Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Base entrypoint image on distroless #2562

Closed
wants to merge 1 commit into from
Closed

Base entrypoint image on distroless #2562

wants to merge 1 commit into from

Conversation

imjasonh
Copy link
Member

@imjasonh imjasonh commented May 6, 2020

The only reason it was based on busybox was to have access to cp,
which it used to copy its binary to /tekton/tools for use in later
steps.

Instead of relying on cp, this adds a "cp mode" to the entrypoint
binary itself. When invoked with the positional args cp <src> <dst>,
it copies src to dst using Go's os and io packages.

/hold for discussion

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

Release Notes

Entrypoint image is no longer based on busybox, now based on distroless like other images.

@tekton-robot tekton-robot requested review from dibyom and a user May 6, 2020 14:48
@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign imjasonh
You can assign the PR to them by writing /assign @imjasonh in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 6, 2020
@imjasonh imjasonh force-pushed the entrypoint-cp branch 2 times, most recently from 25b2feb to 7adde75 Compare May 6, 2020 18:03
chmouel
chmouel reviewed May 7, 2020
View reviewed changes
cmd/entrypoint/main.go Outdated
}
defer s.Close()

d, err := os.OpenFile(dst, os.O_RDWR|os.O_CREATE, 0777)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is 777 what we want? isnt that 644 the default?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default for os.Create is 0666. With that, or 0644, subsequent steps fail with exec: \"/tekton/tools/entrypoint\": permission denied": unknown because the other group doesn't have permission to execute.

0667 works, or as little as 0311 (owner can write, anybody can execute), but I didn't really feel strongly about limiting permissions on the executable. I can knock it down to 0311 though.

@imjasonh
Base entrypoint image on distroless
d51fa66 
The only reason it was based on busybox was to have access to `cp`,
which it used to copy its binary to /tekton/tools for use in later
steps.

Instead of relying on `cp`, this adds a "cp mode" to the entrypoint
binary itself. When invoked with the positional args `cp <src> <dst>`,
it copies src to dst using Go's os and io packages.
@mattmoor
Copy link
Member

mattmoor commented May 7, 2020

If you were to just create ./cmd/tools/cp with the needed CLI surface, then you could avoid the entrypoint juggling when using this, and I bet the image would be microscopic.

@imjasonh
Copy link
Member Author

imjasonh commented May 11, 2020
edited
Loading

If you were to just create ./cmd/tools/cp with the needed CLI surface, then you could avoid the entrypoint juggling when using this, and I bet the image would be microscopic.

That would only work if I somehow got the cp binary into the same step as the entrypoint binary, to be able to copy it out to the shared volume. I guess that would be possible with (pseudocode):

initContainers:
# Use `cp` to copy `cp` to /tekton/tools
- image: ko://github.com/tektoncd/pipeline/cmd/cp
  command: ['/ko-app/cp', '/ko-app/cp', '/tekton/tools/cp']
  volumeMounts:
  - name: tekton-tools
    mountPath: /tekton/tools
# Use `cp` to copy `entrypoint` to /tekton/tools
- image: ko://github.com/tektoncd/pipeline/cmd/entrypoint
  command: ['/tekton/tools/cp', '/ko-app/entrypoint', '/tekton/tools/entrypoint']
  volumeMounts:
  - name: tekton-tools
    mountPath: /tekton/tools
...

Is that more straightforward than having a cp-mode for the single entrypoint binary? Maybe? I'm not sure.

@mattmoor
Copy link
Member

Yeah, sorry wires crossed in my head. I thought this was to enable more direct usage of cp, but this is exactly what I did in warmimage for rewriting entrypoints 😇

@imjasonh
Copy link
Member Author

Yeah, sorry wires crossed in my head. I thought this was to enable more direct usage of cp, but this is exactly what I did in warmimage for rewriting entrypoints 😇

For future reference, warm-image's sleeper binary takes a -mode flag that tells it to either sleep ~forever, or copy the binary itself to a destination:

https://github.com/mattmoor/warm-image/blob/8f6fd7efd2ebc47745f0a679e7b327c50722c089/cmd/sleeper/main.go#L31

@imjasonh
Copy link
Member Author

Closing in favor of #2606 for now.

@imjasonh imjasonh closed this May 12, 2020
@afrittoli afrittoli mentioned this pull request May 19, 2020
Merged
3 tasks
@imjasonh imjasonh mentioned this pull request Jun 4, 2020
Closed
@imjasonh
Copy link
Member Author

With ko gaining multi-arch support, this change is becoming a bit more relevant, since it makes every TaskRun require a cp binary in the base image, which makes it harder to support multi-arch support in Tekton.

I've rebased this on master and I'd like to see if we think this is still the right way forward.

/reopen

But still:
/hold

@tekton-robot
Copy link
Collaborator

@imjasonh: Failed to re-open PR: state cannot be changed. The entrypoint-cp branch was force-pushed or recreated.

In response to this:

With ko gaining multi-arch support, this change is becoming a bit more relevant, since it makes every TaskRun require a cp binary in the base image, which makes it harder to support multi-arch support in Tekton.

I've rebased this on master and I'd like to see if we think this is still the right way forward.

/reopen

But still:
/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 26, 2020
@imjasonh imjasonh mentioned this pull request Sep 26, 2020
Merged
@imjasonh
Copy link
Member Author

Can't reopen this, created #3286 instead 🤷‍♂️

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chmouel chmouel chmouel left review comments

@dibyom dibyom Awaiting requested review from dibyom

Assignees
No one assigned
Labels
do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@imjasonh @tekton-robot @mattmoor @chmouel