_BUILDTAGS apparmor selinux
+ENV DOCKER_BUILDTAGS apparmor pkcs11 selinuxDo we support the docker CLI on those systems? Bear in mind trust all
happens on the CLI side.—
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3
I think we need to ask the teams building with gccgo--I have a vague recollection that there was an issue with pkcs11 build via gccgo? @clnperez or @tophj-ibm do you have any info here?
I don't recall anything, and this works with both gccgo and power. Is pkcs11 used for anything other than notary, because you might not want to include it with gccgo seeing as we aren't building notary there.
I just tested this PR on ppc64le with our old dockerfile before we switched from gccgo to golang/gc -- but with the pkcs11 buildtag added. The gccgo build itself works fine. @tophj-ibm said the gccgo build on x86 works. @brahmaroutu might be able to test out z.
@tophj-ibm good point, since we aren't building notary on gccgo I'll remove pkcs11.
As @endophage mentioned above we're only using pkcs11 on the CLI-side, so just keep me posted with whether we need it in this Dockerfile and I'll update accordingly :)
Thanks @jfrazelle @riyazdf, looks like no issues on Z and it builds fine.
Thank you @brahmaroutu for checking! I'll leave this Dockerfile as is then :)
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
code LGTM but couldn't test it.
LGTM On Thu, Mar 17, 2016 at 10:33 AM, Tibor Vass notifications@github.com
Jessie Frazelle
Move hardware signing out of experimental
Moves pkcs11 hardware signing for notary out of the experimental build tag and to the default docker build (relevant notary issue for tracking: notaryproject/notary#591).
I'm not the most familiar with exactly how our packaging works but I think I've covered the necessary changes.
Here's a cute aardvark