[cherry-pick v3.26] calico-kube-controllers: Run as non-root by default for the s390x image #7956

Merged

liudalibj
Contributor

@liudalibj liudalibj commented Aug 24, 2023

Description

Run as non-root by default for the s390x image

  • create status and profiles folder
  • create related files and chown to 999

Related issues/PRs

Fixes: #7957

Todos

  • Tests
  • Documentation
  • Release note

Release Note

kube controllers run as a non-root user in s390x builds by default

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

  • docs-pr-required: This change requires a change to the documentation that has not been completed yet.
  • docs-completed: This change has all necessary documentation completed.
  • docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

  • release-note-required: This PR has user-facing changes. Most PRs should have this label.
  • release-note-not-required: This PR has no user-facing changes.

Other optional labels:

  • cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
  • needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

@liudalibj liudalibj requested a review from a team as a code owner August 24, 2023 05:59
@marvin-tigera marvin-tigera added this to the Calico v3.26.2 milestone Aug 24, 2023
@marvin-tigera marvin-tigera added release-note-required Change has user-facing impact (no matter how small) docs-pr-required Change is not yet documented labels Aug 24, 2023
@mgleung mgleung added the docs-not-required Docs not required for this change label Aug 24, 2023
@marvin-tigera marvin-tigera removed the docs-pr-required Change is not yet documented label Aug 24, 2023
Contributor

@mgleung mgleung left a comment


LGTM

@mgleung
Contributor

mgleung commented Aug 24, 2023

/sem-approve

@liudalibj
Contributor Author

liudalibj commented Aug 25, 2023

@mgleung thanks for taking a look at this PR.

I want to check the failed job, but it hangs on loading the page https://tigera.semaphoreci.com/jobs/282e4f5e-3a16-42d5-accc-3aa6702a517e
Could you help to paste/check the detailed error?

@liudalibj
Contributor Author

I ran the make ci command on my dev machine and it reports:

• Failure [83.703 seconds]
[kdd] kube-controllers health check FV tests
/go/src/github.com/projectcalico/calico/kube-controllers/cmd/kube-controllers/fv_test.go:171
  Healthcheck FV tests
  /go/src/github.com/projectcalico/calico/kube-controllers/cmd/kube-controllers/fv_test.go:249
    should fail health check if apiserver is not running [It]
    /go/src/github.com/projectcalico/calico/kube-controllers/cmd/kube-controllers/fv_test.go:268

    Timed out after 60.196s.
    Expected
        <[]uint8 | len:6, cap:1024>: [82, 101, 97, 100, 121, 10]
    to contain substring
        <string>: Error

    /go/src/github.com/projectcalico/calico/kube-controllers/cmd/kube-controllers/fv_test.go:286

So maybe the apiserver isn't stopped within the given time.

			apiserver.Stop()

@lwr20
Member

lwr20 commented Aug 25, 2023

Tail end of the CI log from https://tigera.semaphoreci.com/jobs/282e4f5e-3a16-42d5-accc-3aa6702a517e

 => [ubi 2/7] RUN mkdir /licenses                                          0.1s
[+] Building 2.1s (6/16)                                         docker:default
 => [internal] load build definition from Dockerfile.s390x                 0.0s
 => => transferring dockerfile: 1.46kB                                     0.0s
 => [internal] load .dockerignore                                          0.0s
 => => transferring context: 2B                                            0.0s
 => [internal] load metadata for registry.access.redhat.com/ubi8/ubi-mini  0.5s
 => [ubi 1/7] FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8@sha256  1.4s
 => => resolve registry.access.redhat.com/ubi8/ubi-minimal:8.8@sha256:8d4  0.0s
 => => sha256:8d43664c250c72d35af8498c7ff76a9f0d42f16b9b3 1.47kB / 1.47kB  0.0s
 => => sha256:3571da1427c9fed36a5c749ce060e2a29b4ceed67527fb5 429B / 429B  0.0s
 => => sha256:fd2b2085382c45e5f2ab14a67c716a74c44f3371658 6.24kB / 6.24kB  0.0s
 => => sha256:a99176ec2bf612eecd92246528bb982ebd6b13602 37.45MB / 37.45MB  0.5s
 => => extracting sha256:a99176ec2bf612eecd92246528bb982ebd6b136024415967  0.8s
 => [internal] load build context                                          0.5s
 => => transferring context: 74.64MB                                       0.5s
 => ERROR [ubi 2/7] RUN mkdir /licenses                                    0.2s
------
 > [ubi 2/7] RUN mkdir /licenses:
0.138 exec /bin/sh: no such file or directory
------
Dockerfile.s390x:20
--------------------
  18 |     
  19 |     # Add in top-level license file
  20 | >>> RUN mkdir /licenses
  21 |     COPY LICENSE /licenses
  22 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c mkdir /licenses" did not complete successfully: exit code: 1
make[1]: *** [Makefile:110: image.created-s390x] Error 1
make[1]: Leaving directory '/home/semaphore/calico/kube-controllers'
make: *** [Makefile:103: sub-image-s390x] Error 2

- create status and profiles folder
- create related files and chown to 999

Signed-off-by: Da Li Liu <liudali@cn.ibm.com>
@liudalibj liudalibj changed the title calico-kube-controllers: Run as non-root by default for the s390x image [cherry-pick v3.26] calico-kube-controllers: Run as non-root by default for the s390x image Aug 28, 2023
@liudalibj
Contributor Author

liudalibj commented Aug 28, 2023

Thanks @lwr20 for helping to provide the detailed error:

Tail end of the CI log from https://tigera.semaphoreci.com/jobs/282e4f5e-3a16-42d5-accc-3aa6702a517e

This issue should be fixed by updating the Dockerfile.s390x, the same as the one for apiserver https://github.com/projectcalico/calico/blob/master/apiserver/docker-image/Dockerfile.s390x#L7

COPY --from=qemu /usr/bin/qemu-s390x-static /usr/bin/
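As an added example (not part of this PR or the Calico repository), a small POSIX shell linter that checks the two properties this thread touches on in a cross-arch Dockerfile: the qemu user-mode static binary is copied in before the first RUN (otherwise the build fails with "exec /bin/sh: no such file or directory" when emulating s390x on an x86 host), and the final USER is non-root. Both sample Dockerfiles are constructed here, and the "qemu-stage-placeholder" image name is an assumption.

```shell
# Added example, not Calico's own tooling: lint a cross-arch Dockerfile for the
# two properties this thread touches on.
#   1. a qemu user-mode static binary is COPY'd in before the first RUN, so an
#      emulated (e.g. s390x-on-x86) build can exec /bin/sh at all;
#   2. the last USER instruction names a non-root user or UID.
lint_cross_arch_dockerfile() {
  awk '
    { sub(/^[ \t]+/, ""); if ($0 == "" || $0 ~ /^#/) next }   # skip blanks/comments
    /^RUN[ \t]/  && first_run == 0 { first_run = NR }
    /^COPY[ \t].*qemu-[a-z0-9_]+-static/ && qemu_line == 0 { qemu_line = NR }
    /^USER[ \t]/ { user = $2 }
    END {
      rc = 0
      if (qemu_line == 0) {
        print "FAIL: no qemu static binary copied into the image"; rc = 1
      } else if (first_run != 0 && first_run < qemu_line) {
        print "FAIL: first RUN (line " first_run ") precedes qemu COPY (line " qemu_line ")"; rc = 1
      }
      if (user == "") {
        print "FAIL: no USER instruction, image runs as root by default"; rc = 1
      } else if (user == "root" || user == "0" || user ~ /^0:/) {
        print "FAIL: final USER is root (" user ")"; rc = 1
      } else {
        print "OK: final USER is " user
      }
      exit rc
    }' "$1"
}

# Constructed sample shaped like the failing Dockerfile.s390x: RUN with no qemu
# binary in the image, and no USER instruction.
BROKEN=$(mktemp); cat >"$BROKEN" <<'EOF'
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 AS ubi
# Add in top-level license file
RUN mkdir /licenses
COPY LICENSE /licenses
EOF
# Constructed sample with the fix pattern from the thread: qemu COPY first, then
# status/profiles owned by UID 999, then USER 999 (qemu image name is a placeholder).
FIXED=$(mktemp); cat >"$FIXED" <<'EOF'
FROM qemu-stage-placeholder AS qemu
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 AS ubi
COPY --from=qemu /usr/bin/qemu-s390x-static /usr/bin/
RUN mkdir -p /status /profiles && chown -R 999 /status /profiles
COPY LICENSE /licenses
USER 999
EOF

lint_cross_arch_dockerfile "$BROKEN" || echo "broken sample rejected (rc=$?)"
lint_cross_arch_dockerfile "$FIXED"  && echo "fixed sample accepted"
```

Run it against a real Dockerfile with lint_cross_arch_dockerfile path/to/Dockerfile.s390x; a non-zero exit means at least one of the two checks failed.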

@liudalibj
Contributor Author

@mgleung @lwr20 could you help to trigger the PR build again? Thanks!

@lwr20
Member

lwr20 commented Aug 29, 2023

/sem-approve

@liudalibj
Contributor Author

@lwr20 thanks for triggering the PR build again. The build passed; can you help to merge it?

@lwr20 lwr20 merged commit b17312d into projectcalico:release-v3.26 Aug 29, 2023
2 checks passed