Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure a built images contains the correct binary #9758

Closed
chrischdi opened this issue Nov 22, 2023 · 7 comments · Fixed by #9932
Closed

Ensure a built images contains the correct binary #9758

chrischdi opened this issue Nov 22, 2023 · 7 comments · Fixed by #9932
Assignees
@akshay196
Labels
area/ci Issues or PRs related to ci help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@chrischdi
Copy link
Member

What would you like to be added (User Story)?

As a maintainer I want to be sure that the images we publish contain the correct binary and are for the correct architecture

Detailed Description

We had to revert #9753 because images which got built using google cloud build (which uses make release-staging -j 8 -O) did not contain the wanted binaries.

To be more concrete: images for CAPD did contain the test-extension binary instead of the one for CAPD.

Anything else you would like to add?

Disclamer: we are not sure where exactly the issue happened, the current idea is it is during building the images, not when pushing the images.

The CI for building an image could try to analyse the image for having the correct binary. The used method needs to work independent of the architecture of the image.

Example which uses docker, go, mkdir and tar:

function TESTIMAGE() {
  IMAGE="${1}"
  ARCH="${2}"
  GREPGOPATH="${3}"
  BINARYPATH="${4:-manager}"

  echo "> Testing $IMAGE"

  docker save ${IMAGE} -o img.tar
  mkdir -p extracted-img extracted
  tar -xf img.tar -C extracted-img/
  for layer in $(find extracted-img/ -name "*.tar"); do
    tar -xf ${layer} -C extracted
  done

  go version -m extracted/${BINARYPATH} | grep -P "\tpath" | grep -E -q -e ${GREPGOPATH} || (echo "FAILED ${IMAGE} expected value for path: \"${GREPVALUE}\""; go version -m extracted/${BINARYPATH} | grep "\tpath")
  go version -m extracted/${BINARYPATH} | grep -q -E "GOARCH=${ARCH}$" || (echo "Failed ${IMAGE} expected GOARCH to be \"$ARCH\""; go version -m extracted/${BINARYPATH} | grep "GOARCH=")
  rm -rf img.tar extracted-img extracted
}

TESTIMAGE "gcr.io/k8s-staging-cluster-api/capd-manager-amd64:dev" "amd64" "command-line-arguments$"
TESTIMAGE "gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller-amd64:dev" "amd64" "sigs.k8s.io/cluster-api/bootstrap/kubeadm$"
TESTIMAGE "gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller-amd64:dev" "amd64" "sigs.k8s.io/cluster-api/controlplane/kubeadm$"
TESTIMAGE "gcr.io/k8s-staging-cluster-api/capim-manager-amd64:dev" "amd64" "sigs.k8s.io/cluster-api/test/infrastructure/inmemory$"
TESTIMAGE "gcr.io/k8s-staging-cluster-api/clusterctl-amd64:dev" "amd64" "sigs.k8s.io/cluster-api/cmd/clusterctl$-amd64:dev" "amd64" "clusterctl"
TESTIMAGE "gcr.io/k8s-staging-cluster-api/test-extension-amd64:dev" "amd64" "sigs.k8s.io/cluster-api/test/extension$"

xref: #9752

Label(s) to be applied

/kind ci
@k8s-ci-robot
Copy link
Contributor

@chrischdi: The label(s) kind/ci cannot be applied, because the repository doesn't have them.

In response to this:

What would you like to be added (User Story)?

As a maintainer I want to be sure that the images we publish contain the correct binary and are for the correct architecture

Detailed Description

We had to revert #9753 because images which got built using google cloud build (which uses make release-staging -j 8 -O) did not contain the wanted binaries.

To be more concrete: images for CAPD did contain the test-extension binary instead of the one for CAPD.

Anything else you would like to add?

Disclamer: we are not sure where exactly the issue happened, the current idea is it is during building the images, not when pushing the images.

The CI for building an image could try to analyse the image for having the correct binary. The used method needs to work independent of the architecture of the image.

