
Test PR 225 (install/pre-install: Update containerd) #226

Closed

Conversation

wainersm
Member

I'm trying to merge #179 before PR #225 so that the latter would be tested before merge. However, PR #179 is blocked due to what seem to be network issues on the SEV and TDX machines when it comes to building the pre-install image.

As we are approaching the 0.7.0 release I think it is more prudent to unblock the merge of #225. So in this PR, where I piled up #225 on #179, I will run the non-TEE test jobs. After the merge of #225 and when a new pre-install image is built, we will have the opportunity to test the updated containerd on SEV and TDX (as the pre-install image won't be built on those machines I expect the test suite to just run).

That's my rationale for this PR. Marking as do-not-merge.

When building the pre-install-payload image for CI it needs to pull/push
the image from a local registry that is not protected. The `docker
manifest` commands (e.g. create) refuse to connect to an insecure
registry by default, therefore the pre-install-payload build fails. That
can be solved by passing the --insecure flag to `docker manifest`, thus
this change allows passing extra flags to that command.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Currently changes on the install/pre-install-payload directory aren't tested
because the scripts aren't re-building the pre-install-payload image.
With this change the image will always be built and used.

Two more dependencies were added:
- kustomize: used to edit the kustomization file so as to update the pre-install-payload
  image
- qemu-user-static: used by docker buildx to build the pre-install-payload image for
  multiple architectures. It also needs to pass `--insecure` to the
  `docker manifest` commands because the image is pushed/pulled to a local
  insecure registry, otherwise `docker manifest` fails

Fixes confidential-containers#177
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
@wainersm
Member Author

/test-kata-qemu
/test-kata-clh

@wainersm
Member Author

On both the kata-clh and kata-qemu jobs we are getting connectivity issues when building the pre-install image:

```
09:42:53 #9 96.23 E: Failed to fetch https://packages.cloud.google.com/apt/dists/kubernetes-xenial/main/binary-s390x/by-hash/SHA256/5347fddf3a45c1f4bef10ba934363533f13544e91c325ce8a276bcfbf3ef1f01  404  Not Found [IP: 172.253.115.101 443]
09:42:53 #9 96.23 E: Some index files failed to download. They have been ignored, or old ones used instead.
09:42:53 #9 ERROR: process "/bin/bash -o pipefail -c apt-get update && apt-get install -y --no-install-recommends apt-transport-https ca-certificates curl xz-utils systemd && mkdir -p /etc/apt/keyrings/ && curl -fsSLo /etc/apt/keyrings/kubernetes-archive-keyring.gpg https://dl.k8s.io/apt/doc/apt-key.gpg && echo \"deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main\" | tee /etc/apt/sources.list.d/kubernetes.list && apt-get update && apt-get install -y --no-install-recommends kubectl && apt-get clean && rm -rf /var/lib/apt/lists/ && curl -fOL --progress-bar https://github.com/confidential-containers/containerd/releases/download/v${VERSION}/containerd-${VERSION}-linux-${ARCH}.tar.gz && tar xvzpf containerd-${VERSION}-linux-${ARCH}.tar.gz -C ${DESTINATION}/opt/confidential-containers" did not complete successfully: exit code: 100
09:42:53 ------
```

@jepio
Member

jepio commented Jul 18, 2023

This might be a long shot, but can you replace the repo URL with
http://packages.cloud.google.com/apt/ instead of https://apt.kubernetes.io/ (the http is intentional)?

Otherwise (if that doesn't help) let's do as you suggested: fetch kubectl with curl directly.

@wainersm
Member Author

> This might be a long shot but can you replace the repo url with: http://packages.cloud.google.com/apt/ instead of https://apt.kubernetes.io/ (the http is intentional).
>
> Otherwise (if that doesn't help) lets do like you suggested: fetch kubectl with curl directly.

hmmm... trying this solution first: 91e2c8a

@wainersm
Member Author

/test-kata-qemu
/test-kata-clh

@wainersm
Member Author

Forgot to install gpg in the container... let's see:

/test-kata-qemu
/test-kata-clh

wainersm and others added 2 commits July 18, 2023 21:42
Currently we install the kubectl package from Google Cloud, but it
has been problematic due to many networking and certificate issues
like the one below. Instead, let's pull and install the kubectl binary (not
packaged).

```
10:37:14 confidential-containers#9 9.663 Err:2 https://packages.cloud.google.com/apt kubernetes-xenial InRelease
10:37:14 confidential-containers#9 9.663   The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
10:37:14 confidential-containers#9 9.681 Hit:5 http://archive.ubuntu.com/ubuntu focal-backports InRelease
10:37:15 confidential-containers#9 9.824 Reading package lists...
10:37:15 confidential-containers#9 10.81 W: GPG error: https://packages.cloud.google.com/apt kubernetes-xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
10:37:15 confidential-containers#9 10.81 E: The repository 'https://apt.kubernetes.io/ kubernetes-xenial InRelease' is not signed.
```

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
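Pulling the binary directly drops the apt signature check the old package path gave, so the fetch should verify the digest published next to the release. As an added example (not the PR's Dockerfile change), a shell fetch that refuses to install kubectl when its SHA-256 does not match; the URL layout is the Kubernetes release download convention, and the version, architecture and destination are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example: fetch a kubectl release binary and verify its published
# SHA-256 before installing it. Version, arch and destination are assumptions.
set -eu

# Compute the SHA-256 of a file, portable across coreutils and BSD userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the expected hex digest, 1 otherwise.
# The expected value is lower-cased and stripped of any "  filename" suffix so
# the raw contents of a .sha256 file can be passed through unchanged.
verify_sha256() {
    local file="$1" expected
    expected=$(printf '%s' "$2" | awk '{print tolower($1)}')
    [ "$(sha256_of "$file")" = "$expected" ]
}

# Download kubectl VERSION for ARCH into DEST, installing it only when the
# digest published alongside the binary matches. (Needs network; not run by
# the offline test.)
fetch_kubectl() {
    local version="$1" arch="$2" dest="$3"
    local base="https://dl.k8s.io/release/${version}/bin/linux/${arch}"
    local tmp
    tmp=$(mktemp -d)
    curl -fsSLo "${tmp}/kubectl" "${base}/kubectl"
    curl -fsSLo "${tmp}/kubectl.sha256" "${base}/kubectl.sha256"
    if ! verify_sha256 "${tmp}/kubectl" "$(cat "${tmp}/kubectl.sha256")"; then
        echo "kubectl ${version}/${arch}: checksum mismatch, not installing" >&2
        rm -rf "$tmp"
        return 1
    fi
    install -m 0755 "${tmp}/kubectl" "${dest}/kubectl"
    rm -rf "$tmp"
}
```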
Update containerd version now we have a new release

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@wainersm
Member Author

Updated this PR to include the commit cf3aaef which changed the pre-install Dockerfile to pull the kubectl binary, instead of installing via package which has been a nightmare.

/test-kata-qemu
/test-kata-clh

@stevenhorsman
Member

/test

@stevenhorsman
Member

SEV tests have failed with:

```
10:37:06 + docker manifest push --insecure localhost:5000/container-engine-for-cc-payload:latest
10:37:06 failed to put manifest localhost:5000/container-engine-for-cc-payload:latest: errors:
10:37:06 manifest blob unknown: blob unknown to registry
10:37:06 manifest blob unknown: blob unknown to registry
10:37:06 manifest blob unknown: blob unknown to registry
10:37:06 manifest blob unknown: blob unknown to registry
10:37:06 manifest blob unknown: blob unknown to registry
10:37:06 manifest blob unknown: blob unknown to registry
```

and

```
11:31:13 fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failure downloading https://go.dev/dl/go1.18.5.linux-amd64.tar.gz, Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>"}
```

I've requeued, so hoping for third time lucky

@stevenhorsman
Member

stevenhorsman commented Jul 19, 2023

The third SEV attempt failed with:

```
13:07:22 + docker manifest push --insecure localhost:5000/container-engine-for-cc-payload:8056fd0d9fc0b4e2bb3201bc939b85ad414ce9a4
13:07:22 failed to put manifest localhost:5000/container-engine-for-cc-payload:8056fd0d9fc0b4e2bb3201bc939b85ad414ce9a4: errors:
13:07:22 manifest blob unknown: blob unknown to registry
13:07:22 manifest blob unknown: blob unknown to registry
13:07:22 
13:07:22 make: *** [Makefile:8: containerd-container-image] Error 1
```

again, so I'm not going to try and re-do it a fourth time. @UnmeshDeodhar @ryansavino - do you have any ideas? Any reason why the node can't build the new container image?

@wainersm
Member Author

> The third sev attempt failed with:
>
> ```
> 13:07:22 + docker manifest push --insecure localhost:5000/container-engine-for-cc-payload:8056fd0d9fc0b4e2bb3201bc939b85ad414ce9a4
> 13:07:22 failed to put manifest localhost:5000/container-engine-for-cc-payload:8056fd0d9fc0b4e2bb3201bc939b85ad414ce9a4: errors:
> 13:07:22 manifest blob unknown: blob unknown to registry
> 13:07:22 manifest blob unknown: blob unknown to registry
> 13:07:22 
> 13:07:22 make: *** [Makefile:8: containerd-container-image] Error 1
> ```
>
> again, so I'm not going to try and re-do it a fourth time. @UnmeshDeodhar @ryansavino - do you have any ideas? Any reason why the node can't built the new container image?

It is failing to push the image to a local registry. I'm almost sure I saw that error before but can't remember the reason. As I commented on PR #225, I think we can disregard the SEV results, merge that PR, then test again with the newly built image.

@wainersm
Member Author

I am going to close this as the PR #225 is merged already.

@wainersm wainersm closed this Jul 19, 2023