control-service: fine-tune the job-builder-secure #2497

Merged
merged 27 commits into from
Aug 1, 2023

@mivanov1988 mivanov1988 commented Jul 28, 2023

Why

We attempted to execute several data jobs utilizing secure images within our internal deployments. However, we hit a lot of issues:

rm: cannot remove '/var/run/secrets/kubernetes.io/serviceaccount/..data': Read-only file system
rm: cannot remove '/var/run/secrets/kubernetes.io/serviceaccount/token': Read-only file system
rm: cannot remove '/var/run/secrets/kubernetes.io/serviceaccount/namespace': Read-only file system
rm: cannot remove '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt': Read-only file system
rm: cannot remove '/var/run/secrets/kubernetes.io/serviceaccount/..2023_07_28_14_10_49.411331550/token': Read-only file system
rm: cannot remove '/var/run/secrets/kubernetes.io/serviceaccount/..2023_07_28_14_10_49.411331550/namespace': Read-only file system
rm: cannot remove '/var/run/secrets/kubernetes.io/serviceaccount/..2023_07_28_14_10_49.411331550/ca.crt': Read-only file system
error building image: error building stage: failed to execute command: waiting for process to exit: exit status 1
Traceback (most recent call last):
  File "/vdk/site-packages/vdk/internal/plugin/plugin.py", line 56, in load_plugins_from_setuptools_entrypoints
    self.__plugin_manager.load_setuptools_entrypoints(self.__group_name)
  File "/vdk/site-packages/pluggy/_manager.py", line 364, in load_setuptools_entrypoints
    plugin = ep.load()
  File "/usr/local/lib/python3.8/importlib/metadata.py", line 77, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
  File "<frozen importlib._bootstrap>", line 991, in _find_and_load
  File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 843, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/vdk/site-packages/vdk/plugin/kerberos/kerberos_plugin.py", line 11, in <module>
    from vdk.plugin.kerberos.authenticator_factory import KerberosAuthenticatorFactory
  File "/vdk/site-packages/vdk/plugin/kerberos/authenticator_factory.py", line 10, in <module>
    from vdk.plugin.kerberos.minikerberos_authenticator import (
  File "/vdk/site-packages/vdk/plugin/kerberos/minikerberos_authenticator.py", line 8, in <module>
    from minikerberos.common.creds import KerberosCredential
  File "/vdk/site-packages/minikerberos/common/creds.py", line 32, in <module>
    from oscrypto.asymmetric import rsa_pkcs1v15_sign, load_private_key
  File "/vdk/site-packages/oscrypto/asymmetric.py", line 19, in <module>
    from ._asymmetric import _unwrap_private_key_info
  File "/vdk/site-packages/oscrypto/_asymmetric.py", line 27, in <module>
    from .kdf import pbkdf1, pbkdf2, pkcs12_kdf
  File "/vdk/site-packages/oscrypto/kdf.py", line 9, in <module>
    from .util import rand_bytes
  File "/vdk/site-packages/oscrypto/util.py", line 14, in <module>
    from ._openssl.util import rand_bytes
  File "/vdk/site-packages/oscrypto/_openssl/util.py", line 6, in <module>
    from ._libcrypto import libcrypto, libcrypto_version_info, handle_openssl_error
  File "/vdk/site-packages/oscrypto/_openssl/_libcrypto.py", line 9, in <module>
    from ._libcrypto_cffi import (
  File "/vdk/site-packages/oscrypto/_openssl/_libcrypto_cffi.py", line 27, in <module>
    raise LibraryNotFoundError('The library libcrypto could not be found')
oscrypto.errors.LibraryNotFoundError: The library libcrypto could not be found
warning: Plugin load failed

What

We have made updates to the native dependencies of the image and reverted to the base job image model.

Testing Done

Execution of data jobs within the internal deployment.

In order to test this change you have to configure the Control Service values.yaml as follows:

   3.8-secure:
      baseImage: "registry.hub.docker.com/versatiledatakit/data-job-base-python-3.8-secure:latest"
      vdkImage: "registry.hub.docker.com/versatiledatakit/versatiledatakit/quickstart-vdk:release"
      builderImage: "harbor-repo.vmware.com/dockerhub-proxy-cache/versatiledatakit/job-builder-secure:1.3.1"

Signed-off-by: Miroslav Ivanov miroslavi@vmware.com
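
An added example, not part of this pull request or the project's code: a smoke test that can run as a late image-build step, so that a plugin which cannot be imported (as the Kerberos plugin could not in the traceback above) fails the build instead of surfacing as a runtime "Plugin load failed" warning. The entry-point group name and the native library list are assumptions.

```python
"""Image smoke test: report plugins that fail to import and unresolved native libraries."""
import ctypes.util
import sys
from importlib import metadata

PLUGIN_GROUP = "vdk.plugin.run"  # assumption: entry-point group name, not shown on the page
NATIVE_LIBS = ("crypto",)        # libcrypto, the library missing in the traceback


def plugin_entry_points(group):
    """Return the entry points registered under `group` (Python 3.8 and 3.10+ APIs)."""
    eps = metadata.entry_points()
    if hasattr(eps, "select"):
        return list(eps.select(group=group))
    return list(eps.get(group, ()))


def failed_plugins(entry_points):
    """Load each entry point; map name -> error for those that raise on import."""
    failures = {}
    for ep in entry_points:
        try:
            ep.load()
        except Exception as exc:  # e.g. a native library that cannot be located
            failures[ep.name] = f"{type(exc).__name__}: {exc}"
    return failures


def missing_native_libs(names, resolver=ctypes.util.find_library):
    """Return the library names the resolver cannot locate.

    On Linux, find_library depends on tools such as ldconfig, so a minimal
    image without them reports a library as missing even if the file exists.
    """
    return [name for name in names if resolver(name) is None]


def smoke_test(entry_points, libs=NATIVE_LIBS, resolver=ctypes.util.find_library):
    """Return a list of problems; an empty list means every check passed."""
    problems = [f"native library lib{n} not found" for n in missing_native_libs(libs, resolver)]
    problems += [f"plugin {n} failed to load: {e}"
                 for n, e in failed_plugins(entry_points).items()]
    return problems


if __name__ == "__main__":
    found = smoke_test(plugin_entry_points(PLUGIN_GROUP))
    for line in found:
        print(line, file=sys.stderr)
    sys.exit(1 if found else 0)
```
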

@mivanov1988 mivanov1988 force-pushed the person/miroslavi/release-job-builder-secure-1.3.1 branch from c6535df to c0bb329 Compare July 28, 2023 14:25
@mivanov1988 mivanov1988 force-pushed the person/miroslavi/release-job-builder-secure-1.3.1 branch from 38bcaed to a2eb398 Compare August 1, 2023 09:20
@mivanov1988 mivanov1988 changed the title from "[DRAFT] control-service: fine-tune the job-builder-secure" to "control-service: fine-tune the job-builder-secure" Aug 1, 2023
@mivanov1988 mivanov1988 enabled auto-merge (squash) August 1, 2023 10:20
@antoniivanov

> Execution of data jobs within the internal deployment.

Can you provide relevant steps to reproduce the testing? If it's a standard configuration, just link to the standard configuration.

@mivanov1988 mivanov1988 merged commit 8c8b752 into main Aug 1, 2023
6 of 7 checks passed
@mivanov1988 mivanov1988 deleted the person/miroslavi/release-job-builder-secure-1.3.1 branch August 1, 2023 14:34