Bug: 1686556: Symlink /root/.docker/config.json to kubelet auth #535

cgwalters · 2019-03-08T16:00:24Z

This is a workaround for us switching to an authenticated pause
image and crio not knowing how to use the kubelet's auth for this.

https://bugzilla.redhat.com/show_bug.cgi?id=1686556

cgwalters · 2019-03-08T16:01:14Z

(And we need to hack this because the template controller doesn't know about symlinks, just files)

cgwalters · 2019-03-08T16:06:28Z

Adding WIP since I only compile tested this.

wking · 2019-03-08T16:45:24Z

Adding WIP since I only compile tested this.

Is there a way for hard-code a private pause image while CI-testing this?

cgwalters · 2019-03-08T18:29:11Z

/test e2e-aws

(So I can grab the release image this time)

cgwalters · 2019-03-08T18:58:50Z

/test e2e-aws

cgwalters · 2019-03-08T19:11:35Z

Is there a way for hard-code a private pause image while CI-testing this?

Gave that a shot in

#537 (comment)

cgwalters · 2019-03-08T19:29:14Z

Testing this out live reveals I almost got it right:

$ oc debug node/ip-10-0-129-163.ec2.internal
Starting pod/ip-10-0-129-163ec2internal-debug ...
To directly access the host PATH, try `chroot /host /bin/bash`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.2# ls -al /root/
total 24
drwx------.  3 root root  123 Mar  8 19:17 .
drwxr-xr-x. 23 root root 4096 Mar  8 19:17 ..
-rw-r--r--.  1 root root   18 Mar  8 19:17 .bash_logout
-rw-r--r--.  1 root root  193 Mar  8 19:17 .bash_profile
-rw-r--r--.  1 root root  231 Mar  8 19:17 .bashrc
drwxr-xr-x.  2 root root   25 Mar  8 19:17 .docker
-rw-------.  1 root root 2667 Mar  6 22:23 anaconda-ks.cfg
-rw-------.  1 root root 2334 Mar  6 22:23 original-ks.cfg
sh-4.2# ls -al /root/.docker/
total 0
drwxr-xr-x. 2 root root  25 Mar  8 19:17 .
drwx------. 3 root root 123 Mar  8 19:17 ..
lrwxrwxrwx. 1 root root  26 Mar  8 19:17 config.json -> /var/lib/kubelet/auth.json
sh-4.2#

cgwalters · 2019-03-08T19:32:04Z

And now with s/auth.json/config.json/

cgwalters · 2019-03-08T21:56:09Z

#537 (comment)

/hold cancel

cgwalters · 2019-03-08T21:56:21Z

Let's ship this!

cgwalters · 2019-03-08T21:58:22Z

Although wait a sec...the link seems to be inside the SSH MC.

/hold

This is a workaround for us switching to an authenticated pause image and crio not knowing how to use the kubelet's auth for this. https://bugzilla.redhat.com/show_bug.cgi?id=1686556

cgwalters · 2019-03-09T00:31:20Z

OK, now this should be really ready to go.

cgwalters · 2019-03-09T00:31:27Z

/hold cancel

runcom · 2019-03-09T14:50:10Z

/approve
/lgtm

openshift-ci-robot · 2019-03-09T14:50:16Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, runcom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [cgwalters,runcom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

This PR is further fixing https://bugzilla.redhat.com/show_bug.cgi?id=1677198 by allowing an old cluster to contain links (coming from openshift#535) which are then removed when upgrading to post openshift#540. What's happening to QE is that: 1) they're starting a cluster with an MCO version which contains openshift#535 2) they're upgrading to a payload which doesn't have openshift#535 cause it has openshift#540 which reverts openshift#535 The above means that point 1) generates MachineConfigs with an unsupported symlink and when upgrading to 2), the symlink is removed causing drift and an unreconcilable error. QE can start testing with a newer MCO version to avoid this, but for ease of testing, let's add this snippet to make sure getting rid of links, which we don't support anyway, just works. Signed-off-by: Antonio Murdaca <[email protected]>

openshift-ci-robot requested review from LorbusChris and kikisdeliveryservice March 8, 2019 16:00

openshift-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Mar 8, 2019

cgwalters changed the title ~~controller: Symlink /root/.docker/config.json to kubelet auth~~ WIP: controller: Symlink /root/.docker/config.json to kubelet auth Mar 8, 2019

openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 8, 2019

smarterclayton changed the title ~~WIP: controller: Symlink /root/.docker/config.json to kubelet auth~~ WIP: Bug: 1686556: controller: Symlink /root/.docker/config.json to kubelet auth Mar 8, 2019

smarterclayton changed the title ~~WIP: Bug: 1686556: controller: Symlink /root/.docker/config.json to kubelet auth~~ WIP: Bug: 1686556: Symlink /root/.docker/config.json to kubelet auth Mar 8, 2019

wking mentioned this pull request Mar 8, 2019

additional authentication files containers/image#595

Closed

cgwalters mentioned this pull request Mar 8, 2019

WIP: Symlink authfile with private pause #537

Closed

cgwalters force-pushed the symlink-authfile branch from 0c16de0 to 03af0e8 Compare March 8, 2019 19:30

cgwalters changed the title ~~WIP: Bug: 1686556: Symlink /root/.docker/config.json to kubelet auth~~ Bug: 1686556: Symlink /root/.docker/config.json to kubelet auth Mar 8, 2019

openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 8, 2019

openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 8, 2019

controller: Symlink /root/.docker/config.json to kubelet auth

8b08dfb

This is a workaround for us switching to an authenticated pause image and crio not knowing how to use the kubelet's auth for this. https://bugzilla.redhat.com/show_bug.cgi?id=1686556

cgwalters force-pushed the symlink-authfile branch from 03af0e8 to 8b08dfb Compare March 8, 2019 22:01

openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 9, 2019

openshift-ci-robot assigned runcom Mar 9, 2019

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 9, 2019

openshift-merge-robot merged commit 218ec46 into openshift:master Mar 9, 2019

mtrmac mentioned this pull request Mar 11, 2019

Use CRI-O’s pause_image_auth_file option #540

Merged

runcom mentioned this pull request Mar 26, 2019

Bug 1677198: pkg/daemon: allow empty new links section #580

Merged

Bug: 1686556: Symlink /root/.docker/config.json to kubelet auth #535

Bug: 1686556: Symlink /root/.docker/config.json to kubelet auth #535

Uh oh!

Conversation

cgwalters commented Mar 8, 2019

Uh oh!

cgwalters commented Mar 8, 2019

Uh oh!

cgwalters commented Mar 8, 2019

Uh oh!

wking commented Mar 8, 2019

Uh oh!

cgwalters commented Mar 8, 2019

Uh oh!

cgwalters commented Mar 8, 2019

Uh oh!

cgwalters commented Mar 8, 2019

Uh oh!

cgwalters commented Mar 8, 2019

Uh oh!

cgwalters commented Mar 8, 2019

Uh oh!

cgwalters commented Mar 8, 2019

Uh oh!

cgwalters commented Mar 8, 2019

Uh oh!

cgwalters commented Mar 8, 2019

Uh oh!

cgwalters commented Mar 9, 2019

Uh oh!

cgwalters commented Mar 9, 2019

Uh oh!

runcom commented Mar 9, 2019

Uh oh!

openshift-ci-robot commented Mar 9, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants