[openstack-k8s-operators][fips-check] Use custom image #57159

Merged (1 commit) on Sep 25, 2024

Conversation

stuggi
Contributor

@stuggi stuggi commented Sep 25, 2024

The fips-check job is currently broken; until the image with the fix[1] is available, let's use a custom image.

[1] openshift/check-payload#221

Related-Issue: OSPRH-10362

The fips-check job is currently broken; until the image
with the fix[1] is available, let's use a custom image.

[1] openshift/check-payload#221

Related-Issue: OSPRH-10362

Signed-off-by: Martin Schuppert <[email protected]>
@openshift-ci-robot
Contributor

[REHEARSALNOTIFIER]
@stuggi: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
|---|---|---|---|
| pull-ci-openstack-k8s-operators-test-operator-main-test-operator-build-deploy | openstack-k8s-operators/test-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-swift-operator-main-swift-operator-build-deploy | openstack-k8s-operators/swift-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-swift-operator-18.0.0-proposed-swift-operator-build-deploy | openstack-k8s-operators/swift-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-swift-operator-main-swift-operator-build-deploy-kuttl | openstack-k8s-operators/swift-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-swift-operator-18.0.0-proposed-swift-operator-build-deploy-kuttl | openstack-k8s-operators/swift-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-horizon-operator-main-horizon-operator-build-deploy | openstack-k8s-operators/horizon-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-horizon-operator-18.0.0-proposed-horizon-operator-build-deploy | openstack-k8s-operators/horizon-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-horizon-operator-main-horizon-operator-build-deploy-kuttl | openstack-k8s-operators/horizon-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-horizon-operator-18.0.0-proposed-horizon-operator-build-deploy-kuttl | openstack-k8s-operators/horizon-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-infra-operator-main-infra-operator-build-deploy | openstack-k8s-operators/infra-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-infra-operator-18.0.0-proposed-infra-operator-build-deploy | openstack-k8s-operators/infra-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-infra-operator-main-infra-operator-build-deploy-kuttl | openstack-k8s-operators/infra-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-infra-operator-18.0.0-proposed-infra-operator-build-deploy-kuttl | openstack-k8s-operators/infra-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-keystone-operator-main-keystone-operator-build-deploy | openstack-k8s-operators/keystone-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-keystone-operator-18.0.0-proposed-keystone-operator-build-deploy | openstack-k8s-operators/keystone-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-keystone-operator-main-keystone-operator-build-deploy-kuttl | openstack-k8s-operators/keystone-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-keystone-operator-18.0.0-proposed-keystone-operator-build-deploy-kuttl | openstack-k8s-operators/keystone-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-keystone-operator-main-keystone-operator-build-deploy-tempest | openstack-k8s-operators/keystone-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-keystone-operator-18.0.0-proposed-keystone-operator-build-deploy-tempest | openstack-k8s-operators/keystone-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-mariadb-operator-main-mariadb-operator-build-deploy | openstack-k8s-operators/mariadb-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-mariadb-operator-18.0.0-proposed-mariadb-operator-build-deploy | openstack-k8s-operators/mariadb-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-mariadb-operator-main-mariadb-operator-build-deploy-kuttl | openstack-k8s-operators/mariadb-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-mariadb-operator-18.0.0-proposed-mariadb-operator-build-deploy-kuttl | openstack-k8s-operators/mariadb-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-octavia-operator-main-octavia-operator-build-deploy | openstack-k8s-operators/octavia-operator | presubmit | Registry content changed |
| pull-ci-openstack-k8s-operators-octavia-operator-18.0.0-proposed-octavia-operator-build-deploy | openstack-k8s-operators/octavia-operator | presubmit | Registry content changed |

A total of 91 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here
Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse abort to abort all active rehearsals

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@stuggi
Contributor Author

stuggi commented Sep 25, 2024

/pj-rehearse pull-ci-openstack-k8s-operators-test-operator-main-test-operator-build-deploy

@openshift-ci-robot
Contributor

@stuggi: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci openshift-ci bot requested review from cjeanner and rlandy September 25, 2024 13:49
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 25, 2024
@stuggi
Contributor Author

stuggi commented Sep 25, 2024

/pj-rehearse pull-ci-openstack-k8s-operators-keystone-operator-main-keystone-operator-build-deploy-kuttl

@openshift-ci-robot
Contributor

@stuggi: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@stuggi
Contributor Author

stuggi commented Sep 25, 2024

fips check passed using the custom image

+ oc -n openstack --request-timeout=300s debug node/oko-19-th9fk-master-0 -T -- chroot /host /usr/bin/bash -c 'podman run --authfile /var/lib/kubelet/config.json --privileged -i -v /:/myroot quay.io/mschuppe/check-payload:latest scan operator --spec docker.io/rdotripleomirror/keystone-operator:8d96aeb59f5a023da582-1838939914310258688 &> /tmp/fips-check-operator-scan.log'
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/oko-19-th9fk-master-0-debug-452t9 ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.0.35
If you don't see a command prompt, try pressing enter.

Removing debug pod ...
++ oc -n openstack --request-timeout=300s debug node/oko-19-th9fk-master-0 -- chroot /host bash -c 'cat /tmp/fips-check-operator-scan.log'
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/oko-19-th9fk-master-0-debug-zvrxk ...
To use host binaries, run `chroot /host`

Removing debug pod ...
+ REPORT_OUT='Trying to pull quay.io/mschuppe/check-payload:latest...
Getting image source signatures
Copying blob sha256:ea517ef3e8e1b9e7b32c8eb09983ef86717126973ce312d2f43462fb42600f44
Copying blob sha256:f2f6f7bfeb0c040b2c1170b22aac3ddafd1187b98b318108d3d125d659c74fbd
Copying blob sha256:cfee1e364206fe568071320670c2c0cfb53a5ccfc26ac4105a6fc45828013bca
Copying blob sha256:3059f6068401e6b82194cb486bf75573bd18356796e1010a73d575704723cc31
Copying blob sha256:122652faac59aaf8a4477e8ccee88ab28be0b83fabe892310680014b1a4da1c8
Copying blob sha256:62372d3f953fb92ce26a69afea3fee96837abba50e7b846868bef12e4c59dafe
Copying blob sha256:b2e87ff8444dd06dbec6fa519b8535277b590a034f45500b34cf9fb64abae429
Copying blob sha256:816b1f69cc6a96bcf246fb071012935e80e7193204a5a34a3c43e310dcfeda40
Copying blob sha256:1e968bfe4b57a24a9c11556b4a697e576dc9f525646bfb327fc74ed33707fcf6
Copying config sha256:df73cdb9862110d463c9abc014aacf7f845e3e96c66c443d47c44fa333552be5
Writing manifest to image destination
I0925 14:31:32.627011       1 main.go:315] using embedded config
I0925 14:31:32.628355       1 types_config.go:12] using config &{Components:[] FailOnWarnings:false FilterFile: FromFile: FromURL: InsecurePull:false Limit:-1 ContainerImageComponent: ContainerImage: OutputFile: OutputFormat:table Parallelism:5 Java:false PrintExceptions:false PullSecret: TimeLimit:1h0m0s Verbose:false UseRPMScan:false ConfigFile:{FilterFiles:[] FilterDirs:[/lib/firmware /lib/modules /usr/lib/.build-id /usr/lib/firmware /usr/lib/grub /usr/lib/modules /usr/share/app-info /usr/share/doc /usr/share/fonts /usr/share/icons /usr/share/openshift /usr/src/plugins /rootfs /sysroot] FilterImages:[] JavaDisabledAlgorithms:[DH keySize < 2048 TLSv1.1 TLSv1 SSLv3 SSLv2 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 DHE_DSS RSA_EXPORT DHE_DSS_EXPORT DHE_RSA_EXPORT DH_DSS_EXPORT DH_RSA_EXPORT DH_anon ECDH_anon DH_RSA DH_DSS ECDH 3DES_EDE_CBC DES_CBC RC4_40 RC4_128 DES40_CBC RC2 HmacMD5] CertifiedDistributions:[] PayloadIgnores:map[openshift-enterprise-pod-container:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/bin/pod] Dirs:[] Tags:[]}]} openshift-istio-cni-rhel8-container:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrLibcryptoSoMissing Files:[/opt/cni/bin/istio-cni-rhel9] Dirs:[] Tags:[]}]} openshift-virtualization-cdi-container:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoNotCgoEnabled Files:[/usr/bin/cdi-containerimage-server] Dirs:[] Tags:[]}]} openshift-virtualization-virt-container:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/bin/container-disk] Dirs:[] Tags:[]}]}] TagIgnores:map[] RPMIgnores:map[containernetworking-plugins:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[] Dirs:[/usr/libexec/cni] Tags:[]}]} cri-o:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/crio /usr/bin/crio-status] 
Dirs:[] Tags:[]} {Error:ErrNotDynLinked Files:[/usr/bin/pinns] Dirs:[] Tags:[]}]} cri-tools:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/crictl] Dirs:[] Tags:[]}]} glibc:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/sbin/ldconfig /sbin/ldconfig] Dirs:[] Tags:[]}]} glibc-common:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/sbin/build-locale-archive] Dirs:[] Tags:[]}]} ignition:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/lib/dracut/modules.d/30ignition/ignition] Dirs:[] Tags:[]}]} podman:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/podman /usr/libexec/podman/quadlet /usr/libexec/podman/rootlessport] Dirs:[] Tags:[]} {Error:ErrNotDynLinked Files:[/usr/libexec/podman/catatonit] Dirs:[] Tags:[]}]} podman-catatonit:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/libexec/catatonit/catatonit] Dirs:[] Tags:[]}]} runc:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/runc] Dirs:[] Tags:[]} {Error:ErrGoInvalidTag Files:[/usr/bin/runc] Dirs:[] Tags:[]} {Error:ErrGoMissingSymbols Files:[/usr/bin/runc] Dirs:[] Tags:[]} {Error:ErrLibcryptoMissing Files:[/usr/bin/runc] Dirs:[] Tags:[]}]} skopeo:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/skopeo] Dirs:[] Tags:[]}]} tini:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/bin/tini-static] Dirs:[] Tags:[]}]}] ErrIgnores:[]}}
I0925 14:31:32.628541       1 main.go:103] "scan" version="0.3.1-182-g0cecf468"
---- Successful run'
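
The log above is what a reviewer reads by eye: which scanner image ran, which operator image it scanned, and whether the report ends in `---- Successful run`. The following is an added example, not code from openshift/release or from check-payload, that does that reading mechanically and adds the check a supply-chain reviewer would want on this particular change: the temporary scanner `quay.io/mschuppe/check-payload:latest` is pulled by a mutable tag from a personal namespace, not by digest. The sample log is constructed (abbreviated from the output posted above); all function and class names are assumptions.

```python
"""Added example (not code from openshift/release or check-payload): turn a
fips-check job log into a CI verdict and flag an unpinned scanner image.
All names here are assumptions made for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, abbreviated from the log posted in the PR comment.
SAMPLE_LOG = """\
+ oc -n openstack --request-timeout=300s debug node/oko-19-th9fk-master-0 -T -- chroot /host /usr/bin/bash -c 'podman run --authfile /var/lib/kubelet/config.json --privileged -i -v /:/myroot quay.io/mschuppe/check-payload:latest scan operator --spec docker.io/rdotripleomirror/keystone-operator:8d96aeb59f5a023da582-1838939914310258688 &> /tmp/fips-check-operator-scan.log'
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (container "container-00" must not set securityContext.privileged=true)
Starting pod/oko-19-th9fk-master-0-debug-452t9 ...
I0925 14:31:32.627011       1 main.go:315] using embedded config
I0925 14:31:32.628541       1 main.go:103] "scan" version="0.3.1-182-g0cecf468"
---- Successful run'
"""

# registry/repo[:tag][@sha256:digest]. Short names without a registry are
# rejected on purpose: how they resolve depends on the host's registries.conf.
IMAGE_REF = re.compile(
    r"^(?P<registry>[^/\s]+)/(?P<repo>[^:@\s]+?)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
# The token right before "scan operator --spec" is the scanner image; the
# token after --spec is the operator image under test.
SCAN_CMD = re.compile(r"\s(?P<scanner>\S+)\s+scan\s+operator\s+--spec\s+(?P<target>\S+)")
SCAN_VERSION = re.compile(r'"scan" version="(?P<version>[^"]+)"')
RESULT_OK = "---- Successful run"


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repo: str
    tag: str | None
    digest: str | None

    @property
    def pinned(self) -> bool:
        """Only a digest names immutable content; a tag can be re-pushed."""
        return self.digest is not None


def parse_image_ref(ref: str) -> ImageRef:
    m = IMAGE_REF.match(ref)
    if m is None:
        raise ValueError(f"not a fully qualified image reference: {ref!r}")
    return ImageRef(m["registry"], m["repo"], m["tag"], m["digest"])


@dataclass(frozen=True)
class ScanOutcome:
    scanner: ImageRef
    target: ImageRef
    scanner_version: str | None
    passed: bool
    warnings: tuple[str, ...]


def evaluate_fips_log(log: str) -> ScanOutcome:
    """Extract scanner, target, scanner version and pass/fail from the job log."""
    cmd = SCAN_CMD.search(log)
    if cmd is None:
        raise ValueError("no 'scan operator --spec' invocation found in log")
    scanner = parse_image_ref(cmd["scanner"])
    target = parse_image_ref(cmd["target"])
    ver = SCAN_VERSION.search(log)
    # The report is captured into a shell variable (REPORT_OUT='...'), so the
    # last line carries a stray closing quote; strip it before comparing.
    passed = any(line.strip().strip("'") == RESULT_OK for line in log.splitlines())
    warnings: list[str] = []
    if not scanner.pinned:
        warnings.append(f"scanner {cmd['scanner']} is pulled by tag, not by digest")
    if scanner.tag == "latest":
        warnings.append("scanner uses the mutable 'latest' tag")
    return ScanOutcome(scanner, target, ver["version"] if ver else None, passed, tuple(warnings))


def ci_verdict(log: str, require_pinned_scanner: bool = False) -> bool:
    """Job gate: the scan must pass; optionally the scanner must be digest-pinned."""
    outcome = evaluate_fips_log(log)
    if require_pinned_scanner and not outcome.scanner.pinned:
        return False
    return outcome.passed


if __name__ == "__main__":
    result = evaluate_fips_log(SAMPLE_LOG)
    print(f"scanner={result.scanner} version={result.scanner_version} passed={result.passed}")
    for w in result.warnings:
        print("WARNING:", w)
```

With `require_pinned_scanner=False` the sample log passes, as it did in the job; with it set to `True` the same log fails the gate, because the verdict on the operator image is only as trustworthy as the scanner that produced it, and a `:latest` tag in a personal quay.io namespace resolves to whatever was pushed last. That is acceptable as the stop-gap this PR describes, but a digest reference (or the upstream image once openshift/check-payload#221 lands) is what a CI-wide policy should require.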

Contributor

openshift-ci bot commented Sep 25, 2024

@stuggi: all tests passed!

@stuggi
Contributor Author

stuggi commented Sep 25, 2024

/pj-rehearse ack

@openshift-ci-robot
Contributor

@stuggi: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci-robot openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Sep 25, 2024
Contributor

@olliewalsh olliewalsh left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 25, 2024
@dprince
Contributor

dprince commented Sep 25, 2024

/lgtm

Contributor

openshift-ci bot commented Sep 25, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprince, olliewalsh, stuggi

@fmount
Contributor

fmount commented Sep 25, 2024

+1 thank you @stuggi

@openshift-merge-bot openshift-merge-bot bot merged commit 7290e8f into openshift:master Sep 25, 2024
14 checks passed