Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Plan to release etcd v3.5.14 #18013

Open
1 task done
jmhbnz opened this issue May 15, 2024 · 14 comments · May be fixed by #18250
Open
1 task done

Plan to release etcd v3.5.14 #18013

jmhbnz opened this issue May 15, 2024 · 14 comments · May be fixed by #18250
Assignees
Labels
area/security priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. type/feature

Comments

@jmhbnz
Copy link
Member

jmhbnz commented May 15, 2024

What would you like to be added?

What would you like to be added?

The etcd patch release criteria has been met for our release-3.5 stable release branch so we should release v3.5.14.

The list of commits included since the previous release is: v3.5.13...release-3.5

Work in progress CHANGELOG is: https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md#v3514-tbd

List of pull requests we still need to backport from main to release-3.5 before the patch release is issued:

Why is this needed?

Regular patch releases are vital to ensure our users have bug free and secure software.

@jmhbnz jmhbnz added area/security type/feature priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. labels May 15, 2024
@jmhbnz jmhbnz self-assigned this May 15, 2024
@serathius
Copy link
Member

Using links like v3.5.13...release-3.5 is nice, but please note that they are not static, they update as the branch is moved. In previous releases I listed each issues explicitly to make sure that we have concrete list that can inspected after the release.

@jmhbnz
Copy link
Member Author

jmhbnz commented May 15, 2024

Using links like v3.5.13...release-3.5 is nice, but please note that they are not static, they update as the branch is moved. In previous releases I listed each issues explicitly to make sure that we have concrete list that can inspected after the release.

Thanks yeah they are mutable until tag is published, once tag is published we can compare actual immutable list of commits, i.e. v3.5.12...v3.5.13

I have link to draft changelog and also the header for proposed issues still needing backport which I will add to shortly:

Work in progress CHANGELOG is: https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md#v3514-tbd

List of items we still need to backport from main to release-3.5 before the patch release is issued:
TBC

@jmhbnz
Copy link
Member Author

jmhbnz commented May 22, 2024

Updated planning for this release below:


Release team

Github handle Role
@serathius Release advisor
@jmhbnz Release lead
@ivanvc Release shadow

Backports

I have identified one required backport this morning and added to the list above. @ivanvc will also review and suggest any. @serathius are there any recent robustness related merges to main you would suggest we backport for 3.5.14?

Required backports will be discussed at triage tomorrow so we can invite the community to help get these completed in advance of the release date.


Release date

Discussed with @ivanvc today. We are both available 11:00 Pacific Time next Tuesday 28th or Wednesday 29th. @serathius would one of those options work for you for the call to cut the release? If so I will send the calendar invite.

@ivanvc
Copy link
Member

ivanvc commented May 23, 2024

I did a sweep of issues and pull requests from the main branch since v3.5.13, and couldn't find any other possible candidates for being backported.

@ivanvc
Copy link
Member

ivanvc commented May 28, 2024

@jmhbnz, @serathius, have we agreed on a date for the release?

@serathius
Copy link
Member

Please reach out to me on Slack to setup the meeting.

@jmhbnz
Copy link
Member Author

jmhbnz commented May 29, 2024

etcd v3.5.14 is now public https://github.com/etcd-io/etcd/releases/tag/v3.5.14

Thanks to everyone who contributed to the release.

I will leave this issue open for now as there are two release process improvement we would like to pursue following this release:

  1. Consider switching to a shallow git clone in scripts/release.sh by appending --depth=1 to save time.
  2. Explore if the gsutil command to set public ACL can be run on a subdirectory rather than entire bucket to prevent error message spam at conclusion of scripts/release.sh.

@ivanvc
Copy link
Member

ivanvc commented May 29, 2024

Consider switching to a shallow git clone in scripts/release.sh by appending --depth=1 to save time.

I'm currently testing this.

@ivanvc
Copy link
Member

ivanvc commented May 30, 2024

Consider switching to a shallow git clone in scripts/release.sh by appending --depth=1 to save time.

I'm currently testing this.

I tried with --single-branch, but because a shallow clone works fine (--depth=1), single branch is not required. Also per git's documentation:

--depth <depth>
      Create a shallow clone with a history truncated to the specified number of commits. Implies --single-branch unless --no-single-branch is given to fetch the histories near the tips of all branches.

@ivanvc
Copy link
Member

ivanvc commented May 30, 2024

2. Explore if the gsutil command to set public ACL can be run on a subdirectory rather than entire bucket to prevent error message spam at conclusion of scripts/release.sh.

