Rebase container images from alpine to debian-base. #294

Merged
merged 1 commit into from
Apr 10, 2019

yuwenma
Contributor

@yuwenma yuwenma commented Mar 28, 2019

Updated containers: kube-dns, sidecar
Context: KEP: Rebase k8s images to distroless
Test:

  1. make images can create the following images
    staging-k8s.gcr.io/k8s-dns-sidecar-amd64
    staging-k8s.gcr.io/k8s-dns-node-cache-amd64
    staging-k8s.gcr.io/k8s-dns-kube-dns-amd64
    staging-k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64
    staging-k8s.gcr.io/k8s-dns-dnsmasq-amd64

  2. docker run -e <with required flags like service host/port> <Kube-DNS-IMAGE-ID>
    can successfully start up a container.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 28, 2019
@k8s-ci-robot
Contributor

Hi @yuwenma. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 28, 2019
@yuwenma
Contributor Author

yuwenma commented Mar 28, 2019

/assign bowei
/assign prameshj

@yuwenma
Contributor Author

yuwenma commented Mar 28, 2019

/assign @rramkumar1

@rramkumar1
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 28, 2019
@yuwenma
Contributor Author

yuwenma commented Apr 2, 2019

Gentle ping. Can I get a review on this?

@yuwenma
Contributor Author

yuwenma commented Apr 2, 2019

/unassign rramkumar1

/assign pavithrar
/assign zihongz

@k8s-ci-robot
Contributor

@yuwenma: GitHub didn't allow me to assign the following users: pavithrar, zihongz.

Note that only kubernetes members and repo collaborators can be assigned and that issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

> /unassign rramkumar1
>
> /assign pavithrar
> /assign zihongz


@yuwenma
Contributor Author

yuwenma commented Apr 2, 2019

/assign @MrHohn
/assign @prameshj

@prameshj
Contributor

prameshj commented Apr 2, 2019

When switching to distroless, will we lose a shell on kube-dns containers?

@yuwenma
Contributor Author

yuwenma commented Apr 2, 2019

> When switching to distroless, will we lose a shell on kube-dns containers?

Yes, we will.

@MrHohn
Member

MrHohn commented Apr 2, 2019

Tried building the new images and bringing up a cluster with @prameshj; it seems like the sidecar is having an issue coming up:

  Warning  Failed     2m (x4 over 3m)  kubelet, e2e-test-zihongz-minion-group-rq2k  Error: failed to start container "sidecar": Error response from daemon: linux spec user: unable to find user nobody: no matching entries in passwd file

@yuwenma
Copy link
Contributor Author

yuwenma commented Apr 2, 2019

> no matching entries in passwd file

@zihong, do you have any insight into where this error may come from? I don't know what the nobody USER does, but it seems to be specified in the sidecar Dockerfile

@MrHohn
Member

MrHohn commented Apr 2, 2019

@yuwenma I was under the impression that nobody was used just to make sure that the container uses a user account that is in no privileged groups. Maybe that will not be a concern with distroless?

@prameshj
Contributor

prameshj commented Apr 2, 2019

> no matching entries in passwd file
>
> @zihong, do you have any insight into where this error may come from? I don't know what the nobody USER does, but it seems to be specified in the sidecar Dockerfile

The image works fine if the user is removed from the sidecar Dockerfile.
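
Added example, not part of the PR discussion or the kubernetes/dns code: a small Python check for the failure reported above, where a named `USER` has no entry in the new base image's passwd file, and for the root default that results when the `USER` line is removed. The Dockerfile snippets, passwd contents, image name and function names are constructed for illustration; it assumes the base image itself sets no `USER`, and it also covers a numeric UID, which goes beyond what the thread discusses.

```python
import re

# Constructed sample inputs; not taken from the kubernetes/dns repository.
PASSWD_WITH_NOBODY = "root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534:nobody:/:/sbin/nologin\n"
PASSWD_MINIMAL = "root:x:0:0:root:/root:/sbin/nologin\n"  # no "nobody" entry
DOCKERFILE_NAMED = 'FROM example/base\nCOPY sidecar /sidecar\nUSER nobody\nENTRYPOINT ["/sidecar"]\n'
DOCKERFILE_NO_USER = 'FROM example/base\nCOPY sidecar /sidecar\nENTRYPOINT ["/sidecar"]\n'
DOCKERFILE_NUMERIC = 'FROM example/base\nCOPY sidecar /sidecar\nUSER 65534:65534\nENTRYPOINT ["/sidecar"]\n'


def parse_passwd(text):
    """Map user name -> uid from passwd(5)-formatted text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def final_user(dockerfile):
    """Return the USER value in effect at the end of the last build stage."""
    user = None
    for line in dockerfile.splitlines():
        m = re.match(r"\s*(FROM|USER)\s+(\S+)", line, re.IGNORECASE)
        if m and m.group(1).upper() == "FROM":
            user = None  # assumption: the base image config sets no USER
        elif m:
            user = m.group(2)
    return user


def check_user(dockerfile, base_passwd):
    """Classify the runtime user: non-root, root, root-default or unresolvable."""
    user = final_user(dockerfile)
    if user is None:
        return "root-default"  # no USER: the container runs as uid 0
    name = user.split(":", 1)[0]  # drop an optional :group suffix
    if name.isdigit():
        uid = int(name)  # numeric UIDs need no passwd entry
    else:
        users = parse_passwd(base_passwd)
        if name not in users:
            return "unresolvable"  # container start fails: user not in passwd
        uid = users[name]
    return "root" if uid == 0 else "non-root"


if __name__ == "__main__":
    for df in (DOCKERFILE_NAMED, DOCKERFILE_NO_USER, DOCKERFILE_NUMERIC):
        print(check_user(df, PASSWD_MINIMAL))
```

Run against the base image's `/etc/passwd` in CI, a result of `unresolvable` matches the kubelet error quoted earlier, and `root-default` flags a build that only starts because it dropped the non-root user.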

@yuwenma
Contributor Author

yuwenma commented Apr 10, 2019

According to the offline discussion, dns is currently rebased to kube custom debian-base instead of distroless for debugging convenience.

@prameshj
Contributor

@yuwenma would you mind modifying Dockerfile.node-cache line 15 with the same debian image as well? We need to pick up fixes to CVEs; I was trying to see if we can change all base images in this same PR.

@yuwenma
Contributor Author

yuwenma commented Apr 10, 2019

> @yuwenma would you mind modifying Dockerfile.node-cache line 15 with the same debian image as well? We need to pick up fixes to CVEs; I was trying to see if we can change all base images in this same PR.

Done 😃

@prameshj
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 10, 2019
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: prameshj, yuwenma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 10, 2019
@k8s-ci-robot k8s-ci-robot merged commit 70747ca into kubernetes:master Apr 10, 2019
@MrHohn MrHohn changed the title Rebase container images from alpine to distroless. Rebase container images from alpine to debian-base. Apr 15, 2019