Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cherry-pick commits from #1576 & #1565 & #1606 to 7.58.x #1608

Merged
merged 3 commits into from
Jan 30, 2023

Conversation

AObuchow
Copy link
Contributor

@AObuchow AObuchow commented Jan 28, 2023

What does this PR do?

Backport of commits relevant to solving https://issues.redhat.com/browse/CRW-3400 and https://issues.redhat.com/browse/CRW-3894 in 7.58.x.

Contains the commit for configuring the container security context used in DWO: c313ecc.
Note: I modified the commit to not include the changes from #1565. This PR can be reworked to include those changes (which require DWO 0.18.0) if desired.

Also contains the commit for setting AllowPrivilegeEscalation to true: 3d07ff7

Screenshot/screencast of this PR

n/a

What issues does this PR fix or reference?

Fixes eclipse-che/che#21770 & eclipse-che/che#21959 in 7.58.x

How to test this PR?

First start up an OpenShift cluster.

Install DWO 0.17.0 (0.17.1)

I've created the following catalog source which can applied with oc apply -f:

apiVersion: operators.coreos.com/v1alpha1  
kind: CatalogSource  
metadata:  
 name: devworkspace-operator-catalog  
 namespace: openshift-marketplace  
spec:  
 sourceType: grpc  
 image: quay.io/aobuchow/devworkspace-operator-index@sha256:c6a5d9d727212de4332b1c79aec2b1f50e67ed4cc98defe1bb19c4ff97dee695  
 publisher: Red Hat  
 displayName: DevWorkspace Operator Catalog  
 updateStrategy:  
   registryPoll:  
     interval: 5m

Then go to OperatorHub and install DWO 0.17.1 from the DevWorkspace Operator catalog

Install Che using the Operator Image from this PR

  1. Check out the branch from this PR
  2. make gen-chectl-tmpl TEMPLATES=/tmp/operator-resources
  3. Deploy che: chectl server:deploy -p openshift --templates /tmp/operator-resources --che-operator-image=quay.io/aobuchow/che-operator:latest (or build your own image of Che Operator on your quay repo)

Patch Che-Server deployment in Che Cluster CRD

This is a temporary workaround until eclipse-che/che#21958 gets resolved.
Change the image of Che-Server used for Che to an earlier version, eg. 7.58.0: kubectl edit checluster eclipse-che -n eclipse-che

  components:
    cheServer:
      debug: false
+      deployment:
+        containers:
+          - image: 'quay.io/eclipse/che-server:7.58.0'

Enable container build capabilities in Che Cluster CR

kubectl edit checluster eclipse-che -n eclipse-che:

  devEnvironments:
    startTimeoutSeconds: 300
    secondsOfRunBeforeIdling: -1
    maxNumberOfWorkspacesPerUser: -1
+    disableContainerBuildCapabilities: false

Start a workspace (with the latest UDI)

I've forked the Che-Website repo to use the latest UDI image, as the older one wasn't working with podman build.
The forked repo link is: https://github.com/AObuchow/che-website

Now ensure that the workspace deployment's pod has the container-build SCC annotation:

metadata:
  generateName: workspacec65af80e7611435a-b674746b7-
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.217.0.94"
          ],
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.217.0.94"
          ],
          "default": true,
          "dns": {}
      }]
+    openshift.io/scc: container-build

Also ensure that the container security context is correct:

      securityContext:
        capabilities:
          add:
            - SETGID
            - SETUID
          drop:
            - KILL
            - MKNOD
        runAsUser: 1000680000
        runAsNonRoot: true
        allowPrivilegeEscalation: true

Build a container from the workspace:

  1. Open a new terminal from within Che Code
  2. git clone https://github.com/scriptcamp/podman.git
  3. cd podman/nginx-image
  4. podman build -t scriptcamp/nginx .
  5. Select docker.io/library/nginx:alpine
  6. The container build should be successful and have an output similar to the following:
STEP 1/2: FROM nginx:alpine
✔ docker.io/library/nginx:alpine
Trying to pull docker.io/library/nginx:alpine...
Getting image source signatures
Copying blob 83e90619bc2e done  
Copying blob 10eb2ce358fa done  
Copying blob d52adec6f48b done  
Copying blob 8921db27df28 done  
Copying blob a1be370d6a52 done  
Copying blob 689b9959905b done  
Copying blob c7a81ce22aac done  
Copying config c433c51bbd done  
Writing manifest to image destination
Storing signatures
STEP 2/2: COPY index.html /usr/share/nginx/html/index.html
COMMIT scriptcamp/nginx
--> b783ac21a4d
Successfully tagged localhost/scriptcamp/nginx:latest
b783ac21a4d1285e2ca7834ea300f6e42ea1930e5aef2c425fd1f178d6b292e1

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.

AObuchow and others added 2 commits January 26, 2023 15:18
…eclipse-che#1596)

* Set SCC allowPrivilegeEscalation to true when container build enabled

Running Podman inside a container in OpenShift requires the pod to have
allowPrivilegeEscalation: true in its security context.

