Jakob-Naucke
commented
3 years ago only sort of related but: are we making sure no one uses these builds in production unintentionally? Because supply chain security wouldn't be optimal if we didn't.
Open wainersm opened 3 years ago
Jakob-Naucke
commented
3 years ago only sort of related but: are we making sure no one uses these builds in production unintentionally? Because supply chain security wouldn't be optimal if we didn't.
wainersm
commented
3 years ago only sort of related but: are we making sure no one uses these builds in production unintentionally? Because supply chain security wouldn't be optimal if we didn't.
Good question, I don't know. I don't think kata-deploy and kata snap use those cached artifacts, but IMO it is worth checking. Certainly it deserves a new issue.
Thanks for bringing that topic, @Jakob-Naucke !
Jakob-Naucke
commented
3 years ago also looping in @jongwu, maybe an opportunity to add cached builds on ARM :) I shall look into s390x
wainersm
commented
3 years ago also looping in @jongwu, maybe an opportunity to add cached builds on ARM :) I shall look into s390x
Let me know if you @Jakob-Naucke and @jongwu need help to setup the jobs for non-x86_64 arches.
jongwu
commented
3 years ago thanks @wainersm , I will follow you @Jakob-Naucke .
Which feature do you think can be improved?
Currently we have two jobs used to build and cache the Kernel and QEMU: http://jenkins.katacontainers.io/job/kata-containers-2.0-qemu-x86_64/ http://jenkins.katacontainers.io/job/kata-containers-2.0-kernel-vanilla-x86_64-nightly/ The installation scripts will build them locally only and only if there is a cache miss.
How can it be improved?
The aforementioned jobs build QEMU and Kernel for the main branch. Until now we have had luck that main and stable branches use the same version of those artifacts. That's no longer true with stable-2.2 branch, which relies on QEMU 5.2, whereas main was updated to use 6.0.
If we want to take advance of the cache for stable branches then we must create jobs accordingly .
Also I suggest renaming the existing jobs to contain the branch name. So they become: http://jenkins.katacontainers.io/job/kata-containers-2.0-main-qemu-x86_64/ http://jenkins.katacontainers.io/job/kata-containers-2.0-main-kernel-vanilla-x86_64-nightly/
/cc @fidencio @Jakob-Naucke @devimc