Trail run on pre-prod #88
Hi @sbose78, I first added the And @qu1queee is helping add a private GitHub test case. Last week, we tried to onboard build v2 on our dev env. But unluckily.... ALL build strategies don't work on our dev environment because of the restricted PSP config. Such as:
Without them, the buildrun/taskrun will report failures like:
I am not sure if you have the related PSP in the But in our multi-tenant environments, we have to fix or work around them ONE by ONE. We have to focus on these blocking issues this week first.... :( Or do you have any idea about these permission issues?
These should work, and yes, it would be good to ensure good test coverage for these 👍
@gabemontero, any pointers/thoughts on the issues above?
On the buildah example I'm missing the context on why you need
Without clarification, at first blush, it seems like those could be removed. On buildpacks, yeah, running as root a la https://github.com/redhat-developer/build/blob/master/samples/buildstrategy/buildpacks-v3/buildstrategy_buildpacks-v3_cr.yaml#L62 is a non-starter on OpenShift for user data. To draw a parallel to builds v1, any operation like that is encapsulated in the controller and its construction of the build pod, so as to remove the user from Pod create/edit and control what is done within the escalated pod. In theory then, build v2 could mimic that pattern, but then you are moving away from your "plug in any image build tool seamlessly" advantage. But that might be the compromise you have to make for these build tools that require root. Or you expand the list of folks to ask ;-) Lastly, if @zhangtbj is allowed to share it with us, the precise specifics of the "restricted PSP config" @zhangtbj mentions might shed some light.
I think buildah requires this:
to pass the
That's right / totally forgot!! ... Thanks for the test run @zhangtbj. As it turns out, I see the same thing in the upstream tekton examples: https://github.com/tektoncd/catalog/blob/master/buildah/buildah.yaml#L39-L43 Also, I incorrectly mixed the two. The Fixing it is beyond the scope of build v2 alone. And there is no short path for this. There are a series of Jiras opened to track the requirement.
Hi @gabemontero, thanks for the info, and it is great that you and the buildah team already plan on that. Today I tried ALL 4 buildstrategies. The buildpacks and kaniko ones can run normally without privileged permission. The S2I one requires using So S2I and buildah cannot build normally in our multi-tenant env. I opened an issue to ask for help: And I saw from a Google search that some other people also have this problem. I cannot access your https://issues.redhat.com. Do you have any issue/doc or plan to track it, and do you know when they plan to fix this issue? Thanks!
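The two comments above describe the same defender-side question: which settings in a build step's pod spec (privileged, root UID, added capabilities, host volumes) a restricted PodSecurityPolicy will reject, and why buildah/S2I-style steps fail while unprivileged steps pass. The script below is an added example, not code from the build v2 project or from anyone in this thread. The restricted policy, the two pod specs and the image names are all constructed stand-ins; the non-root UID on the unprivileged step is an assumption, not something the thread states about kaniko or buildpacks.

```python
"""Pre-admission check of a build step's pod spec against a restricted
PodSecurityPolicy-style profile.

Added example (not the build v2 project's code). Every value here is
constructed; the policy mirrors the usual shape of a "restricted" PSP.
"""

# Constructed restricted policy: no privileged containers, no privilege
# escalation, no added capabilities, non-root only, no hostPath volumes.
RESTRICTED_PSP = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "allowedCapabilities": [],  # nothing beyond the runtime default set
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "volumes": ["configMap", "emptyDir", "projected", "secret",
                "persistentVolumeClaim"],
}


def container_violations(psp, container, pod_sc):
    """Return the reasons one container would be rejected by `psp`."""
    reasons = []
    sc = container.get("securityContext", {})
    name = container.get("name", "<unnamed>")

    if sc.get("privileged") and not psp["privileged"]:
        reasons.append(f"{name}: privileged=true is not allowed")

    # Kubernetes treats an unset allowPrivilegeEscalation as true.
    if sc.get("allowPrivilegeEscalation", True) and not psp["allowPrivilegeEscalation"]:
        reasons.append(f"{name}: allowPrivilegeEscalation must be false")

    added = set(sc.get("capabilities", {}).get("add", []))
    disallowed = added - set(psp["allowedCapabilities"])
    if disallowed:
        reasons.append(f"{name}: added capabilities not allowed: {sorted(disallowed)}")

    # A container-level runAsUser overrides the pod-level one.
    run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
    run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    if psp["runAsUser"]["rule"] == "MustRunAsNonRoot":
        if run_as_user == 0:
            reasons.append(f"{name}: runAsUser=0 (root) is not allowed")
        elif run_as_user is None and not run_as_non_root:
            reasons.append(f"{name}: no non-root UID pinned; image may run as root")
    return reasons


def pod_violations(psp, pod_spec):
    """Return all reasons a pod spec would be rejected; [] means admitted."""
    reasons = []
    pod_sc = pod_spec.get("securityContext", {})
    for vol in pod_spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):
            if kind not in psp["volumes"]:
                reasons.append(f"volume {vol['name']}: type {kind} is not allowed")
    for c in pod_spec.get("containers", []):
        reasons.extend(container_violations(psp, c, pod_sc))
    return reasons


# Constructed: a buildah-style step that asks for privilege and root.
PRIVILEGED_BUILD_POD = {
    "containers": [{
        "name": "build-and-push",
        "image": "example.invalid/buildah:latest",  # placeholder image
        "securityContext": {"privileged": True, "runAsUser": 0},
    }],
    "volumes": [{"name": "varlibc", "emptyDir": {}}],
}

# Constructed: an unprivileged step pinned to an assumed non-root UID.
UNPRIVILEGED_BUILD_POD = {
    "containers": [{
        "name": "build-and-push",
        "image": "example.invalid/kaniko:latest",  # placeholder image
        "securityContext": {
            "runAsUser": 1000,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
    "volumes": [{"name": "workspace", "emptyDir": {}}],
}

if __name__ == "__main__":
    for label, spec in (("privileged step", PRIVILEGED_BUILD_POD),
                        ("unprivileged step", UNPRIVILEGED_BUILD_POD)):
        problems = pod_violations(RESTRICTED_PSP, spec)
        print(f"{label}: {'admitted' if not problems else 'rejected'}")
        for p in problems:
            print("  -", p)
```

Running a strategy's step specs through a check like this before onboarding them into a multi-tenant namespace surfaces the privileged/root/capability requirements up front, instead of discovering them one taskrun failure at a time as described above.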
Don't have dates from the buildah team for the current set of dependencies. I'm going to direct you @zhangtbj to @siamaksade , our product manager for build v1, build v2, and tekton / openshift pipelines ... so he product manages for all the players here but buildah. And he can coordinate with his peer from the buildah team.
And as I surface this to the other players here on my end, got a good tip on how to do buildah non-privileged for build v1 (though it results in slower performance). See https://docs.openshift.com/container-platform/4.3/builds/custom-builds-buildah.html To map this to build v2 @sbose78 and @zhangtbj you'll need to reverse engineer:
The Dockerfile machinations in that example are the secret sauce here.
It is also possible perhaps to map the Dockerfile machinations in that example to tekton tasks/steps.
Thanks for the info! We need to track this issue. emm..... I am not sure if it is worth using the custom buildah in build v2 before the buildah team supports the official unprivileged mode, or how long we can reverse-engineer or support it. Do you have any idea about it? @sbose78. And can
If I understood you correctly, you are good with
...and
Conceptually, yeah. I don't see why it wouldn't work :-) .. it's about building from a
Hi @sbose78, yes, I can co-work with you to try the "s2i with kaniko", but can we open an issue and prioritize it in our feature list? After this privileged problem, I still need to investigate another performance blocking issue, because a build executed under a tenant namespace is much slower than one executed by the cluster admin.
It is terrible... :( If kaniko can replace buildah, I prefer that we open an issue to track "s2i with kaniko". And maybe in the middle of this month (April), we can work together to see the proposal of "s2i with kaniko". At the same time, I also would like to know if it is possible that we can work around or fix the buildah privileged issue with the buildah team.... Any idea? :)
Absolutely!
@zhangtbj I believe this issue can be closed, please close if possible.
@zhangtbj, how did it go? Starting this ticket to track the status/feedback of the test deployment.