I don't have a way to test this. So, I don't want to raise the PR. But, from the documentation it seems like it should be possible to pass a path.

Refer to: https://cloud.google.com/storage/docs/gsutil/commands/acl#set-options

The "set" sub-command has the following options

-R, -r

    Performs "acl set" request recursively, to all objects under the specified URL.

And https://cloud.google.com/storage/docs/gsutil/commands/acl#ch-examples

Grant the user john.doe@example.com READ access to all objects in example-bucket that begin with folder/:

gsutil acl ch -r -u john.doe@example.com:R gs://example-bucket/folder/

@jmhbnz
Copy link
Member Author

jmhbnz commented May 30, 2024

So there are two instances where gsutil is being used in scripts/release.sh to set bucket ACL's:

maybe_run gsutil -m acl ch -u allUsers:R -r "gs://etcd/${RELEASE_VERSION}/"

The above reference is ok as this is already limited to the specific etcd version being uploaded.

maybe_run gsutil -m acl ch -u allUsers:R -r gs://artifacts.etcd-development.appspot.com

This is the one causing log spam, as there are just over 3,000 objects in the bucket and the command is targeting the entire bucket recursively.

This gs://artifacts.etcd-development.appspot.com bucket relates to the current etcd container image hosting we have in gcr. Based on this post I believe the only way we can avoid this log spam would be to have ACL's set at the bucket level marking the entire bucket as public.

Doing some more checking, one interesting thing is that the entire bucket seems to be already marked as fully public:
image

I confirmed this with gsutil by verifying the allUsers member was present at the bucket level:

 james  ~  
 ➜ gsutil iam get gs://artifacts.etcd-development.appspot.com --format=json \
   | jq '.bindings[].members[]' | grep allUsers
"allUsers"

Based on my findings above I believe there is no point running this command every release and we can just remove that problematic line from the release script without consequence. Or at very least gate it behind a check for allUsers as mentioned above, so the line only runs if for some reason the bucket wasn't already public.

We would need consensus from @ahrtr and @serathius on this.

@ahrtr
Copy link
Member

ahrtr commented May 31, 2024

Thanks for driving the improvement!

Based on my findings above I believe there is no point running this command every release and we can just remove that problematic line from the release script without consequence.

Sounds good, but please manually verify it. e.g.

  • Manually push an image gcr.io/etcd-development/etcd:v3.5.99
  • Remove your local image;
  • try to pull it;
  • finally remove it.

Also what if we transition from gcr.io to Artifact Registry?

@ivanvc
Copy link
Member

ivanvc commented Jun 28, 2024

@jmhbnz, do we have any outstanding tasks for this issue? Or should we mark it as completed?

@jmhbnz
Copy link
Member Author

jmhbnz commented Jun 28, 2024

@jmhbnz, do we have any outstanding tasks for this issue? Or should we mark it as completed?

I have outstanding task to manually verify gcp permissions. I'll do it today so we can clear this out before 3.5.15.

Edit: Manual verification completed, steps are as follows:

# 1 - Pull existing tag
 ➜ podman pull gcr.io/etcd-development/etcd:v3.5.14                                                                                                          
Trying to pull gcr.io/etcd-development/etcd:v3.5.14...                                                                                                       
Getting image source signatures                                                                                                                              
Copying blob 33e068de2649 done   |                                                                                                                           
Copying blob 16100daf795a done   |                                                                                                                           
Copying blob 473d8557b1b2 done   |                                                                                                                           
Copying blob 7c12895b777b done   |                                                                                                                           
Copying blob b6824ed73363 done   |                                                                                                                           
Copying blob e33bce57de28 done   |                                                                                                                           
Copying blob 5664b15f108b done   |                                                                                                                           
Copying blob 27be814a09eb done   |                                                                                                                           
Copying blob 4aa0ea1413d3 done   |                                                                                                                           
Copying blob 9ef7d74bdfdf done   |                                                                                                                           
Copying blob 9112d77ee5b1 done   |                                                                                                                           
Copying blob 6105ff03ff19 done   |                                                                                                                           
Copying blob e3b9bc7bbf1f done   |                                                                                                                           
Copying blob 69598c05cddd done   |                                                                                                                           
Copying blob ec6cb1bcc188 done   |                                                                                                                           
Copying blob 105f4348d42a done   |                                                                                                                           
Copying config 13b135926e done   |                                                                                                                           
Writing manifest to image destination                                                                                                                        
13b135926ee29192305a1ab42861eca50d3b1b862869b8f4339743ad2fa7cc8e 