* Fix tests

Signed-off-by: Angel Misevski <[email protected]>
@openshift-ci
Copy link

openshift-ci bot commented Jan 28, 2023

Hi @AObuchow. Thanks for your PR.

I'm waiting for a eclipse-che member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ibuziuk
Copy link
Member

ibuziuk commented Jan 30, 2023

/ok-to-test

Signed-off-by: Anatolii Bazko <[email protected]>
@tolusha tolusha changed the title Cherry-pick commits from #1576 & #1565 to 7.58.x Cherry-pick commits from #1576 & #1565 & #1606 to 7.58.x Jan 30, 2023
@tolusha
Copy link
Contributor

tolusha commented Jan 30, 2023

Updated PR to include #1606 as well

@openshift-ci
Copy link

openshift-ci bot commented Jan 30, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: AObuchow, tolusha

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@nickboldt nickboldt merged commit ad19924 into eclipse-che:7.58.x Jan 30, 2023
@che-bot che-bot added this to the 7.58 milestone Jan 30, 2023
@devstudio-release
Copy link

Build 3.4 :: operator_3.4/5: Console, Changes, Git Data

@devstudio-release
Copy link

@devstudio-release
Copy link

@devstudio-release
Copy link

Build 3.4 :: operator-bundle_3.4/25: Console, Changes, Git Data

@devstudio-release
Copy link

@devstudio-release
Copy link

@devstudio-release
Copy link

@devstudio-release
Copy link

@devstudio-release
Copy link

Build 3.4 :: copyIIBsToQuay/756: Console, Changes, Git Data

@devstudio-release
Copy link

Build 3.4 :: push-latest-container-to-quay_3.4/83: SUCCESS

Copied: devspaces-rhel8-operator; /job/DS_CI/job/update-digests_3.4 triggered;
/job/DS_CI/job/Releng/job/copyIIBsToQuay triggered for OCP v4.12 v4.11 v4.10

@devstudio-release
Copy link

@devstudio-release
Copy link

Build 3.4 :: copyIIBsToQuay/757: Console, Changes, Git Data

@devstudio-release
Copy link

Build 3.4 :: push-latest-container-to-quay_3.4/82: SUCCESS

Copied: devspaces-operator-bundle; bundle-generated updated;
/job/DS_CI/job/Releng/job/copyIIBsToQuay triggered for OCP v4.12 v4.11 v4.10

@devstudio-release
Copy link

Build 3.4 :: sync-to-downstream_3.4/83: SUCCESS

Build container: devspaces-operator synced; /DS_CI/get-sources-rhpkg-container-build_3.4/84 triggered;

@devstudio-release
Copy link

Build 3.4 :: operator_3.4/5: SUCCESS

Upstream sync done; /DS_CI/sync-to-downstream_3.4/83 triggered

@devstudio-release
Copy link

Build 3.4 :: sync-to-downstream_3.4/84: SUCCESS

Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.4/85 triggered; /job/DS_CI/job/dsc_3.4 triggered;

@devstudio-release
Copy link

Build 3.4 :: operator-bundle_3.4/25: SUCCESS

Upstream sync done; /DS_CI/sync-to-downstream_3.4/84 triggered

@devstudio-release
Copy link

Build 3.4 :: dsc_3.4/20: Console, Changes, Git Data

@devstudio-release
Copy link

Build 3.4 :: update-digests_3.4/195: Console, Changes, Git Data

@devstudio-release
Copy link

Build 3.4 :: update-digests_3.4/195: UNSTABLE

No new images detected: nothing to do!

@devstudio-release
Copy link

Build 3.4 :: dsc_3.4/20: SUCCESS

3.4.0 CI

@devstudio-release
Copy link

Build 3.4 :: copyIIBsToQuay/756: SUCCESS

3.4
arches = x86_64, s390x, ppc64le;
  * LATEST DS OPERATOR BUNDLE = <a href=https://quay.io/repository/devspaces/devspaces-operator-bundle?tab=tags>registry-proxy.engineering.redhat.com/rh-osbs/devspaces-operator-bundle:3.4-169
  * LATEST DWO OPERATOR BUNDLE = <a href=https://quay.io/repository/devworkspace/devworkspace-operator-bundle?tab=tags>registry-proxy.engineering.redhat.com/rh-osbs/devworkspace-operator-bundle:0.18-2
+ s390x-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-410106-s390x
  + quay.io/devspaces/iib:3.4-v4.12-s390x
  + quay.io/devspaces/iib:latest-v4.12-s390x
  + quay.io/devspaces/iib:3.4-v4.11-422030-410097-s390x
  + quay.io/devspaces/iib:3.4-v4.11-s390x
  + quay.io/devspaces/iib:latest-v4.11-s390x
  + quay.io/devspaces/iib:3.4-v4.10-422025-410093-s390x
  + quay.io/devspaces/iib:3.4-v4.10-s390x
  + quay.io/devspaces/iib:latest-v4.10-s390x
+ x86_64-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-410106-x86_64
  + quay.io/devspaces/iib:3.4-v4.12-x86_64
  + quay.io/devspaces/iib:latest-v4.12-x86_64
  + quay.io/devspaces/iib:3.4-v4.11-422030-410097-x86_64
  + quay.io/devspaces/iib:3.4-v4.11-x86_64
  + quay.io/devspaces/iib:latest-v4.11-x86_64
  + quay.io/devspaces/iib:3.4-v4.10-422025-410093-x86_64
  + quay.io/devspaces/iib:3.4-v4.10-x86_64
  + quay.io/devspaces/iib:latest-v4.10-x86_64
+ ppc64le-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-410106-ppc64le
  + quay.io/devspaces/iib:3.4-v4.12-ppc64le
  + quay.io/devspaces/iib:latest-v4.12-ppc64le
  + quay.io/devspaces/iib:3.4-v4.11-422030-410097-ppc64le
  + quay.io/devspaces/iib:3.4-v4.11-ppc64le
  + quay.io/devspaces/iib:latest-v4.11-ppc64le
  + quay.io/devspaces/iib:3.4-v4.10-422025-410093-ppc64le
  + quay.io/devspaces/iib:3.4-v4.10-ppc64le
  + quay.io/devspaces/iib:latest-v4.10-ppc64le

