application-inventory: use core-kit version for packages sourced from the bottlerocket-core-kit #304
92b8f81 to ad7af58
^ use the correct core kit RPM repo path, based on core kit name + vendor
ad7af58 to ffd809e
^ rename
Write the application inventory generated to build output directory
Signed-off-by: Gavin Inglis <giinglis@amazon.com>
ffd809e to 962cb9c
^ improve the comment about writing the inventory to local build output dir in addition to the image itself, and remove some unnecessary jq processing
962cb9c to a15d55b
^ fix bug in setting
a15d55b to b125e3a
^
Here's a script with a few potential simplifications:
The repo query seems a bit more complex than required; we can borrow a trick from The final |
b125e3a to 1ef38f8
^ retain the
In order for package version comparisons to be valid in the OOTB and kits style builds of Bottlerocket, application inventory is generated to list the version of a package by where it was sourced from. This will be the kit version.
This commit is a first iteration on this approach and must be extended in future work to apply to any external kit and not just the bottlerocket-core-kit, although that is the only external kit for now.
Signed-off-by: Gavin Inglis <giinglis@amazon.com>
1ef38f8 to 0127d3e
^ fix some bash lints, move
Nice work.
Description of changes:
In order for package version comparisons to be valid in the OOTB and
kits style builds of Bottlerocket, application inventory is generated to
list the version of a package by where it was sourced from. This will be
the kit version.
This is a first iteration on this approach and must be extended
in future work to apply to any external kit and not just the
bottlerocket-core-kit, although that is the only external kit for now.
This change will help resolve cases where downstream consumers of application inventory and security updates do not respect the Epoch field.
Testing done:
Local checkout of bottlerocket-os/bottlerocket#4060, built Bottlerocket and verified:
Given that the version of the core kit I was using matched Bottlerocket's version, for testing purposes I overrode `CORE_KIT_VERSION` to "2.0" to observe changes:
and a package that is not in core kit retains Bottlerocket's version:
Testing on a Bottlerocket 1.0.0
To test that these changes work as expected, I created an `aws-dev` variant, with a `release-version` of `1.0.0` in both `Twoliter.toml` and `Release.toml`. SSM reports inventory as expected:
And the generated app inventory is as expected:
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
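
The description above notes that some downstream consumers of application inventory do not respect the Epoch field. The following is an added example, not code from this pull request or from Bottlerocket, showing how the same pair of RPM versions compares differently when the epoch is dropped. It assumes a simplified version comparison (tilde and caret handling omitted), and the version strings are constructed for illustration.

```python
import re

def _segments(s):
    # Split into maximal runs of digits or letters; separators are dropped.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified RPM-style comparison of one version or release string.

    Returns -1, 0 or 1. Tilde and caret handling are omitted (assumption).
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(evr):
    """Split '[epoch:]version[-release]'; a missing epoch is treated as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def compare_evr(a, b, respect_epoch=True):
    """Compare two EVR strings; respect_epoch=False models a consumer that drops Epoch."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if respect_epoch and ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def needs_update(installed, fixed_in, respect_epoch=True):
    """True when the installed EVR sorts below the EVR an advisory lists as fixed."""
    return compare_evr(installed, fixed_in, respect_epoch) < 0

# Constructed sample: the installed package carries epoch 1, the advisory entry has none.
INSTALLED, FIXED_IN = "1:1.0.0-1", "1.20.0-1"

if __name__ == "__main__":
    print("epoch-aware consumer flags update:", needs_update(INSTALLED, FIXED_IN))
    print("epoch-blind consumer flags update:", needs_update(INSTALLED, FIXED_IN, False))
```

Reporting a single version string that orders correctly without an epoch, as this change does with the kit version, removes the dependence on how the consumer handles that field.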