Bug 1887488: e2e: node: fix ping tester pod #25688

ffromani · 2020-11-16T09:25:14Z

Pin the busybox image setting a known-good tag.
It was not done previously because of an oversight, no other reason.

Generalize the code which creates the testing pod to make the
code more flexible and a bit easier to read.

Last, use privileged pods for ping tests. This is needed because of the busybox images used
by the pinger pods.
Another approach could be to change base image (e.g. using centos images) but considering
the nature of the test and the fact that the busybox image is tiny, and much smaller than the closest
good alternative (centos), this approach seems good enough.

Bug-Url: https://bugzilla.redhat.com/1887488
Signed-off-by: Francesco Romani fromani@redhat.com

ffromani · 2020-11-16T14:12:26Z

/retest

ffromani · 2020-11-16T18:01:57Z

/retest

ffromani · 2020-11-17T07:17:08Z

/retest

ffromani · 2020-11-17T09:04:11Z

this

fail [k8s.io/kubernetes@v1.19.2/test/e2e/apps/daemon_set.go:102]: Unexpected error:
    <*errors.errorString | 0xc0027641b0>: {
        s: "error while waiting for pods to become inactive daemon-set: there are 3 active pods. E.g. \"daemon-set-qkj95\" on node \"ip-10-0-130-238.us-west-2.compute.internal\"",
    }
    error while waiting for pods to become inactive daemon-set: there are 3 active pods. E.g. "daemon-set-qkj95" on node "ip-10-0-130-238.us-west-2.compute.internal"
occurred

can't be caused by this PR changing how we use an image on an unrelated test. Will report as flake.

openshift-ci-robot · 2020-11-18T10:55:21Z

@fromanirh: This pull request references Bugzilla bug 1887488, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.7.0) matches configured target release for branch (4.7.0)
bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1887488: e2e: node: generalize pod and pin image

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

ffromani · 2020-11-18T10:55:59Z

/retest

ffromani · 2020-11-18T14:33:57Z

/assign @adambkaplan

openshift-ci-robot · 2020-11-18T19:22:08Z

@fromanirh: This pull request references Bugzilla bug 1887488, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.7.0) matches configured target release for branch (4.7.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1887488: e2e: node: fix ping tester pod

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

ffromani · 2020-11-18T19:47:21Z

/retest

rphillips · 2020-11-19T15:20:00Z

/lgtm

ffromani · 2020-11-24T11:21:26Z

/cherry-pick release-4.6

openshift-cherrypick-robot · 2020-11-24T11:21:27Z

@fromanirh: once the present PR merges, I will cherry-pick it on top of release-4.6 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

adambkaplan · 2020-11-24T13:12:30Z

test/extended/topology_manager/resourcealign.go

@@ -24,6 +24,7 @@ import (
 const (
 	networkAttachmentAnnotation string = "k8s.v1.cni.cncf.io/networks"
 	sriovInterfaceName          string = "sriov1"
+	busyboxImage                string = "busybox:1.31.0"


Note that this is pulling from DockerHub without a pull secret, and thus can fail to deploy due to a rate limit.

Can registry.redhat.io/ubi8/ubi-minimal be used instead?

Anything which contains ping and it is maintained is fine for this task. I'll research for alternatives.

adambkaplan · 2020-11-24T16:32:16Z

test/extended/topology_manager/resourcealign.go

+		if cp.Privileged {
+			isTrue := true
+			cnt.SecurityContext = &corev1.SecurityContext{
+				Privileged: &isTrue,
+			}
+		}


Are you sure you need to run a pod that's fully privileged? This bypasses every baked in security check.

If the issue is that on busybox you now need root, you can use runAsUser: 0 in the security context. Not awesome, but better than running a privileged container.

good point. Let me narrow down the privileges.

So RunAsUser: 0 is not enough, it seems I need at least CAP_NET_RAW (which is still too much?)
if I remove Privileged: true and I replace with RunAsUser: 0 I get:

Nov 24 17:52:36.585: INFO: Error running /usr/local/bin/oc --namespace=e2e-test-topology-manager-xhjcv --kubeconfig=/home/fromani/clusters/cnflab/kubeconfig rsh -n default -c test-0 test-29pj7 ping -c 3 10.56.217.171: StdOut> bind: Permission denied PING 10.56.217.171 (10.56.217.171): 56 data bytes command terminated with exit code 2 StdErr> bind: Permission denied PING 10.56.217.171 (10.56.217.171): 56 data bytes command terminated with exit code 2

ffromani · 2020-11-25T12:39:22Z

/retest

ffromani · 2020-11-25T15:46:29Z

/retest

adambkaplan

Please squash commits, otherwise looks good.

Pin the busybox image setting a known-good tag. It was not done previously because of an oversight, no other reason. Generalize the code which creates the testing pod to make the code more flexible and a bit easier to read. Any public-available, reasonably recent (>= 1.21) busybox image is fine. We use the same image other extended tests (DNS) are already using. This solves the issues for all but one tests: the connectivity test. One of the e2e topology manager tests wants to run a basic network check between two NUMA-aligned pods, to get a basic signal if the network is working. This is done to test that resource alignment is not preventing the network to work. This test is intentionally minimal: proper network check is demanded to other testsuites (e.g. the SRIOV testsuite), but we need some basic coverage in this testsuite and we have this intentional, minimal, overlap. To do the minimal testing, the test what to ping two resource-aligned pod from each other. To do so we need a container image which contains the ping tool and which not require any special privilege. So, this patch requires the pull URL of the network-check image to be supplied using a (documented) environment variable. This way: 1. users can use existing images not part of openshift (quay.io/openshift-kni/cnf-tests) which they may want to use to validate their cluster anyway 2. users can easily opt out from this test (do not supply the env variable to skip the test) 3. in the future we can provide a very simple base image in from openshift itself to fill this role. Bug-Url: https://bugzilla.redhat.com/1887488 Signed-off-by: Francesco Romani <fromani@redhat.com>

ffromani · 2020-11-26T09:37:32Z

/retest

ffromani · 2020-11-30T09:09:21Z

/retest

rphillips · 2020-11-30T14:39:48Z

/lgtm

adambkaplan

/approve

openshift-ci-robot · 2020-11-30T17:39:02Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, fromanirh, rphillips

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~test/extended/OWNERS~~ [adambkaplan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

ffromani · 2020-11-30T20:28:15Z

/test e2e-gcp

openshift-bot · 2020-11-30T20:49:03Z

/retest