@devstudio-release
Copy link

Build 3.4 :: operator-bundle_3.4/26: Console, Changes, Git Data

@devstudio-release
Copy link

@devstudio-release
Copy link

@devstudio-release
Copy link

@devstudio-release
Copy link

Build 3.4 :: copyIIBsToQuay/792: Console, Changes, Git Data

@devstudio-release
Copy link

Build 3.4 :: push-latest-container-to-quay_3.4/84: SUCCESS

Copied: devspaces-operator-bundle; bundle-generated updated;
/job/DS_CI/job/Releng/job/copyIIBsToQuay triggered for OCP v4.12 v4.11 v4.10

@devstudio-release
Copy link

Build 3.4 :: sync-to-downstream_3.4/85: SUCCESS

Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.4/86 triggered; /job/DS_CI/job/dsc_3.4 triggered;

@devstudio-release
Copy link

Build 3.4 :: operator-bundle_3.4/26: SUCCESS

Upstream sync done; /DS_CI/sync-to-downstream_3.4/85 triggered

@devstudio-release
Copy link

Build 3.4 :: dsc_3.4/21: Console, Changes, Git Data

@devstudio-release
Copy link

Build 3.4 :: copyIIBsToQuay/792: SUCCESS

3.4
arches = x86_64, s390x, ppc64le;
  * LATEST DS OPERATOR BUNDLE = <a href=https://quay.io/repository/devspaces/devspaces-operator-bundle?tab=tags>registry-proxy.engineering.redhat.com/rh-osbs/devspaces-operator-bundle:3.4-170
  * LATEST DWO OPERATOR BUNDLE = <a href=https://quay.io/repository/devworkspace/devworkspace-operator-bundle?tab=tags>registry-proxy.engineering.redhat.com/rh-osbs/devworkspace-operator-bundle:???
+ x86_64-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-x86_64
  + quay.io/devspaces/iib:3.4-v4.12-x86_64
  + quay.io/devspaces/iib:3.4-v4.12-x86_64
  + quay.io/devspaces/iib:3.4-v4.11-422030-x86_64
  + quay.io/devspaces/iib:3.4-v4.11-x86_64
  + quay.io/devspaces/iib:3.4-v4.11-x86_64
  + quay.io/devspaces/iib:3.4-v4.10-422025-x86_64
  + quay.io/devspaces/iib:3.4-v4.10-x86_64
  + quay.io/devspaces/iib:3.4-v4.10-x86_64
+ s390x-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-s390x
  + quay.io/devspaces/iib:3.4-v4.12-s390x
  + quay.io/devspaces/iib:3.4-v4.12-s390x
  + quay.io/devspaces/iib:3.4-v4.11-422030-s390x
  + quay.io/devspaces/iib:3.4-v4.11-s390x
  + quay.io/devspaces/iib:3.4-v4.11-s390x
  + quay.io/devspaces/iib:3.4-v4.10-422025-s390x
  + quay.io/devspaces/iib:3.4-v4.10-s390x
  + quay.io/devspaces/iib:3.4-v4.10-s390x
+ ppc64le-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-ppc64le
  + quay.io/devspaces/iib:3.4-v4.12-ppc64le
  + quay.io/devspaces/iib:3.4-v4.12-ppc64le
  + quay.io/devspaces/iib:3.4-v4.11-422030-ppc64le
  + quay.io/devspaces/iib:3.4-v4.11-ppc64le
  + quay.io/devspaces/iib:3.4-v4.11-ppc64le
  + quay.io/devspaces/iib:3.4-v4.10-422025-ppc64le
  + quay.io/devspaces/iib:3.4-v4.10-ppc64le
  + quay.io/devspaces/iib:3.4-v4.10-ppc64le

@devstudio-release
Copy link

Build 3.4 :: dsc_3.4/21: SUCCESS

3.4.0 CI

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants