Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resolves #1124: Always scan the repository for provided scripts #1125

Merged
merged 4 commits into from
Nov 3, 2023
Merged

Resolves #1124: Always scan the repository for provided scripts #1125

merged 4 commits into from
Nov 3, 2023

Conversation

cuppett
Copy link
Member

@cuppett cuppett commented Aug 11, 2023

Whether the base image provides the scripts or not, the repository can supply override scripts. Removes the expectation/need of a location specified in the image.

Whether the base image provides the scripts or not, the repository can supply override scripts.
Removes the expectation/need of a location specified in the image.
@openshift-ci openshift-ci bot requested review from divyansh42 and jkhelil August 11, 2023 13:33
@bparees
Copy link
Contributor

bparees commented Aug 11, 2023

i think we're lacking some fundamental clarity about the precedence ordering of scripts.

i think it should be:

  1. use the scripts url the user provided in the config/command line (weirdly we seem to have two args for this --image-script-url and --scripts-url (as well as the deprecated --scripts). I think the intent was that image-scripts-url was supposed to point to a location within the image while scripts-url could point pretty much anywhere, but i'm not seeing the code actually differentiate on those two args in that way.

  2. use the scripts found in the source repo (this needs to be second to (1) so that a user can do a build in which they override whatever scripts the repo might happen to provide)

  3. use the scripts url specified by the builder image in the builder image's labels.

The existing code, prior to this PR, does not prioritize scripts in the repository. So in that sense this is a good change.

However the change also now prioritizes scripts from the repo over whatever config/args the user might have provided at runtime to indicate where they want to get their scripts from, meaning that you have to delete the scripts from your repository to be able to use an alternate location. Which potentially changes the behavior for existing users who are passing --scripts-url because that arg will now have no effect. (use of --image-scripts-url is, i think, unaffected because getImageScripts was already returning "false" for that arg, meaning we'd still scan the repo for scripts and use them, which is at least one of the differences between --image-scripts-url and --scripts-url).

tldr: i think this needs a little more thought/study to straighten out the interactions of the various ways of providing scripts. The other subtly here is that there's an intent to union together the sources of scripts (e.g. you might get your assemble script from the local repo, but the run script might still come from the builder image). Looking at this code(both the original and the patch) i'm not sure how all that comes together at the moment.

we also need to compare this behavior with the behavior when we directly build the image (the code path being modified here is only for the "create a dockerfile" mode, not the "invoke docker build mode" which is somewhat different) and ensure we're being consistent in how scripts are chosen between the two modes.

@cuppett
Copy link
Member Author

cuppett commented Aug 24, 2023

  1. use the scripts url the user provided in the config/command line (weirdly we seem to have two args for this --image-script-url and --scripts-url (as well as the deprecated --scripts). I think the intent was that image-scripts-url was supposed to point to a location within the image while scripts-url could point pretty much anywhere, but i'm not seeing the code actually differentiate on those two args in that way.

In my s2i command I was using to test this, I didn't specify any command line args like that (only had the annotation in the image and the stuff in the local repo). I didn't see where these would be distinguishable in the fragment of code I was looking at; it must be further upstream where that is lost.

I'll get back to this if somebody else doesn't first.

/hold if we can (I'm looking for the WIP toggle too)

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 24, 2023
@cuppett cuppett marked this pull request as draft August 24, 2023 12:35
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 24, 2023
@coreydaley
Copy link
Member

/test all

Whether the base image provides the scripts or not, the repository can supply override scripts.
Removes the expectation/need of a location specified in the image.
@cuppett
Copy link
Member Author

cuppett commented Oct 27, 2023

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 27, 2023
@cuppett cuppett marked this pull request as ready for review October 27, 2023 13:27
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 27, 2023
@cuppett
Copy link
Member Author

cuppett commented Oct 27, 2023

Have reworked this PR to honor the documented ordering and pick up the .s2i scripts in the local repository in the right spot. Re-ran my checks and saw the right behaviors.

I noticed that annotations or command line parameters which might use http:// or file:// aren't really considered/used in the dockerfile.go (they could be checked/fetched and merged into the resolved list), but I didn't try to resolve any of that.

@openshift-ci openshift-ci bot requested a review from coreydaley October 27, 2023 13:29
@coreydaley
Copy link
Member

/assign

@coreydaley
Copy link
Member

/assign @bparees
Do you want to give this a once-over since you had a very opinionated comment about how it should work?

@bparees
Copy link
Contributor

bparees commented Oct 31, 2023

Do you want to give this a once-over since you had a very opinionated comment about how it should work?

i'd prefer you internalize the summary i gave of how this is supposed to work and assess whether this PR achieves that behavior (or ask me questions about my summary if you think it's incorrect or unclear in the expectations it sets).

Copy link
Contributor

openshift-ci bot commented Nov 2, 2023

@cuppett: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security 63fa22d link false /test security

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

}
if strings.HasPrefix(config.ImageScriptsURL, "image://") {
return strings.TrimPrefix(config.ImageScriptsURL, "image://"), false
return strings.TrimPrefix(config.ImageScriptsURL, "image://"), providedScripts
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this return make(map[string]bool) instead according to it's previous use?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think so. This function has been expanded to merge the precedence order (which was the issue with the previous version).

In this case, when scripts have been found in the local repo, but then in the 3rd and 4th priority cases where an annotation or fallback exists, we should merge/override with the scripts from the local repo.

The only correct spot to return an empty found map is when we have a command line parameter pointing to image:/// location (because we won't know and don't inspect the image to see which scripts may be there, so it's unilateral).

It'd be worthwhile in a future enhancement to understand more deeply how we should handle or inspect when file:/// or http:// are indicated for these ordered search locations. I couldn't see where that it's inspected anywhere and didn't try it.

},
}
for _, tc := range cases {
output, hasScripts := getImageScriptsDir(tc.Config)
output, _ := getImageScriptsDir(tc.Config, &(Dockerfile{}))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't some of these tests check for the returned map and it's contents (or lack thereof) since the hasScripts bool is being changed?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The tests here were pretty deficient from what I saw. It only tested a "true" condition and empty map without providing any file-based overrides.

I could revise this to plop &(Dockerfile{}) in the stanzas like the "true" previously; however, it would just confuse reviewers again next time that there is an actual validation here (versus it being static/empty in all cases). I think this representation more accurately matches the current and previous value of what the test was providing us.

I looked briefly at how to mock filesystem entries but I think I'll make a bigger mess before I provide more value.

@cuppett cuppett requested a review from coreydaley November 3, 2023 11:44
@coreydaley
Copy link
Member

/lgtm

@coreydaley
Copy link
Member

/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 3, 2023
Copy link
Contributor

openshift-ci bot commented Nov 3, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: coreydaley, cuppett

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

1 similar comment
Copy link
Contributor

openshift-ci bot commented Nov 3, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: coreydaley, cuppett

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 3, 2023
@openshift-ci openshift-ci bot merged commit 13eb773 into openshift:master Nov 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants