enable loopback adapter in hermetic unshare namespace

[brianwcook]

Bazel uses a client server architecture to execute even when performing network isolated builds.It works fine as long as there is any adapter, even a loopback addapter. The default unshare env has a loopback device [lo] but it is DOWN by default. This PR brings lo UP in the unshare environment so that hermetic Bazel builds will work.

It is dependent on the 'ip' command being present in the buildah image so another PR is open for that:
konflux-ci/buildah-container#90

[chmeliik]

Have you verified that this does not mess with the network isolation?

[brianwcook]

Have you verified that this does not mess with the network isolation?

I did. I added debugging statements to ensure that during my testing only the 'lo' adapter was present (to ensure both commands were running in the unshare env) and I also included things in the Dockerfile which should fail in hermetic mode, and they did.

[brianwcook]

I assume e2e tests are failing because the newest buildah-task image still doesn't container the 'ip' binary. Added hold label because I need to manually test even after that is fixed.

[tkdchen]

It should be good to make this optional, not all builds require the lo adapter enabled in a hermetic build.

[brianwcook]

it doesn't hurt anything to enable lo adapter and it still doesn't permit any actual network connectivity, so why complicate things by making it optional?

[chmeliik]

LGTM, would still appreciate a comment in the code about why it's needed

[chmeliik]

Btw, why the hold label?

[brianwcook]

/retest

[brianwcook]

I had added the hold label to make sure that the buildah-task landed and this was retested with it.

[brianwcook]

I cannot see why the e2e tests are failing - I don't seem to have rights to view the test logs.

[chmeliik]

I cannot see why the e2e tests are failing - I don't seem to have rights to view the test logs.

Pretty much the only way to find the logs after the pod has been garbage collected is

kubectl tekton -n konflux-ci logs pipelinerun build-definitions-pull-request-hrhv4

Relevant part of the log:

[e2e-tests : e2e-test] [build-service-suite Build templates E2E test] HACBS pipelines should eventually finish successfully for component with Git source URL https://githu
b.com/konflux-qe-bd/retrodep and Pipeline docker-build [build, build-templates, HACBS, pipeline, build-templates-e2e, source-build-e2e]
[e2e-tests : e2e-test] /konflux-e2e/tests/build/build_templates.go:334
...
[e2e-tests : e2e-test]   Adding the entitlement to the build
[e2e-tests : e2e-test]   sh: line 1: ip: command not found
[e2e-tests : e2e-test] 
[e2e-tests : e2e-test]   pod: test-comp-rheb-on-pull-request-cm2l9-build-container-pod | container step-sbom-syft-generate: 
[e2e-tests : e2e-test]   2024/10/12 01:46:20 Skipping step because a previous step failed

[chmeliik]

#1478 needs to go first

can't be merged yet

[brianwcook]

/retest

[brianwcook]

/retest

[chmeliik]

Now it's this:

[e2e-tests : e2e-test] [build-service-suite Build templates E2E test] HACBS pipelines should eventually finish successfully for component with Git source URL https://github.com/konflux-qe-bd/devfile-sample-python-basic and Pipeline docker-build-oci-ta [build, build-templates, HACBS, pipeline, build-templates-e2e, source-build-e2e]
[e2e-tests : e2e-test] /konflux-e2e/tests/build/build_templates.go:334
...
[e2e-tests : e2e-test]   pod: test-comp-wyso-on-pull-request-jxjlg-build-container-pod | container step-build: 
[e2e-tests : e2e-test]   Adding the entitlement to the build
[e2e-tests : e2e-test]   RTNETLINK answers: Operation not permitted

[brianwcook]

/retest

[ralphbean]

/retest

[ralphbean]

It's failing in CI because it's breaking the non-hermetic scenarios. Notice the difference of --net:

sh-5.2# unshare -Uf --net --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w . -- sh -c "ip link set lo up && echo wat"
wat                                                                                                                                

sh-5.2# unshare -Uf  --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w . -- sh -c "ip link set lo up && echo wat"     
RTNETLINK answers: Operation not permitted                                                                                         

[brianwcook]

I reproduced that error locally and fixed it. I can run test pipelines in both hermetic and non-hermetic mode, but the e2e tests are still failing.

[brianwcook]

/retest

change was made