services.setup: Pull Grafana image from docker.io #3388
Conversation
image-refresh in progress on 1-ci-srv-02.
image-refresh services done: https://github.com/cockpit-project/bots/commits/image-refresh-services-20220517-102222
image-refresh in progress on 4-ci-srv-03.
Silly bot. No cookie.
image-refresh services done: https://github.com/cockpit-project/bots/commits/image-refresh-services-20220517-111414
Nice, thanks! I'm glad that there's some way out of the pull limits again. Apparently it doesn't like the new FreeIPA, but that's an independent problem.
Force-pushed 779b9ac to b46fce2
image-refresh in progress on 1-ci-srv-06.
image-refresh services done: https://github.com/cockpit-project/bots/commits/image-refresh-services-20220517-131111
LGTM, minus one tiny thing :)
images/scripts/services.setup (outdated)
# HACK: Podman fails to relabel symlinks properly, accidentally relabelling their targets instead
# https://github.com/opencontainers/selinux/pull/173
# Disable relabelling for subsequent runs.
sed -ie 's/data:Z/data/' /root/run-freeipa
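Review bot: `sed -ie` on the last line is not `-i -e`; GNU sed takes the `e` as the backup suffix argument of `-i`, so this leaves a stray copy of the script at `/root/run-freeipae` next to the edited one. Use `sed -i 's/data:Z/data/' /root/run-freeipa` (or `-i -e` if an explicit expression flag is wanted).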
-ie is actually creating a backup. Would you consider changing it to -i?
Thanks for the catch. Updated.
Force-pushed 15e7c4f to fe2246b
image-refresh in progress on 3-ci-srv-05.
image-refresh services done: https://github.com/cockpit-project/bots/commits/image-refresh-services-20220517-163737
# HACK: Podman fails to relabel symlinks properly, accidentally relabelling their targets instead
# https://github.com/opencontainers/selinux/pull/173
# Disable relabelling for subsequent runs.
sed -i 's/data:Z/data/' /root/run-freeipa
Without properly labeled files, we need to switch off SELinux entirely.
I feel like it shouldn't be necessary. The logic here is that we need to relabel the first time we run it because the empty directory should have the correct label. After that, everything in that directory will have been created by the container itself and shouldn't need relabelling.
At the same time
- this is the services image
- this is a workaround for a known bug in the image
- we have better things to work on
So 👍 to disabling selinux to deal with this.
The logic here is that we need to relabel the first time we run it because the empty directory should have the correct label.
I have no idea how podman works, but doesn't it need to relabel the inside of a container every time a new one is created?
Force-pushed fd64db8 to 9e6d1e9
image-refresh in progress on 2-cockpit-9.
image-refresh in progress on 4-ci-srv-05.
Force-pushed 9e6d1e9 to c5fb264
image-refresh in progress on 1-ci-srv-02.
image-refresh services done: https://github.com/cockpit-project/bots/commits/image-refresh-services-20220523-131010
Force-pushed 48d8e8c to e1e0c83
Bitnami recently stopped publishing their images on quay.io after becoming a verified publisher on Dockerhub. Verified publishers are not subject to rate limitations, allowing us to pull their Grafana image from docker.io now. bitnami-labs/sealed-secrets#822 (comment)
Force-pushed e1e0c83 to 4badfdd
Cheers!
# HACK: Podman fails to relabel symlinks properly, accidentally relabelling their targets instead
# https://github.com/opencontainers/selinux/pull/173
# Disable relabelling for subsequent runs and make SELinux permissive.
sed -i 's/data:Z/data/' /root/run-freeipa
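Review bot: the in-place `sed -i 's/data:Z/data/' /root/run-freeipa` is unanchored and silent on failure: sed exits 0 whether or not `data:Z` was found, so a later rewording of the generated `/root/run-freeipa` would leave the `:Z` in place and the next run would hit the relabelling bug again without the setup noticing. Either emit the script without `:Z` for subsequent runs where it is written, or guard the edit with `grep -q 'data:Z' /root/run-freeipa` before the `sed` so the image build fails loudly instead.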
This is both ugly and error prone, and also not even necessary any more with disabling SELinux below. I suggest simply dropping the :Z where it writes the script above, and dropping this.
Ah, you want to drop this again at some point when this is fixed, I see.
also not even necessary any more with disabling SELinux below.
It is, unfortunately. podman crashes regardless of whether SELinux is enabled or not.
# https://github.com/opencontainers/selinux/pull/173
# Disable relabelling for subsequent runs and make SELinux permissive.
sed -i 's/data:Z/data/' /root/run-freeipa
sed -i 's/enforcing/permissive/' /etc/selinux/config
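Review bot: `sed -i 's/enforcing/permissive/' /etc/selinux/config` rewrites the first `enforcing` on every line of the file, including the explanatory comment lines in the stock config, rather than only the `SELINUX=` setting; anchor it as `s/^SELINUX=enforcing/SELINUX=permissive/`. The comment should also say that this only takes effect at the next boot of the image (the running system stays enforcing until then) and that it drops enforcement for the whole services image, not just the FreeIPA container, which is why it needs reverting once the opencontainers/selinux fix lands.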
FTR, 👍 from me. This has fooled us too many times, and it's completely irrelevant to what we want to test.
Hmm, this is meant to be a "temporary" workaround, and hopefully we can just remove these two lines once the fix to #173 has reached us.
Thanks!