fix: fixed security-bootstrapper Docker volume init semantics #4085
@vli11, please complete the PR checklist with a
cmd/security-bootstrapper/Dockerfile
Outdated
|
||
RUN apk add --update --no-cache dumb-init su-exec | ||
|
||
ENV SECURITY_INIT_DIR /edgex-init | ||
ARG BOOTSTRAP_REDIS_DIR=${SECURITY_INIT_DIR}/bootstrap-redis | ||
ENV SECURITY_INIT_STAGING_DIR /edgex-init-staging |
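Review bot: BOOTSTRAP_REDIS_DIR is still derived from SECURITY_INIT_DIR in the ARG line, so anything the build places under ${BOOTSTRAP_REDIS_DIR} lands in /edgex-init/bootstrap-redis rather than in the new /edgex-init-staging tree. If /edgex-init is the path that gets a volume mounted over it at runtime, those files are hidden by any mount that does not copy image content (the Kubernetes case mentioned in this thread). Consider deriving it from the staging directory, e.g. ARG BOOTSTRAP_REDIS_DIR=${SECURITY_INIT_STAGING_DIR}/bootstrap-redis, with the staging ENV declared before the ARG.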
@bnevis-i, @jim-wang-intel, isn't this a breaking change? i.e. the ENV name change now requires the end user to change the name? Also the change to /edgex-init-staging is breaking.
End users/adopters will have existing compose files working with the previous release and should just be able to change the version of images to bump to the next release.
Good point, @lenny-intel, I guess we could still keep the original ENV SECURITY_INIT_DIR untouched. But we are adding a staging directory so that we can remove the work-around in Kubernetes' world. cc: @vli11
Yep, that is probably the better approach, i.e. support both old and new way and then in 3.0 remove old way.
SECURITY_INIT_DIR was only ever used locally, so I don't think it will break anything to change it. But I have other problems with the PR that I will detail. However, I think it should be left as it was and add the new one.
I have not added unit tests for this bug fix because NA; only Dockerfile, entrypoint.sh changed
I have NOT opened a PR for the related docs change because it is a fix for a WA
@vli11, looking for you to edit the PR description and add those comments where it says example:
DONE
cmd/security-bootstrapper/Dockerfile
Outdated
|
||
# Expose the file directory as a volume since there's long-running state | ||
VOLUME ${SECURITY_INIT_DIR} | ||
VOLUME ${SECURITY_INIT_STAGING_DIR} |
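Review bot: VOLUME ${SECURITY_INIT_STAGING_DIR} makes Docker create an anonymous volume at the staging path for every container started without an explicit mount there, copying the staged files into per-container state that can outlive the container. The staging directory only needs to exist in the image as the source for the entrypoint copy, so drop this line and keep the volume declaration for ${SECURITY_INIT_DIR} only.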
Remove VOLUME line. No longer needed
cmd/security-bootstrapper/Dockerfile
Outdated
RUN mkdir -p ${SECURITY_INIT_STAGING_DIR} \ | ||
&& mkdir -p /edgex-init \ |
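Review bot: mkdir -p /edgex-init hard-codes the path that ENV SECURITY_INIT_DIR already defines, so the two can drift apart if the ENV value ever changes. Use mkdir -p ${SECURITY_INIT_DIR} here, matching the ${SECURITY_INIT_STAGING_DIR} form on the line above.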
mkdir -p ${BOOTSTRAP_REDIS_DIR} is the only thing needed; it will create any parent directories as needed; remove the others.
cmd/security-bootstrapper/Dockerfile
Outdated
&& mkdir -p ${BOOTSTRAP_REDIS_DIR} | ||
|
||
WORKDIR ${SECURITY_INIT_DIR} | ||
WORKDIR ${SECURITY_INIT_STAGING_DIR} |
ok
cmd/security-bootstrapper/Dockerfile
Outdated
COPY --from=builder /edgex-go/cmd/security-bootstrapper/entrypoint-scripts/ ${SECURITY_INIT_STAGING_DIR}/ | ||
RUN chmod +x ${SECURITY_INIT_STAGING_DIR}/*.sh |
ok
cmd/security-bootstrapper/Dockerfile
Outdated
@@ -59,10 +60,10 @@ COPY --from=builder /edgex-go/cmd/security-bootstrapper/res/configuration.toml . | |||
COPY --from=builder /edgex-go/cmd/security-bootstrapper/res-bootstrap-redis/configuration.toml ${BOOTSTRAP_REDIS_DIR}/res/ | |||
|
|||
# copy Consul ACL related configs | |||
COPY --from=builder /edgex-go/cmd/security-bootstrapper/consul-acl/ ${SECURITY_INIT_DIR}/consul-bootstrapper/ | |||
COPY --from=builder /edgex-go/cmd/security-bootstrapper/consul-acl/ ${SECURITY_INIT_STAGING_DIR}/consul-bootstrapper/ |
ok
@@ -37,6 +37,7 @@ EDGEX_USER_ID=${EDGEX_USER:-$DEFAULT_EDGEX_USER_ID} | |||
# which then injecting into all other related containers on other services' entrypoint scripts | |||
# if the executable is not 'security-bootstrapper'; then we consider it not running the bootstrapping process | |||
# for the user may just want to debug into the container shell itself | |||
cp -rpd /edgex-init-staging/* /edgex-init/ |
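Review bot: the /edgex-init-staging/* glob on the cp line skips dot-files and makes cp fail when the staging directory is empty, and both paths are literals rather than the variables the Dockerfile sets. Something like cp -rpd "${SECURITY_INIT_STAGING_DIR}/." "${SECURITY_INIT_DIR}/" covers hidden entries and follows the ENV values; also check the exit status so the bootstrapper does not continue with a partially populated /edgex-init.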
This cp should use the env vars defined in the dockerfile. Copy from STAGING_DIR to INIT_DIR.
@lenny-intel @jim-wang-intel all are updated, please review again
@vli11 I think you lost your Dockerfile changes... please do not squash the commits before others finish your change reviews...
fixes: edgexfoundry#3851 Signed-off-by: Valina Li <valina.li@intel.com>
LGTM.
Signed-off-by: Valina Li <valina.li@intel.com>
Kudos, SonarCloud Quality Gate passed!
LGTM
LGTM, but deferring to @bnevis-i & @jim-wang-intel for approval.
@lenny-intel can you dismiss your review?
recheck
Hi @ernestojeda how do we do a ci/cd re-build? .. want to re-run the build to see if this is just an intermittent issue
recheck
"recheck" is correct. However, you may not have the correct permissions, so Jenkins might have ignored it.
weird, it used to be working for me though...
fixes: #3851
Signed-off-by: Valina Li <valina.li@intel.com>