openshift / verification-tests

Blackbox test suite for OpenShift.
GNU General Public License v3.0

OCPQE-22684: fix permission issue of loading .config/containers/registries.conf.d #3615

Closed jianlinliu closed 5 months ago

jianlinliu commented 5 months ago

Since https://github.com/openshift/verification-tests/pull/3613, several cucushift-upgrade prow ci steps hit such issues:

```
Extracting oc
error: reading registries.conf.d: lstat /opt/app-root/src/.config/containers/registries.conf.d: permission denied
```

Manually reproduce it locally.

```
$ podman run --rm -ti --entrypoint /bin/bash --user 1001:1001 registry.ci.openshift.org/ci/verification-tests:latest
bash-4.4$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.16.0-rc.3-x86_64
error: reading registries.conf.d: lstat /opt/app-root/src/.config/containers/registries.conf.d: permission denied
bash-4.4$ ls .config/
ls: cannot open directory '.config/': Permission denied
bash-4.4$ ls -ld .config
drwx------. 3 root root 25 Jun 11 09:34 .config
```

If the container is run as the root user, this issue is not hit, but in the prow ci build farm, the containers using the image are not running as the root user.

Per https://github.com/containers/image/blob/main/docs/containers-registries.conf.d.5.md#configuration-precedence, once `/etc/containers/registries.conf` exists, the conf files in `$HOME/.config/containers/registries.conf.d` are loaded, so the permission issue happens.

`/etc/containers/registries.conf` is installed by the `containers-common` package as a dependency of skopeo, which is installed when running `tools/install_os_deps.sh`.
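
A check for the failure described in the comment above, as an added example that is not part of this PR or of the repository: it reports the first directory between a start directory and a target path that denies search permission to the UID/GID the container runs as. The function names `can_search` and `first_blocked_dir` are hypothetical, and only the owner/group/other mode bits are considered.

```shell
# can_search UID GID DIR
# Succeeds if UID (with primary group GID) may search (x) DIR, judged from the
# owner/group/other mode bits only: no ACLs, supplementary groups or SELinux.
can_search() {
    cs_uid=$1; cs_gid=$2
    [ "$cs_uid" -eq 0 ] && return 0                     # root bypasses the mode bits
    cs_line=$(ls -ldn -- "$3" 2>/dev/null) || return 2  # missing or not inspectable
    set -- $cs_line                                     # mode links uid gid ...
    if   [ "$3" -eq "$cs_uid" ]; then cs_pos=4          # owner x bit
    elif [ "$4" -eq "$cs_gid" ]; then cs_pos=7          # group x bit
    else cs_pos=10                                      # other x bit
    fi
    case $(printf '%s' "$1" | cut -c "$cs_pos") in
        x|s|t) return 0 ;;                              # s and t imply x
        *)     return 1 ;;
    esac
}

# first_blocked_dir UID GID START RELPATH
# lstat() on START/RELPATH needs search permission on START and on every
# directory above the final component. Prints the first directory that
# denies it and returns 1; returns 0 when the whole chain is searchable.
first_blocked_dir() {
    fb_uid=$1; fb_gid=$2; fb_cur=${3%/}; fb_rest=$4
    while :; do
        if ! can_search "$fb_uid" "$fb_gid" "${fb_cur:-/}"; then
            printf '%s\n' "${fb_cur:-/}"
            return 1
        fi
        case $fb_rest in
            */*) fb_cur=$fb_cur/${fb_rest%%/*}; fb_rest=${fb_rest#*/} ;;
            *)   return 0 ;;                            # only the target itself is left
        esac
    done
}

# Usage with the values from the reproduction above:
#   first_blocked_dir 1001 1001 "$HOME" .config/containers/registries.conf.d
```

Run against the image's home directory with the UID and GID from the reproduction, this would name the root-owned `drwx------` `.config` directory as the component that makes the `lstat` fail.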

openshift-ci-robot commented 5 months ago

@jianlinliu: This pull request references OCPQE-22684 which is a valid jira issue.

In response to [this](https://github.com/openshift/verification-tests/pull/3615):

>Since https://github.com/openshift/verification-tests/pull/3613, several cucushift-upgrade prow ci steps hit such issues:
>```
>Extracting oc
>error: reading registries.conf.d: lstat /opt/app-root/src/.config/containers/registries.conf.d: permission denied
>```
>Manually reproduce it locally.
>```
>$ podman run --rm -ti --entrypoint /bin/bash --user 1001:1001 registry.ci.openshift.org/ci/verification-tests:latest
>bash-4.4$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.16.0-rc.3-x86_64
>error: reading registries.conf.d: lstat /opt/app-root/src/.config/containers/registries.conf.d: permission denied
>bash-4.4$ ls .config/
>ls: cannot open directory '.config/': Permission denied
>bash-4.4$ ls -ld .config
>drwx------. 3 root root 25 Jun 11 09:34 .config
>```
>If the container is run as the root user, this issue is not hit, but in the prow ci build farm, the containers using the image are not running as the root user.
>
>Per https://github.com/containers/image/blob/main/docs/containers-registries.conf.d.5.md#configuration-precedence, once `/etc/containers/registries.conf` exists, the conf files in `$HOME/.config/containers/registries.conf.d` are loaded, so the permission issue happens. The fix is to remove the `containers-common` package to ensure `/etc/containers/registries.conf` is not installed.

liangxia commented 5 months ago

/lgtm

jianlinliu commented 5 months ago

/hold

jianlinliu commented 5 months ago

/unhold

jianlinliu commented 5 months ago

`/etc/containers/registries.conf` is installed by the `containers-common` package as a dependency of skopeo, which is installed when running `tools/install_os_deps.sh`, so I reverted the removal of `containers-common` and changed to another way to fix it.

@liangxia pls help review again.

liangxia commented 5 months ago

/lgtm

openshift-ci[bot] commented 5 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liangxia

openshift-ci[bot] commented 5 months ago

@jianlinliu: all tests passed!
