Include all necessary images in images pull/push commands

[zubron]

Describe the solution you'd like
If you want to use a custom registry, you can do it but it involves a lot of manual steps and the steps differ for the e2e and systmed-logs plugins. It's proving to be an error prone and confusing workflow.

I would like to modify the images command to take not only the e2e test images into account, but also the sonobuoy, conformance, and systemd-logs images. It would be ideal if users just needed to run one set of commands to pull and then push the images.

The commands would also have to accept the sonobuoy-image and conformance-image flags to allow custom images/versions to be used. If omitted we would use the defaults.

[willzhang]

it will be a good idea ,In China, I need to do a lot of work to complete the test：

#查看需要的镜像列表
sonobuoy images
#sonobuoy images download
#docker load --input images.tar.gz

#查看版本
[root@master01 ~]# sonobuoy version --kubeconfig ~/.kube/config
Sonobuoy Version: v0.16.4
MinimumKubeVersion: 1.14.0
MaximumKubeVersion: 1.16.99
GitSHA: cda71c328eef76975a4cb8d8c30f4735a072b793
API Version:  v1.15.5

#使用私有仓库
cat > custom-repos.yaml <<EOF
dockerLibraryRegistry: 192.168.93.40/sonobuoy
e2eRegistry: 192.168.93.40/sonobuoy
gcRegistry: 192.168.93.40/sonobuoy
etcdRegistry: 192.168.93.40/sonobuoy
privateRegistry: 192.168.93.40/sonobuoy
sampleRegistry: 192.168.93.40/sonobuoy
EOF

sonobuoy images pull
sonobuoy images push --e2e-repo-config  custom-repos.yaml 

PRIVATE_REG=192.168.93.40/sonobuoy
SONO_VERSION=v0.16.4
CLUSTER_VERSION=v1.15.5
SYSTEMD_LOGS_VERSION=latest

docker pull gcr.io/google-containers/conformance:$CLUSTER_VERSION
docker pull sonobuoy/sonobuoy:$SONO_VERSION
docker pull gcr.io/heptio-images/sonobuoy-plugin-systemd-logs:$SYSTEMD_LOGS_VERSION

docker tag gcr.io/google-containers/conformance:$CLUSTER_VERSION $PRIVATE_REG/conformance:$CLUSTER_VERSION
docker tag sonobuoy/sonobuoy:$SONO_VERSION $PRIVATE_REG/sonobuoy:$SONO_VERSION
docker tag gcr.io/heptio-images/sonobuoy-plugin-systemd-logs:$SYSTEMD_LOGS_VERSION $PRIVATE_REG/sonobuoy-plugin-systemd-logs:$SYSTEMD_LOGS_VERSION

docker push $PRIVATE_REG/conformance:$CLUSTER_VERSION
docker push $PRIVATE_REG/sonobuoy:$SONO_VERSION
docker push $PRIVATE_REG/sonobuoy-plugin-systemd-logs:$SYSTEMD_LOGS_VERSION

PRIVATE_REG=192.168.93.40/sonobuoy
sonobuoy gen --e2e-repo-config custom-repos.yaml \
  --sonobuoy-image $PRIVATE_REG/sonobuoy:v0.16.4 \
  --kube-conformance-image $PRIVATE_REG/conformance:v1.15.5 > modified-manifest.yaml

sed -i 's#gcr.io/heptio-images/#$PRIVATE_REG#g' modified-manifest.yaml

#默认情况下，将运行两组测试。systemd-log测试和e2e端对端测试
sonobuoy run --mode=certified-conformance -f modified-manifest.yaml

[johnSchnake]

The question I have here is what is the ideal way to specify which registry to use for the images?

The mapping on the existing images is based on overriding each registry via the YAML file.

We could:

1. Add our own yaml file to override each of the necessary registries: the sonobuoy dockerhub and also the gcr.io for the e2e image. Eventually the systemdlogs will be in the sonobuoy dockerhub so that doesn't really need its own override for now. This approach is the most explicit but very awkward to use.
2. Add a command line flag and just require that those extra images (sonobuoy, e2e, systemd-logs) all end up in the same registry. This way we'd just just have to deal with a single string (the new registry). Easier than (1) but less flexible
3. We could potentially piggy back on the existing manifest.yaml and just specify that the sonobuoy/e2e images will be assumed to be in one of the given registries; e.g. the e2eRegistry which defaults to gcr.io/kubernetes-e2e-test-images. This would require no extra flags or config files (easy!) but would be a little less intuitive and potentially sensitive to upstream changes as well

[zubron]

It will definitely be tricky to get the user experience right here.

I was initially leaning towards something like option 3 - with some modifications so that we could have an additional key in the yaml file (e.g. sonobuoyRegistry) which would be used for the purpose of pulling/pushing the image but would be removed/excluded from the yaml provided to the e2e plugin but now I'm not keen on that. My main concern with using the existing registry config is that I don't want to group everything for Sonobuoy and all the plugins together under the configuration for the e2e plugin.

[rplanteras]

Describe the solution you'd like
If you want to use a custom registry, you can do it but it involves a lot of manual steps and the steps differ for the e2e and systmed-logs plugins. It's proving to be an error prone and confusing workflow.

I would like to modify the images command to take not only the e2e test images into account, but also the sonobuoy, conformance, and systemd-logs images. It would be ideal if users just needed to run one set of commands to pull and then push the images.

The commands would also have to accept the sonobuoy-image and conformance-image flags to allow custom images/versions to be used. If omitted we would use the defaults.

Im sorry to add comment in this closed ticket.
I would like to confirm my understanding, based Sonobuoy air-gapped documentation, i just executed steps for sonobuoy images ang conformance image and specified in sonobuoy run to use conformance image. But this caused me to have an error with Image pull back-off policy.

Is it correct that i also need to get other test images?

[zubron]

Hi @rplanteras! Don't apologise :)

This workflow is quite complex - sorry you're having issues with it! There are a number of different images required to run Sonobuoy and the default plugins in an airgapped environment. Which image were you experiencing the image pull back-off error with?

Warning: Lots of details ahead! Apologies if you know some of this already, but I'll outline some things below (to compare with our docs and use as the basis for improvement).

To run Sonobuoy (and the E2E and systemd-logs plugins) in an airgapped environment, you need to have the following images available in the registry accessible from your cluster:

• Sonobuoy image
• systemd-logs plugin image
• e2e conformance image
• all the images required by the e2e tests

You can see the list of images required if you run sonobuoy images, for example here is the output for a 1.18 cluster:

$ sonobuoy images
docker.io/gluster/glusterdynamic-provisioner:v1.0
docker.io/library/busybox:1.29
docker.io/library/httpd:2.4.38-alpine
docker.io/library/httpd:2.4.39-alpine
docker.io/library/nginx:1.14-alpine
docker.io/library/nginx:1.15-alpine
docker.io/library/perl:5.26
docker.io/library/redis:5.0.5-alpine
gcr.io/authenticated-image-pulling/alpine:3.7
gcr.io/authenticated-image-pulling/windows-nanoserver:v1
gcr.io/google-containers/conformance:v1.18.0
gcr.io/google-containers/startup-script:v1
gcr.io/k8s-authenticated-test/agnhost:2.6
gcr.io/kubernetes-e2e-test-images/apparmor-loader:1.0
gcr.io/kubernetes-e2e-test-images/cuda-vector-add:1.0
gcr.io/kubernetes-e2e-test-images/cuda-vector-add:2.0
gcr.io/kubernetes-e2e-test-images/echoserver:2.2
gcr.io/kubernetes-e2e-test-images/ipc-utils:1.0
gcr.io/kubernetes-e2e-test-images/jessie-dnsutils:1.0
gcr.io/kubernetes-e2e-test-images/kitten:1.0
gcr.io/kubernetes-e2e-test-images/metadata-concealment:1.2
gcr.io/kubernetes-e2e-test-images/mounttest-user:1.0
gcr.io/kubernetes-e2e-test-images/mounttest:1.0
gcr.io/kubernetes-e2e-test-images/nautilus:1.0
gcr.io/kubernetes-e2e-test-images/nonewprivs:1.0
gcr.io/kubernetes-e2e-test-images/nonroot:1.0
gcr.io/kubernetes-e2e-test-images/regression-issue-74839-amd64:1.0
gcr.io/kubernetes-e2e-test-images/resource-consumer:1.5
gcr.io/kubernetes-e2e-test-images/sample-apiserver:1.17
gcr.io/kubernetes-e2e-test-images/volume/gluster:1.0
gcr.io/kubernetes-e2e-test-images/volume/iscsi:2.0
gcr.io/kubernetes-e2e-test-images/volume/nfs:1.0
gcr.io/kubernetes-e2e-test-images/volume/rbd:1.0.1
invalid.com/invalid/alpine:3.1
k8s.gcr.io/etcd:3.4.3
k8s.gcr.io/pause:3.2
k8s.gcr.io/prometheus-dummy-exporter:v0.1.0
k8s.gcr.io/prometheus-to-sd:v0.5.0
k8s.gcr.io/sd-dummy-exporter:v0.2.0
quay.io/kubernetes_incubator/nfs-provisioner:v2.2.2
sonobuoy/sonobuoy:v0.18.0
sonobuoy/systemd-logs:v0.3
us.gcr.io/k8s-artifacts-prod/e2e-test-images/agnhost:2.12

Note: Some of these images either require authentication or don't exist and will cause some errors during the pull/push steps below. These images can be safely ignored as they aren't required for the conformance tests.

You need to pull those images and then push them to your custom registry. We've included a --dry-run mode so you can see what each step would do without actually having to run it. You can use that to make sure all the image registries and tags look correct before spending a lot of time pulling and pushing the images.

To pull the images use sonobuoy images pull

$ sonbouoy images pull
INFO[0000] Pulling image: sonobuoy/sonobuoy:v0.18.0     
INFO[0000] Pulling image: gcr.io/google-containers/conformance:v1.18.0 
INFO[0000] Pulling image: gcr.io/kubernetes-e2e-test-images/nonewprivs:1.0 
...
INFO[0000] Pulling image: gcr.io/kubernetes-e2e-test-images/volume/nfs:1.0 
INFO[0000] Pulling image: sonobuoy/systemd-logs:v0.3

To push the images, you need to tell which registry sonbouoy should push them to. For the images specific to the E2E tests, you need to provide a yaml file which tells Sonobuoy which registry to use in place of the registries used by Kubernetes. You can generate the default file with the following command:

$ sonobuoy gen default-image-config
dockerGluster: docker.io/gluster
dockerLibraryRegistry: docker.io/library
e2eRegistry: gcr.io/kubernetes-e2e-test-images
gcRegistry: k8s.gcr.io
googleContainerRegistry: gcr.io/google-containers
promoterE2eRegistry: us.gcr.io/k8s-artifacts-prod/e2e-test-images
quayIncubator: quay.io/kubernetes_incubator

Save this content to a file and update it replace every registry with the one you wish to use, for example:

$ cat custom-registries.yaml
dockerGluster: my-custom-registry
dockerLibraryRegistry: my-custom-registry
e2eRegistry: my-custom-registry
gcRegistry: my-custom-registry
googleContainerRegistry: my-custom-registry
promoterE2eRegistry: my-custom-registry
quayIncubator: my-custom-registry

You can then use this file with the sonobuoy images push command which will tag every image and push it to your desired registry. You also need to specify a registry where the other images should be pushed to.

$ sonobuoy images push --e2e-repo-config custom-registries.yaml --custom-registry my-custom-registry
INFO[0000] Tagging image: sonobuoy/sonobuoy:v0.18.0 as my-custom-registry/sonobuoy:v0.18.0 
INFO[0000] Pushing image: my-custom-registry/sonobuoy:v0.18.0 
INFO[0000] Tagging image: gcr.io/google-containers/conformance:v1.18.0 as my-custom-registry/conformance:v1.18.0 
INFO[0000] Pushing image: my-custom-registry/conformance:v1.18.0 
INFO[0000] Tagging image: gcr.io/kubernetes-e2e-test-images/jessie-dnsutils:1.0 as my-custom-registry/jessie-dnsutils:1.0 
INFO[0000] Pushing image: my-custom-registry/jessie-dnsutils:1.0 
INFO[0000] Tagging image: gcr.io/kubernetes-e2e-test-images/kitten:1.0 as my-custom-registry/kitten:1.0 
INFO[0000] Pushing image: my-custom-registry/kitten:1.0 
...
INFO[0000] Tagging image: sonobuoy/systemd-logs:v0.3 as my-custom-registry/systemd-logs:v0.3 
INFO[0000] Pushing image: my-custom-registry/systemd-logs:v0.3 

