Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Defensive code in pull-sandbox-image.sh for custom AMI(s) #1648

Closed
wants to merge 1 commit into from
Closed

[WIP] Defensive code in pull-sandbox-image.sh for custom AMI(s) #1648

wants to merge 1 commit into from

Conversation

dims
Copy link
Member

@dims dims commented Feb 9, 2024

  • Bailout if sandbox_image is not even present (or commented out) in a custom config.toml (created by customer on top of our AMI as base or injected via user data)
  • Bailout if the sandbox_image points to something where there is no region! (could be a public community pause image or a public/private/air-gapped repository of some sort - basically non ECR)

@dims
Defensive code in pull-sandbox-image.sh for custom AMI(s)
c07955a 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
@dims dims changed the title Defensive code in pull-sandbox-image.sh for custom AMI(s) [WIP] Defensive code in pull-sandbox-image.sh for custom AMI(s) Feb 9, 2024
@dims
Copy link
Member Author

dims commented Feb 9, 2024

cc @ndbaker1 @cartermckinnon

ndbaker1
ndbaker1 reviewed Feb 9, 2024
View reviewed changes
files/pull-sandbox-image.sh
Comment on lines 19 to +21
region=$(echo "${sandbox_image}" | cut -f4 -d ".")
### skip if we don't find a region in the sandbox image
if [[ -z ${region:-} ]]; then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just because we parse a non-empty region doesn't mean its valid right?
registry.k8s.io/pause:3.9 is going to parse 9

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correct, we need more validation!

ndbaker1
ndbaker1 reviewed Feb 9, 2024
View reviewed changes
files/pull-sandbox-image.sh
@@ -29,7 +40,7 @@ function retry() {
done
}

ecr_password=$(retry aws ecr get-login-password --region $region)
ecr_password=$(retry aws ecr get-login-password --region "${region}")
Copy link
Member

@ndbaker1 ndbaker1 Feb 9, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we add carter's fix https://github.com/awslabs/amazon-eks-ami/pull/1646/files so that we don't break the whole workflow on this failing, the crictl calls should be fine even if the ecr_password is empty but we'd need to remove the explicit exit 1

tested empty

# crictl pull --creds "AWS:" registry.k8s.io/pause:3.9
Image is up to date for sha256:e6f1816883972d4be47bd48879a08919b96afcd344132622e4d444987919323c

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree

@dims
Copy link
Member Author

dims commented Feb 9, 2024

@ndbaker1 @cartermckinnon feel free to folks this PR/commit into something you are already working on. opened this as WIP just to highlight

@ndbaker1 ndbaker1 mentioned this pull request Feb 9, 2024
Merged
@dims dims closed this Feb 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ndbaker1 ndbaker1 ndbaker1 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dims @ndbaker1