Cleanups on top of #8212 #8590
Cleanups on top of #8212 #8590
Conversation
ad456db to
21a12d4
Compare
21a12d4 to
4776d32
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8590 +/- ##
==========================================
+ Coverage 46.45% 46.48% +0.03%
==========================================
Files 151 151
Lines 21978 21950 -28
==========================================
- Hits 10209 10203 -6
+ Misses 10703 10682 -21
+ Partials 1066 1065 -1 |
|
/retest |
|
/lgtm cancel @harche has some review feedback as well. |
| // WARNING: This hard-codes an assumption that SignaturePolicyPath set specifically for the namespace is never less restrictive | ||
| // than the default system-wide policy, i.e. that if an image is successfully pulled, it always conforms to the system-wide policy. |
There was a problem hiding this comment.
not for this PR: is there some way to confirm this invariant programatically? or change this check to also account for the system-wide one?
There was a problem hiding this comment.
There always is (or, well, soon will always be) a system-wide /etc/containers/policy.json. So just a presence wouldn’t work.
It might be possible to load the two policies and confirm that one is a superset of the other (there are no ORs and NOTs, so adding a PolicyRequirement is always more restrictive)… based on reflect.DeepEqual I suppose? I’m not 100% sure but it might work.
Doing that on every operation seems icky to me, maybe that can be cached.
|
I was wondering if this PR can be broken into multiple PRs, if that would help in understanding what bug an individual commit is trying to fix. |
server/container_restore.go
Outdated
|
|
||
| var restoreArchivePath string | ||
| if restoreStorageImageID != nil { | ||
| sb, err := s.getPodSandboxFromRequest(ctx, sbID) // Note that we might call getPodSandboxFromRequest with a different sbID later. Is that necessary? |
There was a problem hiding this comment.
we haven't run
if sbID == "" {
// restore into previous sandbox
sbID = dumpSpec.Annotations[annotations.SandboxID]
ctrID = config.ID
} else {
ctrID = ""
}
yet here (line 147) so i don't think we know for sure what's the sandbox ID yet. that's why I opted to have it below
There was a problem hiding this comment.
Yes, but that sandbox ID comes from inside the metadata image.
For simplicity, suppose the node had a policy “deny anything from docker.io”; then any attempt to restore a snapshot using a metadata image from docker.io should fail.
I don’t really know what I’m doing — I’m assuming Kubelet is always passing the same kind of metadata (at least, there’s only effectively a single CreateContainer call site in Kubelet), so using the same sandbox ID as in the non-snapshot-restore “create container” code path is using should be correct here.
But then again, I don’t know how restoring a sandbox ID / namespace from contents of the metadata image follows namespace restrictions, so I might well be missing something.
There was a problem hiding this comment.
suppose the node had a policy…
suppose the namespace invoking the operation had a policy, rather.
There was a problem hiding this comment.
The code to restore into an existing sandbox ID is a left-over from the initial pull request which supported to restore a pod. This is no longer possible with the current code. Most of the code was removed. This should haven been also removed.
There was a problem hiding this comment.
Further discussion to follow in #8706 (comment) .
| return errdefs.ErrNotImplemented | ||
| } | ||
|
|
||
| func (c *RuntimeConfig) ValidatePinnsPath(executable string) error { |
There was a problem hiding this comment.
should we add a gh action that compiles on mac so you don't need to keep playing catchup each time you commit to cri-o?
There was a problem hiding this comment.
I’d personally like that, but if you don’t have it already, you probably don’t need it to be effective in maintaining the software.
(There’s much more in CRI-O that doesn’t compile on Mac; this was only targeted at making internal/storage unit tests run.)
internal/storage/image.go
Outdated
| output <- pullImageOutputItem{Result: transports.ImageName(destRef), Name: canonicalRef.Name(), Digest: canonicalRef.Digest()} | ||
| rawCanonical, ok := canonicalRef.Raw().(reference.Canonical) | ||
| if !ok { | ||
| fmt.Fprintf(os.Stderr, "Returned reference %v is not canonical", canonicalRef.Raw().String()) |
There was a problem hiding this comment.
can you use the cri-o/internal/log package here instead of logging right to Stderr?
There was a problem hiding this comment.
I see this (and my below comment) are done above, could you cleanup both cases?
There was a problem hiding this comment.
Both of these are in pullImageChild, a separate process. The error message is explicitly expected to go to Stderr, and pullImageParent reads that (as errOutput) and turns it into a Go error.
From skimming internal/log, it seems to add Logrus’ typical log metadata; I think that should not be included in the Go error returned from pullImageParent.
internal/storage/image.go
Outdated
| rawCanonical, ok := canonicalRef.Raw().(reference.Canonical) | ||
| if !ok { | ||
| fmt.Fprintf(os.Stderr, "Returned reference %v is not canonical", canonicalRef.Raw().String()) | ||
| os.Exit(1) |
There was a problem hiding this comment.
is this a fatal programming error? like can cri-o not recover at all? if so I think we should panic() here. If not, we should find a way to error the image pull
There was a problem hiding this comment.
See above, this is in a subprocess and this is the currently-designed error reporting mechanism.
pkg/annotations/internal.go
Outdated
|
|
||
| // Image is the container image ID annotation. | ||
| Image = "io.kubernetes.cri-o.Image" | ||
| // UserRequestedImage is ann annotation containing the image specified in the container spec |
409a7fb to
a552d5e
Compare
Signed-off-by: Miloslav Trmač <[email protected]>
Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
…ullImage This is slightly less accurate in that it does not guarantee digest presence, but it guarantees a value to be present. That's actually what some code paths check (and incorrectly handle), so rely on the value presence to simplify. Also push the use of strongly typed values into the very higest layers of the PullImage call stack. Signed-off-by: Miloslav Trmač <[email protected]>
Use a single string for the whole RegistryImageReference, don't split it into a repo+digest only to combine it back. NOTE: The code is still broken, it doesn't correctly parse progress entries. Signed-off-by: Miloslav Trmač <[email protected]>
... and document its semantics in more places. Signed-off-by: Miloslav Trmač <[email protected]>
Signed-off-by: Miloslav Trmač <[email protected]>
Signed-off-by: Miloslav Trmač <[email protected]>
Signed-off-by: Miloslav Trmač <[email protected]>
It has no non-test users. Signed-off-by: Miloslav Trmač <[email protected]>
a552d5e to
0d68102
Compare
|
/lgtm thanks! |
|
/retest |
|
/override ci/prow/e2e-aws-ovn |
|
@saschagrunert: Overrode contexts on behalf of saschagrunert: ci/prow/e2e-aws-ovn In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mtrmac, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Are there any commits within this PR which should be backported to release-1.31 because they fix a regression? |
|
I don’t think there are any regression fixes here. The net effect should be a minor efficiency improvement by removing no-longer-used operations (including removing a remote registry access, potentially improving reliability), and perhaps removing some small proven-to-be-unreachable code paths. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Assorted cleanups identified in reviews of #8212 .
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
See individual commit messages for details.
It might be better to split this, perhaps to discuss controversial parts separately, or because tests might be failing.
Does this PR introduce a user-facing change?