services.setup: Pull Grafana image from docker.io #3388

Merged
merged 3 commits into from
May 24, 2022

allisonkarlitskaya
Member

@allisonkarlitskaya allisonkarlitskaya commented May 17, 2022

Bitnami recently stopped publishing their images on quay.io after
becoming a verified publisher on Dockerhub.

Verified publishers are not subject to rate limitations, allowing us to
pull their Grafana image from docker.io now.

bitnami-labs/sealed-secrets#822 (comment)

  • image-refresh services

@cockpituous cockpituous changed the title services.setup: Pull Grafana image from docker.io WIP: 1-ci-srv-02: [no-test] services.setup: Pull Grafana image from docker.io May 17, 2022
@cockpituous
Contributor

image-refresh in progress on 1-ci-srv-02.
Log: https://logs.cockpit-project.org/logs/image-refresh-3388-20220517-093838/

@cockpituous cockpituous changed the title WIP: 1-ci-srv-02: [no-test] services.setup: Pull Grafana image from docker.io services.setup: Pull Grafana image from docker.io May 17, 2022
@cockpituous cockpituous changed the title services.setup: Pull Grafana image from docker.io WIP: 4-ci-srv-03: [no-test] services.setup: Pull Grafana image from docker.io May 17, 2022
@cockpituous
Contributor

image-refresh in progress on 4-ci-srv-03.
Log: https://logs.cockpit-project.org/logs/image-refresh-3388-20220517-102222/

@allisonkarlitskaya allisonkarlitskaya marked this pull request as ready for review May 17, 2022 10:24
@allisonkarlitskaya allisonkarlitskaya changed the title WIP: 4-ci-srv-03: [no-test] services.setup: Pull Grafana image from docker.io services.setup: Pull Grafana image from docker.io, refresh services May 17, 2022
@allisonkarlitskaya
Member Author

> image-refresh in progress on 4-ci-srv-03. Log: https://logs.cockpit-project.org/logs/image-refresh-3388-20220517-102222/

Silly bot. No cookie.

@cockpituous cockpituous changed the title services.setup: Pull Grafana image from docker.io, refresh services services.setup: Pull Grafana image from docker.io May 17, 2022
@martinpitt
Member

Nice, thanks! I'm glad that there's some way out of the pull limits again. Apparently it doesn't like the new FreeIPA, but that's an independent problem.

@allisonkarlitskaya allisonkarlitskaya force-pushed the services-bitnami-dockerhub branch from 779b9ac to b46fce2 May 17, 2022 12:14
@cockpituous cockpituous changed the title services.setup: Pull Grafana image from docker.io WIP: 1-ci-srv-06: [no-test] services.setup: Pull Grafana image from docker.io May 17, 2022
@cockpituous
Contributor

image-refresh in progress on 1-ci-srv-06.
Log: https://logs.cockpit-project.org/logs/image-refresh-3388-20220517-121515/

@cockpituous cockpituous changed the title WIP: 1-ci-srv-06: [no-test] services.setup: Pull Grafana image from docker.io services.setup: Pull Grafana image from docker.io May 17, 2022
@SilviaMiranda SilviaMiranda left a comment

LGTM, minus one tiny thing :)

# HACK: Podman fails to relabel symlinks properly, accidentally relabelling their targets instead
# https://github.com/opencontainers/selinux/pull/173
# Disable relabelling for subsequent runs.
sed -ie 's/data:Z/data/' /root/run-freeipa
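
Review bot: in `sed -ie 's/data:Z/data/' /root/run-freeipa`, GNU sed reads `-ie` as `-i` with the backup suffix `e`, not as `-i -e`, so each run leaves a stray copy at `/root/run-freeipae` beside the script. Use `-i` on its own, or `-i -e` with a space if the explicit expression flag is wanted.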

-ie is actually creating a backup. Would you consider changing it to -i?

Member Author

Thanks for the catch. Updated.

@allisonkarlitskaya allisonkarlitskaya force-pushed the services-bitnami-dockerhub branch from 15e7c4f to fe2246b May 17, 2022 15:51
@cockpituous cockpituous changed the title services.setup: Pull Grafana image from docker.io WIP: 3-ci-srv-05: [no-test] services.setup: Pull Grafana image from docker.io May 17, 2022
@cockpituous
Contributor

image-refresh in progress on 3-ci-srv-05.
Log: https://logs.cockpit-project.org/logs/image-refresh-3388-20220517-155252/

@cockpituous cockpituous changed the title WIP: 3-ci-srv-05: [no-test] services.setup: Pull Grafana image from docker.io services.setup: Pull Grafana image from docker.io May 17, 2022
@martinpitt martinpitt removed their request for review May 23, 2022 07:27
# HACK: Podman fails to relabel symlinks properly, accidentally relabelling their targets instead
# https://github.com/opencontainers/selinux/pull/173
# Disable relabelling for subsequent runs.
sed -i 's/data:Z/data/' /root/run-freeipa
Member

@mvollmer mvollmer May 23, 2022

Without properly labeled files, we need to switch off SELinux entirely.

Member Author

I feel like it shouldn't be necessary. The logic here is that we need to relabel the first time we run it because the empty directory should have the correct label. After that, everything in that directory will have been created by the container itself and shouldn't need relabelling.

At the same time

  • this is the services image
  • this is a workaround for a known bug in the image
  • we have better things to work on

So 👍 to disabling selinux to deal with this.

Member

> The logic here is that we need to relabel the first time we run it because the empty directory should have the correct label.

I have no idea how podman works, but doesn't it need to relabel the inside of a container every time a new one is created?

@mvollmer mvollmer force-pushed the services-bitnami-dockerhub branch from fd64db8 to 9e6d1e9 May 23, 2022 11:59
@mvollmer mvollmer added the bot label May 23, 2022
@cockpituous
Contributor

image-refresh in progress on 2-cockpit-9.
Log: https://logs.cockpit-project.org/logs/image-refresh-3388-20220523-121313/

@cockpituous cockpituous changed the title services.setup: Pull Grafana image from docker.io WIP: 2-cockpit-9: [no-test] services.setup: Pull Grafana image from docker.io May 23, 2022
@cockpituous cockpituous changed the title WIP: 2-cockpit-9: [no-test] services.setup: Pull Grafana image from docker.io services.setup: Pull Grafana image from docker.io May 23, 2022
@cockpituous cockpituous changed the title services.setup: Pull Grafana image from docker.io WIP: 4-ci-srv-05: [no-test] services.setup: Pull Grafana image from docker.io May 23, 2022
@cockpituous
Contributor

image-refresh in progress on 4-ci-srv-05.
Log: https://logs.cockpit-project.org/logs/image-refresh-3388-20220523-121616/

@cockpituous cockpituous changed the title WIP: 4-ci-srv-05: [no-test] services.setup: Pull Grafana image from docker.io services.setup: Pull Grafana image from docker.io May 23, 2022
@mvollmer mvollmer force-pushed the services-bitnami-dockerhub branch from 9e6d1e9 to c5fb264 May 23, 2022 12:20
@cockpituous
Contributor

image-refresh in progress on 1-ci-srv-02.
Log: https://logs.cockpit-project.org/logs/image-refresh-3388-20220523-122121/

@cockpituous cockpituous changed the title services.setup: Pull Grafana image from docker.io WIP: 1-ci-srv-02: [no-test] services.setup: Pull Grafana image from docker.io May 23, 2022
@cockpituous cockpituous changed the title WIP: 1-ci-srv-02: [no-test] services.setup: Pull Grafana image from docker.io services.setup: Pull Grafana image from docker.io May 23, 2022
@mvollmer mvollmer force-pushed the services-bitnami-dockerhub branch from 48d8e8c to e1e0c83 May 24, 2022 06:40
allisonkarlitskaya and others added 3 commits May 24, 2022 10:36
Bitnami recently stopped publishing their images on quay.io after
becoming a verified publisher on Dockerhub.

Verified publishers are not subject to rate limitations, allowing us to
pull their Grafana image from docker.io now.

bitnami-labs/sealed-secrets#822 (comment)
@mvollmer mvollmer force-pushed the services-bitnami-dockerhub branch from e1e0c83 to 4badfdd May 24, 2022 07:36
@mvollmer mvollmer requested a review from martinpitt May 24, 2022 08:27
Member

@martinpitt martinpitt left a comment

Cheers!

# HACK: Podman fails to relabel symlinks properly, accidentally relabelling their targets instead
# https://github.com/opencontainers/selinux/pull/173
# Disable relabelling for subsequent runs and make SELinux permissive.
sed -i 's/data:Z/data/' /root/run-freeipa
Member

This is both ugly and error prone, and also not even necessary any more with disabling SELinux below. I suggest to simply drop the :Z where it writes the script above, and drop this.

Member

Ah, you want to drop this again at some point when this is fixed, I see.

Member

> also not even necessary any more with disabling SELinux below.

It is, unfortunately. podman crashes regardless of whether SELinux is enabled or not.

# https://github.com/opencontainers/selinux/pull/173
# Disable relabelling for subsequent runs and make SELinux permissive.
sed -i 's/data:Z/data/' /root/run-freeipa
sed -i 's/enforcing/permissive/' /etc/selinux/config
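
Review bot: the pattern in `sed -i 's/enforcing/permissive/' /etc/selinux/config` is not anchored, so it rewrites the first `enforcing` on every line of the file, comment lines included, and it exits 0 without changing anything if the image already ships a different mode. Anchoring it to the setting, for example `s/^SELINUX=enforcing/SELINUX=permissive/`, keeps the edit to the one line that matters. The file is only read at boot, so the running system stays enforcing until a reboot or `setenforce 0`; the comment above could say which of the two is relied on here. The same silent no-op applies to the `data:Z` substitution if the string written into `/root/run-freeipa` ever changes.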
Member

FTR, 👍 from me. This has fooled us too many times, and it's completely irrelevant to what we want to test.

Member

Hmm, this is meant to be a "temporary" workaround, and hopefully we can just remove these two lines once the fix to #173 has reached us.

Member

@martinpitt martinpitt left a comment

Thanks!

@martinpitt martinpitt merged commit 751450e into main May 24, 2022
@martinpitt martinpitt deleted the services-bitnami-dockerhub branch May 24, 2022 08:32
@mvollmer mvollmer mentioned this pull request May 24, 2022