Use a forked copy of multiarch/qemu-user-static scripts instead of a privileged container #69820
Conversation
/assign @lavalamp
/lgtm
Thanks, /lgtm
# enable automatic i386/ARM/M68K/MIPS/SPARC/PPC/s390/HPPA/Xtensa/microblaze | ||
# program execution by the kernel | ||
# | ||
# downloaded from https://raw.githubusercontent.com/qemu/qemu/master/scripts/qemu-binfmt-conf.sh |
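Review bot: the provenance comment in this header points at a moving target (`.../qemu/qemu/master/scripts/qemu-binfmt-conf.sh`), so nobody can later diff the vendored copy against what was actually taken; since the file was copied from multiarch/qemu-user-static at a specific commit, put that repository and commit hash in the header comment itself, not only in the PR discussion, so the third_party copy can be audited without digging through PR history.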
Was this file really downloaded from here @ixdy ? (the one in the url looks different)
In https://github.com/kubernetes/kubernetes/pull/69820/files#diff-411cd91074aad363eef8c602401707e0R1 he notes that it was downloaded at a specific commit
ah thanks!
/hold cancel
right, this file was actually copied from qemu/qemu into multiarch/qemu-user-static, where this comment was added (see https://github.com/multiarch/qemu-user-static/blob/22b0013668d2aed4a2cfd21650e85c664b1f21c6/register/qemu-binfmt-conf.sh#L5).
/hold one question on the script inline
Of course our build image doesn't have
502c05b to fd1c81c
/hold cancel I added some Makefile one-liners to fix the sudo issue, PTAL.
fd1c81c to aeda6b0
@@ -27,6 +27,8 @@ ALL_ARCH = amd64 arm arm64 ppc64le s390x | |||
TEMP_DIR:=$(shell mktemp -d) | |||
QEMUVERSION=v2.9.1 | |||
|
|||
SUDO=$(if $(filter 0,$(shell id -u)),,sudo) |
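Review bot: the `SUDO=$(if $(filter 0,$(shell id -u)),,sudo)` line is opaque enough that it needed a paragraph of explanation in review; that explanation belongs as a comment directly above the assignment (`filter` returns `0` only when `id -u` is `0`, the `if` treats a non-empty string as true, so root gets an empty prefix and everyone else gets `sudo`). Also note in that comment that `$(shell id -u)` is evaluated once when the Makefile is parsed, and that on a non-interactive CI runner a password-prompting `sudo` will block rather than fail; `sudo -n` would fail fast there.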
To explain this: `make` doesn't let you do equality checks in variable assignment, so this is the next best option. Basically, `filter pattern,text` returns whitespace-separated words from `text` that match the `pattern`, so here we're returning `0` when the user is root and empty string otherwise. The `if` in variable assignment considers nonempty strings as true, empty strings as false. Thus when the effective user id is 0 (i.e. you're root), `filter` returns `0`, which evaluates to true, and so we don't use `sudo`. Otherwise we do.
(this implementation was basically copied from https://stackoverflow.com/a/9008922/9723266.)
(I pushed new changes to reverse the order of arguments to
oh, this is failing because I think the cross job isn't running in a privileged container. I guess we can switch that, but it's a little unfortunate... cc @BenTheElder
I wonder if we can move symlink creation to the hyperkube base image, and then remove the need for the register call entirely.
[FYI we discussed offline and Jeff is trying the route mentioned above]
cross-linking: #69832 is the PR to move symlink creation to the hyperkube base image. I think we still want this PR, since there are cases (like creation of the base images) where we need to register the qemu handlers, and I'd rather use a local script instead of a privileged container.
aeda6b0 to a882445
I've rebased now that #69832 has merged. I believe this should be good to go now.
/lgtm
/assign @smarterclayton can you review/approve the
@thockin @smarterclayton can you please approve the changes under third_party?
/assign @lavalamp Can someone please approve for third_party? :)
ping?
/approve sorry didn't see this in my email until now |
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cblecker, ixdy, lavalamp
What this PR does / why we need it: in several of our Makefiles, we run `docker run --privileged multiarch/qemu-user-static:register` to register qemu in the host kernel, but this is roughly equivalent to `curl | sudo sh`. As we have to run these operations as root, we should at least run copies of the script that we can maintain and audit.
Release note:
/assign @cblecker @dims @mkumatag @tallclair
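As an added example (not code from this PR, from kubernetes/kubernetes, or from multiarch/qemu-user-static), here is the core of what a local, auditable register script has to do in place of `docker run --privileged multiarch/qemu-user-static:register`, together with a shell equivalent of the Makefile `SUDO` detection explained in the review comment above. It assumes binfmt_misc is mounted at `/proc/sys/fs/binfmt_misc`, that the interpreters live under `/usr/bin` (override with `QEMU_PATH`), and the ELF magic/mask layout that the upstream qemu-binfmt-conf.sh uses for arm and aarch64; the function names and the `register-qemu.sh` file name are mine.

```shell
#!/bin/sh
# Added example, not code from kubernetes/kubernetes or multiarch/qemu-user-static:
# register qemu-user-static handlers with binfmt_misc from a local script,
# which is the job `docker run --privileged multiarch/qemu-user-static:register`
# does. Assumptions: binfmt_misc is mounted at its default path and the
# qemu interpreters are installed under $QEMU_PATH.
set -eu

BINFMT_DIR=${BINFMT_DIR:-/proc/sys/fs/binfmt_misc}
QEMU_PATH=${QEMU_PATH:-/usr/bin}

# Shell form of the Makefile's SUDO=$(if $(filter 0,$(shell id -u)),,sudo):
# prints nothing when already root, "sudo" otherwise.
sudo_prefix() {
    if [ "$(id -u)" -eq 0 ]; then :; else printf 'sudo'; fi
}

# Build the binfmt_misc magic for an ELF binary: e_ident[16] followed by
# e_type and e_machine. class: 1=ELFCLASS32, 2=ELFCLASS64; data: 1=little
# endian, 2=big endian; machine: decimal e_machine (40=ARM, 183=AArch64).
elf_magic() {
    class=$1; data=$2; machine=$3
    hi=$(printf '%02x' $((machine >> 8)))
    lo=$(printf '%02x' $((machine & 255)))
    if [ "$data" -eq 1 ]; then
        tail="\\x02\\x00\\x${lo}\\x${hi}"   # ET_EXEC, e_machine little-endian
    else
        tail="\\x00\\x02\\x${hi}\\x${lo}"   # ET_EXEC, e_machine big-endian
    fi
    # EI_MAG, EI_CLASS, EI_DATA, EI_VERSION=1, then EI_OSABI/ABIVERSION/pad (9 bytes)
    printf '\\x7fELF\\x0%d\\x0%d\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00%s' \
        "$class" "$data" "$tail"
}

# Matching mask: ignore EI_OSABI (byte 7) and accept ET_EXEC or ET_DYN by
# masking e_type's low byte with 0xfe. This is the layout the upstream
# qemu-binfmt-conf.sh uses for arm and aarch64; other arches have their
# own quirks there, so take those from the upstream table.
elf_mask() {
    if [ "$1" -eq 1 ]; then
        tail='\xfe\xff\xff\xff'
    else
        tail='\xff\xfe\xff\xff'
    fi
    printf '\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff%s' "$tail"
}

# One registration record: :name:M::magic:mask:interpreter:flags
# "F" makes the kernel open the interpreter at registration time, so the
# handler still works inside a container or chroot that does not ship qemu.
binfmt_line() {
    name=$1; class=$2; data=$3; machine=$4; interp=$5; flags=${6:-}
    printf ':%s:M::%s:%s:%s:%s\n' "$name" \
        "$(elf_magic "$class" "$data" "$machine")" "$(elf_mask "$data")" \
        "$interp" "$flags"
}

# Register one handler; idempotent, and refuses to run without the
# interpreter present (with F the kernel would open it right now anyway).
binfmt_register() {
    name=$1; interp=$5
    if [ ! -e "$BINFMT_DIR/register" ]; then
        echo "binfmt_misc is not mounted at $BINFMT_DIR" >&2; return 1
    fi
    if [ ! -x "$interp" ]; then
        echo "interpreter $interp missing, not registering $name" >&2; return 1
    fi
    if [ -e "$BINFMT_DIR/$name" ]; then
        echo "$name already registered, skipping" >&2; return 0
    fi
    # tee rather than a redirect so the write itself runs under sudo.
    binfmt_line "$@" | $(sudo_prefix) tee "$BINFMT_DIR/register" >/dev/null
}

# Usage: `sh register-qemu.sh register` (hypothetical file name) registers
# arm and arm64 handlers; ppc64le and s390x follow the same pattern with
# their magic/mask taken from the upstream script.
if [ "${1:-}" = "register" ]; then
    binfmt_register qemu-arm     1 1 40  "$QEMU_PATH/qemu-arm-static"     F
    binfmt_register qemu-aarch64 2 1 183 "$QEMU_PATH/qemu-aarch64-static" F
fi
```

Writing the record directly means the only thing that runs as root is a `tee` of a string you can read in full, instead of whatever a registry currently serves under the `:register` tag. After registration, `cat /proc/sys/fs/binfmt_misc/qemu-aarch64` shows the interpreter path, flags, magic and mask the kernel actually accepted; checking that against the line you wrote is the audit step to do before trusting a cross build that depends on it.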