Fix /etc/pki/ca-trust/extracted/pem permissions issue #263
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
Testing this fix |
|
Let me know if I'm wrong but I wouldn't expect this to work, if something is now mounting to this location at runtime I don't think changing the perms during a build will help. I expect the fix needs to be a new way to get the cert in there, and in the command in the Deployment yaml where we do the copy today. It looked like there were some suggestions for a command to run to import certs now. |
Agreed. I just wanted to test what happens in CI for this case by fetching the image. |
akhil-rane
force-pushed
the
fix_permissions_issue_trust_bundle
branch
from
e6fb833
to
728891f
Compare
|
@dgoodwin what do you think of this approach? instead of |
|
I'm really not sure, it feels unsafe but it would be great if it's a reasonable solution. Would you mind asking in that email thread started this morning and see what folks more familiar with think? |
|
How are other operators handling this? CCO is not alone in having to set this up. |
Only CCO and image registry repos have reported issues so far. It is not fixed yet in the Image registry. I do know if any other operators are facing this. |
akhil-rane
force-pushed
the
fix_permissions_issue_trust_bundle
branch
from
728891f
to
922048a
Compare
|
/retest |
akhil-rane
force-pushed
the
fix_permissions_issue_trust_bundle
branch
from
922048a
to
d296bef
Compare
|
/assign @dgoodwin |
|
Same here, just want a clear description of what that is and how it works, and it should probably be in the commit message and comments around the Dockerfile line. Otherwise looks great indeed and nice work. |
|
I believe they're going to revert the change that caused this, however it will probably take time to make it to the build/ci clusters, so I think we probably should still merge this? |
Yes, I think we should merge. I will update the PR with the commit message. |
Currently, CCO e2es are failing because CI builds volume mount '/etc/pki/ca-trust' at runtime. Previously we used Dockerfile RUN command to make '/etc/pki/ca-trust/extracted/pem' world-writable. Because this command is now being run with a volume mounted at /etc/pki/ca-trust, the directories and files whose permissions are modified are those in the volume and are not included in the final image. To fix this we add an archive of the contents (writable empty files) of '/etc/pki/ca-trust/extracted' to the build context using Dockerfile ADD and then run 'update-ca-trust extract' as a container command to populate these files
akhil-rane
force-pushed
the
fix_permissions_issue_trust_bundle
branch
from
d296bef
to
2a8b86d
Compare
akhil-rane
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
@dgoodwin I have updated the commit message to the best of my knowledge. Let me know if it does not make sense. I might be wrong about some of the things here. I believe changes to previous releases won't clear CI if we don't backport. So do we want to backport or wait for the CI team to revert the change that caused this issue? |
|
/lgtm Need to think on backporting next week, I have fixes blocked for 4.5 in the queue, we may have to clone a bug for 4.6 and 4.5 both, and backport to each. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: akhil-rane, dgoodwin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
Currently, CCO e2es are failing because CI builds volume mount
'/etc/pki/ca-trust' at runtime. Previously we used Dockerfile RUN
command to make '/etc/pki/ca-trust/extracted/pem' world-writable.
Because this command is now being run with a volume mounted at
/etc/pki/ca-trust, the directories and files whose permissions are
modified are those in the volume and are not included in the final
image.
To fix this we add an archive of the contents (writable empty files)
of '/etc/pki/ca-trust/extracted' to the build context using Dockerfile
ADD and then run 'update-ca-trust extract' as a container
command to populate these files
jira: https://issues.redhat.com/browse/CO-1272