use unauthenticated base image for machine exec rhel.Dockerfile (and update downstream sync scripts to handle downstreaming) #19593

Closed
nickboldt opened this issue Apr 14, 2021 · 6 comments
Assignees
Labels
kind/bug Outline of a bug - must adhere to the bug report template. severity/P2 Has a minor but important impact to the usage or development of the system.

Comments

@nickboldt
Contributor

nickboldt commented Apr 14, 2021

Describe the bug

The machine exec rhel.Dockerfile is evidently never used in any PR checks, as it requires authenticated access to the RHEC registry:

# https://access.redhat.com/containers/?tab=tags#/registry.access.redhat.com/rhel8/go-toolset
FROM registry.redhat.io/rhel8/go-toolset:1.14.12-5 as builder

This should use the same value as in the plugin brokers:

# https://access.redhat.com/containers/?tab=tags#/registry.access.redhat.com/devtools/go-toolset-rhel7
FROM registry.access.redhat.com/devtools/go-toolset-rhel7:1.14.12-4.1608220101 as builder
ENV PATH=/opt/rh/go-toolset-1.14/root/usr/bin:$PATH \

Once this change is applied, we'll also need to ensure that downstreaming jobs are updated to use the updated base image too:

@nickboldt nickboldt added the kind/bug Outline of a bug - must adhere to the bug report template. label Apr 14, 2021
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Apr 14, 2021
@nickboldt nickboldt added severity/P2 Has a minor but important impact to the usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Apr 14, 2021
@nickboldt nickboldt removed their assignment Apr 14, 2021
@nickboldt
Contributor Author

Related to / blocks #18831

@nickboldt
Contributor Author

From Mykhailo:

Dependabot for che-machine-exec dockerfiles has been merged today. It has proposed some updates https://github.com/eclipse-che/che-machine-exec/pulls/app%2Fdependabot , while also complaining about the image in a private registry https://github.com/eclipse-che/che-machine-exec/network/updates/114242756 .

updater | INFO <job_114242756> Handled error whilst updating rhel8/go-toolset: private_source_authentication_failure {:source=>"registry.redhat.io"}

So we should definitely switch to an unauth'd base image

nickboldt added a commit to eclipse-che/che-machine-exec that referenced this issue May 6, 2021
…olset instead of registry.redhat.io/ubi8/go-toolset to make dependabot happier

Change-Id: I0e9d86896306b6eb4c7504c3bd89d5d95e416f1a
Signed-off-by: nickboldt <nboldt@redhat.com>
@nickboldt
Contributor Author

nickboldt commented May 6, 2021

possible fix in eclipse-che/che-machine-exec#159

But also noteworthy is that both the go-toolset-rhel7 and ubi8/go-toolset images are showing this notice:

End of life notice: The Go Toolset container image will be retired in May 2021 with the RHEL 8.4 release. 
The Go Toolset is available in the ubi8 repo for building ubi8 based containers.

So... we might have to move to ubi8:8.4 base image in future.

benoitf pushed a commit to eclipse-che/che-machine-exec that referenced this issue May 6, 2021
…olset instead of registry.redhat.io/ubi8/go-toolset to make dependabot happier

Change-Id: I0e9d86896306b6eb4c7504c3bd89d5d95e416f1a
Signed-off-by: nickboldt <nboldt@redhat.com>
@nickboldt
Contributor Author

The above fix should work as it looks like the same fix I've used elsewhere...

che-incubator/configbump@625e7e2

@nickboldt
Contributor Author

when syncing from rhel.Dockerfile in upstream to Dockerfile in downstream, we already do this:

          sed -i ''' + TARGET_DIR + '''/Dockerfile \
            -e "s#FROM registry.redhat.io/#FROM #g" \
            -e "s#FROM registry.access.redhat.com/#FROM #g"

So the second part of this task "and update downstream sync scripts to handle downstreaming" is already done.
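
Added example, not part of the original thread or of the che-machine-exec repository: a POSIX shell check that flags `FROM` lines pulling from the authenticated `registry.redhat.io`, plus the two sync substitutions quoted above applied to both the old and the new base image. The function names and the sample Dockerfiles are constructed for illustration; the image references are the ones quoted in this issue.

```shell
#!/bin/sh
# Added example: names and sample files below are constructed for illustration.

# List FROM lines that pull from the authenticated registry (registry.redhat.io).
# Exit status 0 means at least one was found; 1 means the file is clean.
find_authenticated_bases() {
    grep -nE '^[[:space:]]*FROM[[:space:]]+(--[^[:space:]]+[[:space:]]+)*registry\.redhat\.io/' "$1"
}

# The two substitutions quoted in the thread for the downstream sync,
# written to stdout here instead of editing the file in place.
strip_registry_prefix() {
    sed -e "s#FROM registry.redhat.io/#FROM #g" \
        -e "s#FROM registry.access.redhat.com/#FROM #g" "$1"
}

# Constructed sample files using the image references quoted in this issue.
demo_dir=$(mktemp -d)
printf '%s\n' 'FROM registry.redhat.io/rhel8/go-toolset:1.14.12-5 as builder' \
    > "$demo_dir/before.Dockerfile"
printf '%s\n' 'FROM registry.access.redhat.com/ubi8/go-toolset:1.14.12-17.1618436992 as builder' \
    > "$demo_dir/after.Dockerfile"

for f in "$demo_dir/before.Dockerfile" "$demo_dir/after.Dockerfile"; do
    if find_authenticated_bases "$f" >/dev/null; then
        echo "FAIL $(basename "$f"): base image needs registry.redhat.io credentials"
    else
        echo "OK   $(basename "$f"): no registry.redhat.io base image"
    fi
    # Both variants collapse to a registry-less FROM line downstream.
    strip_registry_prefix "$f"
done
rm -rf "$demo_dir"
```

Run as a PR check, `find_authenticated_bases` catches the condition that Dependabot reported as `private_source_authentication_failure` before the Dockerfile is merged.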

@nickboldt nickboldt assigned nickboldt and unassigned mkuznyetsov May 6, 2021
@nickboldt
Contributor Author

verified works:

updater | INFO <job_119029084> Checking if ubi8/go-toolset 1.14.12-17.1618436992 needs updating
  proxy | 2021/05/06 17:01:40 [044] GET https://registry.access.redhat.com:443/v2/ubi8/go-toolset/tags/list
  proxy | 2021/05/06 17:01:41 [044] 302 https://registry.access.redhat.com:443/v2/ubi8/go-toolset/tags/list
  proxy | 2021/05/06 17:01:41 [046] GET https://registry.access.redhat.com:443/webassets/docker/content/dist/containers/rhel8/multiarch/appstream/containers/redhat-ubi8-go-toolset/tags/list
  proxy | 2021/05/06 17:01:41 [046] 200 https://registry.access.redhat.com:443/webassets/docker/content/dist/containers/rhel8/multiarch/appstream/containers/redhat-ubi8-go-toolset/tags/list
  proxy | 2021/05/06 17:01:41 [048] HEAD https://registry.access.redhat.com:443/v2/ubi8/go-toolset/manifests/latest
  proxy | 2021/05/06 17:01:41 [048] 302 https://registry.access.redhat.com:443/v2/ubi8/go-toolset/manifests/latest
  proxy | 2021/05/06 17:01:41 [050] HEAD https://registry.access.redhat.com:443/webassets/docker/content/dist/containers/rhel8/multiarch/appstream/containers/redhat-ubi8-go-toolset/manifests/list/latest
  proxy | 2021/05/06 17:01:41 [050] 200 https://registry.access.redhat.com:443/webassets/docker/content/dist/containers/rhel8/multiarch/appstream/containers/redhat-ubi8-go-toolset/manifests/list/latest
updater | INFO <job_119029084> Latest version is 1.14.12-17.1618436992
updater | INFO <job_119029084> No update needed for ubi8/go-toolset 1.14.12-17.1618436992
