From 36e324987053a95e10665d62ff0f280fc26658db Mon Sep 17 00:00:00 2001
From: Michael Bridgen
Date: Tue, 8 Nov 2022 17:20:24 +0000
Subject: [PATCH] Use init process (#367)

* Use tini as PID 1
The operator runs as PID 1, which is expected to reap zombie processes; since it doesn't, they get left around to take up room. This commit installs `tini` and uses it as PID 1, instead. This removes the use of ssh-agent in the `build/bin/entrypoint` script, which serves only to prevent go-git from complaining about not finding an ssh-agent socket -- and doesn't help with authentication (if no SSH key is supplied, it will simply fail the SSH handshake).
* Remove build/bin scripts
These are relics of old operator-sdk boilerplate. In particular,
- the entrypoint script is not needed because the entrypoint can be given in the Dockerfile (and doesn't need to do anything fancy)
- the user_setup script isn't needed when `useradd` is run. `useradd` would not normally be available, since the base image used for controllers is often some variation of minimal, distro-less image; but, this image uses the maximalist pulumi/pulumi base image.
* Fail if SSH is used but no private key given
When using SSH, a key must be obtained from somewhere. On the command line, git would either use the ssh-agent socket, or try to use a key in ~/.ssh. go-git mirrors this, by resorting to ssh-agent if it is not given any other choices. But in the operator container, it doesn't make sense to try to use ssh-agent, because there's no chance to add keys to it -- its only purpose would be to stop go-git from complaining. So: treat it as an error if someone uses an SSH git URL, but doesn't supply a private SSH key.
Signed-off-by: Michael Bridgen
---
.goreleaser.yml | 3 ---
CHANGELOG.md | 2 ++
Dockerfile | 9 +++------
build/bin/entrypoint | 4 ----
build/bin/user_setup | 11 -----------
pkg/controller/stack/stack_controller.go | 10 ++++++++++
6 files changed, 15 insertions(+), 24 deletions(-)
delete mode 100755 build/bin/entrypoint
delete mode 100755 build/bin/user_setup

diff --git a/.goreleaser.yml b/.goreleaser.yml
index f8c066c7..3243a66a 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -63,6 +63,3 @@ dockers:
 - "--label=org.label-schema.name={{ .ProjectName }}"
 - "--label=org.label-schema.vcs-ref={{ .ShortCommit }}"
 - "--label=org.label-schema.vcs-url='{{ .GitURL }}'"
-
- extra_files:
- - "build/bin"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c18f5d0..82c4aa7e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,8 @@ CHANGELOG
 [#365](https://github.com/pulumi/pulumi-kubernetes-operator/pull/365)
 - Rewrite test case to confirm to Pulumi YAML 1.0 (breaking) changes
 [#369](https://github.com/pulumi/pulumi-kubernetes-operator/pull/369)
+- Use an init process so processes spawned by `pulumi` are reaped
+ [#367](https://github.com/pulumi/pulumi-kubernetes-operator/pull/367)
 ## 1.10.1 (2022-10-25)
diff --git a/Dockerfile b/Dockerfile
index 65ec2e33..321b80a4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,12 +1,10 @@
 FROM pulumi/pulumi:3.46.0
-ENV OPERATOR=/usr/local/bin/pulumi-kubernetes-operator
+RUN apt-get install tini
+ENTRYPOINT ["tini", "--", "/usr/local/bin/pulumi-kubernetes-operator"]
 # install operator binary
-COPY pulumi-kubernetes-operator ${OPERATOR}
-
-COPY build/bin/* /usr/local/bin/
-RUN /usr/local/bin/user_setup
+COPY pulumi-kubernetes-operator /usr/local/bin/pulumi-kubernetes-operator
 RUN useradd -m pulumi-kubernetes-operator
 RUN mkdir -p /home/pulumi-kubernetes-operator/.ssh \
@@ -22,4 +20,3 @@ ENV XDG_CONFIG_CACHE=/tmp/.cache
 ENV GOCACHE=/tmp/.cache/go-build
 ENV GOPATH=/tmp/.cache/go
-ENTRYPOINT ["/usr/local/bin/entrypoint"]
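Review bot: `RUN apt-get install tini` in the first Dockerfile hunk runs without a preceding `apt-get update`, without `-y`, and without removing the package lists afterwards, so the build depends on whatever (possibly stale or absent) index the pulumi/pulumi base image ships, may stop on a confirmation prompt in a non-interactive build, and leaves the apt cache in the image layer. The conventional single-layer form is `RUN apt-get update && apt-get install -y --no-install-recommends tini && rm -rf /var/lib/apt/lists/*`. The exec-form `ENTRYPOINT ["tini", "--", ...]` also relies on PATH lookup for `tini`; naming the package's install path explicitly (presumably `/usr/bin/tini` on Debian-based images — verify) would make PID 1 independent of PATH, and a `tini -s` subreaper variant is not needed here since tini actually is PID 1.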
diff --git a/build/bin/entrypoint b/build/bin/entrypoint
deleted file mode 100755
index 98f67cae..00000000
--- a/build/bin/entrypoint
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh -e
-
-eval "$(ssh-agent -s)"
-exec env SSH_AUTH_SOCK="$SSH_AUTH_SOCK" SSH_AGENT_PID="$SSH_AGENT_PID" "${OPERATOR}" "$@"
diff --git a/build/bin/user_setup b/build/bin/user_setup
deleted file mode 100755
index 4b5b77d6..00000000
--- a/build/bin/user_setup
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-set -x
-
-# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be)
-echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
-mkdir -p "${HOME}"
-chown "${USER_UID}:0" "${HOME}"
-chmod ug+rwx "${HOME}"
-
-# no need for this script to remain in the image after running
-rm "$0"
diff --git a/pkg/controller/stack/stack_controller.go b/pkg/controller/stack/stack_controller.go
index 66118b92..907a1484 100644
--- a/pkg/controller/stack/stack_controller.go
+++ b/pkg/controller/stack/stack_controller.go
@@ -1433,6 +1433,12 @@ func (sess *reconcileStackSession) DestroyStack(ctx context.Context) error {
 func (sess *reconcileStackSession) SetupGitAuth(ctx context.Context) (*auto.GitAuth, error) {
 gitAuth := &auto.GitAuth{}
+ // check that the URL is valid (and we'll use it later to check we got appropriate auth)
+ u, err := giturls.Parse(sess.stack.ProjectRepo)
+ if err != nil {
+ return gitAuth, err
+ }
+
 if sess.stack.GitAuth != nil {
 if sess.stack.GitAuth.SSHAuth != nil {
 privateKey, err := sess.resolveResourceRef(ctx, &sess.stack.GitAuth.SSHAuth.SSHPrivateKey)
@@ -1516,6 +1522,10 @@ func (sess *reconcileStackSession) SetupGitAuth(ctx context.Context) (*auto.GitA
 }
 }
+ if u.Scheme == "ssh" && gitAuth.SSHPrivateKey == "" {
+ return gitAuth, fmt.Errorf("a private key must be provided for SSH")
+ }
+
 return gitAuth, nil
 }
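Review bot: In the first stack_controller.go hunk the `giturls.Parse` failure is returned bare, so a malformed ProjectRepo surfaces in the Stack's status without saying which field was rejected or what was parsed; `return gitAuth, fmt.Errorf("parsing ProjectRepo %q: %w", sess.stack.ProjectRepo, err)` keeps the underlying error available to errors.Is/As while naming the source (fmt is already used by this file, as the second hunk shows). Returning a non-nil `gitAuth` together with a non-nil error also invites a caller to use a half-built value; unless the rest of SetupGitAuth deliberately does the same on its other error paths, `nil` is the conventional companion to an error here. The body of SetupGitAuth continues outside this hunk.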
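Review bot: The new guard in the second stack_controller.go hunk tests `u.Scheme == "ssh"` only, while go-git also dispatches `git+ssh://` and `ssh+git://` URLs to its SSH transport, so a ProjectRepo written with one of those aliases would pass this check with no key and reach exactly the ssh-agent fallback the commit description sets out to rule out; `if (u.Scheme == "ssh" || u.Scheme == "git+ssh" || u.Scheme == "ssh+git") && gitAuth.SSHPrivateKey == "" {` closes that gap, assuming giturls reports those schemes unchanged (confirm against its parser). The scp-style `git@host:org/repo.git` form is presumably normalised to scheme `ssh` by giturls, which is the main case operators will hit, so it deserves an explicit test alongside the URL forms. `fmt.Errorf` with no format verbs would more conventionally be `errors.New("a private key must be provided for SSH")` if `errors` is already imported. SetupGitAuth starts before this hunk.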