prefetch-task-rhsm-integration #1205
Conversation
| subscription-manager register \ | ||
| --org $(cat "/activation-key/orgid") \ | ||
| --activationkey $(cat "/activation-key/activationkey") |
There was a problem hiding this comment.
Is the user running inside the container privileged?
Error: this command requires root access to execute
There was a problem hiding this comment.
Where did you get that error? It is running properly already in Konflux using git ref pointing at my fork of build-defintions. The buildah task already has sufficient permissions with no modifications.
There was a problem hiding this comment.
the buildah task is running as user 0 already so imo this is a non-issue.
There was a problem hiding this comment.
Checked the buildah task, there's nothing going on in terms of user setting really (apart from ID mapping), so by default this runs as root. I guess the container itself isn't privileged, so while not ideal, I guess it's acceptable, so consider my initial comment retracted.
However, that makes things easier for cachi2 then and since we're assuming the default root user inside the container, this whole RHSM registration should IMO be baked into cachi2 rpm-dnf backend rather than in the tekton task for proper integration - we could also leverage dbus to communicate with RHSM for better error handling rather than dealing with shell.
|
IMHO the way I have implemented it is the most versatile option.
It also introduces no new dependencies on yum, dnf or subscription manager and so is insulated from changes there. The client certificate scheme hasn't changed in over a decade and should be quite stable. |
Which of ^these use cases does the following not comply with, rendering it less versatile?
|
This changes the container build to use UBI9 so that it is supportable by a major user (Red Hat) with subscription enabled repositories. The change requires using createrepo_c from PyPyi since the createrepo_c rpm is not distributed as part of the UBI9 content set and it is desireable to keep this image freely redistributable. Chaniging to UBI keeps maintenance to a minimum (just one image flavor) but in the future multiple images could be maintained if required. The subscription-manager package is included to support konflux-ci/build-definitions#1205 and containerbuildsystem#580 where it will be used to obtain TLS certificates to send to authenticate to private repositories. Signed-off-by: Brian Cook <[email protected]>
This changes the container build to use UBI9 so that it is supportable by a major user (Red Hat) with subscription enabled repositories. The change requires using createrepo_c from PyPyi since the createrepo_c rpm is not distributed as part of the UBI9 content set and it is desireable to keep this image freely redistributable. Chaniging to UBI keeps maintenance to a minimum (just one image flavor) but in the future multiple images could be maintained if required. The subscription-manager package is included to support konflux-ci/build-definitions#1205 and containerbuildsystem#580 where it will be used to obtain TLS certificates to send to authenticate to private repositories. Signed-off-by: Brian Cook <[email protected]>
This changes the container build to use UBI9 so that it is supportable by a major user (Red Hat) with subscription enabled repositories. The change requires using createrepo_c from PyPyi since the createrepo_c rpm is not distributed as part of the UBI9 content set and it is desireable to keep this image freely redistributable. Chaniging to UBI keeps maintenance to a minimum (just one image flavor) but in the future multiple images could be maintained if required. The subscription-manager package is included to support konflux-ci/build-definitions#1205 and #580 where it will be used to obtain TLS certificates to send to authenticate to private repositories. Signed-off-by: Brian Cook <[email protected]>
brianwcook
force-pushed
the
prefetch-task-rhsm-integration
branch
from
22f5975
to
cd8cad9
Compare
brianwcook
force-pushed
the
prefetch-task-rhsm-integration
branch
from
1e0fb3d
to
64ae5f9
Compare
brianwcook
force-pushed
the
prefetch-task-rhsm-integration
branch
from
e032884
to
78a571d
Compare
brianwcook
force-pushed
the
prefetch-task-rhsm-integration
branch
4 times, most recently
from
46f4e82
to
95e2128
Compare
|
/ok-to-test |
|
/retest |
brianwcook
force-pushed
the
prefetch-task-rhsm-integration
branch
from
b6881e4
to
e652f28
Compare
|
@eskultety I wrote some simple tests to ensure that the input manipulation here was working as intended and they are here (https://github.com/brianwcook/cachi2-input-stdz). At some point I think it should become a part of tests for the task but those are not actually possible yet, so just an FYI for now. |
task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml
Outdated
Show resolved
Hide resolved
brianwcook
force-pushed
the
prefetch-task-rhsm-integration
branch
7 times, most recently
from
74ebe1e
to
a55a347
Compare
|
/ok-to-test |
brianwcook
force-pushed
the
prefetch-task-rhsm-integration
branch
2 times, most recently
from
716753f
to
2b126d8
Compare
brianwcook
force-pushed
the
prefetch-task-rhsm-integration
branch
from
2b126d8
to
e0002e2
Compare
This adds steps to the prefetch task to detect when a Red Hat subscription activation key is provided. When prefetch is configured for RPM package manager and an acivation key is provided, the pod will be registered with Red Hat's subscription management service so that protected content can be fetched. THe input is modified, injecting the entitlement certs. After prefetch the pod is unregistered.
brianwcook
force-pushed
the
prefetch-task-rhsm-integration
branch
from
e0002e2
to
04d5e91
Compare
update: this PR has been reworked to use the new ssl options sub-key introduced into cachi2's RPM package manager.
This PR causes the prefetch task to react to the same ACTIVATION_KEY parameter that is used for non-hermetic builds. The container will use the pipeline-provided activation key to register with Red Hat's subscription manager,
container and set the proper environment variablesand augment the Cachi2 input to use the generated entitlement certificates before executing Cachi2.The following points are pertinent:
subscription-manager registerare generated by this task (by runningsubscription-manager register, immediately before running cachi2Therefore this implementation is safe from certificate revocation / rotation behavior of RHSM.