# 2 - Tag with new version
 ➜ podman images                                                                                                                                             
REPOSITORY                                       TAG         IMAGE ID      CREATED      SIZE                                                                 
gcr.io/etcd-development/etcd                     v3.5.14     13b135926ee2  4 weeks ago  59.3 MB                                                              

 ➜ podman tag 13b135926ee2 gcr.io/etcd-development/etcd:v9.9.99                

 ➜ podman images
REPOSITORY                                       TAG         IMAGE ID      CREATED      SIZE
gcr.io/etcd-development/etcd                     v9.9.99     13b135926ee2  4 weeks ago  59.3 MB
gcr.io/etcd-development/etcd                     v3.5.14     13b135926ee2  4 weeks ago  59.3 MB


# 3 - Push new bogus tag
 ➜ podman push gcr.io/etcd-development/etcd:v9.9.99
Getting image source signatures
Copying blob 16100daf795a skipped: already exists  
Copying blob 33e068de2649 skipped: already exists  
Copying blob e33bce57de28 skipped: already exists  
Copying blob 473d8557b1b2 skipped: already exists  
Copying blob 5664b15f108b skipped: already exists  
Copying blob 27be814a09eb skipped: already exists  
Copying blob 7c12895b777b skipped: already exists  
Copying blob b6824ed73363 skipped: already exists  
Copying blob 4aa0ea1413d3 skipped: already exists  
Copying blob 9ef7d74bdfdf skipped: already exists  
Copying blob 9112d77ee5b1 skipped: already exists  
Copying blob 6105ff03ff19 skipped: already exists  
Copying blob e3b9bc7bbf1f skipped: already exists  
Copying blob 69598c05cddd skipped: already exists  
Copying blob ec6cb1bcc188 skipped: already exists  
Copying blob 105f4348d42a skipped: already exists  
Copying config 13b135926e done   | 
Writing manifest to image destination


# 4 - Confirm new tag can be pulled after clearing locally
 ➜ podman image prune -a                                                                                                                                     
WARNING! This command removes all images without at least one container associated with them.                                                                
Are you sure you want to continue? [y/N] y                                                                                                                   
127196816bd0fa8d67a01aecf5f5987c7b289fa2c5b0f5dc2cd5c3fa54c0e46b                                                                                             
13b135926ee29192305a1ab42861eca50d3b1b862869b8f4339743ad2fa7cc8e  

 ➜ podman pull gcr.io/etcd-development/etcd:v9.9.99                                                                                                          
Trying to pull gcr.io/etcd-development/etcd:v9.9.99...                                                                                                       
Getting image source signatures                                                                                                                              
Copying blob 16100daf795a done   |                                                                                                                           
Copying blob 33e068de2649 done   |                                                                                                                           
Copying blob e33bce57de28 done   |                                                                                                                           
Copying blob 473d8557b1b2 done   |                                                                                                                           
Copying blob b6824ed73363 done   |                                                                                                                           
Copying blob 7c12895b777b done   |                                                                                                                           
Copying blob 5664b15f108b done   |                                                                                                                           
Copying blob 27be814a09eb done   |                                                                                                                           
Copying blob 4aa0ea1413d3 done   |                                                                                                                           
Copying blob 9ef7d74bdfdf done   |                                                                                                                           
Copying blob 9112d77ee5b1 done   |                                                                                                                           
Copying blob 6105ff03ff19 done   |                                                                                                                           
Copying blob e3b9bc7bbf1f done   |                                                                                                                           
Copying blob 69598c05cddd done   |                                                                                                                           
Copying blob ec6cb1bcc188 done   |                                                                                                                           
Copying blob 105f4348d42a done   |                                                                                                                           
Copying config 13b135926e done   |                                                                                                                           
Writing manifest to image destination                                                                                                                        
13b135926ee29192305a1ab42861eca50d3b1b862869b8f4339743ad2fa7cc8e  

After pushing the above bogus tag I can confirm it has automatically been marked as public:

Screenshot from 2024-06-29 17-05-38

I've now deleted the bogs tag to clean up. Will raise the pr shortly to to update our release script.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/security priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. type/feature
Development

Successfully merging a pull request may close this issue.

4 participants