steps/proxy: Port to Fedora CoreOS

[cgwalters]

We're currently using RHCOS as a way to run a container image
in a single disposable VM. Let's use FCOS because it's more
oriented towards this use case and also gets us out of needing
to deal with Ignition version dependencies - we can just
unconditionally use spec 3 (which RHCOS also uses in 4.6).

[cgwalters]

(Didn't test this locally, we'll see what rehearse says)

[ewolinetz]

do we also need to bump here? https://github.com/openshift/release/pull/11750/files#diff-e687af75ecf4bc3dee02258e9703afa7R218

[cgwalters]

do we also need to bump here? https://github.com/openshift/release/pull/11750/files#diff-e687af75ecf4bc3dee02258e9703afa7R218

That link is taking me to the toplevel of the diff - can you elaborate on "here"?

[ewolinetz]

we are specifying version 2.1.0 here still, does that need to be bumped?

UserData:
        Fn::Base64: !Sub
        - '{"ignition":{"config":{"replace":{"source":"\${IgnitionLocation}","verification":{}}},"timeouts":{},"version":"2.1.0"},"networkd":{},"passwd":{},"storage":{},"systemd":{}}'
        - {
          IgnitionLocation: !Ref ProxyIgnitionLocation
        }

[cgwalters]

we are specifying version 2.1.0 here still, does that need to be bumped?

It does and done!

[cgwalters]

/retest

[cgwalters]

rpm-md issues
/retest

[ewolinetz]

it looks like the proxy instance still isn't able to come up...
https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_release/11750/rehearse-11750-pull-ci-openshift-installer-master-e2e-aws-proxy/1304420641117573120/artifacts/e2e-aws-proxy/gather-aws-console/i-0951c95379a9e8bc5

[cgwalters]

OK yeah I'm refactoring this script so I can more easily generate the Ignition outside of Prow and test things.

[cgwalters]

OK running the generated ignition appears to work when doing some quick tests in qemu but I notice we were still missing the After=network-online.target so I pushed that.

We also have docs for this use case of course: https://docs.fedoraproject.org/en-US/fedora-coreos/running-containers/
It'd be better to port this to fcct (inline data etc.) but one step at a time.

[cgwalters]

OK this time the proxy host definitely came up, and I see access logs in its console.

And I think now the problem we're hitting is that machineAPI isn't able to provision workers due to the proxy:

E0912 15:38:22.441079       1 reconciler.go:236] ci-op-v9v01r44-4c51b-npq94-worker-us-east-2b-pzx25: error getting existing instances: RequestError: send request failed
caused by: Post "https://ec2.us-east-2.amazonaws.com/": dial tcp 52.95.18.3:443: i/o timeout
E0912 15:38:22.441108       1 controller.go:272] ci-op-v9v01r44-4c51b-npq94-worker-us-east-2b-pzx25: failed to check if machine exists: RequestError: send request failed
caused by: Post "https://ec2.us-east-2.amazonaws.com/": dial tcp 52.95.18.3:443: i/o timeout
E0912 15:38:22.441173       1 controller.go:258] controller-runtime/controller "msg"="Reconciler error" "error"="RequestError: send request failed\ncaused by: Post \"https://ec2.us-east-2.amazonaws.com/\": dial tcp 52.95.18.3:443: i/o timeout"  "controller"="machine_controller" "request"={"Namespace":"openshift-machine-api","Name":"ci-op-v9v01r44-4c51b-npq94-worker-us-east-2b-pzx25"}

So we could probably force merge this and then fix that as a followup?

[wking]

Hmm. How do we square "proxy console has access logs" with "we still cannot SSH in to gather those logs"?

[cgwalters]

"we still cannot SSH in to gather those logs"?

The ssh process is being run from the CI cluster - it can't SSH into a private VPC right?

[cgwalters]

Re-simplified this and addressed comments.

[cgwalters]

Logs from that run also show the proxy successfully running.

[wking]

The ssh process is being run from the CI cluster...

Yes.

... it can't SSH into a private VPC right?

We should be launching the proxy instance in a public subnet, so it should be reachable from the CI cluster.

[cgwalters]

We should be launching the proxy instance in a public subnet, so it should be reachable from the CI cluster.

OK. Then is there a security group set up allowing SSH?

[cgwalters]

Updated the commit message per #11750 (comment)

[wking]

/lgtm

e2e-aws-proxy failed to build openstack-installer, presumably a flake. Hold until we see the proxy's connections logs again:

/hold
/retest

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/ipi/conf/aws/proxy/OWNERS [wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wking]

Then is there a security group set up allowing SSH?

Yup.

[cgwalters]

I definitely verified that if I booted an instance with this Ignition config outside of Prow (using coreos-assembler tooling) that I was able to ssh in just fine. So I still think this is something related to the VPC.

[cgwalters]

/retest

[cgwalters]

/test ci/prow/pj-rehearse

[openshift-ci-robot]

@cgwalters: The specified target(s) for /test were not found.
The following commands are available to trigger jobs:

• /test app-ci-config-dry
• /test build01-dry
• /test build02-dry
• /test ci-operator-config
• /test ci-operator-config-metadata
• /test ci-operator-registry
• /test config
• /test core-dry
• /test core-valid
• /test correctly-sharded-config
• /test generated-config
• /test generated-dashboards
• /test ordered-prow-config
• /test owners
• /test pj-rehearse
• /test prow-config
• /test prow-config-filenames
• /test prow-config-semantics
• /test release-controller-config
• /test services-dry
• /test services-valid
• /test step-registry-metadata
• /test step-registry-shellcheck
• /test vsphere-dry
• /test pylint

Use /test all to run the following jobs:

• pull-ci-openshift-release-master-app-ci-config-dry
• pull-ci-openshift-release-master-build01-dry
• pull-ci-openshift-release-master-build02-dry
• pull-ci-openshift-release-master-ci-operator-config
• pull-ci-openshift-release-master-ci-operator-config-metadata
• pull-ci-openshift-release-master-ci-operator-registry
• pull-ci-openshift-release-master-config
• pull-ci-openshift-release-master-core-dry
• pull-ci-openshift-release-master-core-valid
• pull-ci-openshift-release-master-correctly-sharded-config
• pull-ci-openshift-release-master-generated-config
• pull-ci-openshift-release-master-generated-dashboards
• pull-ci-openshift-release-master-ordered-prow-config
• pull-ci-openshift-release-master-owners
• pull-ci-openshift-release-master-pj-rehearse
• pull-ci-openshift-release-master-prow-config
• pull-ci-openshift-release-master-prow-config-filenames
• pull-ci-openshift-release-master-prow-config-semantics
• pull-ci-openshift-release-master-release-controller-config
• pull-ci-openshift-release-master-services-dry
• pull-ci-openshift-release-master-services-valid
• pull-ci-openshift-release-master-step-registry-metadata
• pull-ci-openshift-release-master-step-registry-shellcheck
• pull-ci-openshift-release-master-vsphere-dry

Details

In response to this:

/test ci/prow/pj-rehearse

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cgwalters]

/test pj-rehearse

[cgwalters]

/test pj-rehearse

[openshift-ci-robot]

@cgwalters: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/rehearse/openshift/aws-ebs-csi-driver/master/e2e-aws-csi	f4541a0fa1bbfbd855c11b2892414cffaef1cbe5	link	/test pj-rehearse
ci/rehearse/cri-o/cri-o/master/e2e-aws	f4541a0fa1bbfbd855c11b2892414cffaef1cbe5	link	/test pj-rehearse

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[wking]

The most recent rehearsal failed with:

level=fatal msg="failed to initialize the cluster: Some cluster operators are still updating: authentication, console, image-registry, ingress, kube-storage-version-migrator, monitoring"

So it got past bootstrap-complete, which means the proxy must be working. It's possible that machine-API not supporting proxy plus lack of a functional EC2 VPC endpoint is the only remaining problem blocking install, or that there are more. SSH into the proxy still fails, and we still don't understand why not. AWS flaked out on console log gathering too, or I'd expect to see some logs here. Still progress. Let's just land this and keep poking at SSH access in follow-up work.

/hold cancel

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@cgwalters: Updated the following 2 configmaps:

• step-registry configmap in namespace ci at cluster api.ci using the following files:
  • key ipi-conf-aws-proxy-commands.sh using file ci-operator/step-registry/ipi/conf/aws/proxy/ipi-conf-aws-proxy-commands.sh
• step-registry configmap in namespace ci at cluster app.ci using the following files:
  • key ipi-conf-aws-proxy-commands.sh using file ci-operator/step-registry/ipi/conf/aws/proxy/ipi-conf-aws-proxy-commands.sh

Details

In response to this:

We're currently using RHCOS as a way to run a container image
in a single disposable VM. Let's use FCOS because it's more
oriented towards this use case and also gets us out of needing
to deal with Ignition version dependencies - we can just
unconditionally use spec 3 (which RHCOS also uses in 4.6).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.