New go-runner image for distroless scenarios #90804
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
release-note-none
|
/priority important-soon |
k8s-ci-robot
added
priority/important-soon
|
/assign @justaugustus |
|
/assign @BenTheElder @fejta |
|
/sig testing |
k8s-ci-robot
added
sig/testing
dims
force-pushed
the
new-go-runner-image-for-distroless
branch
from
5628ea8
to
67f0a5f
Compare
|
/retest |
|
This is exciting! |
k8s-ci-robot
added
area/release-eng
tallclair
reviewed
May 6, 2020
dims
force-pushed
the
new-go-runner-image-for-distroless
branch
from
67f0a5f
to
1abc489
Compare
BenTheElder
reviewed
May 7, 2020
BenTheElder
reviewed
May 7, 2020
dims
force-pushed
the
new-go-runner-image-for-distroless
branch
from
f20cab5
to
4eece4e
Compare
|
I like this. distroless++
EDIT: I guess no relnote for introducing the image, relnote possibly when we start using it? |
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
dims
force-pushed
the
new-go-runner-image-for-distroless
branch
from
4eece4e
to
393e095
Compare
|
/lgtm |
k8s-ci-robot
added
do-not-merge/hold
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/test pull-kubernetes-e2e-kind |
|
/test pull-kubernetes-kubemark-e2e-gce-big |
|
/retest |
BTW, I prototyped a tiny go utility that would dump stdin to an executable file. The usecase is to pre-load it into distroless containers for debugging (until we have debug containers) by doing: I'm not sure it's worth following up on, but it was a fun hack. |
|
Very cool @tallclair |
|
That is pretty sweet. Given that the images auto push now, any reason not
to?
…On Thu, May 7, 2020, 18:15 Davanum Srinivas ***@***.***> wrote:
Very cool @tallclair <https://github.com/tallclair>
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#90804 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAHADK5VCUW64IZ76H4QGOLRQNMLXANCNFSM4M2OCMIQ>
.
|
10 tasks
listx
pushed a commit
to listx/k8s.io
that referenced
this pull request
May 8, 2020
This reverts commit 97278f1. Here is the sequence of events. Originally, kubernetes#849 incorrectly promoted sha256:536ab131b0d0e3b13eb83c985cc0ac9ba7e69e7dac9521e6cacd6a8b6019e0a6 to `v0.1.0`. This was in error because this digest was not the digest of the manifest list, but only for the amd64 image. Then, PR kubernetes#850 was created to fix this. Originally, that PR assigned the correct digest of the manifest list sha256:8ee20934e6c005a9ce8d6d8b7ed23698c3bb80e0b30a3d49e5aeca928cc69bf3 to a new tag, `v0.1.1`. This was OK for the promoter (it was what I LGTM'ed), because it assigned a new tag for a new digest; however it was NOT OK because the underlying image was really versioned as `v0.1.0` (kubernetes/kubernetes#90804). Later, PR kubernetes#850 *was changed* so that sha256:8ee20934e6c005a9ce8d6d8b7ed23698c3bb80e0b30a3d49e5aeca928cc69bf3 was tagged as `v0.1.0` while a new build of `v0.1.1` was created here kubernetes/kubernetes#90852. This change to promote sha256:8ee20934e6c005a9ce8d6d8b7ed23698c3bb80e0b30a3d49e5aeca928cc69bf3 into the __existing__ `v0.1.0` tag resullted in PR kubernetes#850 becoming a NOP. The promoter simply ignored this PR because tag moves are not supported. That is, in order to honor the intent of PR kubernetes#850, the promoter would have had to __delete__ the `v0.1.0` tag from the incorrect digest sha256:536ab131b0d0e3b13eb83c985cc0ac9ba7e69e7dac9521e6cacd6a8b6019e0a6 and reassign this tag to sha256:8ee20934e6c005a9ce8d6d8b7ed23698c3bb80e0b30a3d49e5aeca928cc69bf3. This is why the promoter complained about this in PR kubernetes#850's postsubmit run about tag moves, and is still complaining about this even after PR kubernetes#853 (promoting the newly-built `v0.1.1` image) was merged, like this: ``` ... tag 'v0.1.0' in dest points to sha256:536ab131b0d0e3b13eb83c985cc0ac9ba7e69e7dac9521e6cacd6a8b6019e0a6, not sha256:8ee20934e6c005a9ce8d6d8b7ed23698c3bb80e0b30a3d49e5aeca928cc69bf3 (as per the manifest), but tag moves are not supported; skipping ... ``` Our promoter manifests should be kept free of impossible-to-do intent. The solution is to either (1) delete the existing `v0.1.0` tag from production (making the intent not a tag move, but a tag add) and keep the promoter manifest as-is, or (2) revert PR kubernetes#850 and keep the incorrect digest for `v0.1.0` to silence the tag move warning. Because this is not a production emergency, (1) would be against policy. Hence this PR, which opts for option (2). That being said, the dry run of the promoter in PR kubernetes#850 did correctly detect the tag move as well, but exited without an error. We should exit with an error on tag moves during dry runs in the future, because tag moves result from prohibited manifest *intent*. This is tracked here: kubernetes-sigs/promo-tools#212.
This was referenced May 10, 2020
Elimuhub-coder
approved these changes
Aug 22, 2022
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: BenTheElder, dims, Elimuhub-coder The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context : please see #90674
The Kubernetes go-runner image wraps the gcr.io/distroless/static image and provides a go based
binary that can run commands and wrap stdout/stderr etc.
Why do we need this? Some of our images like kube-apiserver currently use bash for collecting
logs, so we are not able to switch to distroless images directly for these images. The klog's
--log-filewas supposed to fix this problem, but we ran into trouble in scalability CI jobsaround log rotation and picked this option instead. we essentially publish a multi-arch
manifest with support for various platforms. This can be used as a base for other kubernetes
components.
For example instead of running kube-apiserver like this:
we would use go-runner like so:
The go-runner would then ensure that we run the
/usr/local/bin/kube-apiserverwith thespecified parameters and redirect stdout ONLY to the log file specified and ensure anything
logged to stderr also ends up in the log file.
Signed-off-by: Davanum Srinivas davanum@gmail.com
What type of PR is this?
/kind feature
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: