@wking wking commented Dec 2, 2018

DO NOT MERGE!

That's the latest RHCOS release:

$ curl -s https://releases-rhcos.svc.ci.openshift.org/storage/releases/maipo/builds.json | jq '{latest: .builds[0], timestamp}'
{
  "latest": "47.165",
  "timestamp": "2018-12-02T06:41:22Z"
}

And @smarterclayton just pushed 4.0.0-0.alpha-2018-12-02-020136 to quay.io/openshift-release-dev/ocp-release:4.0.0-3.

This PR builds on #772. The CHANGELOG commit (also in #772) will be merged into master. The pin commit (unique to this PR) will get the v0.5.0 tag, but not be merged into master. I'm just targeting master with the PR because I want CI to pass on the pinned dependencies before we tag the release.

/hold

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 2, 2018
@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 2, 2018
@wking
Member Author

wking commented Dec 2, 2018

In case a graph is easier to understand, here's where I think we want to be post-release:

*   9a6ae15 (tag: v0.5.0-master, origin/master) Merge branch 'version-0.5.0'
|\  
| | * 54ba349 (tag: v0.5.0, origin/pr/773) pkg: Pin to RHCOS 47.167 and quay.io/openshift-release-dev/ocp-release:4.0.0-3
| |/  
| * fc0e947 (origin/pr/772) CHANGELOG: Document changes since v0.4.0
|/  
*   12ef0cb Merge pull request #748 from ingvagabund/change-machine-apiversion

Modulo any hash changes due to future rebasing of #772 or #773, and Tide generating the merge that is 9a6ae15 in that graph instead of me generating it locally.

@wking wking force-pushed the version-0.5.0-pins branch from 54ba349 to f8a93b3 Compare December 2, 2018 09:29
@wking
Member Author

wking commented Dec 2, 2018

e2e-aws included:

fail [github.com/openshift/origin/test/extended/operators/operators.go:78]: Dec 2 10:01:08.686: ClusterVersion never became available: Unable to apply 4.0.0-3: a required extension is not available to update

Maybe a flake? Or due to pulling the payload from quay.io, @smarterclayton?

@smarterclayton
Contributor

Crap. That’s the but with cvo processing files. I’ll have to run the older release command (so this won’t be a valid Cincinnati release).

Will push with an older binary shortly

@smarterclayton
Contributor

Bug

@smarterclayton
Contributor

smarterclayton commented Dec 2, 2018 via email

@smarterclayton
Contributor

smarterclayton commented Dec 2, 2018 via email

@wking
Member Author

wking commented Dec 3, 2018

e2e-aws timed out waiting for bootstrap-complete:

level=warning msg="Failed to connect events watcher: Get https://ci-op-5g5vrcw1-1d3f3-api.origin-ci-int-aws.dev.rhcloud.com:6443/api/v1/namespaces/kube-system/events?watch=true: dial tcp 52.2.108.126:6443: connect: connection refused"
level=fatal msg="Error executing openshift-install: waiting for bootstrap-complete: timed out waiting for the condition"

I'm going to launch it again and see if I can grab the error from the CI nodes before they get torn down.

/retest

@wking
Member Author

wking commented Dec 3, 2018

From this run's bootstrap node:

[core@ip-10-0-10-189 ~]$ journalctl -n5 -u bootkube.service | cat
-- Logs begin at Mon 2018-12-03 06:54:37 UTC, end at Mon 2018-12-03 07:24:52 UTC. --
Dec 03 07:24:48 ip-10-0-10-189 bootkube.sh[696]: Trying to pull quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b...Failed
Dec 03 07:24:48 ip-10-0-10-189 bootkube.sh[696]: unable to pull quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b: unable to pull image: Error determining manifest MIME type for docker://quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b: Error reading manifest sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b in quay.io/openshift-release-dev/ocp-v4.0: unauthorized: access to the requested resource is not authorized
Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: bootkube.service: main process exited, code=exited, status=125/n/a
Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: Unit bootkube.service entered failed state.
Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: bootkube.service failed.

The secret in the bootstrap's /opt/tectonic/manifests/pull.json has an entry for quay.io, and when I copy the secret's .dockerconfigjson down (and base64 decode it) to my dev box and run:

$ podman pull --authfile path/to/ci-pull.json quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b

it works. I'll add the pull JSON (without any Kubernetes wrapping) to the bootstrap ignition and point REGISTRY_AUTH_FILE at it.

@wking
Member Author

wking commented Dec 3, 2018

I'll add the pull JSON (without any Kubernetes wrapping) to the bootstrap ignition and point REGISTRY_AUTH_FILE at it.

Done in #775. I've cherry-picked that commit onto this branch so we can test it against protected content. Once both #775 and this branch are green, we can land #775 and rebase #772 and #773 on top.

@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 3, 2018
Contributor

why?

Member Author

Last paragraph from f8a93b33f72fbd10e02d9a8688c48b97d62c34f5

@wking wking force-pushed the version-0.5.0-pins branch from e8fe290 to 782da57 Compare December 3, 2018 18:04
@wking wking force-pushed the version-0.5.0-pins branch from 782da57 to e101389 Compare December 3, 2018 18:48
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 3, 2018
wking added a commit to wking/openshift-installer that referenced this pull request Dec 3, 2018
We already provide /opt/tectonic/manifests/pull.json with a Kubernetes
secret that contains the auth JSON, but the new file has the auth JSON
without any wrapping.  This resolves issues with auth-protected update
payloads [1]:

  [core@ip-10-0-10-189 ~]$ journalctl -n5 -u bootkube.service
  -- Logs begin at Mon 2018-12-03 06:54:37 UTC, end at Mon 2018-12-03 07:24:52 UTC. --
  Dec 03 07:24:48 ip-10-0-10-189 bootkube.sh[696]: Trying to pull quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b...Failed
  Dec 03 07:24:48 ip-10-0-10-189 bootkube.sh[696]: unable to pull quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b: unable to pull image: Error determining manifest MIME type for docker://quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b: Error reading manifest sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b in quay.io/openshift-release-dev/ocp-v4.0: unauthorized: access to the requested resource is not authorized
  Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: bootkube.service: main process exited, code=exited, status=125/n/a
  Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: Unit bootkube.service entered failed state.
  Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: bootkube.service failed.

I think the ~/.docker directory name is unfortunate, since we're not
actually using Docker at all.  But ~/.docker/config.json is an auth
location shared by Podman [2], CRI-O [3], and the kubelet [4].  And
it's the most generic on-disk location that will survive reboots (/run
will not [5]).

I've also renamed the manifest template variable to PullSecretBase64
to distinguish it from the unencoded PullSecret I'm adding to the
bootstrap template parameters.  These are different template parameter
sets, but I think recycling the same name would be unnecessarily
confusing.

[1]: openshift#773 (comment)
[2]: https://github.com/containers/libpod/blob/v0.11.1.1/docs/podman-pull.1.md#options
[3]: https://github.com/kubernetes-sigs/cri-o/blob/master/vendor/github.com/containers/image/pkg/docker/config/config.go#L32
[4]: https://kubernetes.io/docs/concepts/containers/images/#configuring-nodes-to-authenticate-to-a-private-registry
[5]: http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html#runPurpose
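
The unwrapping step described in the Dec 3 comment and in this commit message, as an added example (not code from the PR or the installer): it extracts the plain auth JSON from a `kubernetes.io/dockerconfigjson` Secret manifest, checks that the registry being pulled from has a credential, and writes the file readable by its owner only. The sample manifest, the credential in it and `registry.example.invalid` are constructed placeholders, and the 0600 mode is this example's choice.

```python
import base64
import json
import os

def unwrap_pull_secret(secret_manifest: str) -> dict:
    """Return the plain registry auth JSON held in a dockerconfigjson Secret."""
    secret = json.loads(secret_manifest)
    if not isinstance(secret, dict) or secret.get("kind") != "Secret":
        raise ValueError("not a Kubernetes Secret manifest")
    encoded = secret.get("data", {}).get(".dockerconfigjson")
    if encoded is None:
        raise ValueError("Secret has no .dockerconfigjson entry")
    auth = json.loads(base64.b64decode(encoded, validate=True))
    if not isinstance(auth, dict) or not isinstance(auth.get("auths"), dict):
        raise ValueError("decoded payload has no 'auths' map")
    return auth

def registries_missing(auth: dict, required: list) -> list:
    """Registries from `required` that have no credential in the auth JSON."""
    return [r for r in required if not auth["auths"].get(r, {}).get("auth")]

def write_auth_file(auth: dict, path: str) -> None:
    """Write the unwrapped auth JSON; it holds credentials, so mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(auth, handle)
    os.chmod(path, 0o600)  # also tighten a file that already existed

def sample_manifest() -> str:
    """Constructed Secret manifest with a placeholder quay.io credential."""
    cred = base64.b64encode(b"user:placeholder").decode()
    plain = json.dumps({"auths": {"quay.io": {"auth": cred}}})
    return json.dumps({
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(plain.encode()).decode()},
    })

if __name__ == "__main__":
    auth = unwrap_pull_secret(sample_manifest())
    print(registries_missing(auth, ["quay.io", "registry.example.invalid"]))
```

Feeding the already-unwrapped auth JSON to `unwrap_pull_secret` raises `ValueError`, which distinguishes the two file shapes the commit message talks about.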
wking added 2 commits December 3, 2018 12:59
Through 6585f5d (Merge pull request openshift#775 from
wking/pull-secret-for-bootkube.sh, 2018-12-03).
…e:4.0.0-3

That's the latest RHCOS release:

  $ curl -s https://releases-rhcos.svc.ci.openshift.org/storage/releases/maipo/builds.json | jq '{latest: .builds[0], timestamp}'
  {
    "latest": "47.165",
    "timestamp": "2018-12-02T06:41:22Z"
  }

And Clayton just pushed 4.0.0-0.alpha-2018-12-02-020136 to
quay.io/openshift-release-dev/ocp-release:4.0.0-3 [1].

Renaming OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE gets us CI testing
of the pinned release despite openshift/release@60007df2 (Use
RELEASE_IMAGE_LATEST for CVO payload, 2018-10-03,
openshift/release#1793).

[1]: openshift#772 (comment)
@wking wking force-pushed the version-0.5.0-pins branch from 03015bf to 43e1458 Compare December 3, 2018 21:00
@wking
Member Author

wking commented Dec 3, 2018

Rebased onto the current #772 tip, so now both are on top of master since #775 landed, and we're back to a target release graph like the original plan.

@openshift-ci-robot
Contributor

openshift-ci-robot commented Dec 3, 2018

@wking: The following test failed, say /retest to rerun them all:

| Test name | Commit | Details | Rerun command |
| --- | --- | --- | --- |
| ci/prow/e2e-libvirt | e8fe2907990207b4cf39528164b100ce32823e1b | link | /test e2e-libvirt |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@wking
Member Author

wking commented Dec 3, 2018

/retest

@wking
Member Author

wking commented Dec 3, 2018

v0.5.0 cut off this PR.

/close

@openshift-ci-robot
Contributor

@wking: Closed this PR.

Details

In response to this:

v0.5.0 cut off this PR.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wking wking deleted the version-0.5.0-pins branch December 3, 2018 23:32
@wking wking restored the version-0.5.0-pins branch December 4, 2018 17:41
@wking
Member Author

wking commented Dec 4, 2018

/test images

@smarterclayton wanted fresh builds from this image