After this, all of the required images should be available in your registry. To make sure they are used, you need to pass the details when using sonobuoy run, including the e2e images registry config, the sonobuoy image, the e2e conformance image and the systemd-logs image. For example:

$  sonobuoy run --e2e-repo-config custom-registries.yaml --kube-conformance-image my-custom-registry/conformance:v1.18.0 --sonobuoy-image my-custom-registry/sonobuoy:v0.18.0 --systemd-logs-image my-custom-registry/systemd-logs:v0.3

This is a lot of info - I hope it helps! Some of this info is missing from our docs unfortunately so I'll file a ticket to update them.

[rplanteras]

Hello @zubron Good morning (its morning in the Philippines hehe). Thank you very much for the response. Actually, i tried to perform some of the steps above based on willzhang's post in this ticket. I have clarification about making sure the registry is accessible. Initially, I was thinking this might be the issue but when i tried to pull image from my private registry in a different server in my k8s cluster master, is this already considered as accessible?

Thank you very much for accommodating my question.

[rplanteras]

Hello @zubron . Good day.
I tried the steps above but i got the same error.
Please see details below.

[root@sonobuoy-offline ~]# sonobuoy logs
error streaming logs from container [kube-sonobuoy]: container "kube-sonobuoy" in pod "sonobuoy" is waiting to start: trying and failing to pull image[root@sonobuoy-offline ~]#
[root@sonobuoy-offline ~]#
[root@sonobuoy-offline ~]#

---------------------------------------------------------------------

[root@sonobuoy-offline ~]# sonobuoy run --e2e-repo-config custom-registries.yaml --kube-conformance-image myregistry.local:5000/conformance:v1.17.2 --sonobuoy-image myregistry.local:5000/sonobuoy:v0.17.2 --systemd-logs-image myregistry.local:5000/systemd-logs:v0.3 --mode quick --wait
INFO[0000] created object                                name=sonobuoy namespace= resource=namespaces
INFO[0000] created object                                name=sonobuoy-serviceaccount namespace=sonobuoy resource=serviceaccounts
INFO[0000] created object                                name=sonobuoy-serviceaccount-sonobuoy namespace= resource=clusterrolebindings
INFO[0000] created object                                name=sonobuoy-serviceaccount-sonobuoy namespace= resource=clusterroles
INFO[0000] created object                                name=sonobuoy-config-cm namespace=sonobuoy resource=configmaps
INFO[0000] created object                                name=sonobuoy-plugins-cm namespace=sonobuoy resource=configmaps
INFO[0000] created object                                name=sonobuoy namespace=sonobuoy resource=pods
INFO[0000] created object                                name=repolist-cm namespace=sonobuoy resource=configmaps
INFO[0001] created object                                name=sonobuoy-master namespace=sonobuoy resource=services



<< Execution does not end within the expected time of execution for quick mode >>

---------------------------------------------------------------------

[root@k8s-master1 centos]# kubectl  get pods -A | grep sonobuoy
sonobuoy          sonobuoy                                        0/1     ImagePullBackOff   0          5m42s
[root@k8s-master1 centos]# kubectl get namespaces | grep sonobuoy
sonobuoy                   Active   6m4s
[root@k8s-master1 centos]#

[zubron]

Hi again! If you can successfully pull an image from your private registry from a node in the cluster where Sonobuoy will be running then yes, the registry is considered accessible and as long as all the images are in the registry, and you perform the other steps it should work. Did you perform all the push/pull steps outlined above? Can you pull myregistry.local:5000/sonobuoy:v0.17.2 from within your cluster?

[zubron]

If you run kubectl describe pod -n sonobuoy sonobuoy do you get any additional information about the ImagePullBackoff error?

[rplanteras]

Hello zubron. Issue is fix, the steps you mentioned were ok, its my cluster proxy configuration on the slave nodes that has issues. Thank you very much for your help. :)