Base etcd-empty-dir-cleanup on busybox, run as nobody, and update to etcdctl 3.0.14 #41674
Conversation
ixdy
added
the
do-not-merge
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
size/S
|
This change is |
| IMAGE = gcr.io/google_containers/etcd-empty-dir-cleanup | ||
| TAG = 0.0.1 | ||
| TAG = 3.0.14 |
There was a problem hiding this comment.
We are likely to want to rev this faster than etcd versions (e.g. to pick up security fixes in the container base image). Should we make the tag start with the etcd version but have an extension too? e.g. 3.0.14.0
There was a problem hiding this comment.
potentially, though I expect busybox to be less of a security issue than other base images.
an open question is how exactly to update images when we only want to update the base image: do we use explicit tags, which requires us to update manifests, or do we just move the tag to the newer image?
I guess I can tag this 3.0.14.0 while we're trying to answer that question.
There was a problem hiding this comment.
Agreed, we need to come up with a convention for all our images. Semantic versioning calls for 3.0.14-whatever. Also, this image is more than the etcd version, what happens when we modify the cleanup script? I suggest keeping the image version scheme (0.1.0 or maybe 0.1.0-etcd3.0.14)
|
@k8s-bot bazel test this |
ixdy
force-pushed
the
etcd-empty-dir-cleanup-busybox
branch
from
9b6a437
to
c2c8632
Compare
mbohlool
added
the
lgtm
|
Look good to proceed to e2e test. |
mbohlool
removed
the
lgtm
| CMD bash /etcd-empty-dir-cleanup.sh | ||
|
|
||
| # nobody:nobody | ||
| USER 65534:65534 |
There was a problem hiding this comment.
I'm surprised this works... I guess etcd doesn't need any credentials? Did you verify that the empty directories actually are cleanup up?
There was a problem hiding this comment.
etcdctl doesn't seem to care which user it runs as.
I tested this, and it seems to work, except that I think this conditional is buggy, possibly under ash, possibly in general. digging some more...
There was a problem hiding this comment.
yeah, I made a /registry/foo/bar directory, and deleting it fails with this image:
Starting cleanup...
sh: /registry/foo/bar: unknown operand
Removing empty key /registry/foo/ ...
Error: 108: Directory not empty (/registry/foo) [17]
Done with cleanup.
works fine with 0.0.1:
Starting cleanup...
Removing empty key /registry/foo/bar/ ...
Done with cleanup.
There was a problem hiding this comment.
I think this conditional might be wrong:
if [[ $(${ETCDCTL} ls $1) ]]; thenit happens to work in bash, but I'm not sure what it's actually trying to test. maybe it wants -n?
| IMAGE = gcr.io/google_containers/etcd-empty-dir-cleanup | ||
| TAG = 0.0.1 | ||
| TAG = 3.0.14 |
There was a problem hiding this comment.
Agreed, we need to come up with a convention for all our images. Semantic versioning calls for 3.0.14-whatever. Also, this image is more than the etcd version, what happens when we modify the cleanup script? I suggest keeping the image version scheme (0.1.0 or maybe 0.1.0-etcd3.0.14)
| RUN chmod +x etcd-empty-dir-cleanup.sh | ||
| CMD bash /etcd-empty-dir-cleanup.sh | ||
|
|
||
| # nobody:nobody |
There was a problem hiding this comment.
FYI - busybox maps nobody to 99. We could do USER nobody:nobody, but maybe using 65534 is preferable? We need Kubernetes managed UIDs....
There was a problem hiding this comment.
using nobody:nobody probably makes more sense for busybox images, though it's frustrating that we can't be consistent.
| @@ -12,12 +12,15 @@ | |||
| # See the License for the specific language governing permissions and | |||
| # limitations under the License. | |||
|
|
|||
| FROM gliderlabs/alpine | |||
| FROM busybox | |||
There was a problem hiding this comment.
The problem with busybox is we don't currently have a way to track CVEs. It's not so much an issue with this particular image, but something to think about...
I'm tempted to put the version number in here (busybox:1.26.2). On the one hand, it would make it easier to see which version images were on. On the other hand, it makes it easier for the versions to be left behind.... what are your thoughts?
There was a problem hiding this comment.
I'm not really sure what is best - we seem to have a mix of both, though unversioned busybox is generally more common.
I'm also generally less worried about CVEs affecting busybox, since historically there have been very few affecting it.
|
@k8s-bot test this |
|
|
ixdy
force-pushed
the
etcd-empty-dir-cleanup-busybox
branch
2 times, most recently
from
2b0f5ab
to
b5d77e3
Compare
|
oops, didn't see @timstclair's comments. |
ixdy
force-pushed
the
etcd-empty-dir-cleanup-busybox
branch
2 times, most recently
from
10e4823
to
6ef01d6
Compare
|
Changed to use |
ixdy
removed
the
do-not-merge
ixdy
force-pushed
the
etcd-empty-dir-cleanup-busybox
branch
from
6ef01d6
to
11e09fc
Compare
|
/lgtm I think we should revisit the question of busybox, but this is ok for now. |
|
@timstclair: you can't LGTM a PR unless you are an assignee. In response to this comment:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@mbohlool does this still LG to you? |
ixdy
added
release-note
| @@ -17,7 +17,7 @@ | |||
| echo "Removing empty directories from etcd..." | |||
|
|
|||
| cleanup_empty_dirs () { | |||
| if [[ $(${ETCDCTL} ls $1) ]]; then | |||
| if [[ "$(${ETCDCTL} ls $1)" ]]; then | |||
There was a problem hiding this comment.
I am not a sh/bash expert, but my understanding is [[..]] is built-in (either supported or not but if it is supported it is a built-in check) and does not require quotes. This make me wonder if this works as expect. of course if the if statement returns true all the time, the script would still remote empty folders, but then we can simplify it by removing if statement. Have you check this if statement in busybox's sh?
There was a problem hiding this comment.
It's not exactly a built-in in busybox:
$ docker run --rm -i -t busybox which [[
/bin/[[
That's probably why this command broke when switched from bash to busybox's ash.
There was a problem hiding this comment.
I think busybox's ash is faking [[..]] support.
Simple example inside the busybox container:
# cat test.txt
foo
bar
# if [[ $(cat test.txt) ]]; then echo a; else echo b; fi
sh: bar: unknown operand
b
# if [[ "$(cat test.txt)" ]]; then echo a; else echo b; fi
aI could probably change this to [..] if we want to be clearer that this isn't bash.
ixdy
force-pushed
the
etcd-empty-dir-cleanup-busybox
branch
from
11e09fc
to
511bdc1
Compare
mbohlool
added
the
lgtm
|
@k8s-bot test this |
1 similar comment
|
@k8s-bot test this |
|
any reason not to squash your commits? The second one is a one line change that doesn't seem necessary to keep separate. /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED The following people have approved this PR: ixdy, roberthbailey, timstclair Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
Automatic merge from submit-queue |
|
I kept them separate as "implementation" and "activation". |
What this PR does / why we need it: since the
etcd-empty-dir-cleanupimage just uses a simple shell script andetcdctl, we can base it on busybox, which is a smaller target than alpine.I've also updated this to use an
etcdctlfrom etcd 3.0.14, which matches the version of etcd we're running in 1.6 clusters (I believe), and changed the tag to match theetcdctlversion.Tested in my own e2e cluster, where it seems to work.
I haven't pushed the image yet, so e2e tests may fail. Tagging
do-not-merge; if you think this looks good, I'll push the image and retest.Release note:
cc @timstclair @mml @wojtek-t