Cherry-pick commits from #1576 & #1565 & #1606 to 7.58.x #1608
Conversation
Fix eclipse-che/che#21770

Signed-off-by: Andrew Obuchowicz <[email protected]>

…eclipse-che#1596)

* Set SCC allowPrivilegeEscalation to true when container build enabled

Running Podman inside a container in OpenShift requires the pod to have allowPrivilegeEscalation: true in its security context.

* Fix tests

Signed-off-by: Angel Misevski <[email protected]>
Hi @AObuchow. Thanks for your PR. I'm waiting for a eclipse-che member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
Signed-off-by: Anatolii Bazko <[email protected]>
Updated PR to include #1606 as well
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: AObuchow, tolusha The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Build 3.4 :: operator_3.4/5: Console, Changes, Git Data
Build 3.4 :: sync-to-downstream_3.4/83: Console, Changes, Git Data
Build 3.4 :: operator-bundle_3.4/25: Console, Changes, Git Data
Build 3.4 :: sync-to-downstream_3.4/84: Console, Changes, Git Data
Build 3.4 :: push-latest-container-to-quay_3.4/82: Console, Changes, Git Data
Build 3.4 :: push-latest-container-to-quay_3.4/83: Console, Changes, Git Data
Build 3.4 :: copyIIBsToQuay/756: Console, Changes, Git Data
Build 3.4 :: push-latest-container-to-quay_3.4/83: Copied: devspaces-rhel8-operator; /job/DS_CI/job/update-digests_3.4 triggered;
Build 3.4 :: get-sources-rhpkg-container-build_3.4/84: devspaces-operator : 3.4 :: Build 50368596 : quay.io/devspaces/devspaces-rhel8-operator:3.4-22
Build 3.4 :: copyIIBsToQuay/757: Console, Changes, Git Data
Build 3.4 :: push-latest-container-to-quay_3.4/82: Copied: devspaces-operator-bundle; bundle-generated updated;
Build 3.4 :: sync-to-downstream_3.4/83: Build container: devspaces-operator synced; /DS_CI/get-sources-rhpkg-container-build_3.4/84 triggered;
Build 3.4 :: operator_3.4/5: Upstream sync done; /DS_CI/sync-to-downstream_3.4/83 triggered
Build 3.4 :: sync-to-downstream_3.4/84: Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.4/85 triggered; /job/DS_CI/job/dsc_3.4 triggered;
Build 3.4 :: operator-bundle_3.4/25: Upstream sync done; /DS_CI/sync-to-downstream_3.4/84 triggered
Build 3.4 :: dsc_3.4/20: Console, Changes, Git Data
Build 3.4 :: update-digests_3.4/195: Console, Changes, Git Data
Build 3.4 :: update-digests_3.4/195: No new images detected: nothing to do!
Build 3.4 :: dsc_3.4/20: 3.4.0 CI
Build 3.4 :: operator-bundle_3.4/26: Console, Changes, Git Data
Build 3.4 :: sync-to-downstream_3.4/85: Console, Changes, Git Data
Build 3.4 :: push-latest-container-to-quay_3.4/84: Console, Changes, Git Data
Build 3.4 :: copyIIBsToQuay/792: Console, Changes, Git Data
Build 3.4 :: push-latest-container-to-quay_3.4/84: Copied: devspaces-operator-bundle; bundle-generated updated;
Build 3.4 :: sync-to-downstream_3.4/85: Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.4/86 triggered; /job/DS_CI/job/dsc_3.4 triggered;
Build 3.4 :: operator-bundle_3.4/26: Upstream sync done; /DS_CI/sync-to-downstream_3.4/85 triggered
Build 3.4 :: dsc_3.4/21: Console, Changes, Git Data
Build 3.4 :: dsc_3.4/21: 3.4.0 CI
What does this PR do?
Backport of commits relevant to solving https://issues.redhat.com/browse/CRW-3400 and https://issues.redhat.com/browse/CRW-3894 in 7.58.x.
Contains the commit for configuring the container security context used in DWO: c313ecc.
Note: I modified the commit to not include the changes from #1565. This PR can be reworked to include those changes (which require DWO 0.18.0) if desired.
Also contains the commit for setting AllowPrivilegeEscalation to true: 3d07ff7

Screenshot/screencast of this PR
n/a
What issues does this PR fix or reference?
Fixes eclipse-che/che#21770 & eclipse-che/che#21959 in 7.58.x
How to test this PR?

1. First start up an OpenShift cluster.

2. Install DWO 0.17.0 (0.17.1)

   I've created the following catalog source, which can be applied with oc apply -f:

   Then go to OperatorHub and install DWO 0.17.1 from the DevWorkspace Operator catalog.

3. Install Che using the Operator Image from this PR

   make gen-chectl-tmpl TEMPLATES=/tmp/operator-resources
   chectl server:deploy -p openshift --templates /tmp/operator-resources --che-operator-image=quay.io/aobuchow/che-operator:latest

   (or build your own image of Che Operator on your quay repo)

4. Patch Che-Server deployment in Che Cluster CRD

   This is a temporary workaround until eclipse-che/che#21958 gets resolved.
   Change the image of Che-Server used for Che to an earlier version, e.g. 7.58.0:

   kubectl edit checluster eclipse-che -n eclipse-che

5. Enable container build capabilities in Che Cluster CR

   kubectl edit checluster eclipse-che -n eclipse-che

   devEnvironments:
     startTimeoutSeconds: 300
     secondsOfRunBeforeIdling: -1
     maxNumberOfWorkspacesPerUser: -1
   + disableContainerBuildCapabilities: false

6. Start a workspace (with the latest UDI)

   I've forked the Che-Website repo to use the latest UDI image, as the older one wasn't working with podman build.
   The forked repo link is: https://github.com/AObuchow/che-website

7. Now ensure that the workspace deployment's pod has the container-build SCC annotation:

   metadata:
     generateName: workspacec65af80e7611435a-b674746b7-
     annotations:
       k8s.v1.cni.cncf.io/network-status: |-
         [{
             "name": "openshift-sdn",
             "interface": "eth0",
             "ips": [
                 "10.217.0.94"
             ],
             "default": true,
             "dns": {}
         }]
       k8s.v1.cni.cncf.io/networks-status: |-
         [{
             "name": "openshift-sdn",
             "interface": "eth0",
             "ips": [
                 "10.217.0.94"
             ],
             "default": true,
             "dns": {}
         }]
   +   openshift.io/scc: container-build

8. Also ensure that the container security context is correct:

9. Build a container from the workspace:

   git clone https://github.com/scriptcamp/podman.git
   cd podman/nginx-image
   podman build -t scriptcamp/nginx .

   docker.io/library/nginx:alpine
PR Checklist

As the author of this Pull Request I made sure that:

What issues does this PR fix or reference and How to test this PR completed

Reviewers

Reviewers, please comment how you tested the PR when approving it.
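The two manual checks in the test steps (the openshift.io/scc: container-build annotation on the workspace pod, and allowPrivilegeEscalation: true in the container security context) can be scripted against the output of `kubectl get pod <name> -n <ns> -o json`. The helper below is an added example, not code from this PR or from che-operator. It also runs the inverse check a reviewer would want when disableContainerBuildCapabilities is left at true: a workspace pod that is still admitted under the container-build SCC, or still allows privilege escalation, is reported as a finding. The embedded sample pod is constructed from the annotation snippet above; its image name and securityContext block are assumptions for illustration, since the PR does not reproduce the real security context.

```python
"""Audit a workspace pod for the container-build security posture this PR expects.

Added example, not part of the PR or of che-operator. Input is a Pod object in
the shape produced by `kubectl get pod <name> -n <ns> -o json`.
"""
import json
import sys

SCC_ANNOTATION = "openshift.io/scc"
CONTAINER_BUILD_SCC = "container-build"

# Constructed sample pod: metadata trimmed from the snippet in the PR description.
# The image name and the securityContext block are assumptions for illustration
# (the PR elides the actual security context of the workspace container).
SAMPLE_POD_JSON = """
{
  "metadata": {
    "generateName": "workspacec65af80e7611435a-b674746b7-",
    "annotations": {
      "openshift.io/scc": "container-build"
    }
  },
  "spec": {
    "containers": [
      {
        "name": "tools",
        "image": "example.invalid/udi:latest",
        "securityContext": {
          "allowPrivilegeEscalation": true,
          "runAsNonRoot": true
        }
      }
    ]
  }
}
"""
SAMPLE_POD = json.loads(SAMPLE_POD_JSON)


def audit_pod(pod, container_build_enabled):
    """Return a list of findings; an empty list means the pod matches expectations.

    container_build_enabled mirrors `disableContainerBuildCapabilities: false` in
    the CheCluster CR. With builds enabled, the pod must be admitted under the
    container-build SCC and every container must allow privilege escalation
    (podman build inside the container requires it). With builds disabled, the
    same two settings are reported as findings: nothing should escalate then.
    """
    findings = []
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    scc = annotations.get(SCC_ANNOTATION)
    containers = (pod.get("spec") or {}).get("containers") or []

    if container_build_enabled:
        if scc != CONTAINER_BUILD_SCC:
            findings.append(f"pod admitted under SCC {scc!r}, expected {CONTAINER_BUILD_SCC!r}")
        for c in containers:
            sc = c.get("securityContext") or {}
            if sc.get("allowPrivilegeEscalation") is not True:
                findings.append(f"container {c.get('name')!r}: allowPrivilegeEscalation is not true, "
                                "which podman build requires")
    else:
        if scc == CONTAINER_BUILD_SCC:
            findings.append(f"pod admitted under {CONTAINER_BUILD_SCC!r} although container builds are disabled")
        for c in containers:
            sc = c.get("securityContext") or {}
            # Only an explicit true is flagged; an unset field is left to SCC admission to decide.
            if sc.get("allowPrivilegeEscalation") is True:
                findings.append(f"container {c.get('name')!r}: allowPrivilegeEscalation is true "
                                "although container builds are disabled")
    return findings


def main(argv):
    """Usage: kubectl get pod <name> -n <ns> -o json | python audit_pod.py [--builds-disabled]

    With no piped input the embedded sample pod is audited instead.
    """
    enabled = "--builds-disabled" not in argv
    pod = json.loads(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE_POD
    findings = audit_pod(pod, enabled)
    for finding in findings:
        print("FINDING:", finding)
    if not findings:
        print("OK: pod matches the expected container-build security posture")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without a pipe to audit the embedded sample, or pipe the real pod JSON in; a non-zero exit means at least one finding, so it can sit in a CI check that runs right after the workspace starts. The enabled/disabled flag is passed explicitly rather than read from the CheCluster CR so the script stays offline and has no cluster dependency beyond the pod JSON.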