Example which uses docker, go, mkdir and tar:

function TESTIMAGE() {
 IMAGE="${1}"
 ARCH="${2}"
 GREPGOPATH="${3}"
 BINARYPATH="${4:-manager}"

 echo "> Testing $IMAGE"

 docker save ${IMAGE} -o img.tar
 mkdir -p extracted-img extracted
 tar -xf img.tar -C extracted-img/
 for layer in $(find extracted-img/ -name "*.tar"); do
   tar -xf ${layer} -C extracted
 done

 go version -m extracted/${BINARYPATH} | grep -P "\tpath" | grep -E -q -e ${GREPGOPATH} || (echo "FAILED ${IMAGE} expected value for path: \"${GREPVALUE}\""; go version -m extracted/${BINARYPATH} | grep "\tpath")
 go version -m extracted/${BINARYPATH} | grep -q -E "GOARCH=${ARCH}$" || (echo "Failed ${IMAGE} expected GOARCH to be \"$ARCH\""; go version -m extracted/${BINARYPATH} | grep "GOARCH=")
 rm -rf img.tar extracted-img extracted
}

TESTIMAGE "gcr.io/k8s-staging-cluster-api/capd-manager-amd64:dev" "amd64" "command-line-arguments$"
TESTIMAGE "gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller-amd64:dev" "amd64" "sigs.k8s.io/cluster-api/bootstrap/kubeadm$"
TESTIMAGE "gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller-amd64:dev" "amd64" "sigs.k8s.io/cluster-api/controlplane/kubeadm$"
TESTIMAGE "gcr.io/k8s-staging-cluster-api/capim-manager-amd64:dev" "amd64" "sigs.k8s.io/cluster-api/test/infrastructure/inmemory$"
TESTIMAGE "gcr.io/k8s-staging-cluster-api/clusterctl-amd64:dev" "amd64" "sigs.k8s.io/cluster-api/cmd/clusterctl$-amd64:dev" "amd64" "clusterctl"
TESTIMAGE "gcr.io/k8s-staging-cluster-api/test-extension-amd64:dev" "amd64" "sigs.k8s.io/cluster-api/test/extension$"

xref: #9752

Label(s) to be applied

/kind ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Nov 22, 2023
@furkatgofurov7 furkatgofurov7 mentioned this issue Nov 22, 2023
Closed
4 tasks
@sbueringer sbueringer added the area/ci Issues or PRs related to ci label Nov 22, 2023
@sbueringer
Copy link
Member

Thx!

/triage accepted

This would be good as a safeguard considering that we only found out about the issue by coincidence.

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 22, 2023
@sbueringer
Copy link
Member

/help

@k8s-ci-robot
Copy link
Contributor

@sbueringer:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Nov 22, 2023
@dharmjit
Copy link

dharmjit commented Dec 4, 2023
edited
Loading

I am not sure but is it possible to leverage the SBOM generation work being done in #6153 to identify any ingredients(binary in this case) being part of OCI images. I am not sure if the SBOM specs are supposed to capture the architecture of the binaries as well.

@chrischdi
Copy link
Member Author

I am not sure but is it possible to leverage the SBOM generation work being done in #6153 to identify any ingredients(binary in this case) being part of OCI images. I am not sure if the SBOM specs are supposed to capture the architecture of the binaries as well.

If the sbom generation gets done on top of an image: that data may be a good way to solve this.

If the sbom gets generated from the repo it won't be able to solve the described issue.

@akshay196
Copy link
Contributor

I am interested in this.

/assign

akshay196 added a commit to akshay196/cluster-api that referenced this issue Dec 28, 2023
@akshay196
Add docker image test script
b97f3f7 
Fixes kubernetes-sigs#9758

Ensures build images contains the correct binary and are for the
correct architecture.

Signed-off-by: Akshay Gaikwad <[email protected]>
@akshay196 akshay196 mentioned this issue Dec 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@akshay196 akshay196

Labels
area/ci Issues or PRs related to ci help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
CAPI v1.7 release improvement tasks
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

🌱 Ensure build images contains correct binary and for correct architecture akshay196/cluster-api
5 participants
@chrischdi @dharmjit @sbueringer @akshay196 @k8s-ci-robot