Bump image-rs rev to include image-layer-ordering fix

[mkulke]

fixes #8669

The underlying issue in the dependency has been addressed, hence the revision bump of image-rs to use the fix in the agent. I think a fix to the CCv0 branch is warranted, since it makes all images with more than a single layer work unreliably.

cc @stevenhorsman @bpradipt

[stevenhorsman]

@mkulke - I think the agreement that Pradipta made with Fabiano on the policy update was to add a statement in the commit message to confirm that this is not tested by CI, so the update is at the end users own risk or similar. @bpradipt - am I remembering that correctly?

[mkulke]

@mkulke - I think the agreement that Pradipta made with Fabiano on the policy update was to add a statement in the commit message to confirm that this is not tested by CI, so the update is at the end users own risk or similar. @bpradipt - am I remembering that correctly?

👍 seeing the disclaimer in the policy cherry-pick and added it here

[bpradipt]

/lgtm
Thanks for adding the disclaimer in the commit message.

[stevenhorsman]

LGTM. Thanks

[mkulke]

anything left to do here on my side? I don't think I can turn the remaining checks green myself (but maybe that's not required?)

[stevenhorsman]

/test

[stevenhorsman]

anything left to do here on my side? I don't think I can turn the remaining checks green myself (but maybe that's not required?)

So even though this is an untested branch now, I guess it is worth us trying to get some of the checks passing.

• Commit message check should be simple - just add agent: to the start of the commit header
• Apart from s390x tests I don't think we have any kata-containers Jenkins CI enabled, so I'll update the branch protection rules to disable it
• The static checks and s390x CI tests are failing with kata_agent.go:796: File is not gofmt-ed with -s (gofmt) - I know you didn't introduce this, and I guess it came in with Pradipta's cherry pick of policy work, but it might be worth adding that to the commit to get through this hurdle?

The alternative is we just say screw it and use admin override to merge?

[mkulke]

Commit message check should be simple - just add agent: to the start of the commit header

ah, sorry. missed that, fixed.

[mkulke]

The static checks and s390x CI tests are failing with kata_agent.go:796: File is not gofmt-ed with -s (gofmt) - I know you didn't introduce this, and I guess it came in with Pradipta's cherry pick of policy work, but it might be worth adding that to the commit to get through this hurdle?

👍 formatted the file

[stevenhorsman]

/test

[mkulke]

@stevenhorsman sry, I messed up the commit message. would you mind...

👉🌟👈

[stevenhorsman]

/test

[stevenhorsman]

We're getting:

error[E0425]: cannot find value `VERSION_3_3_0` in crate `protobuf`
  --> /home/runner/.cargo/git/checkouts/guest-components-1e54b222ad8d9630/e18e86d/ocicrypt-rs/src/utils/ttrpc/keyprovider.rs:26:49
   |
26 | const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_3_0;
   |                                                 ^^^^^^^^^^^^^ help: a constant with a similar name exists: `VERSION_3_2_0`
   |
  ::: /home/runner/actions-runner/_work/kata-containers/kata-containers/src/github.com/kata-containers/kata-containers/src/agent/target/x86_64-unknown-linux-musl/release/build/protobuf-0624020e552c1844/out/version.rs:7:1
   |
7  | pub const VERSION_3_2_0: () = ();
   | --------------------------- similarly named constant `VERSION_3_2_0` defined here

In the static checks now, but it looks like potentially an issue in the guest-components?

[mkulke]

We're getting:

error[E0425]: cannot find value `VERSION_3_3_0` in crate `protobuf`
  --> /home/runner/.cargo/git/checkouts/guest-components-1e54b222ad8d9630/e18e86d/ocicrypt-rs/src/utils/ttrpc/keyprovider.rs:26:49
   |
26 | const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_3_0;
   |                                                 ^^^^^^^^^^^^^ help: a constant with a similar name exists: `VERSION_3_2_0`
   |
  ::: /home/runner/actions-runner/_work/kata-containers/kata-containers/src/github.com/kata-containers/kata-containers/src/agent/target/x86_64-unknown-linux-musl/release/build/protobuf-0624020e552c1844/out/version.rs:7:1
   |
7  | pub const VERSION_3_2_0: () = ();
   | --------------------------- similarly named constant `VERSION_3_2_0` defined here

In the static checks now, but it looks like potentially an issue in the guest-components?

uh, oh. yeah, that's an issue with code-generated files being checked into the repo. those files have to be deleted and rebuilt. There was a similar issue in the guest-components repo.

[mkulke]

there's nothing we can do here, we need to repair this comprehensively in guest-components 😑

[stevenhorsman]

there's nothing we can do here, we need to repair this comprehensively in guest-components 😑

I guess we need to wait for that fix then and bump the image-rs version afterwards, otherwise we'll hit this issue when trying to build the kata-agent for the peer pod VM image?

[mkulke]

there's nothing we can do here, we need to repair this comprehensively in guest-components 😑

I guess we need to wait for that fix then and bump the image-rs version afterwards, otherwise we'll hit this issue when trying to build the kata-agent for the peer pod VM image?

yes. I think that's the case. kata-agent will build w/ the "older" generated ttrpc code, but the guest-component's CI does not. I don't think we can commit the generated files

[mkulke]

there's nothing we can do here, we need to repair this comprehensively in guest-components 😑

I guess we need to wait for that fix then and bump the image-rs version afterwards, otherwise we'll hit this issue when trying to build the kata-agent for the peer pod VM image?

yes. I think that's the case. kata-agent will build w/ the "older" generated ttrpc code, but the guest-component's CI does not. I don't think we can commit the generated files

Maybe if we regenerate a full Cargo.lock file (atm only ocicrypt-rs and image-rs are bumped in the lock file) it might still work. (we'll get all sort of dependencies bumped within their semver boundaries, but maybe that's tolerable) 🤞

[stevenhorsman]

/test

[stevenhorsman]

We've got a cargo fmt failure now:

cargo fmt -- --check
Diff in /home/runner/actions-runner/_work/kata-containers/kata-containers/src/github.com/kata-containers/kata-containers/src/agent/src/rpc.rs at line 147:
     }
 }
 
-
 #[cfg(feature = "agent-policy")]
 async fn policy_allows(req: &(impl MessageDyn + serde::Serialize)) -> ttrpc::Result<()> {
     let request = serde_json::to_string(req).unwrap();

but that's better than the code-gen problem. @mkulke - can you remove that extra line as well, so we can re-try again? Thanks!

[stevenhorsman]

/test

[stevenhorsman]

One of the unit tests failed with a race condition - re-running now to see if that helps

[mkulke]

error[E0425]: cannot find value `VERSION_3_2_0` in crate `protobuf`
  --> /home/runner/actions-runner/_work/kata-containers/kata-containers/src/github.com/kata-containers/kata-containers/src/libs/protocols/src/agent.rs:28:49
   |
28 | const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_2_0;
   |                                                 ^^^^^^^^^^^^^ help: a constant with a similar name exists: `VERSION_3_3_0`
   |
  ::: /home/runner/actions-runner/_work/kata-containers/kata-containers/src/github.com/kata-containers/kata-containers/src/agent/target/x86_64-unknown-linux-musl/debug/build/protobuf-0e973f31b1d98cd4/out/version.rs:7:1
   |
7  | pub const VERSION_3_3_0: () = ();
   | --------------------------- similarly named constant `VERSION_3_3_0` defined here

well, it was worth a try.

[stevenhorsman]

/test

[stevenhorsman]

The s390x tests are failing with:

13:13:34 error: failed to run custom build command for `ring v0.16.20`
13:13:34 
13:13:34 Caused by:
13:13:34   process didn't exit successfully: `/kata-containers/src/agent/target/release/build/ring-884cb6961366a545/build-script-build` (exit status: 101)
13:13:34   --- stderr
13:13:34   thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', /root/.cargo/registry/src/index.crates.io-d11c229612889eed/ring-0.16.20/build.rs:358:10

I know ring didn't use to support s390x. That got added in October in briansmith/ring#1297, but 0.16.20 is ~3 years old, so it won't be in there. I know that Ding did some work to ensure that ring wasn't needed to unblock s390x builds of image-rs, has that been undone recently?

[stevenhorsman]

Same error in static-checks with protobuf version:

rror[E0425]: cannot find value `VERSION_3_2_0` in crate `protobuf`
  --> /home/runner/actions-runner/_work/kata-containers/kata-containers/src/github.com/kata-containers/kata-containers/src/libs/protocols/src/agent.rs:28:49
   |
28 | const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_2_0;
   |                                                 ^^^^^^^^^^^^^ help: a constant with a similar name exists: `VERSION_3_3_0`

[mkulke]

I know ring didn't use to support s390x. That got added in October in briansmith/ring#1297, but 0.16.20 is ~3 years old, so it won't be in there. I know that Ding did some work to ensure that ring wasn't needed to unblock s390x builds of image-rs, has that been undone recently?

sigh, possibly. that's w/ the latest guest-components commit (4ddac):

$ cat deny.toml
[bans]
multiple-versions = "allow"
deny = [
    { name = "ring" },
]
$ cargo deny check bans
error[banned]: crate 'ring = 0.16.20' is explicitly banned
  ┌─ /home/magnuskulke/dev/kata-containers/src/agent/deny.toml:4:14
  │
4 │     { name = "ring" },
  │              ^^^^^^ banned here
  │
  = ring v0.16.20
    └── tough v0.14.0
        └── sigstore v0.8.0
            └── image-rs v0.1.0
                └── kata-agent v0.1.0

error[banned]: crate 'ring = 0.17.7' is explicitly banned
  ┌─ /home/magnuskulke/dev/kata-containers/src/agent/deny.toml:4:14
  │
4 │     { name = "ring" },
  │              ^^^^^^ banned here
  │
  = ring v0.17.7
    └── rustls-webpki v0.102.0
        └── sigstore v0.8.0
            └── image-rs v0.1.0
                └── kata-agent v0.1.0

bans FAILED

image-rs w/ rev a151bca works (contains only the ttrpc files):

cargo deny check bans
bans ok

[stevenhorsman]

/test

[mkulke]

@stevenhorsman

I also bumped protobuf to 3.3.0 on src/libs/protocol since we are also seeing version conflicts on generated source files here

[stevenhorsman]

/test

[stevenhorsman]

Finally we have the tests passing, so I'll merge this as an urgent fix to CCv0, even though this branch is largely read-only and untested.