Base etcd-empty-dir-cleanup on busybox, run as nobody, and update to etcdctl 3.0.14 #41674
IMAGE = gcr.io/google_containers/etcd-empty-dir-cleanup | ||
TAG = 0.0.1 | ||
TAG = 3.0.14 |
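Review bot: `TAG = 3.0.14` reuses the etcdctl version as the image tag, so a rebuild of etcd-empty-dir-cleanup that changes anything other than etcdctl has no new tag to take unless 3.0.14 is overwritten. Suggest keeping an image-specific version and carrying the etcd version as a suffix, so that every published build gets its own tag.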
We are likely to want to rev this faster than etcd versions (e.g. to pick up security fixes in the container base image). Should we make the tag start with the etcd version but have an extension too? e.g. 3.0.14.0
potentially, though I expect busybox to be less of a security issue than other base images.
an open question is how exactly to update images when we only want to update the base image: do we use explicit tags, which requires us to update manifests, or do we just move the tag to the newer image?
I guess I can tag this 3.0.14.0 while we're trying to answer that question.
Agreed, we need to come up with a convention for all our images. Semantic versioning calls for 3.0.14-whatever. Also, this image is more than the etcd version, what happens when we modify the cleanup script? I suggest keeping the image version scheme (0.1.0 or maybe 0.1.0-etcd3.0.14)
@k8s-bot bazel test this
Looks good to proceed to e2e test.
CMD bash /etcd-empty-dir-cleanup.sh | ||
|
||
# nobody:nobody | ||
USER 65534:65534 |
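Review bot: on `USER 65534:65534`, the comment above it says nobody:nobody, but a numeric UID:GID is used as given rather than resolved by name, so the label is only accurate if the base image maps nobody to 65534. Suggest rewording the comment to say the numeric ID is deliberate, and checking that the script named in the CMD line is readable by that UID.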
I'm surprised this works... I guess etcd doesn't need any credentials? Did you verify that the empty directories actually are cleaned up?
etcdctl doesn't seem to care which user it runs as.
I tested this, and it seems to work, except that I think this conditional is buggy, possibly under ash, possibly in general. digging some more...
yeah, I made a /registry/foo/bar directory, and deleting it fails with this image:
Starting cleanup...
sh: /registry/foo/bar: unknown operand
Removing empty key /registry/foo/ ...
Error: 108: Directory not empty (/registry/foo) [17]
Done with cleanup.
works fine with 0.0.1:
Starting cleanup...
Removing empty key /registry/foo/bar/ ...
Done with cleanup.
I think this conditional might be wrong:
if [[ $(${ETCDCTL} ls $1) ]]; then
it happens to work in bash, but I'm not sure what it's actually trying to test. maybe it wants -n?
IMAGE = gcr.io/google_containers/etcd-empty-dir-cleanup | ||
TAG = 0.0.1 | ||
TAG = 3.0.14 |
RUN chmod +x etcd-empty-dir-cleanup.sh | ||
CMD bash /etcd-empty-dir-cleanup.sh | ||
|
||
# nobody:nobody |
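Review bot: `RUN chmod +x etcd-empty-dir-cleanup.sh` uses a relative path while the CMD line below it uses /etcd-empty-dir-cleanup.sh, so the two refer to the same file only while the build's working directory is /. Suggest the absolute path in the RUN line. Also, since CMD hands the script to bash explicitly, the execute bit is not what makes it run, so either drop the chmod or invoke the script directly.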
FYI - busybox maps nobody to 99. We could do USER nobody:nobody, but maybe using 65534 is preferable? We need Kubernetes managed UIDs....
using nobody:nobody probably makes more sense for busybox images, though it's frustrating that we can't be consistent.
@@ -12,12 +12,15 @@ | |||
# See the License for the specific language governing permissions and | |||
# limitations under the License. | |||
|
|||
FROM gliderlabs/alpine | |||
FROM busybox |
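Review bot: `FROM busybox` carries no tag or digest, so each build resolves whatever the default tag points to at that moment and two builds published under the same image tag can contain different base layers. Suggest pinning a version tag or digest here so rebuilds are reproducible and the base version inside a published image can be determined afterwards.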
The problem with busybox is we don't currently have a way to track CVEs. It's not so much an issue with this particular image, but something to think about...
I'm tempted to put the version number in here (busybox:1.26.2). On the one hand, it would make it easier to see which version images were on. On the other hand, it makes it easier for the versions to be left behind.... what are your thoughts?
I'm not really sure what is best - we seem to have a mix of both, though unversioned busybox is generally more common.
I'm also generally less worried about CVEs affecting busybox, since historically there have been very few affecting it.
@k8s-bot test this
oops, didn't see @timstclair's comments.
Changed to use
/lgtm I think we should revisit the question of busybox, but this is ok for now.
@timstclair: you can't LGTM a PR unless you are an assignee. In response to this comment:
@mbohlool does this still LG to you?
@@ -17,7 +17,7 @@ | |||
echo "Removing empty directories from etcd..." | |||
|
|||
cleanup_empty_dirs () { | |||
if [[ $(${ETCDCTL} ls $1) ]]; then | |||
if [[ "$(${ETCDCTL} ls $1)" ]]; then |
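Review bot: in the new condition the command substitution is quoted but `$1` inside it is not, and `[[` with a single operand leaves the intended test implicit and depends on the shell supporting `[[` at all. Suggest `[ -n "$(${ETCDCTL} ls "$1")" ]`, which states the non-empty check explicitly and quotes the directory argument as well.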
I am not a sh/bash expert, but my understanding is [[..]] is built-in (either supported or not but if it is supported it is a built-in check) and does not require quotes. This makes me wonder if this works as expected. Of course if the if statement returns true all the time, the script would still remove empty folders, but then we can simplify it by removing the if statement. Have you checked this if statement in busybox's sh?
It's not exactly a built-in in busybox:
$ docker run --rm -i -t busybox which [[
/bin/[[
That's probably why this command broke when switched from bash to busybox's ash.
I think busybox's ash is faking [[..]] support.
Simple example inside the busybox container:
# cat test.txt
foo
bar
# if [[ $(cat test.txt) ]]; then echo a; else echo b; fi
sh: bar: unknown operand
b
# if [[ "$(cat test.txt)" ]]; then echo a; else echo b; fi
a
I could probably change this to [..] if we want to be clearer that this isn't bash.
changed to [..].
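The failure discussed in this thread, as an added example that is not part of the PR: when the test command word-splits its operands (as busybox's [[ does in the session above, and as [ does in any POSIX shell), an unquoted command substitution with more than one line of output becomes several operands and the test errors out instead of reporting "non-empty". list_children is a hypothetical stand-in for `${ETCDCTL} ls`, and the key names are constructed.

```shell
#!/bin/sh
# Added example. list_children is a hypothetical stand-in for "${ETCDCTL} ls <dir>":
# it prints one child key per line, or nothing for an empty directory.
list_children() {
  case "$1" in
    /registry/foo)     printf '%s\n' /registry/foo/bar /registry/foo/baz ;;
    /registry/foo/bar) ;;                       # empty directory
    /registry/one)     printf '%s\n' /registry/one/child ;;
  esac
}

# Fragile form: the substitution is unquoted, so its output is split into
# words before the test runs. Two children become two operands and the test
# fails with an error (non-zero status) instead of reporting "non-empty".
has_children_unquoted() {
  [ $(list_children "$1") ] 2>/dev/null
}

# Portable form: quote the substitution so it is a single operand, and use
# -n so the intent (non-empty output) is explicit.
has_children() {
  [ -n "$(list_children "$1")" ]
}

# Compare both forms over the three constructed directories.
report() {
  for dir in /registry/foo /registry/foo/bar /registry/one; do
    if has_children_unquoted "$dir"; then u=non-empty; else u=empty; fi
    if has_children "$dir"; then q=non-empty; else q=empty; fi
    printf '%s unquoted=%s quoted=%s\n' "$dir" "$u" "$q"
  done
}
report
```

The unquoted form only disagrees for /registry/foo, the directory with two children, which is the same case that produced "unknown operand" in the cleanup run quoted earlier.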
@k8s-bot test this
any reason not to squash your commits? The second one is a one line change that doesn't seem necessary to keep separate. /approve
[APPROVALNOTIFIER] This PR is APPROVED The following people have approved this PR: ixdy, roberthbailey, timstclair Needs approval from an approver in each of these OWNERS Files:
Automatic merge from submit-queue
I kept them separate as "implementation" and "activation".
What this PR does / why we need it: since the etcd-empty-dir-cleanup image just uses a simple shell script and etcdctl, we can base it on busybox, which is a smaller target than alpine.
I've also updated this to use an etcdctl from etcd 3.0.14, which matches the version of etcd we're running in 1.6 clusters (I believe), and changed the tag to match the etcdctl version.
Tested in my own e2e cluster, where it seems to work.
I haven't pushed the image yet, so e2e tests may fail. Tagging do-not-merge; if you think this looks good, I'll push the image and retest.
Release note:
cc @timstclair @mml @wojtek-t