c9s: Add distribution-gpg-keys rpm from EPEL #1032
Conversation
This is required for the extensions build running inside the base OS container via COSA as otherwise the GPG key files are not available there.
With the inclusion of the `distribution-gpg-keys` rpm package in SCOS in openshift/os#1032, it is no longer required to fetch them from the internet.
With the inclusion of the `distribution-gpg-keys` rpm package in SCOS in openshift/os#1032, it is no longer required to fetch them from the internet.
openshift-ci
bot
added
lgtm
|
But I'm wondering, which package from EPEL are we using? Aren't those key available in the C9S repos? |
|
The We currently have this workaround in place: https://github.com/okd-project/okd-coreos-pipeline/blob/581420489cb09616c5b2225869d6e96995712c75/manifests/tekton/tasks/base/cosa-init.yaml#L64-L65 See also #1006 |
|
If we were to do this only in RHCOS/C9S, it'd create another divergence from FCOS - i.e. we should consider this also for FCOS if we were to do this. Oh wait, we're actually doing this only for C9S, which means just that stream diverges a bit. On one hand, the idea of adding It's a bit unfortunate that this package is in EPEL, because enabling the EPEL repos by default is a whole other world of stuff. All this said, which actual keys are you needing? And for what packages? I think we talked about this before, but can you remind me? Do you have a link to a PR/code that needs this? |
|
Oh I see, sorry you did link it here. OK, right and I'm paging back in the context from #1006 (Ohhh wow and I see https://github.com/okd-project/okd-coreos-pipeline/blob/581420489cb09616c5b2225869d6e96995712c75/manifests/tekton/tasks/base/cosa-init.yaml#L80 - so it begins... I think honestly we are all under a bit of confusion as to who builds scos and how/where and with what config. okd-project/okd-coreos-pipeline@e7fc6d8 seems exactly like the kind of thing that conceptually should have been in this repository right? ) Anyways um...but wait is the problem that you're getting the |
indeed 😂 😭
The plan has always been to involve the CoreOS team as much as possible, but it was made quite clear that the there are limited resources to work on the OKD pipeline and that the team had to focus on building RHCOS 9. Also we needed (and still need) something that does not require an
Yes that's exactly the problem. Everything is copied into the container to build the extensions, which is required to get the manifests etc in there ( Line 8 in de8da21 rpm-ostree compose to not use the .repo file(s) in the dir it's invoked from?
|
|
On a side note: The extensions build regularly breaks for us for so far unknown reasons. I think it would be clearer to do the extensions build in the same env as the base build instead of in a nested container. |
|
/retest |
|
/test scos-9-build-test-qemu |
|
@LorbusChris: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Is this because the builds run in RHCOS? https://github.com/openshift/os/blob/master/extensions/Dockerfile#L2 Edit: Re-reading #1006, and I'm confused. Can we set some time to talk about this synchronously? |
|
/lgtm cancel |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: LorbusChris The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
removed
the
approved
Yeah, Though at at even higher level, to me again the extensions container is just a crutch - anyone who wants to inject code into the host can do it on their own in a fully "container native" way, although it does take over OS updates. |
|
The problem is that the extensions build runs inside an SCOS base container (with the FROM directive being replaced automatically by COSA as Colin mentioned), and that very SCOS base does not have the GPG keys at the locations specified in I agree that the extensions container is a crutch (and the nested way in which its currently built, too). We're not currently shipping it with OKD/SCOS. However if we wanted to do that, we'd need the metadata that Happy to talk about this synchronously, however next week I'll only be available on Wednesday or Friday (due to a public holiday on Monday, travels on Tuesday, and the Mini DevConf.cz in Brno on Thursday 🙂 ). Edit: Also, I don't think the Prow SCOS CI build failures that we are seeing on this PR are caused by this RPM addition. |
|
Ah OK, now I think I understand. I don't really like adding a dependency on EPEL. Could the SCOS pipeline do a sed on the c9s repo config files to fix the path before starting the build-extensions-container step? We could also ship symlinks in the image which is also fine for me. |
|
@travier we currently hack around this with |
With the inclusion of the `distribution-gpg-keys` rpm package in SCOS in openshift/os#1032, it is no longer required to fetch them from the internet.
|
@travier please see the comment above. Can we merge this? |
|
One thing I could imagine doing here is teaching the dnf stack to automatically look in This issue is annoying I agree because otherwise I think pretty much everything else is set up to work in both src != target mode (how we build the "base image" with cosa) and src == target (extensions container). Perhaps for now, we could carry the sed invocation inside the extensions container build, or do it automatically in coreos-assembler? |
|
It's worth noting here that this isn't biting FCOS as it doesn't ship an extensions container today. |
|
Alternative in #1116 |
Make a "local" copy of distribution GPG keys from COSA to use them inside the container build as we may not have all keys there or they may not be in the same place. See: openshift/os#1032 See: openshift/os#1116
|
Better option in #1118 |
|
/close |
|
@travier: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
With the inclusion of the `distribution-gpg-keys` rpm package in SCOS in openshift/os#1032, it is no longer required to fetch them from the internet.
This is required for the extensions build running inside the base OS container via COSA as otherwise the GPG key files are not available there.