CASMHMS-6018 Pre-signed URL support root=live:
#59
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
👋 Hey! Here is the image we built for you (Artifactory Link): artifactory.algol60.net/csm-docker/unstable/cray-bss-hmth-test:1.25.0-20230523193649.3d629e8Use podman or docker to pull it down and inspect locally: podman pull artifactory.algol60.net/csm-docker/unstable/cray-bss-hmth-test:1.25.0-20230523193649.3d629e8Or, use this script to pull the image from the build server to a dev system: Dev System Pull Script
#!/usr/bin/env bash
IMAGE=artifactory.algol60.net/csm-docker/unstable/cray-bss-hmth-test:1.25.0-20230523193649.3d629e8
podman run --rm --network host \
quay.io/skopeo/stable copy \
--src-tls-verify=false \
--dest-tls-verify=false \
--dest-username "$(kubectl -n nexus get secret nexus-admin-credential -o json | jq -r '.data.username | @base64d')" \
--dest-password "$(kubectl -n nexus get secret nexus-admin-credential -o json | jq -r '.data.password | @base64d')" \
docker://$IMAGE \
docker://registry.local/$IMAGESnyk ReportComing soon Software Bill of Materialscosign download sbom artifactory.algol60.net/csm-docker/unstable/cray-bss-hmth-test:1.25.0-20230523193649.3d629e8 > container_image.spdxIf you don't have cosign, then you can get it here. Note: this SHA is the merge of 0a1196f and the PR base branch. Good luck and make rocket go now! 🌮 🚀 |
|
👋 Hey! Here is the image we built for you (Artifactory Link): artifactory.algol60.net/csm-docker/unstable/cray-bss:1.25.0-20230523193637.3d629e8Use podman or docker to pull it down and inspect locally: podman pull artifactory.algol60.net/csm-docker/unstable/cray-bss:1.25.0-20230523193637.3d629e8Or, use this script to pull the image from the build server to a dev system: Dev System Pull Script
#!/usr/bin/env bash
IMAGE=artifactory.algol60.net/csm-docker/unstable/cray-bss:1.25.0-20230523193637.3d629e8
podman run --rm --network host \
quay.io/skopeo/stable copy \
--src-tls-verify=false \
--dest-tls-verify=false \
--dest-username "$(kubectl -n nexus get secret nexus-admin-credential -o json | jq -r '.data.username | @base64d')" \
--dest-password "$(kubectl -n nexus get secret nexus-admin-credential -o json | jq -r '.data.password | @base64d')" \
docker://$IMAGE \
docker://registry.local/$IMAGESnyk ReportComing soon Software Bill of Materialscosign download sbom artifactory.algol60.net/csm-docker/unstable/cray-bss:1.25.0-20230523193637.3d629e8 > container_image.spdxIf you don't have cosign, then you can get it here. Note: this SHA is the merge of 0a1196f and the PR base branch. Good luck and make rocket go now! 🌮 🚀 |
shunr-hpe
reviewed
May 23, 2023
rustydb
force-pushed
the
CASMHMS-6018
branch
3 times, most recently
from
4a0c6a2
to
142fc7e
Compare
Add pre-signed URL support for `root=live:` parameters, allowing users to boot with pre-signed URLs from native dracut modules.
shunr-hpe
approved these changes
May 23, 2023
jnowicki-hpe
approved these changes
May 23, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary and Scope
EXPLAIN WHY THIS PR IS NECESSARY. WHAT IS IMPACTED?
IS THIS A NEW FEATURE OR CRITICAL BUG FIX? SUMMARIZE WHAT CHANGED.
For CSM Application, Compute, and Hypervisor images there is a need offer boot support for native dracut.
Native dracut uses the
root=live:<url>parameter to determine where to pull the LIVE image from. Since our images are served from private S3 buckets, we use pre-signed URLs to facilitate image pulls on our nodes. Currently we only provide pre-signed URLs to themetal.servercommand line parameter, in order to support dracut's own LIVE image booting we need to support theroot=live:<url>parameter as well.DOES THIS CHANGE INVOLVE ANY SCHEME CHANGES? Y/N
No.
REMINDER: HAVE YOU INCREMENTED VERSION NUMBERS? E.G., .spec, Chart.yaml, .version, CHANGELOG.md
Yes.
REMINDER 2: HAVE YOU UPDATED THE COPYRIGHT PER hpe GUIDELINES: (C) Copyright 2014-2021 Hewlett Packard Enterprise Development LP ? Y/N
N/A
Issues and Related PRs
LIST AND CHARACTERIZE RELATIONSHIP TO JIRA ISSUES AND OTHER PULL REQUESTS. BE SURE LIST DEPENDENCIES.
Testing
Tested on:
mugWHAT WAS THE EXTENT OF TESTING PERFORMED? MANUAL VERSUS AUTOMATED TESTS (UNIT/SMOKE/OTHER)
HOW WERE CHANGES VERIFIED TO BE SUCCESSFUL?
Images using
metal.serverandroot=live:<url>successfully booted.Prior to this change,
root=live:s3://was not being replaced with a pre-signed URL:Following this change the URL was updated accordingly and the node received a pre-signed URL at
root=live:<pre-signed URL>.Risks and Mitigations
This is low-risk, it adds a new expression to the
regexfor matching applicable command line parameters to replace. The original regular expression still matches the same tokens.