alphagov / cyber-security-concourse-base-image


Add more dockerfiles to pipeline #26

Closed (denizgenc closed this 3 years ago)

denizgenc commented 4 years ago

(Refer to the issue #23 if you can't find the Dockerfiles for the images below)

To-do:

denizgenc commented 4 years ago

The most recent 3 commits added the csw-concourse-worker and cyber-chalice Dockerfiles, and after running a fly set-pipeline, these images have been built and updated with no issue.

Working on http-api-resource and concourse-worker-health now.

denizgenc commented 4 years ago

concourse-worker-health now builds and deploys via the pipeline, only http-api-resource left.

denizgenc commented 4 years ago

tl;dr: http-api-resource has a Dockerfile that doesn't build with vito/oci-build-task, and should be fixed.

The last image, http-api-resource, fails on the following step in Concourse:

#6 [stage-1 2/6] COPY --from=0 . .
#6 ERROR: cannot replace to directory /tmp/buildkitd/runc-native/snapshots/snapshots/23/var/lock with file
------
 > [stage-1 2/6] COPY --from=0 . .:
------
error: failed to solve: rpc error: code = Unknown desc = cannot replace to directory /tmp/buildkitd/runc-native/snapshots/snapshots/23/var/lock with file

According to a similar error discussed in this issue, what seems to be happening is a file from the aequitas/http-api-resource is trying to overwrite a folder somewhere (probably in the vito/oci-build-task environment?).

Funnily enough, this build does work on my local machine, but the linked comment notes that:

If this build worked before (without BuildKit), that may be due to a bug in the classic builder, that allowed situations like this

And vito/oci-build-task uses BuildKit: https://github.com/vito/oci-build-task/blob/44a785b233a1689348361eb90f664834d5fcff78/Dockerfile - so it doesn't allow this behaviour.
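
The failing and working shapes of that COPY step, as an added illustration that is not from this PR or from the aequitas/http-api-resource repository; the Python app layout, requirements.txt and package paths are constructed for the example:

```dockerfile
# Constructed example: assumes a build context containing requirements.txt
# and an app/ directory. Stage names and paths are illustrative.

# Stage 0: build stage. Its filesystem is a full OS tree (including /var),
# not just the application files.
FROM python:3.8-slim AS build
WORKDIR /src
COPY requirements.txt .
# Install into one self-contained prefix so the final stage can copy a single tree.
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
COPY app/ ./app/

# Stage 1: runtime image.
FROM python:3.8-slim
# Failing shape (the step the error above comes from). With --from, a source
# of "." resolves against the ROOT of the build stage, not its WORKDIR, so this
# merges one whole OS tree onto another. BuildKit aborts as soon as an entry
# disagrees in type between the two trees (a file or symlink in one, a
# directory in the other), which is what "cannot replace to directory
# .../var/lock with file" reports. The classic builder silently tolerated it.
# COPY --from=0 . .
#
# Working shape: copy only the build artefacts, each to an explicit path.
# Nothing from the build stage's /var, /etc or /usr is merged in, so there is
# no type clash, and build-time tooling stays out of the runtime image.
COPY --from=build /install /usr/local
COPY --from=build /src/app /opt/app
WORKDIR /opt/app
ENTRYPOINT ["python", "-m", "app"]
```

The same fix applies to any multi-stage Dockerfile that copies `.` from a stage root: replace it with the specific directories the final image actually needs.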

0atman commented 4 years ago

We should look at this again with what we've learned from the py38 baseimage spike

0atman commented 4 years ago

Have we learned enough to re-start this?

denizgenc commented 4 years ago

I haven't looked into this in a while - I can pick it back up. It will require a change in the http-api-resource Dockerfile, though.

denizgenc commented 3 years ago

I had a look at this today - I've made it so that http-api-resource can now be built via BuildKit, but there's a different issue causing it to fail now (see https://github.com/alphagov/cyber-security-cloudwatch-config/issues/41#issuecomment-737225841).

I'm not sure how to deal with this isort issue, but hopefully it can be resolved.

denizgenc commented 3 years ago

I ran fly set-pipeline with the changes above and http-api-resource now builds without issue (thanks to https://github.com/alphagov/cyber-security-cloudwatch-config/pull/50). I've changed it back to the pipeline found on master, however, to avoid confusing people who might work on the pipeline but not on this branch.

There's a new requirement to have the base image trigger all the other builds (see https://github.com/alphagov/cyber-security-concourse-base-image/issues/23#issuecomment-707571283) so I'm unlinking this PR from #23 - I just want to get these images built into the pipeline, and the trigger can be added in a separate PR.

denizgenc commented 3 years ago

Looking into the pipeline triggering work, there's only one image that's affected, but I'm not sure how to fix it.

The cyber-chalice image doesn't pull from the cyber-concourse-base-image, instead setting its own TF_VERSION. Here's the first few lines of the Dockerfile:

FROM ubuntu:18.04

ENV TF_VERSION 0.11.14
ENV TF_CHECKSUM 9b9a4492738c69077b079e595f5b2a9ef1bc4e8fb5596610f69a6f322a8af8dd

A lot of what the Dockerfile does is quite similar to the cyber-security-concourse-base-image, so I think it makes sense to make changes to the cyber-chalice Dockerfile to base itself on the base image first, like other images.

I'll update the pipeline here under the assumption that the above changes have been made, and open a PR in csw-concourse.

denizgenc commented 3 years ago

I've decided to split off work on the CSW images to another branch, so that we can focus on the ones we're sure will work. This is now ready for review.