build/strategy: wire in blob mount-from functionality #21613
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
| { | ||
| Name: "buildcachedir", | ||
| MountPath: "/var/lib/containers/cache/", | ||
| }, |
There was a problem hiding this comment.
| }, | ||
| }, | ||
| {Name: "buildcachedir", VolumeSource: v1.VolumeSource{ | ||
| HostPath: &v1.HostPathVolumeSource{Path: "/miloslavcache/"}, |
There was a problem hiding this comment.
this needs to exist on the host, right? or will k8s create it?
There was a problem hiding this comment.
cri-o/docker should create it if it doesn't exist on mount time right? or does kube check that?
There was a problem hiding this comment.
i don't know, easy enough to test (create a pod that mounts a non-existent hostdir)
There was a problem hiding this comment.
We will need to check if we can create this directory on RHCOS.
There was a problem hiding this comment.
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2#
sh-4.2#
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# pwd
/
sh-4.2# mkdir miloslavcache
mkdir: cannot create directory ‘miloslavcache’: Permission denied
sh-4.2# mkdir mycache
mkdir: cannot create directory ‘mycache’: Permission denied
There was a problem hiding this comment.
I was able to create /var/lib/containers/.cache
| { | ||
| Name: "buildcachedir", | ||
| MountPath: "/var/lib/containers/cache/", | ||
| }, |
There was a problem hiding this comment.
you don't need this in the git-clone container.
| { | ||
| Name: "buildcachedir", | ||
| MountPath: "/var/lib/containers/cache/", | ||
| }, |
There was a problem hiding this comment.
you don't need this in the manage-dockerfile container.
pkg/build/controller/strategy/sti.go
Outdated
| { | ||
| Name: "buildcachedir", | ||
| MountPath: "/var/lib/containers/cache/", | ||
| }, |
| { | ||
| Name: "buildcachedir", | ||
| MountPath: "/var/lib/containers/cache/", | ||
| }, |
There was a problem hiding this comment.
this one is needed (we will pull images from within this container). And docker.go should have it too.
assuming you care about this cache for pulling images (not pushing them).
pkg/build/controller/strategy/sti.go
Outdated
| { | ||
| Name: "buildcachedir", | ||
| MountPath: "/var/lib/containers/cache/", | ||
| }, |
| { | ||
| Name: "buildcachedir", | ||
| MountPath: "/var/lib/containers/cache/", | ||
| }, |
There was a problem hiding this comment.
this one is correct/needed.
runcom
force-pushed
the
blob-mount-from-cache
branch
4 times, most recently
from
ed07245 to
1f00740
Compare
|
We’re going back to a shared cache? Doesn’t that cance the security benefits we got? Wasn’t clear to me why shared cache is required for mount from - mount from should work even for a local user? |
as @mtrmac explained it to me, it's not a blob cache, it's just metadata/ids about the blobs.
the issue here is subsequent builds. We need some minimal cached information so a subsequent push can benefit from previous pushes that have happened. @mtrmac gave me a nice explanation but that's the extent of what i understood of it. Maybe he can put it in writing here to help. |
(Mounting itself does not require extra privileges.) This is just a metadata cache. For builds that have a base image pulled from the same registry that the build results are pushed to (e.g. if both the base image and the build result are stored in the internal registry), we don’t need a long-term metadata cache: we just need the information from the pull to be available to the push, and that will allow mounting the layers from the base image repo to the build result image repo. We do need a long-term metadata cache if the base image is located in a different registry than we are pushing the build result to, e.g. if the base image is located at registry.access.redhat.com or the Docker Hub, and the destination is the internal registry (I was told this is very common.) In that case, during the very first build, we necessarily pull all the layers of the base image from the external registry, and push all of them again (+ the new ones created during the build) to the internal one; that is unavoidable. On subsequent builds, though, we can avoid re-pushing the base layers to the internal registry again, if:
(Reordered)
Yes, the shared state does add a bit of risk, if the code running within one build somehow broke out (AFAICS the build commands are isolated from the builder in a separate OCI/ With schema2 / OCI images, this would only be a DoS because the image configuration contains DiffID (uncompressed digest) values, and is not affected by the blob substitution: so, the substituted blobs would be downloaded and rejected as non-matching (both by Docker and CRI-O), making the corrupted build result unusable. With schema1 (e.g. when pushing to a schema1-only registry), the substitutions would not be noticed, though. |
runcom
force-pushed
the
blob-mount-from-cache
branch
from
1f00740 to
4a3c9bf
Compare
runcom
force-pushed
the
blob-mount-from-cache
branch
2 times, most recently
from
bbaeb4c to
aa3139d
Compare
|
/retest |
runcom
force-pushed
the
blob-mount-from-cache
branch
from
aa3139d to
541f2f4
Compare
|
looks like you broke the formatting: Looks like there are also a few more places where you've changed the expected number of volumes. (unit test failures) otherwise it lgtm. |
runcom
force-pushed
the
blob-mount-from-cache
branch
from
541f2f4 to
b94a8c8
Compare
runcom
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
runcom
force-pushed
the
blob-mount-from-cache
branch
from
377f127 to
5cc1bac
Compare
|
/lgtm |
openshift-ci-robot
added
lgtm
Signed-off-by: Antonio Murdaca <runcom@linux.com>
runcom
force-pushed
the
blob-mount-from-cache
branch
from
5cc1bac to
36017bf
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bparees, runcom The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
3 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/test unit |
|
/test e2e-aws |
|
/test e2e-aws-serial |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest |
1 similar comment
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
this is green now 🤔 |
|
@runcom: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
9 participants
@mrunalp @mtrmac @bparees @smarterclayton
This is just a wip to test things out as we need the resulting hypershift image from this PR to substitute the original one in a cluster and test this workflow, so, do not merge
Signed-off-by: Antonio Murdaca runcom@linux.com