-
Notifications
You must be signed in to change notification settings - Fork 6.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure libseccomp is installed before starting containerd on CentOS 8 #6922
Ensure libseccomp is installed before starting containerd on CentOS 8 #6922
Conversation
Welcome @OwenTuz! |
Hi @OwenTuz. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Re-pushed to fix invalid commit message |
a65dff6
to
08bb507
Compare
08bb507
to
b60df76
Compare
@floryut done! Thanks for the heads up |
Build failure looks like we've hit a rate limit on DockerHub:
https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/-/jobs/866416207 |
@OwenTuz, wouldn't it be better idea instead of |
@karlism that's totally reasonable, this is almoost entirely a copy/paste job on my part. I can update and push? |
b60df76
to
d946d93
Compare
Simplified this quite a bit as suggested by @karlism. Some notes:
|
d946d93
to
587f380
Compare
Found out why the version check was present! cri-o needs a version of libseccomp > 2.3. Docker and containerd don't seem to care. I've reverted this to use |
587f380
to
0307a9d
Compare
- Uses `package` module - Replaces complex version check with 'state: latest'. The version must be > 2.3 when using with cri-o. - Removes unnecessary `not is_ostree` condition as CentOS 8 does not use ostree
0307a9d
to
da66e60
Compare
/ok-to-test |
name: libseccomp | ||
state: latest | ||
when: | ||
- ansible_distribution == "CentOS" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but what about the RedHat or Fedora ?
do they need this package too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is also copied and pasted from the CRI-O code: but I can say I haven't had this problem when testing with Fedora. Some other issues blocked me from investigating RHEL8, but I'll see if I can get past those and let you know.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@LuckySB Now that I've managed to get a developer subscription and test: I can confirm that RHEL8 and Fedora do not seem to need this package explicitly installed.
Seems my RHEL issues had been encountered before and fixed but there was a typo, I'll raise another PR :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
chrony depends on libseccomp, that is why, please make it for all RedHat family (EL7/EL8)
/lgtm |
- name: Ensure latest version of libseccomp installed # noqa 403 | ||
package: | ||
name: libseccomp | ||
state: latest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it should be state: present
no ?
name: libseccomp | ||
state: latest | ||
when: | ||
- ansible_distribution == "CentOS" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
chrony depends on libseccomp, that is why, please make it for all RedHat family (EL7/EL8)
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: LuckySB, OwenTuz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@LuckySB you completely ignored my review ... |
Sorry for not responding earlier, I was planning on taking a look tomorrow
- just saw the emails that this has merged.
I'm happy to raise another PR to address these comments if necessary.
Re `latest` vs `present` - I used `latest` here because `present` installs
the wrong version for CRI-O. Perhaps there's a better way to work around
this?
I'm probably missing something obvious, sorry, but I'm not entirely clear
on the objection to using `latest` here?
I've no problem with installing libseccomp for all the Red Hat variants.
…On Thu, 3 Dec 2020, 21:44 Etienne Champetier, ***@***.***> wrote:
@LuckySB <https://github.com/LuckySB> you completely ignored my review ...
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#6922 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABYSNPAZ2PNPNWF5JTRYUG3STABCXANCNFSM4TY4ZGEA>
.
|
@OwenTuz no problem, I just commented today. Docker and containerd don't need latest, so lets not put present there |
Yup that's an approval a bit quick... sorry about that, maybe raise another PR indeed to address the issues/comments raise by @champtar |
Sorry, things got busy elsewhere: just a note to say I've not forgotten abut this and will raise that PR in the next few days. |
…kubernetes-sigs#6922) * Ensure libseccomp is installed before starting containerd on CentOS 8 * Simplify libseccomp install on CentOS 8 - Uses `package` module - Replaces complex version check with 'state: latest'. The version must be > 2.3 when using with cri-o. - Removes unnecessary `not is_ostree` condition as CentOS 8 does not use ostree
What type of PR is this?
/kind bug
What this PR does / why we need it:
Starting containerd (and therefore docker, which requires containerd) currently fails on Centos 8 due to a missing dependency. This PR copies what we already do for CRI-O to ensure libseccomp is installed.
To test, create
vagrant/config.rb
containing the line$os = "centos8"
and provision, as described in issue #6920Which issue(s) this PR fixes:
Fixes #6920
Special notes for your reviewer:
Please flag if there's any way I can introduce better tests for this.
I had hoped to make sure it was covered, but it seems molecule only tests against ubuntu (reasonably enough, since it's meant to be fast), and I was unclear on whether CI currently tests against Centos 8.
Does this PR introduce a user-facing change?: